【问题标题】:WCF Service exception: {"Could not resolve subject key identifier"}WCF 服务异常:{“无法解析主题密钥标识符”}
【发布时间】:2013-10-01 08:41:54
【问题描述】:

我正在尝试使用 WCF 框架与服务进行通信。我唯一可用的安全信息是:

证书是带有私钥的 P12 证书,导入本地计算机根密钥存储区。

我在 SoapUI 中获得了成功的事务,并且我设法获得了 Soap XML 消息:

SoapUI 消息:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="*removed*">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-*removed*">*removed*</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-37" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-36">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>*removed*</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          *removed*
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-*removed*">
          <wsse:SecurityTokenReference wsu:Id="STR-*removed*">
            <wsse:Reference URI="#X509-*removed*" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-36" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <!--Not important-->
  </soapenv:Body>
</soapenv:Envelope>

我经历了许多异常和安全设置,现在我已经获得了带有 AsymmetricSecurityBindingElement 的 CustomBinding。这是我在 WCF 中最接近成功的 SoapUI 消息:

WCF 消息:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
          <Reference URI="#_2">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>*removed*</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>*removed*</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">*removed*</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <!--Not important-->
  </s:Body>
</s:Envelope>

SoapUI 有一些安全设置,需要二进制安全令牌,而不是 X509 证书。 我还在 app.config 中更改了 EndPoint 的 DNS 值,因此它不会抱怨证书中的不同 DNS 声明:S

<identity>
  <dns value="*IPv4-address*" />
</identity>

我的 EndPoint 行为是这样的:

<behavior name="CustomBehavior">
  <clientCredentials>
    <clientCertificate findValue="*IPv4-address*" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root"/>
    <serviceCertificate>
      <defaultCertificate findValue="*IPv4-address*" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root"/>
    </serviceCertificate>
  </clientCredentials>
</behavior>

C#中的customBinding:

var asymmetricSecurityBindingElement = new AsymmetricSecurityBindingElement();
asymmetricSecurityBindingElement.InitiatorTokenParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never };
asymmetricSecurityBindingElement.RecipientTokenParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never };
asymmetricSecurityBindingElement.IncludeTimestamp = false;

CustomBinding customBinding = new CustomBinding();
customBinding.Elements.Add(asymmetricSecurityBindingElement);
customBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));

HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
httpsBindingElement.RequireClientCertificate = true;
customBinding.Elements.Add(httpsBindingElement);

远程服务在执行 WSDL 方法时抛出异常:{"Could not resolve subject key identifier"} (innerException) http://docs.oracle.com/html/E13983_01/troubleshooting.htm 表示远程服务密钥库中可能缺少公钥证书,但 SoapUI 事务有效.它还提到了一些关于别名的东西,我不确定这是什么意思。

我似乎没有解决问题的线索。谁能帮帮我?

【问题讨论】:

    标签: xml wcf soap wcf-security ws-security


    【解决方案1】:

    试试this binding:

    <customBinding>
            <binding name="NewBinding0">
                <textMessageEncoding messageVersion="Soap11" />
                <security authenticationMode="MutualCertificate" includeTimestamp="false"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                    <secureConversationBootstrap />
                </security>
                <httpTransport />
            </binding>
    </customBinding>
    

    确保装饰你的合同只签署:

    [System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
    

    更多信息here

    【讨论】:

    • 感谢您的快速回复。而且我确实使用了您关于常见陷阱的非常有用的博客;)。我正确设置了标志保护级别,并尝试使用 httpsTransport 进行 customBinding,这导致另一个异常:“找不到 'System.IdentityModel.Tokens.X509SecurityToken' 令牌类型的令牌身份验证器。根据该类型的令牌不能被接受当前的安全设置。”即使我的绑定现在设置为您帖子中提到的最后一个陷阱。
    猜你喜欢
    • 2020-05-20
    • 1970-01-01
    • 2017-06-18
    • 1970-01-01
    • 2017-01-05
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多