具有相互证书的 WCF 服务互操作的 Java 客户端 - 无法解析用于验证签名的 KeyInfo

标签 java wcf interop x509certificate x509

异常: MessageSecurityException:无法解析用于验证签名的 KeyInfo:KeyInfo 'SecurityKeyIdentifier

我必须设置 WCF 服务以接收来自 Java 客户端的 SOAP 调用,该客户端发送带有以下 header 的签名内容:

<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:Reference URI="#id-3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">…</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#Timestamp-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">…</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      …
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-66FC0491F2BB65AFF813274134607712" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="...." xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN=XXXXXXXX</ds:X509IssuerName>
            <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">111122222</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
    <wsu:Created>xxxxx</wsu:Created>
    <wsu:Expires>xxxx</wsu:Expires>
  </wsu:Timestamp></wsse:Security></soap:Header>

我已尝试设置以下绑定(bind)和行为:

      <customBinding>
    <binding name="javaclientBinding">
      <security
        defaultAlgorithmSuite="Basic256Rsa15" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
        allowSerializedSigningTokenOnReply="true"
        authenticationMode="MutualCertificateDuplex"
        requireDerivedKeys="false"
        securityHeaderLayout="LaxTimestampLast"
        allowInsecureTransport="true"
        requireSignatureConfirmation="false"
        requireSecurityContextCancellation="false">
      </security>
      <textMessageEncoding messageVersion="Soap11" />
      <httpTransport />
    </binding>
  </customBinding>



<behavior name="javaclientBehavior">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="False"/>
<serviceCredentials>
    <clientCertificate>
    <authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate
    findValue="applicationServer"
  storeLocation="CurrentUser"
  storeName="My"
  x509FindType="FindBySubjectName" />
</serviceCredentials>
   </behavior>

但我在服务器事件日志中收到以下异常:

ClientIdentity: 
   ActivityId: <null>
   MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo
  'SecurityKeyIdentifier
   (
       IsReadOnly = False,
       Count = 1,
       Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=XXXXXX)
    )
   ', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)

'.

我们必须让签名验证正常工作,而且我们不可能更改 java 客户端发送的内容。

最佳答案

实际上我遇到了同样的问题,我正在使用 Yaron Naveh 建议的方法。

我还没有完成,但我正在取得一些进展(完成后我会发布完整的答案)。

请求使用 AsymmetricSecurityBindingElement,而不是 Yaron 建议的 SymmetricSecurityBindingElement。

X509SecurityTokenParameters 的包含模式应设置为 SecurityTokenInclusionMode.AlwaysToInitiator

绑定(bind)应该是这样的

//Only the following MessageSecurityVersion are asimetric: 

//WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
//WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10

AsymmetricSecurityBindingElement abe =(AsymmetricSecurityBindingElement)
SecurityBindingElement.CreateMutualCertificateBindingElement(    
  MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);

abe.SetKeyDerivation(false);

X509SecurityTokenParameters x509ProtectionParameters =
    new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial);

x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;

abe.InitiatorTokenParameters = x509ProtectionParameters;
abe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;

HttpTransportBindingElement httpBinding = new HttpTransportBindingElement();
System.ServiceModel.Channels.Binding binding = new CustomBinding(abe, httpBinding);
return binding;

希望能帮到你

关于具有相互证书的 WCF 服务互操作的 Java 客户端 - 无法解析用于验证签名的 KeyInfo,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9160503/

上一篇:java - 使用堆栈遍历和解决迷宫 - Java

下一篇:java - 无法发送 48681 字节的消息来保护来自 java 的 wcf 服务

相关文章:

java - 从 WCF 和 Biztalk 中的 WSDL 导入键/值复杂类型定义

c# - 互操作和 CRL 事件

java - 复选框的 onchange 方法不适用于 jsf 和 javascript

java - 如何用另一个表的计数更新一个表的字段? SQLite、Java、安卓

java - 如何解析一行的前6个字符串

c# - 如何在具有条件多个 where 条件的 Entity Framework 中编写查询?

java - 在实践中,JVM如何收集SoftReferences?

c# - Windows 服务中托管的 WCF 服务无法正常运行

c# - Pinvoke 中的一个问题

c++ - 无法从 C 应用程序访问 C++ DLL 中的变量

©2024 IT工具网  联系我们