[英]WCF Client - Specifying the signature algorithm for WS-Security Timestamp signature
我有一个WCF客户端正在向非WCF服务发送消息,并且该服务在处理用于签署WS-Security Timestamp元素的HMAC-SHA1签名方法时遇到问题。 理想情况下,我们想使用RSA-SHA1签名方法,但我无法让WCF使用该签名方法。
我正在使用的绑定是一个自定义绑定,它允许我通过HTTPS发送SAML 2.0令牌:
<customBinding>
<!-- This binding is a WS2007FederationHttpBinding without Secure Sessions that uses Text message encoding. -->
<binding
name="WS2007FederationHttpBinding_NoSecureSession_Text"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00">
<security
authenticationMode="IssuedTokenOverTransport"
requireSignatureConfirmation="true"
securityHeaderLayout="Lax"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
keyEntropyMode="CombinedEntropy"
includeTimestamp="true">
<issuedTokenParameters
tokenType="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- This describes the STS. That is, the URL, the binding to use, and its Identity -->
<issuer
address="http://hostname//STS.svc"
binding="ws2007HttpBinding"
bindingConfiguration="StsUserNameBindingConfiguration">
<identity>
<!-- This is the certificate used for signing on the STS. -->
<!-- Replace "sts-signing-certificate-thumbprint" with the actual thumbprint of the STS's signing certificate -->
<certificateReference
findValue="sts-signing-certificate-thumbprint"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint"/>
</identity>
</issuer>
</issuedTokenParameters>
<!-- This basically says "Don't use Secure Conversation" -->
<secureConversationBootstrap/>
</security>
<!-- Use Text Encoding -->
<textMessageEncoding/>
<!-- This says to use HTTPS when communicating with the remote service -->
<httpsTransport
requireClientCertificate="true"
maxBufferPoolSize="134217728"
maxReceivedMessageSize="134217728"
maxBufferSize="134217728"/>
</binding>
</customBinding>
传出请求中的签名如下所示:
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference
URI="#_0">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>GZfW1RkyS4DHYFPHRnRuqNSo+qE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>rMzQ/kEV7AXcO3wm9hfQXNoX5r4=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference
b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_9f79359e-63dc-4e38-888c-6567dac4b41b</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
请注意<SignatureMethod>是http://www.w3.org/2000/09/xmldsig#hmac-sha1
一个有趣的事情是HMAC-SHA1算法是对称的(加密和解密的一个密钥),而RSA-SHA1是非对称的(需要一个密钥加密,一个密钥解密)。 我认为WCF使用HMAC-SHA1算法,因为它是对称的,并且正在交换的SAML令牌是共享密钥(密钥)。 使用SAML令牌作为对称算法的共享密钥是有意义的,但是有一个选项可用于强制WCF使用像RSA-SHA1这样的非对称算法吗?
通过更改binding / security / defaultAlgorithmSuite属性,我能够对签名方法稍作修改,但是各种选项不能让我在这里指定RSA-SHA1:
defaultAlgorithm =默认值:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
defaultAlgorithm = Basic256:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
defaultAlgorithm = Basic256Rsa15:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
defaultAlgorithm = Basic256Sha256:
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
defaultAlgorithm = Basic256Sha256Rsa15:
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
有没有办法可以强制WCF在Timestamp签名上使用RSA-SHA1?
我认为这是一个互操作性问题。 下面的链接中存在类似的问题。
http://www.fokkog.com/2011/01/ws-security-interoperability-issue.html
您可以手动创建和签署令牌。 查看这篇文章:
如何使WCF客户端符合特定的WS-Security - 签署UsernameToken和SecurityTokenReference
如何在 WCF 客户端服务中实现 WS-security(时间戳、用户名令牌、签名)
[英]How do I implement WS-security in WCF client service (timestamp, usernametoken, signature)
从WCF创建的ws-security标头中删除timestamp元素
[英]Remove timestamp element from ws-security headers created by WCF
WCF 客户端中的 WS-Trust、WS-Security 和 WS-A 寻址绑定
[英]WS-Trust, WS-Security & WS-A Addressing Binding in WCF Client
我正在使用 SignedXML 签署 WS-Security Soap 请求,但在匹配 SOAPUI 签名值时遇到问题
[英]I am signing WS-Security Soap request with SignedXML, but having trouble matching SOAPUI signature value
使用 WS-Security UsernameToken PasswordDigest 身份验证方案使用 Axis 2 Web 服务的 WCF 客户端出错
[英]Error in WCF client consuming Axis 2 web service with WS-Security UsernameToken PasswordDigest authentication scheme
如何使WCF客户端符合特定的WS-Security - 签署UsernameToken和SecurityTokenReference
[英]How to make WCF Client conform to specific WS-Security - sign UsernameToken and SecurityTokenReference
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.