通过 SSL 传输的消息中的安全令牌

发布于 2024-08-09 14:46:49 字数 2979 浏览 9 评论 0原文

我需要在 WCF 中确保这样的肥皂头：

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
  <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1D82AB9733B359236712457035776561"></wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Timestamp-1">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>       <ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>
      </ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#id-3">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>
      </ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-1D82AB9733B359236712457035776562">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1D82AB9733B359236712457035776563">
     <wsse:Reference URI="#CertId-1D82AB9733B359236712457035776561" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
    <wsu:Created>2009-06-22T20:46:17Z
    </wsu:Created>
    <wsu:Expires>2009-06-22T20:51:17Z
    </wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </SOAP-ENV:Header>

其中时间戳和正文部分/元素将通过消息（BinarySecurityToken）中包含的直接引用证书进行数字签名，并且仅在传输级别通过 SSL（IIS 托管服务）确保机密性。目前我正在使用类 TransportSecurityBindingElement 和 HttpsTransportBinding，但是我无法像我想要的那样获得肥皂头...问题是（根据消息跟踪）BinarySecurityToken 元素中缺少 id、EncodingType、ValueType 等属性，而消息正文则不然签署（我将 ProtectionLevel 设置为签署合同）

因此，如果有人有这方面的技能，我将非常感激。

原文

I need in WCF ensure soap header like this:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
  <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1D82AB9733B359236712457035776561"></wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Timestamp-1">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>       <ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>
      </ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#id-3">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>
      </ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-1D82AB9733B359236712457035776562">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1D82AB9733B359236712457035776563">
     <wsse:Reference URI="#CertId-1D82AB9733B359236712457035776561" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
    <wsu:Created>2009-06-22T20:46:17Z
    </wsu:Created>
    <wsu:Expires>2009-06-22T20:51:17Z
    </wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </SOAP-ENV:Header>

where timestamp and body parts/elements will be digitally signed by directly referenced certificate included in message (BinarySecurityToken) and confidentiality will be ensured only on transport level by SSL(IIS hosted service). Currently Iam using classes TransportSecurityBindingElement and HttpsTransportBinding, but yet I can't gain soap header like I want... Problem is (according to message tracing) that in BinarySecurityToken element is missing attributes like id, EncodingType, ValueType and message body isn't signed (I set ProtectionLevel to Sign in contract)

So if someone have skills with this I will very appreciate.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

零時差 2024-08-16 14:46:49

这是一个盲目的尝试，因为我不知道任何 WCF，但我知道 SOAP 消息签名。

SOAP 主体元素中必须有一个属性“Id”或“wsu:Id”。签名将使用该 ID 作为正在签名的数据的参考。在您发布的示例中，这是在 wsu:Timestamp 元素上完成的 - 它的 id 为

wsu:Id="Timestamp-1"

然后签名使用它作为引用：

 <ds:Reference URI="#Timestamp-1">

在示例中签名还引用：

 <ds:Reference URI="#id-3">

我认为这是 id示例主体的部分。

我不确定你的工具包的 API 如何附加 Id，但你签名的任何内容肯定都需要它。

EncodingType 和 ValueType 有点棘手。恐怕我根本不认识这个人。我的诱惑是尝试获得正确的 Id，然后看看是否一切都到位。可能会。

This is a shot in the dark, since I don't know any WCF, but I do know SOAP message signing.

A must-have is an attribute "Id" or "wsu:Id" in your SOAP body element. The signature will use that Id as the reference for the data being signed. In the example you posted, this is being done on the wsu:Timestamp element -- it has an id of

wsu:Id="Timestamp-1"

And then the signature uses that as a reference:

 <ds:Reference URI="#Timestamp-1">

And in the example the signature also references:

 <ds:Reference URI="#id-3">

Which, I assume, is the id of the body of the example.

I'm not sure how your toolkit's API attaches Ids, but you'll definitely need it on anything you sign.

EncodingType and ValueType are a little trickier. I'm afraid I don't know that one off the top of my head. My temptation would be to try to get the Ids right and then see if it all falls into place. It might.

回复收藏 0 原文

~没有更多了~