How can i create following soap header in WCF client - wcf

I'm trying to call a web service from ASP.NET 4.0. The vendor has sent me the sample SOAP header shown below, and I need to know how to produce that header from a WCF client in ASP.NET 4.0.
Currently I'm using the following configuration in app.config:
<!-- Custom binding from the question: MTOM-encoded SOAP 1.1 with a WS-Security
     message-security element, sent over HTTPS. -->
<bindings>
  <customBinding>
    <binding name="EDTPortBinding">
      <!-- "Soap11" is SOAP 1.1 without WS-Addressing, i.e. the AddressingNone
           version named in the error quoted after this listing. -->
      <mtomMessageEncoding messageVersion="Soap11" />
      <!-- No authenticationMode is given, so this element does not state which
           client token (certificate, username, ...) protects the request.
           NOTE(review): includeTimestamp="false" omits wsu:Timestamp, while the
           vendor sample header on this page carries a signed Timestamp; confirm
           which one the service requires. -->
      <security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
                securityHeaderLayout="Strict"
                includeTimestamp="false"
                requireDerivedKeys="true"
                keyEntropyMode="ServerEntropy" />
      <!-- HTTPS transport with the HTTP "Negotiate" authentication scheme and an
           empty realm. -->
      <httpsTransport authenticationScheme="Negotiate"
                      requireClientCertificate="false"
                      realm="" />
    </binding>
  </customBinding>
</bindings>
but I'm getting this error:
Addressing Version 'AddressingNone (http://schemas.microsoft.com/ws/2005/05/addressing/none)' does not support adding WS-Addressing headers.
The following is a sample of the header that I need to generate from the WCF client:
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-8B2ED84CAE64FADA2113775419342631">MIIF0zCCBLugAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYTAeFw0xMjA0MjkxNjAyMjNaFw0xNDA0MzAxNjAyMjNaMIGUMQswCQYDVQQGEwJDQTELMAkGA1UECBMCb24xETAPBgNVBAcTCGtpbmdzdG9uMSkwJwYDVQQKEyBIZWFsdGggU29sdXRpb25zIERlbGl2ZXJ5IEJyYW5jaDElMCMGA1UECxMcRWxlY3Ryb25pYyBCdXNpbmVzcyBTZXJ2aWNlczETMBEGA1UEAxQKRUJTX0NsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEEvvZ96t117651bJXIa8AaE69N1klliJvhrXFxtV2JcKoJHZG19Em6nFtxznvrfjHjQCOJXgREq0YLJmIHgIaIggug9g4oZhZoSXm11b0k+l9sI0uV1UQxSPvKZbptLw3JuY3E8iHoBTBY4TZDg0yfuuk5kpwT0JCqn8Pcoi2Oq2rQtEdnQ0TG5/lofJAMDRzBpK1ETnNOjzCeAkR3wHPec++q2nTuY9QFYntpOyk5JksRVuuIsR5OCW6rjFXTF7CJ84qxWloXmWl4M3yKDTi3ouD36Gplgo8fi2HLpNqVBDLCm7Acv8klkc0EyiFOpBzhEYWAVIIwC9ovybXRjg0CAwEAAaOCAfEwggHtMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMEsGCWCGSAGG+EIBDQQ+FjxTU0wgQ2xpZW50IGNlcnRpZmljYXRlIHZhbGlkIG9ubHkgZm9yIE1PSExUQy9IU0MgRUJTIFRlc3RpbmcwHQYDVR0OBBYEFKV6tGi2SztsTcIPYFkZcKr4yLJMMIIBBAYDVR0jBIH8MIH5gBT/qI53Ggvfsdz34whLQ2gDg+PhW6GB1aSB0jCBzzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAm9uMREwDwYDVQQHEwhraW5nc3RvbjEpMCcGA1UEChMgSGVhbHRoIFNvbHV0aW9ucyBEZWxpdmVyeSBCcmFuY2gxJTAjBgNVBAsTHEVsZWN0cm9uaWMgQnVzaW5lc3MgU2VydmljZXMxJzAlBgNVBAMTHkVCUyBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWc2Vhbi5jYXJzb25Ab250YXJpby5jYYIJAOnNHCT34+b/MCEGA1UdEgQaMBiBFnNlYW4uY2Fyc29uQG9udGFyaW8uY2EwJgYDVR0RBB8wHYEbZGVyZXlrLmZlcm5hbmRlc0BvbnRhcmlvLmNhMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAJqCht181F8rUUNQ8jHa42kdKH+FDF0ISuklbg5MARHo+wt1laltaMeaXdESnLJBNGv
cgxPZ4StYMdCH8mOEWYftCy5nkyGQCuOd2GpaJ3Hj50bjZ9vZUYyUBPUmwIEP2v75QQe62fHTqza/VjA0I5eMGMKa3URHsTdfNdnEJjtmHdxWRjAjjrHpHQWE0e1QtG+ZV1ved0f5OzDvdylbvrm4S0mgCifk8qEvZtNSoDp37MmSFr5fFmo91BqT23xAgzUKra428dw4T1EKJYEd6pNssNS4XCQ6bTx0Au3mW5iINtiaYQP8rlSykwaJ+dFAtBG00kdGpebf1prvq4H91eA==</wsse:BinarySecurityToken>
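<!-- XML Signature over five message parts, each referenced by wsu:Id:
     #TS-1 (Timestamp), #UsernameToken-2, #id-3 (ebs:EBS), #id-4 (idp:IDP) and
     #id-5 (not shown in this header sample; presumably the SOAP Body).
     A receiver should check that every part it relies on is among the
     references, not only that the signature value verifies. -->
<ds:Signature Id="SIG-6">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"/>
    </ds:CanonicalizationMethod>
    <!-- SignedInfo is signed with RSA/SHA-1 although every reference digest is
         SHA-256. SHA-1 is no longer recommended for signatures.
         NOTE(review): presumably the service mandates this algorithm; confirm
         before changing it on the client. -->
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#TS-1">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="wsse erd edt abc deg soapenv"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>TSBdwFiHK6F64sibCXjThfekOJ5vQiXzPk5MjXPEwDE=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#UsernameToken-2">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="sdf edt dfs dfd soapenv"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>pFSgm8Pc531sbAN/Oo3glEbs1Rh741tXJya+70oALdo=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-3">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="dsf dfd sdf soapenv"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>FHoEV5Xp//KLgM1Fg5NyeIfkRjUramyx0Y0+kX41leg=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-4">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="dsd edt dfd soapenv"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>2SieN++YDPYJwbhBTgirOvjJo0aQMwiTcg5bL4Oj0fU=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-5">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="ebs edt idp msa"/>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>eALo7Pftw02ykaoXdlUt7IPiHB9RbRfj2t7zTLxzLXg=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>lhXC6GdvAtJq87cQHin0DRkDWDMkKPUbyqEd1m5XRUz+puGxWIX8EtriEdCOQGf/fzmYg7Q5 qpbR xQYw94SCLHynJu1VCx7MoI8A3wFbwdsEKF9urE3rKzrM6F6YLlosuOiGNFN9kK20ryUAl4XHqCrC C1Su3kFIiE0bwnWNCoi1bqt2zkomyBSVNXUOfw/QWfPbKlRZLNlzap1WPYK9ECSYF6Tf1g4R0lxk 7LcBYlWQn+P/qSIqZAv4jPDFQJS+pJ+3/Le8yEHNsZJfGjMKt2PF9jer3AJt+GqA3zQbj/5Ql0NF AK/uZv25s2pji6cRcz29qeLlyqhYbzLgCTPlog==</ds:SignatureValue>
  <!-- The signing key is identified by a direct reference to the
       wsse:BinarySecurityToken (the X.509 certificate) carried in this same
       header. The ValueType URI below had a stray space in the scraped page
       and is repaired here. -->
  <ds:KeyInfo Id="KI-8B2ED84CAE64FADA2113775419343232">
    <wsse:SecurityTokenReference wsu:Id="STR-8B2ED84CAE64FADA2113775419343253">
      <wsse:Reference URI="#X509-8B2ED84CAE64FADA2113775419342631" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>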
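<!-- UsernameToken with Type ...#PasswordText: the password travels as clear
     text inside the header. The token is signed (ds:Reference "#UsernameToken-2"
     in the signature on this page), which protects integrity only; its
     confidentiality rests on the HTTPS transport. The Type URI had a stray
     space in the scraped page and is repaired here. -->
<wsse:UsernameToken wsu:Id="UsernameToken-2">
  <wsse:Username>confsuxx#outlook.com</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxxxxxx</wsse:Password>
</wsse:UsernameToken>
<!-- Signed Timestamp (ds:Reference "#TS-1"): Created and Expires are 30 seconds
     apart, so the request is only fresh for that window. Client and server
     clocks need to agree closely for this to validate. -->
<wsu:Timestamp wsu:Id="TS-1">
  <wsu:Created>2013-08-26T18:32:14Z</wsu:Created>
  <wsu:Expires>2013-08-26T18:32:44Z</wsu:Expires>
</wsu:Timestamp>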
</wsse:Security>
<!-- Vendor-specific identity header. Its wsu:Id "id-4" matches the
     ds:Reference URI "#id-4" in the signature on this page, so it is signed. -->
<idp:IDP wsu:Id="id-4">
<ServiceUserMUID>039396</ServiceUserMUID>
</idp:IDP>
<!-- Vendor-specific software/audit header. Its wsu:Id "id-3" matches the
     ds:Reference URI "#id-3", so it is signed as well.
     NOTE(review): both values below contain non-hexadecimal characters, so they
     look altered by the poster rather than real identifiers; confirm. -->
<ebs:EBS wsu:Id="id-3">
<SoftwareConformanceKey>5cc6a261-d970-4898-920c-119fd07eads</SoftwareConformanceKey>
<AuditId>444361ee-277f-7732-c684-7a9923jaaa1b</AuditId>
</ebs:EBS>
</soapenv:Header>

I notice you're using soap 1.1 with addressing, which is unusual.
Try setting the textMessageEncoding binding element :
<!-- Suggested change: use an encoding whose message version includes
     WS-Addressing 1.0, so the security channel can add addressing headers.
     NOTE(review): a binding takes one message-encoding element, so this would
     stand in for mtomMessageEncoding in the question's binding; the vendor
     sample header on this page shows no WS-Addressing headers, so confirm the
     service accepts them and whether it needs MTOM. -->
<bindings>
  <customBinding>
    <binding name="EDTPortBinding">
      ...
      <textMessageEncoding messageVersion="Soap11WSAddressing10" />
      ...
    </binding>
  </customBinding>
</bindings>

The following is the SOAP message I captured with Fiddler. It is quite different from the required message I posted above.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<k:EncryptedHeader a:mustUnderstand="1" u:Id="_3" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:a="http://schemas.xmlsoap.org/soap/envelope/">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>BB/K56PdPa2IXdceVcLvCmFIuly4HwOGVmv4OCI6sNd/D7pLzcz9R/DtCI7uKI7Xn1ppIzQf9P+HgQ6dB2k+Dc8SrKpbzgJR9JhTzOSxm/0ZkdVuk6nhpPORo0Ch4507u/YqaiQkveO/tANBXiToi9GgFNYEOZTzR/rMvpRmvEyGnlxOkiXQI8H5CJn87dZxMc/KITyaAae3CNFhcLcUIsMDgc58GICbjNCx09YLHuxHaofng+D1yGhW0CmtMymCvxcvLcZmvcH4QBMD1LeEmliqaVIA7PfrF0C6z4ukN7cK2lQyYPeiJ2HQ0Vd0MbaDYoX7qVt3c1SOlVEzGVhC1NDi7Ejilt6laftyqX2uBWd0JcLsJpLLYioTB5mcxuXS+0LnmAGuU6njJWEfTqidLyticIzo3yitFdgjofgaGymkjVq0jCtTfE8mkzLTW2/S</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<k:EncryptedHeader a:mustUnderstand="1" u:Id="_4" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:a="http://schemas.xmlsoap.org/soap/envelope/">
<e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>pFKhSf01843H0S0lR16/NFymFGqVt6cNNP2VzL8W6t8N+4uVI3QAMj0NigFigBpNi1WtXLV/Y5E3zUlnEP6drl1pVWo7ue4fYIKM3VZ347p27xHLO72Jy+734uf9n8nI1ruiWGPZZ/hDUwB5gmU0AEJGJPDzKS4fd3fZcMKaem7I9g8nRNhEE5sBq7w2YraIRsep++MK7FSqNJ/y6RIw5ifaVtEIzMqiXdPv6DSpfkU=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</k:EncryptedHeader>
<ActivityId CorrelationId="8d7e0216-f29e-466d-8f59-fee9237be43a" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">30b8fade-6c73-4e77-aff7-98248cea2c09</ActivityId>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo1UOM+fT2PVBuVeE+3YdGt4AAAAAm+k0MQFSMkSxuNClyxbltwINs5gG8f1OoEvHXvwJM9IACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-14ace37f-2548-40e3-b88a-f3d95a3fef73-1">
<u:Created>2013-09-09T02:07:20.028Z</u:Created>
<u:Expires>2013-09-09T02:12:20.028Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIC1DCCAbygAwIBAgIQPpGuGBOBzJdOQbuT5uWbsjANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhFTVJBTi1QQzAeFw0xMzA5MDcyMjE2MDJaFw0xNDA5MDcwMDAwMDBaMBMxETAPBgNVBAMTCEVNUkFOLVBDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyWYMQAVEJxSDKmRk93Z+dH236HFSKF27TVAIoEcRAsBwN3MWUiIUOA4jPg20YaDHiFdGzCUr3rtRKtFo6rqhkj4gixObocG52fnJ4Ae8mlhO0hc/OONp40st9RuGY8my78GBzcSc9Tp+gW6/5ZHsVeXRFpwK7n+QnPTa2y3aPbsUHsazrSvxFp+LGzYxns5aLAi1k3PEAxoB7wHkOBEED0WuOuY7++EUKJDDjbiM/mRwklU43Y3zZfFdTDhqH/OFpuufPacvmTKDwvIbdIbfCvLNWenskMTSLb7Ak0YbPVdMY/7AsKlwHzrSVcENyYM+zIRSGVKswIVbL00VA0Ld7QIDAQABoyQwIjALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIi9agMTAHXMhB9N9/P1iKPeWnVblutod/0i49oKsDxn3gb2d7AX8+fRgRHBP6L6yFcjX0goDl1MnWTYDl3AQaassDk1hW1SZlKhQgBVmsW38s+beEb1hyhZQtr7+SQbDEqRWL5RBN8Fi9CQiP5pOIvsNyymFixWk0HdjAo+8yE086YR3Wko6GtUDiQfZb2/05fRooQjmhxxUy4vlyteuP3nMnHxIR4jd9MO47dK30zyQpW9RuZxSVjAnpy+LnKhTFl9MwIXwubTaUrBAvru9T/OuQrBh+vllPfgSG4Q8U1z40Vp1JVGLqFXy9H+5T+MipFA7OVJrs6+/NnCdx8pwiQ=</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=EMRAN-PC</X509IssuerName>
<X509SerialNumber>83168549829936402630366527231323642802</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>JBPf96uwqg3QWqWrqBXLms269TvxNiPuwQiIp1yCxpFCmGYlHAPPzwKp0uIaY2GotNeot9eg29ob5hu9KAYUiYPHklVXYbl4pg3Jvim4O6ElcbkN5A6v1eTZgk7xLlDf+eMGT7zCP0UwjEjzl8Z/K9VdLSASV9E7eUHiZH2xQmbuhyckQAEGSzlpFO3pu9fiTTQZRScURc6cn6hCTsNaLT93nJUWKY2rSehDWA5X8WBMVs5E2nYxBdXzmRABP/0nW8BGRyKvl9reqxB/3nmCErG5ADLI2XlipT4h/pa6o7qYMHaiPPYTOuM+3dXdGie2gYv89j5TIQfeaRMiyFuqyA==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<!-- UsernameToken as WCF emitted it: user name and password are plain text in
     the security header and the Password element carries no Type attribute.
     The token is signed (last Reference in the Signature below) but it is not
     listed in the e:ReferenceList at the end of this header, so it is not
     encrypted at message level; only the HTTPS transport hides it.
     NOTE(review): a capture shared publicly should have credentials redacted;
     if these values were ever live, treat them as exposed. -->
<o:UsernameToken u:Id="uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-1">
<o:Username>abcdf14</o:Username>
<o:Password>asdfasdf34!</o:Password>
</o:UsernameToken>
<!-- Message signature: RSA/SHA-1 over SignedInfo with SHA-1 reference digests
     (the vendor sample on this page uses SHA-256 digests). It covers #_2 (the
     s:Body), #_3 and #_4 (the two k:EncryptedHeader elements), the Timestamp
     and the UsernameToken. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>cnhQbioITPIFIdQJYIuRoxIZcKs=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>tY4Bfb76si198z7okwNeD2AqChg=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>zAqp1Yf2HzJ12a2WQZj6ZsvN44M=</DigestValue>
</Reference>
<Reference URI="#uuid-14ace37f-2548-40e3-b88a-f3d95a3fef73-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4F0ElIwHLQe4hnmTCqxo7n8Q/U4=</DigestValue>
</Reference>
<Reference URI="#uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>0u8ZWlKe7AGzrNJDS+ytvn1Jumg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>jnxPBBQEUNYPL8OcrzSywUVa/ipMwLiKlE+n+W7EpgKZjz2LJlCF8BYEJ4yOrF4WsiX1k26qSk/O59Kf+PWRqhJGYQ2Z0eZc5CW4upHhHoatymKFLphh75d4xef7dfPs+MvsN5Elw2QHvsiz5uO7OLyP5uSCNdVxg9F3zjcfmnW4aIIHvzV8PmTpysmPAnoNvRkNjGFxuemLERVKxjWc1Rn8JDy6nDVi4wYvISn1d6i00IsrIc0LJZosx/MwuSiE8AOP6Lo6+1eBDUzd6S9vqN6fCcJ1lykO6CouMuo+qxA37nmItfsgb7NtC+lAZpnVRB9qC8aqaFsXh9Vu1qeUoA==</SignatureValue>
<!-- Signing key: direct reference to the o:BinarySecurityToken whose u:Id ends
     in "-3" earlier in this header. -->
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-03555e25-2fe1-4dcf-bbda-42727af2e12f-3"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<!-- Parts encrypted with the key from e:EncryptedKey Id="_0": #_1 is the
     EncryptedData inside s:Body, #_3 and #_4 are the two encrypted headers.
     The vendor sample on this page contains no encrypted parts at all. -->
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"/>
<e:DataReference URI="#_3"/>
<e:DataReference URI="#_4"/>
</e:ReferenceList>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>t52vr+BDePvaT3bRjdKNt1Py915Jn/x7XAtM+z2c9I6nlFhw/Sf6H4AQh+MpRolfzoBIcmZQWQ56x6YrhdbOEVI9s+zEprLcvBoGn1JewZ1U7rqdpjXVuiee83hMHeFTT2THIJ7fX1O7Pm3rWxqM0AMaUm41UACnaxp0hZAncCFPEoc/+AtyC39zS/oxKYchNzVDkEBkoxjDnHndrQt2XGVSV0fjnCnWfAZ1Zi2zXVH50RA7nTSufZjZXld78nphJ+a5QqeT9V9XGWsd7Pg2ivI9ykb7Ke5IMTYD4nmLV7zR+zqMDiQnj+7GEpVKnuCraOilkr8afwyWZF97vi+9A1PIvzJbKnlQ3jryDZDUmWU=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>

EDIT: See here a detailed solution to consume this EBS-EDT service
You need both a username and a client certificate. This cannot be done via the binding XML configuration; you must create the binding programmatically. Something like this:
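// Builds the binding in code: mutual-certificate message security with a
// UsernameToken added as a signed supporting token, MTOM encoding and HTTPS.
var b = new CustomBinding();
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
    MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);

// The username/password token is sent in the security header and is covered by
// the message signature.
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());

// Same version as the one passed to the factory call above; kept explicit.
sec.MessageSecurityVersion =
    MessageSecurityVersion.
        WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

// NOTE(review): with this setting no wsu:Timestamp is emitted. The vendor sample
// header in the question carries a signed Timestamp, and a signed timestamp is
// what bounds the replay window of a captured request; confirm what the service
// expects before leaving this off.
sec.IncludeTimestamp = false;
sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

b.Elements.Add(sec);
// NOTE(review): SOAP 1.2 here, while the question's binding uses Soap11; match
// the envelope version the service actually speaks.
b.Elements.Add(new MtomMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());

var c =
    new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri("https://www.url.com/"), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));

// Sample values only. Real credentials and the .pfx password belong in protected
// configuration or a secret store, not in source code.
c.ClientCredentials.UserName.UserName = "yaron";
c.ClientCredentials.UserName.Password = "1234";

// SECURITY: None skips validation of the service certificate entirely. That is
// tolerable only with the sample test certificates loaded below; against a real
// endpoint use ChainTrust, PeerTrust or PeerOrChainTrust so a substituted
// certificate is rejected.
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
    System.ServiceModel.Security.X509CertificateValidationMode.None;

// Verbatim string literals need the '@' prefix; the scraped page showed '#',
// which does not compile.
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer");
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx", "wse2qs");

// Close the channel on success and abort it on failure, so a faulted channel
// does not leak or hide the original exception.
try
{
    c.EchoString("1");
    c.Close();
}
catch
{
    c.Abort();
    throw;
}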
Since you only use signature and not encryption you also need to set ProtectionLevel.Sign on your contract. See about this and other gotchas you may encounter in this detailed wcf security post.

Related

Why my WCF client encrypts the request when I change from WS-Security 1.0 to 1.1?

I'm trying to consume a java web service from a WCF client with this specifications:
The request must be signed (but NOT encrypted). I have my client's certificate installed on my computer.
The response is signed (not encrypted) by the server. I have the server's certificate installed on my computer.
Communication is over HTTPS (certificate installed on my computer).
This is the configuration of the client:
Endpoint:
<!-- Client endpoint: HTTPS address, the custom binding and the endpoint
     behavior defined in the listings that follow on this page. -->
<endpoint name="SincronSoap"
          address="https://..."
          binding="customBinding"
          bindingConfiguration="SincronSoapCustom"
          behaviorConfiguration="webEndpointExtern"
          contract="Proves.Service.SincronSoap">
  <!-- Expected DNS identity of the service; WCF compares it with the service
       certificate used for message security. -->
  <identity>
    <dns value="Test app" />
  </identity>
</endpoint>
Custom binding:
<!-- Message security with X.509 certificates on both sides (MutualCertificate),
     WS-Security 1.0, SOAP 1.1 text encoding, HTTPS transport. -->
<customBinding>
  <binding name="SincronSoapCustom">
    <!-- includeTimestamp="true" with LaxTimestampLast: a wsu:Timestamp is
         emitted as the last item of the security header, as in the captured
         requests further down.
         requireSignatureConfirmation="false": the client does not ask for
         wsse11:SignatureConfirmation in replies. -->
    <security authenticationMode="MutualCertificate"
              allowSerializedSigningTokenOnReply="true"
              requireSignatureConfirmation="false"
              requireDerivedKeys="false"
              includeTimestamp="true"
              securityHeaderLayout="LaxTimestampLast"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
    <textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
    <httpsTransport transferMode="Buffered" />
  </binding>
</customBinding>
Behavior:
<!-- Endpoint behavior that supplies the certificates for message security. -->
<behavior name="webEndpointExtern">
  <clientCredentials>
    <!-- Client signing certificate, looked up in CurrentUser\My.
         NOTE(review): a serial number is unique only per issuer; looking the
         certificate up by thumbprint pins one exact certificate. -->
    <clientCertificate storeLocation="CurrentUser"
                       storeName="My"
                       x509FindType="FindBySerialNumber"
                       findValue="19cab2cd6bc982fb" />
    <serviceCertificate>
      <!-- Certificate the client expects the service to sign replies with. -->
      <defaultCertificate storeLocation="CurrentUser"
                          storeName="My"
                          x509FindType="FindBySerialNumber"
                          findValue="311a360557c1056c5367435e7dad3866" />
      <!-- PeerOrChainTrust: the service certificate is accepted if it is in the
           trusted-people store or if its chain validates. -->
      <authentication certificateValidationMode="PeerOrChainTrust" />
    </serviceCertificate>
  </clientCredentials>
</behavior>
To only sign the message (and avoid encryption) I set the protection level in the service contract:
' Generated WCF service contract for the SincronSoap endpoint.
' ProtectionLevel.Sign on the contract asks for messages that are signed but
' not encrypted.
<System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0"),
System.ServiceModel.ServiceContract([Namespace]:="http://xxxx/", ProtectionLevel:=Net.Security.ProtectionLevel.Sign)>
Public Interface SincronSoap
' Synchronous operation; ProtectionLevel.Sign is repeated on the operation.
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*", ProtectionLevel:=Net.Security.ProtectionLevel.Sign),
System.ServiceModel.XmlSerializerFormatAttribute(SupportFaults:=True)>
Function procesa(ByVal request As Service.procesaRequest) As Service.procesaResponse
' Task-based variant. No ProtectionLevel is set on this operation attribute.
' NOTE(review): presumably it takes the contract-level Sign; confirm.
' NOTE(review): the parameter type is PdibService.procesaRequest while procesa
' uses Service.procesaRequest; looks like a leftover from renaming the
' namespace for the post; confirm.
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*")>
Function procesaAsync(ByVal request As PdibService.procesaRequest) As System.Threading.Tasks.Task(Of Service.procesaResponse)
End Interface
With this configuration, my requests are processed correctly by the server but my client throws an error when processing the response:
Cannot read the token from the 'SignatureConfirmation' element with the 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.
OK, my client uses WS-Security 1.0, and the SignatureConfirmation element is only allowed in WS-Security 1.1. The provider of the service confirms to me that the correct version is 1.1.
So I change from:
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
to:
WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
But when I make a request using this config, the remote server returns an error:
WSDoAllReceiver: security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto propery file supplied for decryption)
It seems that in this case my client is including some encryption in the request and the server doesn't expects it. This is the request:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Request captured with messageSecurityVersion set to WS-Security 1.1.
     Compared with the 1.0 request on this page it adds an e:EncryptedKey and a
     second Signature. The Body content was removed by the poster, so the
     capture does not show whether the Body itself is encrypted. -->
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="868039bc-362d-4d3b-93fa-afb7ccdaf7e9">8160d724-54b3-4aa5-acbd-82d26abbf3b5</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<!-- A key wrapped with RSA-OAEP for the certificate identified by the SHA-1
     thumbprint in o:KeyIdentifier. In this header it is referenced only from
     the KeyInfo of the first Signature; no e:ReferenceList is present.
     NOTE(review): presumably the receiver has to unwrap this key to check that
     signature, which would fit the server's "decryption" error quoted above
     the listing; confirm. -->
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">M0m/j9IjdvtsfXoboTzGX4jRw5I=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>..removed..</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<!-- First signature (Id "_0"): HMAC-SHA1 keyed by the EncryptedKey above (see
     its KeyInfo). It covers #_1, the s:Body, and the Timestamp. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="_0">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>m6K+Htbhimq+ncV9cu48xtaHCXU=</DigestValue>
</Reference>
<Reference URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>DptGdl9nICPuR7ym4VB4DAsT05o=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>b7kn3APi45hTIGgnbhSvwInLmMP=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<!-- Second signature: RSA/SHA-1 with an X.509 token, and its only Reference is
     #_0, i.e. it signs the first Signature element rather than the Body. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>80Q2miLGWvPm9Tl8qN2CwPHwbIA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-20121b2c-b772-4bc9-83fe-f422d6a80a0b-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<!-- Five-minute validity window, signed by the first Signature. -->
<u:Timestamp u:Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<u:Created>2017-01-23T11:48:37.635Z</u:Created>
<u:Expires>2017-01-23T11:53:37.635Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
.................. removed ............................
</s:Body>
</s:Envelope>
And this is the request when I use WS-Security 1.0:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Request captured with messageSecurityVersion set to WS-Security 1.0: one
     RSA/SHA-1 signature keyed directly by the X.509 token, and no
     e:EncryptedKey anywhere in the header. -->
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="8797dc6e-b03a-4681-ab6f-6d52c561a79a">3e959f6f-2b84-4aca-a024-b5b50f429730</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<!-- The signature covers #_1, the s:Body, and the Timestamp, both with SHA-1
     digests. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>frO7LOsocv71gm5QWTGhfem0VQY=</DigestValue>
</Reference>
<Reference URI="#uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>/FLwiT1IYuqSWdrthZRebVeql0c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<!-- Signing key: direct reference to an X.509 token by Id. -->
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-2cf2ba54-442a-422c-a2e7-b6861431c23b-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<!-- Five-minute validity window, covered by the signature above. -->
<u:Timestamp u:Id="uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<u:Created>2017-01-23T11:36:11.128Z</u:Created>
<u:Expires>2017-01-23T11:41:11.128Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
... removed ...
</s:Body>
</s:Envelope>
In this case no encryption is included in the request.
The question is: why does my client use encryption when I change from WS-Security 1.0 to 1.1?
How can I avoid this?
Thanks.

Sign ws-security header containing token from Active STS

This seems like it should be handled natively, so I am likely doing something wrong. I have a WCF client which calls an Active STS and uses the token from the RSTR to generate the WS-Security header included in the call to the RP. The RP requires that the header be signed, which seems a fair enough request. However, the WS-Security header generated by the client does not include a signature, and I cannot see how to configure it to do so. The generated header is below. As can be seen, it contains a signature for the assertion and the SubjectConfirmationData, both of which are responsibilities of the STS. The "missing" header signature, in my limited understanding, is a responsibility of the client. So what configuration/code needs to be added in order to get a signature block that is a child element of the Security header, much like the reference header below?
Client Generated WS-Security header
<!-- Security header as the WCF client emitted it: a Timestamp followed by a
     SAML 2.0 assertion. The only Signature is the enveloped one inside the
     Assertion (its Reference URI is the assertion ID). No Signature is a direct
     child of o:Security, so nothing in this header signs the Timestamp or binds
     the assertion to this particular message. -->
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Five-minute window; u:Id "_0" is not referenced by any signature here. -->
<u:Timestamp u:Id="_0">
<u:Created>2015-08-24T21:04:41.090Z</u:Created>
<u:Expires>2015-08-24T21:09:41.090Z</u:Expires>
</u:Timestamp>
<Assertion ID="_fea24920-d64c-4758-b51e-61208cb5084f" IssueInstant="2015-08-24T21:04:40.060Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">MySTS</Issuer>
<!-- Enveloped signature over the whole Assertion: RSA/SHA-256 with a SHA-256
     digest. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_fea24920-d64c-4758-b51e-61208cb5084f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/tfOnmKqjmkK8gH1GMNQ/XJ5gdtwzvcJTqxwiZJ7noQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dGz1dN9odSSpblmgczWWRG6tF66oonOHAVJCSC5uqjCOH+18cjJfX/duqb0sv1w0VxGsKIzR0VZ74V5Pq5MWsKQArIgEwO/wnUEOcKPI9J3KlL/IU7XLJNFtVO/ioKB4ps34S/5vZLB+WxXryz5ylBd5JvVFT7cf9R68kSxY9IurxELCGdhe/YIgJtgI6JsEoqqk7314sUZj8qrCy5zUbEVufyyStCI23OIunXPQceksa/csdaTmHFPNkYtHY8yUmyzT8aKBVKZVG2iluXySoi0TwTiVH+4ImGqXKV+VhUebCwqQwAur1IWAu+V/r7ZkW7C0384ATkMTmmLXRhom3g==</ds:SignatureValue>
<!-- The verification key is carried inline as a raw RSA KeyValue.
     NOTE(review): the Modulus here is identical to the holder-of-key Modulus
     in SubjectConfirmationData below. A relying party should decide trust from
     the STS certificate it already knows, not from a key supplied inside the
     message; confirm how the RP establishes trust in this signature. -->
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JoeTester#example.org</NameID>
<!-- holder-of-key: the presenter is expected to prove possession of the RSA
     key below, which is normally done by signing the message with it. No such
     message-level signature is present in this header. -->
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<SubjectConfirmationData a:type="KeyInfoConfirmationDataType" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<!-- Assertion validity: 70 minutes between NotBefore and NotOnOrAfter. -->
<Conditions NotBefore="2015-08-24T20:59:36.114Z" NotOnOrAfter="2015-08-24T22:09:36.114Z"/>
<AttributeStatement>
<!-- attributes were here -->
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-08-24T21:04:36.130Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</o:Security>
The client side WCF Binding
<!-- Client-side WCF configuration from the question: a ws2007HttpBinding that the issuer element refers to, and a customBinding used by the client endpoint. -->
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<!-- Unnamed binding referenced by the issuer element below: transport security, no client credential. -->
<binding>
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</ws2007HttpBinding>
<customBinding>
<binding>
<!-- Issued-token authentication over transport security, with a timestamp in the security header (includeTimestamp="true"). -->
<security authenticationMode="IssuedTokenOverTransport" requireSignatureConfirmation="true" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" messageProtectionOrder="EncryptBeforeSign"
keyEntropyMode="CombinedEntropy" includeTimestamp="true">
<!-- keyType="BearerKey" asks for a token without a proof key. The reference header on this page instead confirms the subject with holder-of-key and signs the timestamp with that key. -->
<issuedTokenParameters keyType="BearerKey" tokenType="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- The issuer address is empty. NOTE(review): confirm where the SAML token is actually obtained. -->
<issuer address="" binding="ws2007HttpBinding"/>
</issuedTokenParameters>
<localClientSettings></localClientSettings>
<secureConversationBootstrap />
</security>
<!-- Buffer and message quotas are very large (2147483647 and 134217728 bytes). NOTE(review): size them to the largest reply actually expected, since they bound how much memory one message may take. -->
<mtomMessageEncoding maxBufferSize="2147483647" />
<httpsTransport requireClientCertificate="true" maxBufferPoolSize="134217728" maxReceivedMessageSize="134217728" maxBufferSize="134217728" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" contract="IReplacable" name="*" />
</client>
</system.serviceModel>
</configuration>
Reference Security Header
<wsse:Security S:mustUnderstand="true" xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Created and Expires are exactly one year apart in this sample. A timestamp limits replay only while its validity window is short. NOTE(review): confirm the window the receiving service actually enforces. -->
<wsu:Timestamp wsu:Id="timestamp1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2015-08-21T22:34:49.138Z</wsu:Created>
<wsu:Expires>2016-08-21T22:34:49.138Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion ID="a956b920-4956-47c6-8a05-8a3a56e418a0" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- Assertion signature: exclusive C14N, RSA-SHA1 signature method and a SHA-1 digest over the assertion referenced by its ID, with the enveloped-signature transform. SHA-1 is deprecated for digital signatures; the header quoted earlier on this page uses a SHA-256 digest. NOTE(review): check whether the receiver accepts SHA-256 based algorithms. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a956b920-4956-47c6-8a05-8a3a56e418a0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>guh8xR0Vu+3X3LlLAu7SJ0wCKXw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>2X2UmgJMLGQIzN73pxxyQZVVttnE8xAkPmScvFCX2zlrS7QdmqM+BoJswtmDImK9wAhXC0WtY17U C97Iw7brHrmNtQa3tM+4JClSCuW6SM6OjHn3qMLHiUJrpIZ1k0YAYfLcIF9S7x5lYFKUzWk+oOz1 3LMOMsjORXCssUpzd3BCOUhSSeg9+6b76ZyqTeaFqldn1OmG9jz3QS+h/vUo24h1ohKPJqEcE9sG 3Ab3LqyYv8ASVP9DsKRjOjxGKfhFT5WD9gW10IqQY2YGyYtguHfsyf05dPGBuXB8jaPZ3wgYsYXU FMmjRmuAYQkdQQRH8ju4HwtWdGnTtCQBRoqboA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2015-08-21T22:27:49.138Z" SessionIndex="123456">
<saml2:SubjectLocality/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509 </saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<!-- attributes-->
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="">
<saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="_3e0d08ce-a126-45e8-b602-ac0c7ea075ce" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-08-21T21:34:49.138Z" NotOnOrAfter="2016-08-21T23:34:49.138Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4.123456789 </saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
</saml2:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- Message signature: its only Reference is #timestamp1, so within this header it covers the wsu:Timestamp element alone. The SOAP body is not part of this listing. RSA-SHA1 with a SHA-1 digest is used here as well. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#timestamp1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qs//Jxv/CVrDvTxn8hYvdSe1pbY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uf13RmBH95fP4o6x6eXC84+gkoLeZqLshw0ycm8t6HJP0+OtVEPZJbAw/UF2i2rzDk6oFE/Rxe1l /cks9HkIyNBEIwt2VY1hUldWfGd1cDq6Pi/H3EGuMasr42Qm8ObPCkSFqXhgowtIsSR9amo3e1KO YBsjYLnidcaZi7B1c6DjH1GozgSgdZDrYANUJr/KJ8zDDhGU09WXEuOekx41YvS4nWn/EHJbV+xf zKTN9ds+91PtFL1nnjqJT9BH4V2TvnRildsh7BeoMqQrXuePp7FxxgxCtg5tB15gDrNS1mOLorQZ 5UwqSrLp2/WkGkpzabMf2oN56lkiB6IHvsZ+Yg==</ds:SignatureValue>
<!-- The signing key is identified by SAML ID: the KeyIdentifier value equals the ID of the saml2:Assertion above, whose holder-of-key SubjectConfirmation carries an RSA key value. Presumably the receiver verifies this signature with that key, which shows the sender holds the matching private key. -->
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">a956b920-4956-47c6-8a05-8a3a56e418a0</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
The headers are not signed because you are using a bearer key token, as set in your configuration:
<issuedTokenParameters keyType="BearerKey"...>
It needs to be either a symmetric key or an asymmetric key. Looking at your reference SOAP header, which confirms the subject with holder-of-key and an RSA key value, you'll need an asymmetric key token.
The simplest way is to use ws2007FederationBinding. If you have to use a custom binding (as in your config), here is a sample config from MSDN at https://msdn.microsoft.com/en-us/library/aa734714(v=vs.100).aspx
<!-- Syntax template, not a working configuration: each attribute value either names the expected type (Integer, String, Boolean, URI) or lists the allowed values separated by slashes. Choose one value per attribute, for example one of the three keyType options. -->
<issuedTokenParameters
DefaultMessageSecurityVersion="System.ServiceModel.MessageSecurityVersion"
inclusionMode="AlwaysToInitiator/AlwaysToRecipient/Never/Once"
keySize="Integer"
keyType="AsymmetricKey/BearerKey/SymmetricKey"
tokenType="String" >
<additionalRequestParameters />
<claimTypeRequirements>
<add claimType="URI"
isOptional="Boolean" />
</claimTypeRequirements>
<issuer address="String"
binding=" " />
<issuerMetadata address="String" />
</issuedTokenParameters>
You can omit the issuer element, obtain the SAML token separately from your STS using WS-Trust, and use that token to secure your outgoing message to the relying party (RP).

Correct WCF service binding for signature verification

Java client wants to send SOAP request to my WCF service. SOAP header contains signature and certificate information, example:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-3767FCEC48BA3FC46A141268453194033" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- RSA-SHA1 signature method combined with a SHA-256 digest. The single Reference points to an Id that does not appear in this listing, presumably the one on the SOAP body. NOTE(review): confirm that the body is the signed part, since that is what the service is expected to validate. -->
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-3767FCEC48BA3FC46A14126804973444">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>fsN0Bl7FcJhPTZFFOCvyIrLkcg/Oo9JhOpbv23VnnDI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gVdpmh...0b/1FHPatVA==</ds:SignatureValue>
<!-- The KeyIdentifier has ValueType X509v3 and carries a Base64 value (truncated in the question), so the signer's certificate travels inside the message itself. Verifying the signature against that certificate shows the signed part was not altered; who signed it is established only if the service also validates the certificate against certificates or issuers it trusts. -->
<ds:KeyInfo Id="KI-3767FCEC48BA3FC46A141268453193931">
<wsse:SecurityTokenReference wsu:Id="STR-3767FCEC48BA3FC46A141268453193932">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDnjCCA...7Of</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
How should the web.config binding of my WCF service look so that the SOAP body is validated against the signature in the SOAP header?
Thank you
Try this:
<!-- Suggested service binding: SOAP 1.1 text encoding, MutualCertificate message security, plain HTTP transport. -->
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11" />
<!-- includeTimestamp is off, matching the client header in the question, which has no wsu:Timestamp. Without a timestamp the security header gives the service no freshness information for rejecting a replayed signed request. NOTE(review): decide where replay protection comes from. -->
<security authenticationMode="MutualCertificate" includeTimestamp="false"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<!-- Plain HTTP transport. With the sign-only protection level set on the contract in this answer, the body is integrity-protected but travels unencrypted. -->
<httpTransport />
</binding>
</customBinding>
Make sure to decorate your contract to sign only:
[System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]

WCF client for consuming ASMX service with WS-Security

I have an ASMX web service (SOAP 1.1) that requires all SOAP requests to be signed with a certificate (private key) using WS-Security.
When the ASMX service receives the request, it will authenticate it using the public key of the certificate.
After the operation is done, the response sent back to the client will not be signed!
That's the security requirements...
I've created the proxy via 'Add Service Reference' and the client's app.config:
<?xml version="1.0" encoding="utf-8"?>
<!-- Client app.config from the question: one endpoint on wsHttpBinding with message security and a client certificate behaviour. -->
<configuration>
<system.serviceModel>
<client>
<!-- The endpoint address uses http://, so there is no transport-level protection; security rests on the message-level settings below. -->
<endpoint
name="endpoint1"
address="http://1.1.1.1/Test.asmx"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ITest"
behaviorConfiguration="TestBehavior"
contract="ITest" >
</endpoint>
</client>
<bindings>
<wsHttpBinding>
<!-- Message security with a certificate client credential. NOTE(review): wsHttpBinding is, as far as I know, a SOAP 1.2 binding, while the question describes a SOAP 1.1 service; the answer on this page switches to a customBinding with Soap11WSAddressingAugust2004. -->
<binding name="WSHttpBinding_ITest">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="TestBehavior">
<clientCredentials>
<!-- Signing certificate looked up by thumbprint in the LocalMachine/My store (findValue is a placeholder). The account running the client needs read access to that certificate's private key. NOTE(review): grant it to that account only. -->
<clientCertificate storeLocation="LocalMachine" storeName="My"
x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
According to the scenario I've described:
Am I using the correct binding?
clientCredentialType value should be 'Certificate' or 'None' ?
The tag 'serviceCertificate' is needed ?
What is the correct configuration for my scenario?
If you know some useful links that could be suitable for my scenario, please supply them.
Thanks in advance :)
EDIT #1:
Request
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action>
<wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<wsa:Address>http://.../TestOperation</wsa:Address>
</wsa:To>
<wsse:Security soap:mustUnderstand="1" >
<!-- The wsu:Id values on Created and Expires repeat the Ids already used on wsa:Action and wsa:ReplyTo above, presumably an artefact of sanitising the sample. In a real message every wsu:Id must be unique: the Reference URIs in the Signature select elements by Id, and a duplicate makes it ambiguous which element a digest covers. -->
<wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
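<!-- Reference to the Id carried by soap:Body below, so the body is one of the signed parts of this request. -->
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>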
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
...
</soap:Body>
</soap:Envelope>
Response:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>http://.../TestOperationResponse</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<!-- The response security header holds only a Timestamp: no Signature and no security token. The client therefore has no message-level way to check who produced the response or whether it was altered. NOTE(review): the endpoint address shown on this page is http://, so nothing at transport level provides that either. -->
<wsse:Security>
<wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80">
<wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<Response>
...
</Response>
</soap:Body>
</soap:Envelope>
EDIT #2:
The generated request:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action>
<a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID>
<a:ReplyTo u:Id="_4">
<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<!-- This header carries no u:Id and none of the References in the Signature below point to it, so it is not covered by the signature. Judging by its namespace it is presumably added by debugger tooling. -->
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData>
<a:To soap:mustUnderstand="1" u:Id="_5">
<a:Address>http://1.1.1.1/Test.asmx</a:Address>
</a:To>
<o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<u:Created>2002-08-22T00:26:15Z</u:Created>
<u:Expires>2002-08-22T00:31:15Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</soap:Header>
<soap:Body u:Id="_1">
...
</soap:Body>
</soap:Envelope>
Issues with this request are:
Id format: Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800" (asmx proxy) VS Id="_2" (WCF proxy)
'VsDebuggerCausalityData' tag presence. How do I get rid of it?
Timestamp Id format: Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" (asmx proxy) VS Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1" (WCF proxy)
'Created' and 'Expires' tags in Timestamp doesn't have Id attribute.
BinarySecurityToken Id format: Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" (asmx proxy) VS Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" (WCF proxy)
The fault I get when I make a call to the ASMX service:
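<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
</soap:Header>
<soap:Body>
<!-- The faultstring returns the server's exception chain and full stack trace to the caller, including internal type names and the certificate lookup failure. NOTE(review): the service owner should log this detail on the server and return a generic fault to clients. -->
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>
System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'.
at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient)
at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline()
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean&amp; abortProcessing)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
</faultstring>
<faultfactor>http://1.1.1.1/Test.asmx</faultfactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>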
I assume the problem is at the server, because the 'xxx' findValue is associated with the server and not with my client certificate.
How can I fix this?
Try this binding:
<!-- Suggested client binding: text encoding, MutualCertificate message security, plain HTTP transport. -->
<customBinding>
<binding name="NewBinding0">
<!-- SOAP 1.1 with WS-Addressing August 2004, which matches the wsa namespace used in the ASMX request sample on this page. -->
<textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
<security authenticationMode="MutualCertificate">
<secureConversationBootstrap />
</security>
<!-- Plain HTTP transport: with the sign-only protection level from this answer, the request body is signed but not encrypted on the wire. -->
<httpTransport />
</binding>
</customBinding>
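You will need to define both client and server certificates on the WCF proxy; if you do not know the server cert, just define a dummy one. A dummy works here only because the response is not signed, and it means the client does not authenticate the service at message level. You also need to change the protection level for your proxy so that it does not encrypt the body: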
[System.ServiceModel.ServiceContractAttribute(ConfigurationName="ServiceReference1.SimpleServiceSoap", ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
This post summarizes a few other issues you may encounter.

WCF - Java web service interop - Signed outgoing message not accepted

I try to sign a message using a certificate and a private key to call a java (JBoss) web service, but the server refuses to accept my signed message. It only echoes back the same message that I've sent.
I have successfully signed the outgoing message using the certificate, and the structure of the message looks all right when I compare it to an example message supplied by the web service creator.
I use a custom binding declared as shown below
<!-- Custom binding from the question: SOAP 1.1 text encoding, MutualCertificate message security, plain HTTP transport. -->
<binding name="FSACustomServiceBinding"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00">
<textMessageEncoding
messageVersion="Soap11" />
<!-- includeTimestamp is off, so the generated security header shown below carries no wsu:Timestamp; the working sample message has none either. A signed request without a timestamp gives the receiver no freshness information for replay detection. -->
<security
authenticationMode="MutualCertificate"
requireDerivedKeys="false"
keyEntropyMode="ClientEntropy"
includeTimestamp="false"
securityHeaderLayout="Lax"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<!-- Plain HTTP transport: the body in the resulting message is signed but sent unencrypted. -->
<httpTransport/>
</binding>
and the resulting message looks like this
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">[BINARYSECURITYTOKEN]</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>[DIGESTVALUE]</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[SIGNATUREVALUE]</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference><o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2"/></o:SecurityTokenReference>
</KeyInfo>
</Signature></o:Security></s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><list xmlns="http://etis.ford.com/services/fsa/1.0"><String_1 xmlns="">[VINNUMBER]</String_1></list></s:Body>
</s:Envelope>
An example message that works with the web service:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://etis.ford.com/services/fsa/1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-26-1284446233382-10880960">[BINARYSECURITYTOKEN]</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#element-25-1284446233382-9656454">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>[DIGESTVALUE]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[SIGNATUREVALUE]</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference URI="#token-26-1284446233382-10880960" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-25-1284446233382-9656454"><ns0:list><String_1>[VINNUMBER]</String_1></ns0:list></env:Body>
</env:Envelope>
I've run out of ideas, and the web service creator doesn't supply any information whatsoever as to why my message isn't accepted.
Does anyone have an idea?
Regards,
Simon
One possibility is that you are using a self signed certificate that the Jboss server does not trust.