程序员经验分享-hwhale

wcf 错误:传入消息使用的令牌进行签名,该令牌与用于加密正文的令牌不同。这是没有预料到的

2024-04-19

我正在尝试使用 verisign 测试 x.509 证书调用第三方服务。当我收到响应消息时,它会生成以下错误:

传入消息使用令牌进行签名,该令牌与用于加密正文的令牌不同。这是没有预料到的

我没有预料到会出现此错误,因为我只向服务提供了一个 x.509 证书。它还使用什么其他证书?

任何见解将不胜感激!

我的自定义绑定如下所示:

<binding name="NodalCustomBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
        receiveTimeout="00:10:00" sendTimeout="00:10:00">
      <textMessageEncoding messageVersion="Soap11" />
      <security
        authenticationMode="MutualCertificate"
        requireDerivedKeys="false"
        includeTimestamp="true"
         keyEntropyMode="ClientEntropy"
        messageProtectionOrder="SignBeforeEncrypt"
        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
        requireSecurityContextCancellation="false"
        allowSerializedSigningTokenOnReply="true"
        enableUnsecuredResponse="true" >
        <secureConversationBootstrap />
      </security>
      <httpsTransport />
    </binding>

我的端点行为如下:

<endpointBehaviors>
    <behavior name="NodalCredentialBehavior">   
      <clientCredentials>
        <clientCertificate findValue="Testx509"                                
          storeLocation="CurrentUser"
         storeName="My"
          x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <authentication certificateValidationMode="None"/>
          <defaultCertificate findValue="Testx509"
          storeLocation="CurrentUser"
           storeName="My"
          x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>          
    </behavior>
  </endpointBehaviors>

最后我的回复消息如下所示:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
   <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39Q</wsse:BinarySecurityToken>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#Id-b75df9d2-5a50-d36b-b26a-08ee4065010d">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>YKW87r6WtI5b5Mx3D/WIPg2bcIk=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>lAB8mXepN63lGSk/lraYooTEFfn8dnwiJ89z8d5S6HKsDjAgg=    </dsig:SignatureValue>
    <dsig:KeyInfo>
      <SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </SecurityTokenReference>
    </dsig:KeyInfo>
  </dsig:Signature>
</wsse:Security>
</SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="Id-b75df9d2-5a50-d36b-b26a-08ee4065010d" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <ns0:ResponseMessage xmlns:ns0="http://www.ercot.com/schema/2007-06/nodal/ews/message">
  <ns0:Header>
    <ns0:Verb>reply</ns0:Verb>
    <ns0:Noun/>
    <ns0:ReplayDetection>
      <ns0:Nonce/>
      <ns0:Created/>
    </ns0:ReplayDetection>
    <ns0:Revision>001</ns0:Revision>
    <ns0:Source/>
    <ns0:UserID>API</ns0:UserID>
  </ns0:Header>
  <ns0:Reply>
    <ns0:ReplyCode>FATAL</ns0:ReplyCode>
    <ns0:Error>Invalid Verb</ns0:Error>
    <ns0:Timestamp>2012-03-14T10:54:31.701-05:00</ns0:Timestamp>
  </ns0:Reply>
</ns0:ResponseMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

我找到了答案。这是证书和配置的问题。

证书显然,我需要两张 x.509 证书,一张用于请求,一张用于响应。

  1. 在资源管理器中,双击 cer 文件将其打开。
  2. 单击“认证路径”选项卡并记下层次结构
  3. 将两个 x.509 证书安装在个人证书文件夹中。
  4. 在MMC中,双击证书将其打开
  5. 单击“证书路径”选项卡并确保路径与步骤 2 中的路径匹配

现在应该正确设置证书。

配置

在 app.config 中创建端点行为并创建身份

<behaviors>
  <endpointBehaviors>
    <behavior name="myBehavior">   
      <clientCredentials>
        <clientCertificate findValue="#RequestCertificate#"                                
          storeLocation="CurrentUser"
         storeName="My"
          x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <authentication certificateValidationMode="ChainTrust"/>
          <defaultCertificate findValue="#ResponseCertificate#"
          storeLocation="CurrentUser"
           storeName="My"
          x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>          
    </behavior>

  <endpoint address="https://myaddress.com/" binding="customBinding"
            contract="mycontract"
            behaviorConfiguration="myBehavior"
            name="HttpEndPoint">
    <identity>
      <dns value="#ResponseCertificate" />
    </identity>        
  </endpoint>

where:

#RequestCertificate#是您请求证书的名称

#ResponseCertificate# 是您的响应证书的名称

本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

wcf

Certificate

wcfsecurity

x509certificate

wcf 错误:传入消息使用的令牌进行签名,该令牌与用于加密正文的令牌不同。这是没有预料到的 的相关文章

随机推荐

热门标签