Consuming a transport and message level secured Java SOAP web service with WCF client - issue with signature confirmation

  • Question

  • We are required to consume a Java web service which requires the message to be encrypted with the service key and signed with the client key, with the client key added as a binary token in the request. The message should be sent over https as well. The response is encrypted with the client public key and a signature confirmation is added.

    I am able to create a WCF client with a custom binding which uses AsymmetricSecurityBindingElement and send the request successfully. The server is responding with 200. However, I am getting a security validation exception on the client side.

    1. When I set the message security version to WSSecurity11WS and RequireSignatureConfirmation = true, I get the error "The security header element 'SignatureConfirmation' with the 'SC-ddb13d7b-461f-403c-b995-ba84db7fca41' id must be signed."

    2. When I set the message security version to WSSecurity11WS and RequireSignatureConfirmation = false (to bypass signature confirmation), I get "Signature confirmation is not expected in the security header."

    3. When I set the message security version to WSSecurity10WS, which doesn't support signature confirmation, the client fails to read the signature node because WS10 doesn't support signature confirmation. (Message security verification failed. ---> System.Xml.XmlException: Cannot read the token from the 'SignatureConfirmation')

    Below is a snippet of the code I am using and snippets of the request and response headers.

    My questions:

    1. Is there a way I can intercept and remove the signature confirmation from the response and then use it with RequireSignatureConfirmation = false? I thought of ClientMessageInspector, but the validation may happen before I intercept.
    2. Is there a mechanism to specify encrypt and sign only for the request and expect "encrypt" only for the response? It looks like that is what the Java service is doing, if I am getting this right.
    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.Text;

    // Initiator (client) token: referenced by issuer/serial, never embedded in the message.
    var initiator = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
    initiator.RequireDerivedKeys = false;

    // Recipient (service) token: referenced by issuer/serial, always sent to the recipient.
    var recipient = new X509SecurityTokenParameters(
        X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
    recipient.RequireDerivedKeys = false;

    var sec = new AsymmetricSecurityBindingElement(initiator, recipient)
    {
        MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
        IncludeTimestamp = false,
        AllowSerializedSigningTokenOnReply = true,
        MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign,
        EnableUnsecuredResponse = true,
        DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128,
        RequireSignatureConfirmation = true,
        SecurityHeaderLayout = SecurityHeaderLayout.Lax
    };

    // Message security, then text/SOAP 1.1 encoding, then HTTPS transport.
    var customBinding = new CustomBinding();
    customBinding.Elements.Add(sec);
    customBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
    customBinding.Elements.Add(new HttpsTransportBindingElement());

    // The endpoint URI must be absolute (https scheme to match the transport); the host is a placeholder.
    var client = new FFROperationsClient(customBinding,
        new EndpointAddress(
            new Uri("https://myJavawebservice.com/webservice"),
            new DnsEndpointIdentity("dns entry name")));

    // serviceCertificate: the service's X509Certificate2, loaded elsewhere (not shown here).
    // The client certificate used for signing and for decrypting the response is also set
    // outside this snippet (ClientCredentials.ClientCertificate).
    client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
        X509CertificateValidationMode.PeerOrChainTrust;
    client.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate;

    Request

    <s:Envelope
        xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <ActivityId CorrelationId="a119881d-9deb-4347-aea4-bce1efa91e45"
                xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-0000-000000000000
            </ActivityId>
            <o:Security s:mustUnderstand="1"
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:BinarySecurityToken u:Id="uuid-f4534c8f-3265-4b73-ae37-0847137b4721-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">…</o:BinarySecurityToken>
                <e:EncryptedKey Id="_0"
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                            xmlns="http://www.w3.org/2000/09/xmldsig#"/>
                    </e:EncryptionMethod>
                    <KeyInfo
                        xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <o:SecurityTokenReference>
                            <o:Reference URI="#uuid-f4534c8f-3265-4b73-ae37-0847137b4721-1"/>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>…</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
                <Signature
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <Reference URI="#_2">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <DigestValue>9JvsHOvvM3EETI0xqXKxQDZyOf0=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>…</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <X509Data>
                                <X509IssuerSerial>
                                    <X509IssuerName>My issuer name</X509IssuerName>
                                    <X509SerialNumber>830561273</X509SerialNumber>
                                </X509IssuerSerial>
                            </X509Data>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
                <e:ReferenceList
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:DataReference URI="#_1"/>
                </e:ReferenceList>
            </o:Security>
        </s:Header>
        <s:Body u:Id="_2"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content"
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></e:EncryptionMethod>
                <KeyInfo
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <o:SecurityTokenReference
                        xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                        <o:Reference URI="#_0"></o:Reference>
                    </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue>…</e:CipherValue>
                </e:CipherData>
            </e:EncryptedData>
        </s:Body>
    </s:Envelope>

    Response

    <SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Header>
            <wsse:Security
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1">
                <xenc:EncryptedKey
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-209832b7-1159-4cd6-9f3a-3a49bfb3a3c5">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                    <ds:KeyInfo
                        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <wsse:SecurityTokenReference>
                            <ds:X509Data>
                                <ds:X509IssuerSerial>
                                    <ds:X509IssuerName>myservice certificate issuer name</ds:X509IssuerName>
                                    <ds:X509SerialNumber>7305613443</ds:X509SerialNumber>
                                </ds:X509IssuerSerial>
                            </ds:X509Data>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>K0ZXdE0gbu6uufYDklDXEaeGkdPuhJwBp7hem9tELVKnaPyKTwBwV+8rcHab7BvcJ0bM+n/O3kWR&#13;
    u+w6BmAl2CTIh5KR5myt1LbkpQ6Ep3Ne/jWjQl4vxzehyzPoPB/G/MP/crsilvKl+lS16s3ZQpia&#13;
    IPH3fxvUWVKjFy3mNI1b/iuJTZls4vPVBmQs7ji9q14TnNf9NyMWqaz//oUMJjAWzrAxIZ16UQcn&#13;
    lxgrQ3g/TZefHLpVhTAE9ZEQbKvgLTzaRLeXRk/HJ2anX3454545vi9W7XM8QEhKhA2i2eEYGhWI6w&#13;
    wlQe4/y07vRTHDClrOvezoVsFZAJ+VbI+cpqUHOgenq+he5q64J29LiKSa4MzUoj9Ty1txPfAjKb&#13;
    dQuSfXNmfTjTtsLQqbxMvofJTPUzb5fT0ImxPm+Dg/DI/xzuG70o3yu01yKZv9kDvLC6JXcYPkhm&#13;
    s94PmRpwbzGmbyC21f6yAALO7qb/9+WZvZZQcpGgjUZ5K5kXeUYE1U6Y</xenc:CipherValue>
                    </xenc:CipherData>
                    <xenc:ReferenceList>
                        <xenc:DataReference URI="#ED-7f0a44e1-603e-4b6c-8752-c8c442ce5325"/>
                    </xenc:ReferenceList>
                </xenc:EncryptedKey>
                <wsse11:SignatureConfirmation
                    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" Value="nULRhs4VS8AMN3xxxwS8oxpZxxxxi06BLdqAJSAQmCunymVGcXSA52dc8/8CzvqaQeMxwImA5skrq6SoS62&#13;&#10;1dz1VYeu4oHdxVP34kjoYLNSNDzOGZ+PWiU5WArC/AtghBY7slwcSIn6EWTFbvsPTJ2G6SwGiiRl&#13;&#10;XaJb8FOVDiyErlhiAwF4/HWB+2LbVhFllLfwkWbH+ltB/zUOz+SmkbP/ek0Rkdmdqw1+la7aVghb&#13;&#10;VC38DFaavkuAe1s+tDGndwRjbyWDhiEdRKFHgIjPMQS43zE2DqImPzuV5RscYzWgTalWqifsI12e&#13;&#10;lCHRnmDLlWFY9HROeKSmLLDt77poqsie2xVQP4xwyQzJzVAbBYWem7Y3OI3dH6eXYUnHKq/IztA4&#13;&#10;gMcAkxBx0qG2Z7jf3XvAzOV78pD5tg+Q58JWZw9KDV7Dt7a4EPIJ5Qrrkc5bfKWhNUdyzsD0jV73&#13;&#10;KKjf3u8ZQ5OI0grodsRpaO9GVRR08zKGps6CnUgoyBAwc7pVVADxjOAr" wsu:Id="SC-b876a9c6-454b-438e-a9fe-a71aae84441f"/>
            </wsse:Security>
        </SOAP-ENV:Header>
        <SOAP-ENV:Body>
            <xenc:EncryptedData
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-7f0a44e1-603e-4b6c-8752-c8c442ce5325" Type="http://www.w3.org/2001/04/xmlenc#Content">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <ds:KeyInfo
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
                        <wsse:Reference URI="#EK-209832b7-1159-4cd6-9f3a-3a49bfb3a3c5"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>uwj6njA3leUlX+GHY+zj93DrEhZPguNuhyXZ7Xi+gLHxFqUDy31RlDvaR/50M+Q+A6C03yhJSfKD&#13;
    mR0ocRpHFdPrtDW4kKHokas//Dd9h3gEJr48yq6POL6VS9rsdfsdf/9DHl/l7VI21cYTHecYT6NCg9i/q0&#13;
    tW9F3X/HdO2zo01re94LCm3Ba1/uIJg6FC3qdWMvPcf9bQ56DjwOknLHgMS0IFVzKykpSUqQ33ZG&#13;
    KkWUfJpYPiwS8UfNjpwZ3enjL+wo6NbngHM8dFS8z8by7EAYThbZ27J/NlgwdgIRZWEqJGo=</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
        </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    Tuesday, March 17, 2020 4:12 PM

All replies

  • Hi,
    I am not sure your request format is right. I suggest you consult your service provider for the particular format of the request; then we can try to use CustomBinding to construct the request.
    The SymmetricSecurityBindingElement could also create a similar format of request.
    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/securitybindingelement-authentication-modes
    Also, the order of signing and encryption is generally configured in the attribute below.
    messageProtectionOrder="SignBeforeEncrypt"

    It should accord with the server configuration.
    [ServiceContract(ProtectionLevel = System.Net.Security.ProtectionLevel.Sign)]

    Best Regards
    Abraham Qian
    Thursday, March 19, 2020 9:39 AM
    Moderator
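Both the question (what is actually signed and encrypted in the captured request and response, and why the SignatureConfirmation trips WCF) and the reply (the protection order has to match the server) can be checked mechanically from the messages themselves. The script below is an added example and not code from the post, from WCF or from the Java service: it parses abridged, constructed copies of the two envelopes shown above (certificate, key, signature and body cipher text replaced by short placeholders), collects the element ids referenced by each plaintext ds:Signature and by each xenc:ReferenceList, reports whether every wsse11:SignatureConfirmation is covered by a signature, and infers the protection order from the layout (a signature over a Body that already holds EncryptedData means EncryptBeforeSign; a Signature that itself appears as EncryptedData in the header means SignBeforeEncrypt). The namespace URIs are the WS-Security 1.0/1.1, XML-DSig and XML-Enc ones used in the captured messages; the wording in `findings` is this example's interpretation of the errors quoted in the question.

```python
# Added example (not from the post or WCF): inspect a WS-Security header to see what is
# signed, what is encrypted, whether a wsse11:SignatureConfirmation is itself signed,
# and which protection order the message layout implies.
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed, abridged copies of the request/response from the post (base64 replaced).
REQUEST = """<s:Envelope xmlns:s="{s}" xmlns:u="{wsu}"><s:Header>
 <o:Security s:mustUnderstand="1" xmlns:o="{wsse}">
  <o:BinarySecurityToken u:Id="uuid-f4534c8f-3265-4b73-ae37-0847137b4721-1">CERT</o:BinarySecurityToken>
  <e:EncryptedKey Id="_0" xmlns:e="{xenc}"><e:CipherData><e:CipherValue>KEY</e:CipherValue></e:CipherData></e:EncryptedKey>
  <Signature xmlns="{ds}"><SignedInfo><Reference URI="#_2"><DigestValue>9JvsHOvvM3EETI0xqXKxQDZyOf0=</DigestValue>
  </Reference></SignedInfo><SignatureValue>SIG</SignatureValue></Signature>
  <e:ReferenceList xmlns:e="{xenc}"><e:DataReference URI="#_1"/></e:ReferenceList>
 </o:Security></s:Header>
 <s:Body u:Id="_2"><e:EncryptedData Id="_1" Type="{xenc}Content" xmlns:e="{xenc}">
  <e:CipherData><e:CipherValue>BODY</e:CipherValue></e:CipherData></e:EncryptedData></s:Body>
</s:Envelope>""".format(**NS)

RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="{s}"><SOAP-ENV:Header>
 <wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" SOAP-ENV:mustUnderstand="1">
  <xenc:EncryptedKey xmlns:xenc="{xenc}" Id="EK-209832b7-1159-4cd6-9f3a-3a49bfb3a3c5">
   <xenc:CipherData><xenc:CipherValue>KEY</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-7f0a44e1-603e-4b6c-8752-c8c442ce5325"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <wsse11:SignatureConfirmation xmlns:wsse11="{wsse11}" Value="SIG"
   wsu:Id="SC-b876a9c6-454b-438e-a9fe-a71aae84441f"/>
 </wsse:Security></SOAP-ENV:Header>
 <SOAP-ENV:Body><xenc:EncryptedData xmlns:xenc="{xenc}" Id="ED-7f0a44e1-603e-4b6c-8752-c8c442ce5325" Type="{xenc}Content">
  <xenc:CipherData><xenc:CipherValue>BODY</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></SOAP-ENV:Body>
</SOAP-ENV:Envelope>""".format(**NS)


def q(prefix, local):
    """Clark-notation tag ({uri}local) for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


def element_id(el):
    """wsu:Id, or the unqualified Id that xmlenc and WCF use, or None."""
    return el.get(q("wsu", "Id")) or el.get("Id")


def analyze(envelope_xml):
    """Return what the Security header signs/encrypts and whether confirmations are signed."""
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/wsse:Security", NS)
    body = root.find("s:Body", NS)
    # Only plaintext signatures can be inspected; a signature hidden inside EncryptedData is not.
    signatures = security.findall("ds:Signature", NS)
    signed = set()
    for sig in signatures:
        for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
            signed.add(ref.get("URI").lstrip("#"))
    # DataReferences may sit in a top-level ReferenceList (request) or inside EncryptedKey (response).
    encrypted = {ref.get("URI").lstrip("#") for ref in security.iter(q("xenc", "DataReference"))}
    body_id = element_id(body)
    body_enc = body.find("xenc:EncryptedData", NS)
    body_encrypted = body_enc is not None and element_id(body_enc) in encrypted
    header_enc = [element_id(e) for e in security.findall("xenc:EncryptedData", NS)]
    confirmations = [(element_id(sc), element_id(sc) in signed)
                     for sc in security.findall("wsse11:SignatureConfirmation", NS)]
    if signatures and body_encrypted and body_id in signed:
        order = "EncryptBeforeSign"   # signature was computed over the ciphertext in Body
    elif not signatures and any(h in encrypted for h in header_enc):
        order = "SignBeforeEncrypt"   # the signature itself travels encrypted in the header
    else:
        order = None
    return {
        "has_signature": bool(signatures),
        "signed_ids": sorted(signed),
        "encrypted_ids": sorted(encrypted),
        "body_signed": body_id in signed,
        "body_encrypted": body_encrypted,
        "signature_confirmations": confirmations,
        "protection_order": order,
    }


def findings(report):
    """Interop and security observations derived from analyze()'s report."""
    out = []
    for sc_id, is_signed in report["signature_confirmations"]:
        if not is_signed:
            out.append("SignatureConfirmation %s is present but not signed: with "
                       "RequireSignatureConfirmation=true WCF reports it 'must be signed', and with "
                       "RequireSignatureConfirmation=false it is 'not expected'." % sc_id)
    if not report["has_signature"]:
        out.append("No ds:Signature in the header: message-level integrity and origin are not "
                   "verified; only the HTTPS server certificate authenticates this message.")
    if report["protection_order"]:
        out.append("Protection order observed: %s" % report["protection_order"])
    return out


if __name__ == "__main__":
    for name, xml in (("request", REQUEST), ("response", RESPONSE)):
        print(name, analyze(xml))
        for line in findings(analyze(xml)):
            print("  -", line)
```

Run on the request it reports the Body (u:Id="_2") as signed and the EncryptedData (Id="_1") as encrypted, i.e. EncryptBeforeSign, which matches the MessageProtectionOrder set on the binding. Run on the response it reports that SC-b876a9c6-454b-438e-a9fe-a71aae84441f is present but unsigned and that the header carries no ds:Signature at all, which is consistent with errors 1 and 2 in the question and also means the response is confidentiality-only: its authenticity rests entirely on the HTTPS server certificate validated with PeerOrChainTrust in the client code, not on message-level signing.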