XMl 서명과 WCF로 SOAp 메시지에 서명하기

Question

현재 .NET에서 SOAP 서비스를 사용하기 위해 클라이언트를 구현하고 있습니다 (확실하지 않습니다). SOAP 봉투는 매우 구체적인 방식으로 서명되어야하며 그렇게하려고하는 악몽이었습니다. 내가 서명 헤더에 적절한 네임 스페이스를 설정할 수 없었던

1. : 나는이 문제가 그래서 기본적으로

   <?xml version="1.0" encoding="UTF-8"?> 
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> 
       <soapenv:Header> 
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> 
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
          <ds:SignedInfo> 
           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> 
           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> 
           <ds:Reference URI="#id-319644606"> 
            <ds:Transforms> 
             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform> 
            </ds:Transforms> 
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> 
            <ds:DigestValue>uQpjnTTrxxI7ck9FpeEI6YRVHBA=</ds:DigestValue> 
           </ds:Reference> 
          </ds:SignedInfo> 
          <ds:SignatureValue> 
   paNzJWyYDBNTj8Ay4z0/wOKKQUCe/z0q/LRcDgB9CP1fn/FZW8uyLdASHxs2HHlpYG7daFvbtpsQ 
   ZoiIUSzUuUBUAjjaqLWRZyUeCqc48f8X6vxR52mLARnJdPC9MWPZg8FTsoqJ2nvyH28chqf8Svql 
   KxgtCtBiL9wPnkzG5m4= 
   </ds:SignatureValue> 
          <ds:KeyInfo Id="KeyId-1827725498"> 
           <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-131635550"> 
            <ds:X509IssuerSerial> 
             <ds:X509IssuerName>CN=DESARROLLO,OU=INGENIERIA,O=ASOBANCARIA,L=BOGOTA,ST=D.C,C=CO</ds:X509IssuerName> 
             <ds:X509SerialNumber>1141316577</ds:X509SerialNumber> 
            </ds:X509IssuerSerial> 
           </wsse:SecurityTokenReference> 
          </ds:KeyInfo> 
         </ds:Signature> 
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
          <wsu:Created>2014-10-29T22:14:01Z</wsu:Created> 
          <wsu:Expires>2014-10-29T22:19:01Z</wsu:Expires> 
         </wsu:Timestamp> 
        </wsse:Security> 
       </soapenv:Header> 
       <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-319644606"> 
        <ns1:evaluarCuestionario xmlns:ns1="http://ws.confrontaultra.cifin.asobancaria.com" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> 
         <p_parametrosSeguridad href="#id0"></p_parametrosSeguridad> 
         <p_respuestaCuestionario href="#id1"></p_respuestaCuestionario> 
        </ns1:evaluarCuestionario> 
        <multiRef xmlns:ns2="http://ultras.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id1" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns2:RespuestaCuestionarioULTRADTO"> 
         <secuenciaCuestionario href="#id2"></secuenciaCuestionario> 
         <codigoCuestionario href="#id3"></codigoCuestionario> 
         <respuestas xmlns:ns3="http://ultra.dto.confrontaultra.cifin.co" soapenc:arrayType="ns3:RespuestaPreguntaULTRADTO[5]" xsi:type="soapenc:Array"> 
          <respuestas href="#id4"></respuestas> 
          <respuestas href="#id5"></respuestas> 
          <respuestas href="#id6"></respuestas> 
          <respuestas href="#id7"></respuestas> 
          <respuestas href="#id8"></respuestas> 
         </respuestas> 
        </multiRef> 
        <multiRef xmlns:ns4="http://ultra.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns4:ParametrosSeguridadULTRADTO"> 
         <claveCIFIN xsi:type="soapenc:string">90681</claveCIFIN> 
         <password xsi:type="soapenc:string">H32std</password> 
        </multiRef> 
        <multiRef xmlns:ns5="http://ultra.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id7" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns5:RespuestaPreguntaULTRADTO"> 
         <secuenciaPregunta href="#id9"></secuenciaPregunta> 
         <secuenciaRespuesta href="#id10"></secuenciaRespuesta> 
        </multiRef> 
        <multiRef xmlns:ns6="http://ultra.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id4" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns6:RespuestaPreguntaULTRADTO"> 
         <secuenciaPregunta href="#id11"></secuenciaPregunta> 
         <secuenciaRespuesta href="#id12"></secuenciaRespuesta> 
        </multiRef> 
        <multiRef xmlns:ns7="http://ultra.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id6" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns7:RespuestaPreguntaULTRADTO"> 
         <secuenciaPregunta href="#id13"></secuenciaPregunta> 
         <secuenciaRespuesta href="#id14"></secuenciaRespuesta> 
        </multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id2" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:long">8846263</multiRef> 
        <multiRef xmlns:ns8="http://ultra.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id5" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns8:RespuestaPreguntaULTRADTO"> 
         <secuenciaPregunta href="#id15"></secuenciaPregunta> 
         <secuenciaRespuesta href="#id16"></secuenciaRespuesta> 
        </multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id3" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">7062</multiRef> 
        <multiRef xmlns:ns9="http://ultra.dto.confrontaultra.cifin.co" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id8" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="ns9:RespuestaPreguntaULTRADTO"> 
         <secuenciaPregunta href="#id17"></secuenciaPregunta> 
         <secuenciaRespuesta href="#id18"></secuenciaRespuesta> 
        </multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id12" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">150136315</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id14" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">150136266</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id17" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">7</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id10" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">150136259</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id16" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">150136277</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id9" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">20</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id18" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">150136247</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id15" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">35</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id13" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">9</multiRef> 
        <multiRef xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" id="id11" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="xsd:int">92</multiRef> 
       </soapenv:Body> 
   </soapenv:Envelope> 
   

