Sign, Encrypt, and Sign Secure SOAP1.2 with C#/WCF - c#

I'm attempting to call a Secure SOAP service from C# using .NET 4.0
The SOAP service is expecting the message to be
Encrypted with certificate A,
Signed with certificate B, and then
Encrypt again with certificate A
I created a reference in Visual Studio with a local wsdl file.
I've found some articles on how to apply a UserName token, but that's not what I need. I've found ways to sign an XML document, but through the generated proxy class there is no access to the XML.
The config file I use looks like this
<?xml version="1.0" encoding="utf-8" ?>
<!-- WCF client configuration for the GetStatusV01 endpoint. All protection is
     message-level (customBinding); the transport below is plain HTTP, so nothing
     else protects confidentiality or integrity on the wire. -->
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="GetStatusV01">
<textMessageEncoding messageVersion="Default" />
<!-- MutualCertificate: the client signs with its own certificate and encrypts for the
     service certificate. SignBeforeEncryptAndEncryptSignature signs first, then encrypts,
     and also encrypts the ds:Signature element itself, so no clear-text Signature will
     appear in the outgoing o:Security header. requireSignatureConfirmation="true" makes
     the client expect a wsse11:SignatureConfirmation in the response. -->
<security authenticationMode="MutualCertificate" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireSignatureConfirmation="true">
<!-- NOTE(review): issuedTokenParameters describes tokens obtained from an STS; with
     MutualCertificate authentication it is presumably ignored; confirm it is needed. -->
<issuedTokenParameters keyType="AsymmetricKey" />
</security>
<httpTransport />
</binding>
</customBinding>
</bindings>
<client>
<!-- Endpoint is http (no TLS). The dns identity must match the DNS/subject name of the
     service certificate (dbCryptCert); otherwise WCF rejects the certificate client-side. -->
<endpoint address="http://dev-server.com/GetStatusV01"
binding="customBinding" bindingConfiguration="GetStatusV01"
contract="GetStatusV01.GetStatusV01" name="GetStatusV01">
<identity>
<dns value="MYCRYPT" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
The response I get from the server is "Invalid signature", and according to a server operator, that's because there are no signatures in the xml I'm sending.
The envelope I end up sending, looks like this
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<!-- Outgoing request as captured on the client. Each addressing header carries a u:Id,
     which is how a ds:Signature reference would point at it. -->
<a:Action s:mustUnderstand="1" u:Id="_5"/>
<!-- NOTE(review): a:Action is empty in this capture, presumably redacted; an empty
     Action on the wire would also prevent the service from dispatching the call. -->
<!-- WS-Security 1.1 EncryptedHeader (_7 here, _9 below): whole SOAP headers encrypted
     with AES-256-CBC under derived key _2. Which headers they were cannot be told from
     the ciphertext. -->
<k:EncryptedHeader s:mustUnderstand="1" u:Id="_7" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>9HtcpmMXQXza5yex1aclsD5/0HHz9Me2IgFe6+M6CidhhNsxhExFfwMNDlT+jqiqHcspuoJtEMtwRdj6b52qXqhf7oGSqnD1JJZ1UjTg7TiOrCUHRsMjy2CxLAL7Lzez9GsHv4zK+ddz9Cif3tNQTHBMq/yeK0O8DmYNjqDbpuVv88A7eymdM1dmxrX9o88NdwJ2GwuNgHBkOUHQNdEflT8DgV0ENtYna8tDVbzgtQilCgPcIYZr9ku3h9dqK9PUYExUJSTtvYTDcLf0nY3r8ih0ub9TsMWGKy3i4G8hHUPrcJnn3CGr00irEuL1uth+nRpFPV2X0G6UAmRHluCVwUu7YkSPtt19NAZBzJq3RFz7KZfKbmn64oF14QCjkhTJprhcvKq97mjfO6wDj2SNBC+74Iun8G9yd9wLswmYTk7MjVCJQuHEEkzTPeXJzNJoF4vSOIWVqLz7vsEjy5SeGb6Hz8P8F63XwcPgu1sTZHgPD31yU5Hes2YBY2T2NrEaZEkSMp47vmwjOL5BBetto0KSFWjR/y1MQHLnEGn2JmI=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<k:EncryptedHeader s:mustUnderstand="1" u:Id="_9" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>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</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<a:MessageID u:Id="_10">urn:uuid:b9c526af-36f3-423a-8d3a-19985e0db257</a:MessageID>
<a:ReplyTo u:Id="_11">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<!-- Diagnostics header emitted while running under the Visual Studio debugger; it is not
     part of the service contract and is absent when the client runs outside the debugger. -->
