How to sign the SOAP request messages at client side when the .WSDL is using "X509EndpointPolicy"?

    Question

  • Hi All,

    I'm trying to integrate a .NET client with a java service (not under my control) which has following policy specified :

    <wsp:Policy wsu:Id="X509EndpointPolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding>
            <wsp:Policy>
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic128Rsa15/>
                  <sp:Basic256Rsa15/>
                  <sp:TripleDesRsa15/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:IncludeTimestamp/>
              <sp:EncryptBeforeSigning/>
              <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <wsam:Addressing>
            <wsp:Policy>
              <wsp:ExactlyOne>
                <wsp:All>
                  <wsam:Anonymous>required</wsam:Anonymous>
                </wsp:All>
                <wsp:All>
                  <AnonymousResponses/>
                </wsp:All>
              </wsp:ExactlyOne>
            </wsp:Policy>
          </wsam:Addressing>
          <mtom:OptimizedMimeSerialization wsp:Optional="true"/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

    When I try to generate a proxy from the WSDL I get: An exception was thrown in a call to a policy import extension. Extension: System.ServiceModel.Channels.SecurityBindingElementImporterError: An unsupported security policy assertion was detected during the security policy import: <sp:AsymmetricBinding ...

    I removed this policy from the WSDL, so now I am able to generate a proxy with svcutil.

    I tried to add this policy to my custom binding by building it up in C# code:

    private static AsymmetricSecurityBindingElement BuildAsymmetricSecurityBinding() {
        var initiator =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                                            SecurityTokenInclusionMode.AlwaysToRecipient);
        var recipient =
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                                            SecurityTokenInclusionMode.AlwaysToInitiator);

        var asymmetricSecurityBinding = new AsymmetricSecurityBindingElement(recipient, initiator);
        asymmetricSecurityBinding.SetKeyDerivation(false);
        asymmetricSecurityBinding.IncludeTimestamp = true;
        asymmetricSecurityBinding.AllowSerializedSigningTokenOnReply = true;
        asymmetricSecurityBinding.AllowInsecureTransport = true;
        asymmetricSecurityBinding.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
        asymmetricSecurityBinding.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
        return asymmetricSecurityBinding;
    }

    First, I have no idea whether this is the best way to work around this limitation in the proxy generator.

    Also, how can I tell WCF to OnlySignEntireHeadersAndBody as stated in the policy?

    Thanks in advance.

    Regards,

    Jagadeesh


    JK

    Friday, August 31, 2012 9:51 AM
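As an added example (not code from the original post or from WCF's own documentation), here is how the AsymmetricSecurityBindingElement above can be wrapped into a complete custom binding with the client signing certificate and the expected service certificate configured. The class and method names are mine; SOAP 1.2 with WS-Addressing 1.0, an HTTPS endpoint, and the certificate store locations are assumptions to check against the actual WSDL and deployment.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

static class X509EndpointClientBinding
{
    // Mirrors the sp:AsymmetricBinding assertion: the client's X.509 token signs the request,
    // the service's X.509 token protects the reply, a timestamp is included, protection order is
    // EncryptBeforeSigning, and TripleDesRsa15 is picked from the suites the policy lists.
    public static CustomBinding Build()
    {
        var initiator = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
        var recipient = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToInitiator);

        var security = new AsymmetricSecurityBindingElement(recipient, initiator)
        {
            IncludeTimestamp = true,
            DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15,
            MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign,
            // The 200702 namespace used in the policy is WS-SecurityPolicy 1.2.
            MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12,
            // AllowInsecureTransport is left at its default (false); HTTPS is used below.
        };
        security.SetKeyDerivation(false);

        // Assumption: SOAP 1.2 + WS-Addressing 1.0 (wsam:Addressing); adjust to the WSDL's soap binding.
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8),
            new HttpsTransportBindingElement());
    }

    // Attaches the signing certificate and the service certificate used to protect the reply.
    // Both thumbprints are placeholders to be replaced with the real values.
    public static void ConfigureCredentials(ClientCredentials credentials, string clientThumbprint, string serviceThumbprint)
    {
        credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);
        credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindByThumbprint, serviceThumbprint);
        // Validate the service certificate's chain rather than accepting any presented certificate.
        credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
    }
}
```

Pass Build() and the endpoint address to the svcutil-generated proxy's constructor, then call ConfigureCredentials(proxy.ClientCredentials, ...) before the first call.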

All replies

  • Hi,

    As OnlySignEntireHeadersAndBody is supported, the simplest way is to keep OnlySignEntireHeadersAndBody in the policy and remove the other unsupported properties.

    Tuesday, September 04, 2012 4:42 AM