I have created the WCF web service which uses messageprotectionorder as "SignBeforeEncryptAndEncryptSignature". I have also developed the .net client to consume this web service. I am able to successfully able to connect and receive response from my WCF web service. But, my client is trying to consume WCF web service from TIBCO java client where TIBCO does not have concept of "MessageProtectionOrder". The sample signed soap request is as follows
<MessageLogTraceRecord>
<HttpRequest xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
<Method>POST</Method>
<QueryString></QueryString>
<WebHeaders>
<Connection>Keep-Alive</Connection>
<Content-Length>7895</Content-Length>
<Content-Type>text/xml; charset=utf-8</Content-Type>
<Expect>100-continue</Expect>
<Host>comp118</Host>
<SOAPAction>"https://XXX.XXX.XX.XX/APISIGN/IAPI/EnquireTransaction"</SOAPAction>
</WebHeaders>
</HttpRequest>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPowY5/i7l8ZdOl4B6x1uzACIAAAAA1re1c/La5kK2h1tnd2ijrMveD45HGZtHvanrpR7sXroACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-34291a98-4feb-43eb-8f91-f182297d086b-21">
<u:Created>2013-06-17T07:16:53.671Z</u:Created>
<u:Expires>2013-06-17T07:21:53.671Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">wc18MSP1B9qEKFLe8ji4H5tlIHQ=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>aQ4FENLuKcZvQGhiNPINr0c8BmTbCaLmXACs3ZFcsnRFVmGRMWUEIXCWCivJCxOIc9kYeftMxGADr6EbAJ6A3Bi/EcgLYnAulxZUcwMQrYwBTsbjFIOzJJBo9Ru5cz3RX+E/MgsroN9VFcOCzFfxlGiOi0ZmEqgfedzDlWBrRtUddA/mE9t6ZZBxsRDq1zzYu0bhY3oRtGe/RI0iYhZuAeS/UAk7g1PnIbr39lLI1XcYZG2gLGFlaxYGT76n+Zmph2tYW1usBnvHVXOpLc3Q8DN9CJ7lZJ8f+euTqIuDSApRLCHciauonQ6rPguPpSQQhLYf1CroqIeMr/nyStR0jQ==</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"></e:DataReference>
<e:DataReference URI="#_3"></e:DataReference>
</e:ReferenceList>
</e:EncryptedKey>
<e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<e:CipherData>
<e:CipherValue>+VJi2EwCmK4ovTULaBd+.....</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</o:Security>
<To s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">https://comp118/API_WCF_UAT/API.svc</To>
<Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">https://XXX.XXX.XX.XX/APISIGN/IAPI/EnquireTransaction</Action>
</s:Header>
<s:Body u:Id="_1">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<e:CipherData>
<e:CipherValue>r0ktDG7sauaw7R2PEowODZFaC7Y5Gj3WWuctwOwiewZ.....</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
</MessageLogTraceRecord>
I would like to understand what values are signed and encrypted in the following tags
EncryptedKey tag -> CipherData -> CipherValue what value is
encrypted here.
For Signature encryption, AES256/CBC algorithm is
used.
What is the Key and IV value for AES algorithm? 3) Instead of
"rsa-oaep encryption method" in request message, algorithm "rsa-1_5"
can be used? If yes, where to specify this?
Kindly someone reply at the earliest.
Thanking You,
Bhavin Shah.
Related
The Windows Live ID authentication we used to connect via SOAP to our Dynamics stopped working, after years without problem.
Here is the SOAP Request:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:MessageID>urn:uuid:56476fb1-26d4-4525-a62a-4a1c65e71e85</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2022-05-05T15:13:25.00Z</u:Created>
<u:Expires>2022-05-06T15:13:25.00Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="devicesoftware">
<o:Username>user here</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password here</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>http://passport.net/tb</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:RequestType>
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>`
And here is the answer :
<?xml version="1.0" encoding="utf-8"?><S:Envelope xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Header><psf:pp xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:serverVersion>1</psf:serverVersion><psf:authstate>0x80048800</psf:authstate><psf:reqstatus>0x80048800</psf:reqstatus><psf:serverInfo ServerTime="2022-05-05T14:54:49.1744415Z">ESTS-PUB-NEULR2-AZ1-FD071-001.ProdSlices rid:f2378b15-e610-4168-a77e-8572e61ba900</psf:serverInfo></psf:pp></S:Header><S:Body xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Fault><S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:FailedAuthentication</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason><S:Detail><psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"><psf:value>0x80048800</psf:value><psf:internalerror><psf:code>0x80048800</psf:code><psf:text>AADSTS90083: Request is unsupported.</psf:text></psf:internalerror></psf:error></S:Detail></S:Fault></S:Body></S:Envelope>
What could have gone wrong please ?
As #Guido Mentions in the comments.
You need to shift over to passing a JWT token now.. Dataverse has not supported LiveID since 2017, so I assume your using WS-TRUST there :)
That said, if your handcrafting calls to Dataverse, you should be using the WebAPI.
if you're using .net. You can use the CrmServiceClient or DataverseServiceClient(cross platform) to connect to and interact with Dataverse.
You can find more information here: https://learn.microsoft.com/en-us/power-apps/developer/data-platform/authenticate-office365-deprecation
Description: I have a .NET 4.5 WCF client and I neeed to consume a Java-based web service using SOAP. The client has to authenticate using a client certificate at the transport level. The message body has to be signed using a separate signing certificate. I've implemented a CustomBinding object trying all combinations of binding objects that make sense for my case... still no luck. Here is the post I got the idea for the CustomBinding from.
This is the code that generates a SOAP request (the CustomCredentials implementation is provided from Jawad, see the link with his post at the bottom) that is closest to the working request I got from the web service provider:
public static MyClient CreateProxy()
{
EndpointAddress epa = new EndpointAddress(new Uri("https://www.webservice-url/Server20/ID"), EndpointIdentity.CreateDnsIdentity("Certificate_Issuer_Name"), new AddressHeaderCollection());
MyClient proxy = new MyClient(GetCustomBinding(), epa);
proxy.Endpoint.EndpointBehaviors.Remove(typeof(ClientCredentials));
CustomCredentials myCredentials = new CustomCredentials(GetClientAuthenticationCert(), GetSigningCertificate());
proxy.Endpoint.EndpointBehaviors.Add(myCredentials);
proxy.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign;
return proxy;
}
private static Binding GetCustomBinding()
{
TransportSecurityBindingElement tsElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
tsElement.SetKeyDerivation(false);
tsElement.AllowInsecureTransport = true;
X509SecurityTokenParameters tokenParams = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
tokenParams.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
tsElement.EndpointSupportingTokenParameters.SignedEncrypted.Add(tokenParams);
tsElement.EnableUnsecuredResponse = true;
tsElement.IncludeTimestamp = true;
TextMessageEncodingBindingElement tmElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, System.Text.Encoding.UTF8);
HttpsTransportBindingElement httpsElement = new HttpsTransportBindingElement();
httpsElement.RequireClientCertificate = true;
CustomBinding customBinding = new CustomBinding();
customBinding.Elements.Add(tsElement);
customBinding.Elements.Add(tmElement);
customBinding.Elements.Add(httpsElement);
return customBinding;
}
The generated SOAP request looks like this:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://bsi.bund.de/eID/useID</a:Action>
<a:MessageID>urn:uuid:288e93bd-b004-42e7-b49c-00f1a315cd29</a:MessageID>
<a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDP/Eczn0ACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1" u:Id="_1">https://test.governikus-eid.de:8444/eID-Server-20/eID</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-08-25T13:48:07.634Z</u:Created>
<u:Expires>2014-08-25T13:53:07.634Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken><!--Removed--></o:BinarySecurityToken>
<o:BinarySecurityToken><!--Removed--></o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>BMfUzgz9+cG6FgNeljlm4T9v5Y0=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>TM59Or2Dn8j6oddZ/HE7viskDVg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>bQAoFq3VNK2GCxM9iM0ZLlvFZxxMLaH7E5Ch12X...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-4432a63d-068b-4627-bbb3-2bc94d016357-1"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<useIDRequest xmlns="http://bsi.bund.de/eID/">
<UseOperations>
<GivenNames>REQUIRED</GivenNames>
<FamilyNames>REQUIRED</FamilyNames>
<Nationality>REQUIRED</Nationality>
</UseOperations>
<AgeVerificationRequest>
<Age>18</Age>
</AgeVerificationRequest>
<PlaceVerificationRequest></PlaceVerificationRequest>
</useIDRequest>
</s:Body>
</s:Envelope>
And here is how the SOAP request should look like:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<S:Header>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns15="http://www.w3.org/2003/05/soap-envelope" xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" wsu:Id="_3">
<wsu:Created>2014-08-22T09:22:48Z</wsu:Created>
<wsu:Expires>2014-08-22T09:27:48Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature xmlns:ns15="http://www.w3.org/2003/05/soap-envelope" xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" Id="_1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_5002">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xhfeoN1hwzzG6xj53QP4Y/waCm4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>eNvJUyyQU/GRCS1V0tdoNzy8IHY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>KpzOsC/5r3UjKcOHx2l...</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=DE,ST=bremen,L=bremen,O=bos,OU=test,CN=demo_epa</ds:X509IssuerName>
<ds:X509SerialNumber>124466</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body wsu:Id="_5002">
<ns4:useIDRequest xmlns:ns2="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://bsi.bund.de/eID/" xmlns:ns5="http://www.w3.org/2001/04/xmlenc#\
" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="urn:oasis:names:tc:SAML\:1.0:assertion">
<ns4:UseOperations>
<ns4:GivenNames>REQUIRED</ns4:GivenNames>
<ns4:FamilyNames>REQUIRED</ns4:FamilyNames>
</ns4:UseOperations>
</ns4:useIDRequest>
</S:Body>
</S:Envelope>
The main difference I see is that I don't have X509Data in the SecurityTokenReference tag, but only a reference.
So, what am I doing wrong? Is the missing X509Data tag in the request the key to the problem? If yes, how can I add this information there?
I am connecting to an external java webservice using WCF. I have no control over the service.
The supporting tokens are 2 x509's and one username token, sign and encrypt only the body. I am able to generate a 100% compliant request as per vendor soap request sample.
WCFClient uses a custombinding to generate the outgoing request. I am getting a problem with Digest Value in the response. How do I even check, verify this?.
The server log says the following :
Signer status: 'Extracted the certificate chain from the BinarySecurityToken having format x509'
Reject set: Hash values do not match.
Hash values do not match: 'l6kqP048t5INzJT3W8gxVSXplaE=', which is the Digest value in the Signature.
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-1" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>REMOVED=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
</e:ReferenceList>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gCwFapZ3D/vUXsvAShTQwNWJoA23ad54NRmUWXR7IBFbsr75HBdZUG5lO1Af+ncShzwJA2a6jJXJmw/1gKswyAP9QuZsa9D+6fGh8jwcVqjm5v/Sh9rgQxWjL6U1kkovP0IAqEjafRu6YgmauFVCHUrJ2QfIN96WYTPnYm9Puvs=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
As per my knowledge I am not doing anything special
Custom binding does all of this
Would it be an issue with trust stores. Working soap UI sample has a truststore cacerts with a pwd changeit. I think this ships with javakeytool.
