WSSE 与 wss4j 对比:另一个 SOAP 签名问题
wsse vs. wss4j: another SOAP signing issue
我需要创建一个与 wss4j 服务通信的 SOAP 客户端。
预期的 SOAP 消息如下:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<!-- Expected request as the WSS4J service wants it. The SOAP 1.2 envelope namespace is bound twice (prefixes soap and env); mustUnderstand uses the lexical form "true". -->
<env:Header xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="true">
<!-- Signing certificate carried inline as a base64 X.509v3 token; KeyInfo below refers to it by this wsu:Id. The value shown here is abbreviated. -->
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-2BF68C14B752C6AF9D13976577086141">R9lpib3+Lv9g0Gorz/5XQ==
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-3">
<ds:SignedInfo>
<!-- Exclusive C14N with an explicit InclusiveNamespaces PrefixList. The message WCF generates (further down the page) carries no InclusiveNamespaces element; that is one of the differences the question lists. -->
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:CanonicalizationMethod>
<!-- rsa-sha256, whereas the generated message uses rsa-sha1. The follow-up reports that defaultAlgorithmSuite="Basic256Sha256" produces this algorithm. -->
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<!-- First signed part: the Timestamp (wsu:Id="TS-1"). Digests are SHA-1 in both this and the generated message. -->
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ZKmbm/i1rJBrORIQCA5eIu9mNAk=</ds:DigestValue>
</ds:Reference>
<!-- Second signed part: the Body (wsu:Id="id-2"), so the payload is integrity-protected along with the Timestamp. -->
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>RkeIc2YhRTxMQ/Wwm4gNHypLx24=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>O6ume5TiYL1t1KZrv6I7rpSCcF82yAu4FzkvcqYvQ2X1qxy/A==
</ds:SignatureValue>
<!-- KeyInfo points back at the BinarySecurityToken above via a SecurityTokenReference/Reference with matching URI and ValueType. -->
<ds:KeyInfo Id="KI-2BF68C14B752C6AF9D13976577086302">
<wsse:SecurityTokenReference wsu:Id="STR-2BF68C14B752C6AF9D13976577086303">
<wsse:Reference URI="#X509-2BF68C14B752C6AF9D13976577086141"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<!-- Timestamp is covered by the signature (Reference URI="#TS-1"). Expires is five minutes after Created, which bounds the window in which a receiver that enforces Expires will accept this message. -->
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2014-04-16T14:15:08.599Z</wsu:Created>
<wsu:Expires>2014-04-16T14:20:08.599Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</env:Header>
<!-- Body carries the wsu:Id referenced by the second ds:Reference; the operation element is namespaced (ns2). -->
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-2">
<ns2:getBatchStatus xmlns:ns2="http://earsiv.vedop3.ggm.gov.org/">
<paketId>1</paketId>
</ns2:getBatchStatus>
</soap:Body>
</soap:Envelope>
我有以下内容:
.config 文件是:
<customBinding>
<binding name="EArsivWsServiceSoapBinding">
<!-- defaultAlgorithmSuite="Basic256" yields rsa-sha1 as the SignatureMethod in the generated message shown further down; the follow-up on this page reports that "Basic256Sha256" yields the rsa-sha256 the target expects.
     NOTE(review): enableUnsecuredResponse="true" lets the client accept a response that carries no security header; confirm that is intended for this service.
     securityHeaderLayout="LaxTimestampLast" matches the expected message, where wsu:Timestamp is the last child of wsse:Security. -->
<security includeTimestamp="true" authenticationMode="MutualCertificateDuplex" defaultAlgorithmSuite="Basic256" requireDerivedKeys="false" enableUnsecuredResponse="true" securityHeaderLayout="LaxTimestampLast" messageProtectionOrder="SignBeforeEncrypt" keyEntropyMode="ClientEntropy" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
</security>
<!-- Soap12 matches the 2003/05 envelope namespace used by the expected message. -->
<textMessageEncoding messageVersion="Soap12"></textMessageEncoding>
<httpsTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" transferMode="Buffered" hostNameComparisonMode="StrongWildcard" />
</binding>
</customBinding>
配置中引用了一个保存在 USB 令牌上的证书,登录时会提示输入 PIN 码:
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<!-- Client signing certificate is selected from the CurrentUser/My store by thumbprint; per the question, the private key lives on a USB token that prompts for a PIN at sign time. -->
<clientCertificate storeLocation="CurrentUser" storeName="My" findValue="ddb10d5ef9ed14dada536ee144bd047ce42a1af8" x509FindType="FindByThumbprint" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
服务接口有:
[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(ProtectionLevel = ProtectionLevel.Sign)]
public interface SampleWs
{
...
