This seems like it should be handled natively so I am likely doing something wrong. I have a WCF client which calls an Active STS and uses the token from the RTSR to generate the WS-Security header included in the call to the RP. The RP requires that the header be signed, which seems a fair enough request. However, the WS-Security header generated by the client does not include a signature and I cannot see how to configured it to do so. The generated header is below. As can be seen it contains a signature for the assertion and the subjectconfirmationdata both of which are responsibilities of the STS. The "missing" header signature, in my limited understanding, is a responsibility of the client. So is what configuration/code that needs to be added in order to get a signature block that is a child element of the Security header much like the reference header below.
Client Generated WS-Security header
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-08-24T21:04:41.090Z</u:Created>
<u:Expires>2015-08-24T21:09:41.090Z</u:Expires>
</u:Timestamp>
<Assertion ID="_fea24920-d64c-4758-b51e-61208cb5084f" IssueInstant="2015-08-24T21:04:40.060Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">MySTS</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_fea24920-d64c-4758-b51e-61208cb5084f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/tfOnmKqjmkK8gH1GMNQ/XJ5gdtwzvcJTqxwiZJ7noQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dGz1dN9odSSpblmgczWWRG6tF66oonOHAVJCSC5uqjCOH+18cjJfX/duqb0sv1w0VxGsKIzR0VZ74V5Pq5MWsKQArIgEwO/wnUEOcKPI9J3KlL/IU7XLJNFtVO/ioKB4ps34S/5vZLB+WxXryz5ylBd5JvVFT7cf9R68kSxY9IurxELCGdhe/YIgJtgI6JsEoqqk7314sUZj8qrCy5zUbEVufyyStCI23OIunXPQceksa/csdaTmHFPNkYtHY8yUmyzT8aKBVKZVG2iluXySoi0TwTiVH+4ImGqXKV+VhUebCwqQwAur1IWAu+V/r7ZkW7C0384ATkMTmmLXRhom3g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JoeTester#example.org</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<SubjectConfirmationData a:type="KeyInfoConfirmationDataType" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-08-24T20:59:36.114Z" NotOnOrAfter="2015-08-24T22:09:36.114Z"/>
<AttributeStatement>
<!-- attributes where here -->
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-08-24T21:04:36.130Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</o:Security>
The client side WCF Binding
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding>
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</ws2007HttpBinding>
<customBinding>
<binding>
<security authenticationMode="IssuedTokenOverTransport" requireSignatureConfirmation="true" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" messageProtectionOrder="EncryptBeforeSign"
keyEntropyMode="CombinedEntropy" includeTimestamp="true">
<issuedTokenParameters keyType="BearerKey" tokenType="urn:oasis:names:tc:SAML:2.0:assertion">
<issuer address="" binding="ws2007HttpBinding"/>
</issuedTokenParameters>
<localClientSettings></localClientSettings>
<secureConversationBootstrap />
</security>
<mtomMessageEncoding maxBufferSize="2147483647" />
<httpsTransport requireClientCertificate="true" maxBufferPoolSize="134217728" maxReceivedMessageSize="134217728" maxBufferSize="134217728" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" contract="IReplacable" name="*" />
</client>
</system.serviceModel>
</configuration>
Reference Security Header
<wsse:Security S:mustUnderstand="true" xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="timestamp1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2015-08-21T22:34:49.138Z</wsu:Created>
<wsu:Expires>2016-08-21T22:34:49.138Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion ID="a956b920-4956-47c6-8a05-8a3a56e418a0" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a956b920-4956-47c6-8a05-8a3a56e418a0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>guh8xR0Vu+3X3LlLAu7SJ0wCKXw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>2X2UmgJMLGQIzN73pxxyQZVVttnE8xAkPmScvFCX2zlrS7QdmqM+BoJswtmDImK9wAhXC0WtY17U C97Iw7brHrmNtQa3tM+4JClSCuW6SM6OjHn3qMLHiUJrpIZ1k0YAYfLcIF9S7x5lYFKUzWk+oOz1 3LMOMsjORXCssUpzd3BCOUhSSeg9+6b76ZyqTeaFqldn1OmG9jz3QS+h/vUo24h1ohKPJqEcE9sG 3Ab3LqyYv8ASVP9DsKRjOjxGKfhFT5WD9gW10IqQY2YGyYtguHfsyf05dPGBuXB8jaPZ3wgYsYXU FMmjRmuAYQkdQQRH8ju4HwtWdGnTtCQBRoqboA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2015-08-21T22:27:49.138Z" SessionIndex="123456">
<saml2:SubjectLocality/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509 </saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<!-- attributes-->
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="">
<saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="_3e0d08ce-a126-45e8-b602-ac0c7ea075ce" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-08-21T21:34:49.138Z" NotOnOrAfter="2016-08-21T23:34:49.138Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4.123456789 </saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
</saml2:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#timestamp1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qs//Jxv/CVrDvTxn8hYvdSe1pbY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uf13RmBH95fP4o6x6eXC84+gkoLeZqLshw0ycm8t6HJP0+OtVEPZJbAw/UF2i2rzDk6oFE/Rxe1l /cks9HkIyNBEIwt2VY1hUldWfGd1cDq6Pi/H3EGuMasr42Qm8ObPCkSFqXhgowtIsSR9amo3e1KO YBsjYLnidcaZi7B1c6DjH1GozgSgdZDrYANUJr/KJ8zDDhGU09WXEuOekx41YvS4nWn/EHJbV+xf zKTN9ds+91PtFL1nnjqJT9BH4V2TvnRildsh7BeoMqQrXuePp7FxxgxCtg5tB15gDrNS1mOLorQZ 5UwqSrLp2/WkGkpzabMf2oN56lkiB6IHvsZ+Yg==</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">a956b920-4956-47c6-8a05-8a3a56e418a0</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
The headers are not signed since you are using bearer key token, as set in your configuration
<issuedTokenParameters keyType="BearerKey"...>
It needs to be either a symmetric key or asymmetrickey. Looking at your reference SOAP header, you'll need an asymmetrickey token.
The simplest way is to use ws2007FederationBinding. If you have to use a custom binding (as in your config), here is a sample config from MSDN at https://msdn.microsoft.com/en-us/library/aa734714(v=vs.100).aspx
<issuedTokenParameters
DefaultMessageSecurityVersion="System.ServiceModel.MessageSecurityVersion"
inclusionMode="AlwaysToInitiator/AlwaysToRecipient/Never/Once"
keySize="Integer"
keyType="AsymmetricKey/BearerKey/SymmetricKey"
tokenType="String" >
<additionalRequestParameters />
<claimTypeRequirements>
<add claimType="URI"
isOptional="Boolean" />
</claimTypeRequirements>
<issuer address="String"
binding=" " />
<issuerMetadata address="String" />
</issuedTokenParameters>
You can omit the issuer element and obtain the SAML token separately from your STS using WS-Trust, and use the token to secure your outgoing message to RP.
Related
I have an wcf service that has classical username-password message security.
On transport level this service has https
Binding is typical
<bindings>
<wsHttpBinding>
<binding name="RgiServiceBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
But. Now we should add client signing to this interchange. We decide to use standard wsse headers for this signature.
Example:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IRgiService/RegisterAuction</a:Action>
<a:MessageID>urn:uuid:054cd820-1e0c-4643-881d-48d8c7682080</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://ws.test.rosim.ru:8443/RGI_ETP/RgiService.svc</a:To>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken b:Id="urn:uuid:bc811ecb-4313-44f4-a627-9237d147294e" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:b="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<Username>login</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</Password>
</UsernameToken>
</Security>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:actor="http://esugi.rosim.ru/pibi/actors/etp">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411" />
<Reference URI="#body8d018149d5ea441a817ea018da2c8ce1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr3411" />
<DigestValue>0pgHWuhnDlw/s8aHBxbk2FrHc072go1xXE/JnUBboRk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>aL6ag12120eSmz6CQYQY8HjgZ+Gdz6UfaRZdV9qXY21ccxVfCkme1zsSw9Vy4jh2ofK/QYsebomEnWd51xIq1w==</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#cert9c65aba5ea814fc5a27137859c9c3df2" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="cert9c65aba5ea814fc5a27137859c9c3df2">therewascertificateinbase64</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body>
<RegisterAuction xmlns="http://tempuri.org/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" wsu:Id="body8d018149d5ea441a817ea018da2c8ce1">
<auctionInfo xmlns:b="http://schemas.datacontract.org/2004/07/Rgi.Etp.Service.Contract.DataContracts">
<b:AuctionNumber>1112233</b:AuctionNumber>
<b:Note>Новый аукцион создан</b:Note>
</auctionInfo>
<tradeRequestInfo xmlns:b="http://schemas.datacontract.org/2004/07/Rgi.Etp.Service.Contract.DataContracts">
<b:TradeRequestDate>2015-03-11T00:00:00</b:TradeRequestDate>
<b:TradeRequestNumber>111</b:TradeRequestNumber>
</tradeRequestInfo>
</RegisterAuction>
</s:Body>
</s:Envelope>
But WCF don't want to work with multiple wsse headers. It says "An error occurred when verifying security for the message." without any additional info, and it is before my own code.
