Signing RST sent w/ WSTrustClient
- Hi All,
I'm trying to send an RST to an STS that requires me to auth by signing the request. No matter what I do, I can't get WCF and WIF to stick the security token in the SOAP header of the RST.
I grabbed the following RST off the wire using a working non-WIF-based app:
```xml
<env:Envelope...>
  <env:Header...>
    <wsa:To>http://mysts/sts</wsa:To>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
    <wsa:ReplyTo>
      <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:MessageID>...</wsa:MessageID>
    <wsse:Security...>
      <wsse:BinarySecurityToken...>...</wsse:BinarySecurityToken>
      <wsu:Timestamp>...</wsu:Timestamp>
      <ds:Signature...>...</ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="...">
    <wst:RequestSecurityToken xmlns:wsa="http://www.w3.org/2005/08/addressing"
                              xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                              xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>default</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
    </wst:RequestSecurityToken>
  </env:Body>
</env:Envelope>
```
(If I over snipped that XML doc, let me know, and I can post more of it. It's not private, I'm just trying to avoid information overload.)
I am using all sorts of variations of code like the following to try to get that digital signature in the RST:

```csharp
private static RequestSecurityTokenResponse GetIssuedToken()
{
    // Binding with no message security at all
    var binding = new WS2007HttpBinding(SecurityMode.None, false);
    binding.Security.Message.EstablishSecurityContext = false;

    // Client credentials: STS certificate (validation disabled) and the client's own certificate
    var creds = new ClientCredentials();
    creds.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    creds.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My,
        X509FindType.FindByThumbprint, serverCertThumbprint);
    creds.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
        X509FindType.FindByThumbprint, clientCertThumbprint);

    var trustClient = new WSTrustClient(binding, new EndpointAddress(stsAddress), TrustVersion.WSTrust13, creds);
    var rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
    RequestSecurityTokenResponse rstr;

    // AppliesTo has to be a valid URL?!
    //rst.AppliesTo = new EndpointAddress("default");

    var st = trustClient.Issue(rst, out rstr);
    trustClient.Close();
    return rstr;
}
```

Besides not knowing how to include the security token in the RST, I am also bumping up against an issue of not being able to put "default" in as the AppliesTo URI. According to WS-Addressing, the value of an Address element is xs:anyURI, which "default" is.
Any help or suggestions would be much appreciated!
Regards,
Travis Spencer
http://travisspencer.com
All Replies
- Hi Travis,
I think you're going to need to use a custom binding for your scenario, but I don't know the exact combination of message security options which need to be set. Perhaps it's best to present your problem on the WCF forum. I think you could remove the RST part and pretend you're sending a simple SOAP request.
I don't have any answers for the addressing issue either but again the WCF forum may have suggestions.
Sorry I couldn't help you out more.
Regards,
Wilko31
- Thanks Wilko31 for the reply. I spent some of the day yesterday relearning binding-related minutiae :-/ I think I can figure this one out now. If I get stuck, though, I'll send a note to the WCF list.
The issue about the AppliesTo property not accepting valid URIs isn't a big deal. The URI is certainly valid because it conforms to this syntax:
[scheme : ]scheme-specific-part [# fragment ]
where square brackets [...] delineate optional components and the characters : and # stand for themselves.
See RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax and RFC 2732: Format for Literal IPv6 Addresses in URLs
This can also be seen by executing this code snippet:
```csharp
Uri uri;
if (!Uri.TryCreate("default", UriKind.RelativeOrAbsolute, out uri))
{
    throw new UriFormatException();
}
```
Regardless, I can work around this on the STS by changing the RP's realm identifier.
Regards,
Travis Spencer
http://travisspencer.com
- Hi Travis,
In your constructor for the WSHttpBinding, the SecurityMode is set to None. This implies no security for outgoing messages. You will have to create the proper binding.
Your code is not supposed to include the signatures (and other security related message parts). All of this is handled by the underlying WCF security stack, the controlling knob being the binding configuration.
-Rakesh

Proposed as answer by Brent Schmaltz - MSFT, Tuesday, November 10, 2009 7:48 PM
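A binding that makes the WCF security stack produce the signed header Rakesh describes, as an added example (not code from the thread); it uses the WIF 1.0 (Geneva) Microsoft.IdentityModel.Protocols.WSTrust types the original post already uses, and the STS address, RP realm and certificate thumbprints are placeholders.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

static class SignedRstExample
{
    // Assumed placeholders: substitute the real STS endpoint, RP realm and thumbprints.
    const string StsAddress = "https://sts.example.test/trust/13/certificate";
    const string RpRealm = "http://rp.example.test/";
    const string ClientCertThumbprint = "<CLIENT-CERT-THUMBPRINT>";
    const string StsCertThumbprint = "<STS-CERT-THUMBPRINT>";

    // The thread's binding used SecurityMode.None, which switches message security off, so WCF
    // never emits a wsse:Security header and the RST leaves the client unsigned. With
    // SecurityMode.Message and an X.509 client credential the security stack builds the
    // BinarySecurityToken, Timestamp and ds:Signature seen on the wire by itself.
    static WS2007HttpBinding CertificateSignedBinding()
    {
        var binding = new WS2007HttpBinding(SecurityMode.Message, false);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.EstablishSecurityContext = false;  // one-shot RST, no secure session
        binding.Security.Message.NegotiateServiceCredential = false; // STS certificate configured out of band
        return binding;
    }

    static RequestSecurityTokenResponse GetIssuedToken()
    {
        var creds = new ClientCredentials();
        // Keep chain validation on; CertificateValidationMode.None would trust any STS certificate.
        creds.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        creds.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, StsCertThumbprint);
        creds.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ClientCertThumbprint);

        var trustClient = new WSTrustClient(CertificateSignedBinding(), new EndpointAddress(StsAddress), TrustVersion.WSTrust13, creds);
        // EndpointAddress parses its argument as an absolute System.Uri, so a bare "default" is rejected; use an absolute realm URI.
        var rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(RpRealm),
            KeyType = WSTrust13Constants.KeyTypes.Asymmetric, // the PublicKey key type seen in the capture
        };
        RequestSecurityTokenResponse rstr;
        trustClient.Issue(rst, out rstr);
        trustClient.Close();
        return rstr;
    }
}
```

The STS side must expose an endpoint whose policy matches this binding (certificate message credential, no secure conversation), otherwise the signed RST is rejected as a policy mismatch rather than a signature failure.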