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4aefT0KQzZDpNvQrzwnNtsAAAAAJzXxAWN+LESmfMegQxoSGvNvA3qZWLlOqUZ21s0IQugACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1" u:Id="_12">http://dev-server.com/GetStatusV01</a:To>
<!-- Security header as produced by MutualCertificate + SignBeforeEncryptAndEncryptSignature:
     Timestamp, EncryptedKey, two DerivedKeyTokens, ReferenceList, BinarySecurityToken,
     then the encrypted elements. -->
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-2">
<u:Created>2015-01-23T09:20:49.574Z</u:Created>
<u:Expires>2015-01-23T09:25:49.574Z</u:Expires>
</u:Timestamp>
<!-- Symmetric message key, RSA-OAEP-encrypted for the service certificate identified
     below by its SHA-1 thumbprint (presumably certificate A, dbCryptCert). -->
<e:EncryptedKey Id="uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">WvRehCqSEu079vWus36QbxPWAGc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ISnfyYYfr4pldTG+JkP/sKlFkM67SuMG14x8h/wGfvqHwjiqZ/qMWl3vY3SE3wa9hBjPDNl4xLw/8XB/2IlnZIUqcd1hS2CPngON3hGiu9C5GCYNPOgzAApjHhX8EO/wbjxDdNd99CFxJfM/SIQ266Z+qA2f6/o2xyoPlEwb79fm+ZBXQGQAAJOAHpojISjfykWqMA4/UyzACjhYESZsnIrc0YjTzAadBJcyBGGWVBtsRxFE3hWelN4jlKxo9BndkpDRtQBjKkk0jUJTZ9UxC+9MkybEDbS+FUBmZLc+61HR9ZNrfEqCxHZi8KsMm2QgbprYsUIuQWw7N97xe47sqw==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<!-- Two keys derived from the encrypted key (WS-SecureConversation DerivedKeyToken).
     Every DataReference below points at _2, so _2 is the encryption key; _0 is
     presumably the signing key, whose only user would be the Signature that is itself
     encrypted further down. -->
<c:DerivedKeyToken u:Id="_0" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-1"/>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>Rwl/m9QIizpTsdcwLXErBQ==</c:Nonce>
</c:DerivedKeyToken>
<c:DerivedKeyToken u:Id="_2" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#uuid-6f0fe239-3cd9-4d55-b4b4-ef0e95685b22-1"/>
</o:SecurityTokenReference>
<c:Nonce>Jxn1Kk2F2zJ+d2+eTTS3Hw==</c:Nonce>
</c:DerivedKeyToken>
<!-- Encrypted parts: _4 = Body content, _7 and _9 = the EncryptedHeaders above,
     _13 and _14 = elements inside this Security header. -->
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_4"/>
<e:DataReference URI="#_7"/>
<e:DataReference URI="#_9"/>
<e:DataReference URI="#_13"/>
<e:DataReference URI="#_14"/>
</e:ReferenceList>
<!-- Client X.509 certificate sent as the signing token (presumably certificate B,
     mySignCert); its value is elided in this capture. -->
<o:BinarySecurityToken u:Id="uuid-b69ebd3b-2a8b-4279-9106-d67e08facdc1-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">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</o:BinarySecurityToken>
<!-- NOTE(review): no clear-text ds:Signature appears anywhere in this envelope, but these
     two Type="...#Element" blocks sit where WCF places the Signature (and its
     supporting elements), and messageProtectionOrder=SignBeforeEncryptAndEncryptSignature
     encrypts the Signature. One of _13/_14 is therefore most likely the signature; a
     server that looks for ds:Signature before decrypting with certificate A will report
     that there is none. Confirm with the operator which order they verify in. -->
<e:EncryptedData Id="_13" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>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</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
<e:EncryptedData Id="_14" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>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</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</o:Security>
</s:Header>
<!-- Body content (Type=Content) encrypted under derived key _2; the s:Body element itself
     keeps u:Id="_3", presumably as the signature's reference target. -->
<s:Body u:Id="_3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_4" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_2"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>bhK3DQ/NTQSnh0pQxwhtass+Eefb1HOlrRcaXrmfUMnvwK+tjf78pmrWIXguiY7ZycI22fcnp4cJQk9af1S7L9Y5aJsv7XP8XBeAW6WggtOp/BR+OPGGS5r5qP7kr3oemSpvuapxBh5n1xAT95PSbNxyDcEt3MzMsGGvl7KK4au+bodKcWFK0GJlnxW0VotdhMTjqm7fK0qtP2xWC5RpfpQVZO1dF/4qE7/nENidFnLuszYH/7VFIatFYwhXI/UdnZ/H7E6h8MdnhLBMbuEDOFvgVx1v61YBOibIcNK6Pi9Mjm7Zh9JuOiEsdGKM/vU1o/4D4qmecu9iN+QwbFA7l2F9L10SO3dzZAyNfzjySVGU0TBy+UZTMdNW2y4TJ/l+y5TOOX++88RweL7E3EDzJg==</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
I've tried fiddling about with the settings in the configuration file, but it seems I can't get it right.
