WCF 客户端无法验证 Java Web 服务。找不到 X509SecurityToken 的 token 验证器

Question

我创建了集成了 Java WS 的 WCF 客户端。这个想法很简单。我应该用客户端的证书签署我的请求，服务器应该返回签名的响应。由服务器的私钥签名。所有通信都通过 SSL 运行。

我启用了 .NET 跟踪，我可以看到我的请求已成功处理并收到响应。不幸的是我收到了以下异常:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type.

我找到了亚龙blog他提出了一个对我不起作用的解决方案。

这是我的客户端配置:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.diagnostics>
    <sources>
    <source propagateActivity="true"  name="System.ServiceModel" switchValue="All" logKnownPii="true">
        <listeners>
          <add name="xml"/>
        </listeners>
      </source>
      <source propagateActivity="true"  name="System.ServiceModel.IdentityModel" switchValue="All"  logKnownPii="true">
        <listeners>
          <add name="xml"/>
        </listeners>
      </source>
      <source propagateActivity="true"  name="System.ServiceModel.Activation" switchValue="All"  logKnownPii="true">
        <listeners>
          <add name="xml"/>
        </listeners>
      </source>
      <source  name="System.ServiceModel.MessageLogging"  switchValue="All"  logKnownPii="true">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add initializeData="c:\log\Traces.svclog" type="System.Diagnostics.XmlWriterTraceListener" 
        name="xml" traceOutputOptions="None">
      </add>
    </sharedListeners>
    <trace autoflush="true" indentsize="2">
      <listeners>
        <add name="xml"/>
      </listeners>
    </trace>
  </system.diagnostics>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
    </startup>
    <system.serviceModel>
        <diagnostics>
            <messageLogging logEntireMessage="true" logKnownPii="true" logMalformedMessages="false"
                logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true"
                />
            <endToEndTracing propagateActivity="true" activityTracing="true"
                messageFlowTracing="true" />
        </diagnostics>
      <client>
        <endpoint address="https://www.server.com/ws"
          behaviorConfiguration="clientCertificateBehaviour" binding="customBinding"
          bindingConfiguration="appCustomBinding" contract="ws.services"
          name="app-servicesSOAP" >

        </endpoint>
      </client>
        <bindings>
            <customBinding>
                <binding name="appCustomBinding">
                    <security allowSerializedSigningTokenOnReply="true" enableUnsecuredResponse="true"
                        authenticationMode="CertificateOverTransport" requireDerivedKeys="false" 
                        securityHeaderLayout="Lax" allowInsecureTransport="false"
                        messageProtectionOrder="SignBeforeEncrypt" protectTokens="false"
                        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                        requireSignatureConfirmation="false" />
                    <textMessageEncoding messageVersion="Soap11" />
                    <httpsTransport authenticationScheme="Digest" transferMode="Buffered"
                        requireClientCertificate="true" />
                </binding>
            </customBinding>
        </bindings>
      <behaviors>
        <endpointBehaviors>
          <behavior name="clientCertificateBehaviour">
            <clientCredentials>
              <clientCertificate findValue="CLIENT_CERT" storeLocation="CurrentUser"
                x509FindType="FindBySubjectName" />
              <serviceCertificate>
                <defaultCertificate findValue="SERVER_CERT" x509FindType="FindBySubjectName" />
                <authentication certificateValidationMode="None" />
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
    </system.serviceModel>
</configuration>

我收到的回复是:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-14514880453351538613570">
                <wsu:Created>2015-12-30T15:07:25Z</wsu:Created>
                <wsu:Expires>2015-12-30T15:12:25Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-14501832448541055407999">MASASIFIjCCB.......</wsse:BinarySecurityToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XWSSGID-1450183244852-860467203">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#XWSSGID-14514880453351164099649">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                                <ds:XPath>./SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/ds:Signature[1]/ds:KeyInfo/wsse:SecurityTokenReference</ds:XPath>
                            </ds:Transform>
                            <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </wsse:TransformationParameters>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>5kmj7l.....</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#XWSSGID-14514880453351538613570">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>GssfNgXcx....</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>zcfVW....</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1451488045318234803139">
                        <wsse:Reference URI="#XWSSGID-14501832448541055407999" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-14514880453351164099649">
        body content
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

我收到的异常应该表明证书引用不正确，但我没有看到响应中有任何错误。这是 WCF 相关的问题吗？

谢谢!

Answer 1

试试“mutualCertificate”的authenticationMode，在合约上设置ProtectionLevel.Sign，也可以allowSerializedTokenOnResponse=true。此处提供更多信息:https://gist.github.com/yaronn/6775810