Trouble Decrypting Response from Java in WCF RRS feed


  Hello MSDN Community,

    I have become stuck and would appreciate some assistance! I am creating a WCF service to connect to a client's system that is running Java. This client requires transport and message security, and that the data be signed.

    Currently I am on what I hope is the final step: decrypting the response data that comes back from the client. However, I am receiving an error that, even after extensive research, I cannot figure out how to resolve. The error message is below, and I have confirmed with the client that the data we send is getting into their system. But without being able to read the response I cannot determine whether there was an error, in which case I would need to queue the data to be sent again later.

    Error Message: The incoming message was signed with a token which was different from what used to encrypt the body.  This was not expected.

    I have already tried what other similar threads suggested, following this link https://docs.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-use-separate-x-509-certificates-for-signing-and-encryption , but unfortunately had no luck. I have used Fiddler to capture the request and response data and added them below. I have no issue with sharing the code I have been using, so I have included that as well.

    I hope this is enough detail and any help would be greatly appreciated.

    Thank you!

    ---- Request Data ----

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
        <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo5DHI8+iTotIssyL+ipUgVcAAAAAZgvoz92b20y2nknMgcunrUR4MK0dMXpIkXAeQgTDpEoACQAA</VsDebuggerCausalityData>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:BinarySecurityToken u:Id="uuid-21a35b35-3dc7-4035-90cb-cd3ab6a46bde-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- KEY TWO REMOVED --></o:BinarySecurityToken>
          <o:BinarySecurityToken u:Id="uuid-21a35b35-3dc7-4035-90cb-cd3ab6a46bde-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- KEY ONE REMOVED --></o:BinarySecurityToken>
          <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
            </e:EncryptionMethod>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <o:SecurityTokenReference>
                <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-21a35b35-3dc7-4035-90cb-cd3ab6a46bde-2"/>
              </o:SecurityTokenReference>
            </KeyInfo>
            <e:CipherData>
              <e:CipherValue><!-- CIPHER ONE REMOVED --></e:CipherValue>
            </e:CipherData>
            <e:ReferenceList>
              <e:DataReference URI="#_2"/>
            </e:ReferenceList>
          </e:EncryptedKey>
          <o:BinarySecurityToken u:Id="uuid-21a35b35-3dc7-4035-90cb-cd3ab6a46bde-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- KEY TWO REMOVED --></o:BinarySecurityToken>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <Reference URI="#_1">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>ER0Xr6/qYzagjw3CCYsKw1c35A0=</DigestValue>
              </Reference>
              <Reference URI="#uuid-935d53e7-205e-4285-9a80-a21f6ce8a40e-1">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>u3odRzumoG+raII3sYyD+2UWu6k=</DigestValue>
              </Reference>
              <Reference URI="#uuid-21a35b35-3dc7-4035-90cb-cd3ab6a46bde-1">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>aeIsoIv+IkB60lOosrRq2Yk9dns=</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue><!-- SIGNATURE VALUE ONE REMOVED --></SignatureValue>
            <KeyInfo>
              <o:SecurityTokenReference>
                <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-21a35b35-3dc7-4035-90cb-cd3ab6a46bde-3"/>
              </o:SecurityTokenReference>
            </KeyInfo>
          </Signature>
          <u:Timestamp u:Id="uuid-935d53e7-205e-4285-9a80-a21f6ce8a40e-1">
            <u:Created>2018-09-27T13:59:58.752Z</u:Created>
            <u:Expires>2018-09-27T14:04:58.752Z</u:Expires>
          </u:Timestamp>
        </o:Security>
      </s:Header>
      <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <e:CipherData>
            <e:CipherValue><!-- CIPHER TWO REMOVED --></e:CipherValue>
          </e:CipherData>
        </e:EncryptedData>
      </s:Body>
    </s:Envelope>

    ---- Response Data ----

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Header xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo5DHI8+iTotIssyL+ipUgVcAAAAAZgvoz92b20y2nknMgcunrUR4MK0dMXpIkXAeQgTDpEoACQAA</VsDebuggerCausalityData>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-rP2zPLuZvY7pgVKv5ffghQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- KEY TWO REMOVED --></wsse:BinarySecurityToken>
          <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
              <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
            </xenc:EncryptionMethod>
            <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#BST-rP2zPLuZvY7pgVKv5ffghQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
              </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
                <!-- CIPHER THREE REMOVED -->
              </xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
              <xenc:DataReference URI="#_26c8NQRQKRYnqVkwpf1ylg22"/>
            </xenc:ReferenceList>
          </xenc:EncryptedKey>
          <wsu:Timestamp wsu:Id="Timestamp-HLPvsIqVULJgsy5KYC0yZw22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2018-09-27T14:00:02Z</wsu:Created>
            <wsu:Expires>2018-09-27T14:05:02Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-LZr2APtJNO2gD692ztYnxg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- KEY ONE REMOVED --></wsse:BinarySecurityToken>
          <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:SignedInfo>
              <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <dsig:Reference URI="#Timestamp-HLPvsIqVULJgsy5KYC0yZw22">
                <dsig:Transforms>
                  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <dsig:DigestValue>EuJckWr8sgVDMGfGwaqn6PJwGOU=</dsig:DigestValue>
              </dsig:Reference>
              <dsig:Reference URI="#Body-_1">
                <dsig:Transforms>
                  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <dsig:DigestValue>yOlMlwV/atjkTSUhzRbIHJw9BL0=</dsig:DigestValue>
              </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue><!-- SIGNATURE VALUE TWO REMOVED --></dsig:SignatureValue>
            <dsig:KeyInfo Id="KeyInfo-5NbjH81XxaxHnKEDHrDFaw22">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#BST-LZr2APtJNO2gD692ztYnxg22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
              </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
          </dsig:Signature>
        </wsse:Security>
      </s:Header>
      <s:Body u:Id="Body-_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_26c8NQRQKRYnqVkwpf1ylg22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <xenc:CipherData>
            <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
              <!-- CIPHER FOUR REMOVED -->
            </xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </s:Body>
    </soapenv:Envelope>

    ---- Code ----

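    // Setup Asymmetric Binding Rules
    // Mutual-certificate (asymmetric) binding: our certificate signs the request and is the encryption
    // target of the reply; the peer's certificate is the encryption target of the request and signs the reply.
    // In the captured reply the Java side did encrypt to our certificate (the token WCF labelled KEY TWO) and
    // sign with its own (KEY ONE), so the token roles themselves look mirrored correctly — the mismatch WCF
    // reports is presumably about which token it *expects* in each role; verify against the peer's policy.
    AsymmetricSecurityBindingElement sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
    // Same value already passed to the factory above; kept so the intended version is visible at a glance.
    sec.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    // Basic128 = AES-128-CBC with SHA-1 digests / RSA-SHA1 signatures, which is what the captured messages
    // carry; SHA-1 is a legacy choice retained only because the peer requires it.
    sec.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;
    sec.InitiatorTokenParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Once };
    sec.RecipientTokenParameters = new X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.Once };
    // Adds an extra signed X.509 supporting token to the request header — presumably the second copy of
    // our certificate (the "...-1" BinarySecurityToken) seen in the capture. Confirm the peer actually
    // requires it; an unexpected extra token is a plausible source of role confusion on the reply.
    sec.EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters());
    sec.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    sec.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast;
    sec.IncludeTimestamp = true;
    sec.AllowSerializedSigningTokenOnReply = true;
    // NOTE(review): each of the four relaxations below disables a check WCF would otherwise enforce on the
    // reply, the transport, the tokens or the key material. They are interop workarounds, not a fix for the
    // signing/encryption-token mismatch; re-evaluate and remove the ones that are not strictly required
    // once the exchange works.
    sec.EnableUnsecuredResponse = true;
    sec.AllowInsecureTransport = true;
    sec.ProtectTokens = false;
    sec.SetKeyDerivation(false);

    // Create custom SOAP binding in order: security, message encoding, transport.
    // The constructor preserves argument order, which is what CustomBinding's element stack relies on.
    CustomBinding binding = new CustomBinding(
        sec,
        new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8),
        new HttpsTransportBindingElement { RequireClientCertificate = true });

    // Setup Endpoint Details
    // Read both appSettings first and fail with a message that names the missing key, instead of the
    // ArgumentNullException that EndpointIdentity/Uri would throw on a null value.
    string clientCertificateDns = ConfigurationManager.AppSettings.Get($"ClientCertificateDNS_{env}");
    string clientUrl = ConfigurationManager.AppSettings.Get($"ClientAdditionalUrl_{env}");
    if (string.IsNullOrWhiteSpace(clientCertificateDns) || string.IsNullOrWhiteSpace(clientUrl))
    {
        throw new ConfigurationErrorsException($"appSettings must define both ClientCertificateDNS_{env} and ClientAdditionalUrl_{env}.");
    }
    EndpointIdentity dnsIdentity = EndpointIdentity.CreateDnsIdentity(clientCertificateDns);
    EndpointAddress endpointAddress = new EndpointAddress(new Uri(clientUrl), dnsIdentity);

    // Create Client
    using (var svcClient = new ServicePortClient(binding, endpointAddress))
    {
        svcClient.Endpoint.Contract.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        // Client Transport Certificate (Ours)
        svcClient.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ourCert[0].Thumbprint);

        // GetRSAPrivateKey() returns a new RSA instance (must be disposed) and returns null — it does not
        // throw — when the certificate carries no RSA private key. The original discarded the result, so a
        // missing key only surfaced later as an opaque WCF error. Without this key we can neither sign the
        // request nor decrypt the reply, so check it explicitly here.
        using (var ourPrivateKey = svcClient.ClientCredentials.ClientCertificate.Certificate.GetRSAPrivateKey())
        {
            if (ourPrivateKey == null)
            {
                throw new InvalidOperationException($"Client certificate {ourCert[0].Thumbprint} has no accessible RSA private key.");
            }
        }

        // Server & Encryption Certificate (Clients)
        svcClient.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.AddressBook, X509FindType.FindByThumbprint, clientCert[0].Thumbprint);
        // PeerOrChainTrust accepts the peer certificate either because it is in the trusted-people store or
        // because a chain builds; the certificate is pinned by thumbprint above, which bounds the exposure.
        svcClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;

        // Make Request
        /* The rest has been cut away */
    }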
