Web 服务中的 c# MessageSecurityException
c# MessageSecurityException in a web service
我有一个网络服务功能,我已经使用了很多年。今天他们给我发了一个新证书,一个 .cer 文件,我插入了它而不是旧的,但我收到了这个错误:
(用 Google 翻译,抱歉)
MessageSecurityException
Failed to complete identity check for outgoing message.
The expected DNS identity of the remote endpoint was 'pddasl-coll.rmmg.rsr.rupar.puglia.it'
but the remote endpoint provided a DNS claim 'pdd-virtasl.rmmg.rsr.rupar.puglia.it'.
If this is a legitimate remote endpoint, you can fix the problem by specifying
explicitly the DNS identity 'pdd-virtasl.rmmg.rsr.rupar.puglia.it'
as the Identity property of EndpointAddress when creating the channel proxy.
我问过 Web 服务的所有者,他们告诉我必须确保忽略该错误,但我不知道如何操作。我尝试在 app.config 中插入:enableUnsecuredResponse = "true" 但没有成功。
这是连接到网络服务的方法:
public static CVPClient Connect()
{
CVPClient oConsist = null;
string cEndPoint = "https://pddasl-coll.rmmg.rsr.rupar.puglia.it:8181/aslba/CVPService";
ServicePointManager.ServerCertificateValidationCallback = Leo.CertificateHandler;
datiOperatore DataOp = Leo.OperatorData();//unimportant parameters
datiApplicativo DataApp = Leo.AppData();//unimportant parameters
var b = new CustomBinding();
var sec = new AsymmetricSecurityBindingElement(
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.Never),
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient));
sec.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
sec.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
sec.IncludeTimestamp = true;
sec.SetKeyDerivation(false);
sec.KeyEntropyMode = System.ServiceModel.Security.SecurityKeyEntropyMode.ServerEntropy;
sec.EnableUnsecuredResponse = true;
b.Elements.Add(sec);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
EndpointAddress ea = new EndpointAddress(cEndPoint);
oConsist = new CVPClient(b, ea);
X509Certificate2 certSigned = Leo.GetSignedCert();//this returns my private certificate, not the one they replaced me
string cPin = "123456";
System.Security.SecureString SecurePIN = new System.Security.SecureString();
foreach (char ch in cPin)
{ SecurePIN.AppendChar(ch); }
var rsa = (RSACryptoServiceProvider)certSigned.PrivateKey;
string ContinerName = rsa.CspKeyContainerInfo.KeyContainerName;
string CspName = rsa.CspKeyContainerInfo.ProviderName;
int CspType = rsa.CspKeyContainerInfo.ProviderType;
CspParameters csp = new CspParameters(CspType, CspName, ContinerName, new System.Security.AccessControl.CryptoKeySecurity(), SecurePIN);
RSACryptoServiceProvider CSP = new RSACryptoServiceProvider(csp);
X509Certificate2 certUnsigned = Leo.GetUnSignedCertificate();//Here I read the new certificate
oConsist.ClientCredentials.ClientCertificate.Certificate = certSigned;
oConsist.ClientCredentials.ServiceCertificate.DefaultCertificate = certUnsigned;
oConsist.Open();
return oConsist;
}
正如你在这里看到的,我插入了 sec.EnableUnsecuredResponse = true;连接成功,但正如我之前所说,调用 Web 服务时出现错误。
我该如何解决这个问题?
更新:
由于错误告诉我明确分配 DNS 身份 'pdd-virtasl.rmmg.rsr.rupar.puglia.it'
作为 EndpointAddress 的身份 属性,我替换了这一行:
EndpointAddress ea = new EndpointAddress(cEndPoint);
有了这个:
DnsEndpointIdentity identity = new DnsEndpointIdentity(cEndPoint);
EndpointAddress ea = new EndpointAddress(new Uri(cEndPoint), identity, new AddressHeaderCollection());
但它不起作用,我得到同样的错误
正确的解法是这样的:
DnsEndpointIdentity identity = new DnsEndpointIdentity("pdd-virtasl.rmmg.rsr.rupar.puglia.it");
EndpointAddress ea = new EndpointAddress(new Uri(cEndPoint), identity, new AddressHeaderCollection());
您必须使用网络服务端点,但在身份中指定证书中包含的端点。
我有一个网络服务功能,我已经使用了很多年。今天他们给我发了一个新证书,一个 .cer 文件,我插入了它而不是旧的,但我收到了这个错误: (用 Google 翻译,抱歉)
MessageSecurityException
Failed to complete identity check for outgoing message.
