
WCF Client for web service with WS-Security, signed headers, authentication tokens and encryption of body

I was assigned to create a client for a web service. I have no previous experience with web services and I have been trying with no success. The web service is hosted at https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService . I was able to create the proxy classes with Visual Studio 2012 and create a basic client that was rejected by the service since it did not include any of the security specifications that the service requires. The following are extracts from the documentation, which is available at http://www.health.gov.on.ca/en/pro/publications/ohip/default.aspx

The WS-Security section includes technical specifications of the WSS 1.1:
• Identity requirements;
• Signing requirements;
• Encryption requirements; and
• Time stamps

IDP: To ensure confidentiality and integrity of sensitive information within the message, sender software must use public key technology to sign the SOAP headers and body. The signing certificate can be any available certificate and can be self signed. If any response data is specified to be encrypted, by the specific web service technical specification, the data will be encrypted using, at least, the AES128-CBC symmetric encryption algorithm with the public key belonging to the signer of the initial SOAP request. The encryption algorithm may be increased based on the specific web service technical specification.

My goal is to create a WCF client that can access this service. So far this is what I have done, and it does not work. This example tries to upload a file to the server:

    using System;
    using System.IO;
    using System.ServiceModel;
    using Microsoft.Web.Services3.Security.Tokens; // WSE 3.0 UsernameToken / PasswordOption

    // EDTDelegateClient, ebs_header, idp_header, msa_header, uploadData, uploadRequest and
    // resourceResult are the proxy classes generated from the service WSDL; InspectorBehavior
    // is the poster's own IEndpointBehavior that logs sent and received messages.
    public class EdtUploader
    {
        EndpointAddress address = new EndpointAddress("https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService");
        //MCEDT userID and password
        string userId = "abcdefg";
        string password = "password";
        //MOH Id
        string mohId = "123456";
        //Vendor Conformance Key
        string key = "1234abcd-eeee-aaaa-ffff-abcdef123456";
        //Name of the sample claim file provided by OHIP (placeholder file name)
        string claim_file = "claim.txt";

        public void upload()
        {
            Console.WriteLine("Uploading....");
            //Specify the binding to be used for the client.
            WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);

            binding.SendTimeout = new TimeSpan(0, 10, 0);
            //WSE 3.0 token; not attached to the WCF client below
            UsernameToken ut = new UsernameToken(userId, password, PasswordOption.SendHashed);

            EDTDelegateClient client = new EDTDelegateClient(binding, address);

            //Capture before send and after receive events
            client.Endpoint.Behaviors.Add(new InspectorBehavior());

            ebs_header EBS = new ebs_header();
            EBS.AuditId = "123456789";
            EBS.SoftwareConformanceKey = key;

            //The MCEDT service will only support the IDP security model in its first release.
            idp_header IDP = new idp_header();
            IDP.ServiceUserMUID = mohId;

            msa_header MSA = new msa_header();
            MSA.UserID = userId;

            //data to upload
            //sample claim provided by OHIP
            uploadData data = new uploadData();
            data.description = claim_file;
            data.content = File.ReadAllBytes(@"..\..\" + claim_file);

            uploadRequest ur = new uploadRequest();
            ur.upload = new uploadData[1];
            ur.upload[0] = data;

            try
            {
                resourceResult result = client.upload(EBS, MSA, IDP, ur.upload);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
        }
    }

I believe that what I have done so far is in line with the technical requirements: "The electronic system constructs a SOAP message using appropriate values and inserts the EBS and IDP headers into the SOAP message header with the user name and password (for the IDP in a WS-Security Username token). The SOAP headers and body are then digitally signed to guarantee message integrity and source. If any request data is specified to be encrypted, by the specific web service technical specification, it will use the public key of the EBS system." But I don't know how to sign the headers and body or how to encrypt the data. The certificates are provided with all the technical specifications and we have the proper information for user and password. It is only my lack of knowledge that is stopping me from finishing this project.
Thanks in advance to the community for the help.

Edit #1: Sample Message from Docs:

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:msa="http://msa.ebs.health.ontario.ca/"
xmlns:idp="http://idp.ebs.health.ontario.ca/"
xmlns:edt="http://edt.health.ontario.ca/"
xmlns:ebs="http://ebs.health.ontario.ca/">
  <soapenv:Header>
    <ebs:EBS wsu:Id="id-4"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <SoftwareConformanceKey>444361ee-277f-7732-c684-7a9923jfgh1b</SoftwareConformanceKey>
      <AuditId>124355467675</AuditId>
    </ebs:EBS>
    <idp:IDP wsu:Id="id-3"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ServiceUserMUID>1111222</ServiceUserMUID>
    </idp:IDP>
    <wsse:Security soapenv:mustUnderstand="1"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"     
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      wsu:Id="X509-04FD51796CB607011413612828891871">...</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#UsernameToken-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>peTHpiEd5ujPqxNuKGN0k4p7up8c0dFPuRXbpQ+eMwI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="wsse ebs edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>DqLqNQVHwzHRx7amwoYxEMwxN2g0/rND2I13WPP1Vhw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-3">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>K4IrndAA4zBmkumIfgKcluiKA8dmzwgGdKo5aq45LHg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-4">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="edt idp msa soapenv"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>o92xRJQNwGz0Hv7DX87vSYUScX0qHL/bFGE3GmtUzQg=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-5">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="ebs edt idp msa"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>svNyvvP+MrjIYlZFsg+bgw//8IPNVvIO9px3vYUfW3I=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          qDSZlgY/aTFOzzo1C4tx+1E8ertrbmBySRxEK6sJ1JCt/77TLV5PBGnAme9Ttdmzf6h7/qb4rBGL 76LM0PaCQ9xm3DTsSQOz/So82G+/kX8M9TPY9D44+dvlB+cXm9rPn2BLMSVwtJf0kwI22SmRzMTR 6a6jfNYkGga6ZwZC9NLfG5/KTvsyZ39vOdO3T5GYc15RSjHKVBggoWmKm7x5PHrhU+3gClEbtHP8+Fgmmd9PJOtl9WunzR7NpY79xRNGxmDmL8hLvE4+uIc//b6TvrbGB2t8IWb5e5Wdz+ssHgMm0802 wFwGXlVxvSHpEJroHz5OvRgh7PKGlUSZP9fWkg==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-04FD51796CB607011413612828892812">
          <wsse:SecurityTokenReference wsu:Id="STR-04FD51796CB607011413612828892813">
            <wsse:Reference
            URI="#X509-04FD51796CB607011413612828891871"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsse:UsernameToken wsu:Id="UsernameToken-2">
        <wsse:Username>johndoe@examplemail.com</wsse:Username>
        <wsse:Password
        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">****</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2013-02-19T14:08:08Z</wsu:Created>
        <wsu:Expires>2013-02-19T14:08:38Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-5"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <edt:upload>
      <upload>
        <content>
          <inc:Include href="cid:2341682853256" xmlns:inc="http://www.w3.org/2004/08/xop/include" />
        </content>
        <description>00123</description>
        <resourceType>CL</resourceType>
      </upload>
    </edt:upload>
  </soapenv:Body>
</soapenv:Envelope>

EDIT: See here a detailed solution to consume this EBS-EDT service
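The sample message from the documentation shows what a correctly signed request looks like: ds:SignedInfo carries one ds:Reference per protected part, each pointing at the wsu:Id of the EBS header (id-4), the IDP header (id-3), the Timestamp (TS-1), the UsernameToken (UsernameToken-2) and the Body (id-5). The following is an added example, not code from the question or from the EBS/EDT documentation: it takes an envelope (for instance one captured by the poster's InspectorBehavior before it is sent) and lists which of those required parts the signature does not reference. It checks signature coverage only; it does not verify the signature value or the certificate. The namespace URIs are the ones in the sample message; the class and method names and the embedded sample envelope are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example (hypothetical helper, not part of the original post): report the parts
// of a WS-Security envelope that the specification requires to be signed but that
// ds:SignedInfo does not reference. Coverage check only; no cryptographic verification.
public static class SignatureCoverageCheck
{
    const string Ds   = "http://www.w3.org/2000/09/xmldsig#";
    const string Wsu  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";

    // Parts the quoted documentation requires to be signed, located by XPath.
    static readonly Dictionary<string, string> RequiredParts = new Dictionary<string, string>
    {
        { "EBS header",    "/soapenv:Envelope/soapenv:Header/ebs:EBS" },
        { "IDP header",    "/soapenv:Envelope/soapenv:Header/idp:IDP" },
        { "Timestamp",     "//wsse:Security/wsu:Timestamp" },
        { "UsernameToken", "//wsse:Security/wsse:UsernameToken" },
        { "Body",          "/soapenv:Envelope/soapenv:Body" },
    };

    // Returns the names of required parts that are absent, lack a wsu:Id, or are not
    // referenced from ds:SignedInfo. An empty list means every required part is covered.
    public static List<string> FindUnsignedParts(string envelopeXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(envelopeXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", Ds);
        ns.AddNamespace("wsu", Wsu);
        ns.AddNamespace("wsse", Wsse);
        ns.AddNamespace("soapenv", Soap);
        ns.AddNamespace("ebs", "http://ebs.health.ontario.ca/");
        ns.AddNamespace("idp", "http://idp.ebs.health.ontario.ca/");

        // Each ds:Reference URI="#..." names one signed element by its wsu:Id.
        var referencedIds = new HashSet<string>();
        foreach (XmlElement r in doc.SelectNodes("//ds:Signature/ds:SignedInfo/ds:Reference", ns))
            referencedIds.Add(r.GetAttribute("URI").TrimStart('#'));

        var missing = new List<string>();
        foreach (var part in RequiredParts)
        {
            var element = doc.SelectSingleNode(part.Value, ns) as XmlElement;
            string id = element == null ? "" : element.GetAttribute("Id", Wsu);
            if (id.Length == 0 || !referencedIds.Contains(id))
                missing.Add(part.Key);
        }
        return missing;
    }

    public static void Main()
    {
        // Constructed sample envelope: EBS, IDP and Timestamp are referenced by the
        // signature, but the UsernameToken and the Body are not.
        const string sample = @"<soapenv:Envelope xmlns:soapenv=""http://schemas.xmlsoap.org/soap/envelope/""
  xmlns:ebs=""http://ebs.health.ontario.ca/"" xmlns:idp=""http://idp.ebs.health.ontario.ca/""
  xmlns:wsu=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd""
  xmlns:wsse=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd""
  xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"">
  <soapenv:Header>
    <ebs:EBS wsu:Id=""id-4""><AuditId>1</AuditId></ebs:EBS>
    <idp:IDP wsu:Id=""id-3""><ServiceUserMUID>1</ServiceUserMUID></idp:IDP>
    <wsse:Security>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI=""#id-4""/><ds:Reference URI=""#id-3""/><ds:Reference URI=""#TS-1""/>
      </ds:SignedInfo></ds:Signature>
      <wsse:UsernameToken wsu:Id=""UsernameToken-2""/>
      <wsu:Timestamp wsu:Id=""TS-1""/>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id=""id-5""/>
</soapenv:Envelope>";

        foreach (var part in FindUnsignedParts(sample))
            Console.WriteLine("not covered by the signature: " + part);
    }
}
```

Run against the documentation sample above, FindUnsignedParts returns an empty list, because all five wsu:Ids appear as ds:Reference URIs; run against a message that a WSHttpBinding client produces, it shows immediately which headers the binding left out of the signature. The sample also shows that the server expects SHA-256 digests with an rsa-sha1 SignatureMethod and exclusive canonicalization with an InclusiveNamespaces prefix list per reference, so comparing a captured envelope element by element against the sample is the quickest way to see what the rejected request is missing.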

Since you have both username auth and x.509 signature you need to create the binding from code:

    // needs: using System.ServiceModel.Channels; using System.ServiceModel.Security.Tokens; using System.Text;
    var b = new CustomBinding(); // the binding the security, encoding and transport elements are added to
    var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
        MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
    sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
    sec.MessageSecurityVersion =
        MessageSecurityVersion.
            WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
    sec.IncludeTimestamp = false;
    sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

    b.Elements.Add(sec);
    b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
    b.Elements.Add(new HttpsTransportBindingElement());

Then you need to sign the headers. Assuming you use a message contract (not a data contract) where headers are explicitly tagged with a MessageHeader attribute then add to it a property "ProtectionMode=ProtectionMode.Sign".
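Putting the two halves of the answer together, the following is an added example, not code from the answer or from the EBS/EDT project. It wires the custom binding above to a hand-written message contract whose EBS and IDP headers are marked for signing, and supplies the credentials WCF needs to emit the wsse:UsernameToken and the X.509 signature. The property that WCF's MessageHeader and MessageBodyMember attributes expose for this is ProtectionLevel (from System.Net.Security), with the value ProtectionLevel.Sign. Element names and namespace URIs are taken from the sample envelope in the question; the contract, class, operation and certificate names are assumptions, the real SOAP Action must be taken from the service WSDL, and IncludeTimestamp is left at true here because the sample message carries a signed wsu:Timestamp.

```csharp
using System;
using System.Net.Security;
using System.Runtime.Serialization;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;
using System.Text;

// Added example; contract and type names are assumptions, not the generated proxy.

[DataContract(Namespace = "")]   // children of <ebs:EBS> are unqualified in the sample message
public class EbsHeader
{
    [DataMember(Order = 0)] public string SoftwareConformanceKey { get; set; }
    [DataMember(Order = 1)] public string AuditId { get; set; }
}

[DataContract(Namespace = "")]
public class IdpHeader
{
    [DataMember] public string ServiceUserMUID { get; set; }
}

[DataContract(Namespace = "")]
public class UploadItem
{
    [DataMember(Order = 0)] public byte[] content { get; set; }
    [DataMember(Order = 1)] public string description { get; set; }
    [DataMember(Order = 2)] public string resourceType { get; set; }
}

[MessageContract(WrapperName = "upload", WrapperNamespace = "http://edt.health.ontario.ca/")]
public class UploadRequestMessage
{
    // ProtectionLevel.Sign makes WCF add a ds:Reference for this header inside ds:SignedInfo,
    // which is what the sample envelope shows for id-4 (EBS) and id-3 (IDP).
    [MessageHeader(Name = "EBS", Namespace = "http://ebs.health.ontario.ca/", ProtectionLevel = ProtectionLevel.Sign)]
    public EbsHeader Ebs { get; set; }

    [MessageHeader(Name = "IDP", Namespace = "http://idp.ebs.health.ontario.ca/", ProtectionLevel = ProtectionLevel.Sign)]
    public IdpHeader Idp { get; set; }

    // The sample body (id-5) is signed but not encrypted, so the body member is Sign only.
    [MessageBodyMember(Name = "upload", Namespace = "", ProtectionLevel = ProtectionLevel.Sign)]
    public UploadItem[] Upload { get; set; }
}

[MessageContract(WrapperName = "uploadResponse", WrapperNamespace = "http://edt.health.ontario.ca/")]
public class UploadResponseMessage
{
    // Assumed response shape; the generated proxy on the page calls it resourceResult.
    [MessageBodyMember(Name = "return", Namespace = "")] public string Result { get; set; }
}

[ServiceContract(Namespace = "http://edt.health.ontario.ca/")]
public interface IEdtDelegate
{
    [OperationContract]   // assumption: set Action and ReplyAction to the values in the WSDL
    UploadResponseMessage upload(UploadRequestMessage request);
}

public static class EdtClientFactory
{
    // Same binding as the answer above, built into a reusable method.
    public static CustomBinding BuildBinding()
    {
        var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
        sec.IncludeTimestamp = true;   // the sample envelope carries a signed wsu:Timestamp (TS-1)

        var b = new CustomBinding();
        b.Elements.Add(sec);
        b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
        b.Elements.Add(new HttpsTransportBindingElement());
        return b;
    }

    public static IEdtDelegate CreateChannel(string url, string userId, string password,
                                             X509Certificate2 signingCert, X509Certificate2 serviceCert)
    {
        // The endpoint identity has to match the service certificate or WCF refuses to open the channel.
        var address = new EndpointAddress(new Uri(url),
            EndpointIdentity.CreateDnsIdentity(serviceCert.GetNameInfo(X509NameType.DnsName, false)));

        var factory = new ChannelFactory<IEdtDelegate>(BuildBinding(), address);
        factory.Credentials.UserName.UserName = userId;                          // -> wsse:UsernameToken
        factory.Credentials.UserName.Password = password;
        factory.Credentials.ClientCertificate.Certificate = signingCert;         // signs headers and body
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert; // service public key
        return factory.CreateChannel();
    }
}
```

The signing certificate must be loaded with its private key (an X509Certificate2 from a PFX or from a certificate store entry that has the key), otherwise WCF throws when it tries to produce the ds:SignatureValue. Two details from the sample envelope are worth checking against the WSDL before blaming the binding: the body uses an XOP include (cid: reference), which suggests the server expects MTOM rather than text encoding, and the UsernameToken carries a PasswordText password, so a SendHashed digest token as in the question's WSE code would not match.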
