Xml WCF服务异常:{“无法解析主题密钥标识符”}
我正在尝试使用WCF框架与服务通信。我唯一可用的安全信息是:Xml WCF服务异常:{“无法解析主题密钥标识符”},xml,wcf,soap,wcf-security,ws-security,Xml,Wcf,Soap,Wcf Security,Ws Security,我正在尝试使用WCF框架与服务通信。我唯一可用的安全信息是: 密钥标识符类型:二进制安全令牌/X.509证书 签名算法: 签名规范化: 摘要算法: 该证书是一个带有私钥的P12证书,在本地计算机根密钥存储中导入 我在SoapUI中获得了一个成功的事务,并且我成功地获得了Soap XML消息: SoapUI消息: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="*
- 密钥标识符类型:二进制安全令牌/X.509证书
- 签名算法:
- 签名规范化:
- 摘要算法:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="*removed*">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-*removed*">*removed*</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-37" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenv urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-36">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="urn" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>*removed*</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
*removed*
</ds:SignatureValue>
<ds:KeyInfo Id="KI-*removed*">
<wsse:SecurityTokenReference wsu:Id="STR-*removed*">
<wsse:Reference URI="#X509-*removed*" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-36" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!--Not important-->
</soapenv:Body>
</soapenv:Envelope>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>*removed*</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>*removed*</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">*removed*</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<!--Not important-->
</s:Body>
</s:Envelope>
更多信息。感谢您的快速回复。我确实使用了你关于常见陷阱的非常有用的博客;)。我已正确设置了Sign protectionlevel,并尝试了您与httpsTransport的customBinding,这导致了另一个异常:“找不到'System.IdentityModel.Tokens.X509SecurityToken'令牌类型的令牌验证器。根据当前安全设置,无法接受该类型的令牌。”尽管我的绑定现在被设置为你帖子中提到的最后一个陷阱。查看这篇帖子谢谢你的快速回复。我确实使用了你关于常见陷阱的非常有用的博客;)。我已正确设置了Sign protectionlevel,并尝试了您与httpsTransport的customBinding,这导致了另一个异常:“找不到'System.IdentityModel.Tokens.X509SecurityToken'令牌类型的令牌验证器。根据当前安全设置,无法接受该类型的令牌。”即使我的绑定现在被设置为你文章中提到的最后一个陷阱。检查这篇文章
<identity>
<dns value="*IPv4-address*" />
</identity>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="*IPv4-address*" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root"/>
<serviceCertificate>
<defaultCertificate findValue="*IPv4-address*" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root"/>
</serviceCertificate>
</clientCredentials>
</behavior>
var asymmetricSecurityBindingElement = new AsymmetricSecurityBindingElement();
asymmetricSecurityBindingElement.InitiatorTokenParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never };
asymmetricSecurityBindingElement.RecipientTokenParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Never };
asymmetricSecurityBindingElement.IncludeTimestamp = false;
CustomBinding customBinding = new CustomBinding();
customBinding.Elements.Add(asymmetricSecurityBindingElement);
customBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
httpsBindingElement.RequireClientCertificate = true;
customBinding.Elements.Add(httpsBindingElement);
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="MutualCertificate" includeTimestamp="false"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpTransport />
</binding>
</customBinding>
[System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]