Java client to WCF service interop with mutual certificate - Cannot resolve KeyInfo for verifying signature


Question

Exception: MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier

I have to set up a WCF service to receive SOAP calls from a Java client that is sending signed content with the following header:

<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:Reference URI="#id-3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">…</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#Timestamp-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">…</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      …
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-66FC0491F2BB65AFF813274134607712" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="...." xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN=XXXXXXXX</ds:X509IssuerName>
            <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">111122222</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
    <wsu:Created>xxxxx</wsu:Created>
    <wsu:Expires>xxxx</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>
</soap:Header>

I tried setting up the following binding and behavior:

<customBinding>
  <binding name="javaclientBinding">
    <security
      defaultAlgorithmSuite="Basic256Rsa15"
      messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
      allowSerializedSigningTokenOnReply="true"
      authenticationMode="MutualCertificateDuplex"
      requireDerivedKeys="false"
      securityHeaderLayout="LaxTimestampLast"
      allowInsecureTransport="true"
      requireSignatureConfirmation="false"
      requireSecurityContextCancellation="false">
    </security>
    <textMessageEncoding messageVersion="Soap11" />
    <httpTransport />
  </binding>
</customBinding>



<behavior name="javaclientBehavior">
  <serviceMetadata httpGetEnabled="True"/>
  <serviceDebug includeExceptionDetailInFaults="False"/>
  <serviceCredentials>
    <clientCertificate>
      <authentication certificateValidationMode="PeerTrust"/>
    </clientCertificate>
    <serviceCertificate
      findValue="applicationServer"
      storeLocation="CurrentUser"
      storeName="My"
      x509FindType="FindBySubjectName" />
  </serviceCredentials>
</behavior>

But the following exception shows up in the server event log:

ClientIdentity: 
   ActivityId: <null>
   MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo
  'SecurityKeyIdentifier
   (
       IsReadOnly = False,
       Count = 1,
       Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=XXXXXX)
    )
   ', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)

'.

We have to get signature validation working, and we have no possibility to change what the Java client is sending.

Answer

Actually I'm having the same problem, and I'm using the approach suggested by Yaron Naveh.

I haven't finished yet, but I'm making some advances (I'll post a full answer when I finish).

The request uses an AsymmetricSecurityBindingElement, not a SymmetricSecurityBindingElement as Yaron suggested.

The InclusionMode of the X509SecurityTokenParameters should be set to SecurityTokenInclusionMode.AlwaysToInitiator.

The binding should look something like this:

// Only the following MessageSecurityVersions are asymmetric:
//   WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
//   WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10

using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Wrapper class and method signature added so the fragment compiles as posted.
public static class JavaClientBindingFactory
{
    public static Binding CreateJavaClientBinding()
    {
        AsymmetricSecurityBindingElement abe = (AsymmetricSecurityBindingElement)
            SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);

        // The Java client signs directly with its RSA key; no derived keys are used.
        abe.SetKeyDerivation(false);

        // Reference the client certificate by issuer/serial, matching the
        // <ds:X509IssuerSerial> inside the client's <wsse:SecurityTokenReference>.
        X509SecurityTokenParameters x509ProtectionParameters =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial);

        // AlwaysToInitiator: the client's certificate is not carried in the message.
        x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
        x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;

        abe.InitiatorTokenParameters = x509ProtectionParameters;
        abe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
        abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;

        HttpTransportBindingElement httpBinding = new HttpTransportBindingElement();
        Binding binding = new CustomBinding(abe, httpBinding);
        return binding;
    }
}

I hope this helps.
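As an added example, not code from the original question or answer: a self-hosted WCF service that installs the answer's AsymmetricSecurityBindingElement together with the credentials the question configured under <serviceCredentials>, written in code instead of config. The contract IJavaInterop, the service class, the listen URL and the client certificate subject name "javaClient" are placeholders; "applicationServer" and PeerTrust come from the question. That an IssuerSerial-only reference can only be resolved if the service is handed the client certificate up front, via ServiceCredentials.ClientCertificate, is an assumption drawn from the "TokenCount = 0" in the question's log, not something the answer states.

```csharp
// Added example, not the original question's or answer's code.
// Self-hosted WCF service: the answer's AsymmetricSecurityBindingElement plus the
// credentials the question configured under <serviceCredentials>, expressed in code.
// Placeholders: IJavaInterop, JavaInteropService, the listen URL and the subject name
// "javaClient"; "applicationServer" and PeerTrust are taken from the question.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

[ServiceContract(Namespace = "urn:example:javainterop")]
public interface IJavaInterop
{
    [OperationContract]
    string Echo(string value);
}

public class JavaInteropService : IJavaInterop
{
    public string Echo(string value) { return value; }
}

public static class JavaInteropHost
{
    // Same binding as in the answer, repeated here so this file compiles on its own.
    public static Binding CreateJavaClientBinding()
    {
        var abe = (AsymmetricSecurityBindingElement)
            SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        abe.SetKeyDerivation(false); // the Java client signs with its RSA key directly, no derived keys

        var clientToken = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial)
        {
            // The client's KeyInfo carries only <ds:X509IssuerSerial>; the certificate itself
            // is never sent, so the service must not expect the token in the message.
            InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator,
            X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial
        };
        abe.InitiatorTokenParameters = clientToken;
        abe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
        abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;

        // Plain HTTP, as in the answer and the question's allowInsecureTransport="true":
        // the signature and timestamp protect integrity, not confidentiality.
        return new CustomBinding(abe, new HttpTransportBindingElement());
    }

    public static ServiceHost Open(string listenUri)
    {
        var host = new ServiceHost(typeof(JavaInteropService), new Uri(listenUri));
        host.AddServiceEndpoint(typeof(IJavaInterop), CreateJavaClientBinding(), "");

        // The service's own certificate, as in the question's <serviceCertificate> element.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "applicationServer");

        // Assumption: with an IssuerSerial-only reference the service has nothing to resolve
        // it against unless it already holds the client certificate (the "TokenCount = 0"
        // in the question's log), so the expected client certificate is configured here.
        host.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "javaClient");

        // PeerTrust, as in the question: the presented certificate is accepted only if that
        // exact certificate is installed in the TrustedPeople store of TrustedStoreLocation
        // (LocalMachine unless changed). Merely chaining to a trusted CA is not enough.
        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        clientAuth.TrustedStoreLocation = StoreLocation.LocalMachine;

        host.Open();
        return host;
    }

    public static void Main()
    {
        using (var host = Open("http://localhost:8080/javainterop"))
        {
            Console.WriteLine("Listening on {0}", host.BaseAddresses[0]);
            Console.ReadLine();
        }
    }
}
```

Two things to check before blaming the binding: the client certificate (the exact one whose issuer name and serial appear in the Java header) must be in the TrustedPeople store of the location set in TrustedStoreLocation, and the service must be able to find it by the issuer/serial pair, so compare the serial in the header against `certutil` or the certificate MMC output byte for byte.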