The certificates are set in the code
// Client credential: the certificate whose private key WCF signs the outgoing message
// with (presumably certificate B, attached to the message as the BinarySecurityToken).
myClient.ClientCredentials.ClientCertificate.Certificate = mySignCert;
// Service credential: the certificate WCF encrypts the message key for (certificate A);
// only its public key is used on the client side.
myClient.ClientCredentials.ServiceCertificate.DefaultCertificate = dbCryptCert;
-- edit:
I've tried using ProtectionLevel.
// Same credentials as above: client signing certificate and service encryption certificate.
myClient.ClientCredentials.ClientCertificate.Certificate = mySignCert;
myClient.ClientCredentials.ServiceCertificate.DefaultCertificate = dbCryptCert;
// ProtectionLevel.Sign: signature only, no EncryptedData in the message
// (the server answered NoEncryptedData for this setting).
// myClient.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
// ProtectionLevel.EncryptAndSign: sign and encrypt; together with the binding's
// SignBeforeEncryptAndEncryptSignature order the Signature element is encrypted as well,
// so it is not visible in clear text in the outgoing envelope.
myClient.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
ProtectionLevel.Sign results in a NoEncryptedData(start) error from the server.
ProtectionLevel.EncryptAndSign results in an "Invalid signature" error, because there is no signature in the xml. I think what I actually need is a ProtectionLevel.SignEncryptAndSign, but alas there is no such protection level.
Is there a way to configure WCF to put the signature in the envelope?

You can do that using the ProtectionLevel attribute. Have a look here: https://msdn.microsoft.com/en-us/library/aa347791%28v=vs.110%29.aspx


Sign SOAP body and Timestamp with X509 certificate in WCF

I’m trying to connect to a SOAP WS with the following features:
HTTPS
Signed Timestamp
Signed Body
Unencrypted request
That's an example of the Soap Request I want:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Required layout: Timestamp and Body each carry a wsu:Id, and one rsa-sha1 Signature
     references both; the signing key is the X509v3 certificate carried in the
     BinarySecurityToken. The Body stays in clear text; only HTTPS protects it. -->
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-c1cf1e29">
<wsu:Created>2018-08-29T10:20:58Z</wsu:Created>
<wsu:Expires>2018-08-29T10:25:58Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2e4f8773"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
[...]
</wsse:BinarySecurityToken>
<!-- NOTE(review): rsa-sha1 and sha1 digests are legacy algorithms; keep them only because
     the peer requires them. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Timestamp-c1cf1e29">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>........</DigestValue>
</Reference>
<Reference URI="#Body-d96b5e74">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
[...]
</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-2e4f8773" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-d96b5e74">
[...]
</soapenv:Body>
</soapenv:Envelope>
I’m connecting through WCF and I’ve created a custom binding that works via HTTPS, signs the timestamp and does not encrypt, but I’m not able to sign the body.
I use an X.509 certificate to sign the timestamp.
That's the binding I'm using:
<binding name="customBind">
<!-- CertificateOverTransport: the client certificate is a message-level signing credential
     while HTTPS provides confidentiality; nothing is encrypted at the message level.
