Utilizzando la configurazione seguente abbiamo implementato la sicurezza a livello di messaggio con WCF e WS-Security. Tieni presente che usiamo clientCredentialType = Certificate.
Ora le mie domande sono:
- La configurazione seguente rappresenta un modo crittograficamente sicuro per verificare l'identità del client?
- Il client utilizza come credenziali un certificato di cui possiede la chiave privata. In che modo il server può verificare questo certificato, dato che il server dispone della chiave pubblica corrispondente?
- Che cosa accade quando un client WCF utilizza un certificato come credenziali client? Le informazioni sul certificato vengono incluse nel messaggio SOAP? Oppure viene incluso un elemento firmato con il certificato? O cos'altro?
Configurazione WCF del server:
<system.serviceModel>
<!-- Server-side WCF configuration: message-level WS-Security, client authenticated with an X.509 certificate. -->
<behaviors>
<serviceBehaviors>
<behavior name="srv">
<!-- Metadata (WSDL, including the security policy) is published over plain HTTP as well as HTTPS. -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<!-- Exception details are withheld from SOAP faults, so internals are not leaked to callers. -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<!-- Service certificate: looked up by subject name "ServerCert" in the LocalMachine\My store. -->
<serviceCertificate x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" findValue="ServerCert"/>
<clientCertificate>
<!-- Acceptance of the client certificate is delegated to the custom validator type CertValidator (assembly WcfService1), which is not shown here.
     NOTE(review): in Custom mode the validator presumably is the only thing deciding whether a client certificate is trusted;
     confirm that it checks the issuer chain, validity period, revocation and the expected subject or thumbprint, and that it rejects everything else. -->
<authentication certificateValidationMode="Custom" customCertificateValidatorType="CertValidator, WcfService1"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="ServerBinding">
<!-- Security is applied at the SOAP message level (not at the transport level). -->
<security mode="Message">
<!-- Client credential is a certificate. The service credential is not negotiated at runtime (negotiateServiceCredential="false"),
     so the client is expected to hold the service certificate out of band; no secure-conversation session is established (establishSecurityContext="false"). -->
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WcfService1.Service1" behaviorConfiguration="srv">
<!-- Single endpoint on wsHttpBinding using the binding and behavior above. -->
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="ServerBinding" contract="WcfService1.IService1"/>
</service>
</services>
</system.serviceModel>
Configurazione WCF del client:
<system.serviceModel>
<!-- Client-side WCF configuration; the binding mirrors the server's ServerBinding. -->
<bindings>
<wsHttpBinding>
<binding name="WsHttpBinding_IService1">
<security mode="Message">
<!-- Must match the server: certificate client credential, no service-credential negotiation, no security context. -->
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<!-- Endpoint address is plain http://, so the transport itself is not encrypted; protection relies entirely on the message-level security configured above.
     The "localhost.fiddler" host name presumably routes traffic through a local Fiddler proxy for inspection. -->
<endpoint address="http://localhost.fiddler:49694/Service1.svc" binding="wsHttpBinding"
bindingConfiguration="WsHttpBinding_IService1" contract="ServiceReference1.IService1"
name="WsHttpBinding_IService1" behaviorConfiguration="endpBehavior">
<identity>
<!-- Expected service identity: the service certificate is taken from the local LocalMachine\My store by subject name "ServerCert"
     (this is the out-of-band copy required because negotiateServiceCredential is false). -->
<certificateReference findValue="ServerCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="endpBehavior">
<clientCredentials>
<!-- Client credential: certificate "ClientCert" from LocalMachine\My; the client needs its private key to sign messages. -->
<clientCertificate findValue="ClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
La configurazione del server produce il seguente elemento di policy nel WSDL:
<wsp:Policy wsu:Id="WSHttpBinding_IService1_policy">
<!-- WS-SecurityPolicy generated from the server binding above. -->
<wsp:ExactlyOne>
<wsp:All>
<!-- Symmetric binding: message protection uses a symmetric key established under the service's X.509 certificate (the protection token). -->
<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<!-- IncludeToken/Never: the service certificate is not carried in messages; it is referenced by thumbprint, which is why
     the client must already have it configured (negotiateServiceCredential="false"). -->
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<!-- Basic256 algorithm suite (AES-256 based). NOTE(review): this suite pairs with a SHA-1 digest; WCF also offers
     the Basic256Sha256 suite if a SHA-256 digest is wanted. -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<!-- A timestamp is included (gives the receiver a freshness window), the signature itself is encrypted,
     and only whole headers and the body are signed. -->
<sp:IncludeTimestamp/>
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<!-- Endorsing supporting token: this is the client credential. IncludeToken/AlwaysToRecipient means the client's X.509 certificate
     is carried in every message to the service, and as an endorsing token it signs the message signature, proving possession of the private key. -->
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<!-- WS-Security 1.1 options; RequireSignatureConfirmation makes the response echo a confirmation of the request signature. -->
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<!-- WS-Trust 1.0 options: both client and server contribute entropy to the derived key material. -->
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Si noti che questa domanda è stata posta anche su Stack Overflow.