Can I do something to get my signatures on server side and my username validation works?
Java client wants to send SOAP request to my WCF service. SOAP header contains signature and certificate information, example:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-3767FCEC48BA3FC46A141268453194033" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-3767FCEC48BA3FC46A14126804973444">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>fsN0Bl7FcJhPTZFFOCvyIrLkcg/Oo9JhOpbv23VnnDI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gVdpmh...0b/1FHPatVA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-3767FCEC48BA3FC46A141268453193931">
<wsse:SecurityTokenReference wsu:Id="STR-3767FCEC48BA3FC46A141268453193932">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDnjCCA...7Of</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
How should look the web.config binding of my WCF service, so that SOAP body will be validated against signature in the SOAP header?
Thank you
Try this:
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="MutualCertificate" includeTimestamp="false"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpTransport />
</binding>
</customBinding>
Make sure to decorate your contract to sign only:
[System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
I'm trying to call a web service in asp.net 4.0. Vendor has sent me the following sample soap header. I need to know how can i create following header in WCF client asp.net 4.0.
currently i'm using following code in app.config
<bindings>
<customBinding>
<binding name="EDTPortBinding">
<mtomMessageEncoding messageVersion="Soap11"/>
<security
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
securityHeaderLayout="Strict"
includeTimestamp="false"
requireDerivedKeys="true"
keyEntropyMode="ServerEntropy">
</security>
<httpsTransport authenticationScheme ="Negotiate" requireClientCertificate ="false" realm =""/>
</binding>
</customBinding>
</bindings>
but i'm getting error
Addressing Version 'AddressingNone (http://schemas.microsoft.com/ws/2005/05/addressing/none)' does not support adding WS-Addressing headers. Following is a sample header which I need to generate from WCF client.
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-8B2ED84CAE64FADA2113775419342631">MIIF0zCCBLugAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYTAeFw0xMjA0MjkxNjAyMjNaFw0xNDA0MzAxNjAyMjNaMIGUMQswCQYDVQQGEwJDQTELMAkGA1UECBMCb24xETAPBgNVBAcTCGtpbmdzdG9uMSkwJwYDVQQKEyBIZWFsdGggU29sdXRpb25zIERlbGl2ZXJ5IEJyYW5jaDElMCMGA1UECxMcRWxlY3Ryb25pYyBCdXNpbmVzcyBTZXJ2aWNlczETMBEGA1UEAxQKRUJTX0NsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEEvvZ96t117651bJXIa8AaE69N1klliJvhrXFxtV2JcKoJHZG19Em6nFtxznvrfjHjQCOJXgREq0YLJmIHgIaIggug9g4oZhZoSXm11b0k+l9sI0uV1UQxSPvKZbptLw3JuY3E8iHoBTBY4TZDg0yfuuk5kpwT0JCqn8Pcoi2Oq2rQtEdnQ0TG5/lofJAMDRzBpK1ETnNOjzCeAkR3wHPec++q2nTuY9QFYntpOyk5JksRVuuIsR5OCW6rjFXTF7CJ84qxWloXmWl4M3yKDTi3ouD36Gplgo8fi2HLpNqVBDLCm7Acv8klkc0EyiFOpBzhEYWAVIIwC9ovybXRjg0CAwEAAaOCAfEwggHtMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMEsGCWCGSAGG+EIBDQQ+FjxTU0wgQ2xpZW50IGNlcnRpZmljYXRlIHZhbGlkIG9ubHkgZm9yIE1PSExUQy9IU0MgRUJTIFRlc3RpbmcwHQYDVR0OBBYEFKV6tGi2SztsTcIPYFkZcKr4yLJMMIIBBAYDVR0jBIH8MIH5gBT/qI53Ggvfsdz34whLQ2gDg+PhW6GB1aSB0jCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYYIJAOnNHCT34+b/MCEGA1UdEgQaMBiBFnNlYW4uY2Fyc29uQG9udGFyaW8uY2EwJgYDVR0RBB8wHYEbZGVyZXlrLmZlcm5hbmRlc0BvbnRhcmlvLmNhMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAJqCht181F8rUUNQ8jHa42kdKH+FDF0ISuklbg5MARHo+wt1laltaMeaXdESnLJBNGvcgxPZ4StYMdCH8mOEWYftCy5nkyGQCuOd2GpaJ3Hj50bjZ9vZUYyUBPUmwIEP2v75QQe62fHTqza/VjA0I5eMGMKa3URHsTdfNdnEJjtmHdxWRjAjjrHpHQWE0e1QtG+ZV1ved0f5OzDvdylbvrm4S0mgCifk8qEvZtNSoDp37MmSFr5fFmo91BqT23xAgzUKra428dw4T1EKJYEd6pNssNS4XCQ6bTx0Au3mW5iINtiaYQP8rlSykwaJ+dFAtBG00kdGpebf1prvq4H91eA==</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-6">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse erd edt abc deg soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>TSBdwFiHK6F64sibCXjThfekOJ5vQiXzPk5MjXPEwDE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#UsernameToken-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="sdf edt dfs dfd soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>pFSgm8Pc531sbAN/Oo3glEbs1Rh741tXJya+70oALdo=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="dsf dfd sdf soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>FHoEV5Xp//KLgM1Fg5NyeIfkRjUramyx0Y0+kX41leg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="dsd edt dfd soapenv"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>2SieN++YDPYJwbhBTgirOvjJo0aQMwiTcg5bL4Oj0fU=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>eALo7Pftw02ykaoXdlUt7IPiHB9RbRfj2t7zTLxzLXg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo> <ds:SignatureValue>lhXC6GdvAtJq87cQHin0DRkDWDMkKPUbyqEd1m5XRUz+puGxWIX8EtriEdCOQGf/fzmYg7Q5 qpbR xQYw94SCLHynJu1VCx7MoI8A3wFbwdsEKF9urE3rKzrM6F6YLlosuOiGNFN9kK20ryUAl4XHqCrC C1Su3kFIiE0bwnWNCoi1bqt2zkomyBSVNXUOfw/QWfPbKlRZLNlzap1WPYK9ECSYF6Tf1g4R0lxk 7LcBYlWQn+P/qSIqZAv4jPDFQJS+pJ+3/Le8yEHNsZJfGjMKt2PF9jer3AJt+GqA3zQbj/5Ql0NF AK/uZv25s2pji6cRcz29qeLlyqhYbzLgCTPlog==</ds:SignatureValue>
<ds:KeyInfo Id="KI-8B2ED84CAE64FADA2113775419343232">
<wsse:SecurityTokenReference wsu:Id="STR-8B2ED84CAE64FADA2113775419343253">
<wsse:Reference URI="#X509-8B2ED84CAE64FADA2113775419342631" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile- 1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-2">
<wsse:Username>confsuxx#outlook.com</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username- token-profile-1.0#PasswordText">xxxxxxxxx</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2013-08-26T18:32:14Z</wsu:Created>
<wsu:Expires>2013-08-26T18:32:44Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<idp:IDP wsu:Id="id-4">
<ServiceUserMUID>039396</ServiceUserMUID>
</idp:IDP>
<ebs:EBS wsu:Id="id-3">
<SoftwareConformanceKey>5cc6a261-d970-4898-920c-119fd07eads</SoftwareConformanceKey>
<AuditId>444361ee-277f-7732-c684-7a9923jaaa1b</AuditId>
</ebs:EBS>
</soapenv:Header>
I notice you're using soap 1.1 with addressing, which is unusual.
Try setting the textMessageEncoding binding element :
<bindings>
<customBinding>
<binding name="EDTPortBinding">
...
<textMessageEncoding messageVersion="Soap11WSAddressing10" />
...
