WCF WS2007FederationHttpBinding 与 HTTPS

WCF WS2007FederationHttpBinding with HTTPS

我在尝试连接到 HTTPS 代理后面的 WCF API 时遇到以下错误:

名称为 'CN=hostname' 的服务器证书未能通过身份验证,因为其指纹 ('X') 与端点身份 ('Y') 中指定的指纹不匹配。因此,当前的 HTTPS 请求已失败。请更新客户端使用的终结点标识或服务器使用的证书。

其中 X 是代理使用的证书的指纹,Y 是服务使用的证书的指纹

问题是我设法从 STS 获得了一个令牌,但之后我无法执行任何 Web 服务调用。

我使用本地 SSL 代理在我的 PC 上重现了该问题,代理上使用的证书在我的 PC 上是受信任的。使用 HTTP 时一切正常。

我搜索了几天的解决方案,我注意到这篇知识库文章接近我的问题但不再适用(我是 运行 .Net 4.5 中的示例和服务器):https://support.microsoft.com/en-us/kb/2564823

我错过了什么?

代码如下:

class Program
{
    static void Main(string[] args)
    {
        Thread.CurrentThread.CurrentUICulture = new CultureInfo("en-us");

        string serverUrl = ConfigurationManager.AppSettings["ServerURL"];
        GenericXmlSecurityToken token = GetToken(serverUrl);

        Console.WriteLine("Token Received");
        Console.WriteLine(token);

        TestServiceClient client = CreateClient(serverUrl, token);

        try
        {
            client.SearchSomething();

            Console.WriteLine("SearchSomething succeeded");
        }
        catch (Exception e)
        {
            Console.WriteLine("SearchSomething failed :" + e);
        }

        Console.ReadLine();

    }

    private static TestServiceClient CreateClient(string serverUrl, GenericXmlSecurityToken token)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message)
        {
            MaxReceivedMessageSize = int.MaxValue,
            MaxBufferPoolSize = int.MaxValue
        };

        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
        binding.Security.Message.NegotiateServiceCredential = false;

        binding.ReaderQuotas.MaxDepth = int.MaxValue;
        binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
        binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
        binding.ReaderQuotas.MaxBytesPerRead = int.MaxValue;
        binding.ReaderQuotas.MaxNameTableCharCount = int.MaxValue;

        var uri = new Uri(serverUrl + "Test.Service/Test.Service.svc");

        var identity = new X509CertificateEndpointIdentity(new X509Certificate2(ConfigurationManager.AppSettings["ServiceCertificate"], ConfigurationManager.AppSettings["ServiceCertificatePassword"]));

        var client = new TestServiceClient(binding, new EndpointAddress(uri, identity));
        client.ClientCredentials.SupportInteractive = false;

        var customBinding = new CustomBinding();
        var bindingElements = binding.CreateBindingElements();

        if (serverUrl.Contains("https"))
        {
            bindingElements.Remove<HttpTransportBindingElement>();

            bindingElements.Add(new HttpsTransportBindingElement() { MaxReceivedMessageSize = int.MaxValue });
        }
        customBinding.Elements.AddRange(bindingElements.ToArray());

        client.Endpoint.Binding = customBinding;

        var clientCredentials = new SamlClientCredentials(token, client.ClientCredentials);
        client.Endpoint.Behaviors.Remove<ClientCredentials>();
        client.Endpoint.Behaviors.Add(clientCredentials);

        return client;
    }

    private static GenericXmlSecurityToken GetToken(string serverUrl)
    {
        string username = ConfigurationManager.AppSettings["Username"];
        string password = ConfigurationManager.AppSettings["Password"];
        string identityDnsName = ConfigurationManager.AppSettings["IdentityDnsName"];
        string ClientCertificate = ConfigurationManager.AppSettings["ClientCertificate"];
        string ClientCertificatePassword = ConfigurationManager.AppSettings["ClientCertificatePassword"];
        string ServiceCertificate = ConfigurationManager.AppSettings["ServiceCertificate"];
        string ServiceCertificatePassword = ConfigurationManager.AppSettings["ServiceCertificatePassword"];

        var stsUrl = serverUrl + "Security.Sts/Security.Sts.svc";

