Digest Value, trust store, certificate validation mode - WCF

I am connecting to an external Java web service using WCF. I have no control over the service.
The supporting tokens are two X.509 tokens and one username token; only the body is signed and encrypted. I am able to generate a 100% compliant request as per the vendor's SOAP request sample.
The WCF client uses a custom binding to generate the outgoing request. I am getting a problem with the DigestValue in the response. How do I even check or verify this?
The server log says the following:
Signer status: 'Extracted the certificate chain from the BinarySecurityToken having format x509'
Reject set: Hash values do not match.
Hash values do not match: 'l6kqP048t5INzJT3W8gxVSXplaE=', which is the Digest value in the Signature.
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-1" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>REMOVED=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
</e:ReferenceList>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gCwFapZ3D/vUXsvAShTQwNWJoA23ad54NRmUWXR7IBFbsr75HBdZUG5lO1Af+ncShzwJA2a6jJXJmw/1gKswyAP9QuZsa9D+6fGh8jwcVqjm5v/Sh9rgQxWjL6U1kkovP0IAqEjafRu6YgmauFVCHUrJ2QfIN96WYTPnYm9Puvs=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
As far as I know I am not doing anything special; the custom binding does all of this.
Could it be an issue with trust stores? The working SoapUI sample has a truststore cacerts with the password changeit. I think this ships with the Java keytool.
I am using the following custom binding and chain trust:
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Message-level security: mutual X.509 (the client signs with its own certificate and encrypts for the server's)
AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
secBE.AllowSerializedSigningTokenOnReply = true;
// rsa-1_5 key transport + tripledes-cbc, the algorithms seen in the vendor's SoapUI request
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.RequireDerivedKeys = false; // sign/encrypt with the raw keys, no derived-key tokens
secBE.InitiatorTokenParameters = x509ProtectionParameters;
secBE.RecipientTokenParameters = x509ProtectionParameters;
// Sign first, then encrypt: the Reference digest is computed over the plaintext Body
secBE.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBE.RequireSignatureConfirmation = false;
secBE.IncludeTimestamp = false;
// CustomTextMessageBindingElement is the WCF SDK sample text encoder, not a built-in type: SOAP 1.1 as text/xml
CustomTextMessageBindingElement enc = new CustomTextMessageBindingElement(Encoding.UTF8.ToString(), "text/xml", MessageVersion.Soap11);
HttpsTransportBindingElement b = new HttpsTransportBindingElement();
b.RequireClientCertificate = true; // TLS client certificate on top of the message signature
CustomBinding be = new CustomBinding();
be.Elements.Add(secBE);
be.Elements.Add(enc);
be.Elements.Add(b);
-----------------------------
// Client certificate = signing key; service certificate = the key the symmetric key is wrapped for
proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "Usercert");
proxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServerCert");
// Revocation checking is off here; acceptable while debugging, not something to ship
proxy.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.ChainTrust;
Updated to show both the working request and the faulty one.
Both are the same as far as I can tell. One difference is the order:
the working one has BST, UST, BST;
mine has BST, BST, UST.
Working SoapUI request:
<soapenv:Envelope xmlns:mhs="http://org/emedny/mhs/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="6BB387229F4FD6E3FC13753868206455"><!-- removed --></wsse:BinarySecurityToken>
<xenc:EncryptedKey Id="EK-6BB387229F4FD6E3FC13753868206454" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#6BB387229F4FD6E3FC13753868206455" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>e5nL8OsjXRBtVrkV6eb4W5KhgOas2UL3C26BmcAArBZNk+yBVQoCIRTBMXYomvLeHFB/oNO3RqXEd8NTrSTnC8ydH/BEf9vKSGqsyQzaEkk4oV93fgWtMgE4DErUS/8oBS2DcgvtJle1tpoNR7FNp7iBif0idmGyL6L2lBT9HmM=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-4"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>USERID</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Vjjuy4+O3TwT7BmMACfLQA==</wsse:Nonce>
<wsu:Created>2013-08-01T19:53:40.446Z</wsu:Created>
</wsse:UsernameToken>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-6BB387229F4FD6E3FC13753868202121"><!-- removed --></wsse:BinarySecurityToken>
<ds:Signature Id="SIG-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mhs soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mhs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>FchA3vEpfP7i3adziwVpYnrI/BQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ZnEgibHIj1B+Gk+m8THvgNownzH8eCfymugLIHM+EyZsPz+xyOAd+IR43LAo/LcuAVZK8lBrtFKcDJO2zETYXv9gXnQP4Z8kAirkOtWuE6nPPwooSBlGXRr/j2zOp6ekdCoyqI7Hlhljh0NVaIbwzAsSyfrsYGw0I0zJzfI3Hkc=</ds:SignatureValue>
<ds:KeyInfo Id="KI-6BB387229F4FD6E3FC13753868203372">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-6BB387229F4FD6E3FC13753868203413" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-6BB387229F4FD6E3FC13753868202121" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#EK-6BB387229F4FD6E3FC13753868206454"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue><!-- removed --></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
Below is the request which my custom binding generates. It fails at the Signature's DigestValue:
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<ActivityId CorrelationId="2297e645-5077-443d-a7d2-d9af74ddb07e" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-2400-0080020000f7</ActivityId>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-5" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- removed --></o:BinarySecurityToken>
<o:BinarySecurityToken u:Id="uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-4" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- removed --></o:BinarySecurityToken>
<o:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<o:Username>USERID</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
<o:Nonce>19sRmzQElHKqxL6ICMzpJf7NOU8=</o:Nonce>
<o:Created>2013-07-31T09:24:00.933Z</o:Created>
</o:UsernameToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-4" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>XQQjLvSY5VJ4BYkDxdsIUYYFRz+eleKaiU5bSFpUMblIm7ssKXOLJJsLBbNHREycIV8u5LR9ZixI7nI5BeacKYT+nlEikPREgUwEbvsGMb6LxkquUsIDhicpY5lKMhijbYtrE8O0Ee1TX3kT6hRb6QnvWZSGjnDhfLZvu3SO9cY=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
</e:ReferenceList>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gCwFapZ3D/vUXsvAShTQwNWJoA23ad54NRmUWXR7IBFbsr75HBdZUG5lO1Af+ncShzwJA2a6jJXJmw/1gKswyAP9QuZsa9D+6fGh8jwcVqjm5v/Sh9rgQxWjL6U1kkovP0IAqEjafRu6YgmauFVCHUrJ2QfIN96WYTPnYm9Puvs=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-5" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<e:CipherData>
<e:CipherValue><!-- removed --></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>

The messages look very similar; it is a little disappointing that the server rejects the WCF one. Be prepared that this can take some time to troubleshoot. I would try to debug this with the following different approaches:
Based on the error message I assume the challenge is in the digest calculation. See how the SoapUI request has the element "InclusiveNamespaces". This element is an instruction to the signature signer/validator. Maybe the server hard-codes this value into its signer in some way, so the fact that WCF does not have it affects the digest. WCF cannot be configured to have this (usually it is not a problem not to have it). See if there is any configuration in SoapUI where you can also not use it, and see if it still works.
Replace SignBeforeEncrypt with EncryptBeforeSign.
Set up a WCF service for the same WCF client and see if it works (though it probably will, so this is a long shot).
Try to contact the service from clients on other platforms and see how the server reacts.
Try to remove complexity from the service, e.g. remove the encryption and just use the signature. See if that works. This can help pinpoint the problem.
The brute-force way would be to find the service code that calculates the XML canonicalization and the digest and debug it vis-à-vis the .NET code. But at that stage you would probably seek to bypass the problem in some other way.
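To actually check a DigestValue, as the question asks, you can recompute it yourself: canonicalize the referenced element with exclusive C14N, SHA-1 the bytes, base64 the result and compare. The Python below is an added example, not code from the question, the answer, WCF or SoapUI. It uses only the standard library and implements just enough of Exclusive XML Canonicalization 1.0 for a whole element subtree (no comments, PIs or XPath node-sets). The envelope it hashes is constructed for the demo: the namespace URIs come from the question, the mhs:Request and mhs:Payload element names do not. Running it with and without PrefixList="mhs" shows what the answer is pointing at: with the PrefixList the xmlns:mhs declaration is emitted on the signed Body, without it the declaration moves onto the first mhs: descendant, so different bytes are hashed and the digests differ.

```python
"""Recompute an XML-DSig <Reference> DigestValue by hand with exclusive C14N.

Added example, not code from the original question, its answer, WCF or SoapUI.
The sample envelope is constructed: namespace URIs are from the question,
mhs:Request/mhs:Payload are invented element names.
"""
import base64
import hashlib
from xml.dom import minidom

XMLNS_URI = "http://www.w3.org/2000/xmlns/"
WSU_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def _esc_text(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\r", "&#xD;")


def _esc_attr(s):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
    return s.replace("\t", "&#x9;").replace("\n", "&#xA;").replace("\r", "&#xD;")


def _in_scope_ns(elem):
    """prefix -> URI for every xmlns declaration in scope at elem ('' = default ns)."""
    scope, node = {}, elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for attr in node.attributes.values():
            if attr.namespaceURI == XMLNS_URI:
                prefix = "" if attr.name == "xmlns" else attr.localName
                scope.setdefault(prefix, attr.value)  # nearest declaration wins
        node = node.parentNode
    scope.setdefault("", "")
    return scope


def _render(elem, out, rendered, inclusive):
    """Exclusive C14N of one element. Only namespaces the element visibly uses
    (its own prefix, its attributes' prefixes) or that are listed in the
    InclusiveNamespaces PrefixList are emitted, and only if the nearest output
    ancestor did not already render the same prefix with the same URI."""
    scope = _in_scope_ns(elem)
    attrs = [a for a in elem.attributes.values() if a.namespaceURI != XMLNS_URI]
    utilized = {elem.prefix or ""} | {a.prefix for a in attrs if a.prefix and a.prefix != "xml"}
    utilized |= {p for p in inclusive if p in scope}
    ns_out = {p: scope[p] for p in utilized if scope[p] != rendered.get(p, "")}
    out.append("<" + elem.tagName)
    for p in sorted(ns_out):  # namespace nodes first, ordered by prefix
        out.append(' xmlns%s="%s"' % (":" + p if p else "", _esc_attr(ns_out[p])))
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc_attr(a.value)))
    out.append(">")
    child_rendered = {**rendered, **ns_out}
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            _render(child, out, child_rendered, inclusive)
        elif child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            out.append(_esc_text(child.data))
        # comment nodes are dropped: the algorithm URI has no #WithComments suffix
    out.append("</" + elem.tagName + ">")


def find_referenced(doc, ref_uri):
    """Resolve a same-document Reference URI ('#id') via wsu:Id or a plain Id."""
    want = ref_uri.lstrip("#")
    for el in doc.getElementsByTagName("*"):
        if want in (el.getAttributeNS(WSU_URI, "Id"), el.getAttribute("Id")):
            return el
    raise KeyError("no element with Id %r" % want)


def canonical_bytes(xml_text, ref_uri, inclusive_prefixes=()):
    """The exact bytes a verifier hashes for <ds:Reference URI=ref_uri>."""
    elem = find_referenced(minidom.parseString(xml_text), ref_uri)
    out = []
    _render(elem, out, {}, tuple(inclusive_prefixes))
    return "".join(out).encode("utf-8")


def digest_value(xml_text, ref_uri, inclusive_prefixes=()):
    """Base64(SHA-1(exc-c14n(referenced element))), i.e. the <ds:DigestValue>."""
    digest = hashlib.sha1(canonical_bytes(xml_text, ref_uri, inclusive_prefixes)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_reference(xml_text, ref_uri, claimed, inclusive_prefixes=()):
    return digest_value(xml_text, ref_uri, inclusive_prefixes) == claimed


# Constructed plaintext envelope: what the signer digests under SignBeforeEncrypt,
# before the Body content is replaced by xenc:EncryptedData.
SAMPLE = (
    '<soapenv:Envelope xmlns:mhs="http://org/emedny/mhs/"'
    ' xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header/>'
    '<soapenv:Body wsu:Id="id-1" xmlns:wsu="' + WSU_URI + '">'
    '<mhs:Request><mhs:Payload>hello</mhs:Payload></mhs:Request>'
    '</soapenv:Body></soapenv:Envelope>'
)

if __name__ == "__main__":
    plain = digest_value(SAMPLE, "#id-1")
    listed = digest_value(SAMPLE, "#id-1", inclusive_prefixes=["mhs"])
    print("no PrefixList    :", plain)
    print('PrefixList="mhs" :', listed)
    print("same digest?", plain == listed)  # False: xmlns:mhs moves onto Body
```

To check a real message, feed verify_reference the plaintext envelope, the Reference URI and the PrefixList from the Transform. Under SignBeforeEncrypt the server decrypts the Body before checking the digest, so the bytes hashed are the plaintext Body, not the EncryptedData that is on the wire; capture the message before encryption (for WCF, message logging at the service-level with logMessagesAtServiceLevel shows it) or reconstruct it. The implementation covers plain element subtrees only; enveloped-signature transforms and comments are out of scope.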

Related

IRS-A2A BulkRequestTransmitter - [TPE1207] The request message is missing an attachment

I'm trying to send the request to the IRS using WCF and the file is attached as follows:
TransmitterACAUIBusinessHeaderType manifestType = iRSSubmissionManifest;
ACASendService.BulkRequestTransmitterRequest request = new ACASendService.BulkRequestTransmitterRequest();
request.Security = GetSecurity();
request.ACATransmitterManifestReqDtl = GetACATransmitterManifestReqDtl(manifestType);
request.ACABusinessHeader = GetACATransmitterBusinessHeaderRequest(manifestType);
request.ACABulkRequestTransmitter = new ACABulkRequestTransmitterType();
byte[] uploadFile = StreamingHelper.Chunk(_submissionXmlFolderPath);
request.ACABulkRequestTransmitter.BulkExchangeFile = uploadFile;
ACASendService.BulkRequestTransmitterPortTypeClient _airClient = new ACASendService.BulkRequestTransmitterPortTypeClient();
ACASendService.ACABulkRequestTransmitterResponseType response = _airClient.BulkRequestTransmitter(request.ACASecurityHeader, request.Security, ref request.ACABusinessHeader, request.ACATransmitterManifestReqDtl, request.ACABulkRequestTransmitter);
When I look at the request I can see the binary data in the SOAP Body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:us:gov:treasury:irs:ext:aca:air:7.0" xmlns:urn1="urn:us:gov:treasury:irs:common" xmlns:urn2="urn:us:gov:treasury:irs:msg:acabusinessheader" xmlns:urn3="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<Signature Id="SIG-57610A09584142FAA8ABFBD262776BF9" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#TS-C126221AACCA4F37BDBBC1AE27A45F44">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse wsa soapenv urn urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>DtSEqek9RuRdR/q8AlxobY/90+o=</DigestValue>
</Reference>
<Reference URI="#MF-D3C0AAF6624148A08627F799ECDDA387">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa soapenv urn1 urn2 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>adRdmNY8Gwrebd9fMaiBRCgz/3o=</DigestValue>
</Reference>
<Reference URI="#BH-CD8C12D6D4984DD3901CFE1D9E65A86A">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsa soapenv urn urn1 urn3" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>dj4DhqNAJnNp40DT5dEdKGTOP48=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Signature==</SignatureValue>
<KeyInfo Id="KI-4174BEF920A14F639F7C4E9F825D53AE">
<wsse:SecurityTokenReference wsu:Id="STR-192B01936AC24010A0DF60BD21F3A6FA">
<KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">KeyData==</KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<wsu:Timestamp wsu:Id="TS-C126221AACCA4F37BDBBC1AE27A45F44" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2016-04-18T12:03:46.570Z</wsu:Created>
<wsu:Expires>2016-04-18T12:13:46.572Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<urn:ACATransmitterManifestReqDtl wsu:Id="MF-D3C0AAF6624148A08627F799ECDDA387" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<PaymentYr>2015</PaymentYr>
<PriorYearDataInd>0</PriorYearDataInd>
<EIN>EIN</EIN>
<TransmissionTypeCd>O</TransmissionTypeCd>
<TestFileCd>T</TestFileCd>
<TransmitterNameGrp>
<BusinessNameLine1Txt>Name</BusinessNameLine1Txt>
</TransmitterNameGrp>
<CompanyInformationGrp>
<CompanyNm>Company</CompanyNm>
<MailingAddressGrp>
<USAddressGrp>
<AddressLine1Txt>Address1</AddressLine1Txt>
<CityNm>City</CityNm>
<USStateCd>MD</USStateCd>
<USZIPCd>ZIP</USZIPCd>
</USAddressGrp>
</MailingAddressGrp>
<ContactNameGrp>
<PersonFirstNm>First</PersonFirstNm>
<PersonLastNm>Last</PersonLastNm>
</ContactNameGrp>
<ContactPhoneNum>Phone</ContactPhoneNum>
</CompanyInformationGrp>
<VendorInformationGrp>
<VendorCd>I</VendorCd>
<ContactNameGrp>
<PersonFirstNm>First</PersonFirstNm>
<PersonLastNm>Last</PersonLastNm>
</ContactNameGrp>
<ContactPhoneNum>Phone</ContactPhoneNum>
</VendorInformationGrp>
<TotalPayeeRecordCnt>1</TotalPayeeRecordCnt>
<TotalPayerRecordCnt>1</TotalPayerRecordCnt>
<SoftwareId></SoftwareId>
<FormTypeCd>1094/1095C</FormTypeCd>
<BinaryFormatCd>application/xml</BinaryFormatCd>
<ChecksumAugmentationNum>4BDAA151D8543B25D9A3DCDFDBFF0F44</ChecksumAugmentationNum>
<AttachmentByteSizeNum>3800</AttachmentByteSizeNum>
<DocumentSystemFileNm>1094C_Request_TCC_20160418T062909155Z.xml</DocumentSystemFileNm>
</urn:ACATransmitterManifestReqDtl>
<urn2:ACABusinessHeader wsu:Id="BH-CD8C12D6D4984DD3901CFE1D9E65A86A" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<urn:UniqueTransmissionId xmlns:urn="urn:us:gov:treasury:irs:ext:aca:air:7.0">d5631c37-de39-4569-914f-41d482b780e6:SYS12:TCC::T</urn:UniqueTransmissionId>
<urn1:Timestamp xmlns:urn1="urn:us:gov:treasury:irs:common">2016-04-18T17:33:53Z</urn1:Timestamp>
</urn2:ACABusinessHeader>
<wsa:Action>BulkRequestTransmitterService</wsa:Action>
</soapenv:Header>
<soapenv:Body>
<urn3:ACABulkRequestTransmitter version="1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<urn1:BulkExchangeFile>PEZvcm0xMDk0OTVDVHJhbnNtaXR0YWxVcHN0cm_File_Bytes=</urn1:BulkExchangeFile>
</urn3:ACABulkRequestTransmitter>
</soapenv:Body>
</soapenv:Envelope>
Am I missing anything? Are there any specific bindings or encodings that need to be added?
If I'm reading your generated XML correctly, it seems that you have embedded the file contents of your tax forms in the BulkExchangeFile element. Perhaps this is because, when you looked at the WSDL file that the IRS distributes, the said element is described as xsd:base64Binary.
If you look at page 84 of the IRS' Composition Guide v4.3, https://www.irs.gov/PUP/for_taxpros/software_developers/information_returns/AIR%20Submission%20Composition%20and%20Reference%20Guide%20TY2015_v4.3_03_17_2016.pdf (or search for http://www.w3.org/2004/08/xop/include in the document), you will see that BulkExchangeFile should be populated like:
<inc:Include href="cid:yourAttachmentFile.xml" xmlns:inc="http://www.w3.org/2004/08/xop/include"/>
where yourAttachmentFile.xml is the file you want to send to the IRS-AIR-A2A system. As you'll see on that page, your tax data is expected to be received as an MTOM attachment.
In essence, your XML above has the tax data within the BulkExchangeFile element and you aren't sending the data as an MTOM attachment.
I think you're a C# guy (I'm a Java dude) so this thread might help you out: IRS-A2A BulkRequestTransmitter message not formatted properly and/or cannot be interpreted
I had trouble sending our 1095 data to the IRS until I saw page 84 in the Composition Guide. One would think that complying with the WSDL should be enough to communicate with a web service ;)
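What the answer describes, as an added example that is not code from the post, from WCF or from the IRS: the envelope is packaged as an MTOM/XOP multipart/related message, BulkExchangeFile carries only an xop:Include, and the file itself travels as a separate MIME part addressed by Content-ID instead of as base64 text in the Body. The Python below builds such a package with the standard library and resolves it back, so you can see both what goes on the wire and what a receiver does with the cid: reference. The envelope, the Content-IDs and the MIME boundary are constructed for the demo; the element names reuse the namespaces from the question, but this is a stand-in, not the real ACABulkRequestTransmitter body, and the IRS guide's exact header and naming requirements are not reproduced here.

```python
"""Package a SOAP request as MTOM/XOP instead of inlining the file as base64.

Added example, not code from the original post, from WCF or from the IRS.
Envelope, Content-IDs and boundary are constructed for the demo.
"""
import email.parser
import urllib.parse
import xml.etree.ElementTree as ET

XOP_NS = "http://www.w3.org/2004/08/xop/include"
ROOT_CID = "rootpart@example.invalid"  # constructed Content-ID of the SOAP part


def build_xop_package(soap_xml: bytes, attachment: bytes, attachment_cid: str,
                      boundary: str = "MIMEBoundary_constructed") -> bytes:
    """Return a multipart/related body. The MIME headers are included so the
    result parses offline; over HTTP the Content-Type line is the HTTP header."""
    b, crlf = boundary.encode(), b"\r\n"
    root_part = (b"--" + b + crlf
                 + b'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"' + crlf
                 + b"Content-Transfer-Encoding: binary" + crlf
                 + b"Content-ID: <" + ROOT_CID.encode() + b">" + crlf + crlf
                 + soap_xml + crlf)
    file_part = (b"--" + b + crlf
                 + b"Content-Type: application/xml" + crlf
                 + b"Content-Transfer-Encoding: binary" + crlf  # raw bytes, no base64
                 + b"Content-ID: <" + attachment_cid.encode() + b">" + crlf + crlf
                 + attachment + crlf)
    headers = (b"MIME-Version: 1.0" + crlf
               + b'Content-Type: multipart/related; type="application/xop+xml"; '
               + b'boundary="' + b + b'"; start="<' + ROOT_CID.encode() + b'>"; '
               + b'start-info="text/xml"' + crlf + crlf)
    return headers + root_part + file_part + b"--" + b + b"--" + crlf


def resolve_xop(package: bytes):
    """Parse an MTOM package; return (soap_root, [(holder_element, bytes), ...])
    with every xop:Include resolved to the raw bytes of the MIME part it names."""
    msg = email.parser.BytesParser().parsebytes(package)
    if not msg.is_multipart():
        raise ValueError("not a multipart/related package")
    parts = {p["Content-ID"].strip("<>"): p.get_payload(decode=True) for p in msg.get_payload()}
    root_cid = msg.get_param("start").strip("<>")
    soap_root = ET.fromstring(parts[root_cid])
    resolved = []
    for holder in soap_root.iter():
        inc = holder.find("{%s}Include" % XOP_NS)
        if inc is None:
            continue
        href = inc.get("href", "")
        if not href.startswith("cid:"):
            raise ValueError("xop:Include href must be a cid: URL, got %r" % href)
        # cid: URLs are percent-encoded; decode before matching the Content-ID
        resolved.append((holder, parts[urllib.parse.unquote(href[4:])]))
    return soap_root, resolved


# Constructed stand-in for the request body: BulkExchangeFile holds only the
# xop:Include, the file content is NOT in the envelope.
SOAP = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:urn1="urn:us:gov:treasury:irs:common"'
    ' xmlns:urn3="urn:us:gov:treasury:irs:msg:irsacabulkrequesttransmitter">'
    '<soapenv:Body><urn3:ACABulkRequestTransmitter version="1.0">'
    '<urn1:BulkExchangeFile>'
    '<inc:Include href="cid:1094C_Request.xml" xmlns:inc="' + XOP_NS + '"/>'
    '</urn1:BulkExchangeFile>'
    '</urn3:ACABulkRequestTransmitter></soapenv:Body></soapenv:Envelope>'
).encode()
FORM_XML = b"<Forms>constructed sample payload</Forms>"  # stands in for the 1094/1095 file


def demo():
    """Round trip: package, then resolve the Include back to the file bytes."""
    package = build_xop_package(SOAP, FORM_XML, "1094C_Request.xml")
    _root, resolved = resolve_xop(package)
    holder, data = resolved[0]
    return holder.tag, data


if __name__ == "__main__":
    tag, data = demo()
    print(tag, "->", len(data), "bytes delivered via xop:Include")
```

The receiver-side check matters as much as the packaging: a cid: reference that names a part which is not in the package, or a part with a different Content-ID than the href, is exactly the "missing an attachment" situation, so resolve_xop raises rather than silently treating the empty BulkExchangeFile as the payload.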

WCF, Client-based transport authentication with certificate and certificate signed SOAP message request, web service

Description: I have a .NET 4.5 WCF client and I need to consume a Java-based web service using SOAP. The client has to authenticate using a client certificate at the transport level. The message body has to be signed using a separate signing certificate. I've implemented a CustomBinding object trying all combinations of binding objects that make sense for my case... still no luck. Here is the post I got the idea for the CustomBinding from.
This is the code that generates a SOAP request (the CustomCredentials implementation is provided by Jawad, see the link to his post at the bottom) that is closest to the working request I got from the web service provider:
public static MyClient CreateProxy()
{
    // The DNS identity is what the server certificate's subject is checked against
    EndpointAddress epa = new EndpointAddress(new Uri("https://www.webservice-url/Server20/ID"), EndpointIdentity.CreateDnsIdentity("Certificate_Issuer_Name"), new AddressHeaderCollection());
    MyClient proxy = new MyClient(GetCustomBinding(), epa);
    // Replace the default ClientCredentials with CustomCredentials (from Jawad's post) so the
    // TLS client certificate and the message-signing certificate can be different certificates
    proxy.Endpoint.EndpointBehaviors.Remove(typeof(ClientCredentials));
    CustomCredentials myCredentials = new CustomCredentials(GetClientAuthenticationCert(), GetSigningCertificate());
    proxy.Endpoint.EndpointBehaviors.Add(myCredentials);
    proxy.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign; // sign the body, do not encrypt it
    return proxy;
}

private static Binding GetCustomBinding()
{
    // Certificate-over-transport: TLS protects the channel, the X.509 token signs the message
    TransportSecurityBindingElement tsElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
    tsElement.SetKeyDerivation(false); // sign with the certificate key itself, no derived keys
    tsElement.AllowInsecureTransport = true;
    // Reference the signing certificate by issuer name + serial number; always send the token to the recipient
    X509SecurityTokenParameters tokenParams = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
    tokenParams.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
    tsElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(tokenParams);
    tsElement.EnableUnsecuredResponse = true; // accept a response that carries no Security header
    tsElement.IncludeTimestamp = true;
    TextMessageEncodingBindingElement tmElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, System.Text.Encoding.UTF8);
    HttpsTransportBindingElement httpsElement = new HttpsTransportBindingElement();
    httpsElement.RequireClientCertificate = true; // TLS client authentication
    CustomBinding customBinding = new CustomBinding();
    customBinding.Elements.Add(tsElement);
    customBinding.Elements.Add(tmElement);
    customBinding.Elements.Add(httpsElement);
    return customBinding;
}
The generated SOAP request looks like this:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://bsi.bund.de/eID/useID</a:Action>
<a:MessageID>urn:uuid:288e93bd-b004-42e7-b49c-00f1a315cd29</a:MessageID>
<a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDP/Eczn0ACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1" u:Id="_1">https://test.governikus-eid.de:8444/eID-Server-20/eID</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-08-25T13:48:07.634Z</u:Created>
<u:Expires>2014-08-25T13:53:07.634Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken><!--Removed--></o:BinarySecurityToken>
<o:BinarySecurityToken><!--Removed--></o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>BMfUzgz9+cG6FgNeljlm4T9v5Y0=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>TM59Or2Dn8j6oddZ/HE7viskDVg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>bQAoFq3VNK2GCxM9iM0ZLlvFZxxMLaH7E5Ch12X...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-4432a63d-068b-4627-bbb3-2bc94d016357-1"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<useIDRequest xmlns="http://bsi.bund.de/eID/">
<UseOperations>
<GivenNames>REQUIRED</GivenNames>
<FamilyNames>REQUIRED</FamilyNames>
<Nationality>REQUIRED</Nationality>
</UseOperations>
<AgeVerificationRequest>
<Age>18</Age>
</AgeVerificationRequest>
<PlaceVerificationRequest></PlaceVerificationRequest>
</useIDRequest>
</s:Body>
</s:Envelope>
And here is how the SOAP request should look:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<S:Header>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns15="http://www.w3.org/2003/05/soap-envelope" xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" wsu:Id="_3">
<wsu:Created>2014-08-22T09:22:48Z</wsu:Created>
<wsu:Expires>2014-08-22T09:27:48Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature xmlns:ns15="http://www.w3.org/2003/05/soap-envelope" xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" Id="_1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_5002">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xhfeoN1hwzzG6xj53QP4Y/waCm4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>eNvJUyyQU/GRCS1V0tdoNzy8IHY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>KpzOsC/5r3UjKcOHx2l...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=DE,ST=bremen,L=bremen,O=bos,OU=test,CN=demo_epa</ds:X509IssuerName>
<ds:X509SerialNumber>124466</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body wsu:Id="_5002">
<ns4:useIDRequest xmlns:ns2="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://bsi.bund.de/eID/" xmlns:ns5="http://www.w3.org/2001/04/xmlenc#" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="urn:oasis:names:tc:SAML:1.0:assertion">
<ns4:UseOperations>
<ns4:GivenNames>REQUIRED</ns4:GivenNames>
<ns4:FamilyNames>REQUIRED</ns4:FamilyNames>
</ns4:UseOperations>
</ns4:useIDRequest>
</S:Body>
</S:Envelope>
The main difference I see is that I don't have X509Data in the SecurityTokenReference tag, but only a reference.
So, what am I doing wrong? Is the missing X509Data tag in the request the key to the problem? If yes, how can I add this information there?

WCF Client Sign only soap body

I did some research on this, but couldn't find a proper solution. Why does my SOAP request have so many Reference URIs? Only the outgoing SOAP body should be signed using the private key and encrypted using the public key.
My outgoing SOAP has some additional elements:
1) An additional EncryptedData node.
2) Additional and unreferenced Reference URIs in the Signature.
<s:Security>
<s:Binarysecuritytoken1>
<s:Binarysecuritytoken2>
<s:usernametoken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c91ddd2c-e452-4616-b443-b58c919bcace-6" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>Wp9slJCs7umXjsMi6diTRB+cSLIADY8RyeNmym7MkfYVxDmP5FIKXwyIV8e7IbLlJEKBUqgIQbYTtwNej7E1PfoD+vI64rOTyxbIhgZ/icnoAIQFJ/Mwuwq60hJhjpfC9m2Ll/S+JsWfg+0Njl+gpYzaECLYeSGEJND6CmbKTUY=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
<e:DataReference URI="#_7" /><!-- Not needed. Only #_2, which references the Body, is needed -->
</e:ReferenceList>
</e:EncryptedKey>
<!-- Not needed -->
<e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
</e:EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1"><!-- Needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
</Reference>
<Reference URI="#_3"><!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>r9QXAfEWv2UhmnjzIXyoyHVy9wQ=</DigestValue>
</Reference>
<Reference URI="#_4"><!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>5JI25GEJj/63MQB6j2P2uiFTwe0=</DigestValue>
</Reference>
<Reference URI="#_5"><!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>dRaV5csLUbHL6k4X97njcIkwp5k=</DigestValue>
</Reference>
<Reference URI="#_6"><!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>3c80pnhYcV2BcsEsduxDdQ6z2q0=</DigestValue>
</Reference>
<Reference URI="#uuid-131924a6-ba69-4a84-8786-cdbacfe2f79a-2"><!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>1fvCyhzU3bILTCoFB8xUnQtP2wA=</DigestValue>
</Reference>
<Reference URI="#uuid-c91ddd2c-e452-4616-b443-b58c919bcace-5"><!-- Not needed -->
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>LihjfykAPG4wv/HsoKZXjuJ4Eq0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>removed</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c91ddd2c-e452-4616-b443-b58c919bcace-7" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
This is the custom Binding
AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
secBE.AllowSerializedSigningTokenOnReply = false;
secBE.RequireSignatureConfirmation = true ;
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.RequireDerivedKeys = false;
x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
x509ProtectionParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
secBE.InitiatorTokenParameters = x509ProtectionParameters;
secBE.RecipientTokenParameters = x509ProtectionParameters;
secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
secBE.EndpointSupportingTokenParameters.SignedEncrypted.Add(new X509SecurityTokenParameters());
CustomTextMessageBindingElement enc = new CustomTextMessageBindingElement();
HttpsTransportBindingElement b = new HttpsTransportBindingElement();
b.RequireClientCertificate = true;
CustomBinding be = new CustomBinding();
be.Elements.Add(secBE);
be.Elements.Add(enc);
be.Elements.Add(b);
return be;
Part of the SOAP sample from the vendor. As per my understanding, only the Body is signed and encrypted.
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<!-- Sample request with WS-Security; eMedNY Meds History Service User Guide, page 13 of 48, February 16, 2012, Version 1.1 -->
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wRUq.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
Edited to show custom EncryptedData, Signature elements
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Encrypts the content of the SOAP Body with the supplied symmetric key and replaces it
// with an xenc:EncryptedData element carrying the given Id.
// elementToEncrypt is not used; the Body is located by the XPath below.
public static void Encrypt(XmlDocument xmlDoc, string elementToEncrypt, SymmetricAlgorithm ts, XmlNamespaceManager nsmgr, string encdataId)
{
XmlNode elementsToEncrypt = xmlDoc.DocumentElement.SelectSingleNode("/s:Envelope/s:Body", nsmgr);
XmlElement xmlElementToEncrypt = (XmlElement)elementsToEncrypt;
EncryptedXml encryptedXml = new EncryptedXml();
// content = true: encrypt the children of Body, not the Body element itself
byte[] encryptedElement = encryptedXml.EncryptData(xmlElementToEncrypt, ts, true);
System.Security.Cryptography.Xml.EncryptedData encryptedData = new System.Security.Cryptography.Xml.EncryptedData();
encryptedData.Id = encdataId;
// Type must match what was encrypted: content-only encryption is xmlenc#Content
encryptedData.Type = EncryptedXml.XmlEncContentUrl;
encryptedData.EncryptionMethod =
new System.Security.Cryptography.Xml.EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl);
// Create a new CipherData object and give it the ciphertext produced above.
CipherData cd = new CipherData();
cd.CipherValue = encryptedElement;
encryptedData.CipherData = cd;
EncryptedXml.ReplaceElement(xmlElementToEncrypt, encryptedData, true);
}
// Signing routine as it stands; this is what produces the Signature shown further down.
public void SignSoapBody(XmlDocument xmlDoc, XmlNode xmlnodeEncKey, string encdataId)
{
// GetCertificateFromStore is the poster's own helper that loads the signing certificate.
X509Certificate2 cert = GetCertificateFromStore("LMWARD");
// *** Signed XML will create Xml Signature - Xml fragment
SignedXml signedXml = new SignedXml(xmlDoc);
signedXml.SigningKey = cert.PrivateKey;
// *** Create a KeyInfo structure (X509Data; the vendor sample has a SecurityTokenReference here)
KeyInfo keyInfo = new KeyInfo();
KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
keyInfoData.AddCertificate(cert);
keyInfo.AddClause(keyInfoData);
signedXml.KeyInfo = keyInfo;
// Inclusive C14N; this is what yields REC-xml-c14n-20010315 in the output below
signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigC14NTransformUrl;
// *** Now create reference to sign: Point at the Body element
Reference reference = new Reference();
reference.Uri = "#" + encdataId; // reference id=body section in same doc
reference.AddTransform(new XmlDsigExcC14NTransform()); // required to match doc
signedXml.AddReference(reference);
// *** Finally create the signature
signedXml.ComputeSignature();
XmlElement signedElement = signedXml.GetXml();
// The wrapper is created in the wsse namespace, so the emitted Signature element is not in the xmldsig namespace
XmlNode SignatureNode = xmlDoc.CreateNode(XmlNodeType.Element, "Signature", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
SignatureNode.InnerXml = signedElement.InnerXml;
// *** And add our signature as content
XmlNode commonParent = xmlnodeEncKey.ParentNode;
commonParent.InsertAfter(SignatureNode, xmlnodeEncKey);
}
Actually, the encrypted data method encrypts the SOAP body and adds a reference ID.
I would need some help on SignSoapBody(...). It needs a SecurityTokenReference inside the KeyInfo element, and moreover a different canonicalization algorithm. It is totally not writing what is needed. See above for how the request should look.
This is what it actually writes to the Signature
(My code generates the following signature)
<Signature xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#635077936132736291">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>NUOpt38t11pdL0wAPiyFthhYM9Q=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">kNXiSoBMOeEuoKhUQzuJddNzPrSGxFZIyj0QIp0ngmEbUwQXP25loZBKtX6QB/l913ZX5PGgU7IwCsVjuiCluqqtEGEy7V03gqSKpY+Iz45Md+kyazrfDXDVnPNIZKN8p8K+0QhJmqWA0r1K/sjyYldNiJJd8d12gIRPtDEVGPU=</SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
Edited 06/26
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="fgsgsd2cc312a052f-6" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue></e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
<e:DataReference URI="#_3" /><!-- NOT NEEDED -->
</e:ReferenceList>
</e:EncryptedKey>
<!-- NOT NEEDED -->
<e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<e:CipherData>
Thank you
Sun
Change MessageSecurityVersion to a value that starts with WSSecurity10
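For the custom SignSoapBody above, the three things the vendor sample expects (a Reference resolved through wsu:Id, exclusive C14N for SignedInfo, and a wsse:SecurityTokenReference instead of X509Data inside KeyInfo) can all be done with SignedXml. The following is an added example, not the poster's code; it assumes the Body already carries a wsu:Id, that the signing certificate sits in a wsse:BinarySecurityToken whose wsu:Id is passed as tokenId, and the ids and RSA key in Main are constructed for the demo only.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml resolves "#id" only through Id/id/ID attributes; WS-Security parts carry wsu:Id.
public class WsuSignedXml : SignedXml
{
    public const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public WsuSignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null) return found;
        var ns = new XmlNamespaceManager(document.NameTable);
        ns.AddNamespace("wsu", WsuNs);
        return document.SelectSingleNode("//*[@wsu:Id='" + idValue + "']", ns) as XmlElement;
    }
}

public static class SoapBodySigner
{
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    // Signs the element whose wsu:Id is bodyId and appends the Signature to wsse:Security.
    // tokenId is the wsu:Id of the wsse:BinarySecurityToken holding the signing certificate.
    public static XmlElement SignBody(XmlDocument doc, AsymmetricAlgorithm signingKey, string bodyId, string tokenId)
    {
        var signedXml = new WsuSignedXml(doc);
        signedXml.SigningKey = signingKey;
        // As in the vendor sample: exc-c14n for SignedInfo and the Reference, rsa-sha1, sha1 digest.
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;
        var reference = new Reference("#" + bodyId);
        reference.AddTransform(new XmlDsigExcC14NTransform());
        reference.DigestMethod = SignedXml.XmlDsigSHA1Url;
        signedXml.AddReference(reference);

        // KeyInfo carries wsse:SecurityTokenReference/wsse:Reference instead of X509Data.
        XmlElement str = doc.CreateElement("wsse", "SecurityTokenReference", WsseNs);
        XmlElement tokenRef = doc.CreateElement("wsse", "Reference", WsseNs);
        tokenRef.SetAttribute("URI", "#" + tokenId);
        tokenRef.SetAttribute("ValueType", X509v3);
        str.AppendChild(tokenRef);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoNode(str));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        // GetXml() already yields <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">; import it
        // as is instead of re-creating the element in the wsse namespace and copying InnerXml.
        var signature = (XmlElement)doc.ImportNode(signedXml.GetXml(), true);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsse", WsseNs);
        XmlNode security = doc.SelectSingleNode("//wsse:Security", ns);
        if (security == null) throw new InvalidOperationException("no wsse:Security header");
        security.AppendChild(signature);
        return signature;
    }

    // Demo on a constructed envelope with placeholder ids and a throwaway RSA key; in the real
    // client the key is cert.PrivateKey and the token holds that certificate's base64 DER.
    public static void Main()
    {
        string envelope =
            "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsu=\"" + WsuSignedXml.WsuNs + "\">" +
            "<s:Header><wsse:Security xmlns:wsse=\"" + WsseNs + "\">" +
            "<wsse:BinarySecurityToken wsu:Id=\"SecurityToken-demo\">PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>" +
            "</wsse:Security></s:Header>" +
            "<s:Body wsu:Id=\"Id-demo\"><Ping xmlns=\"urn:example\">1</Ping></s:Body></s:Envelope>";
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(envelope);
        using (var key = new RSACryptoServiceProvider(2048))
            Console.WriteLine(SignBody(doc, key, "Id-demo", "SecurityToken-demo").OuterXml);
    }
}
```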

Mutual authentication with message protection in WCF

I'm trying to communicate with a web service that implements WS-Security with SOAP 1.1 and requires the client to sign both the body and the timestamp in the request. On the client-side, I'm using WCF and have no control over the service. The proxy interface has its ProtectionLevel.Sign-attributes where they should be.
The client is also required to negotiate the service certificate (TLS/SSL) and to validate the service signing certificate according to some custom rules.
So far, my best attempt to get a connection is with this binding:
var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
b.TextEncoding = new UTF8Encoding();
It results in the request below, where only the timestamp is signed, not the body. The service responds that the signature is invalid.
I've tried using CustomBinding and the SecurityBindingElement.CreateCertificateOverTransportBindingElement-function to create a security element, but it yielded the same results.
Using the SecurityBindingElement.CreateMutualCertificateBindingElement-function, both the body and timestamp were signed, but now WCF required me to specify the service certificate, which should be negotiated during the TLS/SSL handshake.
The request:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2013-03-11T15:41:19.744Z</u:Created>
<u:Expires>2013-03-11T15:46:19.744Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..REMOVED..</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>z2Q9Bb/I1Mo7DJFZ3uXA42JSH0AJJguvIfnYMxlKBAg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>FgvpaSy+Zg3PHul6q2//Wc1lp+z+tuPCFKcLFp5edYvApb8yDwVDhuRuYPfn5K2TdGpQQekV095WZofIpIUV5aA+VBzf0/qVMP9hvOCqloyjJF3FWiMC829yFE8ePrYT3c1VXWSZi1172E7iRTNetz5ZmRYKAlcy6t7MaIq++q6MlM0gkK/w/W5qWVLIvopf2MQc+V+PBBmx7nWKGzF4SxIgdD4JeGOUzIND68OozBYD7jrvHLeYUjUzmBCkrLKm2bXDDksrV9rJHZdoizKrC7C59uRPh+gG5pl2pMLYtimFnwot3L4lvysBG0apAftxXat091c5a4JtKAvuDiWOFQ==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Request xmlns="http://theurltotheservice">
<Value>123456789</Value>
</Request>
</s:Body>

Timestamp must be signed error in response

For starters, I know you'd think this is a duplicate but if you read them you'll notice that some people say that deleting the timestamp will fix it and others tell otherwise.
I'm trying to connect to a Java SOAP web service with certificates using .NET 3.5, but when I receive the response it throws an error: "The security header element 'Timestamp' with the 'Timestamp-984' id must be signed."
var b = new CustomBinding();
b.Name = "AVbinding";
b.CloseTimeout = new TimeSpan(0, 1, 0);
b.OpenTimeout = new TimeSpan(0, 1, 0);
b.ReceiveTimeout = new TimeSpan(0, 10, 0);
b.SendTimeout = new TimeSpan(0, 1, 0);
AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
security.IncludeTimestamp = true;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
security.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
security.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
security.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic256Sha256Rsa15;
security.AllowSerializedSigningTokenOnReply = true;
security.AllowInsecureTransport = true;
security.EnableUnsecuredResponse = true;
security.RequireSignatureConfirmation = true;
b.Elements.Add(security);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
HttpsTransportBindingElement httpsBinding = new HttpsTransportBindingElement();
b.Elements.Add(httpsBinding);
string certMapPath = Server.MapPath("~/App_Data");
X509Certificate2 cert = new X509Certificate2(certMapPath + "\\_CERTNAME_", "X");
X509Certificate2 serCert = new X509Certificate2(certMapPath + "\\_CERTNAME2_.cer");
AsymmetricAlgorithm key = new System.Security.Cryptography.RSACryptoServiceProvider();
key.FromXmlString("_KEY_");
cert.PrivateKey = key;
client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
Question is, what do I have to do?
My request :
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId CorrelationId="7d9e44cb-cecd-4c49-9a71-79a2ad04a2ec" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">63bde0b8-8953-41b8-b5c2-a69c712346b6</ActivityId>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo3dbGZWnrwhDouJE+VgKu4MAAAAAzmpHur/flUSUy0rxOVAJ8Nk4GsFjc6xOg46yQ3o0ZMQACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>Z4OHoIS/bVCWIROLBFcxjfJuXv0ebA/SO8WQWuPTrQo=</DigestValue>
</Reference>
<Reference URI="#uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>Pnp4gaKUnboMFE2LgLdsFzPBL+7fHqXacVg/MR7AS6c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-da5ccb9b-2c40-4ede-9079-c94abf912843-2"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
<u:Created>2013-03-04T09:27:15.087Z</u:Created>
<u:Expires>2013-03-04T09:32:15.087Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<getAvailabilityRequest xmlns="_url_">
<userID xmlns="">_UserID_</userID>
<password xmlns="">_pass_</password>
<requestID xmlns="">_request_</requestID>
<SystemIdentifier xmlns="">?</SystemIdentifier>
</getAvailabilityRequest>
</s:Body>
</s:Envelope>
Response :
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-932">
<wsu:Created>2013-03-04T09:27:24.013Z</wsu:Created>
<wsu:Expires>2013-03-04T09:32:24.013Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-930">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#id-931">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>+/NJN562AUh5U5T4VXGRbdU28+JLmW2bdHg1gLf/SWg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#SigConf-929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>uzljMoX3dAm90+8P10b2/xE5OooNeP81NDtlefCBoc8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Fixb+0TnwQ2KfLqywusmwcKF8OvoBP/bLqIKfLadyV1U97+NZKzcMrSJjSD0a0sDhJZ+lo/KoHVE
KBY12ZZDP9xE+k9LHAlWZIq3a2gvBkTFR3p5NcYFQM4cbA/x/bvpEqDyzqYSoXnXMOG46DFn5klo
DO0PJkMiXKvLBhrCpZtM26AovD5WQlD694EeIXt4jey15zvGzKz88eNfHqNiYa1Wu2HuOTcnSJRv
hQKHmJKpDzn9+ZSohsULVR5xtGFQD7GWL6LLFEMqthD2a10KMan43Qd62SMUcB64o+l/M+l89+Oo
AbE0S2GXP3vvSa3ZoGduktWlyNlC7Qz/Iww0Qg==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-83F04DBB53B92E8E1F1362389243499698">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-83F04DBB53B92E8E1F1362389243499699" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#CertId-83F04DBB53B92E8E1F1362389243499697" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=" wsu:Id="SigConf-929"></wsse11:SignatureConfirmation>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-931">
<ns3:getAvailabilityResponse xmlns:ns3="_URL_" xmlns="">
<RequestID>_requestID_</RequestID>
<Status>Available</Status>
<Version>1.32.0</Version>
</ns3:getAvailabilityResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Please publish the full request and response messages here (you can get them from the WCF log or Fiddler).
In general, if WCF sends a signed timestamp, and the response contains a timestamp, then the response timestamp must be signed. There are various workarounds depending on the exact messages, including not sending a timestamp in the first place, or sending it by pushing it into the message in a handler, or removing the timestamp from the response.