2017-11-07 18 views
4

WCF 클라이언트의 Oracle Web Logic에서 실행되는 SOAP 1.1 웹 서비스를 사용하려고합니다. 이 서비스는 본문 서명 및 암호화 (암호화 전 기호) 및 알고리즘 Basic256Sha256 및 LaxTimestampLast 구성 레이아웃과 함께 표준 Oasis WS-Security 1.2를 구현합니다. 내가 예상되는 형식으로 서명 및 암호화 된 메시지를 보낼 수 있어요WCF SOAP 클라이언트가 서명에서 URI를 해석하여 다이제스트를 계산할 수 없음

그러나

<s:Envelope 
    xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <s:Header> 
     <o:Security s:mustUnderstand="1" 
      xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
      <e:EncryptedKey Id="_0" 
       xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
       <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
         xmlns="http://www.w3.org/2000/09/xmldsig#"/> 
       </e:EncryptionMethod> 
       <KeyInfo 
        xmlns="http://www.w3.org/2000/09/xmldsig#"> 
        <o:SecurityTokenReference> 
         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</o:KeyIdentifier> 
        </o:SecurityTokenReference> 
       </KeyInfo> 
       <e:CipherData> 
        <e:CipherValue>fOgGM...Ixw==</e:CipherValue> 
       </e:CipherData> 
       <e:ReferenceList> 
        <e:DataReference URI="#_2"/> 
       </e:ReferenceList> 
      </e:EncryptedKey> 
      <o:BinarySecurityToken u:Id="uuid-792fca62-dad8-442e-b720-d52f48768dd0-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIFf...O2A8=</o:BinarySecurityToken> 
      <Signature 
       xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <SignedInfo> 
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
        <Reference URI="#_1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <DigestValue>0OiBt3eXZek5bJ9d9CFsduwbtQVoFY3DvFqxfnQz7Dg=</DigestValue> 
        </Reference> 
        <Reference URI="#uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <DigestValue>PtcCDNfz7ocVM86qgSnDFnUUJnVz6E884Ll9QeV6Wfg=</DigestValue> 
        </Reference> 
        <Reference URI="#uuid-792fca62-dad8-442e-b720-d52f48768dd0-1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <DigestValue>SezODccgkQ2rfYtKfSxAC14igVpLxbfQtKChSddDf+c=</DigestValue> 
        </Reference> 
       </SignedInfo> 
       <SignatureValue>j6XPB.../ow==</SignatureValue> 
       <KeyInfo> 
        <o:SecurityTokenReference> 
         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</o:KeyIdentifier> 
        </o:SecurityTokenReference> 
       </KeyInfo> 
      </Signature> 
      <u:Timestamp u:Id="uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1"> 
       <u:Created>2017-11-06T20:43:29.722Z</u:Created> 
       <u:Expires>2017-11-06T20:48:29.722Z</u:Expires> 
      </u:Timestamp> 
     </o:Security> 
    </s:Header> 
    <s:Body u:Id="_1" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
     <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
      xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> 
      <e:CipherData> 
       <e:CipherValue>L7f+O...Rw7jHL</e:CipherValue> 
      </e:CipherData> 
     </e:EncryptedData> 
    </s:Body> 
</s:Envelope> 

, 응답을 가져올 때 :

