unsupported security policy assertion exception when generating proxy from a service

    Question

  • Hi All,

    I'm trying to integrate a .NET client with a Java service (not under my control) which has the following policy specified:

    <wsp:Policy wsu:Id="X509EndpointPolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding>
            <wsp:Policy>
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic128Rsa15/>
                  <sp:Basic256Rsa15/>
                  <sp:TripleDesRsa15/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:IncludeTimestamp/>
              <sp:EncryptBeforeSigning/>
              <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <wsam:Addressing>
            <wsp:Policy>
              <wsp:ExactlyOne>
                <wsp:All>
                  <wsam:Anonymous>required</wsam:Anonymous>
                </wsp:All>
                <wsp:All>
                  <AnonymousResponses/>
                </wsp:All>
              </wsp:ExactlyOne>
            </wsp:Policy>
          </wsam:Addressing>
          <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

    When I try to generate a proxy from the WSDL I get: An exception was thrown in a call to a policy import extension. Extension: System.ServiceModel.Channels.SecurityBindingElementImporterError: An unsupported security policy assertion was detected during the security policy import: <sp:AsymmetricBinding ...

    I removed this policy from the WSDL, so now I am able to generate a proxy with svcutil.

    I tried to add this policy to my custom binding by building it up in C# code:

            // Mirrors the sp:AsymmetricBinding assertion from the policy above.
            private static AsymmetricSecurityBindingElement BuildAsymmetricSecurityBinding() {
                // sp:InitiatorToken: client X.509 token, IncludeToken=AlwaysToRecipient
                var initiator =
                    new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                                                    SecurityTokenInclusionMode.AlwaysToRecipient);
                // sp:RecipientToken: service X.509 token, IncludeToken=AlwaysToInitiator
                var recipient =
                    new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                                                    SecurityTokenInclusionMode.AlwaysToInitiator);

                // Constructor parameter order is (recipientTokenParameters, initiatorTokenParameters).
                var asymmetricSecurityBinding = new AsymmetricSecurityBindingElement(recipient, initiator);
                asymmetricSecurityBinding.SetKeyDerivation(false);
                asymmetricSecurityBinding.IncludeTimestamp = true;                    // sp:IncludeTimestamp
                asymmetricSecurityBinding.AllowSerializedSigningTokenOnReply = true;
                asymmetricSecurityBinding.AllowInsecureTransport = true;
                asymmetricSecurityBinding.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;     // one of the suites listed under sp:AlgorithmSuite
                asymmetricSecurityBinding.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign; // sp:EncryptBeforeSigning
                return asymmetricSecurityBinding;
            }

    First, I have no idea whether this is the best way to work around this limitation in the proxy generator.

    Also, how can I tell WCF to OnlySignEntireHeadersAndBody as stated in the policy?

    Also, when making the actual call I get:

    System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority . ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at System.Net.HttpWebRequest.GetResponse()

    This is probably unrelated to the unsupported policy?

    If I google for this exception, most results talk about a TLS/SSL3 version mismatch between the client and the server.

    I think I have 2 problems ...

    Any suggestions are more than welcome.

    Thanks in advance

    Filip

    Friday, March 02, 2012 2:36 PM
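One way to turn that security element into a complete, working client binding, as an added example that is not part of the original post and not code from the Java service's vendor. It assumes SOAP 1.2 with WS-Addressing 1.0 (the wsam:Addressing assertion; use MessageVersion.Soap11WSAddressing10 if the WSDL binds SOAP 1.1), that the client and service certificates live in CurrentUser\My under the placeholder subject names client-cert-subject and service-cert-subject, that the service wants the WS-Security 1.0 token profile (the captured BinarySecurityToken ValueType is the 1.0 one), and it picks Basic128Rsa15 from the three suites the policy offers. Two points the question asks about: sp:OnlySignEntireHeadersAndBody needs no switch in WCF, because WCF signs whole header elements and the whole Body by wsu:Id reference rather than XPath fragments; and the Rsa15 suites use PKCS#1 v1.5 key transport, a legacy choice you accept only because the service mandates it.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

// Added example: builds the whole client binding by hand because svcutil could not
// import sp:AsymmetricBinding. Everything marked "assumed" is a placeholder.
static class JavaServiceClientFactory
{
    // Equivalent of the sp:AsymmetricBinding assertion in X509EndpointPolicy.
    static AsymmetricSecurityBindingElement BuildAsymmetricSecurityBinding()
    {
        // sp:InitiatorToken, IncludeToken=AlwaysToRecipient: our cert rides in every request.
        var initiator = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
        // sp:RecipientToken, IncludeToken=AlwaysToInitiator: the service cert comes back in every response.
        var recipient = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToInitiator);

        var sbe = new AsymmetricSecurityBindingElement(recipient, initiator)
        {
            // sp:WssX509V3Token10 = WS-Security 1.0 X.509 token profile (assumed to be what the service wants).
            MessageSecurityVersion = MessageSecurityVersion
                .WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10,
            IncludeTimestamp = true,                                           // sp:IncludeTimestamp
            MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign,  // sp:EncryptBeforeSigning
            DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15,      // one of the three offered suites (assumed)
            AllowSerializedSigningTokenOnReply = true,
        };
        sbe.SetKeyDerivation(false); // sign/encrypt with the certificate keys directly, no derived keys
        // sp:OnlySignEntireHeadersAndBody needs no setting: WCF signs whole header elements
        // and the whole Body by wsu:Id reference, never XPath fragments.
        return sbe;
    }

    public static CustomBinding BuildBinding()
    {
        var binding = new CustomBinding();
        binding.Elements.Add(BuildAsymmetricSecurityBinding());
        // wsam:Addressing with anonymous responses: WS-Addressing 1.0; SOAP 1.2 is assumed.
        binding.Elements.Add(new TextMessageEncodingBindingElement(
            MessageVersion.Soap12WSAddressing10, Encoding.UTF8));
        // mtom:OptimizedMimeSerialization is wsp:Optional, so plain text encoding is acceptable.
        // RequireClientCertificate is an assumption: keep it only if the server also demands
        // the client certificate in the TLS handshake (mutual TLS), otherwise drop it.
        binding.Elements.Add(new HttpsTransportBindingElement { RequireClientCertificate = true });
        return binding;
    }

    public static ChannelFactory<TChannel> CreateFactory<TChannel>(string serviceUrl, string serviceDnsName)
    {
        // The DNS identity is checked against the service certificate used for message security.
        var address = new EndpointAddress(new Uri(serviceUrl), new DnsEndpointIdentity(serviceDnsName));
        var factory = new ChannelFactory<TChannel>(BuildBinding(), address);

        var creds = factory.Credentials;
        // Initiator token: our signing/decryption key (subject name is an assumed placeholder).
        creds.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "client-cert-subject");
        // Recipient token: the service's public key, used to encrypt to it and to verify its response signature.
        creds.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "service-cert-subject");
        // Do not relax these to get past trust errors; import the service chain into the store instead.
        creds.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        creds.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        return factory;
    }
}

// Usage with the svcutil-generated contract (IJavaService and the URL are assumed names):
//   var factory = JavaServiceClientFactory.CreateFactory<IJavaService>("https://host/service", "host");
//   var client = factory.CreateChannel();
```

The original snippet's AllowInsecureTransport = true is left out on purpose: over HttpsTransportBindingElement it is unnecessary, and it is the kind of flag that quietly survives into production.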

All replies

  • Hi Filip,

    First, I think you need to consult the Java web service vendor and get some instruction about the correct way to consume this Java web service, because I don't think, or can't confirm, that your current way of consuming the Java web service is correct.

    Here I'd like to share an article describing the normal way for a .NET client to consume a Java web service:

    How To: Call a Java EE Web Service from a .Net Client

    http://blogs.msdn.com/b/bursteg/archive/2008/07/19/how-to-call-a-java-ee-web-service-from-a-net-client.aspx

    Second, I think the exception saying "Could not establish secure channel for SSL/TLS with authority" could be caused by an untrusted certificate. But my question is: is that the correct way to present the certificate from the client side? Or do we need that? I think the Java web service people can give you the exact answer.

    At the same time, I'd like to share an article about the certificate trust issue:

    http://blogs.msdn.com/b/hongmeig/archive/2007/05/01/wcf-exception-the-remote-certificate-is-invalid-according-to-the-validation-procedure.aspx

    • Marked as answer by Yi-Lun Luo Thursday, March 08, 2012 9:47 AM
    Tuesday, March 06, 2012 1:13 PM
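A way to test the reply's "untrusted certificate" theory against the question's "TLS/SSL version mismatch" theory before involving WCF at all, as an added example that is not part of this thread. It opens a raw TLS connection per protocol version and records what certificate validation found; the host, port and PFX path are placeholders. The validation callback returns true only so the probe can report chain errors instead of aborting, which is acceptable in a throwaway diagnostic and never in a client that sends real data.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example: separates "server chain is not trusted" from "no TLS version in common"
// and from "server rejected our client certificate". Host/port/PFX are placeholders.
static class TlsProbe
{
    public static void Run(string host, int port, X509Certificate2 clientCert)
    {
        // Newest first; the Tls11/Tls12 members need .NET 4.5 or later.
        foreach (var proto in new[] { SslProtocols.Tls12, SslProtocols.Tls11, SslProtocols.Tls })
        {
            var policyErrors = SslPolicyErrors.None;
            var chainStatus = new X509ChainStatus[0];
            try
            {
                using (var tcp = new TcpClient(host, port))
                using (var ssl = new SslStream(tcp.GetStream(), false, (sender, cert, chain, errors) =>
                {
                    // Diagnostic only: record what validation found and let the handshake continue.
                    // A production client must never return true unconditionally here.
                    policyErrors = errors;
                    if (chain != null) chainStatus = chain.ChainStatus;
                    return true;
                }))
                {
                    var certs = new X509CertificateCollection();
                    if (clientCert != null) certs.Add(clientCert);
                    ssl.AuthenticateAsClient(host, certs, proto, checkCertificateRevocation: true);

                    Console.WriteLine("{0}: handshake OK, {1}/{2} bits, mutual={3}",
                        proto, ssl.CipherAlgorithm, ssl.CipherStrength, ssl.IsMutuallyAuthenticated);
                }
            }
            catch (AuthenticationException ex)
            {
                // The server refused the handshake, e.g. it required a client certificate we did not send.
                Console.WriteLine("{0}: handshake rejected: {1}", proto, ex.Message);
            }
            catch (IOException ex)
            {
                // Typical for a protocol-version mismatch: the peer closes the socket mid-handshake.
                Console.WriteLine("{0}: connection failed: {1}", proto, ex.Message);
            }

            if (policyErrors != SslPolicyErrors.None)
            {
                // TLS itself negotiated fine; the problem is trust, so fix the certificate store, not the protocol.
                Console.WriteLine("  certificate policy errors: {0}", policyErrors);
                foreach (var s in chainStatus)
                    Console.WriteLine("  chain: {0} ({1})", s.Status, s.StatusInformation.Trim());
            }
        }
    }
}

// Usage (placeholders): first without, then with the client certificate.
//   TlsProbe.Run("javaservice.example", 443, null);
//   TlsProbe.Run("javaservice.example", 443, new X509Certificate2(@"client.pfx", "pfx-password"));
```

If every version fails with an IOException the issue is protocol negotiation; if the handshake completes but RemoteCertificateChainErrors or RemoteCertificateNameMismatch is reported, the fix is importing the server's chain (or correcting the DNS identity), which is what the later reply in this thread ended up doing; if only the run with the client certificate succeeds, the server requires mutual TLS.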
  • Hi,

    First of all, thanks for replying.

    I tried the code at http://blogs.msdn.com/b/hongmeig/archive/2007/05/01/wcf-exception-the-remote-certificate-is-invalid-according-to-the-validation-procedure.aspx. But unfortunately this did not solve the issue...

    Yesterday I was able to fix "Could not establish secure channel for SSL/TLS with authority" by importing the server-side SSL certificates plus their whole chain, storing them in the Windows certificate store and referencing the certificate in the client/endpoint/identity section of the config file:

    <identity>
      <dns value="<%dnsname%>"/>
      <certificateReference storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" findValue="<%cert_subjectname%>" />
    </identity>

    However, now I get an "ASN.1 parse of certificate failed" back from the server.

    It looks like the service is unable to parse my base64-encoded certificate (specified in the BinarySecurityToken element):

    <o:BinarySecurityToken u:Id="uuid-844f7281-6b14-4893-a37d-1c4b1bdabe6a-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIF5zC/KuHKLrNUlrq ....</o:BinarySecurityToken>

    which is used for signing the hashes (XML-DSig). See this WSDL:


    <wsp:Policy wsu:Id="SecureMessagePolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SignedParts>
            <sp:Body/>
            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
          </sp:SignedParts>
          <sp:SignedElements>
            <sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
            <sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
          </sp:SignedElements>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

    I'll contact the Java web service guys and see whether they can help out.

    Thanks !

    Filip 

    Friday, March 09, 2012 4:05 PM
  • Hi Filip,

    I also have a similar requirement. The .WSDL file that I got from the service provider has an "X509EndpointPolicy" tag which blocked me from running svcutil. Finally I got proxy.cs and .config files after commenting out that policy.

    I also got the "Could not establish secure channel for SSL/TLS with authority" error, which was resolved by setting the client certificate and password on the proxy.

    The important and only remaining thing is "adding X509EndpointPolicy to my custom binding by building it up from C# code". I am trying this from my side.

    Please let me know how you have handled it, if you have already resolved this. Thanks in advance.

    Jagadeesh


    JK

    Thursday, August 30, 2012 11:39 AM