2012-11-05 85 views
4

我有以下C#代碼來調用Web服務。如何在soap消息中籤署BinarySecurityToken

System.ServiceModel.Channels.AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement(); 
asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10; 

asbe.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters(); 
asbe.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters(); 
asbe.ProtectTokens = true; 
asbe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt; 

asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict; 
asbe.EnableUnsecuredResponse = true; 
asbe.IncludeTimestamp = false; 
asbe.SetKeyDerivation(false); 
asbe.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15; 
asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters()); 

CustomBinding myBinding = new CustomBinding(); 
myBinding.Elements.Add(asbe); 
myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8)); 

HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement(); 
httpsBindingElement.RequireClientCertificate = true; 
myBinding.Elements.Add(httpsBindingElement); 


ServiceReference1.ConnectionTestType testType = new WindowsFormsApplication9.ServiceReference1.ConnectionTestType(); 
testType.Message = "Bonjour"; 

var c = new ServiceReference1.ConnectionTestServiceClient(myBinding, new EndpointAddress(new Uri("https://(IP of server)/ConnectionTest"), new DnsEndpointIdentity("(XXX)"), new AddressHeaderCollection())); 

c.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign; 
c.ClientCredentials.UserName.UserName = "pts"; 
c.ClientCredentials.UserName.Password = "test"; 
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None; 
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(Application.StartupPath + "\\" + "Certs\\ca-crt"); 
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(Application.StartupPath + "\\" + "Certs\\sign-and-enc.p12", "ThePassword"); 

c.Open(); 
ServiceReference1.ConnectionTestType t = c.ConnectionTest(testType); 
c.Close(); 

這將創建以下消息,它非常接近usernameToken和消息正文簽名所需的內容。

<?xml version="1.0"?> 
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
<s:Header> 
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1"> 
<o:BinarySecurityToken u:Id="uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">(binary data)</o:BinarySecurityToken> 
<o:UsernameToken u:Id="uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-1"> 
    <o:Username>pts</o:Username> 
    <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</o:Password> 
</o:UsernameToken> 
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
<SignedInfo> 
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
    <Reference URI="#_1"> 
     <Transforms> 
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     </Transforms> 
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
     <DigestValue>FNjRLXvhojvaLY/4MhdtsK1cicE=</DigestValue> 
    </Reference> 
    <Reference URI="#uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-1"> 
     <Transforms> 
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     </Transforms> 
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
     <DigestValue>EpYurWbP+j2aXiuzO5/pswx/rQ8=</DigestValue> 
    </Reference> 
</SignedInfo> 
<SignatureValue>(binary data)</SignatureValue> 
<KeyInfo> 
    <o:SecurityTokenReference> 
     <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-5c84e7b3-53ee-4262-8621-edd24e69253f-3"/> 
    </o:SecurityTokenReference> 
</KeyInfo> 
</Signature> 
</o:Security> 
</s:Header> 
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" u:Id="_1"> 
<ConnectionTest xmlns="xxx:xxx:xxx:ConnectionTest"> 
<Message xmlns="">Bonjour</Message> 
</ConnectionTest> 
</s:Body> 
</s:Envelope> 

我有規範說明BinarySecurityToken也要簽名。即在SignedInfo部分應該有一個引用塊,它具有BinarySecurityToken的ID和digestValue。

是否可以指定標頭的哪些部分被簽名?

我發現這個鏈接http://msdn.microsoft.com/en-us/library/aa528813.aspx但它似乎過時了,依靠Microsoft.Web.Services3。

回答

2

是的,比如說該代碼將簽署的BinarySecurityToken:

asbe.EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters());