我有一个wcf客户端,要求我同时使用证书和用户名安全性。
在我输出的头签名中,存在两个引用元素。其中一个映射(通过URI)到UsernameToken,我的理解是另一个引用元素应该映射到SecurityTokenReference,但它不是。
我的传出soap标头的安全部分如下
<o:UsernameToken u:Id="uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<o:Username>xxxxxxx</o:Username>
<o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token- profile-1.0#PasswordText">xxxxxxx</o:Password>
</o:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>FNjRLXvhojvaLY/4MhdtsK1cicE=</DigestValue>
</Reference>
<Reference URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>ZhCGi22F57ASm5YGVjLxe/s5wyY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>CvxcSSur/epImkRyDh8AywiE3E6GabKzhQhGm/ISpHroWFEryIgpFCStZpGdvt6/QxXskgIiP39eQQILRm1CsTFBZkzP+mb1ktis2OlyiGOFfVNnOXVseOktMGt1WpeNlssFNk0prP9gy5EU3lWwxENvHFy8/IZZWCR8A4Cm+yA=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
您可以看到一个引用URI映射到UsernameToken的Id,但当我期望它是#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3(SecurityTokenReference的URI)时,另一个引用URL是#_1
我创建自定义绑定的代码如下
private System.ServiceModel.Channels.Binding GetBinding()
{
System.ServiceModel.Channels.AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement();
asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
asbe.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
asbe.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
asbe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
asbe.IncludeTimestamp = false;
asbe.SetKeyDerivation(false);
asbe.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15;
asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
CustomBinding myBinding = new CustomBinding();
myBinding.Elements.Add(asbe);
myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
httpsBindingElement.RequireClientCertificate = true;
myBinding.Elements.Add(httpsBindingElement);
return myBinding;
}
有人知道我需要更改什么配置设置才能将引用成功映射到SecurityToken吗?
请注意,这个问题实际上是我主要问题的一个子问题,我在"如何使WCF客户端符合特定的WS-Security-sign UsernameToken和SecurityTokenReference"中详细介绍了这个问题。似乎无法通过ootb配置或属性设置对证书进行签名,因此答案可能在于手动编写签名块。这就是我接下来要看的。
最终解决了我在相关问题上发布的问题-如何使WCF客户端符合特定的WS-Security-签署UsernameToken和SecurityTokenReference