<?xml version='1.0' encoding='UTF-8'?> 
<S:Envelope 
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> 
    <env:Header> 
     <wsse:Security 
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1"> 
      <ns1:EncryptedKey 
       xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="18iq0thuJbDO21Gk"> 
       <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
        <ns2:DigestMethod 
         xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       </ns1:EncryptionMethod> 
       <ns3:KeyInfo 
        xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"> 
        <wsse:SecurityTokenReference 
         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_nczorGBwzUSf1PJG"> 
         <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</wsse:KeyIdentifier> 
        </wsse:SecurityTokenReference> 
       </ns3:KeyInfo> 
       <ns1:CipherData> 
        <ns1:CipherValue>VLX9L...jTQ==</ns1:CipherValue> 
       </ns1:CipherData> 
       <ns1:ReferenceList> 
        <ns1:DataReference URI="#XgzvGdpjeeFiU0AH"/> 
       </ns1:ReferenceList> 
      </ns1:EncryptedKey> 
      <wsse11:SignatureConfirmation 
       xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sigconf_gF2mG4MS0QT3gGyg" Value="j6XPB.../ow=="/> 
      <dsig:Signature 
       xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> 
       <dsig:SignedInfo> 
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
        <dsig:Reference URI="#Timestamp_be1msZa7e60oVdtW"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>mWxC8kSZIGKE1KTyVWbr2YgOmE1UqVNV3lS4vdM4kdM=</dsig:DigestValue> 
        </dsig:Reference> 
        <dsig:Reference URI="#Body_fr2ndXxiUtwuP3Y2"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>ZztOfa8rAv2aaMUxxKaYAPgUbEfIZRe/1ZRgPacmAlc=</dsig:DigestValue> 
        </dsig:Reference> 
        <dsig:Reference URI="#sigconf_gF2mG4MS0QT3gGyg"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>AfX4C1zXqAIX1pEHPw7PHEhf/g/8JWACJqgX7p63RkI=</dsig:DigestValue> 
        </dsig:Reference> 
        <dsig:Reference URI="#str_RLjzz112Lwz91VZF"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"> 
           <wsse:TransformationParameters> 
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
           </wsse:TransformationParameters> 
          </dsig:Transform> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue> 
        </dsig:Reference> 
       </dsig:SignedInfo> 
       <dsig:SignatureValue>xlVJb...EPZg==</dsig:SignatureValue> 
       <dsig:KeyInfo> 
        <wsse:SecurityTokenReference 
         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_RLjzz112Lwz91VZF"> 
         <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier> 
        </wsse:SecurityTokenReference> 
       </dsig:KeyInfo> 
      </dsig:Signature> 
      <wsu:Timestamp 
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp_be1msZa7e60oVdtW"> 
       <wsu:Created>2017-11-06T20:43:30Z</wsu:Created> 
       <wsu:Expires>2017-11-06T20:44:30Z</wsu:Expires> 
      </wsu:Timestamp> 
     </wsse:Security> 
    </env:Header> 
    <S:Body 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body_fr2ndXxiUtwuP3Y2"> 
     <ns1:EncryptedData 
      xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="XgzvGdpjeeFiU0AH" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml"> 
      <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> 
      <ns1:CipherData> 
       <ns1:CipherValue>GT08G...PqanY</ns1:CipherValue> 
      </ns1:CipherData> 
     </ns1:EncryptedData> 
    </S:Body> 
</S:Envelope> 

클라이언트 시험이 오류와 함께 실패

Test Name: TestMethod_CodedCustomBinding 
Test FullName: Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding 
Test Source: C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs : line 207 
Test Outcome: Failed 
Test Duration: 0:00:00.9372511 

Result StackTrace: 
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified() 
    at System.IdentityModel.SignedXml.CompleteSignatureVerification() 
    at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned) 
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy) 
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
    at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
--- End of inner exception stack trace --- 

Server stack trace: 
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
    at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout) 
    at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) 
    at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) 
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) 
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) 
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) 
Exception rethrown at [0]: 
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) 
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) 
    at Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) 
    at Integration.ServiceClient.TestServiceClient.ServiceWsClient.Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 994 
    at Integration.ServiceClient.TestServiceClient.ServiceWsClient.notify(Int64 idNotification) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 1000 
    at Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding() in C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs:line 212 
Result Message: 
Test method Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding threw exception: 
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#str_RLjzz112Lwz91VZF' URI in the signature to compute the digest. 

그러나 URI는 SecurityTokenReference 태그에 있습니다. Signature>KeyInfo 태그가 있습니다. 서명 유효성 검사 중에이 참조가 발견되지 않는 이유와이 오류를 해결하기 위해 수행 할 수있는 작업에 대한 아이디어가 있습니까?

답변

0

참고 :

당신이 CertificateOverTransport를 사용하여 메시지 본문을 로그인 할 수 없습니다.

이렇게하면 WCF에서 허용하지 않습니다.

이 경우 MutualCertificateDuplex을 사용해보고 응답에 서명하는 데 관심이 없다면 보호 수준을 none : ProtectionLevel.None으로 변경하십시오. 이것이 실패하면

, 당신의 WCF 사용자 지정 바인딩을 추가하려고 :이 인증서가 제대로 소화 할 수

<customBinding> 
     <binding name="NewBinding0"> 
      <textMessageEncoding messageVersion="Soap11" /> 
      <security authenticationMode="MutualCertificateDuplex" includeTimestamp="false" 
       messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"> 
       <secureConversationBootstrap /> 
      </security> 
      <httpTransport /> 
     </binding> 
</customBinding> 

.