使用C#将签名的SOAP消息创建为字符串
我需要调用web服务,我必须使用C#发送这样的soap请求。SoapBody和TimeStamp必须签署。
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://xyzt.com/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-F4AF9673207AC5E0B614180667985061">MIIFsDCCBawwggSUoAMCAQICBgCaWhnEajANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJUUjFNMEsGA1UEAwxETWFsaSBNw7xow7xyIEVsZWt0cm9uaWsgU2VydGlmaWthIEhpem1ldCBTYcSfbGF5xLFjxLFzxLEgLSBTw7xyw7xtIDEwHhcNMT</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soap web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>IZVrIpPCxiPcvyVOVv/d4nRPZWM=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse soap web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>fltghgDztDtuVQX7y4t0ZJxAnxE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>IOVXxBTp053aNJMbQj+VTiBblZ63peyJ1vWazKmEWNxN7RaeFfKELoxede8xQEqzSaB/u8exC7LLGYiEdChboVCf9liLMN4MmNj5JR6gfDrsL3azThf5hxLQ+WIE20PRoU6ozpp20zC1IaO3IU4ZaRLw</ds:SignatureValue>
<ds:KeyInfo Id="KI-F4AF9673207AC5E0B614180667986422">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-F4AF9673207AC5E0B614180667986643" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-F4AF9673207AC5E0B614180667985061" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2014-12-08T21:26:36.191Z</wsu:Created>
<wsu:Expires>2014-12-08T21:36:36.191Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="id-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<web:getStatus>
<itemID>1234567</itemID>
</web:getStatus>
</soap:Body>
</soap:Envelope>我创建了这个soap请求,并通过使用带有私钥证书的WCF客户端CustomBinding和.pfx文件获得了良好的响应。
有关签名soap消息的大多数示例都使用证书存储区或pfx文件中的证书。但是在我的场景中,存储在智能卡上的用户证书(带有私钥)不能导出证书私钥。因此,在这种情况下,我不能使用WCF CustomBinding,也不能使用SignedXml类来签名SOAP消息,因为当我尝试通过编程获得证书时,私钥就会丢失。(我还通过使用NCryptoki - PKCS包装器获得私钥,但这种私钥类型与我无法为WCF客户端或SignedXmlClass私钥设置的密钥类型不同。)
因此,我尝试将此SOAP消息创建为字符串,并使用智能卡手动创建DigestValues、BinarySecurityToken和SignatureValue。
我可以将BinarySecurityToken值计算为:
var certificate = GetX5092Certificate(); // X5092 certificate on smart card without private key
string binarySecToken= Convert.ToBase64String(certificate.RawData);此外,我还有一些代码可以计算摘要值,如下所示:
byte[] dataToHashTS = Encoding.UTF8.GetBytes(TimeStampReference.OuterXml);
XmlDsigExcC14NTransform transformDataTS = new XmlDsigExcC14NTransform("wsse soap web");
transformDataTS.LoadInput(new MemoryStream(dataToHashTS));
byte[] bDigestDataTS = transformDataTS.GetDigestedOutput(SHA1Managed.Create());
string sDigestDataTS = Convert.ToBase64String(bDigestDataTS); //timestamp digest- 我不确定我是否计算摘要值对不对?
- 要计算SignatureValue,我想我需要得到SignedInfo部件的散列。我有用智能卡对内容(字节数组)进行签名的方法。那么我如何将SignedInfo内容发送到这个方法呢?我的意思是,将SignedInfo块的散列作为字符串就足够了吗?或者让SignedInfo作为XmlElement,然后像计算摘要值那样转换+哈希?
任何帮助都将不胜感激。谢谢。
回答 1
Stack Overflow用户
发布于 2016-06-23 03:40:47
- 对于需要使用的DigestValue,您需要规范化如下所示的字符串:
<u:Timestamp u:Id="\_0" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <u:Created>2016-06-14T22:56:10.896Z</u:Created> <u:Expires>2016-06-14T23:01:10.896Z</u:Expires> </u:Timestamp>
因此,您可以将该字符串作为参数放在这里:
private string CanonicalizeDsig(string input)
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = false;
try
{
doc.LoadXml(input);
XmlDsigC14NTransform trans = new XmlDsigC14NTransform();
trans.LoadInput(doc);
String c14NInput = new StreamReader((Stream)trans.GetOutput(typeof(Stream))).ReadToEnd();
return c14NInput;
}
catch (Exception ex)
{
return String.Empty;
}
}在规范化之后,您现在可以计算哈希:(我的是一个SHA1示例)。因此,将上述方法的返回值放在这个方法的参数上。得到类似于JCMdwz5g8iq05Lj6tjfDOxKqT4k=的东西
private string ComputeHashSHA1(string input)
{
try
{
SHA1CryptoServiceProvider sha1Hasher = new SHA1CryptoServiceProvider();
byte[] hashedDataBytes = sha1Hasher.ComputeHash(Encoding.UTF8.GetBytes(input));
string digestValue = Convert.ToBase64String(hashedDataBytes);
return digestValue;
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
return String.Empty;
}
}- 签名值是一个棘手的值,我只能介绍一个具体的例子。如果有类似于以下内容的策略,请检查服务的WSDL。
这意味着您需要将客户端熵(这是您的密钥--根据get令牌请求发送到服务器的任何基于64的字符串)和服务器熵(返回基64键)组合在一起。
在有Microsoft.IdentityModel对象的情况下,可以使用KeyGenerator dll组合它们。
您的输入将类似于此,它还需要使用DsigExcC14N进行规范化:
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <Reference URI="#\_0"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>JCMdwz5g8iq05Lj6tjfDOxKqT4k=</DigestValue> </Reference> </SignedInfo>
这里是规范化:
private string CanonicalizeExc(string input)
{
XmlDocument doc = new XmlDocument();
doc.PreserveWhitespace = false;
try
{
doc.LoadXml(input);
XmlDsigExcC14NTransform trans = new XmlDsigExcC14NTransform();
trans.LoadInput(doc);
String c14NInput = new StreamReader((Stream)trans.GetOutput(typeof(Stream))).ReadToEnd();
return c14NInput;
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
return String.Empty;
}
}下面是如何获得签名值:
private string ComputeHMACSHA1_PSHA(string input, string serversecret, string clientsecret)
{
try
{
byte[] signedInfoBytes = Encoding.UTF8.GetBytes(input);
byte[] binarySecretBytesServer = Convert.FromBase64String(serversecret);
byte[] binarySecretBytesClient = Convert.FromBase64String(clientsecret);
byte[] key = KeyGenerator.ComputeCombinedKey(binarySecretBytesClient, binarySecretBytesServer, 256);
HMACSHA1 hmac = new HMACSHA1(key);
hmac.Initialize();
byte[] hmacHash = hmac.ComputeHash(signedInfoBytes);
string signatureValue = Convert.ToBase64String(hmacHash);
return signatureValue;
}
catch (Exception ex)
{
return string.Empty;
}
}它会给你这样的东西。kykmlowWIW4TXRcCi46OfZPUBKQ=
https://stackoverflow.com/questions/27367034
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号