我正在尝试使用 verisign 测试 x.509 证书调用第三方服务。当我收到响应消息时,它会生成以下错误:
传入消息使用令牌进行签名,该令牌与用于加密正文的令牌不同。这是没有预料到的
我没有预料到会出现此错误,因为我只向服务提供了一个 x.509 证书。它还使用什么其他证书?
任何见解将不胜感激!
我的自定义绑定如下所示:
<binding name="NodalCustomBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:10:00">
<textMessageEncoding messageVersion="Soap11" />
<security
authenticationMode="MutualCertificate"
requireDerivedKeys="false"
includeTimestamp="true"
keyEntropyMode="ClientEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="false"
allowSerializedSigningTokenOnReply="true"
enableUnsecuredResponse="true" >
<secureConversationBootstrap />
</security>
<httpsTransport />
</binding>
我的端点行为如下:
<endpointBehaviors>
<behavior name="NodalCredentialBehavior">
<clientCredentials>
<clientCertificate findValue="Testx509"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName"/>
<serviceCertificate>
<authentication certificateValidationMode="None"/>
<defaultCertificate findValue="Testx509"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
最后我的回复消息如下所示:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39Q</wsse:BinarySecurityToken>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#Id-b75df9d2-5a50-d36b-b26a-08ee4065010d">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>YKW87r6WtI5b5Mx3D/WIPg2bcIk=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>lAB8mXepN63lGSk/lraYooTEFfn8dnwiJ89z8d5S6HKsDjAgg= </dsig:SignatureValue>
<dsig:KeyInfo>
<SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="Id-b75df9d2-5a50-d36b-b26a-08ee4065010d" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ns0:ResponseMessage xmlns:ns0="http://www.ercot.com/schema/2007-06/nodal/ews/message">
<ns0:Header>
<ns0:Verb>reply</ns0:Verb>
<ns0:Noun/>
<ns0:ReplayDetection>
<ns0:Nonce/>
<ns0:Created/>
</ns0:ReplayDetection>
<ns0:Revision>001</ns0:Revision>
<ns0:Source/>
<ns0:UserID>API</ns0:UserID>
</ns0:Header>
<ns0:Reply>
<ns0:ReplyCode>FATAL</ns0:ReplyCode>
<ns0:Error>Invalid Verb</ns0:Error>
<ns0:Timestamp>2012-03-14T10:54:31.701-05:00</ns0:Timestamp>
</ns0:Reply>
</ns0:ResponseMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
我找到了答案。这是证书和配置的问题。
证书显然,我需要两张 x.509 证书,一张用于请求,一张用于响应。
- 在资源管理器中,双击 cer 文件将其打开。
- 单击“认证路径”选项卡并记下层次结构
- 将两个 x.509 证书安装在个人证书文件夹中。
- 在MMC中,双击证书将其打开
- 单击“证书路径”选项卡并确保路径与步骤 2 中的路径匹配
现在应该正确设置证书。
配置
在 app.config 中创建端点行为并创建身份
<behaviors>
<endpointBehaviors>
<behavior name="myBehavior">
<clientCredentials>
<clientCertificate findValue="#RequestCertificate#"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName"/>
<serviceCertificate>
<authentication certificateValidationMode="ChainTrust"/>
<defaultCertificate findValue="#ResponseCertificate#"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCertificate>
</clientCredentials>
</behavior>
<endpoint address="https://myaddress.com/" binding="customBinding"
contract="mycontract"
behaviorConfiguration="myBehavior"
name="HttpEndPoint">
<identity>
<dns value="#ResponseCertificate" />
</identity>
</endpoint>
where:
#RequestCertificate#是您请求证书的名称
#ResponseCertificate# 是您的响应证书的名称
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)