但实际生成的 SOAP 消息是:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- Message actually generated by WCF from the customBinding above; the service rejects it with an InvalidSecurity fault. -->
<s:Header>
<!-- mustUnderstand="1" here versus "true" in the expected message; both are valid xs:boolean lexical forms. -->
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-8bb4deea-8fd2-42ff-af9a-5f97fa33e6f0-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..blah blah base64 content..</o:BinarySecurityToken>
<!-- Signature elements use the default namespace (xmlns="...xmldsig#") instead of the ds prefix; the names are namespace-equivalent to the expected message. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<!-- No InclusiveNamespaces child here, unlike the expected message. -->
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- rsa-sha1, produced by defaultAlgorithmSuite="Basic256"; the expected message uses rsa-sha256. -->
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- Body (u:Id="_1") and Timestamp are both signed, matching the parts covered in the expected message. -->
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>Ng/QkiXSRDBasCcQjf35pp51ufw=</DigestValue>
</Reference>
<Reference URI="#uuid-6ba044ea-3722-4eba-aabe-2f7afd012845-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>UdHyzU42q875NM1/W8pOW1QB+Pc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>.. blah blah a long base64 content..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-8bb4deea-8fd2-42ff-af9a-5f97fa33e6f0-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<!-- Timestamp placed after the Signature, consistent with securityHeaderLayout="LaxTimestampLast" in the binding. -->
<u:Timestamp u:Id="uuid-6ba044ea-3722-4eba-aabe-2f7afd012845-1">
<u:Created>2015-09-15T22:17:11.416Z</u:Created>
<u:Expires>2015-09-15T22:22:11.416Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<!-- NOTE(review): getBatchStatus has no namespace here, whereas the expected message places it in http://earsiv.vedop3.ggm.gov.org/; this difference is not in the question's list and is worth checking against the service contract as well. -->
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<getBatchStatus>
<paketId xmlns="">1</paketId>
</getBatchStatus>
</s:Body>
</s:Envelope>
并且服务返回以下错误:
InvalidSecurity An error was discovered processing the <wsse:Security> header.
因此,差异如下:
- mustUnderstand="1",而目标消息中是 mustUnderstand="true"
- SignatureMethod 算法是 "http://www.w3.org/2000/09/xmldsig#rsa-sha1",而目标消息中是 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
- 缺少 InclusiveNamespaces 标签
我的问题是:
如何通过 .config 配置精确地生成目标 SOAP 消息?
这个错误是由这些差异造成的吗?
您能解释一下导致该错误的原因以及如何消除它吗?
感谢您的帮助。
解决方法:使用 defaultAlgorithmSuite="Basic256Sha256" 后,生成的消息中得到了目标 SOAP 所要求的 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"。谢谢。
我需要创建一个与 wss4j 服务通信的 SOAP 客户端。
预期的 SOAP 消息如下:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<!-- Expected request as the WSS4J service wants it. The SOAP 1.2 envelope namespace is bound twice (prefixes soap and env); mustUnderstand uses the lexical form "true". -->
<env:Header xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="true">
<!-- Signing certificate carried inline as a base64 X.509v3 token; KeyInfo below refers to it by this wsu:Id. The value shown here is abbreviated. -->
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-2BF68C14B752C6AF9D13976577086141">R9lpib3+Lv9g0Gorz/5XQ==
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-3">
<ds:SignedInfo>
<!-- Exclusive C14N with an explicit InclusiveNamespaces PrefixList. The message WCF generates (further down the page) carries no InclusiveNamespaces element; that is one of the differences the question lists. -->
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:CanonicalizationMethod>
<!-- rsa-sha256, whereas the generated message uses rsa-sha1. The follow-up reports that defaultAlgorithmSuite="Basic256Sha256" produces this algorithm. -->
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<!-- First signed part: the Timestamp (wsu:Id="TS-1"). Digests are SHA-1 in both this and the generated message. -->
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ZKmbm/i1rJBrORIQCA5eIu9mNAk=</ds:DigestValue>
</ds:Reference>
<!-- Second signed part: the Body (wsu:Id="id-2"), so the payload is integrity-protected along with the Timestamp. -->
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>RkeIc2YhRTxMQ/Wwm4gNHypLx24=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>O6ume5TiYL1t1KZrv6I7rpSCcF82yAu4FzkvcqYvQ2X1qxy/A==
</ds:SignatureValue>
<!-- KeyInfo points back at the BinarySecurityToken above via a SecurityTokenReference/Reference with matching URI and ValueType. -->
<ds:KeyInfo Id="KI-2BF68C14B752C6AF9D13976577086302">
<wsse:SecurityTokenReference wsu:Id="STR-2BF68C14B752C6AF9D13976577086303">
<wsse:Reference URI="#X509-2BF68C14B752C6AF9D13976577086141"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<!-- Timestamp is covered by the signature (Reference URI="#TS-1"). Expires is five minutes after Created, which bounds the window in which a receiver that enforces Expires will accept this message. -->
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2014-04-16T14:15:08.599Z</wsu:Created>
<wsu:Expires>2014-04-16T14:20:08.599Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</env:Header>
<!-- Body carries the wsu:Id referenced by the second ds:Reference; the operation element is namespaced (ns2). -->
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-2">
<ns2:getBatchStatus xmlns:ns2="http://earsiv.vedop3.ggm.gov.org/">
<paketId>1</paketId>
</ns2:getBatchStatus>
</soap:Body>
</soap:Envelope>
我有以下内容:
.config 文件是:
<customBinding>
<binding name="EArsivWsServiceSoapBinding">
<!-- defaultAlgorithmSuite="Basic256" yields rsa-sha1 as the SignatureMethod in the generated message shown further down; the follow-up on this page reports that "Basic256Sha256" yields the rsa-sha256 the target expects.
