WCF Soap 客户端无法解析签名中的 URI 以计算摘要
Posted
技术标签:
【中文标题】WCF Soap 客户端无法解析签名中的 URI 以计算摘要【英文标题】:WCF Soap client unable to resolve URI in signature to compute digest 【发布时间】:2018-04-19 06:18:38 【问题描述】:我正在尝试从 WCF 客户端使用在 Oracle Web Logic 之上运行的 SOAP 1.1 Web 服务。该服务实现了标准的 Oasis WS-Security 1.2,具有正文签名和加密(加密前签名)和算法 Basic256Sha256,以及 LaxTimestampLast 配置布局。
我能够以预期的格式发送经过签名和加密的消息:
<s:Envelope
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<e:EncryptedKey Id="_0"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>fOgGM...Ixw==</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"/>
</e:ReferenceList>
</e:EncryptedKey>
<o:BinarySecurityToken u:Id="uuid-792fca62-dad8-442e-b720-d52f48768dd0-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIFf...O2A8=</o:BinarySecurityToken>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>0OiBt3eXZek5bJ9d9CFsduwbtQVoFY3DvFqxfnQz7Dg=</DigestValue>
</Reference>
<Reference URI="#uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>PtcCDNfz7ocVM86qgSnDFnUUJnVz6E884Ll9QeV6Wfg=</DigestValue>
</Reference>
<Reference URI="#uuid-792fca62-dad8-442e-b720-d52f48768dd0-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>SezODccgkQ2rfYtKfSxAC14igVpLxbfQtKChSddDf+c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>j6XPB.../ow==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
<u:Created>2017-11-06T20:43:29.722Z</u:Created>
<u:Expires>2017-11-06T20:48:29.722Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body u:Id="_1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<e:CipherData>
<e:CipherValue>L7f+O...Rw7jHL</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
但是,当得到响应时:
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
<ns1:EncryptedKey
xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="18iq0thuJbDO21Gk">
<ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ns2:DigestMethod
xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</ns1:EncryptionMethod>
<ns3:KeyInfo
xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_nczorGBwzUSf1PJG">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ns3:KeyInfo>
<ns1:CipherData>
<ns1:CipherValue>VLX9L...jTQ==</ns1:CipherValue>
</ns1:CipherData>
<ns1:ReferenceList>
<ns1:DataReference URI="#XgzvGdpjeeFiU0AH"/>
</ns1:ReferenceList>
</ns1:EncryptedKey>
<wsse11:SignatureConfirmation
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sigconf_gF2mG4MS0QT3gGyg" Value="j6XPB.../ow=="/>
<dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#Timestamp_be1msZa7e60oVdtW">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>mWxC8kSZIGKE1KTyVWbr2YgOmE1UqVNV3lS4vdM4kdM=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#Body_fr2ndXxiUtwuP3Y2">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>ZztOfa8rAv2aaMUxxKaYAPgUbEfIZRe/1ZRgPacmAlc=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#sigconf_gF2mG4MS0QT3gGyg">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>AfX4C1zXqAIX1pEHPw7PHEhf/g/8JWACJqgX7p63RkI=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#str_RLjzz112Lwz91VZF">
<dsig:Transforms>
<dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>xlVJb...EPZg==</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_RLjzz112Lwz91VZF">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp_be1msZa7e60oVdtW">
<wsu:Created>2017-11-06T20:43:30Z</wsu:Created>
<wsu:Expires>2017-11-06T20:44:30Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</env:Header>
<S:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body_fr2ndXxiUtwuP3Y2">
<ns1:EncryptedData
xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="XgzvGdpjeeFiU0AH" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml">
<ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ns1:CipherData>
<ns1:CipherValue>GT08G...PqanY</ns1:CipherValue>
</ns1:CipherData>
</ns1:EncryptedData>
</S:Body>
</S:Envelope>
客户端测试失败并出现以下错误:
Test Name: TestMethod_CodedCustomBinding
Test FullName: Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding
Test Source: C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs : line 207
Test Outcome: Failed
Test Duration: 0:00:00.9372511
Result StackTrace:
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
at System.IdentityModel.SignedXml.CompleteSignatureVerification()
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request)
at Integration.ServiceClient.TestServiceClient.ServiceWsClient.Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 994
at Integration.ServiceClient.TestServiceClient.ServiceWsClient.notify(Int64 idNotification) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 1000
at Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding() in C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs:line 212
Result Message:
Test method Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding threw exception:
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#str_RLjzz112Lwz91VZF' URI in the signature to compute the digest.
但是,URI 存在于 Signature > KeyInfo 标记内的 SecurityTokenReference 标记中。关于为什么在签名验证期间未找到此引用以及如何解决此错误的任何想法?
【问题讨论】:
【参考方案1】:请注意:
您不能使用 CertificateOverTransport 并对邮件正文进行签名。
如果您这样做,WCF 将不允许这样做。
在这种情况下,尝试使用MutualCertificateDuplex 并将保护级别更改为无:ProtectionLevel.None,如果您对签署响应不感兴趣。
如果失败,请尝试将自定义绑定添加到您的 WCF:
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="MutualCertificateDuplex" includeTimestamp="false"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpTransport />
</binding>
</customBinding>
这将使您的证书被正确消化。
【讨论】:
以上是关于WCF Soap 客户端无法解析签名中的 URI 以计算摘要的主要内容,如果未能解决你的问题,请参考以下文章
WCF SOAP 1.1 和 WS-Security 1.0、客户端证书传输身份验证、消息正文签名的服务证书、用户名令牌、密码摘要、随机数