Java client to WCF service interop with mutual certificates – Cannot resolve KeyInfo for verifying signature

Exception: MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier

I have to set up a WCF service that receives SOAP calls from a Java client, which sends signed content with the following header:

    [SOAP security header lost in extraction; only the fragment "CN=XXXXXXXX 111122222" remains]

I have tried setting up the following binding and behavior:


But I get the following exception in the server event log:

    ClientIdentity: ActivityId: MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=XXXXXX) ) ', available tokens 'SecurityTokenResolver ( TokenCount = 0, )

We must get signature verification working; we cannot change what the Java client sends.

I actually ran into the same problem, and I am using the approach Yaron Naveh suggested.

I'm not done yet, but I am making some progress (I will post a complete answer when I finish).

The request uses an AsymmetricSecurityBindingElement, not the SymmetricSecurityBindingElement Yaron suggested.

The inclusion mode of the X509SecurityTokenParameters should be set to SecurityTokenInclusionMode.AlwaysToInitiator.

The binding should look like this:

    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;

    static Binding CreateBinding()
    {
        // Only the following MessageSecurityVersion values are asymmetric:
        //   WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
        //   WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10
        AsymmetricSecurityBindingElement abe = (AsymmetricSecurityBindingElement)
            SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        abe.SetKeyDerivation(false);

        // Client (initiator) token: referenced by issuer name + serial number,
        // and only ever included in messages sent to the initiator
        X509SecurityTokenParameters x509ProtectionParameters =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial);
        x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
        x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
        abe.InitiatorTokenParameters = x509ProtectionParameters;

        abe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
        abe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;

        HttpTransportBindingElement httpBinding = new HttpTransportBindingElement();
        System.ServiceModel.Channels.Binding binding = new CustomBinding(abe, httpBinding);
        return binding;
    }

I hope this helps.
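An added example (mine, not part of this answer) of the hosting side that goes with a binding like the one above. Because AlwaysToInitiator means the request carries only an X509IssuerSerial reference and never the client certificate itself, the service has to hold that certificate out of band, which is what "TokenCount = 0" in the question's error points at; supplying it through ServiceCredentials.ClientCertificate is my assumption here, as are the contract, address and certificate subject names.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

[ServiceContract]
public interface IEchoService { [OperationContract] string Echo(string text); }

public class EchoService : IEchoService { public string Echo(string text) { return text; } }

static class Program
{
    // Mutual-certificate binding; the initiator token is referenced by IssuerSerial only.
    static Binding CreateMutualCertificateBinding()
    {
        var abe = (AsymmetricSecurityBindingElement)SecurityBindingElement
            .CreateMutualCertificateBindingElement(MessageSecurityVersion
                .WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        abe.SetKeyDerivation(false);
        var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial);
        initiator.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator; // cert not in request
        abe.InitiatorTokenParameters = initiator;
        return new CustomBinding(abe, new HttpTransportBindingElement());
    }

    static void Main()
    {
        // Placeholder address and certificate subject names (assumptions, not from the page).
        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), CreateMutualCertificateBinding(), "");
        // Service certificate: signs responses and decrypts requests on the service side.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "SERVICE-CERT-PLACEHOLDER");
        // Client certificate obtained out of band: the request carries only an
        // X509IssuerSerial reference, so this is the entry the token resolver matches.
        host.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, "JAVA-CLIENT-CERT-PLACEHOLDER");
        // Keep chain validation and revocation checking on; None would accept any signer.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        host.Open();
        Console.ReadLine(); // keep the host alive until Enter is pressed
        host.Close();
    }
}
```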

Please post the entire request envelope here.

Usually in such cases I recommend first building a WCF client and verifying that it works. You can build a WCF client that sends the serial number like this:

    using System.ServiceModel.Channels;
    using System.ServiceModel.Security.Tokens;

    SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
    // Protection token referenced by issuer name + serial number (X509IssuerSerial)
    X509SecurityTokenParameters x509ProtectionParameters =
        new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial);
    messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
    HttpTransportBindingElement httpBinding = new HttpTransportBindingElement();
    Binding binding = new CustomBinding(messageSecurity, httpBinding);

Note the use of X509KeyIdentifierClauseType.IssuerSerial. Creating the server with a custom binding that uses this setting may solve the whole problem, but I recommend starting with WCF to WCF.