I am using the following custom binding and chain trust
AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
secBE.AllowSerializedSigningTokenOnReply = true;
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.RequireDerivedKeys = false;
secBE.InitiatorTokenParameters = x509ProtectionParameters;
secBE.RecipientTokenParameters = x509ProtectionParameters;
secBE.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secBE.RequireSignatureConfirmation = false;
secBE.IncludeTimestamp = false;
CustomTextMessageBindingElement enc = new CustomTextMessageBindingElement(Encoding.UTF8.ToString(), "text/xml", MessageVersion.Soap11);
HttpsTransportBindingElement b = new HttpsTransportBindingElement();
b.RequireClientCertificate = true;
CustomBinding be = new CustomBinding();
be.Elements.Add(secBE);
be.Elements.Add(enc);
be.Elements.Add(b);
-----------------------------
proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "Usercert");
proxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServerCert");
proxy.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.ChainTrust;
Updated to show working both the working request and the faulty one
Both are the same as per my knowledge. One difference is the order
Working one has BST, UST, BST
Mine has BST, BST, UST.
Working Soap UI Request
<soapenv:Envelope xmlns:mhs="http://org/emedny/mhs/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="6BB387229F4FD6E3FC13753868206455">MIIDFjCCAn+gAwIBAgIBDzANBgkqhkiG9w0BAQUFADA2MQ8wDQYDVQQKEwZlTWVkTlkxIzAhBgNVBAsTGnJQcmQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIxNjA1MDAwMFoXDTEzMDgyMDAzNTk1OVowYzEPMA0GA1UEChMGZU1lZE5ZMRQwEgYDVQQLEwtlTWVkTlktUFJPRDEPMA0GA1UECxMGZVBhY2VzMREwDwYDVQQLEwhlU2VydmVyczEWMBQGA1UEAxMNRFBNZWRzSGlzdG9yeTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqdOQyIej9kENyppOOeOPF5olvolfZz2GUG4eYEkJtBH0WBDahM5Pm3N7U52Sm+YYPXkPMe+NTOWXUvGOdrp3mMJlN/+A5N4oEM9WwXzDhdsIXufzW5s1zJOW1xKrWgb2/hHXAyNIciCrtsFVBZ8S6c1iibZecrmdkQyiNZsXntMCAwEAAaOCAQUwggEBMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgY8GA1UdHwSBhzCBhDBNoEugSaRHMEUxDzANBgNVBAoTBmVNZWROWTEjMCEGA1UECxMaclByZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxDTALBgNVBAMTBENSTDEwM6AxoC+GLWh0dHA6Ly93d3cuZW1lZG55Lm9yZy9lUGFjZXMvY2FjZXJ0cy9DUkwxLmNybDAdBgNVHQ4EFgQUs60iHpMc/Jz2F4lt/lHnLVtZco0wHwYDVR0jBBgwFoAUwbo3tXRFck0wN5g2DPS+/+xVHnQwDQYJKoZIhvcNAQEFBQADgYEAKzRgS2QNHW5f2R348N3+jRRbtlJdS/kM974rsnvoNHb2QatSLWxwa5dr7ASaDUXiED7jzB51HzbehyfE8afdq7OByuMN/J8yXK2B3Dv6y3F6uDHYP9H7JDGXoq2kdexpVD1oY4UEi5QOkdhtL8URJ355A3Fr/faIC8fGF4miq04=</wsse:BinarySecurityToken>
<xenc:EncryptedKey Id="EK-6BB387229F4FD6E3FC13753868206454" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#6BB387229F4FD6E3FC13753868206455" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference></ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>e5nL8OsjXRBtVrkV6eb4W5KhgOas2UL3C26BmcAArBZNk+yBVQoCIRTBMXYomvLeHFB/oNO3RqXEd8NTrSTnC8ydH/BEf9vKSGqsyQzaEkk4oV93fgWtMgE4DErUS/8oBS2DcgvtJle1tpoNR7FNp7iBif0idmGyL6L2lBT9HmM=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-4"/></xenc:ReferenceList></xenc:EncryptedKey>
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>USERID</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Vjjuy4+O3TwT7BmMACfLQA==</wsse:Nonce>