</binding>
</customBinding>
</bindings>
Following is the soap message I captured from fiddler. This message is quite different from required message i published on top.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<k:EncryptedHeader a:mustUnderstand="1" u:Id="_3" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:a="http://schemas.xmlsoap.org/soap/envelope/">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>BB/K56PdPa2IXdceVcLvCmFIuly4HwOGVmv4OCI6sNd/D7pLzcz9R/DtCI7uKI7Xn1ppIzQf9P+HgQ6dB2k+Dc8SrKpbzgJR9JhTzOSxm/0ZkdVuk6nhpPORo0Ch4507u/YqaiQkveO/tANBXiToi9GgFNYEOZTzR/rMvpRmvEyGnlxOkiXQI8H5CJn87dZxMc/KITyaAae3CNFhcLcUIsMDgc58GICbjNCx09YLHuxHaofng+D1yGhW0CmtMymCvxcvLcZmvcH4QBMD1LeEmliqaVIA7PfrF0C6z4ukN7cK2lQyYPeiJ2HQ0Vd0MbaDYoX7qVt3c1SOlVEzGVhC1NDi7Ejilt6laftyqX2uBWd0JcLsJpLLYioTB5mcxuXS+0LnmAGuU6njJWEfTqidLyticIzo3yitFdgjofgaGymkjVq0jCtTfE8mkzLTW2/S</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<k:EncryptedHeader a:mustUnderstand="1" u:Id="_4" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:a="http://schemas.xmlsoap.org/soap/envelope/">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>pFKhSf01843H0S0lR16/NFymFGqVt6cNNP2VzL8W6t8N+4uVI3QAMj0NigFigBpNi1WtXLV/Y5E3zUlnEP6drl1pVWo7ue4fYIKM3VZ347p27xHLO72Jy+734uf9n8nI1ruiWGPZZ/hDUwB5gmU0AEJGJPDzKS4fd3fZcMKaem7I9g8nRNhEE5sBq7w2YraIRsep++MK7FSqNJ/y6RIw5ifaVtEIzMqiXdPv6DSpfkU=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<ActivityId CorrelationId="8d7e0216-f29e-466d-8f59-fee9237be43a" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">30b8fade-6c73-4e77-aff7-98248cea2c09</ActivityId>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo1UOM+fT2PVBuVeE+3YdGt4AAAAAm+k0MQFSMkSxuNClyxbltwINs5gG8f1OoEvHXvwJM9IACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-14ace37f-2548-40e3-b88a-f3d95a3fef73-1">
<u:Created>2013-09-09T02:07:20.028Z</u:Created>
<u:Expires>2013-09-09T02:12:20.028Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIC1DCCAbygAwIBAgIQPpGuGBOBzJdOQbuT5uWbsjANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhFTVJBTi1QQzAeFw0xMzA5MDcyMjE2MDJaFw0xNDA5MDcwMDAwMDBaMBMxETAPBgNVBAMTCEVNUkFOLVBDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyWYMQAVEJxSDKmRk93Z+dH236HFSKF27TVAIoEcRAsBwN3MWUiIUOA4jPg20YaDHiFdGzCUr3rtRKtFo6rqhkj4gixObocG52fnJ4Ae8mlhO0hc/OONp40st9RuGY8my78GBzcSc9Tp+gW6/5ZHsVeXRFpwK7n+QnPTa2y3aPbsUHsazrSvxFp+LGzYxns5aLAi1k3PEAxoB7wHkOBEED0WuOuY7++EUKJDDjbiM/mRwklU43Y3zZfFdTDhqH/OFpuufPacvmTKDwvIbdIbfCvLNWenskMTSLb7Ak0YbPVdMY/7AsKlwHzrSVcENyYM+zIRSGVKswIVbL00VA0Ld7QIDAQABoyQwIjALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIi9agMTAHXMhB9N9/P1iKPeWnVblutod/0i49oKsDxn3gb2d7AX8+fRgRHBP6L6yFcjX0goDl1MnWTYDl3AQaassDk1hW1SZlKhQgBVmsW38s+beEb1hyhZQtr7+SQbDEqRWL5RBN8Fi9CQiP5pOIvsNyymFixWk0HdjAo+8yE086YR3Wko6GtUDiQfZb2/05fRooQjmhxxUy4vlyteuP3nMnHxIR4jd9MO47dK30zyQpW9RuZxSVjAnpy+LnKhTFl9MwIXwubTaUrBAvru9T/OuQrBh+vllPfgSG4Q8U1z40Vp1JVGLqFXy9H+5T+MipFA7OVJrs6+/NnCdx8pwiQ=</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=EMRAN-PC</X509IssuerName>
<X509SerialNumber>83168549829936402630366527231323642802</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>JBPf96uwqg3QWqWrqBXLms269TvxNiPuwQiIp1yCxpFCmGYlHAPPzwKp0uIaY2GotNeot9eg29ob5hu9KAYUiYPHklVXYbl4pg3Jvim4O6ElcbkN5A6v1eTZgk7xLlDf+eMGT7zCP0UwjEjzl8Z/K9VdLSASV9E7eUHiZH2xQmbuhyckQAEGSzlpFO3pu9fiTTQZRScURc6cn6hCTsNaLT93nJUWKY2rSehDWA5X8WBMVs5E2nYxBdXzmRABP/0nW8BGRyKvl9reqxB/3nmCErG5ADLI2XlipT4h/pa6o7qYMHaiPPYTOuM+3dXdGie2gYv89j5TIQfeaRMiyFuqyA==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<o:UsernameToken u:Id="uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-1">
