使用SignedXml.ComputeSignature将签名添加到配置文件后,"无法识别的配置部分"

Question

我有一个使用.NET 3.5 Framework构建的Windows窗体应用程序,它自带一个WCF服务.服务和应用程序可以自行正常运行.

关于在app.config文件中可以访问地址和绑定信息,我决定使用System.Security.Cryptography.Xml.SignedXml.ComputeSignature添加数字签名.然后我将签名添加到app.config并保存.这会在app.config中创建一个Signature元素,作为app.config文件的配置节点的最后一个子元素.

我在启动服务之前添加了一个检查签名的函数.该应用程序正确验证签名,但在尝试启动该服务时,它会抛出以下嵌套错误:

1. 'System.ServiceModel.DiagnosticUtility'的类型初始值设定项引发了异常.

2.配置系统无法初始化

3.无法识别的配置部分签名.

在app.config中放置Signature元素的位置似乎并不重要.签名始终可以正确验证,并且服务始终会对未识别的配置部分进行控制.注释掉app.config中的Signature元素和代码中的签名检查,服务将重新开始,没有任何问题.

为什么服务会抛出这些错误,我该怎么做才能解决它们？

这是带有编辑的应用程序名称和URL的app.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="MyApp.My.MySettings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>     
        <binding name="MyAppServicePortBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="None">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://myappurl/MyService" binding="basicHttpBinding" bindingConfiguration="MyAppServicePortBinding" contract="MyAppService" name="MyAppServicePort" />
    </client>
    <services>
      <service name="MyApp.MyService" behaviorConfiguration="MyAppServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://mylocalservice:8080/LocalService" />
          </baseAddresses>
        </host>
        <!-- this endpoint is exposed at the base address provided by host -->
        <endpoint address="" binding="wsHttpBinding" contract="MyApp.IServiceInit" bindingNamespace="http://mylocalservice:8080/LocalService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyAppServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
    <applicationSettings>
    <MyApp.My.MySettings>
      <setting name="DefaultEntryType" serializeAs="String">
        <value>M</value>
      </setting>
      <setting name="CardTypes" serializeAs="String">
        <value>1111</value>
      </setting>
      <setting name="Freq" serializeAs="String">
        <value>120000</value>
      </setting>
    </MyApp.My.MySettings>
  </applicationSettings>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>jJYnz3j6LgxqdcUgvNSGNmJVum4=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>czpn/uA31kMSoGFk2hi3SCYky6YM6/MjBT3lpMn7wluCjeFIFj0vJJZVI9ueQQn/RglFi8RIfAyov3rDwiS+pP/4b1Yh8KqNOftHMH9pC+CFsMHMQnIoPHyXVrFLpuU6rzjACdUky4zuB7I7Q5AHf1CF8F9PSEgIxiQ4gHgPhJCLujl6wvsMg3rXDHazRQ2Curj94iKUIsKo50X1dJxER1oWOB9g6QgzqsXTOmUkgGOygJrnrn1WQJ0UbWAvHHXIPZdD6jOL24vqhOYm55+b6hlkWdIvEvLBPVMtv2V8oQqxBpWRDh8ovMn4LQdgcFOpa/vG3ISXGp2oRzsCEpaxCQ==</SignatureValue>
    </Signature>
</configuration>

Answer 1

您缺少一些基本信息,以允许将符号嵌入app.config中.

从http://www.beefycode.com/post/Managing-AppConfig-Integrity-using-Xml-Digital-Signatures.aspx关于向app.config文件添加签名:

我们不能只在app.config中填充这个新元素,并期望.NET配置管理器在不知道它是什么的情况下处理它; 这将导致应用程序启动期间失败.这里没有特殊的技巧,我们只需要通过在配置文件的顶部添加以下内容来指示配置系统忽略此元素.

首先在app.config中输入以下内容:

<configSections>
  ...
  <section name="Signature" type="System.Configuration.IgnoreSectionHandler" />  
</configSections>  

查看完整app.config和用法示例的上述链接.它应该做的工作.