<wsu:Created>2013-08-01T19:53:40.446Z</wsu:Created></wsse:UsernameToken>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-6BB387229F4FD6E3FC13753868202121">MIIE4zCCAmcwggHQoAMCAQICAQAwDQYJKoZIhvcNAQEFBQAwNjEPMA0GA1UEChMGZU1lZE5ZMSMwIQYDVQQLExpyUHJkIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wOTA1MTEwNDAwMDBaFw0yMTAyMTAwMzU5NTlaMDYxDzANBgNVBAoTBmVNZWROWTEjMCEGA1UECxMaclByZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMT0hW0sdDEmMBxg9Ye7TsHERFsAWzw7td+rAjTng0NRWiEGDDBzMiJGHnyWMdt3lUywLjKH2RNYep0D4rQkULtCsnaQ0I2M/+AgoDsR3+RGV3xGwU5TbvBQ56mzZzkfLWRKg0medA9q8Ia7rXAvVlm6Uhy1KW3xsrskEu9sLFOpAgMBAAGjgYQwgYEwPwYJYIZIAYb4QgENBDITMEdlbmVyYXRlZCBieSB0aGUgU2VjdXJpdHkgU2VydmVyIGZvciB6L09TIChSQUNGKTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUwbo3tXRFck0wN5g2DPS+/+xVHnQwDQYJKoZIhvcNAQEFBQADgYEAET5poNE2QeZNUjQ4u9PzNBkY4AO+5pFxHHp4AnbU6XzTrClHcn2QJlUAo2b9ryVgC2L8R+h6tJA1/2EQIVmmsCSegulzcOScNyDL0sm67GRwmx28zQ22y/9F3nAKSSsQwWz89vnXKQQSrpWPHEuMNVt/9fRTdUcWDWMW6LX3B3IwggJ0MIIB3aADAgECAgIAoDANBgkqhkiG9w0BAQUFADA2MQ8wDQYDVQQKEwZlTWVkTlkxIzAhBgNVBAsTGnJQcmQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEzMDQyNTA0MDAwMFoXDTEzMTAyNzAzNTk1OVowYDEPMA0GA1UEChMGZU1lZE5ZMRQwEgYDVQQLEwtlTWVkTlktUFJPRDEPMA0GA1UECxMGZVBhY2VzMRUwEwYDVQQLEwxlUGFjZXMgQ2VydHMxDzANBgNVBAMTBkxNV0FSRDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkylE6EOuNVakw/ud2s3Rx/DH7JtlzHOK9BEpKRvzeorKAF3QkY2ck2oNe6+lru815uWjDavrd9xvXd3r/Yb87SSkKpYXmdaBzPRZmr/uDr8UkM9C3DkPE47ENqTjDQssLlpo3PZWDdvqsUObeURbKU+A8hhpiPOhza7DzytTsaUCAwEAAaNnMGUwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQEpxRjV1ZWlWPEmCM9oEqO7wQLKDAfBgNVHSMEGDAWgBTBuje1dEVyTTA3mDYM9L7/7FUedDANBgkqhkiG9w0BAQUFAAOBgQBUzaHqesbXbqclwHq9cRZPc/7FJp5udrzQ6nQgbXaBcuBKUql/v7C1/ZwkV/Rxi9BqGTMBDoKBaUpvyQ30drpCON9nQGfrQhMshpUxx6S/mfuLDazCjvhtdCxJE9uET4Fwi1bhifjHKNO1NnB8JMnm4avMMRnbi8Kr5+eoRD9mzA==</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mhs soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-1">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="mhs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>FchA3vEpfP7i3adziwVpYnrI/BQ=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>ZnEgibHIj1B+Gk+m8THvgNownzH8eCfymugLIHM+EyZsPz+xyOAd+IR43LAo/LcuAVZK8lBrtFKc
DJO2zETYXv9gXnQP4Z8kAirkOtWuE6nPPwooSBlGXRr/j2zOp6ekdCoyqI7Hlhljh0NVaIbwzAsS
yfrsYGw0I0zJzfI3Hkc=</ds:SignatureValue><ds:KeyInfo Id="KI-6BB387229F4FD6E3FC13753868203372">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-6BB387229F4FD6E3FC13753868203413" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-6BB387229F4FD6E3FC13753868202121" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#EK-6BB387229F4FD6E3FC13753868206454"/></wsse:SecurityTokenReference></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>IMyfgrFU0VZZV+buomWUGAmPr2TXGlNETpECX7jF5xrQcJAk6Ql/eGv70ttFaFulwyuNmtM8u+KT7CM0/xhmwyrB6X5iUYCjZp+aL7XAs+hOPHcd/lSZmAOyV2DBH7B/PopiDuE7hgmQQn0zhV4WommQbe3ss77mmdQQlQv8RhqvIg2xs4k70eB8QaYUdQ6sa6BxYPnc3SkxFXb24/3s7CZVPj8vecfLwiAVLhIk55rVR9eyYeGD97haM3YeuBRMA2xNNgItvsqK8m0ePxKNT/KrQlAeivRRLwfSY8+sIisdk9Q3ioXgkZ0quM+fjlHrH816swbeY9IVFBvoDA+jWqkjbriOezMHa5SJB/ubjxpS+UMld6EOP/71Btts6FGwUoJjygzbwCVYUIS9/rMCOvJf+q1gK8SbjTwTmiozoo3mIxb7cfGmN4/Y7B2zeFilKfDbPBPESIR7QW+c08Uyyr6P4C0rAJ6+NL5Lr8g+eEsVjCpFUtbzmupk2hfqsySnmWjPx3CfOBnaRrtlTYI3J3yK7Il4lQ4P3qvBT9vGNr8nnQ7ziS4OhTD6PTzmB1FDpv3Nb416xD5tIBVtAkhC3yDRqF9TAAmb8V+8ynxrkjgZOpmTp//PgrIMZmzLh2udttBSzAHTc4Waq1+baSimoRRwL/SxOOmRgjji2lp/yoSeMBIDDLoXRE67HSD1dtUdTab9kEu4Rqr1D/g1PXNZZA7qIXu1Gdg5zIN0kxRWWDERz/D8FtEFxCDb6VOlSkthBT3y/HD3EO67dtabqnKdSSCItcr9UuqrEs+B+SHujZv9DnsGFL6UAm2WMfqnGuvNk2tXYZAvtJCbcExmWm5olb2WdRiEyP0G6Tpnja+/VmMaJg1qVUwwuOcQRq0U1mZujkIX1Z1Rpbk3j/7g0Ck4Qn4jnAqaMqeLDu1WUBUZa41RuS55V9xhoVz7/zKXP9pqsf0Fv7bQ1LPspsV7pb5sWup+GzPvMJDG/LUDhEvFXGy7cEXvPypE+n88IY2i815xxNXKZgW3hoht3sESH8eqjCPoBJJ4CciDvzb9STjKBO3Cj6TcibLZU60LDDvMaJNXH2fN/VOOc4LY42tdgrvyZi9sipjOisp+r6qYg1uW5v+tAqA8hoY0UH8dD66sD6FHS02eAsMkwudAK7m9qmHfzU0BML1H9/rCF9hgUjsJet2wZgWs6ROulo2lT7qnFncOv+uRyN3yStRqsbSIk3WZAOAX8LKMpX8sgFvXWyqUDdSyJ4YJuB2G65G5Ijq75PbuQZZUaJMsWSQBDsbp+E4a7rZHigBEWc5WroktfptCuBwZvCbXC7v3VyzvlCswk5kBUCGfl0AgUjQ=</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope
