wcf 错误 : Incoming message was signed with a token which is different from what used to encrypt body. 这不是预期的

Question

我正在尝试使用威瑞信测试 x.509 证书调用第三方服务。当我收到响应消息时，它会生成以下错误:

传入消息使用不同于用于加密正文的 token 进行签名。这出乎意料

这个错误不是我预料到的，因为我只为服务提供了一个 x.509 证书。它使用的是什么其他证书？

如有任何见解，我们将不胜感激!

我的自定义绑定(bind)看起来像:

<binding name="NodalCustomBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
        receiveTimeout="00:10:00" sendTimeout="00:10:00">
      <textMessageEncoding messageVersion="Soap11" />
      <security
        authenticationMode="MutualCertificate"
        requireDerivedKeys="false"
        includeTimestamp="true"
         keyEntropyMode="ClientEntropy"
        messageProtectionOrder="SignBeforeEncrypt"
        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
        requireSecurityContextCancellation="false"
        allowSerializedSigningTokenOnReply="true"
        enableUnsecuredResponse="true" >
        <secureConversationBootstrap />
      </security>
      <httpsTransport />
    </binding>

我的端点行为如下:

<endpointBehaviors>
    <behavior name="NodalCredentialBehavior">   
      <clientCredentials>
        <clientCertificate findValue="Testx509"                                
          storeLocation="CurrentUser"
         storeName="My"
          x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <authentication certificateValidationMode="None"/>
          <defaultCertificate findValue="Testx509"
          storeLocation="CurrentUser"
           storeName="My"
          x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>          
    </behavior>
  </endpointBehaviors>

最后我的回复信息是这样的:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
   <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39Q</wsse:BinarySecurityToken>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="#Id-b75df9d2-5a50-d36b-b26a-08ee4065010d">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>YKW87r6WtI5b5Mx3D/WIPg2bcIk=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>lAB8mXepN63lGSk/lraYooTEFfn8dnwiJ89z8d5S6HKsDjAgg=    </dsig:SignatureValue>
    <dsig:KeyInfo>
      <SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#SecurityToken-b1a3e7ef-008e-6bc0-b779-69cc8bf72d39" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </SecurityTokenReference>
    </dsig:KeyInfo>
  </dsig:Signature>
</wsse:Security>
</SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="Id-b75df9d2-5a50-d36b-b26a-08ee4065010d" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <ns0:ResponseMessage xmlns:ns0="http://www.ercot.com/schema/2007-06/nodal/ews/message">
  <ns0:Header>
    <ns0:Verb>reply</ns0:Verb>
    <ns0:Noun/>
    <ns0:ReplayDetection>
      <ns0:Nonce/>
      <ns0:Created/>
    </ns0:ReplayDetection>
    <ns0:Revision>001</ns0:Revision>
    <ns0:Source/>
    <ns0:UserID>API</ns0:UserID>
  </ns0:Header>
  <ns0:Reply>
    <ns0:ReplyCode>FATAL</ns0:ReplyCode>
    <ns0:Error>Invalid Verb</ns0:Error>
    <ns0:Timestamp>2012-03-14T10:54:31.701-05:00</ns0:Timestamp>
  </ns0:Reply>
</ns0:ResponseMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Answer 1

我找到了答案。这是证书和配置的问题。

证书显然，我需要两份 x.509 证书，一份用于请求，一份用于响应。

1. 在资源管理器中，双击您的 cer 文件将其打开。
2. 单击“认证路径”选项卡并记下层次结构
3. 在个人证书文件夹中安装两个 x.509 证书。
4. 在 MMC 中，双击证书将其打开
5. 单击“认证路径”选项卡并确保路径与步骤 2 中的路径相匹配

现在应该正确设置证书。

配置

在 app.config 中创建端点行为并创建身份

<behaviors>
  <endpointBehaviors>
    <behavior name="myBehavior">   
      <clientCredentials>
        <clientCertificate findValue="#RequestCertificate#"                                
          storeLocation="CurrentUser"
         storeName="My"
          x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <authentication certificateValidationMode="ChainTrust"/>
          <defaultCertificate findValue="#ResponseCertificate#"
          storeLocation="CurrentUser"
           storeName="My"
          x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>          
    </behavior>

  <endpoint address="https://myaddress.com/" binding="customBinding"
            contract="mycontract"
            behaviorConfiguration="myBehavior"
            name="HttpEndPoint">
    <identity>
      <dns value="#ResponseCertificate" />
    </identity>        
  </endpoint>

哪里:

#RequestCertificate#是你申请证书的名字

#ResponseCertificate# 是您的响应证书的名称