WSE3003: The certificate's trust chain could not be verified
I am writing a system that consumes a public web service. I'm consuming the web service using VS2008 and classic .NET Framework 2.0 Web Services technology. My problem is not consuming the web service or calling its operations.
The problem is when I get the response back from the operation: it is signed, and behind the scenes the generated proxy starts verifying the signature. At that time I get the WSE3003 error. I (think I) have loaded the service certificate into my LocalComputer/TrustedPeople certificate store, and when I look at its certificate path I can see that all is ok:
VeriSign Class 3 Public Primary CA
www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97...
servcert.there.com
But I keep getting the following exception:
Microsoft.Web.Services3.ResponseProcessingException: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property.
---> Microsoft.Web.Services3.Security.SecurityFault: The security token could not be authenticated or authorized
---> System.Security.SecurityException: WSE3003: The certificate's trust chain could not be verified. Please check if the certificate has been properly installed in the Trusted People Certificate store. Or you might want to set allowTestRoot configuration section to true if this is a test certificate.
The following code probably doesn't compile and I have removed some of the sensitive stuff but here is the idea behind how I do my part:
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security.Tokens;

// Construct the WSE proxy (the *Wse class generated by the WSE 3.0 tooling)
MyServiceWse wsClient = new MyServiceWse();

// Assign the credentials. SendPlainText puts the password in the SOAP header
// unencrypted, so confidentiality relies on the HTTPS transport below.
UsernameToken userToken = new UsernameToken("user", "pass", PasswordOption.SendPlainText);
wsClient.SetClientCredential(userToken);
wsClient.RequestSoapContext.IdentityToken = userToken;

// Find the client and service certificates in LocalMachine\TrustedPeople
// (MyCertificateManager is a helper in my own project)
X509Certificate2 clientCert = MyCertificateManager.FindCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, "mycert.here.com");
X509Certificate2 serviceCert = MyCertificateManager.FindCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, "servicecert.there.com");

// Add the policy to the proxy: the service cert is used to verify the signed
// response, the client cert to sign/identify our side
Policy policy = new Policy();
MySecurityClientAssertion assertion = new MySecurityClientAssertion();
assertion.SetServiceCertificate(serviceCert);
assertion.SetClientCertificate(clientCert);
policy.Assertions.Add(assertion);
wsClient.SetPolicy(policy);

// Assign the service URL and call an operation; the signed response is
// verified by the proxy before CallTheirOperation returns
wsClient.Url = "https://services.there.com/TheirService.asmx";
TheirOperationResponse r = wsClient.CallTheirOperation();
I sure hope my code is wrong, because I can understand that a lot better than the certificate storage and trust chain stuff. Any help would be great. Thanks for your efforts.
Comments (1)
If the problem is with the chain, then all the other certificates need to be in the certificate store too.
So let's start from the top: start up MMC, add the Certificates snap-in and point it at the local computer account.
Now, in Trusted Root Certification Authorities, check that "VeriSign Class 3 Public Primary CA" is there and matches the root CA in the certificate you are trying to use (it should be there; that's a standard one).
Next, check that "www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97..." is in the Intermediate Certification Authorities store. On my machine there are two of these, one of which is expired.
If they're both there, then you need to look at the certificate chain a little more closely. Load the web service in your browser and see what certificate error you get from the browser. If you continue on to the site, you'll be able to click the SSL icon and work your way up the chain. Click the padlock and choose View Certificates, then choose the Certification Path tab. Hopefully there you'll see the chain, with the problem certs highlighted (I can't find a problem web site right now, so I can't remember exactly what it looks like). Choose the lowest one and see what the error is by highlighting it and clicking View Certificate. You may find it's just an expired cert or something like that.
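The same store checks can be scripted instead of clicked through in MMC. The following is an added diagnostic, not code from the question or the answer: it loads the service certificate from LocalMachine\TrustedPeople, builds its chain in the machine context the way a service process would, prints the status of every chain element, and reports whether each issuer is actually present in the Trusted Root (Root) or Intermediate (CA) store. The subject name "servicecert.there.com" is a placeholder taken from the question; the store locations are assumptions, since WSE can be configured to use the CurrentUser stores instead.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic for WSE3003 (not part of the original post).
// Targets .NET 2.0, so no LINQ or var.
class WseChainDiagnostics
{
    // Returns every certificate in the store whose subject contains the name.
    // validOnly = false so an expired certificate is found and reported
    // instead of silently skipped.
    static X509Certificate2Collection FindBySubject(StoreLocation location, StoreName name, string subject)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
        }
        finally
        {
            store.Close();
        }
    }

    // True if a certificate with the same thumbprint is in the LocalMachine store.
    static bool IsInMachineStore(StoreName name, X509Certificate2 cert)
    {
        X509Store store = new X509Store(name, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main(string[] args)
    {
        // Placeholder subject from the question; pass the real one on the command line.
        string subject = args.Length > 0 ? args[0] : "servicecert.there.com";

        X509Certificate2Collection found = FindBySubject(StoreLocation.LocalMachine, StoreName.TrustedPeople, subject);
        if (found.Count == 0)
        {
            Console.WriteLine("No certificate for '" + subject + "' in LocalMachine\\TrustedPeople.");
            return;
        }
        X509Certificate2 cert = found[0];
        Console.WriteLine("Leaf: " + cert.Subject + " (thumbprint " + cert.Thumbprint + ")");

        // useMachineContext = true builds against the LocalMachine stores, as a
        // service running under a machine account would. Revocation is off on the
        // first run so a CRL download failure is not mistaken for a chain problem;
        // re-run with X509RevocationMode.Online once the chain itself builds.
        X509Chain chain = new X509Chain(true);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(cert);
        Console.WriteLine("Chain builds cleanly: " + built);

        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            X509Certificate2 c = element.Certificate;

            // Where the issuer lives mirrors the answer's MMC checks: the root
            // belongs in Root, the VeriSign intermediate in CA.
            string where;
            if (i == 0)
                where = "leaf (TrustedPeople)";
            else if (IsInMachineStore(StoreName.Root, c))
                where = "present in Trusted Root store";
            else if (IsInMachineStore(StoreName.CertificateAuthority, c))
                where = "present in Intermediate CA store";
            else
                where = "NOT in Root or Intermediate CA store";

            Console.WriteLine("[" + i + "] " + c.Subject);
            Console.WriteLine("    issued by " + c.Issuer);
            Console.WriteLine("    valid " + c.NotBefore.ToString("u") + " to " + c.NotAfter.ToString("u") + "; " + where);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("    !! " + status.Status + ": " + status.StatusInformation.Trim());
        }

        // The overall status repeats the per-element problems; a good chain has none.
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("Overall: " + status.Status + ": " + status.StatusInformation.Trim());
    }
}
```

Run it on the client machine under the same account the WSE proxy runs as. The status values map onto the answer's steps: UntrustedRoot means the root is missing from Trusted Root Certification Authorities, PartialChain means an issuer (typically the intermediate) could not be located at all, and NotTimeValid means a certificate in the path has expired. Note that allowTestRoot="true" in the WSE x509 configuration tells WSE to accept a chain ending in an untrusted root; that is the check failing here, so for a production certificate fix the stores rather than disabling it.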