Below is the request which my custombinding generates. It fails at the Signature-Digest Value
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<ActivityId CorrelationId="2297e645-5077-443d-a7d2-d9af74ddb07e" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-2400-0080020000f7</ActivityId>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-5" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICdDCCAd2gAwIBAgICAKAwDQYJKoZIhvcNAQEFBQAwNjEPMA0GA1UEChMGZU1lZE5ZMSMwIQYDVQQLExpyUHJkIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMzA0MjUwNDAwMDBaFw0xMzEwMjcwMzU5NTlaMGAxDzANBgNVBAoTBmVNZWROWTEUMBIGA1UECxMLZU1lZE5ZLVBST0QxDzANBgNVBAsTBmVQYWNlczEVMBMGA1UECxMMZVBhY2VzIENlcnRzMQ8wDQYDVQQDEwZMTVdBUkQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMpROhDrjVWpMP7ndrN0cfwx+ybZcxzivQRKSkb83qKygBd0JGNnJNqDXuvpa7vNeblow2r63fcb13d6/2G/O0kpCqWF5nWgcz0WZq/7g6/FJDPQtw5DxOOxDak4w0LLC5aaNz2Vg3b6rFDm3lEWylPgPIYaYjzoc2uw88rU7GlAgMBAAGjZzBlMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUBKcUY1dWVpVjxJgjPaBKju8ECygwHwYDVR0jBBgwFoAUwbo3tXRFck0wN5g2DPS+/+xVHnQwDQYJKoZIhvcNAQEFBQADgYEAVM2h6nrG126nJcB6vXEWT3P+xSaebna80Op0IG12gXLgSlKpf7+wtf2cJFf0cYvQahkzAQ6CgWlKb8kN9Ha6QjjfZ0Bn60ITLIaVMcekv5n7iw2swo74bXQsSRPbhE+BcItW4Yn4xyjTtTZwfCTJ5uGrzDEZ24vCq+fnqEQ/Zsw=</o:BinarySecurityToken>
<o:BinarySecurityToken u:Id="uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-4" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDFjCCAn+gAwIBAgIBDzANBgkqhkiG9w0BAQUFADA2MQ8wDQYDVQQKEwZlTWVkTlkxIzAhBgNVBAsTGnJQcmQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIxNjA1MDAwMFoXDTEzMDgyMDAzNTk1OVowYzEPMA0GA1UEChMGZU1lZE5ZMRQwEgYDVQQLEwtlTWVkTlktUFJPRDEPMA0GA1UECxMGZVBhY2VzMREwDwYDVQQLEwhlU2VydmVyczEWMBQGA1UEAxMNRFBNZWRzSGlzdG9yeTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqdOQyIej9kENyppOOeOPF5olvolfZz2GUG4eYEkJtBH0WBDahM5Pm3N7U52Sm+YYPXkPMe+NTOWXUvGOdrp3mMJlN/+A5N4oEM9WwXzDhdsIXufzW5s1zJOW1xKrWgb2/hHXAyNIciCrtsFVBZ8S6c1iibZecrmdkQyiNZsXntMCAwEAAaOCAQUwggEBMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgY8GA1UdHwSBhzCBhDBNoEugSaRHMEUxDzANBgNVBAoTBmVNZWROWTEjMCEGA1UECxMaclByZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxDTALBgNVBAMTBENSTDEwM6AxoC+GLWh0dHA6Ly93d3cuZW1lZG55Lm9yZy9lUGFjZXMvY2FjZXJ0cy9DUkwxLmNybDAdBgNVHQ4EFgQUs60iHpMc/Jz2F4lt/lHnLVtZco0wHwYDVR0jBBgwFoAUwbo3tXRFck0wN5g2DPS+/+xVHnQwDQYJKoZIhvcNAQEFBQADgYEAKzRgS2QNHW5f2R348N3+jRRbtlJdS/kM974rsnvoNHb2QatSLWxwa5dr7ASaDUXiED7jzB51HzbehyfE8afdq7OByuMN/J8yXK2B3Dv6y3F6uDHYP9H7JDGXoq2kdexpVD1oY4UEi5QOkdhtL8URJ355A3Fr/faIC8fGF4miq04=</o:BinarySecurityToken>
<o:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<o:Username>USERID</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
<o:Nonce>19sRmzQElHKqxL6ICMzpJf7NOU8=</o:Nonce>
<o:Created>2013-07-31T09:24:00.933Z</o:Created>
</o:UsernameToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-4" />
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>XQQjLvSY5VJ4BYkDxdsIUYYFRz+eleKaiU5bSFpUMblIm7ssKXOLJJsLBbNHREycIV8u5LR9ZixI7nI5BeacKYT+nlEikPREgUwEbvsGMb6LxkquUsIDhicpY5lKMhijbYtrE8O0Ee1TX3kT6hRb6QnvWZSGjnDhfLZvu3SO9cY=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
</e:ReferenceList>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>l6kqP048t5INzJT3W8gxVSXplaE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>gCwFapZ3D/vUXsvAShTQwNWJoA23ad54NRmUWXR7IBFbsr75HBdZUG5lO1Af+ncShzwJA2a6jJXJmw/1gKswyAP9QuZsa9D+6fGh8jwcVqjm5v/Sh9rgQxWjL6U1kkovP0IAqEjafRu6YgmauFVCHUrJ2QfIN96WYTPnYm9Puvs=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-63c0b13f-8368-4bc9-a493-b362c67ac14b-5" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<e:CipherData>