        GenericXmlSecurityToken token = null;

        try
        {
            var customBinding = new CustomBinding();

            var securityBindingElement =
                (SymmetricSecurityBindingElement) SecurityBindingElement.CreateMutualCertificateBindingElement();
            securityBindingElement.SetKeyDerivation(true);
            securityBindingElement.MessageSecurityVersion =
                MessageSecurityVersion
                    .WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            securityBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            securityBindingElement.RequireSignatureConfirmation = false;

            var securityTokenParameters = new UserNameSecurityTokenParameters()
            {
                InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
                RequireDerivedKeys = false
            };
            securityBindingElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(securityTokenParameters);
            customBinding.Elements.Add(securityBindingElement);

            if (serverUrl.StartsWith("http:"))
                customBinding.Elements.Add(new HttpTransportBindingElement()
                {
                    MaxReceivedMessageSize = int.MaxValue,
                    MaxBufferPoolSize = int.MaxValue,
                    MaxBufferSize = int.MaxValue
                });
            else if (serverUrl.StartsWith("https:"))
                customBinding.Elements.Add(new HttpsTransportBindingElement()
                {
                    MaxReceivedMessageSize = int.MaxValue,
                    MaxBufferPoolSize = int.MaxValue,
                    MaxBufferSize = int.MaxValue
                });

            var stsChannelFactory = new WSTrustChannelFactory(customBinding,
                new EndpointAddress(new Uri(stsUrl), new DnsEndpointIdentity(identityDnsName)));

            stsChannelFactory.Credentials.SupportInteractive = false;

            stsChannelFactory.Credentials.ClientCertificate.Certificate = new X509Certificate2(ClientCertificate,
                ClientCertificatePassword);
            stsChannelFactory.Credentials.ServiceCertificate.DefaultCertificate =
                new X509Certificate2(ServiceCertificate, ServiceCertificatePassword);
            stsChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.None;

            stsChannelFactory.Credentials.UserName.UserName = username;
            stsChannelFactory.Credentials.UserName.Password = password;

            foreach (OperationDescription operationDescription in stsChannelFactory.Endpoint.Contract.Operations)
            {
                var operationBehavior =
                    operationDescription.Behaviors.Find<DataContractSerializerOperationBehavior>();
                if (operationBehavior != null)
                    operationBehavior.MaxItemsInObjectGraph = int.MaxValue;
            }

            var stsChannel = stsChannelFactory.CreateChannel();

            RequestSecurityToken request = new RequestSecurityToken();
            request.KeyType = "http://schemas.microsoft.com/idfx/keytype/symmetric";
            request.RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue";
            request.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
            token = (GenericXmlSecurityToken) stsChannel.Issue(request);

            return token;
        }
        catch (Exception e)
        {
            Console.WriteLine("GetToken Exception :" + e);
        }
        return token; 
    }
}

internal class SamlClientCredentials : ClientCredentials
{
    public GenericXmlSecurityToken Token { get; private set; }

    public SamlClientCredentials(GenericXmlSecurityToken token, ClientCredentials clientCredentials)
      : base(clientCredentials)
    {
        Token = token;
    }

    protected override ClientCredentials CloneCore()
    {
        return new SamlClientCredentials(Token, this);
    }

    public override SecurityTokenManager CreateSecurityTokenManager()
    {
        return new SamlSecurityTokenManager(this);
    }
}

internal class SamlSecurityTokenManager : ClientCredentialsSecurityTokenManager
{
    private SamlClientCredentials clientCredentials;

    public SamlSecurityTokenManager(SamlClientCredentials clientCredentials)
      : base(clientCredentials)
    {
        this.clientCredentials = clientCredentials;
    }

    public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
    {
        if (tokenRequirement.TokenType == SecurityTokenTypes.Saml || tokenRequirement.TokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")
            return new SamlSecurityTokenProvider(this.clientCredentials.Token);
        return base.CreateSecurityTokenProvider(tokenRequirement);
    }
}

internal class SamlSecurityTokenProvider : SecurityTokenProvider
{
    private readonly GenericXmlSecurityToken token;

    public SamlSecurityTokenProvider(GenericXmlSecurityToken token)
    {
        this.token = token;
    }

    protected override SecurityToken GetTokenCore(TimeSpan timeout)
    {
        return token;
    }
}

正如我对这个问题的评论: 在花费大量时间寻找解决方案之后,由于服务器身份检查,WS2007FederationHttpBinding with Security Mode 'Message' 似乎不适合用于此上下文。仍然可以在 SSL 卸载程序和服务标识上使用相同的证书。

这是我选择保留安全模型并解决我的问题的解决方案