hash values do not match from client RRS feed

  • Question

  • Hello All,

    I am trying to consume an external webservice. I have no control over it. I was able to get a working SOAP UI request. The request uses two certificates and one usernametoken with nonce.

    See screenshots in SOAP UI where I have configured the keystore, Outgoing WS Configuration, Incoming WS Configuration



    My doubt is with using the wrong certificate for either signing or encryption. And so error:Hash values do not match.

    WCF code 

    proxy = new ProxyGeneration.MHSClient(PeerCustomBinding(), new EndpointAddress(new Uri(""), EndpointIdentity.CreateDnsIdentity("DPMedsHistory"), new AddressHeaderCollection()));
    proxy.ClientCredentials.UserName.UserName = "user";
    proxy.ClientCredentials.UserName.Password = "pwd";
    proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "LMWARD");
    proxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "DPMedsHistory");
    proxy.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

    private CustomBinding PeerCustomBinding()
                AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
                secBE.AllowSerializedSigningTokenOnReply = true;
                secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
               secBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
               X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
               x509ProtectionParameters.RequireDerivedKeys = false;
               secBE.InitiatorTokenParameters = x509ProtectionParameters;
               secBE.RecipientTokenParameters = x509ProtectionParameters;
               secBE.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
               secBE.RequireSignatureConfirmation = false;
               secBE.IncludeTimestamp = false;
               // Add Username Token as a supporting token to the client credential
               // As documented here:
               UserNameSecurityTokenParameters usernameTokParam = new UserNameSecurityTokenParameters();
               usernameTokParam.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
               usernameTokParam.RequireDerivedKeys = false;
              TextMessageEncodingBindingElement enc = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
                HttpsTransportBindingElement b = new HttpsTransportBindingElement();
                b.RequireClientCertificate = true;
                CustomBinding be = new CustomBinding();
                return be;

    This request needs signing and encryption. Soap UI first uses signing and then encrytption. So that is the MessageProtectionorder SignBeforeEncrypt.

    As per my understanding, it uses the client certificate to sign and server cert to encrypt. In SOAP UI KeyPair.jks is used for both signing and encryption. Only the alias names vary. This makes sense because I have imported the private key into this keypair and did some steps for the server cert.

    For signing: Soap UI uses alias name lmward in keypair.jks(screen shot 1). .

    proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "LMWARD");

    For encryption, SOAP UI uses alias name server1.(screenshot2)


    StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "DPMedsHistory");

    This is not the alias name used in SOAP UI.

    Long story short: How do I do the same as soap Ui does in WCF code.

    I am getting 'Hash values do not match from client' referring to a signature, 
     The current expression is /*[local-name()='Envelope' and (namespace-uri(='' or namespace-uri()='')]/*[local-name()='Body' and (namespace-uri()='' or namespace-uri()='')]. Found the element for the expression. Name "s:Body", reference ID "#_1".
    Accept set
    Evaluating signature reference '_1'Current XPath expression '/*[local-name()='Envelope']/*[local-name()='Body']' covered by signature 
    Signer status: 'Extracted the certificate chain from the BinarySecurityToken having format x509'Jun 26 15:25:30 DP303-MedsHistory_PTE [info] wsgw(MedsHistoryWSP): trans(157350727)[request][]: Reject set: Hash values do not match.

    So it is failing in the signature part. Am I using the wrong certifcates or alias names. Soap UI uses the same keypair with different alias names for signing and encryption. Please suggest on how would I do the same in WCF code?

    This is by far the most complicated request i've done. So pardon me for my questions

    Thank  you



    Wednesday, July 24, 2013 4:54 AM


  • Hi,

    When occur this error, please try to enable the tracing to find the casue.

    The following configuration taken from MSDN can be applied to enable tracing on your wcf service.

          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true" >
                 <add name="xml"/>
          <source name="System.ServiceModel.MessageLogging">
                <add name="xml"/>
          <source name="myUserTraceSource"
                  switchValue="Information, ActivityTracing">
                <add name="xml"/>
            <add name="xml"
                 initializeData="Error.svclog" />
    Best Regards.

    Amy Peng
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, July 26, 2013 4:08 AM