<e:CipherValue>pkVTvAXkNSAw49UQaR8xjz3N9BLM3fS2k9j9JKUwLfg1hynpnDZMme5P4xwfDjnhYtx/ftIc3lnN9fDnECeMG+V8dPPD/nRqCsaExYbIgyY9KBmCBRx0OgrbJQEYX6Jq5n24sWDZb9yk7JEKmh3sZOnzWm6k/GaTv8UYzY0/rEBmS4m1W7kP/asCw11QzM2daolIerQ0OOYSecnk/NjmiEmK21dq4yIBVbUGn5UPllD5fIHtL5PQk8kcp9S8snfaAkKQhSQqokv8s0R9uLIKBYlmX4r+uFJLKXFIKdDZLb39U2MOWacOmQQ/KlEuBWZibhxvRfUnBote74dI7rfYjKCHpJZ9LoQN+/3R5CNfsJmlyEKGvp7pCZfPABtkjTQgKBJkL0zj8xA0149g1m0mSPN1AfUeRlFHw/T90qknYwQ5JTX4vVP1HKStieFf7raMocT4poNkm3Anqik+IDFPNNsH85TnVJgCOeemnM8ZoWRTsnAIhmTSEiRaDE+bAi2+vNJHBxIwpoR65rgk1N8DcEPfQkWAPgiy76lyXyTk/kPqZgepnZdghcdZ6u7tl1eLv0IscJVXJpQtFHgWur/AIBaUEUyfiMSPVIWfJdd/W4E3/BCFEdqfJwOqmxULS+w2GQMvUHrQJ9S3+8o2ajBBCUqxjYBKgcoDrdvopDaPzaBALQJUqECUz3grCCTiqiEzGyWiGjqwHVl9JQTNJesfxOATlEDjRu8lPdeM/c0OlM8JOdG8CiTx1x0TuUTGGsGXmfr25tanwoA5iEEms6oP0sUhB2o65BvuGPUSdJRmlfM2p9kEohShUDYR/hHnvFhKPd/dnPHP/q1kIiAybgWUaXQ9BsQajKEt1ZsW+zJ2T0vqiSrZkJOJSirSFOOsz4vFzOtEM/lMy80n6ltF4GHPxJHNK9zv14CHoTGUCK18+uvFCcA2DKgaPnJBXmBwpPjAW2jAVIFE7RgA3kGJomPygyV88A8TkkPs+7h2v+mLpj2B+9ev62g9Lws+At74b0DFU5D70SFazVNnRHGXPHHSr0L2XRDlHg6A9ZW884cGmRftGyPuWZotCfaBfCI4gWjak0W2Zu3TSdU1HHxWKW8jOvsSr8pdMjnzMAsPRAyjlPfE69eODRh1J+FAcJg+jVpAvpwWfpo81GRn9F7RcpkfySh7hKufNMsKOTZg5ciXl+N4dBCJ186Q5eqCAItEqwkxwGiXWB3W/QQGdinCdwz8gA==</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
Messages look very similar, a little disappointing that the server rejects WCF. You should be prepared that this can take some time to troubleshoot. I would try debug this with the following different approaches:
Based on the error message I assume the challenge is in the digest calculation. See how the soap UI has this element "". This element is an instruction to the signature signer/validator. Maybe the server hard codes this value into its signer in some way so the fact that WCF does not have it affects the digest. WCF cannot be configured to have this (usually it is not a problem not to have it). See if there is any configuration in SOAPUI where you can also not use it and see if it still works.
replace SignBeforeEncrypt with EncryptBeforeSign
setup a WCF service for the same WCF client and see if it works (though it probably will, so this is a long shot).
Try to contact the service from clients in other platforms, see how the server reacts.
Try to remove complexity from the service - e.g. remove the encryption and just use signature. See if that works. This can help pinpoint the problem.
The brute force way would be to find the service code that calculate the xml canonicalization and the digest and debug it viz-a-viz to the .Net code. But at that stage you would probably seek to bypass the problem in some other way.
I'm trying to communicate with a web service that implements WS-Security with SOAP 1.1 and requires the client to sign both the body and the timestamp in the request. On the client-side, I'm using WCF and have no control over the service. The proxy interface has its ProtectionLevel.Sign-attributes where they should be.
The client is also required to negotiate the service certificate (TLS/SSL) and to validate the service signing certificate according to some custom rules.
So far, my best attempt to get a connection is with this binding:
var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
b.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
b.TextEncoding = new UTF8Encoding();
It results in the request below, where only the timestamp signed - not the body. The service responds that the signature is invalid.
I've tried using CustomBinding and the SecurityBindingElement.CreateCertificateOverTransportBindingElement-function to create a security element, but it yielded the same results.