<o:Username>abcdf14</o:Username>
<o:Password>asdfasdf34!</o:Password>
</o:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>cnhQbioITPIFIdQJYIuRoxIZcKs=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>tY4Bfb76si198z7okwNeD2AqChg=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>zAqp1Yf2HzJ12a2WQZj6ZsvN44M=</DigestValue>
</Reference>
<Reference URI="#uuid-14ace37f-2548-40e3-b88a-f3d95a3fef73-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4F0ElIwHLQe4hnmTCqxo7n8Q/U4=</DigestValue>
</Reference>
<Reference URI="#uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>0u8ZWlKe7AGzrNJDS+ytvn1Jumg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>jnxPBBQEUNYPL8OcrzSywUVa/ipMwLiKlE+n+W7EpgKZjz2LJlCF8BYEJ4yOrF4WsiX1k26qSk/O59Kf+PWRqhJGYQ2Z0eZc5CW4upHhHoatymKFLphh75d4xef7dfPs+MvsN5Elw2QHvsiz5uO7OLyP5uSCNdVxg9F3zjcfmnW4aIIHvzV8PmTpysmPAnoNvRkNjGFxuemLERVKxjWc1Rn8JDy6nDVi4wYvISn1d6i00IsrIc0LJZosx/MwuSiE8AOP6Lo6+1eBDUzd6S9vqN6fCcJ1lykO6CouMuo+qxA37nmItfsgb7NtC+lAZpnVRB9qC8aqaFsXh9Vu1qeUoA==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"/>
<e:DataReference URI="#_3"/>
<e:DataReference URI="#_4"/>
</e:ReferenceList>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>t52vr+BDePvaT3bRjdKNt1Py915Jn/x7XAtM+z2c9I6nlFhw/Sf6H4AQh+MpRolfzoBIcmZQWQ56x6YrhdbOEVI9s+zEprLcvBoGn1JewZ1U7rqdpjXVuiee83hMHeFTT2THIJ7fX1O7Pm3rWxqM0AMaUm41UACnaxp0hZAncCFPEoc/+AtyC39zS/oxKYchNzVDkEBkoxjDnHndrQt2XGVSV0fjnCnWfAZ1Zi2zXVH50RA7nTSufZjZXld78nphJ+a5QqeT9V9XGWsd7Pg2ivI9ykb7Ke5IMTYD4nmLV7zR+zqMDiQnj+7GEpVKnuCraOilkr8afwyWZF97vi+9A1PIvzJbKnlQ3jryDZDUmWU=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
EDIT: See here a detailed solution to consume this EBS-EDT service
You need both username and client certificate. This cannot be done via binding xml configuration. you must create the binding progrematically. Something like this:
var b = new CustomBinding();
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion =
MessageSecurityVersion.
WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
sec.IncludeTimestamp = false;
sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;
b.Elements.Add(sec);
b.Elements.Add(new MtomMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
var c =
new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri("https://www.url.com/"), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));
c.ClientCredentials.UserName.UserName = "yaron";
c.ClientCredentials.UserName.Password = "1234";
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
System.ServiceModel.Security.X509CertificateValidationMode.None;
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(#"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer");
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(#"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx", "wse2qs");
c.EchoString("1");
Since you only use signature and not encryption you also need to set ProtectionLevel.Sign on your contract. See about this and other gotchas you may encounter in this detailed wcf security post.
I'm trying to consume an IBM DataPower web service in WCF getting the following error message:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
The HTTP response is coming back as 200 and I can see the correct SOAP response while debugging it in Fiddler.
However, the WCF clients doesn't seem to know how to process the BinarySecurityToken element in the SOAP response.
