How to sign both Timestamp AND Body in a Soap 1.1 envelope with WCF

  • Question

  • Hi

    I am consuming a WS that requires the request to be signed but not encrypted.

    I think (from what I understand) that I am signing the timestamp only in the envelope below. I want to sign both the Timestamp AND the Body. How do I go about doing this?

    Here is what i get for an envelope:

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <u:Timestamp u:Id="_0">
            <u:Created>2013-05-29T05:55:56.985Z</u:Created>
            <u:Expires>2013-05-29T06:00:56.985Z</u:Expires>
          </u:Timestamp>
          <o:BinarySecurityToken u:Id="uuid-e02563d0-3a94-42e0-8730-d25accfcb3ad-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIEyjCCA7KgA <!-- REMOVED -->n6uOrzSPBhsCS+PHZ0</o:BinarySecurityToken>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <Reference URI="#_0">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>dZeTSPuEpxx6xx/LO1LAIA+NNj8=</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>BduH8ukQxZAhWD7qtnmYZw5fng+9jR2aSRmaVEBrf3lgYfSS8Eg40EYud4k/0zvj9S1WviF5VW/KE+r0gfi01fkNm4CJcNfdHG5Ty+WIriwWs45kGyLa3PgCOOietDfCb1vBJUz/QvN7QFHGoN6w6upvtrY1x7z16Ets91SDdkaMh9V5exjV5yvv6CNikOlzfd2u1jxrrnfzl3rukcttOGE+VioaJUkvbrNbsiJTgRldevGRo7NW83tSCrXQUtmt1WbPQljNM7z145jOgAWPbfDGuqcGlUtSPbfYmiRkQjB1IYCig1TwapJlIz9cHzJCEjTmlakfYjpnpyCdxJzPsQ==</SignatureValue>
            <KeyInfo>
              <o:SecurityTokenReference>
                <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-e02563d0-3a94-42e0-8730-d25accfcb3ad-1"/>
              </o:SecurityTokenReference>
            </KeyInfo>
          </Signature>
        </o:Security>
      </s:Header>
      <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <HentHelseindikasjonRequest xmlns="http://helse.no/sektor/kjernejournal/v1">
          <Fnr>08088800204</Fnr>
        </HentHelseindikasjonRequest>
      </s:Body>
    </s:Envelope>

    Here is my code. This is just a small test application, and I know it does not look good. I just want to make it work, then I will make it look a bit better :)

    // Generated proxy from the service reference, plus an empty request object.
    ServiceReference1.KjernejournalClient proxy = new ServiceReference1.KjernejournalClient();
    ServiceReference1.HentHelseindikasjonRequestType request = new ServiceReference1.HentHelseindikasjonRequestType();
    // Remove the Visual Studio debugger endpoint behavior so it does not get in the way of the call.
    var vs = proxy.Endpoint.Behaviors.Where((i) => i.GetType().Namespace.Contains("VisualStudio"));
    proxy.Endpoint.Behaviors.Remove((System.ServiceModel.Description.IEndpointBehavior)vs.Single());
    request.Fnr = txtFodselsnummer.Text;
    // Client certificate (PKCS#12 file, strCertPwd holds its password) used to sign the request.
    proxy.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"\\biztalkfil.helsemn.no\Biztalkt\Certificates\883974832\Private\Nonrep\Buypass ID-ST OLAVS HOSPITAL HF-serienummer547829953466922088190048-2013-04-16.p12", strCertPwd);
    // Protection level Sign is set only on the request message of the first operation.
    proxy.Endpoint.Contract.Operations[0].Messages[0].ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
    ServiceReference1.HentHelseindikasjonResponseType response = proxy.HentHelseindikasjon(request);

    And here is my app.config:

    <?xml version="1.0"?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <customBinding>
            <binding  name="sslSignedEnvelope"  >
              <security authenticationMode="CertificateOverTransport" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" >
                <secureConversationBootstrap />
              </security>
              <textMessageEncoding messageVersion="Soap11">
                <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
              </textMessageEncoding>
              <httpsTransport  authenticationScheme="Anonymous" maxReceivedMessageSize="2147483647" maxBufferPoolSize="524288"  />
            </binding>
          </customBinding>
        </bindings>
        <client>
          <endpoint address="https://endpoint/url"
            binding="customBinding" bindingConfiguration="sslSignedEnvelope"
            contract="ServiceReference1.Kjernejournal" name="Kjernejournal" />
        </client>
      </system.serviceModel>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
    </configuration>

    Help would really be appreciated.

    Regards

    John Viggo

    • Edited by johnviggo Wednesday, May 29, 2013 11:23 AM
    Wednesday, May 29, 2013 6:39 AM

All replies

  • After scratching my head even more I now maybe see that I in fact have not made a signature for the body, but only the timestamp? Can this be right? If so, what do I need to do to sign both the Timestamp and the Body?

    (updated the question with the new information)

    • Edited by johnviggo Wednesday, May 29, 2013 9:29 AM
    Wednesday, May 29, 2013 9:07 AM
  • Hi,

    If you are using a binding that applies security at the transport level, all application data will be secured according to the capabilities of the transport.

    You can consider using a binding that applies security at the message level, then application data will be secured according to the protection levels set on the contract.

    Please check http://msdn.microsoft.com/en-us/library/aa347692.aspx to get detailed information on the protection level feature.

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, May 30, 2013 7:06 AM
    Moderator
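The reply above says to move from transport-level to message-level security so that the contract's protection level decides what gets signed. The following is an added example (not code from the thread, the poster, or Microsoft) of a client built that way: an asymmetric (certificate) security binding element is constructed directly so that the client certificate itself produces the signature, the contract protection level is set to Sign, and the Body is therefore signed alongside the Timestamp without being encrypted. The proxy and contract names (`ServiceReference1.KjernejournalClient`, `HentHelseindikasjon`, `Fnr`) are taken from the question; the endpoint URL, certificate file paths, and password are placeholders, and the choice of SHA-256 algorithm suite is an assumption about what the remote service accepts.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Added example, not from the original thread. Assumes the generated proxy
// ServiceReference1.KjernejournalClient from the question; every path, password
// and URL below is a placeholder.
static class SignedBodyClient
{
    // Message-level security with asymmetric (X.509) tokens. Because the initiator
    // certificate signs the message itself, the contract ProtectionLevel decides what
    // is covered: Sign => Body and Timestamp are signed, nothing is encrypted.
    static SecurityBindingElement MessageLevelSignOnly()
    {
        var security = new AsymmetricSecurityBindingElement(
            // Recipient token: the service certificate. Never sent on the wire; it is
            // used on the client side to verify the signature on the reply.
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.Never),
            // Initiator token: the client certificate, included as a BinarySecurityToken
            // with a direct (#id) reference from KeyInfo, as in the envelope above.
            new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient));

        security.MessageSecurityVersion =
            MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
        security.IncludeTimestamp = true;                                   // keep <u:Timestamp> and sign it
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        security.SetKeyDerivation(false);                                   // sign with the certificate key directly
        // Basic256 gives rsa-sha1 / sha1 like the envelope in the question;
        // Basic256Sha256 moves digest and signature to SHA-256 (assumed acceptable to the service).
        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
        // security.EnableUnsecuredResponse = true;  // only if the service is known to reply unsigned
        return security;
    }

    // SOAP 1.1 text encoding over HTTPS, as in the question's app.config, but with the
    // message-level security element instead of CertificateOverTransport.
    static Binding BuildBinding()
    {
        return new CustomBinding(
            MessageLevelSignOnly(),
            new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11 },
            new HttpsTransportBindingElement());
    }

    static ServiceReference1.HentHelseindikasjonResponseType Call(string fnr, string clientCertPassword)
    {
        var proxy = new ServiceReference1.KjernejournalClient(
            BuildBinding(), new EndpointAddress("https://endpoint/url"));   // placeholder address

        // Sign rather than the default EncryptAndSign: the Body is signed but stays readable.
        // Setting it on the contract covers request and reply of every operation, and it
        // must happen before the channel is opened, i.e. before the first call.
        proxy.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign;

        // Client certificate that produces the signature (placeholder PKCS#12 path).
        proxy.ClientCredentials.ClientCertificate.Certificate =
            new X509Certificate2(@"C:\placeholder\client.p12", clientCertPassword);
        // The asymmetric binding needs the service certificate to verify the signed reply
        // (placeholder public certificate; leave certificate validation at its default).
        proxy.ClientCredentials.ServiceCertificate.DefaultCertificate =
            new X509Certificate2(@"C:\placeholder\service.cer");

        var request = new ServiceReference1.HentHelseindikasjonRequestType { Fnr = fnr };
        return proxy.HentHelseindikasjon(request);
    }
}
```

To confirm the change took effect, enable WCF message logging (`<messageLogging logEntireMessage="true" logMessagesAtTransportLevel="true" />` under `system.serviceModel/diagnostics`) and inspect the outgoing envelope: `<SignedInfo>` should now contain two `<Reference>` elements, one for the Timestamp id and one for the `u:Id` that WCF adds to `<s:Body>`, whereas the CertificateOverTransport envelope in the question carries only the `#_0` Timestamp reference. With message-level security the reply must also be signed by the service certificate, so an unsigned reply will be rejected by the client unless `EnableUnsecuredResponse` is deliberately turned on.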