我如何在soap消息中签署BinarySecurityToken [英] How do i sign a BinarySecurityToken in soap message

问题描述

我有以下 C# 代码来调用 Web 服务.

I have the following C# code to call a web service.

System.ServiceModel.Channels.AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement();
asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

asbe.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
asbe.RecipientTokenParameters = new  System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
asbe.ProtectTokens = true;
asbe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;

asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
asbe.EnableUnsecuredResponse = true;
asbe.IncludeTimestamp = false;
asbe.SetKeyDerivation(false);
asbe.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15;
asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());

CustomBinding myBinding = new CustomBinding();
myBinding.Elements.Add(asbe);
myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));

HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
httpsBindingElement.RequireClientCertificate = true;
myBinding.Elements.Add(httpsBindingElement);


ServiceReference1.ConnectionTestType testType = new WindowsFormsApplication9.ServiceReference1.ConnectionTestType();
testType.Message = "Bonjour";

var c = new ServiceReference1.ConnectionTestServiceClient(myBinding, new EndpointAddress(new Uri("https://(IP of server)/ConnectionTest"), new DnsEndpointIdentity("(XXX)"), new AddressHeaderCollection()));

c.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
c.ClientCredentials.UserName.UserName = "pts";
c.ClientCredentials.UserName.Password = "test";
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(Application.StartupPath + "\\" + "Certs\\ca-crt");
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(Application.StartupPath + "\\" + "Certs\\sign-and-enc.p12", "ThePassword");

c.Open();
ServiceReference1.ConnectionTestType t = c.ConnectionTest(testType);
c.Close();

这将创建以下消息，该消息非常接近用户名令牌和消息正文签名所需的消息.

This creates the following message which is pretty close to what is required with the usernameToken and message body signed.

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<o:BinarySecurityToken u:Id="uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">(binary data)</o:BinarySecurityToken>
<o:UsernameToken u:Id="uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-1">
    <o:Username>pts</o:Username>
    <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</o:Password>
</o:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#_1">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>FNjRLXvhojvaLY/4MhdtsK1cicE=</DigestValue>
    </Reference>
    <Reference URI="#uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-1">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>EpYurWbP+j2aXiuzO5/pswx/rQ8=</DigestValue>
    </Reference>
</SignedInfo>
<SignatureValue>(binary data)</SignatureValue>
<KeyInfo>
    <o:SecurityTokenReference>
        <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-3"/>
    </o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" u:Id="_1">
<ConnectionTest xmlns="xxx:xxx:xxx:ConnectionTest">
<Message xmlns="">Bonjour</Message>
</ConnectionTest>
</s:Body>
</s:Envelope>

我的规范指出 BinarySecurityToken 也将被签名.即在 SignedInfo 部分中应该有一个具有 BinarySecurityToken 的 ID 和digestValue 的参考块.

The specification I have states that the BinarySecurityToken is to be signed as well. i.e. there should be a Reference block in the SignedInfo section that has the ID and digestValue of the BinarySecurityToken.

是否可以指定标头的哪些部分被签名?

Is it possible to specify which parts of the header get signed?

我找到了这个链接 http://msdn.microsoft.com/en-us/library/aa528813.aspx 不过好像已经过时了，依赖Microsoft.Web.Services3.

I found this link http://msdn.microsoft.com/en-us/library/aa528813.aspx but it seems outdated, relying on Microsoft.Web.Services3.

推荐答案

是的，例如此代码将签署 BinarySecurityToken:

Yes, for example this code will sign the BinarySecurityToken:

asbe.EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters());

这篇关于我如何在soap消息中签署BinarySecurityToken的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！