Using the SecurityBindingElement.CreateMutualCertificateBindingElement-function, both the body and timestamp were signed, but now WCF required me to specify the service certificate, which should be negotiated during the TLS/SSL handshake.
The request:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2013-03-11T15:41:19.744Z</u:Created>
<u:Expires>2013-03-11T15:46:19.744Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">..REMOVED..</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>z2Q9Bb/I1Mo7DJFZ3uXA42JSH0AJJguvIfnYMxlKBAg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>FgvpaSy+Zg3PHul6q2//Wc1lp+z+tuPCFKcLFp5edYvApb8yDwVDhuRuYPfn5K2TdGpQQekV095WZofIpIUV5aA+VBzf0/qVMP9hvOCqloyjJF3FWiMC829yFE8ePrYT3c1VXWSZi1172E7iRTNetz5ZmRYKAlcy6t7MaIq++q6MlM0gkK/w/W5qWVLIvopf2MQc+V+PBBmx7nWKGzF4SxIgdD4JeGOUzIND68OozBYD7jrvHLeYUjUzmBCkrLKm2bXDDksrV9rJHZdoizKrC7C59uRPh+gG5pl2pMLYtimFnwot3L4lvysBG0apAftxXat091c5a4JtKAvuDiWOFQ==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-75db13c1-3c82-4e31-8dbf-75af257850ac-1"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Request xmlns="http://theurltotheservice">
<Value>123456789</Value>
</Request>
</s:Body>
I have a wcf service. The binding of the service is wsHttpBinding and the security type is message security. The service is hosted on IIS. The site binding on IIS is http(80). The service also has a certificate which is configured with a service behaviour.
Binding:
<wsHttpBinding>
<binding name="maksServiceBinding" maxReceivedMessageSize="2147483647">
<security mode ="Message">
<message clientCredentialType="UserName" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
Behaviour:
<serviceCredentials>
<serviceCertificate findValue="xxxxName" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="xxx.xxx.xxxServiceUsernameValidator, xxx.xxx"/>
<!--<clientCertificate >
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</clientCertificate>-->
</serviceCredentials>
My service is working well but I have three questions:
1) How can I enforce my clients for these configurations:
certificateValidationMode="ChainTrust" revocationMode="NoCheck"
These configurations can be changed on client(ex: certificateValidationMode can be changed to None) but I do not want clients to change these configurations. (commented) does not work.
2) A client needs to add certificate to consume my service when the certificateValidationMode is ChainTrust. But if the client does not add certificate and change certificateValidationMode to None, client can consume the service. If I can not find a solution to prevent this, I will write custom certificate validation with X509CertificateValidator. Because the service messages can not be encrypted(unsecure).
3) I watch the requests and responses on the client side with fiddler2. I tried out two situations.
First; the certificate is added and certificateValidationMode is ChainTrust.
Second; the certificate is not added and certificateValidationMode is None.
The requests and responses for both of the situations are same. Here the questions come. Are requests and responses encrypted? If they are encrypted, how can the second situation be? Because there was no certificate on the client. Can the certificate be stored on somewhere else like cache?
Fiddler2 output:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_2">http://nvi.gov.tr/adres/IMaksCrudBusinessOf_Bina/Read</a:Action>
<a:MessageID u:Id="_3">urn:uuid:e1ef9b1b-14c4-4952-b535-ff84a11b18b4</a:MessageID>
<a:ReplyTo u:Id="_4">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_5">http://umuts/MaksServices/MaksBinaIslemleri.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-11">
<u:Created>2013-03-10T17:54:01.744Z</u:Created>