     NOTE(review): allowInsecureTransport="true" permits this binding over a non-HTTPS
     transport; it is unnecessary with httpsTransport below and safer to drop. -->
<security allowInsecureTransport="true" includeTimestamp="true"
requireDerivedKeys="false" authenticationMode="CertificateOverTransport" />
<textMessageEncoding messageVersion="Soap11" writeEncoding="UTF-8"/>
<httpsTransport />
</binding>
I’ve tried different bindings like wsHttpBinding, ws2007HttpBinding, basicHttpBinding, wsHttpContextBinding… with different configurations, without success.
Any idea?
Thanks!

How to pass message credentials - TransportWithMessageCredential - No credentials in the SOAP request

I am using WSBinding with "TransportWithMessageCredential" to secure my WCF web service, I am using it without any problems using .NET clients.
But when trying to use it from Android or non-.Net client, I can't tell where to provide the message credentials!!
I have intercepted the SOAP message sent by the .NET client; it doesn't contain anything related to the credentials, yet it works perfectly. But when using the same syntax for the SOAP request from an Android client, we are facing this error:
The message could not be processed. This is most likely because the
action 'http://tempuri.org/XXX/YYY' is incorrect or because the
message contains an invalid or expired security context token or
because there is a mismatch between bindings. The security context
token would be invalid if the service aborted the channel due to
inactivity. To prevent the service from aborting idle sessions
prematurely increase the Receive timeout on the service endpoint's
binding.
The SOAP request that is being sent by .NET client and working as intercepted:
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<!-- NOTE(review): no wsse:Security header at all, although TransportWithMessageCredential
     with UserName must carry the credential in the message; this capture is presumably
     truncated by the interceptor rather than the real wire message. -->
<a:Action s:mustUnderstand="1">http://tempuri.org/XXX/YYY</a:Action>
<a:MessageID>urn:uuid:XX-XX-XX-XX-XX</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
</s:Header>
<s:Body>
<XXXXXX xmlns="http://tempuri.org/">
<request xmlns:d4p1="http://schemas.datacontract.org/2004/07/XXX.XXX.XXX" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<d4p1:Prop1 i:nil="true" />
<d4p1:Prop2 i:nil="true" />
<d4p1:Prop3 i:nil="true" />
</request>
</XXXXXX >
</s:Body>
</s:Envelope>
My WCF config for the service:
<wsHttpBinding>
<!-- TransportWithMessageCredential: HTTPS protects the channel and the UserName credential
     travels in the message's WS-Security header. wsHttpBinding also establishes a
     WS-SecureConversation session by default (establishSecurityContext="true"), which a
     non-WCF client must implement unless the service switches it off. -->
<binding name="wsHttpBindingExt" maxReceivedMessageSize="4096000">
<readerQuotas maxDepth="32" maxStringContentLength="409600" maxArrayLength="4096000" maxBytesPerRead="4096000" />
<security mode="TransportWithMessageCredential" >
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
For the working .NET Client:
Client code to call the service from .NET and working correctly:
XXXXXServiceClient client = new XXXXXServiceClient ();
client.ClientCredentials.UserName.UserName = "XXXX";
client.ClientCredentials.UserName.Password = "YYYY";
var res = client.DoXXXXX(a,b,c);
EDIT
It does exist; the interceptor was not giving me the whole request. But I have another problem.