     NOTE(review): enableUnsecuredResponse="true" lets the client accept a response that carries no security header; confirm that is intended for this service.
     securityHeaderLayout="LaxTimestampLast" matches the expected message, where wsu:Timestamp is the last child of wsse:Security. -->
<security includeTimestamp="true" authenticationMode="MutualCertificateDuplex" defaultAlgorithmSuite="Basic256" requireDerivedKeys="false" enableUnsecuredResponse="true" securityHeaderLayout="LaxTimestampLast" messageProtectionOrder="SignBeforeEncrypt" keyEntropyMode="ClientEntropy" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
</security>
<!-- Soap12 matches the 2003/05 envelope namespace used by the expected message. -->
<textMessageEncoding messageVersion="Soap12"></textMessageEncoding>
<httpsTransport maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" transferMode="Buffered" hostNameComparisonMode="StrongWildcard" />
</binding>
</customBinding>
配置中引用了一个保存在 USB 令牌上的证书,登录时会提示输入 PIN 码:
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior">
<clientCredentials>
<!-- Client signing certificate is selected from the CurrentUser/My store by thumbprint; per the question, the private key lives on a USB token that prompts for a PIN at sign time. -->
<clientCertificate storeLocation="CurrentUser" storeName="My" findValue="ddb10d5ef9ed14dada536ee144bd047ce42a1af8" x509FindType="FindByThumbprint" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
服务接口有:
[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(ProtectionLevel = ProtectionLevel.Sign)]
public interface SampleWs
{
...
但实际生成的 SOAP 消息是:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- Message actually generated by WCF from the customBinding above; the service rejects it with an InvalidSecurity fault. -->
<s:Header>
<!-- mustUnderstand="1" here versus "true" in the expected message; both are valid xs:boolean lexical forms. -->
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-8bb4deea-8fd2-42ff-af9a-5f97fa33e6f0-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..blah blah base64 content..</o:BinarySecurityToken>
<!-- Signature elements use the default namespace (xmlns="...xmldsig#") instead of the ds prefix; the names are namespace-equivalent to the expected message. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<!-- No InclusiveNamespaces child here, unlike the expected message. -->
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- rsa-sha1, produced by defaultAlgorithmSuite="Basic256"; the expected message uses rsa-sha256. -->
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- Body (u:Id="_1") and Timestamp are both signed, matching the parts covered in the expected message. -->
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>Ng/QkiXSRDBasCcQjf35pp51ufw=</DigestValue>
</Reference>
<Reference URI="#uuid-6ba044ea-3722-4eba-aabe-2f7afd012845-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>UdHyzU42q875NM1/W8pOW1QB+Pc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>.. blah blah a long base64 content..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-8bb4deea-8fd2-42ff-af9a-5f97fa33e6f0-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<!-- Timestamp placed after the Signature, consistent with securityHeaderLayout="LaxTimestampLast" in the binding. -->
<u:Timestamp u:Id="uuid-6ba044ea-3722-4eba-aabe-2f7afd012845-1">
<u:Created>2015-09-15T22:17:11.416Z</u:Created>
<u:Expires>2015-09-15T22:22:11.416Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<!-- NOTE(review): getBatchStatus has no namespace here, whereas the expected message places it in http://earsiv.vedop3.ggm.gov.org/; this difference is not in the question's list and is worth checking against the service contract as well. -->
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<getBatchStatus>
<paketId xmlns="">1</paketId>
</getBatchStatus>
</s:Body>
</s:Envelope>
并且服务返回以下错误:
InvalidSecurity An error was discovered processing the <wsse:Security> header.
因此,差异如下:
- mustUnderstand="1",而目标消息中是 mustUnderstand="true"
- SignatureMethod 算法是 "http://www.w3.org/2000/09/xmldsig#rsa-sha1",而目标消息中是 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
- 缺少 InclusiveNamespaces 标签
我的问题是:
如何通过 .config 配置精确地生成目标 SOAP 消息?
这个错误是由这些差异造成的吗?
您能解释一下导致该错误的原因以及如何消除它吗?
感谢您的帮助。
解决方法:使用 defaultAlgorithmSuite="Basic256Sha256" 后,生成的消息中得到了目标 SOAP 所要求的 "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"。谢谢。