Here is my WCF config:
<client>
<endpoint address="https://xxxx:6443/xxxx/xxxxx"
binding="customBinding" bindingConfiguration="NewBinding0"
contract="SoapPort" name="XXSoapPort" behaviorConfiguration="ServiceBehavior">
</endpoint>
</client>
<customBinding>
<binding name="NewBinding0">
<security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireDerivedKeys="false" securityHeaderLayout="Lax" />
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport />
</binding>
</customBinding>
<behaviors>
<endpointBehaviors>
<behavior name="ServiceBehavior">
<clientCredentials>
<clientCertificate findValue="xxxxxx" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
This is a SOAP request sample:
<soapenv:Envelope xmlns:dgi="http://dgi.gub.uy" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-
1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-45851B081998E431E8132880700036719"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd">binarysecuritytoken base64...</wsse:BinarySecurityToken><ds:Signature Id="Signature-13"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-14">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>62KaCXQkeXTGyGd+aoX46cGAl9M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
YdwY0hmkHE8tnQmGQBdfA5fjVyoHWMiQhKanI1SEaii295hakwMbf5KsP3YMMhzl4HEHs6nqhZpq
lyL1OBcbJPJQN34uhOtucnzgObUYHckkJqfAN/sYmfNMSFGDvyZCFQSiJwh8dkvKxmxzdUwv3wza
M+i0nzLAh9viQZYS8N8=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-45851B081998E431E8132880700036720">
<wsse:SecurityTokenReference wsu:Id="STRId-45851B081998E431E8132880700036821" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-45851B081998E431E8132880700036719" ValueType="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-14" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<method>
data...
</method>
..
This is an SOAP response:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAPENC="
http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken wsu:Id="SecurityToken-c0477b7a-df1a-4883-9ae1-59a518913f96" EncodingType="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssx509-
token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd">MIIFrDCCA5SgAwIBAgIQas+Rf7PxwFxNudVRjoOzEjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVWTErMCkGA1UECgwiQURNSU5JU1RSQ
UNJT04gTkFDSU9OQUwgREUgQ09SUkVPUzEfMB0GA1UECwwWU0VSVklDSU9TIEVMRUNUUk9OSUNPUzEdMBsGA1UEAwwUQ29ycmVvIFVydWd1YXlvIC
0gQ0EwHhcNMTEwNDI4MjEwMDAxWhcNMTIwNDI4MjEwMDAxWjCBxzEiMCAGCSqGSIb3DQEJARYTam1vbnRhbmVAZGdpLmd1Yi51eTEfMB0GA1UECwwW
QU5BTElTSVMgREUgUFJPRFVDQ0lPTjEhMB8GA1UECgwYREdJLVBSVUVCQSBTRVJWSUNJT1MgV0VCMRMwEQYDVQQIDApNb250ZXZpZGVvMQswCQ
YDVQQGEwJVWTEYMBYGA1UEBRMPUlVDMjE5OTk5ODIwMDEzMSEwHwYDVQQDDBhER0ktUFJVRUJBIFNFUlZJQ0lPUyBXRUIwgZ8wDQYJKoZIhvcNAQE
BBQADgY0AMIGJAoGBAMcMcu70s0RQkD6ifYBGXwATovTxxA/Hjc8WKM16yJkz63d0eSTjjREYmM87g6NRacADy9LZRyENiRPjsBI+Tw9PHR/7g+frTIS+vIQZ0+f
9Rq1q2uxvw8TKoO9FvcrBabdl9dUBIrJEPa20wj6U+dupTZ66bD5uFXBUsKo2sZujAgMBAAGjggFiMIIBXjAeBgNVHREEFzAVgRNqbW9udGFuZUBkZ2kuZ3ViLnV
5MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgP4MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDARBglghkgBhvhCAQEEBAMCBaAw
HQYDVR0OBBYEFP0YQfFQvej6szyGhKlpNI0tESi5MB8GA1UdIwQYMBaAFCWP30Mvjmq6C75GXFdQk7dRvvzZMFQGA1UdIARNMEswSQYMKwYBBAGB9U8
BAQEEMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93d3cuY29ycmVvLmNvbS51eS9jb3JyZW9jZXJ0L2Nwcy5wZGYwGAYNKwYBBAGB9U8BAQEEAQQHDAVE
aXNjbzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3LmNvcnJlby5jb20udXkvQ29ycmVvQ2VydC9hbmMuY3JsMA0GCSqGSIb3DQEBBQUAA4ICAQA01MEJ
sZ8VXJIybZQ0NlBJPXz7n8GbTf41Aq4lWxLI5rBWJD1uyWUdz2jUD0DuqflTAGknphzxn49QACCTA1Pv0aZ6hnK04uI9j7UJe4LiVx3aWbpLRBCnYrIs+QU2pyClEM
4bNPt0BU2DG+Q9k9SeCDQ8VD7hiD2W/aK8HLo6EVLAEwrl3pTums2dwxtO1KKPw6OBbYYitCjR5j6Hy5q1+fMTFXmx0vo+ZYFOl8DVoSp6OQJd2mcaL0CNVWI
9sOYRkJKEoELIJDSnIMKkUqgN2ilg05Dqcl/TDj2I5VfPLXZpnpuQbb6ADjEOtMzlkfe2EFemn0s/+2Hn97h5rtJMcjTuUhh937JZPWnD1XQTxICjS3ql1nSwbnJz9bk8P
