【Question title】: WCF: Configuring message security programmatically
【Posted】: 2011-12-12 15:59:13
【Question】:

I am writing an Azure WCF Service Bus service that is configured programmatically to use certificates for message security:

    ServiceBusEnvironment.SystemConnectivity.Mode = ConnectivityMode.Tcp;

    // create the service URI based on the service namespace
    Uri address = ServiceBusEnvironment.CreateServiceUri("sb", ConfigurationManager.AppSettings["serviceNamespace"], "TestService");

    // create the Service Bus credentials object (shared secret) for the endpoint
    TransportClientEndpointBehavior sharedSecretServiceBusCredential = new TransportClientEndpointBehavior();
    sharedSecretServiceBusCredential.TokenProvider = TokenProvider.CreateSharedSecretTokenProvider(ConfigurationManager.AppSettings["issuerName"], ConfigurationManager.AppSettings["issuerSecret"]);

    // create and bind the service endpoint
    ContractDescription contractDescription = ContractDescription.GetContract(typeof(ITestContract), typeof(TestServiceImpl));
    ServiceEndpoint serviceEndPoint = new ServiceEndpoint(contractDescription);
    serviceEndPoint.Address = new EndpointAddress(address);

    // transport security to the relay, plus a message-level client credential
    var relayBinding = new NetTcpRelayBinding(EndToEndSecurityMode.TransportWithMessageCredential, RelayClientAuthenticationType.RelayAccessToken);
    relayBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate; // the service will check the TrustedPeople store for the client
    serviceEndPoint.Binding = relayBinding;
    serviceEndPoint.Behaviors.Add(sharedSecretServiceBusCredential);

    Host = new ServiceHost(typeof(TestServiceImpl), address);

    // validate client certificates against TrustedPeople and set the service certificate
    Host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
    Host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "E86870F0118CE39D771A49B9337C28444F3C7348");

    // add the configured endpoint to the host
    Host.Description.Endpoints.Add(serviceEndPoint);

I can start and run this service; however, any client (using only the Service Bus SharedSecret, with clientCredentials not set to use any certificate) is able to call my service without any error. Is the code above enough to indicate that certificates (and only certificate-based authorization) should be used for message security? Are there any good articles on configuring WCF message security programmatically?

【Question comments】:

Tags: wcf azure configure


【Solution 1】:

It turns out lack of sleep was the culprit; I was running an old version of the service. A client without any certificate does error out (System.ServiceModel.ProtocolException was unhandled, Message=Error while reading message framing format at position 1 of stream (state: Start)).
A correctly coded client is:

    ServiceBusEnvironment.SystemConnectivity.Mode = ConnectivityMode.Tcp;

    string serviceNamespace = "valid-namespace";
    string issuerName = "owner";
    string issuerSecret = "validSecret";

    // create the service URI based on the service namespace
    Uri serviceUri = ServiceBusEnvironment.CreateServiceUri("sb", serviceNamespace, "valid-namespace");

    // create the Service Bus credentials object (shared secret) for the endpoint
    TransportClientEndpointBehavior sharedSecretServiceBusCredential = new TransportClientEndpointBehavior();
    sharedSecretServiceBusCredential.CredentialType = TransportClientCredentialType.SharedSecret;
    sharedSecretServiceBusCredential.Credentials.SharedSecret.IssuerName = issuerName;
    sharedSecretServiceBusCredential.Credentials.SharedSecret.IssuerSecret = issuerSecret;

    ChannelFactory<ITestChannel> channelFactory = new ChannelFactory<ITestChannel>();
    channelFactory.Endpoint.Address = new EndpointAddress(serviceUri);

    // same binding mode as the service: transport security plus a certificate as the message credential
    var NTRB = new NetTcpRelayBinding();
    NTRB.Security.Mode = EndToEndSecurityMode.TransportWithMessageCredential;
    NTRB.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
    channelFactory.Endpoint.Binding = NTRB;
    channelFactory.Endpoint.Contract.ContractType = typeof(ITestChannel);
    // apply the Service Bus credentials
    channelFactory.Endpoint.Behaviors.Add(sharedSecretServiceBusCredential);

    // Question: why doesn't use of the following line affect service validation? I can successfully call the service from a machine where the server's certificate does NOT exist in the TrustedPeople store
    //channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;

    // the client certificate presented as the message credential
    channelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "valid-thumbprint");
    // create and open the client channel
    ITestChannel channel = channelFactory.CreateChannel();

    Console.WriteLine(channel.ServiceMethod());
    Console.ReadKey();
    channel.Close();
    channelFactory.Close();

There is still the issue that the ServiceCertificate is always assumed to be valid, even when PeerTrust is used for channelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode and the service certificate is not in the TrustedPeople store. Anyone have ideas as to why this happens?

【Discussion】:
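The following is an added example, not code from the question or the answer above. It replaces the built-in PeerTrust mode with an explicit X509CertificateValidator that does the same TrustedPeople lookup itself, fails closed, and traces every call. Wired to the server's ClientCertificate credential it enforces the certificate check the question wants; wired to the client's ServiceCertificate credential it makes observable whether WCF ever hands the client a service certificate to validate in this binding mode, which is the diagnostic the open question at the end of the answer needs. The ServiceHost and ChannelFactory<TChannel> passed in are assumed to be the ones built in the snippets above; ITestChannel and the store location are assumptions for illustration.

```csharp
// Added example (not from the original question or answer): an explicit
// certificate validator that fails closed and logs each invocation, so it is
// visible whether WCF consults it for a given credential. Assumes the host and
// channel factory from the snippets above; names are illustrative.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

public sealed class TrustedPeopleValidator : X509CertificateValidator
{
    private readonly StoreLocation _location;

    public TrustedPeopleValidator(StoreLocation location)
    {
        _location = location;
    }

    // WCF calls this once per presented certificate. Throwing rejects the peer.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // If this line never prints, WCF did not run validation for the
        // credential this validator is attached to.
        Console.WriteLine("Validating certificate {0}", certificate.Thumbprint);

        // Reject certificates outside their validity period; a store lookup
        // with validOnly:false does not check this on its own.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Certificate " + certificate.Thumbprint + " is outside its validity period.");

        // Exact match on thumbprint against TrustedPeople, mirroring PeerTrust:
        // subject-name matching would accept any certificate with that name.
        var store = new X509Store(StoreName.TrustedPeople, _location);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, certificate.Thumbprint, false);
            if (matches.Count == 0)
                throw new SecurityTokenValidationException(
                    "Certificate " + certificate.Thumbprint + " is not in the TrustedPeople store.");
        }
        finally
        {
            store.Close();
        }
    }
}

public static class ValidatorWiring
{
    // Server side: validate the client's message-level certificate.
    // Must be applied before host.Open().
    public static void ApplyToHost(ServiceHost host)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new TrustedPeopleValidator(StoreLocation.LocalMachine);
    }

    // Client side: validate whatever service certificate WCF presents to the
    // client. Must be applied before the factory creates its first channel.
    public static void ApplyToClient<TChannel>(ChannelFactory<TChannel> factory)
    {
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new TrustedPeopleValidator(StoreLocation.LocalMachine);
    }
}
```

Usage is `ValidatorWiring.ApplyToHost(Host)` before `Host.Open()` and `ValidatorWiring.ApplyToClient(channelFactory)` before `channelFactory.CreateChannel()`. On the server, a client whose certificate is absent from TrustedPeople now fails with the SecurityTokenValidationException thrown above rather than relying on the built-in mode. On the client, if the trace line never appears, the binding is not presenting a service certificate at the message layer, so no ServiceCertificate validation mode, PeerTrust included, has anything to act on; that narrows the open question to where the service is actually being authenticated (the transport connection to the relay) rather than to the validator settings.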