   :

   이

   은 기대 봉투의 예입니다 . (ds 네임 스페이스)

2. 또한 KeyInfo 태그 안에 wsse : SecutiryTokenReference 태그가 있습니다. SignedXml 클래스는 KeyInfo 엘리먼트 내부에 기본적으로이 XML을 생성

   그래서

   <KeyInfo> 
       <X509Data> 
        <X509IssuerSerial> 
         <X509IssuerName>CN=RootCATest</X509IssuerName> 
         <X509SerialNumber>228801528337358580231830876343013017805</X509SerialNumber> 
        </X509IssuerSerial> 
       </X509Data> 
   </KeyInfo> 
   

, 내가 <wsse:SecurityTokenReference> 요소와이 <X509Data> 요소를 대체 할 수있는 방법에 대해 설명합니다.

지금까지 XML 문서에 서명하기 위해 찾은 많은 게시물과 블로그를 따라 구현했습니다. 이것은 내 구현입니다.

public class Signer 
    { 
     public XmlDocument SignMessage(XmlDocument xmlDoc, X509Certificate2 certificate) 
     { 
      var ns = new XmlNamespaceManager(xmlDoc.NameTable); 
      ns.AddNamespace("soapenv", "http://schemas.xmlsoap.org/soap/envelope/"); 

      var body = xmlDoc.DocumentElement.SelectSingleNode(@"//soapenv:Body", ns) as XmlElement; 
      if (body == null) 
       throw new ApplicationException("No body tag found"); 
      body.SetAttribute("id", "Body"); 

      var signedXml = new SignedXml(xmlDoc); 

      var keyInfo = new KeyInfo(); 
      signedXml.SigningKey = certificate.PrivateKey;     

      var keyInfoData = new KeyInfoX509Data(); 
      keyInfoData.AddIssuerSerial(certificate.Issuer, certificate.GetSerialNumberString()); 
      keyInfo.AddClause(keyInfoData);  

      signedXml.KeyInfo = keyInfo; 

      signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl; 
      var reference = new Reference { Uri = "#Body" }; 

      reference.AddTransform(new XmlDsigExcC14NTransform()); 
      signedXml.AddReference(reference); 
      signedXml.ComputeSignature(); 

      var signedElement = signedXml.GetXml(); 

      var securityNode = xmlDoc.CreateElement(
       "wsse", 
       "Security", 
       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"); 

      securityNode.AppendChild(signedElement); 

      var timeStampNOde = xmlDoc.CreateElement("Timestamp"); 
      var createdNode = xmlDoc.CreateElement("Created"); 
      createdNode.InnerText = JsonConvert.SerializeObject(DateTime.UtcNow, new IsoDateTimeConverter()); 
      var expiresNode = xmlDoc.CreateElement("Created"); 
      expiresNode.InnerText = JsonConvert.SerializeObject(DateTime.UtcNow.AddMinutes(5), new IsoDateTimeConverter()); 
      timeStampNOde.AppendChild(createdNode); 
      timeStampNOde.AppendChild(expiresNode); 

      securityNode.AppendChild(timeStampNOde); 

      var soapHeader = xmlDoc.DocumentElement.SelectSingleNode(@"//soapenv:Header", ns) as XmlElement; 
      if (soapHeader == null) 
      { 
       soapHeader = xmlDoc.CreateElement("soapenv:Header", ""); 
       xmlDoc.DocumentElement.InsertBefore(soapHeader, xmlDoc.DocumentElement.ChildNodes[0]); 
      } 
      soapHeader.AppendChild(securityNode); 

      return xmlDoc; 
     } 

모든 의견, 제안 사항, 게시물 등은 매우 유용합니다. 이 조직은 나를 위해 그것을 바꿀 것이기 때문에 그들이 필요로하는 봉투를 보내야한다고 생각해. 나는 그들에게 많은 고객이있는 것 같아.

대단히 감사합니다!

Answer 1

접근 방식은 유효하지만 WCF 보안 기능을 사용하지 않습니다. 먼저 WCF로 시도한 다음 사용자 지정 서명을 사용하여 가능하지 않은 경우 WCF를 사용하는 것이 좋습니다.

<customBinding> 
     <binding name="NewBinding0"> 
      <textMessageEncoding messageVersion="Soap11" /> 
      <security authenticationMode="MutualCertificate" includeTimestamp="false" 
       messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"> 
       <secureConversationBootstrap /> 
      </security> 
      <httpTransport /> 
     </binding> 
</customBinding> 

은 또한 단지 서명 WCF를 구성 : 첫 번째 바인딩이 WCF에 시도

c.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign; 

이 당신이 필요로 비슷한 SOAP를 생성되지만하는 KeyInfo는 binarySecurityToken과하지에 대한 참조로 할 것이다 샘플에서와 같이 그래도 시도해 볼 것을 제안합니다. 제대로 작동 할 가능성이 있습니다.

실패한 경우 a code binding을 만들고 x509 params으로 재생해야합니다. 또는 custom WCF encoder을 구현하여 키 참조를 변경할 수 있습니다.

코드를 완전히 따르지 않았습니다. WCF없이 자신을 서명하는 접근법은 유효하지만 오류가 발생할 가능성이 큽니다.