N/j8cK4Kw+xipGo7pRxITFKUHmOIXsj05tH3kFWf8htdU/4rIyrvzJ3xUhita78SHaJMALQa4AGxmSxIEvej0+qyrxx4geMkzb/n5t3JAAluxW2ja3f/FrXMuwT7iKebreMS4
4FO0maMpP29SW94G8yClumghtU/6LI67oHxhpUNkCQ3UV4JaI6wEZcgV5KLXm9rr1i/hMKV5FspQcYg36qdeRz/N4DwuorVwZuTsXCIMwcKQCkzu1oUSkvO3PE
5cCRnu9cyJ3GzPfUO0T8mrCmI2XwISAvkuLs3kd6FeRBAw==</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Body-75c3e1d7-a956-4387-827e-58e7bf7f9672">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>O+QjV1cBEXJlS3Z15FBQZImx/Gs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>lCEfQOGBeSvfvHPLUYtT5PUlwe8Gdbv6b2yto4WzSsoEpYz+6d4YFlyt+Vzq1DSK8Jcmz1ELuJkzPwZCt2aAkSxpToI51vjziELJJqiZfGR5gLJRCZ
CK/zhk3pJUBzaiLLSwfN1iX9t4X8IGqisc6yqrS9kabkhUvvsiYrdRIr4=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-c0477b7a-df1a-4883-9ae1-59a518913f96" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="Body-75c3e1d7-a956-4387-827e-58e7bf7f9672" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurityutility-
1.0.xsd">
...data...
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Thanks in advance!
Use "MutualCertificate" instead of "CertificateOverTransport".
This will require you to supply a service certificate - just configure any dummy certificate, even the same one as used for signature. Also you will get an exception on dns expected name which will tell you what to fix.
Then try it once with allowSerializedSigningTokenOnReply true and once false.
If this fails send me your config, the soap request you sent, and the response the server sent.
I try to sign a message using a certificate and a private key to call a java (JBoss) web service, but the server refuses to accept my signed message. It only echoes back the same message that I've sent.
I have successfully signed the outgoing message using the certificate, and the structure of the message look alright when I compare it to an exampel message supplied by the web service creator.
I use a custom binding declared as shown below
<binding name="FSACustomServiceBinding"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00">
<textMessageEncoding
messageVersion="Soap11" />
<security
authenticationMode="MutualCertificate"
requireDerivedKeys="false"
keyEntropyMode="ClientEntropy"
includeTimestamp="false"
securityHeaderLayout="Lax"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpTransport/>
</binding>
and the resulting message looks like this
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">[BINARYSECURITYTOKEN]</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>[DIGESTVALUE]</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[SIGNATUREVALUE]</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference><o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2"/></o:SecurityTokenReference>
</KeyInfo>
</Signature></o:Security></s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><list xmlns="http://etis.ford.com/services/fsa/1.0"><String_1 xmlns="">[VINNUMBER]</String_1></list></s:Body>
</s:Envelope>
An exampel message that works with the web service:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://etis.ford.com/services/fsa/1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-26-1284446233382-10880960">[BINARYSECURITYTOKEN]</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#element-25-1284446233382-9656454">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>[DIGESTVALUE]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[SIGNATUREVALUE]</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference URI="#token-26-1284446233382-10880960" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-25-1284446233382-9656454"><ns0:list><String_1>[VINNUMBER]</String_1></ns0:list></env:Body>
</env:Envelope>
I've run out of ideas, and the web service creator doesn't supply any information what so ever as to why my message isn't accepted.
Does anyone have an idea?
Regards,
Simon
One possibility is that you are using a self signed certificate that the Jboss server does not trust.