The expected DNS identity of the remote endpoint was 'pddasl-coll.rmmg.rsr.rupar.puglia.it'
but the remote endpoint provided a DNS claim 'pdd-virtasl.rmmg.rsr.rupar.puglia.it'.
If this is a legitimate remote endpoint, you can fix the problem by specifying
explicitly the DNS identity 'pdd-virtasl.rmmg.rsr.rupar.puglia.it'
as the Identity property of EndpointAddress when creating the channel proxy.
我问过 Web 服务的所有者,他们告诉我必须确保忽略该错误,但我不知道如何操作。我尝试在 app.config 中插入:enableUnsecuredResponse = "true" 但没有成功。
这是连接到网络服务的方法:
public static CVPClient Connect()
{
CVPClient oConsist = null;
string cEndPoint = "https://pddasl-coll.rmmg.rsr.rupar.puglia.it:8181/aslba/CVPService";
ServicePointManager.ServerCertificateValidationCallback = Leo.CertificateHandler;
datiOperatore DataOp = Leo.OperatorData();//unimportant parameters
datiApplicativo DataApp = Leo.AppData();//unimportant parameters
var b = new CustomBinding();
var sec = new AsymmetricSecurityBindingElement(
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.Never),
new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient));
sec.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
sec.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
sec.IncludeTimestamp = true;
sec.SetKeyDerivation(false);
sec.KeyEntropyMode = System.ServiceModel.Security.SecurityKeyEntropyMode.ServerEntropy;
sec.EnableUnsecuredResponse = true;
b.Elements.Add(sec);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
EndpointAddress ea = new EndpointAddress(cEndPoint);
oConsist = new CVPClient(b, ea);
X509Certificate2 certSigned = Leo.GetSignedCert();//this returns my private certificate, not the one they replaced me
string cPin = "123456";
System.Security.SecureString SecurePIN = new System.Security.SecureString();
foreach (char ch in cPin)
{ SecurePIN.AppendChar(ch); }
var rsa = (RSACryptoServiceProvider)certSigned.PrivateKey;
string ContinerName = rsa.CspKeyContainerInfo.KeyContainerName;
string CspName = rsa.CspKeyContainerInfo.ProviderName;
int CspType = rsa.CspKeyContainerInfo.ProviderType;
CspParameters csp = new CspParameters(CspType, CspName, ContinerName, new System.Security.AccessControl.CryptoKeySecurity(), SecurePIN);
RSACryptoServiceProvider CSP = new RSACryptoServiceProvider(csp);
X509Certificate2 certUnsigned = Leo.GetUnSignedCertificate();//Here I read the new certificate
oConsist.ClientCredentials.ClientCertificate.Certificate = certSigned;
oConsist.ClientCredentials.ServiceCertificate.DefaultCertificate = certUnsigned;
oConsist.Open();
return oConsist;
}
正如你在这里看到的,我插入了 sec.EnableUnsecuredResponse = true;连接成功,但正如我之前所说,调用 Web 服务时出现错误。 我该如何解决这个问题?
更新: 由于错误告诉我明确分配 DNS 身份 'pdd-virtasl.rmmg.rsr.rupar.puglia.it' 作为 EndpointAddress 的身份 属性,我替换了这一行:
EndpointAddress ea = new EndpointAddress(cEndPoint);
有了这个:
DnsEndpointIdentity identity = new DnsEndpointIdentity(cEndPoint);
EndpointAddress ea = new EndpointAddress(new Uri(cEndPoint), identity, new AddressHeaderCollection());
但它不起作用,我得到同样的错误
正确的解法是这样的:
DnsEndpointIdentity identity = new DnsEndpointIdentity("pdd-virtasl.rmmg.rsr.rupar.puglia.it");
EndpointAddress ea = new EndpointAddress(new Uri(cEndPoint), identity, new AddressHeaderCollection());
您必须使用网络服务端点,但在身份中指定证书中包含的端点。