<u:Expires>2013-03-10T17:59:01.744Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken u:Id="uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:ced2f798-d488-405d-9e4d-a9bce5acc8f5</c:Identifier>
</c:SecurityContextToken>
<c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-9" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>vUN53uBYs3XxRkW30IRUGg==</c:Nonce>
</c:DerivedKeyToken>
<c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
</o:SecurityTokenReference>
<c:Nonce>cJDYx++Xl28SaS57RPr/Og==</c:Nonce>
</c:DerivedKeyToken>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"/>
<e:DataReference URI="#_6"/>
</e:ReferenceList>
<e:EncryptedData Id="_6" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>Awdg0bBuWmrYzddiVm2TztRIvytluR/wUVfe329DiPk2kNVO1NI5RE4/Gol/3dyObGXbvBO9eFR1Y84gOAw6gwVue+BVRMqIlYxuVkSijXsWzp/Cz84nJN+paGnKtXMIlefdRC3y3G3AcN3TX8hzwoPM1BQttJ8YJQV8PK7Lbgv2YXX/9XzgIteeIgz5KzMWp+rJ0egGxdsKLkwE3jFbj+ncfiKX7qWoFhQgCz53FbNXvPMQ/QE7LBaqhEereX/U2+Dc8ku+D/eep9g5i6v9p0RPv2g5K4dT5UeLXIh5Whqh8fx9xSZY1WsV+RegePNIyXEf/meeN3FnnC8dyJENoxfKny0tWfkiXyLxtF6SHHAUh50VKPnsrdpJh+9yIfprCpLRSLqIAaRGPjiK+oZEnDSNI7q/ipFB8KHeJKi+b38VrfBC/4IqUL+BQ+AHfWyRS2yYsAXGBWsIBLzUU7AFsslpJb3Z5Q2Z7g5FpRNUKiIbvhPZ+1dLBdthYAP0JuiawX4WCq4Ew0UB6Rh6bH1OD5eqfEbetRzr4KJt/9VW585x/Opx24wAfP2ktC5Tl//Az6jz1PAOhotHDXUN6FCW5oG9ah93S2i/fHNpqeiJoVCWEOBR+v8ExJcgbC/EtH01TaoyMHS+UlpbzWZk1h5sC21rtqHVrWjy4s0ZupBiPWabfVwKzz0VJ4DCTbnnHdNcyryvAM6kS+6qOgZbf6pWDx5MqRp00l2+N3yFJWoOCjPWzCqRcL0WUHucrJhRvCzpzKy16mQuFyFrZwXJjYmSBFv41V1lP/uyV+1+WMRcAdezqDDaYOyRb15jizMXZD9YYRau89nre64UzsCDNpmt4heD+tqOIivsId4tteKg64umY3xPRRaD0beZDrfBm8SpXsgt7U1K/wd2R2Q4U0fVFKgYJPH/1W6ZgONd/skg6AZ1tRK4y2nDiQk+yV8F99j9ipk2iMgjhDxlNN20yA2Svz85i3wJqUp3Qh+Eksmre2rcuClE1GZPadAOWumJVuL8FsNjZ50jeTWwYUE3jYKxCFIs+05jeiRbBRrbhVCDSze/47to9sNNXyGrR0yxIYE5QI+fE7zbjalWXdSISD68cpuGUg+ne/+ABa3DMlxmj1DOD3DwlHpWFxWC4F2E/nQvd5cDczyru+hpEw6kObR1RhlZR8AWY1FDP7YotugGM3imPelrRR91+vYPjY74pz0XZX6KqIlUS70as8tKodrZejMxqK542pmsc1r1/NyOmr669++6EEt1U5gikO8LLuUyKw7IpI6cxqyIN1aKoMhpZktS3NS4paQdWxtJqS1mT0FgvpyxVurPliWh5nreb8/5/txrfVxvNjmbEEVDTdHIa4IzefPpX19ZQwYnWea5hGGBSS7q20VA3gXkQGmHxjyZl9Vm6xCqTXqI8HLk7+zOncUuzo8rsk6k/LoEhLKkVpSliwrMMZdOvAyY9mgpn55KWDpD4cTxli4KhosltOmZ4S+8cErMSwBUVqiB2DEMj2nPsOjM9wA1LnPsWj7yva84Fc5/zwLS+hUN40MFohtsu3+wj5eyXnoIbDmTGTLq4W/p8DFxZfgE50DLtNmy06TAz06lOzpXYViFwC/gJnhNrmn/a3l79QCIl+ldyOqbrsosSSCXqk7aLx6IvLiw5AugiH3lQXH6bjtPd3KoYXZiTbSdTNNDy+Q8d1uO8lDAsXClXdRqUuss8pPQJhVHUdvffr0AF//mpfiC1O5kSppTpJCjyhpZ7B+uHLKeehXuhvuGxyIsdb4NzPD+cjDhxwwdEFH2nUCOYLdIsqzSCluF3hovAFnCQ00wdqS2s/GTu+p+8d7VrYaau6Fv+B8/N3pBLBWIPjmEbKlmX70KaBAT2y3CEUG+nGmiqI649UXJ492A7s0bdTBVmetdTyAyvRsFucDi/ZswbTr4D4LrDNouYn+cI0cUoXOAJ5zv3xFGuYdeqsyaLIHP2y06P9RSHCACBvjZHwW3Kl4BUZOneTCAquFPgFdc8gcwXmx8uGaIgwdTx9H20FOq+VIacpr2sThZ4yxZdz6SPIejlOOyrL/oxgaqRi9Rkt+N91Z6U7/dK3Rl8SHjc0LQT3czL0MOtzwY5lq05FXhnSzpkXauQ9K8Qy83Nxfx5s8DT3tOyFOdTe308melK/3uRlvyQ5wJFqcd6u7+fQNqCsDJ3hQmHJqZCwRawJPcS1B9zlpo+9sT86Gz0HwUpSILHEHF0iBLg9X1yz6jZfeWc8qW1noFvnRI0aNkiypQSEbC/nR4AJp7KPsaD6bwK7+H3yX+p6Tqydyj4ckVQBP9jV3w0dfk5wQNaQIXyVEzr4/x9Jg4fb4CGK8gCTSFx8jPta8vjWRirf/LpYoFwF02S6llSGRJERIc/hR1FPLTn3gfx5sl5bqkpmk2U3hHSO0OR1fYU8Dcw2YJduxC3e8aHXOMVrkHx4N6hLT6a5EJy8N4W79vqo+6964ZC9nKxQk/l7UkgcEtogw5pnuZZn39elk4pAK51FsrAgnzNIpFoepOfBP3hLj3xGFSUDHmt50G+cAlxgl04Y2i/isecXDOxzMxWN7wpJjcgr25tju93Y2Bt+sR4Zs+mg4A2cSQ4LSrXrfQSPuKL0KeU60u9wJmQda/zT5NNOIVFL4fTl9yNOBugpESbTIF/ceg4KW9rOeyqJJQg16GRVLG1Xayu6GXdjSuxVfoInccNJQJZpzaeMZolYeHnQVWcP9D1QmBBuJL/OnKrsvDpZt61qn9lCXcYF+UiTl+tZOOQry9ASKnNZFHIIymUyFb26Gzgydzud5b/HCfy6T4YxKO</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</o:Security>
</s:Header>
<s:Body u:Id="_0">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>xgJK91cn2sLm4FvnVJZoueexPXVExJaA/gCoBdZK2nLlBLvIFnQz/Y6okzRfh0jugF6Vrx5aj+0i3T6V6TfNnBkFuLsKnDeyL2D/cawlBqM=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>