WCF Web服务请求：在SecurityTokenReference中添加引用标记而不是KeyIdentifier标记

Question

我需要使用.NET来使用Java Web服务。必须对请求进行签名，并且证书必须包含在请求中。

使用下面的“ GetClient”方法时，除一个字段外，该请求是正确的。在SecurityTokenReference元素中，添加了“ KeyIdentifier”。此SecurityTokenReference字段应在'SignedInfo'元素中包含对第三参考的'Reference'字段：

</o:Security>
  </s:Header>
    <o:BinarySecurityToken>...</o:BinarySecurityToken>
    <Signature>
      <SignedInfo>
        <CanonicalizationMethod></CanonicalizationMethod>
        <SignatureMethod></SignatureMethod>
        <Reference URI="#_1">...</Reference>
        <Reference URI="#uuid-001">...</Reference>
        <Reference URI="#uuid-002">...</Reference>
      </SignedInfo>
      <SignatureValue>...</SignatureValue>
      <KeyInfo>
        <o:SecurityTokenReference>
          <o:KeyIdentifier >...</o:KeyIdentifier>
        </o:SecurityTokenReference>
      </KeyInfo>
    </Signature>
  </o:Security>
</s:Header>

所以

    <o:SecurityTokenReference>
      <o:KeyIdentifier >...</o:KeyIdentifier>
    </o:SecurityTokenReference>

应该

    <o:SecurityTokenReference>
        <o:Reference ValueType="..." URI="uuid-002" />
    </o:SecurityTokenReference>

但是我不能使这个工作。

使用时

 InitiatorTokenParameters InclusionMode = SecurityTokenInclusionMode.Once

添加了正确的“ Reference”标记，但是随后生成了一个双重“ BinarySecurityToken”标记，从而导致Web服务被拒绝。有什么解决办法吗？

public wsClient GetClient()  
{  

        CustomBinding b = new CustomBinding();
        HttpsTransportBindingElement transport = new HttpsTransportBindingElement();

        AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement
            (MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        asec.SetKeyDerivation(false);
        asec.AllowInsecureTransport = true;
        asec.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
        asec.IncludeTimestamp = true;
        asec.ProtectTokens = true;
        asec.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        asec.InitiatorTokenParameters = new X509SecurityTokenParameters
        {
            InclusionMode = SecurityTokenInclusionMode.Never, //.Once, ----> Once creates correct SecurityTokenReference, but double BinarySecurityToken
            ReferenceStyle = SecurityTokenReferenceStyle.Internal
        };

        asec.EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters());
        TextMessageEncodingBindingElement textMessageEncoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);

        b.Elements.Add(asec);
        b.Elements.Add(textMessageEncoding);
        b.Elements.Add(transport);

        string url = "https://service";

        var c = new wsClient(b, new EndpointAddress(new Uri(url), 
            new DnsEndpointIdentity(kgParams.DnsEndpointIdentity), new AddressHeaderCollection()));


        X509Certificate cert = GetCertificate();
        c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(cert);
        c.ClientCredentials.ServiceCertificate.DefaultCertificate = c.ClientCredentials.ClientCertificate.Certificate;
        c.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;

        return c;
}

Answer 1

在这个问题上苦苦挣扎了几天之后，尽管有 250 分的赏金，但没有任何评论或答案，我只能得出结论，这是 Java 和 .NET WCF 之间的不兼容。

最后我只是沮丧地放弃了WCF，并从头开始重新创建了整个*****请求。这意味着：

• 创建包含所需数据的 XmlDocument
• 将证书作为 Base64 添加到标头
• 手动为请求添加时间戳
• 手动添加正确的KeyInfo 标签
• 使用适当的 GUID 手动添加所有引用
• 使用 SignedXml 和证书手动签署所有元素
• 手动发布请求

服务器毫无怨言地接受了请求。