Using fiddler, I have found that there are two requests, the first one is to request a security token:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<!-- WS-Trust RequestSecurityToken for a SecurityContextToken (RST/SCT): the
     WS-SecureConversation bootstrap wsHttpBinding performs before the first application call. -->
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
<a:MessageID>urn:uuid:b7c8d134-ec01-48cd-abb6-81988e7270b1</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://XXX.XXX.com/XXX.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-04-25T10:31:13.686Z</u:Created>
<u:Expires>2014-04-25T10:36:13.686Z</u:Expires>
</u:Timestamp>
<!-- UsernameToken with PasswordText: the password is in clear inside the message and is
     protected only by the HTTPS transport (a:To is https). -->
<o:UsernameToken u:Id="uuid-4d51d9cc-f621-48af-96a7-1fa541c18ea1-1">
<o:Username>XXX</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">YYY</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<!-- Client entropy (nonce) for the 256-bit session key; the server contributes its own
     entropy in the response and both sides derive the key without ever sending it. -->
<t:Entropy>
<t:BinarySecret u:Id="uuid-c32043fe-d4fb-4802-b15a-ba2691c2b3d8-1" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">XXXXXXXXXXXXXXXXXXXXXXXXX</t:BinarySecret>
</t:Entropy>
<t:KeySize>256</t:KeySize>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
And the response of this request is:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<!-- RSTR: issues the SecurityContextToken the client must echo in later requests; the
     attached reference (#uuid-...) is used inside a message, the unattached one (urn:uuid)
     from outside it. -->
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
<a:RelatesTo>urn:uuid:b7c8d134-ec01-48cd-abb6-81988e7270b1</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-04-25T10:31:02.106Z</u:Created>
<u:Expires>2014-04-25T10:36:02.106Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
<t:RequestedSecurityToken>
<c:SecurityContextToken u:Id="uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:e2562052-1de3-496d-b455-e36958692176</c:Identifier>
</c:SecurityContextToken>
</t:RequestedSecurityToken>
<t:RequestedAttachedReference>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8"/>
</o:SecurityTokenReference>
</t:RequestedAttachedReference>
<t:RequestedUnattachedReference>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="urn:uuid:e2562052-1de3-496d-b455-e36958692176" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
</o:SecurityTokenReference>
</t:RequestedUnattachedReference>
<!-- ComputedKey PSHA1: session key = P_SHA1(client entropy, server entropy). The key
     itself never travels on the wire, which is why the later hmac-sha1 SignatureValue
     cannot be copied from a capture; it has to be computed from both entropies. -->
<t:RequestedProofToken>
<t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
</t:RequestedProofToken>
<t:Entropy>
<t:BinarySecret u:Id="uuid-67a62dc5-2ce5-45d2-af88-371d06243652-9" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">JrVuueyiE55P172GX97vM3KM/oo26pN71wQ4B4C5dbo=</t:BinarySecret>
</t:Entropy>
<!-- Context lifetime of about 15 hours here; after Expires a new RST/SCT exchange is needed. -->
<t:Lifetime>
<u:Created>2014-04-25T10:31:02.106Z</u:Created>
<u:Expires>2014-04-26T01:31:02.106Z</u:Expires>
</t:Lifetime>
<t:KeySize>256</t:KeySize>
</t:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
And then I can use the information in this response in the main (second) request:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<!-- Application request secured by the session context: the SCT is echoed and an hmac-sha1
     Signature keyed with the derived session key covers only #_0, the Timestamp. The Body
     is not signed at message level; it relies on the HTTPS transport. -->
<a:Action s:mustUnderstand="1">http://tempuri.org/XXX/YYY</a:Action>
<a:MessageID>urn:uuid:e2ec7944-a6b8-46f1-b021-270cea67c205</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://XXXX.YYYY.com/ZZZZ.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-04-25T10:31:14.905Z</u:Created>
<u:Expires>2014-04-25T10:36:14.905Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken u:Id="uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:e2562052-1de3-496d-b455-e36958692176</c:Identifier>
</c:SecurityContextToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>YYYYYYYYYYYYYYYYYYYYYY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XXXXXXXXXXXXXXXXXXXXX=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body>
<XXXXXX xmlns="http://tempuri.org/">
<request xmlns:d4p1="http://schemas.datacontract.org/2004/07/XXX.XXX.XXX" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<d4p1:Prop1 i:nil="true" />
<d4p1:Prop2 i:nil="true" />
<d4p1:Prop3 i:nil="true" />
</request>
</XXXXXX >
</s:Body>
</s:Envelope>
The big question here is where to find
BinarySecret, DigestValue, SignatureValue, and the huge number of other values and ids!
The message exchange that you see is WS-SecureConversation. Here you can find the full specification of those messages: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html
Most likely you don't want to implement or use it in your Android client, so you can disable it in the binding by setting establishSecurityContext to false in the message element.
More info:
What are the impacts of setting establishSecurityContext="False" if i use https?

Two signatures in WCF SOAP request

I'm trying to consume an external web service (as far as I can see it is an axis2/apache service) with a .NET 3.5 WCF client.
The service expects incoming messages to be signed and encrypted using x509 certificates. Signing and encrypting seems to work so far, but WCF adds a second <signature> element in the SOAP header, which confuses the remote web service.
I am unable to get rid of this second signature element. What I found while researching the matter is that this signature is used to sign the first signature.
My WCF configuration currently uses a custom binding with the following security settings:
<!-- Security element of the custom binding (children and closing tag not shown).
