
.net - .NET client cannot consume SOAP messages bound to a SAML 2.0 identity assertion signed by reference using the STR-Transform algorithm

Reposted. Author: 行者123. Updated: 2023-12-01 18:40:41

A working example has been posted. See the working example below.

Problem: the .NET client cannot consume SOAP messages bound to a SAML 2.0 identity assertion that is signed by reference using the STR-Transform algorithm.

Java message producer: Spring and WSS4J

.NET client consumer: version 4.5.1

SAML: version 2.0, sender-vouches confirmation method; the assertion itself is signed; the assertion is also signed by reference at the message level using the STR-Transform algorithm.

The .NET client fails on this:

<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">

A Microsoft hotfix for the .NET 3.5 framework (http://support.microsoft.com/kb/974842) allows a .NET message producer to bind a SOAP message to a SAML assertion by reference, with a custom binding defined in Web.config. But we have not been able to figure out how to get a .NET client to consume such a message.

Edit:

Thanks for finding a better forum for this post. I understand the concern about multiple questions. Let me try again. The overall goal is to enable a .NET client to consume SOAP messages that are bound to an identity in the form of a SAML assertion signed at the message level by reference using the STR-Transform algorithm, where resolving the reference to the actual assertion is what allows the signature to be verified. The .NET client does not process the transform.

The .NET client throws this error:
An error occurred: 'System.Security.Cryptography.CryptographicException: Unknown transform has been encountered.
at System.Security.Cryptography.Xml.Reference.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedInfo.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.Signature.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedXml.LoadXml(XmlElement value)

I believe this error means the program encountered a URI in a message element that the .NET framework does not recognize. I have verified that .NET does not recognize this transform by substituting other transforms in the message:
<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">

Section 3.4.3 (SAML Assertion Referenced from SignedInfo) of the OASIS Web Services Security SAML Token Profile Version 1.1.1 states: "All conforming implementations MUST be able to process SAML assertions referenced by [...] elements within [...] elements in the [...] header."

The .NET framework does not appear to conform to the specification. Customizing WSS4J/OpenSAML to use a different transform when generating the message would only make conformance worse.

Has anyone registered a custom .NET class in machine.config to handle the STR-Transform algorithm?

Update after troubleshooting the .NET side:

To produce the exception above ("Unknown transform has been encountered"), System.Security.Cryptography.Xml.Reference.LoadXml attempts the following:
Transform transform = CryptoConfig.CreateFromName(attribute) as Transform;

and fails here:

if (transform == null) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_UnknownTransform")); }

System.Security.Cryptography.CryptoConfig.CreateFromName consults machine.config to determine which algorithms are available to the .NET framework.

Would it be appropriate to define a custom class that handles the STR-Transform algorithm and then reference that class in machine.config?
<mscorlib>
  <cryptographySettings>
    <cryptoNameMapping>
      <cryptoClasses>
        <cryptoClass strtransform="Custom.Class.StrTransformProvider,Custom.Class" />
      </cryptoClasses>
      <nameEntry name="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" class="strtransform" />
    </cryptoNameMapping>
  </cryptographySettings>
</mscorlib>

Working example

I have updated this post with a working example. It took some time to put together because I support the Java message producer side (not the .NET message consumer side) where the error occurs. The sample payload is based on the WSS4J framework with the OpenSAML library. The sample program attempts to be a simple C# signature verifier. Note that cryptographic verification of the signatures is not the point of this example, and on the sample payload, successfully verifying the signatures is in fact impossible.

To run the example you will need the C# code and the sample payload. (Because of length limits I will post the payload in a separate update.) If you save the payload as C:\Temp\Payload.xml, the C# program needs no modification. For my testing I used Visual Studio 2010 with .NET 4.0 as the target framework. You may need to add some references to the Visual Studio project. I believe you should be able to produce the same error with the latest .NET framework as well.

The C# code fails on this line:
signedXml.LoadXml((XmlElement)node);

with this message:
A first chance exception of type 'System.Security.Cryptography.CryptographicException' occurred in System.Security.dll
********* ERROR: System.Security.Cryptography.CryptographicException: Unknown transform has been encountered.
at System.Security.Cryptography.Xml.Reference.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedInfo.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.Signature.LoadXml(XmlElement value)
at System.Security.Cryptography.Xml.SignedXml.LoadXml(XmlElement value)
at TestSignatureVerification.Program.ValidateDocument(XmlDocument docToTest) in ... Program.cs:line 59
at TestSignatureVerification.Program.VerifyXMLSignature(String xmlFileLocation) in ... Program.cs:line 26 *********

Note that the signatures in this example are fake. Even if you get past the error, they cannot be verified. Downstream of the error is the cryptographic verification of the signatures, which is unrelated to this question. Also note that the XOP-referenced binary attachment is not included in the sample payload and is unrelated to it.

The wsse:Security header of the test message has the following child elements relevant to this question:
  • wsse:BinarySecurityToken (the SOAP producer's X.509 certificate)
  • saml2:Assertion (identifies the creator of the transaction; the SOAP producer vouches for this identity using the SAML sender-vouches confirmation method)
  • wsse:SecurityTokenReference (references the wsse:BinarySecurityToken and is referenced by the ds:Signature; see next)
  • ds:Signature (signs the message body and the SAML assertion)
  • The SAML assertion is signed by reference at the message level using the following algorithm:
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

To verify the signature, the SAML assertion must first be resolved from the reference using the STR-Transform algorithm. I believe this is where the .NET code fails with the "Unknown transform has been encountered" error. I base this conclusion on the following: if "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" is replaced in the message with "http://www.w3.org/2001/10/xml-exc-c14n#", the "Unknown transform" error is bypassed and the program simply fails to verify the signature (as expected, given the fake signatures and dummy identity in the message). Signature verification is not the point of this example; handling the transform algorithm is.

Note that the saml2:Assertion element itself has a ds:Signature element. The security token service that provides the assertion signs it. The SOAP producer takes the assertion as input from the security token service. Before including the assertion in the message, however, the SOAP producer needs to verify the assertion signature to prove to itself that the assertion was not modified in the hand-off from the security token service, and to confirm its trust relationship with the security token service. Having verified the integrity and the producer of the SAML assertion, the SOAP producer signs the assertion at the message level, thereby vouching for the assertion to the message consumer. At the message level, the second signature is not a duplicate signature, not only because the signers are not the same but also because the security contexts differ (one context is the security token service; the other is the SOAP producer).

In this example, Google is the dummy security token service. The value of the ds:X509Certificate element in the SAML assertion is the www.google.com digital certificate. Google (fictitiously) signs the SAML assertion and hands the signed assertion to the SOAP producer, which verifies the signature. In this example the SOAP producer, identified by the digital certificate for https://www.example.com, fictitiously signs the message body together with the SAML assertion.

The XPath query in this example picks up all ds:Signature elements in the message. The signature on the SAML assertion happens to come from the second ds:Signature element in the message. The program does not break on the cryptographic failure of the first signature verification (the SOAP message-level signature) because "if (!status) break" is commented out. The program then attempts to verify the signature on the SAML assertion. It fails with the "Unknown transform has been encountered" error. This happens before any attempt to verify the signature; the program never gets to that step for the second signature. The staleness of the conditions in the SAML assertion is irrelevant to this example.

Sample C# code

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using System.Collections.Generic;
using System.Diagnostics;

namespace TestSignatureVerification
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine(VerifyXMLSignature(@"C:\Temp\Payload.xml").ToString());
        }

        public static bool VerifyXMLSignature(string xmlFileLocation)
        {
            try
            {
                XmlDocument docToTest = new XmlDocument();
                docToTest.PreserveWhitespace = true;
                docToTest.XmlResolver = null;
                docToTest.Load(xmlFileLocation);
                return ValidateDocument(docToTest);
            }
            catch (Exception e)
            {
                // Console.WriteLine(e.Message);
                Debug.WriteLine("********* ERROR: " + e.ToString() + " *********");
                // Debug.WriteLine(e.StackTrace);
                return false;
            }
        }

        public static bool ValidateDocument(XmlDocument docToTest)
        {
            bool status = true;

            XmlNamespaceManager manager = new XmlNamespaceManager(docToTest.NameTable);
            manager.AddNamespace("wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");

            // The signing certificate is taken from the wsse:BinarySecurityToken in the first wsse:Security header.
            XmlNodeList securityList = docToTest.SelectNodes("//wsse:Security", manager);
            X509Certificate2 cert = getCertificate(securityList[0]);

            // http://www.w3.org/2000/09/xmldsig#
            manager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
            XmlNodeList nodeList = docToTest.SelectNodes("//ds:Signature", manager);

            Debug.WriteLine("Count of Signature nodes: " + nodeList.Count);

            SignedXml signedXml = new SignedXml(docToTest);

            // Every ds:Signature in the document is loaded and checked against the same certificate.
            foreach (XmlNode node in nodeList)
            {
                Debug.WriteLine("InnerXML: " + node.InnerXml);
                signedXml.LoadXml((XmlElement)node);
                // Debug.WriteLine("Certificate: " + cert);
                status = signedXml.CheckSignature(cert, true);
                // Debug.WriteLine("Node Name: " + node.Name);
                Debug.WriteLine("CheckSignature status: " + status);
                // if (!status)
                //     break;
            }
            return status;
        }

        private static XmlElement retrieveHeader(XmlDocument xmlContent)
        {
            return xmlContent.ChildNodes.OfType<XmlElement>().First(e => e.Name.Contains("Envelope"))
                .ChildNodes.OfType<XmlElement>().First(e => e.Name.Contains("Header"));
        }

        private static X509Certificate2 getCertificate(XmlNode securityNode)
        {
            XmlElement binarySecurityToken = (
                from element in securityNode.ChildNodes.OfType<XmlElement>()
                where element.Name.Contains("BinarySecurityToken")
                select element).First();
            string encodedCertificate = binarySecurityToken.InnerText;
            byte[] decodedContent = Convert.FromBase64String(encodedCertificate);
            return new X509Certificate2(decodedContent);
        }
    }
}

Sample payload
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-81591DAC97D1A4EF26139995608718319">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</wsse:BinarySecurityToken>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_81591DAC97D1A4EF26139995608705916" IssueInstant="2014-05-13T04:41:27.065Z" Version="2.0" xsi:type="saml2:AssertionType">
    <saml2:Issuer>
    www.example.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_81591DAC97D1A4EF26139995608705916">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>Q8nxma/rf1XRfxq46oR7vaj/1yA=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CzkNUiZppovAIY/atOQzRQfirJ8yFcwbTnwSz8tKcJgx5nYMP23jRZ855lo20laazvoducWqWYDOqGtK4+yzsQmN8OvUkedSzT++KJHUf68LV2ubdmOZ9o6ktLGFsVoj8XGZYlrYHj4mQuuWcBMYgPItiE5kMOPuUWT/8CDS8HkjD0twc7m8/HkQ+PzHfcNSdRHBldH/tXPu3RcOchUjT/LrH6j5A1vdz4aWF7IizKIhtDtu4/dedR1S3DiSj3KG0p2tPxVVEzJX0D1KSyGASxgeP1Sxux0+omZI8U8V2r6cupNaFxg/7iPkA3OFPcbVvOzYL/GLPUcaysFpOdI/cg==</ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>MIIEdjCCA16gAwIBAgIILBjgSyHeH78wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNzE2MTIxNDExWhcNMTQxMDE0MDAwMDAw
    WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
    Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKMwph
    144V2I3T0MfpUCYOgRASpo9gOTP/jVfkart6L2Y5OkJRWLPf2kjFHu9lneFMUkYU
    SF/FM62prDo256Hw19/ec8GqfeeWgdn/I7F1GWeAWH96hah0hx0mKApoUN+S3jCD
    8ZUEq3CG5WosyFaior0ms/M6lxVg+qFpZMr40jiM8wmBmNdUPaRpFa00EXKSvEN4
    wkOcy3/chrZhvYvaPynbqESWslyIWjBbS1fo8HmE4tccf3hw3BzO75pmkjMJy/nG
    G5NfB0sV8TvwKClF7UYj16gKMFOmGzYrKsMJJZdACbPcEHZJsvs49SGTLLTQECk6
    MGWpB8mco2gxMHOXAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
    KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
    XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
    MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
    A1UdDgQWBBSG63QhKSoMLrf/MwcMKcIpgpLsezAMBgNVHRMBAf8EAjAAMB8GA1Ud
    IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
    eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
    RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCHHplYC1ORmY7GI7NuJrV23e0Tc8NZ
    zIHwBr/MKHeu07h8tXw6empmo8Jpl72xCAlMdiaJ6gnx3T8euJdj387P60uIvYba
    nSJt8hxwlOKxHWbK5WoIjlSERfD0Q8rJ7Sv77wsKv7HKxJgsjn1Eg8VeO0ruhmgO
    6PT8pdRYazvxl82Mzs3rqXZKCslIa1OBt/nKaBDJ8Rl+J+LZ0idFXCj/oRUhSoaw
    W0+zmPBMCJJkSom61LumjGXgU/TMLBCWI2NZp7JhUOoOkeb/lOMcZJIYQ7+zCtJH
    P3gUMNJhX3uyZH1FzyAg9rpenMGSYMUPB2MXmKQi5b2Zu4qHiLjsJ0MK</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.example.com">
    Tester</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-05-13T04:41:27.117Z" NotOnOrAfter="2014-05-13T04:46:27.117Z"/>
    <saml2:AuthnStatement AuthnInstant="2014-05-13T04:41:27.113Z">
    <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
    </saml2:AuthnStatement>
    </saml2:Assertion>
    <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" wsu:Id="STRSAMLId-81591DAC97D1A4EF26139995608718320">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
    _81591DAC97D1A4EF26139995608705916</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-81591DAC97D1A4EF26139995608718622">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="SOAP-ENV"/>
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#id-81591DAC97D1A4EF26139995608718421">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
    </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>
    JLjybHqBnly5B2u2yhvTCTnn3os=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#STRSAMLId-81591DAC97D1A4EF26139995608718320">
    <ds:Transforms>
    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>
    g3PCuPeWIcXW9HFYYuLJp2lrVwM=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    gGZU5Fwzd86oNABwaX0kzlWU0XVR4HUAp/F04WwxgVI7TThTK/e4OdvyvFJ2tt3kaItoWXhS+YgVnv+4MqmeqAZU+dYvJVuDD+mXjlhokKjHr8RKjLKaKIMIJOcApQrrKqbX0BrT1VySdnARLm3z+z4R0EWU+FNUSFg3nFKA2w63NARAZzeVs4dmFNJH8JtIvh4qHOytpEzJVnBG0bcnVD5BMeLZFZVFP3PCFwLEyb01QMe84GR60HocVPszHbQYnahYVtVABtOkFZjWj8+6C3pM+jaSa0QgB8Kvlwnkr/I8qU1q4HP2gvFkAMl9PZqfsO2zYn6OX6Gihcm4KJ/K3g==</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-81591DAC97D1A4EF26139995608718317">
    <wsse:SecurityTokenReference wsu:Id="STRId-81591DAC97D1A4EF26139995608718318">
    <wsse:Reference URI="#CertId-81591DAC97D1A4EF26139995608718319" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    <WSHeader xmlns="http://www.example.com/WSHeader.xsd">
    <UsernameToken>
    <Username>
    Tester</Username>
    <Nonce>
    ODE1OTFEQUM5N0QxQTRFRjI2MTM5OTk1NjA4NTUyOTE1</Nonce>
    <Created>
    2014-05-13T04:41:25.529Z</Created>
    </UsernameToken>
    </WSHeader>
    <ns1:attachmentHash xmlns:ns1="http://www.example.com/schemas/attachmenthash" SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="0">
    <ns1:hashValue>
    7WxA7WJauYkMVd7KzK369YFQKS8=</ns1:hashValue>
    </ns1:attachmentHash>
    <ns1:standardAttachment xmlns:ns1="http://www.example.com/Attachment.xsd">
    <Attachment>
    <id>
    1</id>
    <compressFlag>
    yes</compressFlag>
    <compressMethod>
    gzip</compressMethod>
    </Attachment>
    </ns1:standardAttachment>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-81591DAC97D1A4EF26139995608718421">
    <submitTest xmlns="http://www.example.com/Test">
    <AttachmentInfo xmlns="http://www.example.com/Attachment.xsd">
    <attachmentData>
    <Include xmlns="http://www.w3.org/2004/08/xop/include" href="cid:2b380066-5b7e-4d5c-949d-f11d41d1cd1b"/>
    </attachmentData>
    </AttachmentInfo>
    </submitTest>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

Another post describes the same problem, except that the Java producer uses the Metro framework for WS-Security instead of Apache WSS4J. The result, however, is the same. For several reasons I want to avoid breaking the Java side, in particular breaking conformance with the WS-Security SAML Token Profile. From that post: "We modified the Metro source code to eliminate the STR-Transform and sign the SAML assertion directly from the main signature (rather than using the SecurityTokenReference and STR-Transform)." I do not consider that an acceptable solution.
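The question asks whether a custom class can be registered to handle the STR-Transform algorithm, and the troubleshooting notes above show why that would work: Reference.LoadXml resolves every ds:Transform URI through CryptoConfig.CreateFromName. What follows is an added example, not code from the question, from WSS4J or from Microsoft, of the client-side override the question implies: a Transform subclass that dereferences the wsse:SecurityTokenReference to the SAML assertion and canonicalizes it, registered with CryptoConfig.AddAlgorithm (a .NET 4.0+ API, so no machine.config edit is needed), plus a SignedXml subclass that resolves wsu:Id references, which the stock GetIdElement does not. The namespace StrTransformSample, the class names StrTransform and WsSecuritySignedXml and the method names are my own; the namespace URIs and element names come from the sample payload. Only the wsse:KeyIdentifier form of the STR used in that payload is handled.

```csharp
// Added example (not from the question, WSS4J or Microsoft): an STR-Transform for SignedXml,
// registered with CryptoConfig.AddAlgorithm (.NET 4.0+) instead of editing machine.config.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

namespace StrTransformSample
{
    public sealed class StrTransform : Transform
    {
        public const string AlgorithmUri = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform";
        public const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
        public const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
        public const string Saml2Ns = "urn:oasis:names:tc:SAML:2.0:assertion";
        readonly Type[] inputTypes = { typeof(Stream), typeof(XmlDocument) };
        readonly Type[] outputTypes = { typeof(Stream) };
        string c14nAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#"; // used when no parameters are given
        XmlNodeList parameters;
        XmlElement str; // the wsse:SecurityTokenReference that the ds:Reference URI points at

        public StrTransform() { Algorithm = AlgorithmUri; }
        public override Type[] InputTypes { get { return inputTypes; } }
        public override Type[] OutputTypes { get { return outputTypes; } }
        protected override XmlNodeList GetInnerXml() { return parameters; }

        // Reads <wsse:TransformationParameters><ds:CanonicalizationMethod Algorithm="..."/>.
        public override void LoadInnerXml(XmlNodeList nodeList)
        {
            parameters = nodeList;
            foreach (XmlNode p in nodeList)
                if (p.LocalName == "TransformationParameters" && p.NamespaceURI == WsseNs)
                    foreach (XmlNode m in p.ChildNodes)
                        if (m.LocalName == "CanonicalizationMethod" && m.NamespaceURI == SignedXml.XmlDsigNamespaceUrl)
                            c14nAlgorithm = ((XmlElement)m).GetAttribute("Algorithm");
        }

        // SignedXml hands a same-document reference in as an XmlDocument holding only that element.
        public override void LoadInput(object obj)
        {
            XmlDocument doc = obj as XmlDocument;
            if (doc == null) { doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null }; doc.Load((Stream)obj); }
            str = doc.DocumentElement;
        }

        // The referenced token stands in for the STR and is canonicalized with the named algorithm.
        public override object GetOutput()
        {
            if (str == null) throw new CryptographicException("STR-Transform: no input loaded.");
            Transform c14n = CryptoConfig.CreateFromName(c14nAlgorithm) as Transform;
            if (c14n == null) throw new CryptographicException("STR-Transform: unknown canonicalization " + c14nAlgorithm);
            XmlDocument tokenDoc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
            tokenDoc.AppendChild(tokenDoc.ImportNode(Dereference(str), true));
            c14n.LoadInput(tokenDoc);
            return c14n.GetOutput(typeof(Stream));
        }

        public override object GetOutput(Type type)
        {
            if (!typeof(Stream).IsAssignableFrom(type)) throw new ArgumentException("Only Stream output is supported.", "type");
            return GetOutput();
        }

        // Follows the wsse:KeyIdentifier (SAML assertion ID) into the signed document; Transform.Context
        // is the document context SignedXml.LoadXml was given. Other STR forms are not handled here.
        XmlElement Dereference(XmlElement strElement)
        {
            XmlDocument owner = Context != null ? Context.OwnerDocument : strElement.OwnerDocument;
            XmlNamespaceManager nsm = Namespaces(owner);
            XmlNode keyId = strElement.SelectSingleNode("wsse:KeyIdentifier", nsm);
            if (keyId == null) throw new CryptographicException("STR-Transform: unsupported SecurityTokenReference form.");
            XmlElement token = owner.SelectSingleNode("//saml2:Assertion[@ID='" + Ncname(keyId.InnerText) + "']", nsm) as XmlElement;
            if (token == null) throw new CryptographicException("STR-Transform: referenced assertion not found.");
            return token;
        }

        internal static XmlNamespaceManager Namespaces(XmlDocument doc)
        {
            XmlNamespaceManager nsm = new XmlNamespaceManager(doc.NameTable);
            nsm.AddNamespace("wsse", WsseNs); nsm.AddNamespace("wsu", WsuNs); nsm.AddNamespace("saml2", Saml2Ns);
            return nsm;
        }

        // IDs are spliced into XPath predicates, so insist on a plain NCName (no quotes or brackets).
        internal static string Ncname(string id) { id = id.Trim(); XmlConvert.VerifyNCName(id); return id; }
    }

    // Stock SignedXml.GetIdElement matches only unprefixed Id/id/ID attributes; the wsu:Id values on
    // the Body and the SecurityTokenReference in the payload need this override as well.
    public sealed class WsSecuritySignedXml : SignedXml
    {
        public WsSecuritySignedXml(XmlDocument document) : base(document) { }

        // Call once at start-up; then use new WsSecuritySignedXml(docToTest) where the question's code
        // does new SignedXml(docToTest), and LoadXml no longer rejects the STR-Transform URI.
        public static void RegisterStrTransform() { CryptoConfig.AddAlgorithm(typeof(StrTransform), StrTransform.AlgorithmUri); }

        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            XmlElement found = base.GetIdElement(document, idValue);
            if (found != null) return found;
            string xpath = "//*[@wsu:Id='" + StrTransform.Ncname(idValue) + "']";
            return document.SelectSingleNode(xpath, StrTransform.Namespaces(document)) as XmlElement;
        }
    }
}
```

Against the sample payload this gets past the LoadXml failure; CheckSignature still returns false because, as the question says, the signatures are fake. Two caveats for a real deployment: the ID values are validated as NCNames before being spliced into an XPath predicate, because both come from the untrusted message; and on .NET Framework 4.6.2 and later SignedXml also refuses to digest a reference whose transform URI is not in its SafeCanonicalizationMethods collection (CheckSignature then returns false without throwing), so the URI has to be added to that collection on the instance as well.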

Best answer

After working directly with Microsoft for a while, I am answering my own question. The title of this question is still true, but it can now be clarified:

Windows Identity Foundation (WIF) supports the STR-Transform algorithm for verifying signed tokens that are referenced, but Windows Communication Foundation (WCF) does not.

The WCF source code includes SendSecurityHeader.cs, which handles XML signing and XML encryption when sending service messages. The problem at hand concerns receiving messages, but a comment in SendSecurityHeader's OnWriteHeaderContents appears to point at the root of the issue.

Starting at line 606 of Microsoft's published source reference for SendSecurityHeader.cs, note the following:

if (elementContainer.SourceSigningToken != null)
{
    if (ShouldSerializeToken(this.signingTokenParameters, this.MessageDirection))
    {
        this.StandardsManager.SecurityTokenSerializer.WriteToken(writer, elementContainer.SourceSigningToken);

        // Implement Protect token
        // NOTE: The spec says sign the primary token if it is not included in the message. But we currently are not supporting it
        // as we do not support STR-Transform for external references. Hence we can not sign the token which is external ie not in the message.
        // This only affects the messages from service to client where
        // 1. allowSerializedSigningTokenOnReply is false.
        // 2. SymmetricSecurityBindingElement with IssuedTokens binding where the issued token has a symmetric key.

        if (this.ShouldProtectTokens)
        {
            this.WriteSecurityTokenReferencyEntry(writer, elementContainer.SourceSigningToken, this.signingTokenParameters);
        }
    }
}

This means WCF does not support XML Security constructs on externally referenced tokens (for example, the SAML assertion in this question). It also means Microsoft does not fully support the Web Services Security SAML Token Profile Version 1.1.1, a standard they hosted and co-edited. I am filing an enhancement request with Microsoft and am evaluating the possibility of overriding the framework. The implication is a lack of interoperability between .NET service consumers and Java producers of service messages protected by a SAML assertion signed by reference.

A similar question on Stack Overflow regarding this topic: https://stackoverflow.com/questions/24173931/
