I have done some research on this but could not find a suitable solution. Why does my SOAP request require so many Reference URIs? The SOAP Body I send must be signed with the private key and encrypted with the public key.
My outgoing SOAP has a few additional elements:
1) an additional EncryptedData node; 2) additional, unreferenced Reference URIs inside the Signature.
<o:Security>
<!-- BinarySecurityToken 1 -->
<!-- BinarySecurityToken 2 -->
<!-- UsernameToken -->
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c91ddd2c-e452-4616-b443-b58c919bcace-6" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>Wp9slJCs7umXjsMi6diTRB+cSLIADY8RyeNmym7MkfYVxDmP5FIKXwyIV8e7IbLlJEKBUqgIQbYTtwNej7E1PfoD+vI64rOTyxbIhgZ/icnoAIQFJ/Mwuwq60hJhjpfC9m2Ll/S+JsWfg+0Njl+gpYzaECLYeSGEJND6CmbKTUY=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
<e:DataReference URI="#_7" /> <!-- Not needed. Only #_2, which references the Body, is needed -->
</e:ReferenceList>
</e:EncryptedKey>
<!-- Not needed -->
<e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1"> <!-- Needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
</Reference>
<Reference URI="#_3"> <!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>r9QXAfEWv2UhmnjzIXyoyHVy9wQ=</DigestValue>
</Reference>
<Reference URI="#_4"> <!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>5JI25GEJj/63MQB6j2P2uiFTwe0=</DigestValue>
</Reference>
<Reference URI="#_5"> <!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>dRaV5csLUbHL6k4X97njcIkwp5k=</DigestValue>
</Reference>
<Reference URI="#_6"> <!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>3c80pnhYcV2BcsEsduxDdQ6z2q0=</DigestValue>
</Reference>
<Reference URI="#uuid-131924a6-ba69-4a84-8786-cdbacfe2f79a-2"> <!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>1fvCyhzU3bILTCoFB8xUnQtP2wA=</DigestValue>
</Reference>
<Reference URI="#uuid-c91ddd2c-e452-4616-b443-b58c919bcace-5"> <!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>LihjfykAPG4wv/HsoKZXjuJ4Eq0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>removed</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c91ddd2c-e452-4616-b443-b58c919bcace-7" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
This is the custom binding:
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Builds the custom binding used for the outgoing request (method wrapper added around the posted body).
static CustomBinding CreateVendorBinding()
{
    // Mutual certificate: client signs with its private key, encrypts for the recipient's public key
    AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
    secBE.AllowSerializedSigningTokenOnReply = false;
    secBE.RequireSignatureConfirmation = true;
    secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
    secBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
    x509ProtectionParameters.RequireDerivedKeys = false;
    x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
    x509ProtectionParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
    x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
    secBE.InitiatorTokenParameters = x509ProtectionParameters;
    secBE.RecipientTokenParameters = x509ProtectionParameters;
    secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
    // Extra endpoint supporting token: this adds a second BinarySecurityToken that is signed and encrypted
    secBE.EndpointSupportingTokenParameters.SignedEncrypted.Add(new X509SecurityTokenParameters());
    // CustomTextMessageBindingElement is the custom text encoder from the WCF samples, not a framework type
    CustomTextMessageBindingElement enc = new CustomTextMessageBindingElement();
    HttpsTransportBindingElement b = new HttpsTransportBindingElement();
    b.RequireClientCertificate = true;
    CustomBinding be = new CustomBinding();
    be.Elements.Add(secBE);
    be.Elements.Add(enc);
    be.Elements.Add(b);
    return be;
}
Part of the SOAP sample from the vendor. As I understand it, only the Body is signed and encrypted.
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wRUq.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
Edited to show the custom EncryptedData and Signature elements:
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Encrypts the content of the SOAP Body with the symmetric key ts and replaces it with an
// EncryptedData element carrying Id=encdataId. elementToEncrypt is unused: the XPath below
// always selects the Body (nsmgr must map the "s" prefix to the SOAP envelope namespace).
public static void Encrypt(XmlDocument xmlDoc, string elementToEncrypt, SymmetricAlgorithm ts, XmlNamespaceManager nsmgr, string encdataId)
{
    XmlNode elementsToEncrypt = xmlDoc.DocumentElement.SelectSingleNode("/s:Envelope/s:Body", nsmgr);
    XmlElement xmlElementToEncrypt = (XmlElement)elementsToEncrypt;
    EncryptedXml encryptedXml = new EncryptedXml();
    // content = true: encrypt the Body's children, not the Body element itself
    byte[] encryptedElement = encryptedXml.EncryptData(xmlElementToEncrypt, ts, true);
    System.Security.Cryptography.Xml.EncryptedData encryptedData = new System.Security.Cryptography.Xml.EncryptedData();
    encryptedData.Id = encdataId;
    // Content was encrypted, so the Type is #Content (as in the vendor sample), not #Element
    encryptedData.Type = EncryptedXml.XmlEncElementContentUrl;
    encryptedData.EncryptionMethod =
        new System.Security.Cryptography.Xml.EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl);
    // The CipherValue is the ciphertext produced above
    CipherData cd = new CipherData();
    cd.CipherValue = encryptedElement;
    encryptedData.CipherData = cd;
    // Replace the Body content (content = true) with the EncryptedData element
    EncryptedXml.ReplaceElement(xmlElementToEncrypt, encryptedData, true);
}

public void SignSoapBody(XmlDocument xmlDoc, XmlNode xmlnodeEncKey, string encdataId)
{
    // GetCertificateFromStore is a helper not shown here; it loads the signing certificate by subject name
    X509Certificate2 cert = GetCertificateFromStore("LMWARD");
    // *** Signed XML will create Xml Signature - Xml fragment
    SignedXml signedXml = new SignedXml(xmlDoc);
    signedXml.SigningKey = cert.PrivateKey;
    // *** Create a KeyInfo structure (this emits X509Data, not a SecurityTokenReference)
    KeyInfo keyInfo = new KeyInfo();
    KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
    keyInfoData.AddCertificate(cert);
    keyInfo.AddClause(keyInfoData);
    signedXml.KeyInfo = keyInfo;
    // Inclusive C14N for SignedInfo (the vendor sample uses exclusive C14N)
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigC14NTransformUrl;
    // *** Now create reference to sign: Point at the Body element
    Reference reference = new Reference();
    reference.Uri = "#" + encdataId; // reference id=body section in same doc
    reference.AddTransform(new XmlDsigExcC14NTransform()); // required to match doc
    signedXml.AddReference(reference);
    // *** Finally create the signature
    signedXml.ComputeSignature();
    XmlElement signedElement = signedXml.GetXml();
    // Wraps the signature's children in a Signature element in the wsse namespace
    XmlNode SignatureNode = xmlDoc.CreateNode(XmlNodeType.Element, "Signature", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    SignatureNode.InnerXml = signedElement.InnerXml;
    // *** And add our signature as content, right after the EncryptedKey node
    XmlNode commonParent = xmlnodeEncKey.ParentNode;
    commonParent.InsertAfter(SignatureNode, xmlnodeEncKey);
}
Actually, the EncryptData method encrypts the SOAP Body and adds the reference Id. I need help with SignSoapBody(...): I need a SecurityTokenReference inside the KeyInfo element, and also a different canonicalization algorithm. It does not write what I need at all. See above for how the request should look.
This is what actually gets written into the signature (my code generates the following signature):
<Signature xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#635077936132736291">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>NUOpt38t11pdL0wAPiyFthhYM9Q=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">kNXiSoBMOeEuoKhUQzuJddNzPrSGxFZIyj0QIp0ngmEbUwQXP25loZBKtX6QB/l913ZX5PGgU7IwCsVjuiCluqqtEGEy7V03gqSKpY+Iz45Md+kyazrfDXDVnPNIZKN8p8K+0QhJmqWA0r1K/sjyYldNiJJd8d12gIRPtDEVGPU=</SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
Edit 06/26:
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="fgsgsd2cc312a052f-6" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
<e:DataReference URI="#_3" /> <!-- NOT NEEDED -->
</e:ReferenceList>
</e:EncryptedKey>
<!-- NOT NEEDED -->
<e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<e:CipherData>
Thanks, San
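As an added example (not the question's own code and not the vendor's), here is how plain SignedXml can be made to produce the signature shape of the vendor sample above: exclusive C14N, a single Reference to the Body, and a wsse:SecurityTokenReference inside KeyInfo instead of X509Data. The sample envelope, the ids Id-demo-body and SecurityToken-demo, the RSA key and the token content are constructed placeholders; the WsuSignedXml class and its SignBody/VerifyBody methods are this example's own names. The GetIdElement override is the part most often missed: SignedXml resolves only plain Id attributes, so a Reference to a wsu:Id fails unless the lookup is extended.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example: SignedXml subclass for WS-Security style signatures.
public class WsuSignedXml : SignedXml
{
    public const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    public WsuSignedXml(XmlDocument doc) : base(doc) { }

    // SignedXml only resolves plain Id/id/ID attributes for Reference URI="#...";
    // WS-Security ids live in the wsu namespace, so resolve those as well.
    // Used by both ComputeSignature and CheckSignature.
    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null) return found;
        if (idValue.IndexOf('\'') >= 0) return null; // keep the XPath literal intact
        XmlNamespaceManager ns = new XmlNamespaceManager(document.NameTable);
        ns.AddNamespace("wsu", WsuNs);
        return document.SelectSingleNode("//*[@wsu:Id='" + idValue + "']", ns) as XmlElement;
    }

    // Signs the element with wsu:Id=bodyId and appends ds:Signature to wsse:Security.
    // tokenId is the wsu:Id of the BinarySecurityToken already present in the header.
    public static XmlElement SignBody(XmlDocument doc, RSA signingKey, string bodyId, string tokenId)
    {
        WsuSignedXml sx = new WsuSignedXml(doc);
        sx.SigningKey = signingKey;
        // Algorithms copied from the vendor sample; SHA-1 and RSA PKCS#1 v1.5 are legacy
        // and belong only where the peer requires them.
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;

        Reference bodyRef = new Reference("#" + bodyId);
        bodyRef.AddTransform(new XmlDsigExcC14NTransform());
        bodyRef.DigestMethod = SignedXml.XmlDsigSHA1Url;
        sx.AddReference(bodyRef);

        // KeyInfo/wsse:SecurityTokenReference/wsse:Reference, wrapped as a KeyInfoNode.
        XmlElement str = doc.CreateElement("wsse", "SecurityTokenReference", WsseNs);
        XmlElement tokenRef = doc.CreateElement("wsse", "Reference", WsseNs);
        tokenRef.SetAttribute("URI", "#" + tokenId);
        tokenRef.SetAttribute("ValueType", X509v3);
        str.AppendChild(tokenRef);
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoNode(str));
        sx.KeyInfo = keyInfo;

        sx.ComputeSignature();
        // GetXml() already yields ds:Signature in the xmldsig namespace: import it whole
        // instead of copying InnerXml into a differently namespaced element.
        XmlElement sig = (XmlElement)doc.ImportNode(sx.GetXml(), true);
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsse", WsseNs);
        doc.SelectSingleNode("//wsse:Security", ns).AppendChild(sig);
        return sig;
    }

    // Receiver side: verify with a key the caller trusts (obtained from the referenced token
    // after validating that certificate), and insist that the signature covers the Body.
    public static bool VerifyBody(XmlDocument doc, RSA trustedKey, string bodyId)
    {
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        XmlElement sig = doc.SelectSingleNode("//ds:Signature", ns) as XmlElement;
        if (sig == null) return false;
        WsuSignedXml sx = new WsuSignedXml(doc);
        sx.LoadXml(sig);
        bool coversBody = false;
        foreach (Reference r in sx.SignedInfo.References)
            if (r.Uri == "#" + bodyId) coversBody = true;
        return coversBody && sx.CheckSignature(trustedKey);
    }

    public static void Main()
    {
        // Constructed envelope; the token text stands in for Convert.ToBase64String(cert.RawData).
        const string envelope =
            "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Header>" +
            "<wsse:Security xmlns:wsse=\"" + WsseNs + "\" xmlns:wsu=\"" + WsuNs + "\">" +
            "<wsse:BinarySecurityToken wsu:Id=\"SecurityToken-demo\" ValueType=\"" + X509v3 + "\">" +
            "PLACEHOLDER</wsse:BinarySecurityToken></wsse:Security></s:Header>" +
            "<s:Body xmlns:wsu=\"" + WsuNs + "\" wsu:Id=\"Id-demo-body\">" +
            "<Ping xmlns=\"urn:example:demo\">hello</Ping></s:Body></s:Envelope>";
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true; // keep canonicalization stable across reloads
        doc.LoadXml(envelope);
        using (RSA key = RSA.Create()) // throwaway demo key
        {
            SignBody(doc, key, "Id-demo-body", "SecurityToken-demo");
            Console.WriteLine(doc.OuterXml);
            Console.WriteLine("verifies: " + VerifyBody(doc, key, "Id-demo-body"));
            // Any change to the signed Body must break verification.
            doc.SelectSingleNode("//*[local-name()='Ping']").InnerText = "tampered";
            Console.WriteLine("after tamper: " + VerifyBody(doc, key, "Id-demo-body"));
        }
    }
}
```

Two points worth noting against the question's SignSoapBody: the Signature element is taken from GetXml() and imported as-is, so it stays in the xmldsig namespace with the standard SignedInfo/SignatureValue/KeyInfo layout, and the Reference points at the Body's wsu:Id rather than at the EncryptedData Id. On the receiving side, VerifyBody refuses a signature whose References do not include the Body, which is the check that makes extra or missing References (the subject of the question) visible instead of silently accepted.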