WCF - x509 Certificate from Smart Card - 'Cannot Verify Signature'


Problem description


I have a WCF service running on IIS6 which is configured with a WSHTTPBinding using the "Transport with Message Credentials" security setting (with the transport client credentials set to "None" and the Message set to "Certificate"). This is being consumed by a .NET client that was created through the auto generated code by consuming a service in VS 2010.

In my development environment, I created a certificate to act as both the service cert and the IIS SSL certificate, and since I was lazy, I exported the certificate for use with my client application. Everything works great in that configuration, but that is not the target environment. The idea is to have users utilize their smart cards to access this service. The server will not be on the same domain and LDAP is not allowed, for now.

The problem is that now I got this in a test lab and set up an environment where the SSL certificate was issued by the same CA as the user's certs, and I have created a custom x509 Cert validator and service credentials, but after the initial call to my validator, something is happening in between the hand off and kicks out an error on the service trace log saying, "Error verifying message security" with an inner exception of "Cannot verify the signature". Since it is coming through my custom validator and I got the message logging up, everything looks fine on the SOAP side and I am getting the certificate through on the other side. I have made sure that every cert that I am trying to use is in the "Trusted Users" store and even tried exporting the certs and putting them in the local computer "Personal" store, with no luck.

I have a feeling that I do not fully understand the use of the service certificate and the client certificate in the web.config file. Can someone please help me out here?

Recommended answer

Ok so I have managed to answer my own question with some help from my coworker. After we sat down together and started to run a bunch of questions by me and doing some random Google searches, we decided to change something in the configuration that surprised me.

So to finish my question up top, I had the message credentials set to "Certificate" with the encryption algorithm suite set to "TripleDesSha256Rsa15". Turns out that the certificates on the smart card, or the card itself, would only support Sha1 (which was not an option with everything else). When we changed the setting to "Basic256", everything started working. I eventually was able to set it to "TripleDesRsa15" and it continued to work.

Basically, WCF sends the certificate up without a private key, because it cannot access it with that encryption algorithm. WCF DOES NOT throw an exception with this when trying to access the certificate, it will only throw it on the server side with the exception "Could not Verify Signature". Kind of wish it would say "There was no signature" because that would have been a bit easier to track down. I don't know if anyone will ever find this useful, but if you do and can find a reference to the "Proper" way of using Smart Cards with WCF, please post it with a ref.

Overall, check your encryption algorithm that you are trying to use, and make sure it works with the smart cards/certificates that you plan on using.
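The check a practitioner would run before touching the algorithm suite, added here as an example (it is not code from the question or the answer): it loads the smart-card certificate by thumbprint (placeholder value) and tries to produce an RSA PKCS#1 signature over SHA-1 and SHA-256, the digests that the suites named in the answer rely on, so a card or CSP that cannot do SHA-256 fails visibly with a CryptographicException instead of WCF silently sending a message without a usable signature. It assumes .NET Framework 4.6 or later for GetRSAPrivateKey and that the card's certificate has been propagated into the CurrentUser\My store.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic, not code from the original post.
// Digest used by the WCF algorithm suites mentioned in the answer:
//   SHA-1   : Basic256, TripleDesRsa15          (worked with the card)
//   SHA-256 : TripleDesSha256Rsa15              ("Cannot verify the signature")
static class SmartCardSuiteCheck
{
    // Placeholder: replace with the thumbprint of the certificate on the card.
    const string Thumbprint = "<SMART-CARD-CERT-THUMBPRINT>";

    static void Main()
    {
        X509Certificate2 cert = FindCertificate(Thumbprint);
        if (cert == null) { Console.WriteLine("certificate not found"); return; }

        Console.WriteLine("Subject: " + cert.Subject);
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);

        foreach (var hash in new[] { HashAlgorithmName.SHA1, HashAlgorithmName.SHA256 })
            Console.WriteLine(hash.Name + ": " +
                (CanSign(cert, hash) ? "supported" : "NOT supported by this card/CSP"));
    }

    static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? found[0] : null;
        }
    }

    // Signs a probe buffer with the card's private key using the given digest and
    // PKCS#1 v1.5 padding (what the *Rsa15 suites use), then verifies it. A CSP that
    // cannot hash with the requested algorithm throws CryptographicException here.
    static bool CanSign(X509Certificate2 cert, HashAlgorithmName hash)
    {
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null) return false;
                byte[] data = Encoding.UTF8.GetBytes("wcf-suite-probe");
                byte[] sig = rsa.SignData(data, hash, RSASignaturePadding.Pkcs1);
                return rsa.VerifyData(data, sig, hash, RSASignaturePadding.Pkcs1);
            }
        }
        catch (CryptographicException) { return false; }
    }
}
```

If SHA-256 reports "NOT supported", keep the binding's message algorithmSuite on a SHA-1 suite such as Basic256 or TripleDesRsa15, as the answer did; the card will prompt for its PIN when SignData runs.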