     SignBeforeEncrypt without EncryptSignature leaves the signatures in clear text in the
     header. Per the resolution at the end of this question, the WSSecurity11... version is
     what makes WCF add the second (endorsing) signature over the first one; with the
     WSSecurity10... version only a single signature is emitted. -->
<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
authenticationMode="MutualCertificate"
securityHeaderLayout="Lax"
defaultAlgorithmSuite="Basic128"
includeTimestamp="false"
keyEntropyMode="CombinedEntropy"
requireDerivedKeys="false"
messageProtectionOrder="SignBeforeEncrypt"
requireSignatureConfirmation="true">
Anybody has an idea as what I have to change to make this work?
A sample SOAP request generated by my client looks like this:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Two signatures: Signature _0 is hmac-sha1, keyed by the symmetric key carried in the
     EncryptedKey (encrypted for the service certificate), and covers the Body (#_1).
     The second Signature is rsa-sha1 with the client's X509v3 token and signs Signature _0
     (#_0): an endorsing signature WCF adds for the WS-Security 1.1 message security version. -->
<e:EncryptedKey Id="uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... --></o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"/>
</e:ReferenceList>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- ... --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- ... --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- ... --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- ... --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9618ae47-8bcd-4a96-b56e-800759a0ee57-7"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<!-- Body content encrypted with aes128-cbc, matching defaultAlgorithmSuite="Basic128"
     in the binding. -->
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<e:CipherData>
<e:CipherValue><!-- ... --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
Turns out I was using the wrong messageSecurityVersion value. With a value of WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 only a single signature is added to the SOAP header.
Afterwards the server was able to understand the requests. Some tweaks to the defaultAlgorithmSuite and now service and client are talking and understanding each other.

Secure WCF via X.509 certificate with BinarySecurityToken

I'm not a WCF expert, and I know just the basics of service security, so maybe most of the things I'll point out will be wrong.
That said, I need to invoke a third-party service that requires a specific format for the SOAP header.
They require that the soap header provides:
1) timestamp block
2) Binary Token
3) digest (checksum of a part of data to encrypt)
They've provided me this example of a request (I've removed the sensitive parts)
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- Provider's expected header: an X509PKIPathv1 token (a certificate chain rather than a
     single X509v3 certificate), an rsa-sha1 Signature over the Timestamp only (#TS-5),
     exclusive c14n with explicit InclusiveNamespaces prefix lists, and a clear-text Body. -->
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
wsu:Id="...omissis...">
</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="S" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse S" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>...omissis...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
....
...omissis...
....
</ds:SignatureValue>
<ds:KeyInfo Id="KI-...omissis...">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-...omissis..." xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-...omissis..." ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-5">
<wsu:Created>2013-03-27T15:10:18.523Z</wsu:Created>
<wsu:Expires>2013-03-27T15:26:58.523Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</S:Header>
<S:Body>
...clear (not encrypted) body of the soap request
</S:Body>
</S:Envelope>
They also gave me a WSDL and an XSD.
What I've done was to create a new web application, using the WSDL as a service reference.
Checking the web.config, I can see that this has created a basicHttpBinding like this
<system.serviceModel>
<bindings>
<basicHttpBinding>
<!-- Transport mode only: HTTPS on the wire and no WS-Security header in the message, so
     the BinarySecurityToken, Signature and Timestamp the provider expects are never sent. -->
<binding name="CPBinding">
<security mode="Transport" />
</binding>
<!-- No security element at all; basicHttpBinding then defaults to mode="None". -->
<binding name="CPBinding1" />
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://...omissis"
binding="basicHttpBinding" bindingConfiguration="CPBinding"
contract="BTClient.CPCUVPortType" name="CPCUVPort" />
</client>
</system.serviceModel>
But this binding doesn't use any kind of security policy, so I've created a behaviour that takes the certificates into account (for a mutual certificate) like this
<behaviors>
<endpointBehaviors>
<!-- Supplies the certificates only; a behavior has no effect unless the binding it is
     attached to actually asks for message credentials, which basicHttpBinding in
     Transport mode does not. -->
<behavior name="CustomBehaviorForCertificates">
<clientCredentials>
<!-- Client signing certificate, looked up by thumbprint in LocalMachine\My. -->
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="...omissis..." />
<serviceCertificate>
<!-- Service certificate expected for this targetUri, from LocalMachine\TrustedPeople. -->
<scopedCertificates>
<add targetUri="https://...omissis..." storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindByThumbprint" findValue="...omissis..." />
</scopedCertificates>
<!-- PeerTrust: the service certificate is accepted only if it is itself in TrustedPeople.
     revocationMode="NoCheck" skips CRL/OCSP; fine for a dev box, not for production. -->
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
And referenced this on the binding. By inspecting the outgoing messages (using the BeforeSendRequest method of a custom inspector) I can see that it totally ignores the certificates, sending the same request as the one without the behaviour.
