zai*_*orx 2 c# wcf ws-security client soap
I have been assigned to write a client for a web service. I have no prior experience with web services and have been trying without success.

The web service is hosted at https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService

I was able to generate the proxy classes with Visual Studio 2012 and build a basic client, which the service rejects because it does not include any of the security specifications the service requires.

The following is taken from the documentation, available from http://www.health.gov.on.ca/en/pro/publications/ohip/default.aspx

The WS-Security section includes:
Technical specifications for WSS 1.1
• identity requirements;
• signature requirements;
• encryption requirements; and
• timestamp

IDP
To ensure the confidentiality and integrity of sensitive information in the message, the sending software must sign the SOAP header and body using public-key technology.
The signing certificate can be any available certificate and may be self-signed.
If any response data is specified to be encrypted according to the specific web service technical specification, the data will be encrypted with at least the AES128-CBC symmetric encryption algorithm together with the public key belonging to the signer of the initial SOAP request. Encryption algorithms may be added according to the specific web service technical specification.

My goal is to create a WCF client that can access this service. This is what I have done so far, but it does not work:
This example tries to upload a file to the server:
```csharp
using System;
using System.IO;
using System.ServiceModel;
using Microsoft.Web.Services3.Security.Tokens; // WSE 3.0 UsernameToken

class EdtUploader
{
    EndpointAddress address = new EndpointAddress("https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService");
    //MCEDT userID and password
    string userId = "abcdefg";
    string password = "password";
    //MOH Id
    string mohId = "123456";
    //Vendor Conformance Key
    string key = "1234abcd-eeee-aaaa-ffff-abcdef123456";
    //sample claim file name (placeholder; not declared in the original snippet)
    string claim_file = "claim.txt";

    public void upload()
    {
        Console.WriteLine("Uploading....");
        //Specify the binding to be used for the client.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);

        binding.SendTimeout = new TimeSpan(0, 10, 0);
        //WSE token; nothing below hands it to the WCF client
        UsernameToken ut = new UsernameToken(userId, password, PasswordOption.SendHashed);

        EDTDelegateClient client = new EDTDelegateClient(binding, address);

        //Capture before send and after receive events
        client.Endpoint.Behaviors.Add(new InspectorBehavior());

        ebs_header EBS = new ebs_header();
        EBS.AuditId = "123456789";
        EBS.SoftwareConformanceKey = key; //was 'confomanceKey', which is declared nowhere

        //The MCEDT service will only support the IDP security model in its first release.
        idp_header IDP = new idp_header();
        IDP.ServiceUserMUID = mohId;

        msa_header MSA = new msa_header();
        MSA.UserID = userId;

        //data to upload
        //sample claim provided by OHIP
        uploadData data = new uploadData();
        data.description = claim_file;
        data.content = File.ReadAllBytes(@"..\..\" + claim_file);

        uploadRequest ur = new uploadRequest();
        ur.upload = new uploadData[1];
        ur.upload[0] = data;

        try
        {
            resourceResult result = client.upload(EBS, MSA, IDP, ur.upload);
        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
        }
    }
}
```

I believe what I have done so far meets the technical requirements:

"The electronic system constructs a SOAP message with the appropriate values and inserts the EBS and IDP headers into the SOAP message header, which includes the user name and password (for IDP, in a WS-Security UsernameToken). The SOAP header and body are then digitally signed to guarantee the integrity and origin of the message. If the specific web service technical specification specifies that any request data is to be encrypted, it is encrypted using the public key of the EBS system."

But I do not know how to sign the header and body, or how to encrypt the data.
The certificate came with the technical specifications, and we have the correct user name and password. Only my lack of knowledge is holding up the completion of this project.

Thanks in advance for the community's help.

Edit #1: sample message from the documentation:
```xml
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:msa="http://msa.ebs.health.ontario.ca/"
    xmlns:idp="http://idp.ebs.health.ontario.ca/"
    xmlns:edt="http://edt.health.ontario.ca/"
    xmlns:ebs="http://ebs.health.ontario.ca/">
  <soapenv:Header>
    <ebs:EBS wsu:Id="id-4"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <SoftwareConformanceKey>444361ee-277f-7732-c684-7a9923jfgh1b</SoftwareConformanceKey>
      <AuditId>124355467675</AuditId>
    </ebs:EBS>
    <idp:IDP wsu:Id="id-3"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ServiceUserMUID>1111222</ServiceUserMUID>
    </idp:IDP>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509-04FD51796CB607011413612828891871">...</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#UsernameToken-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>peTHpiEd5ujPqxNuKGN0k4p7up8c0dFPuRXbpQ+eMwI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse ebs edt idp msa soapenv"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>DqLqNQVHwzHRx7amwoYxEMwxN2g0/rND2I13WPP1Vhw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt msa soapenv"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>K4IrndAA4zBmkumIfgKcluiKA8dmzwgGdKo5aq45LHg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-4">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="edt idp msa soapenv"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>o92xRJQNwGz0Hv7DX87vSYUScX0qHL/bFGE3GmtUzQg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-5">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt idp msa"
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>svNyvvP+MrjIYlZFsg+bgw//8IPNVvIO9px3vYUfW3I=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          qDSZlgY/aTFOzzo1C4tx+1E8ertrbmBySRxEK6sJ1JCt/77TLV5PBGnAme9Ttdmzf6h7/qb4rBGL
          76LM0PaCQ9xm3DTsSQOz/So82G+/kX8M9TPY9D44+dvlB+cXm9rPn2BLMSVwtJf0kwI22SmRzMTR
          6a6jfNYkGga6ZwZC9NLfG5/KTvsyZ39vOdO3T5GYc15RSjHKVBggoWmKm7x5PHrhU+3gClEbtHP8
          +Fgmmd9PJOtl9WunzR7NpY79xRNGxmDmL8hLvE4+uIc//b6TvrbGB2t8IWb5e5Wdz+ssHgMm0802
          wFwGXlVxvSHpEJroHz5OvRgh7PKGlUSZP9fWkg==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-04FD51796CB607011413612828892812">
          <wsse:SecurityTokenReference wsu:Id="STR-04FD51796CB607011413612828892813">
            <wsse:Reference
                URI="#X509-04FD51796CB607011413612828891871"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsse:UsernameToken wsu:Id="UsernameToken-2">
        <wsse:Username>johndoe@examplemail.com</wsse:Username>
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">****</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2013-02-19T14:08:08Z</wsu:Created>
        <wsu:Expires>2013-02-19T14:08:38Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-5"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <edt:upload>
      <upload>
        <content>
          <inc:Include href="cid:2341682853256" xmlns:inc="http://www.w3.org/2004/08/xop/include" />
        </content>
        <description>00123</description>
        <resourceType>CL</resourceType>
      </upload>
    </edt:upload>
  </soapenv:Body>
</soapenv:Envelope>
```
Edit: see here for a detailed solution that uses this EBS-EDT service.
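The sample message above is what the spec's "sign the SOAP header and body" requirement looks like on the wire: one ds:Reference per wsu:Id-bearing part (UsernameToken, Timestamp, IDP, EBS, Body), exclusive C14N with an InclusiveNamespaces prefix list, SHA-256 digests, an RSA-SHA1 signature, and a KeyInfo that points back at the BinarySecurityToken carrying the signer's certificate. The following added example (written for this page; it is not the question's code and not any OHIP or EBS toolkit) builds a header in that shape with System.Security.Cryptography.Xml, signs it, and then verifies it the way a receiver would, so you can see which bytes the signature actually covers and confirm that a change to the Body breaks it. The class and method names, the wsu:Id values, the placeholder conformance key and the self-signed test certificate are all assumptions made here; the id values and algorithm URIs are the ones from the sample.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class WsSecuritySigner
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    const string B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    const string PwdText = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    const string Sha256 = "http://www.w3.org/2001/04/xmlenc#sha256";

    // SignedXml resolves only Id/id/ID attributes; WS-Security references point at namespaced wsu:Id.
    sealed class WsuSignedXml : SignedXml
    {
        public WsuSignedXml(XmlDocument doc) : base(doc) { }
        public override XmlElement GetIdElement(XmlDocument doc, string id) =>
            base.GetIdElement(doc, id) ?? doc.SelectSingleNode("//*[@wsu:Id='" + id + "']", Ns(doc)) as XmlElement;
    }

    static XmlNamespaceManager Ns(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsse", Wsse); ns.AddNamespace("wsu", Wsu); ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        return ns;
    }

    // Constructed envelope with the sample's header layout and dummy values; credentials are XML-escaped
    // so a crafted user name cannot inject markup into the header.
    public static XmlDocument BuildEnvelope(X509Certificate2 cert, string user, string password)
    {
        string created = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'");
        string expires = DateTime.UtcNow.AddSeconds(30).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'");
        string xml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
            + " xmlns:msa=\"http://msa.ebs.health.ontario.ca/\" xmlns:idp=\"http://idp.ebs.health.ontario.ca/\""
            + " xmlns:edt=\"http://edt.health.ontario.ca/\" xmlns:ebs=\"http://ebs.health.ontario.ca/\""
            + " xmlns:wsu=\"" + Wsu + "\" xmlns:wsse=\"" + Wsse + "\"><soapenv:Header>"
            + "<ebs:EBS wsu:Id=\"id-4\"><SoftwareConformanceKey>CONFORMANCE-KEY-PLACEHOLDER</SoftwareConformanceKey>"
            + "<AuditId>000000000000</AuditId></ebs:EBS><idp:IDP wsu:Id=\"id-3\"><ServiceUserMUID>0000000</ServiceUserMUID></idp:IDP>"
            + "<wsse:Security soapenv:mustUnderstand=\"1\">"
            + "<wsse:BinarySecurityToken wsu:Id=\"X509-1\" EncodingType=\"" + B64 + "\" ValueType=\"" + X509v3 + "\">"
            + Convert.ToBase64String(cert.RawData) + "</wsse:BinarySecurityToken>"
            + "<wsse:UsernameToken wsu:Id=\"UsernameToken-2\"><wsse:Username>" + SecurityElement.Escape(user)
            + "</wsse:Username><wsse:Password Type=\"" + PwdText + "\">" + SecurityElement.Escape(password)
            + "</wsse:Password></wsse:UsernameToken><wsu:Timestamp wsu:Id=\"TS-1\"><wsu:Created>" + created
            + "</wsu:Created><wsu:Expires>" + expires + "</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header>"
            + "<soapenv:Body wsu:Id=\"id-5\"><edt:upload><upload><description>00123</description>"
            + "<resourceType>CL</resourceType></upload></edt:upload></soapenv:Body></soapenv:Envelope>";
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        return doc;
    }

    // One ds:Reference per wsu:Id (exclusive C14N with an InclusiveNamespaces prefix list, SHA-256 digest),
    // RSA-SHA1 as in the sample (prefer rsa-sha256 where the service accepts it), and a KeyInfo that is a
    // SecurityTokenReference pointing at the BinarySecurityToken.
    public static void Sign(XmlDocument doc, X509Certificate2 cert, string[] ids, string prefixList)
    {
        var signed = new WsuSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signed.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signed.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;
        foreach (string id in ids)
        {
            var reference = new Reference("#" + id) { DigestMethod = Sha256 };
            reference.AddTransform(new XmlDsigExcC14NTransform(prefixList));
            signed.AddReference(reference);
        }
        var str = doc.CreateElement("wsse", "SecurityTokenReference", Wsse);
        var tokenRef = (XmlElement)str.AppendChild(doc.CreateElement("wsse", "Reference", Wsse));
        tokenRef.SetAttribute("URI", "#X509-1"); tokenRef.SetAttribute("ValueType", X509v3);
        signed.KeyInfo = new KeyInfo();
        signed.KeyInfo.AddClause(new KeyInfoNode(str));
        signed.ComputeSignature();
        doc.SelectSingleNode("//wsse:Security", Ns(doc)).AppendChild(doc.ImportNode(signed.GetXml(), true));
    }

    // Receiver-side check with the certificate carried in the BinarySecurityToken (no chain build, since
    // self-signed certificates are allowed); whether that certificate is the one registered for the user
    // is a separate policy decision for the caller.
    public static bool Verify(XmlDocument doc, out X509Certificate2 signer)
    {
        var ns = Ns(doc);
        signer = new X509Certificate2(Convert.FromBase64String(doc.SelectSingleNode("//wsse:BinarySecurityToken", ns).InnerText));
        var signed = new WsuSignedXml(doc);
        signed.LoadXml((XmlElement)doc.SelectSingleNode("//ds:Signature", ns));
        return signed.CheckSignature(signer, true);
    }

    public static void Main()
    {
        // Self-signed test certificate (CertificateRequest needs .NET Framework 4.7.2+ or .NET Core 2.0+).
        using (var rsa = RSA.Create(2048))
        {
            var cert = new CertificateRequest("CN=edt-client-test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
            var doc = BuildEnvelope(cert, "johndoe@examplemail.com", "not-a-real-password");
            Sign(doc, cert, new[] { "UsernameToken-2", "TS-1", "id-3", "id-4", "id-5" }, "ebs edt idp msa soapenv");
            Console.WriteLine(Verify(doc, out var signer) ? "signature valid, signer " + signer.Subject : "signature INVALID");
            doc.SelectSingleNode("//*[local-name()='description']").InnerText = "00124"; // tamper with the signed Body
            Console.WriteLine(Verify(doc, out _) ? "tamper NOT detected" : "tamper detected");
        }
    }
}
```

Two things this makes visible that the WCF binding hides: the sample uses a different InclusiveNamespaces list per reference (the signed element's own prefix is left out), which this example collapses into one list because exclusive C14N emits a visibly used prefix exactly once either way; and `Verify` deliberately trusts whatever certificate the message carries, which is fine for an integrity check but not for authentication, so a real receiver must still compare that certificate with the one enrolled for the user in the UsernameToken.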
Since you have both username authentication and X.509 signing, you need to create the binding from code:
```csharp
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

var b = new CustomBinding(); // the binding the elements below are added to
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
    MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
// UsernameToken travels as a signed supporting token alongside the certificate signature
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion =
    MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
sec.IncludeTimestamp = false;
sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;
b.Elements.Add(sec);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
```
Then you need to sign the headers. Assuming you use message contracts (rather than data contracts), where the headers are explicitly marked with the MessageHeader attribute, add the property "ProtectionMode=ProtectionMode.Sign" to it.
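Putting the answer together end to end, as an added example that is neither the question's nor the answer's code: the custom binding above, a message contract whose EBS and IDP headers are marked for signing, and the client credentials that give WCF the signing certificate and the UsernameToken. The contract, header and body types here are hypothetical stand-ins for the Visual Studio-generated proxy types (element names follow the sample message), the SOAP action and the certificate file names are assumptions, and the header signing uses `MessageHeaderAttribute.ProtectionLevel` from `System.Net.Security`, which is the property WCF exposes for this.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Runtime.Serialization;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

// Hypothetical stand-ins for the generated proxy types; element names follow the sample message.
[DataContract(Namespace = "")]
public class EbsHeader
{
    [DataMember(Order = 0)] public string SoftwareConformanceKey { get; set; }
    [DataMember(Order = 1)] public string AuditId { get; set; }
}
[DataContract(Namespace = "")]
public class IdpHeader { [DataMember] public string ServiceUserMUID { get; set; } }
[DataContract(Namespace = "")]
public class UploadData
{
    [DataMember(Order = 0)] public byte[] content { get; set; }
    [DataMember(Order = 1)] public string description { get; set; }
    [DataMember(Order = 2)] public string resourceType { get; set; }
}

// ProtectionLevel.Sign on the contract signs the Body without encrypting it; the same setting on each
// MessageHeader adds a ds:Reference for it, as the sample shows for EBS (#id-4) and IDP (#id-3).
[MessageContract(WrapperName = "upload", WrapperNamespace = "http://edt.health.ontario.ca/", ProtectionLevel = ProtectionLevel.Sign)]
public class UploadRequest
{
    [MessageHeader(Name = "EBS", Namespace = "http://ebs.health.ontario.ca/", ProtectionLevel = ProtectionLevel.Sign)]
    public EbsHeader Ebs { get; set; }
    [MessageHeader(Name = "IDP", Namespace = "http://idp.ebs.health.ontario.ca/", ProtectionLevel = ProtectionLevel.Sign)]
    public IdpHeader Idp { get; set; }
    [MessageBodyMember(Name = "upload", Namespace = "")]
    public UploadData[] Upload { get; set; }
}
[MessageContract(WrapperName = "uploadResponse", WrapperNamespace = "http://edt.health.ontario.ca/", ProtectionLevel = ProtectionLevel.Sign)]
public class UploadResponse { [MessageBodyMember(Name = "return", Namespace = "")] public string Result { get; set; } }

[ServiceContract(Namespace = "http://edt.health.ontario.ca/")]
public interface IEdtService
{
    // The SOAP action is assumed; take the real one from the WSDL or the generated proxy.
    [OperationContract(Action = "http://edt.health.ontario.ca/upload")]
    UploadResponse Upload(UploadRequest request);
}

public static class EdtClient
{
    // Same element stack as the answer: mutual-certificate message security carrying a signed
    // UsernameToken as a supporting token, SOAP 1.1 text encoding, HTTPS transport.
    public static CustomBinding CreateBinding()
    {
        var version = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
        var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(version);
        sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
        // The sample request carries a signed wsu:Timestamp (#TS-1); the answer switches it off, so
        // use whichever setting the service actually accepts.
        sec.IncludeTimestamp = true;
        sec.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
        var binding = new CustomBinding { SendTimeout = TimeSpan.FromMinutes(10) };
        binding.Elements.Add(sec);
        binding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
        binding.Elements.Add(new HttpsTransportBindingElement());
        return binding;
    }

    public static ChannelFactory<IEdtService> CreateFactory(X509Certificate2 clientCert, X509Certificate2 serviceCert, string user, string password)
    {
        var factory = new ChannelFactory<IEdtService>(CreateBinding(),
            new EndpointAddress("https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService"));
        factory.Credentials.ClientCertificate.Certificate = clientCert;          // signs headers and body
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert; // recipient token; DNS identity = host name
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }

    public static void Main()
    {
        // Placeholder file names, key and credentials; the real ones come with the technical specification.
        var factory = CreateFactory(new X509Certificate2("client.pfx", "pfx-password"), new X509Certificate2("service.cer"), "abcdefg", "password");
        var request = new UploadRequest
        {
            Ebs = new EbsHeader { SoftwareConformanceKey = "CONFORMANCE-KEY-PLACEHOLDER", AuditId = "123456789" },
            Idp = new IdpHeader { ServiceUserMUID = "123456" },
            Upload = new[] { new UploadData { content = File.ReadAllBytes("claim.txt"), description = "00123", resourceType = "CL" } }
        };
        try { Console.WriteLine(factory.CreateChannel().Upload(request).Result); }
        catch (MessageSecurityException e) { Console.WriteLine("security fault: " + e.Message); }
        finally { factory.Close(); }
    }
}
```

Two checks worth doing before blaming the service: WCF derives the expected DNS identity of the recipient certificate from the host name in the EndpointAddress, so if the certificate shipped with the specification carries a different subject, pass an explicit `DnsEndpointIdentity` to the EndpointAddress constructor instead of letting the identity check fail; and the sample message pairs an rsa-sha1 signature with SHA-256 digests, which matches none of WCF's built-in `SecurityAlgorithmSuite` values exactly, so capture the outgoing envelope (the question's `InspectorBehavior` does this) and compare the algorithm URIs with what the service actually accepts.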
Views: 7584