2017-11-07 5 views
4

WCF SOAP client cannot resolve URI in signature to compute digest

I am trying to consume a SOAP 1.1 web service running on Oracle WebLogic from a WCF client. The service implements the standard OASIS WS-Security 1.2 with body signing and encryption (sign before encrypt), the Basic256Sha256 algorithm suite and the LaxTimestampLast layout configuration.

I am able to send the message signed and encrypted, in the expected format:

<s:Envelope 
    xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <s:Header> 
     <o:Security s:mustUnderstand="1" 
      xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
      <e:EncryptedKey Id="_0" 
       xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
       <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
         xmlns="http://www.w3.org/2000/09/xmldsig#"/> 
       </e:EncryptionMethod> 
       <KeyInfo 
        xmlns="http://www.w3.org/2000/09/xmldsig#"> 
        <o:SecurityTokenReference> 
         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</o:KeyIdentifier> 
        </o:SecurityTokenReference> 
       </KeyInfo> 
       <e:CipherData> 
        <e:CipherValue>fOgGM...Ixw==</e:CipherValue> 
       </e:CipherData> 
       <e:ReferenceList> 
        <e:DataReference URI="#_2"/> 
       </e:ReferenceList> 
      </e:EncryptedKey> 
      <o:BinarySecurityToken u:Id="uuid-792fca62-dad8-442e-b720-d52f48768dd0-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIFf...O2A8=</o:BinarySecurityToken> 
      <Signature 
       xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <SignedInfo> 
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
        <Reference URI="#_1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <DigestValue>0OiBt3eXZek5bJ9d9CFsduwbtQVoFY3DvFqxfnQz7Dg=</DigestValue> 
        </Reference> 
        <Reference URI="#uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <DigestValue>PtcCDNfz7ocVM86qgSnDFnUUJnVz6E884Ll9QeV6Wfg=</DigestValue> 
        </Reference> 
        <Reference URI="#uuid-792fca62-dad8-442e-b720-d52f48768dd0-1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <DigestValue>SezODccgkQ2rfYtKfSxAC14igVpLxbfQtKChSddDf+c=</DigestValue> 
        </Reference> 
       </SignedInfo> 
       <SignatureValue>j6XPB.../ow==</SignatureValue> 
       <KeyInfo> 
        <o:SecurityTokenReference> 
         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</o:KeyIdentifier> 
        </o:SecurityTokenReference> 
       </KeyInfo> 
      </Signature> 
      <u:Timestamp u:Id="uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1"> 
       <u:Created>2017-11-06T20:43:29.722Z</u:Created> 
       <u:Expires>2017-11-06T20:48:29.722Z</u:Expires> 
      </u:Timestamp> 
     </o:Security> 
    </s:Header> 
    <s:Body u:Id="_1" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
     <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
      xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> 
      <e:CipherData> 
       <e:CipherValue>L7f+O...Rw7jHL</e:CipherValue> 
      </e:CipherData> 
     </e:EncryptedData> 
    </s:Body> 
</s:Envelope> 

However, when I get the response:

<?xml version='1.0' encoding='UTF-8'?> 
<S:Envelope 
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> 
    <env:Header> 
     <wsse:Security 
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1"> 
      <ns1:EncryptedKey 
       xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="18iq0thuJbDO21Gk"> 
       <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
        <ns2:DigestMethod 
         xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       </ns1:EncryptionMethod> 
       <ns3:KeyInfo 
        xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"> 
        <wsse:SecurityTokenReference 
         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_nczorGBwzUSf1PJG"> 
         <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</wsse:KeyIdentifier> 
        </wsse:SecurityTokenReference> 
       </ns3:KeyInfo> 
       <ns1:CipherData> 
        <ns1:CipherValue>VLX9L...jTQ==</ns1:CipherValue> 
       </ns1:CipherData> 
       <ns1:ReferenceList> 
        <ns1:DataReference URI="#XgzvGdpjeeFiU0AH"/> 
       </ns1:ReferenceList> 
      </ns1:EncryptedKey> 
      <wsse11:SignatureConfirmation 
       xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sigconf_gF2mG4MS0QT3gGyg" Value="j6XPB.../ow=="/> 
      <dsig:Signature 
       xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> 
       <dsig:SignedInfo> 
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
        <dsig:Reference URI="#Timestamp_be1msZa7e60oVdtW"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>mWxC8kSZIGKE1KTyVWbr2YgOmE1UqVNV3lS4vdM4kdM=</dsig:DigestValue> 
        </dsig:Reference> 
        <dsig:Reference URI="#Body_fr2ndXxiUtwuP3Y2"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>ZztOfa8rAv2aaMUxxKaYAPgUbEfIZRe/1ZRgPacmAlc=</dsig:DigestValue> 
        </dsig:Reference> 
        <dsig:Reference URI="#sigconf_gF2mG4MS0QT3gGyg"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>AfX4C1zXqAIX1pEHPw7PHEhf/g/8JWACJqgX7p63RkI=</dsig:DigestValue> 
        </dsig:Reference> 
        <dsig:Reference URI="#str_RLjzz112Lwz91VZF"> 
         <dsig:Transforms> 
          <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"> 
           <wsse:TransformationParameters> 
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
           </wsse:TransformationParameters> 
          </dsig:Transform> 
         </dsig:Transforms> 
         <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
         <dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue> 
        </dsig:Reference> 
       </dsig:SignedInfo> 
       <dsig:SignatureValue>xlVJb...EPZg==</dsig:SignatureValue> 
       <dsig:KeyInfo> 
        <wsse:SecurityTokenReference 
         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_RLjzz112Lwz91VZF"> 
         <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier> 
        </wsse:SecurityTokenReference> 
       </dsig:KeyInfo> 
      </dsig:Signature> 
      <wsu:Timestamp 
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp_be1msZa7e60oVdtW"> 
       <wsu:Created>2017-11-06T20:43:30Z</wsu:Created> 
       <wsu:Expires>2017-11-06T20:44:30Z</wsu:Expires> 
      </wsu:Timestamp> 
     </wsse:Security> 
    </env:Header> 
    <S:Body 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body_fr2ndXxiUtwuP3Y2"> 
     <ns1:EncryptedData 
      xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="XgzvGdpjeeFiU0AH" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml"> 
      <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> 
      <ns1:CipherData> 
       <ns1:CipherValue>GT08G...PqanY</ns1:CipherValue> 
      </ns1:CipherData> 
     </ns1:EncryptedData> 
    </S:Body> 
</S:Envelope> 

the client test fails with this error:

Test Name: TestMethod_CodedCustomBinding 
Test FullName: Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding 
Test Source: C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs : line 207 
Test Outcome: Failed 
Test Duration: 0:00:00.9372511 

Result StackTrace: 
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified() 
    at System.IdentityModel.SignedXml.CompleteSignatureVerification() 
    at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned) 
    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy) 
    at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
    at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
--- End of inner exception stack trace --- 

Server stack trace: 
    at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) 
    at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout) 
    at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) 
    at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) 
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) 
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) 
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) 
Exception rethrown at [0]: 
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) 
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) 
    at Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) 
    at Integration.ServiceClient.TestServiceClient.ServiceWsClient.Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 994 
    at Integration.ServiceClient.TestServiceClient.ServiceWsClient.notify(Int64 idNotification) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 1000 
    at Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding() in C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs:line 212 
Result Message: 
Test method Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding threw exception: 
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#str_RLjzz112Lwz91VZF' URI in the signature to compute the digest. 

The URI is, however, present in the SecurityTokenReference tag inside the Signature > KeyInfo tag. Any idea why this reference is not found during signature validation, and what can be done to fix this error?
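Before going to the answer, a triage step that makes the failure concrete. The script below is added here as an example and is not code from the question or the answer; it uses only Python's standard library, and the message it runs on is a constructed, shortened copy of the response above (the ids Body_1 and str_1, the dangling #missing_1 and the element names are assumptions made for the demonstration). For every ds:Reference in SignedInfo it checks whether the URI maps to an element carrying that wsu:Id or Id, names the target element, lists the transforms, and flags references that go through the WSS STR-Transform. Run against the real response it separates the two cases the error message lumps together: an id that is genuinely absent, and the case seen here, where #str_RLjzz112Lwz91VZF does exist on the SecurityTokenReference in KeyInfo but is referenced through the STR-Transform, a transform the WCF WS-Security stack does not implement (a known interop limitation). It also reports ids that occur more than once, since a duplicated wsu:Id makes id-based dereferencing ambiguous and is the classic precondition for signature wrapping.

```python
"""Added triage helper (not from the post): audit ds:Reference URIs in a WS-Security header."""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed, shortened message in the shape of the WebLogic response above.
# The ids (Body_1, str_1) and the deliberately dangling '#missing_1' are made up.
SAMPLE_RESPONSE = """<S:Envelope xmlns:S="{s}">
  <S:Header>
    <wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" S:mustUnderstand="1">
      <ds:Signature xmlns:ds="{ds}">
        <ds:SignedInfo>
          <ds:Reference URI="#Body_1">
            <ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms>
            <ds:DigestMethod Algorithm="{sha256}"/><ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#str_1">
            <ds:Transforms>
              <ds:Transform Algorithm="{strt}">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="{c14n}"/>
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="{sha256}"/><ds:DigestValue>BBBB</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#missing_1">
            <ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms>
            <ds:DigestMethod Algorithm="{sha256}"/><ds:DigestValue>CCCC</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>xlVJb...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="str_1">
            <wsse:KeyIdentifier>h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body xmlns:wsu="{wsu}" wsu:Id="Body_1"><notifyResponse/></S:Body>
</S:Envelope>""".format(c14n=EXC_C14N, strt=STR_TRANSFORM, sha256=SHA256, **NS)


def index_ids(root):
    """Map every wsu:Id / Id value to its element and collect values seen more than once."""
    ids, dupes = {}, set()
    for el in root.iter():
        for key in (WSU_ID, "Id"):
            value = el.get(key)
            if value is None:
                continue
            if value in ids:
                dupes.add(value)  # ambiguous target: classic signature-wrapping precondition
            else:
                ids[value] = el
    return ids, dupes


def audit_references(xml_text):
    """Return (one dict per ds:Reference in SignedInfo, set of duplicated ids)."""
    root = ET.fromstring(xml_text)
    ids, dupes = index_ids(root)
    report = []
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        # Only same-document references ('#id') are dereferenced; anything else stays unresolved.
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        transforms = [t.get("Algorithm") for t in ref.iterfind("ds:Transforms/ds:Transform", NS)]
        report.append({
            "uri": uri,
            "resolves": target is not None,
            "target": target.tag.rsplit("}", 1)[-1] if target is not None else None,
            "transforms": transforms,
            "str_transform": STR_TRANSFORM in transforms,
        })
    return report, dupes


if __name__ == "__main__":
    refs, dupes = audit_references(SAMPLE_RESPONSE)
    for r in refs:
        status = "ok" if r["resolves"] else "UNRESOLVED"
        if r["str_transform"]:
            status += " (reached via STR-Transform)"
        print(f"{r['uri']:<12} -> {str(r['target']):<24} {status}")
    if dupes:
        print("duplicate ids:", sorted(dupes))
```

Read an "UNRESOLVED" line for an id that the index does contain as a limitation of the verifying stack rather than a malformed message; in that situation the fix lies in what the service signs (the token reference) or in the client stack, not in the ids themselves.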

Answer

0

Please note:

You cannot use CertificateOverTransport and sign the message body.

WCF will not allow this if you do.

In that case try MutualCertificateDuplex and change your protection level to none (ProtectionLevel.None) if you are not interested in signing the response.

If that does not work, try adding this WCF custom binding:

<customBinding> 
     <binding name="NewBinding0"> 
      <textMessageEncoding messageVersion="Soap11" /> 
      <security authenticationMode="MutualCertificateDuplex" includeTimestamp="false" 
       messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"> 
       <secureConversationBootstrap /> 
      </security> 
      <httpTransport /> 
     </binding> 
</customBinding> 

This allows your certificate to be digested properly.