The third-party service answers my request like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Fault response: the server signs its own Timestamp with its X509v3 token. The fault code
     wsse:FailedCheck is the WS-Security code for a failed signature or decryption check,
     consistent with the request carrying no signature at all. -->
<wsu:Timestamp wsu:Id="Timestamp-..." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-09-06T14:31:28Z</wsu:Created>
<wsu:Expires>2013-09-06T14:36:28Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="SecurityToken-...." EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
...omissis...
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Timestamp-...">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>...omissis...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...omissis...</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-...omissis..." ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="..." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<SOAP-ENV:Fault>
<faultcode>wsse:FailedCheck</faultcode>
<faultstring>The signature or decryption was invalid</faultstring>
<detail>
<e:myfaultdetails xmlns:e="Some-URI">
<errorCode>500</errorCode>
<message>INTERNAL_SERVER_ERROR</message>
</e:myfaultdetails>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
After doing some research I've read that, to provide a BinarySecurityToken as requested, I need to implement a customBinding. I've tried different approaches and combinations but I always fail to make progress.
For example, by using this customBinding:
<customBinding>
<binding name="cb">
<!-- Message-level security: X.509 certificates on both sides (duplex variant of mutual certificate authentication), a Timestamp is included, no derived keys, and EncryptBeforeSign means the body is encrypted first and the signature is computed over the ciphertext. -->
<security authenticationMode="MutualCertificateDuplex" requireDerivedKeys="false" includeTimestamp="true"
messageProtectionOrder="EncryptBeforeSign" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" />
<!-- Plain SOAP 1.1 envelope over HTTPS; TLS protects the transport in addition to the message security above. -->
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport />
</binding>
</customBinding>
I receive an Internal server error like this:
ExceptionType: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.InnerException: System.ServiceModel.FaultException:Internal Error
and, most importantly, my outgoing request is ALWAYS the same as the basicHttpBinding one!
Obviously I have not understood something properly. I can see that, using the basicHttpBinding, I can correctly communicate with them, but I fail to provide the required security fragments. If I try to use any other kind of binding (for example wsHttpBinding or a customBinding) I receive an error message.
Can someone please help me understand the correct way to do this? Any help would be very much appreciated.
Thanks a lot.
EDIT:
I'm adding the outgoing request:
<!-- Outgoing request as captured by the poster. The WS-Security header carries a Timestamp, the client X.509 token and a Signature over the Timestamp and the Body. -->
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId CorrelationId="dd479557-7e51-41de-822b-d2ac669ff827" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">bbd2f92b-33d5-4ec0-87b6-690f2142cdf5</ActivityId>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-7b22e181-f551-4821-91e0-cf8c9b8d9eef-1">
<u:Created>2013-09-09T12:24:03.563Z</u:Created>
<u:Expires>2013-09-09T12:29:03.563Z</u:Expires>
</u:Timestamp>
<!-- Token content stripped by the poster; the u:Id that KeyInfo references below (#uuid-e31a3eed-6ac7-4dcb-bfb2-2384764acd93-2) is not shown either. -->
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<!-- Legacy SHA-1 based algorithms; they match what the server's own reply uses. -->
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<!-- First Reference covers the Body (u:Id="_1"), the second covers the Timestamp. -->
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>...omissis...</DigestValue>
</Reference>
<Reference URI="#uuid-7b22e181-f551-4821-91e0-cf8c9b8d9eef-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>...omissis...=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...omissis...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-e31a3eed-6ac7-4dcb-bfb2-2384764acd93-2"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<!-- The Body is signed but not encrypted: the request payload travels in clear text inside the envelope, so any confidentiality relies on the transport. -->
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<CPCUValidityRequest xmlns="http://......omissis...">
<serviceType>3</serviceType>
<arg1>arg1</arg1>
<arg2>arg2</arg2>
...omissis...
