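【Question title】: Timestamp must be signed error in response
【Posted】: 2013-03-04 10:16:35
【Question description】:

For starters, I know you'll think this is a duplicate, but if you read them you'll notice that some people say removing the timestamp solves the problem, while others say it does not.

I'm trying to connect to a Java SOAP web service with certificates using .Net 3.5, but when I receive the response an error is thrown: "The security header element 'Timestamp' with the 'Timestamp-984' id must be signed."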

var b = new CustomBinding();
b.Name = "AVbinding";
b.CloseTimeout = new TimeSpan(0, 1, 0);
b.OpenTimeout = new TimeSpan(0, 1, 0);
b.ReceiveTimeout = new TimeSpan(0, 10, 0);
b.SendTimeout = new TimeSpan(0, 1, 0);

AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
security.IncludeTimestamp = true;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
security.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
security.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic256Sha256Rsa15;
security.AllowSerializedSigningTokenOnReply = true;
security.AllowInsecureTransport = true;
security.EnableUnsecuredResponse = true;
security.RequireSignatureConfirmation = true;

security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;

ExtensionElement extensionElement = new ExtensionElement();

b.Elements.Add(security);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
HttpsTransportBindingElement httpsBinding = new HttpsTransportBindingElement();
b.Elements.Add(httpsBinding);

string certMapPath = Server.MapPath("~/App_Data");
X509Certificate2 cert = new X509Certificate2(certMapPath + "\\_CERTNAME_", "X");
X509Certificate2 serCert = new X509Certificate2(certMapPath + "\\_CERTNAME2_.cer");
AsymmetricAlgorithm key = new System.Security.Cryptography.RSACryptoServiceProvider();
key.FromXmlString("_KEY_");
cert.PrivateKey = key;

client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;

The question is, what should I do?

My request:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId CorrelationId="7d9e44cb-cecd-4c49-9a71-79a2ad04a2ec" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">63bde0b8-8953-41b8-b5c2-a69c712346b6</ActivityId>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo3dbGZWnrwhDouJE+VgKu4MAAAAAzmpHur/flUSUy0rxOVAJ8Nk4GsFjc6xOg46yQ3o0ZMQACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>Z4OHoIS/bVCWIROLBFcxjfJuXv0ebA/SO8WQWuPTrQo=</DigestValue>
</Reference>
<Reference URI="#uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>Pnp4gaKUnboMFE2LgLdsFzPBL+7fHqXacVg/MR7AS6c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-da5ccb9b-2c40-4ede-9079-c94abf912843-2"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
<u:Created>2013-03-04T09:27:15.087Z</u:Created>
<u:Expires>2013-03-04T09:32:15.087Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<getAvailabilityRequest xmlns="_url_">
<userID xmlns="">_UserID_</userID>
<password xmlns="">_pass_</password>
<requestID xmlns="">_request_</requestID>
<SystemIdentifier xmlns="">?</SystemIdentifier>
</getAvailabilityRequest>
</s:Body>
</s:Envelope>

Response:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-932">
<wsu:Created>2013-03-04T09:27:24.013Z</wsu:Created>
<wsu:Expires>2013-03-04T09:32:24.013Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-930">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#id-931">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>+/NJN562AUh5U5T4VXGRbdU28+JLmW2bdHg1gLf/SWg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigConf-929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>uzljMoX3dAm90+8P10b2/xE5OooNeP81NDtlefCBoc8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Fixb+0TnwQ2KfLqywusmwcKF8OvoBP/bLqIKfLadyV1U97+NZKzcMrSJjSD0a0sDhJZ+lo/KoHVE
KBY12ZZDP9xE+k9LHAlWZIq3a2gvBkTFR3p5NcYFQM4cbA/x/bvpEqDyzqYSoXnXMOG46DFn5klo
DO0PJkMiXKvLBhrCpZtM26AovD5WQlD694EeIXt4jey15zvGzKz88eNfHqNiYa1Wu2HuOTcnSJRv
hQKHmJKpDzn9+ZSohsULVR5xtGFQD7GWL6LLFEMqthD2a10KMan43Qd62SMUcB64o+l/M+l89+Oo
AbE0S2GXP3vvSa3ZoGduktWlyNlC7Qz/Iww0Qg==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-83F04DBB53B92E8E1F1362389243499698">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-83F04DBB53B92E8E1F1362389243499699" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#CertId-83F04DBB53B92E8E1F1362389243499697" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=" wsu:Id="SigConf-929"></wsse11:SignatureConfirmation>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-931">
<ns3:getAvailabilityResponse xmlns:ns3="_URL_" xmlns="">
<RequestID>_requestID_</RequestID>
<Status>Available</Status>
<Version>1.32.0</Version>
</ns3:getAvailabilityResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

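【Discussion of the question】:

    Tags: wcf wcf-security


    【Solution 1】:

    Please post the full request and response messages here (you can get them from the Wcf log or Fiddler). In general, if Wcf sends a signed timestamp and the response contains a timestamp, then the response ts must be signed. Depending on the exact messages there are various workarounds, including not sending a timestamp in the first place, or sending it by pushing the timestamp into the message in a handler, or removing the timestamp from the response.

    【Comments】:

    • Thanks for reading! I've edited my post with the request and response, but the 3rd-party service requires the timestamp in the request. If I port it to 4.0 (because the hotfix can't be installed any more), it tells me my key does not exist
    • EnableUnsecuredResponse means the response is not secured at all. You need to add a custom encoder to strip all security from the response in order to use it. This means the response's signature will not be validated at all, which is probably not what you want (although it's OK if there is ssl or you don't care for some reason). Otherwise, is it fair to say the server requires the request to have a timestamp and sign it, or it won't work? And then the server returns an unsigned timestamp in the response?
    • If we don't include any timestamp it won't work, so there's no other option than stripping the response, I guess?
    • The question is whether it works if you send a timestamp but don't sign it. That might work, since the server doesn't sign the response timestamp. The way to do this is to configure includeTimestamp=false so wcf doesn't emit/sign a timestamp. Then use a custom message encoder to push in a timestamp you create there (take care not to change any signed message part in the encoder). Here are some encoder samples: msdn.microsoft.com/en-us/library/ms751486.aspx blogs.msdn.com/b/carlosfigueira/archive/2010/06/13/…
    • Yes, that sounds like a great plan! I'll try with the encoder; the question is where do I add it? In the WriteMessage method, before the message is returned?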
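
As an added example (not part of the original thread, and not WCF code): a small Python check that lists which `wsu:Id`-bearing parts of a captured SOAP message are covered by a `ds:Reference`, which is the condition the error above is about. The sample message is constructed from the response in the question with digests, signature value and token omitted; the function names are hypothetical, and the check covers reference coverage only, not cryptographic validity.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the page's response reduced to the parts that matter
# (digests, signature value and binary token omitted).
SAMPLE_RESPONSE = f"""
<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <e:Header>
  <wsse:Security>
   <wsu:Timestamp wsu:Id="Timestamp-932">
    <wsu:Created>2013-03-04T09:27:24.013Z</wsu:Created>
    <wsu:Expires>2013-03-04T09:32:24.013Z</wsu:Expires>
   </wsu:Timestamp>
   <ds:Signature Id="Signature-930">
    <ds:SignedInfo>
     <ds:Reference URI="#id-931"/>
     <ds:Reference URI="#SigConf-929"/>
    </ds:SignedInfo>
   </ds:Signature>
   <wsse11:SignatureConfirmation wsu:Id="SigConf-929"
     xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"/>
  </wsse:Security>
 </e:Header>
 <e:Body wsu:Id="id-931"/>
</e:Envelope>
"""

def signature_coverage(soap_xml):
    """Map each wsu:Id-bearing element to whether a ds:Reference points at it."""
    root = ET.fromstring(soap_xml)
    # Same-document references only ("#id"); other URI forms are ignored here.
    signed_ids = {
        ref.get("URI")[1:]
        for ref in root.iter(f"{{{DS}}}Reference")
        if (ref.get("URI") or "").startswith("#")
    }
    coverage = {}
    for el in root.iter():
        el_id = el.get(f"{{{WSU}}}Id")
        if el_id is not None:
            local = el.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
            coverage[f"{local}#{el_id}"] = el_id in signed_ids
    return coverage

def unsigned_parts(soap_xml):
    """Names of the wsu:Id-bearing elements that no signature reference covers."""
    return sorted(k for k, ok in signature_coverage(soap_xml).items() if not ok)
```

Run against the sample, `unsigned_parts` reports only the Timestamp, while the Body and SignatureConfirmation are referenced by the signature.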