Клиент WCF Soap не может разрешить URI в подписи для вычисления дайджеста

Я пытаюсь использовать веб-службу SOAP 1.1, которая работает поверх Oracle Web Logic, из клиента WCF. Сервис реализует стандарт Oasis WS-Security 1.2 с подписью тела и шифрованием (подписать перед шифрованием), алгоритмами Basic256Sha256 и макетом конфигурации LaxTimestampLast.

Я могу отправить подписанное и зашифрованное сообщение в ожидаемом формате:

<s:Envelope 
    xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" 
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <e:EncryptedKey Id="_0" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                        xmlns="http://www.w3.org/2000/09/xmldsig#"/>
                </e:EncryptionMethod>
                <KeyInfo 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue>fOgGM...Ixw==</e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                    <e:DataReference URI="#_2"/>
                </e:ReferenceList>
            </e:EncryptedKey>
            <o:BinarySecurityToken u:Id="uuid-792fca62-dad8-442e-b720-d52f48768dd0-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIFf...O2A8=</o:BinarySecurityToken>
            <Signature 
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>0OiBt3eXZek5bJ9d9CFsduwbtQVoFY3DvFqxfnQz7Dg=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>PtcCDNfz7ocVM86qgSnDFnUUJnVz6E884Ll9QeV6Wfg=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-792fca62-dad8-442e-b720-d52f48768dd0-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>SezODccgkQ2rfYtKfSxAC14igVpLxbfQtKChSddDf+c=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>j6XPB.../ow==</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
            <u:Timestamp u:Id="uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
                <u:Created>2017-11-06T20:43:29.722Z</u:Created>
                <u:Expires>2017-11-06T20:48:29.722Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body u:Id="_1" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
            xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <e:CipherData>
                <e:CipherValue>L7f+O...Rw7jHL</e:CipherValue>
            </e:CipherData>
        </e:EncryptedData>
    </s:Body>
</s:Envelope>

Однако при получении ответа:

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope 
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header>
        <wsse:Security 
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
            <ns1:EncryptedKey 
                xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="18iq0thuJbDO21Gk">
                <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <ns2:DigestMethod 
                        xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </ns1:EncryptionMethod>
                <ns3:KeyInfo 
                    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference 
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_nczorGBwzUSf1PJG">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ns3:KeyInfo>
                <ns1:CipherData>
                    <ns1:CipherValue>VLX9L...jTQ==</ns1:CipherValue>
                </ns1:CipherData>
                <ns1:ReferenceList>
                    <ns1:DataReference URI="#XgzvGdpjeeFiU0AH"/>
                </ns1:ReferenceList>
            </ns1:EncryptedKey>
            <wsse11:SignatureConfirmation 
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sigconf_gF2mG4MS0QT3gGyg" Value="j6XPB.../ow=="/>
            <dsig:Signature 
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:SignedInfo>
                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <dsig:Reference URI="#Timestamp_be1msZa7e60oVdtW">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>mWxC8kSZIGKE1KTyVWbr2YgOmE1UqVNV3lS4vdM4kdM=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#Body_fr2ndXxiUtwuP3Y2">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>ZztOfa8rAv2aaMUxxKaYAPgUbEfIZRe/1ZRgPacmAlc=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#sigconf_gF2mG4MS0QT3gGyg">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>AfX4C1zXqAIX1pEHPw7PHEhf/g/8JWACJqgX7p63RkI=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#str_RLjzz112Lwz91VZF">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </wsse:TransformationParameters>
                            </dsig:Transform>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue>
                    </dsig:Reference>
                </dsig:SignedInfo>
                <dsig:SignatureValue>xlVJb...EPZg==</dsig:SignatureValue>
                <dsig:KeyInfo>
                    <wsse:SecurityTokenReference 
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_RLjzz112Lwz91VZF">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
            </dsig:Signature>
            <wsu:Timestamp 
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp_be1msZa7e60oVdtW">
                <wsu:Created>2017-11-06T20:43:30Z</wsu:Created>
                <wsu:Expires>2017-11-06T20:44:30Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </env:Header>
    <S:Body 
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body_fr2ndXxiUtwuP3Y2">
        <ns1:EncryptedData 
            xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="XgzvGdpjeeFiU0AH" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml">
            <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ns1:CipherData>
                <ns1:CipherValue>GT08G...PqanY</ns1:CipherValue>
            </ns1:CipherData>
        </ns1:EncryptedData>
    </S:Body>
</S:Envelope>

Тест клиента завершается с ошибкой:

Test Name:  TestMethod_CodedCustomBinding
Test FullName:  Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding
Test Source:    C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs : line 207
Test Outcome:   Failed
Test Duration:  0:00:00.9372511

Result StackTrace:  
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
   at System.IdentityModel.SignedXml.CompleteSignatureVerification()
   at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
 --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request)
   at Integration.ServiceClient.TestServiceClient.ServiceWsClient.Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 994
   at Integration.ServiceClient.TestServiceClient.ServiceWsClient.notify(Int64 idNotification) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 1000
   at Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding() in C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs:line 212
Result Message: 
Test method Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding threw exception: 
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#str_RLjzz112Lwz91VZF' URI in the signature to compute the digest.

Однако URI присутствует в теге SecurityTokenReference внутри тега Signature > KeyInfo. Любая идея о том, почему эта ссылка не найдена во время проверки подписи, и что можно сделать, чтобы устранить эту ошибку?


c# wcf soap ws-security xml-signature
person Guillermo Gutiérrez    schedule 07.11.2017    source источник

Ответы (1)


arrow_upward
0
arrow_downward

Пожалуйста, обрати внимание:

Вы не можете использовать CertificateOverTransport и подписывать тело сообщения.

WCF не допустит этого, если вы это делаете.

в этом случае попробуйте использовать MutualCertificateDuplex и измените уровень защиты на none: ProtectionLevel.None если вы не заинтересованы в подписании ответа.

Если это не удается, попробуйте добавить пользовательскую привязку к вашему WCF:

<customBinding>
        <binding name="NewBinding0">
            <textMessageEncoding messageVersion="Soap11" />
            <security authenticationMode="MutualCertificateDuplex" includeTimestamp="false"
                messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                <secureConversationBootstrap />
            </security>
            <httpTransport />
        </binding>
</customBinding>

Это позволит правильно обработать ваш сертификат.

person Barr J    schedule 12.11.2017