</CPCUValidityRequest>
</s:Body>
</s:Envelope>
Solution:
Actually I can't successfully invoke the remote service due to an error (as stated in the comments to the accepted solution), but I can say that this question is answered, since I've managed to create a request mostly similar to the required one. Many thanks to Yaron.
PS: A hint for those who have a similar issue: to check the outgoing/incoming requests, try the Microsoft Trace Viewer, enabling tracing as suggested in this answer https://stackoverflow.com/a/11678740/2274007 (remember to follow the advice in the comment as well).
Please publish your outgoing request.
In your binding I would change to authenticationMode="mutualCertificate". Otherwise it looks good.
Also, in order to send a signed-only message rather than an encrypted one, add this attribute on top of your service contract (reference.cs):
[System.ServiceModel.ServiceContractAttribute(ConfigurationName="ServiceReference1.SimpleServiceSoap", ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
More details on this approach in this wcf security tips article.
Try this customBinding:
<customBinding>
<binding name="cb">
<!-- NOTE(review): enableUnsecuredResponse="true" lets the client accept a reply that carries no WS-Security header. That is handy for reading plain SOAP faults while debugging, but it also means an unsigned response is trusted; presumably set here to get past the fault handshake, confirm before leaving it on. -->
<!-- Basic128Rsa15 selects AES-128, SHA-1 digests and RSA PKCS#1 v1.5 key transport; a legacy suite, presumably chosen to match what the server accepts. -->
<security authenticationMode="MutualCertificateDuplex"
defaultAlgorithmSuite="Basic128Rsa15"
requireDerivedKeys="false"
enableUnsecuredResponse="true"
messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
</security>
<!-- SOAP 1.1 with WS-Addressing 1.0 headers, over HTTPS. -->
<textMessageEncoding messageVersion="Soap11WSAddressing10"/>
<httpsTransport />
</binding>
</customBinding>

SOAP with WS-Security

What is the best (or at least a workable) way to implement SOAP with WS-Security in C#?
These are the required security tokens as per the documentation:
–
Required Security
Tokens
•Username Token (username, password, timestamp and nonce)
•User cert
•Server cert
In the past, when I created a SOAP + HTTP request, I used a StringBuilder and appended the request:
stringbuilder sb = new stringbuilder();
Then finally I used HttpWebRequest.Create(url) and did an HTTP POST.
Any hints on how to start would help. Can anyone point me to some tutorials? I have used a certificate generating tool to generate a certificate.
I haven't really understood a good way to do this, even after 3 days of research and fiddling with certificates and web.configs.
Here's an example of a sample request from the documentation:
<!-- Sample request from the service documentation: two X.509 tokens plus a UsernameToken, the Body encrypted under a symmetric key wrapped for the server certificate, and a Signature over the Body made with the user certificate. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/TEST/mhs/" xmlns:urn="urn:hl7-org:v3">
<soapenv:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- First token: the user certificate; the Signature KeyInfo below points at it (#SecurityToken-e00c8062...). Second token: the service endpoint certificate; the EncryptedKey KeyInfo points at it (#SecurityToken-c0cc2cd4...). -->
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(signed user MLS cert).......</wsse:BinarySecurityToken>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
<!-- NOTE(review): PasswordText puts the password in clear text in the header. The ReferenceList below encrypts only the Body, so nothing in this message protects the UsernameToken; its confidentiality relies entirely on TLS. The nonce and Created value are the replay defence. -->
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
<wsse:Username>....your_username.....</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
<wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
<wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
</wsse:UsernameToken>
<!-- Symmetric key for the Body, wrapped with RSA PKCS#1 v1.5 (rsa-1_5) for the endpoint certificate. rsa-1_5 and the tripledes-cbc used in the Body are legacy algorithms; they are what this documentation shows. -->
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
</xenc:CipherData>
<!-- The only encrypted part is the Body's EncryptedData (#Enc-0641b860...). -->
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- The signature covers only the Body (wsu:Id="Id-f10674fd..."); the tokens, the UsernameToken and the EncryptedKey in this header are not signed. -->
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wRUq.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- Body content (Type ...#Content) encrypted with 3DES-CBC under the key carried in the EncryptedKey above. -->
<xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
