WCF Service MessageSecurityException security header element with 'Timestamp' with the '' id must be signed

We are creating a WCF service that must conform to a pre-defined WSDL. One of the requirements is that the timestamp, all WS-Addressing headers and the message body should be signed.

To that end we added the following CustomBinding:

        var secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        secBE.EnableUnsecuredResponse = true;
        secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
        secBE.IncludeTimestamp = true;
        secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;

        secBE.AllowSerializedSigningTokenOnReply = true;
        secBE.RecipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;

        //Create binding element for encoding
        var mtomBE = new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);

        //Create binding element for transport
        var httpsBE = new HttpsTransportBindingElement();
        httpsBE.RequireClientCertificate = false;
        httpsBE.AuthenticationScheme = AuthenticationSchemes.Anonymous;

        CustomBinding binding = new CustomBinding();
        binding.Elements.Add(secBE);
        binding.Elements.Add(mtomBE);
        binding.Elements.Add(httpsBE);

A client certificate is used, but we host the endpoint on Azure, where the certificate is moved into the 'X-ARR-ClientCert' header, so we cannot use the built-in certificate validator that is enabled with RequireClientCertificate = true.

I enabled tracing, and the following exception is thrown when a request from the client is received:

<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The security header element 'Timestamp' with the 'wssecurity_signature_id_1803' id must be signed.</Message>

Looking at the request message, it contains the following headers:

<MessageHeaders>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <wsse:BinarySecurityToken>
            <!-- Removed-->
        </wsse:BinarySecurityToken>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces PrefixList="ds soapenc soapenv wsa wsse xsd xsi "
                        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                </ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                <ds:Reference URI="#wssecurity_signature_id_1799">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1800">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1801">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="p324 soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1802">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1803">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsse wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#wssecurity_signature_id_1804">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue><!-- Removed--></ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue><!-- Removed--></ds:SignatureValue>
            <ds:KeyInfo>
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#x509bst_1805" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
        <wsu:Timestamp wsu:Id="wssecurity_signature_id_1803"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
        </wsu:Timestamp>
    </wsse:Security>
    <wsa:To wsu:Id="wssecurity_signature_id_1802"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:To>
    <wsa:Action wsu:Id="wssecurity_signature_id_1804"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:Action>
    <wsa:MessageID wsu:Id="wssecurity_signature_id_1799"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:44bf184f-c7af-4efc-9385-cda168692d60</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="wssecurity_signature_id_1800"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
    </wsa:ReplyTo>
</MessageHeaders>

I have no control over the request message sent to our WCF service, so everything must be fixed server-side. Why is the timestamp not detected as signed?

I changed a few things and it started working. First, on the AsymmetricSecurityBindingElement:

  • Set EnableUnsecuredResponse to false.
  • Added SecurityHeaderLayout, which defaults to 'Strict', and set it to 'SecurityHeaderLayout.LaxTimestampLast'.

Then I added a custom MessageEncodingBindingElement that implements a custom MessageEncoder. This encoder adds the To and MessageID headers, although I don't think that was the problem.
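A small diagnostic for the header shape in the question, added here as an example and not part of the original question or answer: it checks whether the Timestamp's wsu:Id is among the signed ds:Reference URIs and whether the Timestamp sits before or after the Signature, the element order that the SecurityHeaderLayout setting from the answer controls. The sample header is a constructed reduction of the one captured in the question (values removed, two of the six References kept); on it the Timestamp is referenced by the signature yet placed after it, the order LaxTimestampLast accepts.

```python
"""Diagnose a WS-Security header: is the Timestamp covered by the signature,
and does it appear before or after the Signature element?"""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the question's header reduced to the parts that matter
# (token, digest and signature values removed; two of the six References kept).
SAMPLE = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:ds="{NS['ds']}">
  <wsse:BinarySecurityToken wsu:Id="x509bst_1805">REMOVED</wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#wssecurity_signature_id_1802"/>
      <ds:Reference URI="#wssecurity_signature_id_1803"/>
    </ds:SignedInfo>
    <ds:SignatureValue>REMOVED</ds:SignatureValue>
  </ds:Signature>
  <wsu:Timestamp wsu:Id="wssecurity_signature_id_1803">
    <wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
  </wsu:Timestamp>
</wsse:Security>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def analyze_security_header(xml_text):
    """Return the ids the signature covers, the Timestamp id, whether it is
    covered, and which SecurityHeaderLayout the element order is consistent with."""
    root = ET.fromstring(xml_text)
    signed = {ref.get("URI", "").lstrip("#")
              for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    order = [local_name(child.tag) for child in root]  # top-level header children
    ts = root.find("wsu:Timestamp", NS)
    ts_id = ts.get("{%s}Id" % NS["wsu"]) if ts is not None else None
    if ts is None or "Signature" not in order:
        layout = "undetermined"
    elif order.index("Timestamp") < order.index("Signature"):
        layout = "Strict or LaxTimestampFirst"   # timestamp declared before use
    else:
        layout = "LaxTimestampLast"               # timestamp after the signature
    return {"timestamp_id": ts_id, "timestamp_signed": ts_id in signed,
            "signed_ids": sorted(signed), "layout": layout}


if __name__ == "__main__":
    print(analyze_security_header(SAMPLE))
```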