Signing BinarySecurityToken

  • Question

  • After trying, searching the net and dedicating many hours ... I have to ask for help. I cannot create the "request" that the web service needs.
    Let's see if I can explain myself well.

    I need to create a request, signing the token, the timestamp and the body from Dynamics Ax 2012 R2.

    I have already created other requests, which do not need to have a signed token and are working correctly, but I do not see how to correctly sign the token.

    The request that I need to create is similar to:


    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-4717041D9F2F977B7E151800507638124958" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
    <ds:Signature Id="Signature-24959" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
    <ds:Reference URI="#CertId-4717041D9F2F977B7E151800507638124958">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
    <ds:DigestValue>iepgroRNu7ixq7e2lfN+Ra6w7TQ=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#Timestamp-24958">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
    <ds:DigestValue>A35aL6DpYTjXpZATlInbM23CbzA=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-24960">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
    <ds:DigestValue>dU5PRzbgwJOdar6kSwEfKdfuRjk=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>KGBlqqzc....
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-4717041D9F2F977B7E151800507638124959">
    <wsse:SecurityTokenReference wsu:Id="STRId-4717041D9F2F977B7E151800507638124960" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference URI="#CertId-4717041D9F2F977B7E151800507638124958" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp wsu:Id="Timestamp-24958" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsu:Created>2018-02-07T12:04:36.381Z</wsu:Created>
    <wsu:Expires>2018-02-07T12:05:35.381Z</wsu:Expires>
    </wsu:Timestamp>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="id-24960" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <EnviarFacturaResponse xmlns="">
    <return>
    <resultado>
    <codigo>100</codigo>
    <descripcion>SOAP eskaeraren sinadura ez da zuzena./La firma de la petición SOAP no es válida</descripcion>
    <codigoSeguimiento></codigoSeguimiento>
    </resultado>
    <factura xsi:nil="true"></factura>
    </return>
    </EnviarFacturaResponse>
    </soapenv:Body>
    </soapenv:Envelope>




    What I get with my code is:

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <o:BinarySecurityToken u:Id="uuid-d6503e5a-ce7a-422f-8f3e-bd078d3ce4a4-86" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIIpzCCB4+gAwIBAgIQYXdS.....</o:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="#_1">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>zz7daqdyjgNa7E+gq4echEmJJ0Q=</DigestValue>
    </Reference>
    <Reference URI="#uuid-dd2de1b1-650d-4e02-8b17-6deb063aac48-15">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>L5DPIqVYV6/UABwYd3URUKzKiWw=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>Z37U7N1AogE.....==</SignatureValue>
    <KeyInfo>
    <o:SecurityTokenReference>
    <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-d6503e5a-ce7a-422f-8f3e-bd078d3ce4a4-86"></o:Reference>
    </o:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    <u:Timestamp u:Id="uuid-dd2de1b1-650d-4e02-8b17-6deb063aac48-15">
    <u:Created>2018-02-07T12:04:33.662Z</u:Created>
    <u:Expires>2018-02-07T12:09:33.662Z</u:Expires>
    </u:Timestamp>
    </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <enviarFactura xmlns="https://webservice.face.gob.es">
    <request xmlns="">
    <correo>jbarreras@serkonten.com</correo>
    <factura>
    <factura>77u/PD....</factura>
    <nombre>45F121687</nombre>
    <mime>application/xml</mime>
    </factura>
    <anexos xsi:nil="true"></anexos>
    </request>
    </enviarFactura>
    </s:Body>
    </s:Envelope>




    As I always do, I have created a DLL from Visual Studio, which is referenced from AX 2012.
    From AX I use this code.

    try
        {
            // Endpoint address and DNS identity (the identity must match the service certificate)
            addressHeaderCollection  = new System.ServiceModel.Channels.AddressHeaderCollection();

            endpointIdentity        = System.ServiceModel.EndpointIdentity::CreateDnsIdentity(endpointIdentityDNS);
            endpointAddress         = new System.ServiceModel.EndpointAddress(new System.Uri(endPointAddressUri), endpointIdentity, addressHeaderCollection);
            endPoint                = proxyPortClient.get_Endpoint();
            endPoint.set_Address(endpointAddress);

            // WS-Security 1.0 with Basic Security Profile 1.0 (interop setting for non-WCF services)
            messageSecurityVersion = System.ServiceModel.MessageSecurityVersion::get_WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10();

            // Asymmetric (mutual certificate) binding element: the client signs with its own X.509 certificate
            aSymmetricSecurityBindingElement = System.ServiceModel.Channels.SecurityBindingElement::CreateMutualCertificateDuplexBindingElement(messageSecurityVersion);
            //aSymmetricSecurityBindingElement = new System.ServiceModel.Channels.AsymmetricSecurityBindingElement();

            //aSymmetricSecurityBindingElement.set_MessageSecurityVersion(messageSecurityVersion);
            aSymmetricSecurityBindingElement.set_DefaultAlgorithmSuite(System.ServiceModel.Security.SecurityAlgorithmSuite::get_Basic128Rsa15());

            // Initiator (client) token: always sent to the recipient as a BinarySecurityToken and referenced internally
            X509SecurityTokenParameters2 = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
            X509SecurityTokenParameters2.set_InclusionMode(System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode::AlwaysToRecipient);
            X509SecurityTokenParameters2.set_RequireDerivedKeys(false);
            X509SecurityTokenParameters2.set_X509ReferenceStyle(System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType::Any);
            X509SecurityTokenParameters2.set_ReferenceStyle(System.ServiceModel.Security.Tokens.SecurityTokenReferenceStyle::Internal);
            aSymmetricSecurityBindingElement.set_InitiatorTokenParameters(X509SecurityTokenParameters2);

            // Recipient (service) token: never included in the message
            X509SecurityTokenParameters3 = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
            X509SecurityTokenParameters3.set_InclusionMode(System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode::Never);
            X509SecurityTokenParameters3.set_RequireDerivedKeys(false);
            X509SecurityTokenParameters3.set_X509ReferenceStyle(System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType::Any);
            X509SecurityTokenParameters3.set_ReferenceStyle(System.ServiceModel.Security.Tokens.SecurityTokenReferenceStyle::Internal);
            aSymmetricSecurityBindingElement.set_RecipientTokenParameters(X509SecurityTokenParameters3);

            // Header layout and protection settings
            aSymmetricSecurityBindingElement.set_MessageProtectionOrder(System.ServiceModel.Security.MessageProtectionOrder::SignBeforeEncrypt);
            aSymmetricSecurityBindingElement.SetKeyDerivation(false);
            aSymmetricSecurityBindingElement.set_AllowSerializedSigningTokenOnReply(true);
            aSymmetricSecurityBindingElement.set_SecurityHeaderLayout(System.ServiceModel.Channels.SecurityHeaderLayout::LaxTimestampLast);
            aSymmetricSecurityBindingElement.set_EnableUnsecuredResponse(true);
            aSymmetricSecurityBindingElement.set_IncludeTimestamp(true);
            aSymmetricSecurityBindingElement.set_ProtectTokens(false);
            aSymmetricSecurityBindingElement.set_KeyEntropyMode(System.ServiceModel.Security.SecurityKeyEntropyMode::CombinedEntropy);

            // Sign token begin

            // if I add "once" on the initiator, the BST does appear and is referenced in KeyInfo, but it is not signed
            // check whether to keep looking at how to sign this initiator token, or whether it is the other one that
            // should be signed... see the difference between the 3 and which one is the main one
            //X509SecurityTokenParameters1 = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
            //X509SecurityTokenParameters1.set_InclusionMode(System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode::AlwaysToRecipient);
            //X509SecurityTokenParameters1.set_RequireDerivedKeys(false);
            //X509SecurityTokenParameters1.set_X509ReferenceStyle(System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType::IssuerSerial);
            //X509SecurityTokenParameters1.set_ReferenceStyle(System.ServiceModel.Security.Tokens.SecurityTokenReferenceStyle::Internal);

            //supportingTokenParameters = aSymmetricSecurityBindingElement.get_EndpointSupportingTokenParameters();
            //supportingTokenParameters = aSymmetricSecurityBindingElement.get_OptionalEndpointSupportingTokenParameters();
            //securityTokenParameters = aSymmetricSecurityBindingElement.get_InitiatorTokenParameters();
            //supportingTokenParameters = new System.ServiceModel.Security.Tokens.SupportingTokenParameters();
            //supportingTokenParameters.SetKeyDerivation(false);
            //collectionBase = supportingTokenParameters.get_Signed();
            //info(strFmt("%1", collectionBase.get_Capacity()));
            //securityTokenParameters = collectionBase.get_Item(0);
            //securityTokenParameters.set_InclusionMode(System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode::AlwaysToInitiator);
            //collectionBase.Add(X509SecurityTokenParameters2);
            //collectionBase.Add(supportingTokenParameters);

            // Sign token end

            // Assemble the custom binding: security, text encoding (SOAP 1.1, no WS-Addressing), HTTPS transport
            bindingElementCollection = new System.ServiceModel.Channels.BindingElementCollection();
            //customBinding = new System.ServiceModel.Channels.CustomBinding(bindingElementCollection);
            //customBinding = new System.ServiceModel.Channels.CustomBinding();
            //bindingElementCollection = customBinding.CreateBindingElements();

            bindingElementCollection.Add(aSymmetricSecurityBindingElement);

            messageVersion = System.ServiceModel.Channels.MessageVersion::CreateVersion(System.ServiceModel.EnvelopeVersion::get_Soap11(),
                                                                                        System.ServiceModel.Channels.AddressingVersion::get_None());
            textMessageEncodingBindingElement = new System.ServiceModel.Channels.TextMessageEncodingBindingElement(messageVersion, System.Text.Encoding::get_UTF8());
            bindingElementCollection.Add(textMessageEncodingBindingElement);

            httpsTransportBindingElement = new System.ServiceModel.Channels.HttpsTransportBindingElement();
            httpsTransportBindingElement.set_MaxBufferSize(5000000);
            httpsTransportBindingElement.set_MaxReceivedMessageSize(5000000);
            httpsTransportBindingElement.set_RequireClientCertificate(true);
            bindingElementCollection.Add(httpsTransportBindingElement);

            customBinding = new System.ServiceModel.Channels.CustomBinding(bindingElementCollection);

            endPoint.set_Binding(customBinding);

            // Sign Body
            contractDescription = endPoint.get_Contract();
            contractDescription.set_ProtectionLevel(System.Net.Security.ProtectionLevel::Sign);

            // Helper on this class that sets the client certificate from pemFile (not shown here)
            this.ClientCredentials(proxyPortClient.get_ClientCredentials(), pemFile);
            clientCredentials = proxyPortClient.get_ClientCredentials();
        }

        catch
        {
            // Get the .NET Type Exception
            exception = CLRInterop::getLastException();

            // Go through the inner exceptions
            while (exception)
            {
                // Print the exception to the infolog
                info(CLRInterop::getAnyTypeForObject(exception.ToString()));

                // Get the inner exception for more details
                exception = exception.get_InnerException();
            }
        }


    I need a wsse:SecurityTokenReference and a wsse:Reference for the BinarySecurityToken.


    Please, I would be very grateful if someone could indicate to me what I may be doing wrong or what I may be missing ....

    thanks in advance


    Wednesday, February 7, 2018 2:09 PM

All replies

  • Hi Jabier,

    What is the type of the service you are consuming? Do you send the request to a WCF or a Java service?

    For BinarySecurityToken, I suggest you check whether the links below are helpful.

    # BinarySecurityToken with wcf

    https://stackoverflow.com/questions/31115673/binarysecuritytoken-with-wcf

    # BinarySecurityToken header

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/c301635a-9c29-4c7e-ac8d-6b47a909fda9/binarysecuritytoken-header?forum=wcf

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, February 8, 2018 5:53 AM
  • Hi,

    How can I know what type of service I am consuming?

    If I follow the steps in the links that you propose, yes, I can change my request, but I had done this before.
    For example, now I get the BST referenced in "SecurityTokenReference", but it is not in "SignedInfo".

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <o:BinarySecurityToken u:Id="uuid-7970424d-739a-4b43-a57f-12b8edd7c026-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIIpzCCB....</o:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="#_1">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>zz7daqdyjgNa7E+gq4echEmJJ0Q=</DigestValue>
    </Reference>
    <Reference URI="#uuid-3bcddfa5-53a0-4bd1-b81c-af4cf07158e4-1">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>cJw6HAM4ozqpkAMjnrusFdUUt8k=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>.......</SignatureValue>
    <KeyInfo>
    <o:SecurityTokenReference>
    <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-7970424d-739a-4b43-a57f-12b8edd7c026-2"></o:Reference>
    </o:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    <u:Timestamp u:Id="uuid-3bcddfa5-53a0-4bd1-b81c-af4cf07158e4-1">
    <u:Created>2018-02-08T08:38:09.045Z</u:Created>
    <u:Expires>2018-02-08T08:43:09.045Z</u:Expires>
    </u:Timestamp>
    </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <enviarFactura xmlns="https://webservice.face.gob.es">
    <request xmlns="">
    <correo>jbarreras@serkonten.com</correo>
    <factura>
    <factura>77u/PD94bWw...</factura>
    <nombre>45F121687</nombre>
    <mime>application/xml</mime>
    </factura>
    <anexos xsi:nil="true"></anexos>
    </request>
    </enviarFactura>
    </s:Body>
    </s:Envelope>


    What I have to achieve is that the BST is referenced in "SignedInfo", along with the body and the timestamp, and also referenced in "SecurityTokenReference".

    The BinarySecurityToken needs to be signed.

    I think the answer may be how to play with the properties of aSymmetricSecurityBindingElement (InitiatorTokenParameters, RecipientTokenParameters and EndpointSupportingTokenParameters), because, depending on how it is changed, I get one thing or another, but I never get what I want.
    I do not understand very well what they are for and what I have to indicate in each one.

    For example, if I add the following code line:

    EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters())

    another BST appears (I have 2), and this one is referenced in SignedInfo.

    If I add InitiatorTokenParameters(once) and RecipientTokenParameters(never), in the KeyInfo / SecurityTokenReference element a KeyIdentifier element is added instead of a Reference element.

    thanks in advance


    Thursday, February 8, 2018 8:53 AM
  • Hi Jabier,

    >> How can I know what type is the service i am consuming?

    For this, you may need to confirm with the Developer of the Service which you are consuming.

    >> For example, now I get the BTS referenced in "SecurityTokenReference", but it is not in "SignedInfo"

    Is the generated content of the BinarySecurityToken right? Is only the position wrong, or are both its position and its content wrong?

    >> What I have to achieve is that the BTS is referenced in "SignedInfo", along with the body and timestamp and also this referenced in "SecurityTokenReference"

    What do you mean by this? After checking your expected SOAP Request, BinarySecurityToken is not in the SignedInfo either. Do you receive any error with current SOAP Request?

    Best Regards,

    Tao Zhou



    Friday, February 9, 2018 3:01 AM
  • hello,

    The service I am consuming is a Java service.


    >> Is the generated content of BinarySecurityToken right? Is it only the position wrong or its position and content both are wrong?

    Only the position is wrong.

    >> What do you mean by this? After checking your expected SOAP Request, BinarySecurityToken is not in the SignedInfo either. Do you receive any error with current SOAP Request?

    In the sample request of my first post, "CertId-4717041D9F2F977B7E151800507638124958" is in BinarySecurityToken, in SignedInfo and in KeyInfo.


    As I said, after a lot of reading, I came to the conclusion that to get the request that the provider requires, I needed MutualCertificateDuplex with a CustomBinding... and then I started to assemble the client with AsymmetricSecurityBindingElement ....

    The provider only gives me a PDF with the characteristics of the service and an example request.
    With the different requests that I have obtained, the server always returns that the signature is incorrect.
    After contacting the provider, he tells me that I have to sign the token, the body and the timestamp, and that I am not doing it.
    I need to get a request like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:BinarySecurityToken wsu:Id="CertId-AF69D5714A03B66EEA146183039572919" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">..removed...
    </wsse:BinarySecurityToken>
    <ds:Signature Id="Signature-20" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#CertId-AF69D5714A03B66EEA146183039572919">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>p9HSwTSV2JzJ2kftt9t1i+RevV0=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#Timestamp-19">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>lqtnqy6bn8DS7K2YFG9FHJyIFso=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-21">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>wfrbTmuhCzWGVmSr7VZhQbFF37Q=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>j3vicJDyRJz9OBpeEPZbkzDGR7QAtB7kNfkec2k8I2OvWW430h//msExGuOjFMY/NARmr6mRlx8FjCmz5lD7DpSMNcRipjsJY4eWby4vNc+4FTje4Qqf/GX8KWbE40MI+6cZoy5PxOK+6S/U+ky16UBWVQICqncbjI5LMu+kYK8=</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-AF69D5714A03B66EEA146183039572920">
    <wsse:SecurityTokenReference wsu:Id="STRId-AF69D5714A03B66EEA146183039572921" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#CertId-AF69D5714A03B66EEA146183039572919"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp wsu:Id="Timestamp-19" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsu:Created>2016-04-28T07:59:55.729Z</wsu:Created>
    <wsu:Expires>2016-04-28T08:00:54.729Z</wsu:Expires>
    </wsu:Timestamp>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="id-21" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <anularFactura xmlns="https://webservice.face.gob.es">
    <numeroRegistro xmlns="">2016/000000001</numeroRegistro>
    <motivo xmlns="">Factura incorrecta</motivo>
    </anularFactura>
    </soapenv:Body>
    </soapenv:Envelope>

    I think my problem is similar or the same as the one explained in this link:

    https://api.queryxchange.com/q/27_45800793/signing-binarysecuritytoken-without-making-copy-and-including-39-securitytokenreference-reference-39-instead-of-39-securitytokenreference-keyidentifier-39/


    I need:

    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#CertId-AF69D5714A03B66EEA146183039572919">
    <ds:Transforms>

    <ds:KeyInfo Id="KeyId-AF69D5714A03B66EEA146183039572920">
    <wsse:SecurityTokenReference wsu:Id="STRId-AF69D5714A03B66EEA146183039572921" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#CertId-AF69D5714A03B66EEA146183039572919"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>



    Friday, February 9, 2018 7:41 AM
  • Hi Jabier,

    >> Only the positions is wrong

    If you send the SOAP Request with the right position in SOAPUI, will the server return right response?

    If it will, I suggest you try Message Inspectors to modify the request before sending it.

    # WCF Extensibility – Message Inspectors

    https://blogs.msdn.microsoft.com/carlosfigueira/2011/04/18/wcf-extensibility-message-inspectors/

    Best Regards,

    Tao Zhou



    Monday, February 12, 2018 6:01 AM
  • Hi,

    Are you sure that in that way my problem will be solved?


    I commented that the problem was the position of the reference, but the problem really is that I do not know how to make the request comply with the WS-Security 1.0 X.509 Token Profile.
    What I need is what is said in the documentation of the WS-Security 1.0 X.509 Token Profile, in section 3.3.2:

    3.3.2 Reference to a Binary Security Token

    The signed data SHOULD contain a core bare name reference (as defined by the XPointer specification [XPointer]) to the <wsse:BinarySecurityToken> element that contains the security token referenced, or a core reference to the external data source containing the security token.

    The following example shows a certificate embedded in a <wsse:BinarySecurityToken> element and referenced by URI within a signature. The certificate is included in the <wsse:Security> header as a <wsse:BinarySecurityToken> element with identifier binarytoken. The scope of the signature defined by a <ds:Reference> element within the <ds:SignedInfo> element includes the signing certificate which is referenced by means of the URI bare name pointer #binarytoken. The <ds:KeyInfo> element specifies the signing key by means of a <wsse:SecurityTokenReference> element which contains a <wsse:Reference> element which references the certificate by means of the URI bare name pointer #binarytoken.

    <S11:Envelope xmlns:S11="...">
    <S11:Header>
    <wsse:Security
    xmlns:wsse="..."
    xmlns:wsu="...">
    <wsse:BinarySecurityToken
    wsu:Id="binarytoken"
    ValueType="wsse:X509v3"
    EncodingType="wsse:Base64Binary">
    MIIEZzCCA9CgAwIBAgIQEmtJZc0…
    </wsse:BinarySecurityToken>
    <ds:Signature
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>…
    <ds:Reference URI="#body">…</ds:Reference>
    <ds:Reference URI="#binarytoken">…</ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>HFLP…</ds:SignatureValue>
    <ds:KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#binarytoken" />
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    </wsse:Security>
    </S11:Header>
    <S11:Body wsu:Id="body"
    xmlns:wsu="...">
    …
    </S11:Body>
    </S11:Envelope>

    Tuesday, February 13, 2018 3:26 PM
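The requirement quoted from the Token Profile above, and the gap the first post shows between the provider's sample request and the WCF output, come down to one structural question that a receiving service checks before it even looks at the digests: which wsu:Id values do the ds:Reference elements in SignedInfo name, and does the SecurityTokenReference in KeyInfo point at the same BinarySecurityToken? The script below is an added example, not code from the thread, from WCF or from the provider. The two envelopes embedded in it are constructed, shortened stand-ins for the two requests posted in this thread (placeholder token and signature values, constructed Id values); it matches elements by namespace URI, so the wsse/wsu and o/u prefix styles of the two requests are handled the same way. It checks only the reference structure, not the digest values or the RSA signature itself.

```python
"""Report which parts of a WS-Security envelope the signature covers.

Added example (not from the thread). The X.509 Token Profile, section 3.3.2,
expects <ds:SignedInfo> to carry a <ds:Reference> for the BinarySecurityToken
as well as for the Timestamp and the Body, and <ds:KeyInfo> to name that same
token via <wsse:SecurityTokenReference>/<wsse:Reference>. Only the reference
structure is inspected; digests and the RSA signature are not verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def _bare_name(uri):
    """'#CertId-1' -> 'CertId-1'; a URI that is not a bare-name pointer is returned unchanged."""
    return uri[1:] if uri.startswith("#") else uri


def signed_ids(envelope_xml):
    """Set of wsu:Id values named by the ds:Reference elements inside ds:SignedInfo."""
    root = ET.fromstring(envelope_xml)
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {_bare_name(r.get("URI", "")) for r in refs}


def check_coverage(envelope_xml):
    """Per-part booleans for the Token Profile layout; matching is by namespace URI, not prefix."""
    root = ET.fromstring(envelope_xml)
    signed = signed_ids(envelope_xml)

    token = root.find(".//wsse:Security/wsse:BinarySecurityToken", NS)
    timestamp = root.find(".//wsse:Security/wsu:Timestamp", NS)
    body = root.find("soapenv:Body", NS)
    str_ref = root.find(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)

    token_id = token.get(WSU_ID) if token is not None else None
    str_target = _bare_name(str_ref.get("URI", "")) if str_ref is not None else None

    return {
        "token_signed": token_id is not None and token_id in signed,
        "timestamp_signed": timestamp is not None and timestamp.get(WSU_ID) in signed,
        "body_signed": body is not None and body.get(WSU_ID) in signed,
        "str_points_at_token": token_id is not None and str_target == token_id,
    }


def profile_satisfied(envelope_xml):
    """True only when token, timestamp and body are all signed and KeyInfo names the signed token."""
    return all(check_coverage(envelope_xml).values())


# Constructed, shortened envelope in the shape of the provider's sample request:
# token, timestamp and body are all referenced from SignedInfo.
EXPECTED_SHAPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:BinarySecurityToken wsu:Id="CertId-1">MIIE...constructed...</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
     <ds:Reference URI="#CertId-1"/><ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#id-1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp wsu:Id="Timestamp-1"/>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="id-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
</soapenv:Envelope>"""

# Constructed, shortened envelope in the shape the WCF client produced:
# body and timestamp are referenced, the token is only named in KeyInfo.
WCF_SHAPE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <o:BinarySecurityToken u:Id="uuid-token-1">MIIE...constructed...</o:BinarySecurityToken>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI="#_1"/><Reference URI="#uuid-ts-1"/></SignedInfo>
    <SignatureValue>constructed</SignatureValue>
    <KeyInfo><o:SecurityTokenReference><o:Reference URI="#uuid-token-1"/></o:SecurityTokenReference></KeyInfo>
   </Signature>
   <u:Timestamp u:Id="uuid-ts-1"/>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1"/>
</s:Envelope>"""

if __name__ == "__main__":
    for name, env in (("expected", EXPECTED_SHAPE), ("wcf", WCF_SHAPE)):
        print(name, check_coverage(env), "profile satisfied:", profile_satisfied(env))
```

Run against the two shapes, the first reports all four conditions true and the second reports token_signed false with the other three true, which is exactly the mismatch the thread describes: the WCF output names the token in KeyInfo but never covers it with a ds:Reference. On the WCF side, the SecurityBindingElement property whose documented purpose is to have the primary signing token itself covered by the signature is ProtectTokens, which the X++ in the first post sets to false; whether turning it on yields precisely the layout this Java service wants is not something the thread establishes, so treat that as an editor's pointer rather than a confirmed fix.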
  • Hi Jabier,

    >>Are you sure that in that way my problem will be solved?

    It depends on what the expected SOAP Request is, and how we could create it.

    From your original description, only the position of the BinarySecurityToken is wrong, so I suggest you change the location before sending the request.

    Is there any other difference?

    Best Regards,

    Tao Zhou




    Thursday, February 22, 2018 3:59 AM
  • Hi Jabier, 

    Did you ever get this working? I am facing exactly the same issue: Timestamp signed with a ref in SignedInfo, Body signed with a ref in SignedInfo, BinarySecurityToken signed but the ref is missing in SignedInfo.

    So... If you resolved this issue, I am pretty curious on how you did it.

    Wednesday, May 15, 2019 10:51 PM