I generated server.jks and client.jks with keytool, imported the cer exported from server.jks into client.jks and the cer exported from client.jks into server.jks, then used the JKS2PFX tool to convert server.jks and client.jks into .NET pfx files successfully.
I also imported them into the Local Computer store through MMC successfully.
Problem: in the server certificate select panel I cannot select the installed certificate, but in the client certificate select panel I can.
Does anyone know why?
I followed this blog post step by step:
http://www.searchsoa.com.cn/showcontent_1531.htm
Because what you configured is the client.
I am using WSE 3.0 as a client to call a Java web service that requires authentication and encrypted data transfer. Thanks.
@cwcls: You can generate a WCF-based service proxy client by adding a service reference.
@Launcher: But this exception appeared:
Security requirements are not satisfied because the security header is not present in the incoming messag
@cwcls: I won't translate that into Chinese. Here is what I need you to do now, because I don't have such a service here and cannot analyze the request: download the SoapUI tool and paste the request and response of a call that works.
@Launcher: Thank you very much for the reply. With Java as the client I can call it correctly. Here are the request and response XML:
Request:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="microsoft.web.services3" type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<section name="SAFPWebService.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</sectionGroup>
</configSections>
<appSettings>
<add key="username" value="safp" />
<add key="password" value="123456" />
</appSettings>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0" />
</startup>
<applicationSettings>
<SAFPWebService.Properties.Settings>
<setting name="SAFPWebService_CivilWebService_CivilAccountWebService" serializeAs="String">
<value>http://192.168.1.254:8080/acms/services/CivilAccount</value>
</setting>
<setting name="SAFPWebService_EpassWebService_EpassAccountWebService" serializeAs="String">
<value>http://192.168.1.254:8080/acms/services/EpassAccount</value>
</setting>
</SAFPWebService.Properties.Settings>
</applicationSettings>
<microsoft.web.services3>
<policy fileName="wse3policyCache.config" />
<diagnostics>
<trace enabled="true" input="InputTrace.xml" output="OutputTrace.xml" />
</diagnostics>
<security>
<x509 skiMode="ThumbprintSHA1" verifyTrust="true" allowTestRoot="true" />
</security>
</microsoft.web.services3>
</configuration>
wse3policyCache.config
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="CustomSecurityAssertion" type="SAFPWebService.CustomSecurityAssertion, SAFPWebService" />
<extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="username" type="Microsoft.Web.Services3.Design.UsernameTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="mutualCertificate10Security" type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="ClientPolicy">
<mutualCertificate10Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
<clientToken>
<x509 verifyTrust="false" storeLocation="LocalMachine" storeName="My" findValue="CN=ACMS-CLIENT, OU=SAFP, O=SAFP, L=Macau, S=Macau, C=MO" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 verifyTrust="false" storeLocation="LocalMachine" storeName="AddressBook" findValue="CN=ACMS-SERVER, OU=SAFP, O=SAFP, L=Macau, S=Macau, C=MO" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate10Security>
<requireActionHeader />
</policy>
</policies>
Thanks again ^_^
@cwcls: Also paste the request and response made with the WCF client.
@cwcls: Let me ask: do you have to use the old ASP.NET Web Service technology to implement your client?
@Launcher: I don't know how to implement a client in WCF. I implemented it with WSE 3.0. What I actually want to achieve is this: the web service back end is Java with WSS4J, with UsernameToken authentication and data encryption/decryption.
Can WCF easily work with the old .NET web service implementation?
The WSE request XML:
<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="2014-7-21 02:21:08" messageId="urn:uuid:1c80859a-2c4f-4ef4-ba73-97fd6df27048">
<processingStep description="Unprocessed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<isLoginNameExisted xmlns="http://epms.safp.gov.mo/">
<loginName xmlns="">test</loginName>
</isLoginNameExisted>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.MutualCertificate10Assertion+ClientOutputFilter" />
<processingStep description="Exited SOAP filter Microsoft.Web.Services3.Design.MutualCertificate10Assertion+ClientOutputFilter" />
<processingStep description="Processed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-97afd741-b3da-4eb4-b641-6dea61c5df4f">
</wsa:Action>
<wsa:MessageID wsu:Id="Id-d86c37bf-6d1c-4817-9005-0381f107c363">urn:uuid:1c80859a-2c4f-4ef4-ba73-97fd6df27048</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-2e90969a-c177-4b52-a6c6-eb375cefc479">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-0bd37501-669a-4ceb-8b78-1e89e786ae70">http://192.168.1.254:8080/acms/services/EpassAccount</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-e9b72f85-6be9-4b8c-85e0-c35455443ec6">
<wsu:Created>2014-07-21T02:21:08Z</wsu:Created>
<wsu:Expires>2014-07-21T02:26:08Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-ffaec356-e34f-4338-8fa0-e9b4ab017fcc">...</wsse:BinarySecurityToken>
<xenc:EncryptedKey Id="SecurityToken-b1e80aad-45f5-4c7c-9ae5-b714a6c97798" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=ACMS-SERVER, OU=SAFP, O=SAFP, L=Macau, S=Macau, C=MO</X509IssuerName>
<X509SerialNumber>1405650838</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>lI6Oqc+bPDcx90OV7E/Zc07pCLcJEuQ5zF2lrxY0gMYasquSP/+kBv7eOEMqZWXtJrMYYAXByvDD7v2THbHQmlV6p0wCeLKezg9Rqs3EyiC0YYsdCn1t5ICIg12BMYCKqMmt1k2GfRFaAop9R8mPj6dZBScUvf0+rsN0gcNuVIw=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-14e5f8f4-7887-4289-91fd-edfe2a6807e3" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-97afd741-b3da-4eb4-b641-6dea61c5df4f">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>aOm+tZHizz2WVgrM1t+CH20wEe4=</DigestValue>
</Reference>
<Reference URI="#Id-d86c37bf-6d1c-4817-9005-0381f107c363">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>yBObJIZxfg3CpGW5ZMAcaftZNCI=</DigestValue>
</Reference>
<Reference URI="#Id-2e90969a-c177-4b52-a6c6-eb375cefc479">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>Hxs//lnhJfHO+X6wOy009Kdxq8I=</DigestValue>
</Reference>
<Reference URI="#Id-0bd37501-669a-4ceb-8b78-1e89e786ae70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>u1kZ1Fg6/2iGq5TMvY6+EYQ3MGg=</DigestValue>
</Reference>
<Reference URI="#Timestamp-e9b72f85-6be9-4b8c-85e0-c35455443ec6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>XyjxUmfHPDIgM5HmTeNmzDZCq6o=</DigestValue>
</Reference>
<Reference URI="#Id-3807ec02-b17e-478c-afc6-f8a14e513e44">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>WWyU/+p9YrG754IfPrugkadcBAs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>EYIdkl3AIEBUxfnYX/iWo/aNO1AEaMC3Q3MyIfDhJfZvoZrV3DTlW6/KedpWfLWxnokfH17tsfJKLdXMC+xhVJNCc9Uv8zjiKXtct15EEAxrZGgqdRT9yQUfWw0Esu/u/oWiFdOPwgQPPQ3Jzt9ThIeGYKICKGOIp7hvbkw81J8=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-ffaec356-e34f-4338-8fa0-e9b4ab017fcc" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-3807ec02-b17e-478c-afc6-f8a14e513e44">
<xenc:EncryptedData Id="Enc-14e5f8f4-7887-4289-91fd-edfe2a6807e3" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<xenc:CipherData>
<xenc:CipherValue>/Z8XvsRnDdYKE25fkOnf422TmsOGWjJDcRWBroxxueQdptawRE/XIgfPbbnAiSWj7m7aFCYbwTjZ/ARlrtktKE+CzTZaAPsf8WkMGejB05lZ+HymhhzFxU0g0ALphw8YD4uPNNeZGXMhWHS512UPtkEb9mQB861DPPAfdT/vSVY=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
</processingStep>
</outputMessage>
</log>
@Launcher: The exception on the Java back end:
Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied to verify signature)
at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:187)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
... 29 more
It seems it cannot find the matching keystore to decrypt/encrypt.
@cwcls: Your request is clearly different from the Java one: here you use <wsse:BinarySecurityToken, while Java uses <wsse:UsernameToken.
Can WCF easily work with the old .NET web service implementation? => Yes. You can see it from the two requests you pasted: you say you don't know WCF, but WSE seems to be even harder for you, because the two requests obviously use different token types and you could not see it.
@cwcls: Take a look at this article: http://blog.csdn.net/whw6_faye/article/details/5410742. Compare the request that succeeds after following it against the format of your Java request.
@Launcher: Yes, .NET technology is all unfamiliar to me; I am a Java developer and now need to write a .NET example for the users at their request. How do I call a web service with WCF? Is there an example? I followed exactly that article, but the .NET client had the same exception, while the Java back-end exception was different:
org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header.
If WCF is easier, could you please give me an example of WCF calling a Java web service? Thanks.
@cwcls: Do you remember a post I answered before? I saw you replied there asking the original poster how they solved it. The answer is in there.
@Launcher: I can't find it. Could you please paste it for me? Thanks ^_^
@cwcls: I can't find it either, because I answered that post a long time ago; relatively speaking it is easier for you to find than for me. But I can show you a way to find it: on the "博问" page left-click "我的博问", then left-click "我回答的", then go through the titles one by one.
@Launcher: Hello, in that post I saw this sentence:
[The relation is that the way certificates are set on the proxy class generated by adding a Web reference differs from the way they are set on the proxy class generated by adding a service reference, because the latter uses the WCF framework. That is the main point of the link above.]
So, adding a service reference instead of a web reference already means using the WCF framework?
@cwcls: So, adding a service reference instead of a web reference already means using the WCF framework? ---> Correct.
@Launcher: Then do you know how to implement UsernameToken and certificate encryption/decryption in WCF? Thanks.
@cwcls: Did you generate the client proxy with "Add Service Reference"?
@Launcher: Already generated. I added the client proxy that way at the very beginning; later I read that WSE could use UsernameToken, so I switched to a web reference.
@Launcher: Could we add each other on QQ? ^_^
@cwcls: No. Paste the generated configuration file, then call the service once with this WCF client and paste the request and response.
@Launcher: How can I see the request and response with a WCF client? WSE3 can do that.
@cwcls: Which packet capture tool can you use?
@Launcher: Could you just recommend a tool to me, or give me a UsernameToken example directly? Thank you.
The Java web service uses UsernameToken and certificate encryption/decryption, so do I have to use WSE 3.0 to implement it? Any other suggestions? Thanks.
@dudu: Now this exception appears; have you run into it?
Security requirements are not satisfied because the security header is not present in the incoming messag
Implemented UsernameToken and certificate encryption by overriding the policy assertion and output filter.
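As an added illustration (not code from this thread or from the SAFPWebService project), here is the shape a custom WSE 3.0 policy assertion and output filter of the kind named in the last reply would take: the assertion is registered under the extension name already present in wse3policyCache.config, and its outbound filter puts a <wsse:UsernameToken> in the header, the token type the WSS4J side expects, and encrypts the body for the server certificate. The class bodies, the use of the appSettings credentials and the certificate-store lookup are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

namespace SAFPWebService
{
    // Referenced from wse3policyCache.config by
    // <extension name="CustomSecurityAssertion" type="SAFPWebService.CustomSecurityAssertion, SAFPWebService" />
    // and applied with <CustomSecurityAssertion /> inside a <policy>.
    public class CustomSecurityAssertion : PolicyAssertion
    {
        public override SoapFilter CreateClientOutputFilter(FilterCreationContext context)
        {
            return new ClientOutputFilter(this);
        }
        // Only the client's outbound direction is customised; null means "no filter" (assumed sufficient here).
        public override SoapFilter CreateClientInputFilter(FilterCreationContext context) { return null; }
        public override SoapFilter CreateServiceInputFilter(FilterCreationContext context) { return null; }
        public override SoapFilter CreateServiceOutputFilter(FilterCreationContext context) { return null; }
    }

    // Outbound filter: emits <wsse:UsernameToken> (what the WSS4J service expects, instead of the
    // <wsse:BinarySecurityToken> that mutualCertificate10Security produced) and encrypts the body.
    class ClientOutputFilter : SendSecurityFilter
    {
        public ClientOutputFilter(PolicyAssertion parent) : base(parent.ServiceActor, false) { }

        public override void SecureMessage(SoapEnvelope envelope, Security security)
        {
            // Credentials as in the thread's appSettings (assumed); a real client reads them from config.
            // SendPlainText leaves the password readable unless the transport is TLS; prefer SendHashed if the service accepts PasswordDigest.
            security.Tokens.Add(new UsernameToken("safp", "123456", PasswordOption.SendPlainText));

            // Server certificate from LocalMachine\AddressBook, as in the thread's serviceToken policy.
            X509Store store = new X509Store(StoreName.AddressBook, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName,
                "CN=ACMS-SERVER, OU=SAFP, O=SAFP, L=Macau, S=Macau, C=MO",
                true);   // validOnly: reject untrusted or expired certificates
            store.Close();
            if (found.Count != 1)
                throw new InvalidOperationException("expected exactly one valid ACMS-SERVER certificate");

            // EncryptedData with an X509 token encrypts soap:Body for the holder of that certificate's private key.
            security.Elements.Add(new EncryptedData(new X509SecurityToken(found[0])));
        }
    }
}
```

The thread's policy sets verifyTrust="false" and allowTestRoot="true"; the lookup above passes validOnly so an untrusted or expired server certificate is rejected instead of being used silently.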