The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'.

  • Question

  • I'm very new to WCF, and would like to write a web service client to consume a Java web service set up by a service provider.

    The service provider confirmed that they received the request successfully and replied. However, my application prompts the error message "The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'."

    Hope someone can help me on this; I have been stuck on it for 2 weeks.

    This is the expected request (generated by SoapUI):

    <?xml version="1.0" encoding="UTF-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <soap:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
             <xenc:EncryptedKey Id="EncKeyId-73D71E3AEB6DD6F63F1425291920588736">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                   <wsse:SecurityTokenReference>
                      <ds:X509Data>
                         <ds:X509IssuerSerial>
                            <ds:X509IssuerName>C=AU,L=Sydney,O=Macquarie Bank Limited,CN=Macquarie Bank Limited Issuing CA NTSYDASP106</ds:X509IssuerName>
                            <ds:X509SerialNumber>142703842424814724926635</ds:X509SerialNumber>
                         </ds:X509IssuerSerial>
                      </ds:X509Data>
                   </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                   <xenc:CipherValue>KSA/QNFIwZzOJUOSrjsCBpien8WR6VDAb//57kmu++6J/ehZCiWix4Pgms22oFUCoYOC0RW3hSnt8W899tHaHglMzm2EghO7MrxUqcIZwksRYwcAwxlvs4JXohhyZZzRifhCnj3ViJnsJB1vfuSp5z9VEHw4OKKNoj/C/EeHJ8DwmZ51WYDSprwM4VGyneR9bxywY5V2IkzIpQwvbP+mqb6F6L7/0XgstgRssYetcTCMovRlJS0KL9SfWaDC8lwRfMmn61puKFDuY6Yl0FAYZJr7/xHfxHPGnnyUybrAiFqlpV9qjeoXsjU0+8VjmL5yYuLNwKc4rXkLChzJTUcMnQ==</xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                   <xenc:DataReference URI="#EncDataId-683" />
                </xenc:ReferenceList>
             </xenc:EncryptedKey>
             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-681">
                <ds:SignedInfo>
                   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                   <ds:Reference URI="#id-682">
                      <ds:Transforms>
                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      </ds:Transforms>
                      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                      <ds:DigestValue>r/tbdhQGC+SLVzhIjaeUUwnWctU=</ds:DigestValue>
                   </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>MGUFbBjKhV25OHIwrcA/tKf1oBes9cBG+2xI14ILv505xSffgoQ548Nop7IKFqC4WSVtCx7/Ios5
    wmysRbGv1tNB44F8eeregRPqgtjsgiKZxF6rhInHOZCYQ+CG9DNd/qYga9nizmsv1ssQ0mzw6P3s
    yvYndCe6i+9MPtEHwvn/nz4/BfK4kE+BaVHTYofCnEca64PGPyFJWCY0ETqwbyjPOM9FUXc1Su9Q
    UL9GWY2AVrGDOkQT3y+lFq7qYSDya6zcIW4P5vgW+094RpFTqJyQBLGZejVlFz5eDwnf3t9+jjqv
    qyMZBIwzq0OvOE+vsOXpnnJNdwb8kEdxYRElsg==</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-73D71E3AEB6DD6F63F1425291920572733">
                   <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-73D71E3AEB6DD6F63F1425291920572734">
                      <ds:X509Data>
                         <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=Macquarie Bank Limited Issuing CA NTSYDASP106,O=Macquarie Bank Limited,L=Sydney,C=AU</ds:X509IssuerName>
                            <ds:X509SerialNumber>95887256840536385079532</ds:X509SerialNumber>
                         </ds:X509IssuerSerial>
                      </ds:X509Data>
                   </wsse:SecurityTokenReference>
                </ds:KeyInfo>
             </ds:Signature>
             <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-680">
                <wsu:Created>2015-03-02T10:25:20.572Z</wsu:Created>
                <wsu:Expires>2015-03-02T10:30:20.572Z</wsu:Expires>
             </wsu:Timestamp>
          </wsse:Security>
          <Action xmlns="http://www.w3.org/2005/08/addressing">http://www.macquarie.com/esi/common/1.0/getAuthenticationExpiryResponse</Action>
          <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:esi:10213781</MessageID>
          <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:Vendor software name:Software Version:123456789</RelatesTo>
       </soap:Header>
       <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-682">
          <xenc:EncryptedData Id="EncDataId-683" Type="http://www.w3.org/2001/04/xmlenc#Content">
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <wsse:Reference URI="#EncKeyId-73D71E3AEB6DD6F63F1425291920588736" />
                </wsse:SecurityTokenReference>
             </ds:KeyInfo>
             <xenc:CipherData>
                <xenc:CipherValue>/MhNGT5gBa3izEvUAM/RhIstJiuR0ayeXd3pNgoFy26gPcMFxJ/Gs4L0u2/5o5CjZy26y7g5fHXH
    YGAR6Mn5518/HV7gtxB2h4UM2O4zrNLVL3pQw2AQLlS90JB1eCTzjgormQEIi0xDk1C38A6DJoOR
    XU4zHlaEI8NtnWeStmDeoYEolAWkab2CULXGGAf8QPFQbauyZV4az7Fkdc8eaiM8qSJDxoE81WbO
    Iy66GJ78xmSoBgYdI4iRn/QGhxx1RXc0OLdrrPocAcIV5VB3rUPducbiNlQ/eV/6IhiyOts1QHOe
    7sbLjO0gBZugO7mIUotq6dH5ZsJVas7RXr0Wh1G23sVrCxlcl2rXjkrq5tlepVQyR3OTsShsNbdC
    x6JZRivjDbqLIOK0yApaNI+4lFnexBOtMrEEbfBYnok1B2HCDfb9lSur0GnpxkaK41jWSzdQ+/yt
    sSfrzD4Ak/hE0oVz+7AWyEcJGm1sdvnQm6o=</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </soap:Body>
    </soap:Envelope>


    And this is the request generated by me:

    <?xml version="1.0" encoding="UTF-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <s:Header>
          <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPownxHQH+T9lIj6D7e3aO3bkAAAAATfkTJ73F5UijVWXhvKNWpAoa6VSW+tdPrGPz/e9K1wUACQAA</VsDebuggerCausalityData>
          <To xmlns="http://www.w3.org/2005/08/addressing">http://www.macquarie.com/esi/common/v1</To>
          <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:TPP:v1:urn:uuid:25f88cfc-7c21-4421-b892-b362baaa35fe</MessageID>
          <Action xmlns="http://www.w3.org/2005/08/addressing">http://www.macquarie.com/esi/common/1.0/getAuthenticationExpiryRequest</Action>
          <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
             <u:Timestamp u:Id="uuid-af069436-9584-4b0c-919a-dd12d424a089-2">
                <u:Created>2015-03-02T10:48:59.315Z</u:Created>
                <u:Expires>2015-03-02T10:53:59.315Z</u:Expires>
             </u:Timestamp>
             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_0">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                   <o:SecurityTokenReference>
                      <X509Data>
                         <X509IssuerSerial>
                            <X509IssuerName>CN=Macquarie Bank Limited Issuing CA NTSYDASP106, O=Macquarie Bank Limited, L=Sydney, C=AU</X509IssuerName>
                            <X509SerialNumber>95887256840536385079532</X509SerialNumber>
                         </X509IssuerSerial>
                      </X509Data>
                   </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                   <e:CipherValue>Ittv30rv9dOE3C6AGvRCuCQXs3s/kIe3M2BCGkTR1UB/TAZSXs27sgZlgyNv0bu95UqBKaAj7o+EZiXx66ScxJJpXNUEDyLtJ/p3OrhcddrxzN8+gRM2QeaVq0YEBEuGNfrM1EHZEv/j670Y1oxzMYf93xj52X7fOHXqM877GoruVF/voqVVzayVBifYfQh7E60KFPDUd5pDtXdd5RWj4XZw66JDYWYjFkW3O8J23ZYC2xjNR90u+xLfV/rKs8C4M25XdjvAwjCtNI9PbCiCfZ5JeMFtwwq1izXBfq7yvp9jabdyCmlJstA8RC+o4y1WtzlRcBVlIJpB7xpR8r8w8g==</e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                   <e:DataReference URI="#_2" />
                </e:ReferenceList>
             </e:EncryptedKey>
             <o:UsernameToken u:Id="uuid-99cafb0e-21e2-4241-a74a-7a20dccb3ffc-6">
                <o:Username>navHtoYe8f8S4pAkOZkZID6t9GQ=</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">f2+5XVfDzH6oDYzWoHkZMcpuDQ0=</o:Password>
             </o:UsernameToken>
             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                   <Reference URI="#_1">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                      <DigestValue>MsfnKtdHcNazKCIoqAnMtSlv59Y=</DigestValue>
                   </Reference>
                   <Reference URI="#uuid-af069436-9584-4b0c-919a-dd12d424a089-2">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                      <DigestValue>VBvkgY6I42+9snZsZ1RwoMiFTEM=</DigestValue>
                   </Reference>
                   <Reference URI="#uuid-99cafb0e-21e2-4241-a74a-7a20dccb3ffc-6">
                      <Transforms>
                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                      </Transforms>
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                      <DigestValue>lMb1lH7gqlPmHtWeA1sfu61i78c=</DigestValue>
                   </Reference>
                </SignedInfo>
                <SignatureValue>CScv9VgnEkYozS5XVGLH5FmOzlTN/m8YcLwzesAUlHMglrB+J+VmmjvRwNcpw0SpLnQegOYhw9Y3QDuoS0E5Z44wRSmZokHLdEXirotUwF/ngU0pOXbbIpJDgMI+JydLUQpM1cahcURV1baKY6dPGQ6fOvmfmTmnv7OSqabfk8a5g0SFHnsM+qG9GWvUGm4s7htMzC6Yl6odr8JpQggoZ94heekCzL1+UgFd7P12sjaGEgk6dqNnaHpNIjQECDfCuXfMl0NlZb2FJpCDOh/E4Tjk48G/HfGY4j4Qj3UuzTMV+6Gu60hVZxjQbPUgoATrM1/OLOkD0qFNlILw8pouhA==</SignatureValue>
                <KeyInfo>
                   <o:SecurityTokenReference>
                      <X509Data>
                         <X509IssuerSerial>
                            <X509IssuerName>CN=Macquarie Bank Limited Issuing CA NTSYDASP106, O=Macquarie Bank Limited, L=Sydney, C=AU</X509IssuerName>
                            <X509SerialNumber>142703842424814724926635</X509SerialNumber>
                         </X509IssuerSerial>
                      </X509Data>
                   </o:SecurityTokenReference>
                </KeyInfo>
             </Signature>
          </o:Security>
       </s:Header>
       <s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
          <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content">
             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
             <e:CipherData>
                <e:CipherValue>uonwhbzpQ2hyXrSLHTR4i6FOCKeqxO9BotTJLHvRVvniDRuzUckwOG9I2C0HAllbcoABJ3dU0NnoykGHSCzErg4eJYkHvPcyLWKFMcSqsuAlAVywaxwWhxRL9o07QYooY+01Co0fLHR18IJYz+gmOBixvmW8f1ntDrldDQs2WyWThgzBoz4HTK8hMQj2DFw9wnzY1AFmyHtnuDbSt0aUZDT8Le79Y26pVOBMOU4hf+1AHeHmLpS4w6QMVqghp6vWhu+ZASePNaSKvRRbGJaQrA==</e:CipherValue>
             </e:CipherData>
          </e:EncryptedData>
       </s:Body>
    </s:Envelope>


    Exception caught: "The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'."

    Code:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.Text;
    using System.Windows.Forms;
    using System.Xml;

    private void Test1()
    {
        // Both the client (initiator) and service (recipient) certificates are referenced by
        // issuer/serial and are never included in the message itself.
        var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
        var recipient = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
        var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        sec.InitiatorTokenParameters = initiator;
        sec.RecipientTokenParameters = recipient;
        sec.IncludeTimestamp = true;
        // The UsernameToken is sent as a signed supporting token next to the certificate tokens.
        sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
        sec.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampFirst;

        // AES-128 for the body and RSA 1.5 key transport, matching the SoapUI sample above.
        sec.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
        sec.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

        sec.SetKeyDerivation(false);
        sec.AllowSerializedSigningTokenOnReply = true;

        CustomBinding myBinding = new CustomBinding();
        myBinding.Elements.Add(sec);
        myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
        myBinding.Elements.Add(new HttpsTransportBindingElement());

        // The thumbprints are not used below; the certificates are loaded from files instead.
        string clientCertThumbprint = "2f83f7c05ae96718d114ca4e6b49d194144ff315".ToUpper();
        string serviceCertThumbprint = "d54d6d6b39ae1935717e447d8a540af74a4aa75d".ToUpper();
        X509Certificate2 clientCertificate = new X509Certificate2(txtCertpath.Text + "belldirect_com_au.pfx", "paris123");
        X509Certificate2 serviceCertificate = new X509Certificate2(txtCertpath.Text + "esiServer_Macquarie_Bank.cer");

        EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("esiServer");
        EndpointAddress endpoint = new EndpointAddress(new Uri(txtEndpoint.Text), identity, new AddressHeaderCollection());

        // Replaces TLS server certificate validation with OnValidationCallback, which is defined
        // elsewhere in the form and not shown here.
        System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(OnValidationCallback);

        using (Common.Common10Client proxy = new Common.Common10Client(myBinding, endpoint))
        {
            // WS-Addressing headers are added by hand because the binding uses plain SOAP 1.1.
            EndpointAddressBuilder builder = new EndpointAddressBuilder(proxy.Endpoint.Address);
            builder.Headers.Add(AddressHeader.CreateAddressHeader("To", "http://www.w3.org/2005/08/addressing", "http://www.macquarie.com/esi/common/v1"));
            builder.Headers.Add(AddressHeader.CreateAddressHeader("MessageID", "http://www.w3.org/2005/08/addressing", "urn:TPP:v1:" + new UniqueId()));
            builder.Headers.Add(AddressHeader.CreateAddressHeader("Action", "http://www.w3.org/2005/08/addressing", "http://www.macquarie.com/esi/common/1.0/getAuthenticationExpiryRequest"));
            proxy.Endpoint.Address = builder.ToEndpointAddress();
            proxy.ClientCredentials.ClientCertificate.Certificate = clientCertificate;
            proxy.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate;
            // Turns off validation of the service certificate entirely; acceptable while debugging only.
            proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

            proxy.ClientCredentials.UserName.UserName = txtUsername.Text;
            proxy.ClientCredentials.UserName.Password = txtPassword.Text;
            proxy.Endpoint.Behaviors.Add(new Testing.MyMessageInspector());

            Common.AuthenticationExpiry response = proxy.getAuthenticationExpiry(new Common.AuthenticationExpiryRequest());
            MessageBox.Show(response.ExpiryDate.ToShortDateString());
        }
    }

    Monday, March 2, 2015 10:56 AM

Answers

All replies

  • Hi,

    For this situation, the error message above may be caused by a certificate mismatch. About certificate authentication: first the token is encrypted using the public key of the certificate at the client side. Then, at the server side, the received token is decrypted using the private key of the certificate.

    In order for the service to decrypt the message sent by the client, it must use an X.509 certificate containing a private key that matches the public key in the X.509 certificate that the client is using for encryption. So, you need to make sure you are using the correct certificate by checking the X.509 references in your web/app.config.

    For more information, you could refer to:

    http://stackoverflow.com/questions/14750983/messagesecurityexception-the-encryptedkey-clause-was-not-wrapped-with-the-requi

    http://webservices20.blogspot.jp/2008/10/cryptic-wcf-error-messages-part-1-of-n.html

    Regards

    Tuesday, March 3, 2015 2:10 AM
    Moderator
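The check the reply above recommends, written as an added example that is not part of this thread: it parses the EncryptedKey in a message's Security header, pulls out the X509IssuerSerial reference, and compares it with the issuer and serial of the certificate the client actually holds, ignoring RDN order and whitespace because the SoapUI sample writes the issuer as C=AU,...,CN=... while .NET writes CN=...,C=AU. The sample envelope is constructed from the thread's SoapUI header with the cipher text replaced by a placeholder, and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ISSUER_SERIAL = "ds:KeyInfo/wsse:SecurityTokenReference/ds:X509Data/ds:X509IssuerSerial"

# Constructed sample: the thread's SoapUI Security header trimmed to its EncryptedKey,
# with the cipher text replaced by a placeholder.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <xenc:EncryptedKey Id="EncKeyId-1">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
            <ds:X509IssuerName>C=AU,L=Sydney,O=Macquarie Bank Limited,CN=Macquarie Bank Limited Issuing CA NTSYDASP106</ds:X509IssuerName>
            <ds:X509SerialNumber>142703842424814724926635</ds:X509SerialNumber>
          </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

def normalise_dn(dn):
    """Reduce a DN to an unordered set of (type, value) RDNs, ignoring whitespace around separators."""
    rdns = re.split(r"(?<!\\),", dn)  # split on commas that are not backslash-escaped
    return frozenset((t.strip().upper(), v.strip()) for t, _, v in (r.partition("=") for r in rdns))

def encrypted_key_targets(envelope_xml):
    """Return [(Id, issuer_rdns, serial)] for each EncryptedKey in the Security header.
    issuer/serial are None when the key is referenced another way (e.g. KeyIdentifier)."""
    root = ET.fromstring(envelope_xml)
    targets = []
    for ek in root.iterfind(".//wsse:Security/xenc:EncryptedKey", NS):
        issuer = ek.findtext(ISSUER_SERIAL + "/ds:X509IssuerName", namespaces=NS)
        serial = ek.findtext(ISSUER_SERIAL + "/ds:X509SerialNumber", namespaces=NS)
        if issuer is None or serial is None:
            targets.append((ek.get("Id"), None, None))
        else:
            targets.append((ek.get("Id"), normalise_dn(issuer), int(serial.strip())))  # X509SerialNumber is decimal
    return targets

def check_encrypted_key(envelope_xml, my_issuer_dn, my_serial):
    """Report whether some EncryptedKey is wrapped for the certificate we hold (issuer DN + integer serial).
    False is the mismatch the reply describes: the key was wrapped for a different certificate."""
    mine = (normalise_dn(my_issuer_dn), my_serial)
    targets = encrypted_key_targets(envelope_xml)
    for key_id, issuer, serial in targets:
        if (issuer, serial) == mine:
            return True, "EncryptedKey %s is wrapped for our certificate" % key_id
    return False, "no EncryptedKey matches our issuer/serial; referenced serials: %r" % [s for _, _, s in targets]
```

.NET's X509Certificate2.SerialNumber is a hex string, so convert it with int(serial_hex, 16) before passing it as my_serial.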
  • Hi Kok,

    Did you resolve this issue?

    I also have integration with Macquarie and I cannot resolve auth.

    Thanks

    Thursday, April 23, 2015 1:39 PM
  • Yes, finally solved.

    I implemented CustomTextMessageBindingElement to decrypt the received message.

    Not sure why .NET doesn't decrypt properly.

    Friday, April 24, 2015 12:49 AM
  • Hi Kok,

    Can you please send your email or skype contact on maksimetsa@ukr.net ?

    We would be grateful if you could provide code or your contact (if there is a condition).

    Macquarie integration has been freezing us for months.

    Thanks!
    Saturday, April 25, 2015 1:25 AM
  • Hi Kok,

    Could you please show your code of decryption?

    We also built a CustomBindingElement but we have trouble with message decryption using AES.

    Please help.

    Thanks.

    Tuesday, July 28, 2015 10:24 AM
  • Yes, finally solved.

    I implemented CustomTextMessageBindingElement to decrypt the received message.

    Not sure why .NET doesn't decrypt properly.

    Hi Mate,

    Any chance I can contact you directly? I'm stuck exactly where you are.

    Monday, August 15, 2016 4:49 AM
  • Had the same problem. I was able to decrypt the response manually.

    However, it turned out to be a bad certificate (self-signed). It was missing the Subject Key Identifier.

    More info:

    https://stackoverflow.com/questions/46686785/wcf-the-encryptedkey-clause-was-not-wrapped-with-the-required-encryption-token
    Thursday, December 21, 2017 3:12 PM