No signature in WS-Security message for configured SOAP actor/role ''! (from client)

Problem description    Votes: 0    Answers: 1

My binding is set up as follows

    // Required namespaces for the snippet below
    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security.Tokens;
    using System.Text;

    // Load the client certificate (with private key) from its PFX file and
    // import it into CurrentUser\My so WCF can look it up by name later.
    // cert.File is the PFX path supplied by the surrounding code.
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadWrite);
    X509Certificate2 localCert = new X509Certificate2(cert.File, "mypassword");
    store.Add(localCert);
    store.Close();
    // FindBySubjectName matches the certificate's subject (CN), not its friendly name,
    // so take the subject name from the certificate itself.
    string certSubjectName = localCert.GetNameInfo(X509NameType.SimpleName, false);

    // Set binding: HTTPS transport security, with the X.509 token carried as a
    // signed/encrypted supporting token in every request
    SecurityBindingElement security = new TransportSecurityBindingElement();
    X509SecurityTokenParameters item = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
    security.EndpointSupportingTokenParameters.SignedEncrypted.Add(item);
    security.IncludeTimestamp = false;
    security.MessageSecurityVersion =
        MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
    TextMessageEncodingBindingElement encoding =
        new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
    HttpsTransportBindingElement transport = new HttpsTransportBindingElement();
    transport.RequireClientCertificate = true;
    Binding currentBinding = new CustomBinding(security, encoding, transport);
    EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("mydns");
    EndpointAddress ea = new EndpointAddress(new Uri("MyURI"), identity);

    // service is the generated client proxy (ClientBase<T>) created from currentBinding and ea.
    // The same certificate is configured as client certificate and as default service certificate.
    service.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, certSubjectName);
    service.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
        StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, certSubjectName);

Below is the security policy from the WSDL I was given

<wsp:Policy Name="GAPolicy" wsu:Id="policy.ga" xmlns:wsaws="http://www.w3.org/2005/08/addressing">
    <wsp:ExactlyOne>
        <wsp:All>
            <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy Name="NPPIPolicy" wsu:Id="policy.nppi"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- Force the use of WS-Addressing -->
            <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />

            <!-- Require a signature on the body of the message -->
            <wsp:SignedParts>
                <wsp:Body />
            </wsp:SignedParts>

            <!-- X.509 Certs in header -->
            <wsp:AsymmetricBinding
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorSignatureToken>
                        <wsp:Policy>
                                <sp:X509Token
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient" />
                        </wsp:Policy>
                    </sp:InitiatorSignatureToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" />
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <!-- Supported encryption algorithms -->
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <wsp:ExactlyOne>
                                <sp:Basic256 />
                                <sp:TripleDes />
                                <sp:TripleDesSha256 />
                                <sp:TripleDesSha256Rsa15 />
                            </wsp:ExactlyOne>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <!-- Do not impose an order of layout -->
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax />
                        </wsp:Policy>
                    </sp:Layout>
                </wsp:Policy>
            </wsp:AsymmetricBinding>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy Name="PCIPolicy" wsu:Id="policy.pci"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- Force the use of WS-Addressing -->
            <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />

            <!-- Require a signature on the body of the message -->
            <wsp:SignedParts>
                <wsp:Body />
            </wsp:SignedParts>

            <!-- X.509 Certs in header -->
            <wsp:AsymmetricBinding
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:InitiatorSignatureToken>
                        <wsp:Policy>
                                <sp:X509Token
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient" />
                        </wsp:Policy>
                    </sp:InitiatorSignatureToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token
                                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" />
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <!-- Supported encryption algorithms -->
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <wsp:ExactlyOne>
                                <sp:Basic256 />
                                <sp:TripleDes />
                                <sp:TripleDesSha256 />
                                <sp:TripleDesSha256Rsa15 />
                            </wsp:ExactlyOne>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <!-- Do not impose an order of layout -->
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax />
                        </wsp:Policy>
                    </sp:Layout>
                </wsp:Policy>
            </wsp:AsymmetricBinding>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

With this I get "System.ServiceModel.FaultException: No signature in WS-Security message for configured SOAP actor/role ''! (from client)".

wcf visual-studio-2010 c#-4.0
1 answer

-1 votes

Use CustomBinding directly. By introducing WsHttpBinding and setting its security to expect a client certificate, you are configuring a completely different security mode. I wrote an article about this problem (since you have already found it on MSDN). Start from the binding described in the article, or modify it to suit your needs. The binding described there uses mutual HTTPS (HTTPS client certificates) together with a supporting certificate in each request message.
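For reference, here is what the WSDL policy in the question actually asks of the client, written out as a CustomBinding. This is an added example, not code from the answer's article or from the original question. The policy's sp:AsymmetricBinding with sp:SignedParts/sp:Body means the Body must carry an XML signature made with the initiator's X.509 key (IncludeToken=AlwaysToRecipient), while the recipient's certificate is only referenced (IncludeToken=Never). A TransportSecurityBindingElement with the certificate as a SignedEncrypted supporting token, as in the question, only places the BinarySecurityToken in the header under TLS; it produces no message-level signature over the Body, which is exactly what the server's fault complains about. The example assumes a hypothetical contract IGatewayService with one Ping operation, that the sp: prefix bound to the 2005/07 namespace maps to WCF's WS-SecurityPolicy 1.1 message security version, that UsingAddressing means WS-Addressing 1.0, and that both the client and the service certificate are installed in CurrentUser\My under the subject names passed in.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

// Hypothetical contract for the endpoint behind NPPIPolicy/PCIPolicy (assumption).
// ProtectionLevel.Sign: the policy lists <sp:SignedParts><sp:Body/> and no
// EncryptedParts, so the Body is signed but not encrypted.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IGatewayService
{
    [OperationContract]
    string Ping(string message);
}

public static class PolicyBinding
{
    // Mirrors the WSDL's AsymmetricBinding:
    //   InitiatorSignatureToken = client X.509, IncludeToken AlwaysToRecipient
    //   RecipientToken          = service X.509, IncludeToken Never
    //   AlgorithmSuite Basic256, Layout Lax, no Timestamp
    // layered over mutual HTTPS (client certificate required at the TLS layer too).
    public static Binding Create()
    {
        var initiator = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
        initiator.RequireDerivedKeys = false;

        var recipient = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.Never);
        recipient.RequireDerivedKeys = false;

        // Constructor order is (recipient, initiator).
        var security = new AsymmetricSecurityBindingElement(recipient, initiator);
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        security.IncludeTimestamp = false;
        security.SetKeyDerivation(false);
        // sp: = http://schemas.xmlsoap.org/ws/2005/07/securitypolicy, i.e. WS-SecurityPolicy 1.1 (assumption)
        security.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

        // UsingAddressing in the policy: SOAP 1.1 with WS-Addressing 1.0 headers (assumption)
        var encoding = new TextMessageEncodingBindingElement(
            MessageVersion.Soap11WSAddressing10, Encoding.UTF8);

        var transport = new HttpsTransportBindingElement();
        transport.RequireClientCertificate = true; // mutual HTTPS

        return new CustomBinding(security, encoding, transport);
    }
}

public static class GatewayClient
{
    // endpointUri, dnsIdentity and both subject names are caller-supplied (assumption).
    public static IGatewayService Connect(string endpointUri, string dnsIdentity,
        string clientCertSubject, string serviceCertSubject)
    {
        var address = new EndpointAddress(new Uri(endpointUri),
            EndpointIdentity.CreateDnsIdentity(dnsIdentity));
        var factory = new ChannelFactory<IGatewayService>(PolicyBinding.Create(), address);

        // Client certificate: TLS client auth and the initiator signature over the Body.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, clientCertSubject);

        // Service certificate: the RecipientToken is never sent on the wire, so WCF must
        // already hold it locally; its subject is checked against dnsIdentity.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, serviceCertSubject);
        // Certificate validation stays at the ChainTrust default; do not relax it to None.

        return factory.CreateChannel();
    }
}
```

Before pointing this at the real endpoint, capture one request (for example with the WCF message logging trace listener) and confirm the Security header contains a ds:Signature whose ds:Reference points at the soap:Body and whose KeyInfo resolves to the client's BinarySecurityToken; that is the check the server is performing when it raises the fault quoted in the question.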

© www.soinside.com 2019 - 2024. All rights reserved.