wcf Error: Incoming message was signed with a token which is different from what used to encrypt body. This was not expected


Problem description

I am trying to call a third party service with a verisign test x.509 certificate. When I get the response message back, it generates the following error:

Incoming message was signed with a token which is different from what used to encrypt body. This was not expected.

This error was not expected by me because I only supplied the service the one x.509 certificate. What other certificate is it using?

Any insight would be appreciated!

My custom binding looks like:

<binding name="NodalCustomBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
         receiveTimeout="00:10:00" sendTimeout="00:10:00">
  <textMessageEncoding messageVersion="Soap11" />
  <security
    authenticationMode="MutualCertificate"
    requireDerivedKeys="false"
    includeTimestamp="true"
    keyEntropyMode="ClientEntropy"
    messageProtectionOrder="SignBeforeEncrypt"
    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
    requireSecurityContextCancellation="false"
    allowSerializedSigningTokenOnReply="true"
    enableUnsecuredResponse="true">
    <secureConversationBootstrap />
  </security>
  <httpsTransport />
</binding>

My endpoint behavior looks like:

<endpointBehaviors>
  <behavior name="NodalCredentialBehavior">
    <clientCredentials>
      <clientCertificate findValue="Testx509"
                         storeLocation="CurrentUser"
                         storeName="My"
                         x509FindType="FindBySubjectName" />
      <serviceCertificate>
        <authentication certificateValidationMode="None" />
        <defaultCertificate findValue="Testx509"
                            storeLocation="CurrentUser"
                            storeName="My"
                            x509FindType="FindBySubjectName" />
      </serviceCertificate>
    </clientCredentials>
  </behavior>
</endpointBehaviors>

And finally my response message looks like:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
   <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39">Q</wsse:BinarySecurityToken>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#Id-b75df9d2-5a50-d36b-b26a-08ee4065010d">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>YKW87r6WtI5b5Mx3D/WIPg2bcIk=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>lAB8mXepN63lGSk/lraYooTEFfn8dnwiJ89z8d5S6HKsDjAgg=    </dsig:SignatureValue>
    <dsig:KeyInfo>
      <SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </SecurityTokenReference>
    </dsig:KeyInfo>
  </dsig:Signature>
</wsse:Security>
</SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="Id-b75df9d2-5a50-d36b-b26a-08ee4065010d" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <ns0:ResponseMessage xmlns:ns0="http://www.ercot.com/schema/2007-06/nodal/ews/message">
  <ns0:Header>
    <ns0:Verb>reply</ns0:Verb>
    <ns0:Noun/>
    <ns0:ReplayDetection>
      <ns0:Nonce/>
      <ns0:Created/>
    </ns0:ReplayDetection>
    <ns0:Revision>001</ns0:Revision>
    <ns0:Source/>
    <ns0:UserID>API</ns0:UserID>
  </ns0:Header>
  <ns0:Reply>
    <ns0:ReplyCode>FATAL</ns0:ReplyCode>
    <ns0:Error>Invalid Verb</ns0:Error>
    <ns0:Timestamp>2012-03-14T10:54:31.701-05:00</ns0:Timestamp>
  </ns0:Reply>
</ns0:ResponseMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Recommended answer

I found the answer. It was a problem with the certificates and the configuration.

Certificates

Apparently, I needed two x.509 certificates, one for the request and one for the response.

  1. In explorer, double click your cer file to open it.
  2. Click on the "Certification Path" tab and make note of hierarchy
  3. Install both x.509 certificates in the Personal Certificates folder.
  4. In MMC, double click the certificate to open it
  5. Click on the "Certification Path" tab and make sure path matches paths in step 2

Certificates should be set up correctly now.

Configuration

Create an endpoint behavior in the app.config and create an identity

<behaviors>
  <endpointBehaviors>
    <behavior name="myBehavior">
      <clientCredentials>
        <!-- Request certificate: the client's own certificate -->
        <clientCertificate findValue="#RequestCertificate#"
                           storeLocation="CurrentUser"
                           storeName="My"
                           x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <!-- Validate the service certificate's chain -->
          <authentication certificateValidationMode="ChainTrust" />
          <!-- Response certificate: the certificate the service uses -->
          <defaultCertificate findValue="#ResponseCertificate#"
                              storeLocation="CurrentUser"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

<client>
  <endpoint address="https://myaddress.com/" binding="customBinding"
            contract="mycontract"
            behaviorConfiguration="myBehavior"
            name="HttpEndPoint">
    <!-- Expected identity of the service: the response certificate's name -->
    <identity>
      <dns value="#ResponseCertificate#" />
    </identity>
  </endpoint>
</client>

Where:

#RequestCertificate# is the name of your request certificate

#ResponseCertificate# is the name of your response certificate
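
A diagnostic for the mismatch discussed in this thread, as an added example that is not part of the original question or answer: it reads a captured response, resolves the token the signature's KeyInfo points to, and compares its SHA-1 thumbprint with the certificate you expect the service to use. It only identifies the signing token and does not verify the signature; the function name, sample envelope and token bytes are constructed for illustration.

```python
import base64
import hashlib
import string
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def signing_token_report(envelope_xml, expected_thumbprint):
    """Identify the token that signed a response and compare it with the expected certificate."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    tokens = {t.get(WSU_ID): t for t in sec.findall("wsse:BinarySecurityToken", NS)}
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    token = tokens.get(ref.get("URI", "").lstrip("#")) if ref is not None else None
    if token is None:
        raise ValueError("signature KeyInfo does not resolve to a BinarySecurityToken")
    der = base64.b64decode("".join((token.text or "").split()))
    thumb = hashlib.sha1(der).hexdigest().upper()  # Windows thumbprint = SHA-1 of the DER bytes
    # Thumbprints pasted from the certificate dialog can carry spaces and invisible characters
    expected = "".join(c for c in expected_thumbprint if c in string.hexdigits).upper()
    body = root.find("soap:Body", NS)
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    return {
        "thumbprint": thumb,
        "matches_expected": thumb == expected,
        "body_signed": body is not None and body.get(WSU_ID) in signed,
        "body_encrypted": body is not None and body.find("xenc:EncryptedData", NS) is not None,
    }

# Constructed sample shaped like the response above; the token bytes are a stand-in, not a real certificate
SAMPLE_DER = b"constructed-stand-in-for-DER-certificate"
SAMPLE = """<s:Envelope xmlns:s="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
<s:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="tok-1">{b64}</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#tok-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></s:Header>
<s:Body wsu:Id="body-1"><Reply/></s:Body></s:Envelope>""".format(b64=base64.b64encode(SAMPLE_DER).decode(), **NS)

if __name__ == "__main__":
    print(signing_token_report(SAMPLE, hashlib.sha1(SAMPLE_DER).hexdigest()))
```

If `matches_expected` is false for a real capture, the certificate named in `defaultCertificate` is not the one the service signed with.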
