I have an ASMX web service (SOAP 1.1) that requires every SOAP request to be signed with a certificate (private key) using WS-Security.
When the ASMX service receives a request, it authenticates it with the certificate's public key. After the operation completes, the response returned to the client is NOT signed!
That is the security requirement...
I created the proxy via "Add Service Reference", and this is the client's app.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint
        name="endpoint1"
        address="http://1.1.1.1/Test.asmx"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_ITest"
        behaviorConfiguration="TestBehavior"
        contract="ITest" >
      </endpoint>
    </client>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ITest">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="TestBehavior">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine" storeName="My"
              x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
Given the scenario I described:
1. Am I using the correct binding?
2. Should the clientCredentialType value be "Certificate" or "None"?
3. Is the "serviceCertificate" tag required?
4. What is the correct configuration for my scenario?
5. If you know of useful links relevant to my scenario, please share them.
Thanks in advance :)
Edit #1:
Request:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action>
<wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<wsa:Address>http://.../TestOperation</wsa:Address>
</wsa:To>
<wsse:Security soap:mustUnderstand="1" >
<wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
...
</soap:Body>
</soap:Envelope>
Response:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>http://.../TestOperationResponse</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80">
<wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<Response>
...
</Response>
</soap:Body>
</soap:Envelope>
Edit #2:
Generated request:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action>
<a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID>
<a:ReplyTo u:Id="_4">
<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData>
<a:To soap:mustUnderstand="1" u:Id="_5">
<a:Address>http://1.1.1.1/Test.asmx</a:Address>
</a:To>
<o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<u:Created>2002-08-22T00:26:15Z</u:Created>
<u:Expires>2002-08-22T00:31:15Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</soap:Header>
<soap:Body u:Id="_1">
...
</soap:Body>
</soap:Envelope>
The problems with this request are the following:
- Id format: Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800" (ASMX proxy) vs. Id="_2" (WCF proxy)
- The presence of the "VsDebuggerCausalityData" tag. How can I get rid of it?
- Timestamp Id format: Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" (ASMX proxy) vs. Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1" (WCF proxy)
- The "Created" and "Expires" tags of the Timestamp have no Id attribute.
- BinarySecurityToken Id format: Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" (ASMX proxy) vs. Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" (WCF proxy)
Error that occurs when calling the ASMX service:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>
System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'.
at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient)
at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline()
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
</faultstring>
<faultfactor>http://1.1.1.1/Test.asmx</faultfactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
I think the problem is on the server side, because the 'xxx' findValue is associated with the server rather than with the client certificate. How can I fix this?
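Added example, not the poster's code and not a verified fix: the same scenario expressed as a programmatic WCF custom binding instead of wsHttpBinding, so that each setting maps to one of the questions above (sign-only body, signed timestamp, client certificate from the store, service certificate, unsigned reply). Assumed: the ITest shape and action URI are placeholders for the generated contract, the thumbprint and service certificate are passed in, and EnableUnsecuredResponse (.NET Framework 3.5 SP1 and later) is what lets the client accept the unsigned reply.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;

// Hypothetical stand-in for the contract generated by "Add Service Reference".
// ProtectionLevel.Sign: sign the body but never encrypt it (the WSE3 sign-only shape).
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface ITest
{
    [OperationContract(Action = "http://example.invalid/TestOperation")] // assumed action URI
    string TestOperation(string input);
}

public static class SignedRequestClient
{
    public static Binding CreateBinding()
    {
        // WS-Security 1.0 + X.509 token profile, no secure conversation:
        // the message shape a WSE3 mutualCertificate10 assertion accepts.
        var security = SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        security.IncludeTimestamp = true;         // signed <wsu:Timestamp>, as in the ASMX request
        security.EnableUnsecuredResponse = true;  // accept a reply that carries no signature
        // Caveat: with EnableUnsecuredResponse the reply has no WS-Security integrity
        // protection, so it is only as trustworthy as the transport it arrives on.

        // SOAP 1.1 with WS-Addressing August 2004, matching the captured envelopes.
        var encoding = new TextMessageEncodingBindingElement(
            MessageVersion.Soap11WSAddressingAugust2004, Encoding.UTF8);
        return new CustomBinding(security, encoding, new HttpTransportBindingElement());
    }

    public static ChannelFactory<ITest> CreateFactory(
        string address, string clientThumbprint, X509Certificate2 serviceCertificate)
    {
        var factory = new ChannelFactory<ITest>(CreateBinding(), new EndpointAddress(address));

        // Same store lookup as the <clientCertificate> element in app.config (signing key).
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);

        // The service's public certificate (the <serviceCertificate> element): WCF's
        // asymmetric binding requires it even though the reply comes back unsigned.
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCertificate;
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory;
    }
}
```

Whether the WSE3 side accepts the `_1`/`uuid-...` style wsu:Id values is decided by its policy assertion, not by this binding; the fault text in the question (WSE2012, multiple matching certificates for the server's find value) is raised before any signature is checked.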