Get WCF to Sign Message Body (Soap 1.1)
- I am trying to get WCF to contact a web service that requires not only HTTPS but also the Header and Body to be signed. I have the header signed but can't get it to sign the body. I have created a custom binding (see below), and set the ProtectionLevel to Sign. I am not getting any errors except an error from the service that the body is not signed. When I look at the SOAP, I see that it isn't signed. Is this possible?
<customBinding>
  <binding name="CustomSoapBinding">
    <security defaultAlgorithmSuite="Default"
              authenticationMode="CertificateOverTransport"
              requireDerivedKeys="false"
              securityHeaderLayout="Strict"
              includeTimestamp="true"
              keyEntropyMode="ClientEntropy"
              messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
              requireSecurityContextCancellation="false"
              requireSignatureConfirmation="false">
      <secureConversationBootstrap />
    </security>
    <textMessageEncoding messageVersion="Soap11WSAddressing10" />
    <httpsTransport requireClientCertificate="false" />
  </binding>
</customBinding>
All Replies
- Yes, it is possible.
You can create a behavior extension element.
Something like this:
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public class MyBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
    {
        ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
        if (requirements == null)
        {
            // Nothing registered yet: create the requirements and add them to the
            // collection, otherwise the parts added below never reach the channel.
            requirements = new ChannelProtectionRequirements();
            bindingParameters.Add(requirements);
        }

        // true = the message body is included in the part specification
        MessagePartSpecification part = new MessagePartSpecification(true);
        requirements.IncomingSignatureParts.AddParts(part);
        requirements.OutgoingSignatureParts.AddParts(part);
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, System.ServiceModel.Dispatcher.ClientRuntime clientRuntime)
    {
    }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, System.ServiceModel.Dispatcher.EndpointDispatcher endpointDispatcher)
    {
    }

    public void Validate(ServiceEndpoint endpoint)
    {
    }
}
You can read more here:
http://adilakhter.wordpress.com/
- Marked As Answer by Bin-ze Zhao MSFT, Moderator Tuesday, November 10, 2009 3:54 AM
- Marked As Answer by DCarter1975 Tuesday, November 03, 2009 10:46 PM
- Unmarked As Answer by DCarter1975 Wednesday, November 04, 2009 12:11 AM
- I actually have added the
ProtectionLevel:=Net.Security.ProtectionLevel.Sign
to all of the places to try and get it to sign the correct places, but it doesn't seem to be listening to this directive. The above answer tells me how I would add it in the configuration, but I don't need to do this as I have already added it in the proxy. So I guess I am back to my original question: why is the body not being signed even when it is told to do this in the proxy?
- Hi,
If you want to sign the message body, then you will have to use a message security binding (like SecurityBindingElement.CreateMutualCertificateBinding). However, it is not a supported combination to use a message security binding with HTTPS, and hence your WSDL generation will fail.
Referenced by this link:
https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=481030&wa=wsignin1.0
Thanks
Binze
- Marked As Answer by Bin-ze Zhao MSFT, Moderator Tuesday, November 10, 2009 3:54 AM
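A structural check for the symptom described in the question (a signature in the security header that does not cover the Body), as an added example that is not code from this thread: it reports whether a ds:Reference under wsse:Security points at the Body's wsu:Id. The class name, method names and the sample envelopes are constructed for illustration, and the check does not verify the signature cryptographically.

```csharp
using System;
using System.Xml;

static class SignatureCoverage
{
    const string Soap11 = "http://schemas.xmlsoap.org/soap/envelope/";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Ds = "http://www.w3.org/2000/09/xmldsig#";

    // True only if the SOAP 1.1 Body carries a wsu:Id and a ds:Reference in the
    // wsse:Security header's Signature targets that Id. Structure only: the
    // digest and signature values are not verified here.
    public static bool IsBodySigned(string envelopeXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(envelopeXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("s", Soap11);
        ns.AddNamespace("wsse", Wsse);
        ns.AddNamespace("ds", Ds);

        var body = doc.SelectSingleNode("/s:Envelope/s:Body", ns) as XmlElement;
        string bodyId = body == null ? "" : body.GetAttribute("Id", Wsu);
        if (bodyId.Length == 0) return false; // no Id, so no Reference can target the Body

        XmlNodeList uris = doc.SelectNodes(
            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/@URI", ns);
        foreach (XmlNode uri in uris)
            if (uri.Value == "#" + bodyId) return true;
        return false;
    }

    // Constructed envelope: the Timestamp (_0) is always referenced; extraReference
    // lets the caller add a Reference to the Body (_1).
    static string Envelope(string extraReference)
    {
        return "<s:Envelope xmlns:s='" + Soap11 + "' xmlns:u='" + Wsu + "'>"
             + "<s:Header><o:Security xmlns:o='" + Wsse + "'><u:Timestamp u:Id='_0'/>"
             + "<Signature xmlns='" + Ds + "'><SignedInfo><Reference URI='#_0'/>"
             + extraReference + "</SignedInfo></Signature></o:Security></s:Header>"
             + "<s:Body u:Id='_1'/></s:Envelope>";
    }

    static void Main()
    {
        Console.WriteLine("header only: " + IsBodySigned(Envelope("")));
        Console.WriteLine("with body:   " + IsBodySigned(Envelope("<Reference URI='#_1'/>")));
    }
}
```

Run it against an envelope captured from message logging to see whether a binding or behavior change actually altered which parts the signature references.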


