我设计了一个向供应商发送SOAP请求的WCF.net客户端。为了满足供应商WS安全性需求,我必须创建一个自定义SOAP报头,并将带有自定义报头的请求发送到供应商端的web服务。因此,我通过实现从MessageHeader派生的新类(见下文)创建了一个自定义头(header)
public class SignOnlyMessageHeader : MessageHeader
{
private const string PREFIX_CP = "wsse";
public string m_Username { get; set; }
public string m_Envelope { get; set; }
public SignOnlyMessageHeader(string Username, string Envelope)
{
m_Username = Username;
m_Envelope = Envelope;
}
public override string Name
{
get { return "wsse:Security"; }
}
public override string Namespace
{
get { return null; }
}
public override bool MustUnderstand
{
get
{
return false;
}
}
protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
{
base.OnWriteStartHeader(writer, messageVersion);
writer.WriteXmlnsAttribute(PREFIX_CP, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
}
protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
{
writer.WriteStartElement(PREFIX_CP, "UsernameToken", null);
writer.WriteAttributeString("wsu:Id", "UsernameToken-20");
writer.WriteXmlnsAttribute("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
writer.WriteElementString(PREFIX_CP, "Username", null, m_Username);
writer.WriteEndElement();
SignXmlFile(writer);
}
public void SignXmlFile(XmlDictionaryWriter writer)
{
string certificatePath = "C:\Users\22428-cert.p12";
System.Security.Cryptography.X509Certificates.X509Certificate2 cert = new X509Certificate2(certificatePath, "changeit");
// Create a new XML document.
XmlDocument doc = new XmlDocument();
// Format the document to ignore white spaces.
doc.PreserveWhitespace = false;
doc.LoadXml(m_Envelope);
// Create a SignedXml object.
SignedXml signedXml = new SignedXml(doc);
// Add the key to the SignedXml document.
//signedXml.SigningKey = Key;
signedXml.SigningKey = cert.PrivateKey;
// Create a new KeyInfo object.
KeyInfo keyInfo = new KeyInfo();
keyInfo.Id = "";
// Load the certificate into a KeyInfoX509Data object
// and add it to the KeyInfo object.
KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
keyInfoData.AddCertificate(cert);
keyInfo.AddClause(keyInfoData);
// Add the KeyInfo object to the SignedXml object.
signedXml.KeyInfo = keyInfo;
signedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";
// Create a reference to be signed.
Reference reference = new Reference();
reference.Uri = "";
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
// Add the reference to the SignedXml object.
signedXml.AddReference(reference);
signedXml.Signature.Id = "";
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = signedXml.GetXml();
// Check the signature and return the result.
if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))
{
Console.WriteLine("invalid signature");
}
xmlDigitalSignature.WriteTo(writer);
}
所以在创建自定义头类之后,我覆盖了IClientMessageInspector。beforeendrequest方法拦截传出请求,并将自定义报头添加到soap请求中。见下面的代码,
object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, IClientChannel channel)
{
request.Headers.RemoveAt(0);
SignOnlyMessageHeader header = new SignOnlyMessageHeader("x509user", env);
request.Headers.Add(header);
return null;
}
最终结果是我拦截了SOAP请求,并正确地将当前报头替换为自定义报头。在发出请求之前,我检查了更新的SOAP请求(放置了一个断点),结构与供应商请求的完全匹配。但是在供应商端处理请求后,我收到了一个错误。它只说"签名核心验证失败"。我认为我在"SignXmlFile"方法中正确地签署了整个信封。我甚至检查了方法(if (!signedXml)中的有效性。CheckSignature(new X509Certificate2(certificatePath, "changeit"), true)),语句返回false,表示签名有效。
我做错了什么
嗯,我试了又试,我拦截头的方式,然后我用签名注入头。验证失败。作为解决方案,我从我的。net客户端中剔除了整个头。我用soap包将我的请求路由到XML网关,我们配置网关来拦截请求并添加必要的头init并将请求转发给外部供应商。它工作。