Consuming Java Secure Web Service via WCF Client

  • Question

  • Hi All,

    I need to call a secured Java web service from a WCF client, so I need to sign the SOAP body. I have installed the client certificate (Client.PFX) as well as the server certificate (Server.DER) on my computer.

    Note: I load the client certificate from the file and the server certificate from the Trusted People certificate store of my computer.

    I am getting the following exception while calling the service.

    Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer =
    'EMAILADDRESS=sisunix@csebo.it,CN=CSE Consorzio scarl,OU=PD03_UNIX,O=CSE,L=San Lazzaro di Savena,ST=Bologna,C=IT', Serial = '432') ) ', available tokens
    'SecurityTokenResolver ( TokenCount = 1, TokenEntry[0] = (AllowedReferenceStyle=External, Token=System.IdentityModel.Tokens.X509SecurityToken,
    Parameters=System.ServiceModel.Security.Tokens.X509SecurityTokenParameters: InclusionMode: Never ReferenceStyle: Internal RequireDerivedKeys: False X509ReferenceStyle: Any) )

    Any help is appreciated.

    Code for service call:

    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Security;

    // Loads the client (signing) certificate from the PFX file
    CompassClient.ClientCredentials.ClientCertificate.Certificate =
        CompassUtility.GetX509Certificate2PFX(CompassPFX, CompassPfxPassword);

    // Loads the service certificate from the CurrentUser\TrustedPeople store.
    // FindBySubjectName is a case-insensitive substring match; the first hit is used.
    CompassClient.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
        StoreLocation.CurrentUser, StoreName.TrustedPeople,
        X509FindType.FindBySubjectName, "w1svcf.test.csebo.it");

    // PeerTrust: the service certificate itself must be present in TrustedPeople
    CompassClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
        X509CertificateValidationMode.PeerTrust;
    // NoCheck skips revocation checking entirely
    CompassClient.ClientCredentials.ServiceCertificate.Authentication.RevocationMode =
        X509RevocationMode.NoCheck;

    // PROTECTION LEVEL: sign only, no encryption
    CompassClient.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign;

    // BINDING
    CompassClient.Endpoint.Binding = new CompassTestBinding();

    // ENDPOINT BEHAVIOUR
    CompassClient.Endpoint.Behaviors.Add(new CompassEndPointBehavior());

    // CALLING SERVICE METHOD
    var searchResult = CompassClient.ricercaOperazione(t);

    Code for Binding:

    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.Text;

    // (assumed) this is the collection CompassTestBinding.CreateBindingElements() returns
    var bindingElementCollection = new BindingElementCollection();

    // Message security: both sides sign with X.509 tokens referenced by issuer/serial;
    // neither certificate is included in the message (SecurityTokenInclusionMode.Never)
    var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
    var recipient = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
    var bindingElement = new AsymmetricSecurityBindingElement(initiator, recipient);
    bindingElement.IncludeTimestamp = true;
    bindingElement.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast;
    bindingElement.MessageSecurityVersion =
        MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    bindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
    bindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    bindingElement.SetKeyDerivation(false);
    bindingElementCollection.Add(bindingElement);

    // Message encoding: SOAP 1.1 text, UTF-8
    var textMessageEncoding = new TextMessageEncodingBindingElement();
    textMessageEncoding.MessageVersion = MessageVersion.Soap11;
    textMessageEncoding.WriteEncoding = Encoding.UTF8;
    bindingElementCollection.Add(textMessageEncoding);

    // Transport binding: HTTPS with a client certificate at the TLS layer as well
    // (the transport element must be the last one in the collection)
    var httpsTBE = new HttpsTransportBindingElement();
    httpsTBE.UseDefaultWebProxy = true;
    httpsTBE.RequireClientCertificate = true;
    bindingElementCollection.Add(httpsTBE);

    Issue:

    When I run the application I am able to see the SOAP response from the Java web service using the trace mechanism.

    But WCF throws the following exception:

    Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer =
    'EMAILADDRESS=sisunix@csebo.it,CN=CSE Consorzio  scarl,OU=PD03_UNIX,O=CSE,L=San Lazzaro di Savena,ST=Bologna,C=IT', Serial = '432') ) ', available tokens
    'SecurityTokenResolver ( TokenCount = 1, TokenEntry[0] = (AllowedReferenceStyle=External, Token=System.IdentityModel.Tokens.X509SecurityToken,
    Parameters=System.ServiceModel.Security.Tokens.X509SecurityTokenParameters: InclusionMode: Never ReferenceStyle: Internal RequireDerivedKeys: False X509ReferenceStyle: Any) )


    Request SOAP message:

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
    <srtoken xmlns="http://svcf.csebo.it/srtoken">B2B_MIIC3QYJKoZIhvcNAQcCoIICzjCCAsoCAQExCzAJBgUrDgMCGgUAMIGVBgkqhkiG9w0BBwGggYcEgYQ8ZWJpZGVud3MgcGNfaWQ9IlRLR04iIHZlcnNpb249IjAxMDAiPjxhYmk+MTkyNzU8L2FiaT48Y2VydGlmaWNhdG8+ODlkMDM4YmYyMjEwOGZkNjAzODljMzZlOTVhMzkyODUxNzdjMTNlOTwvY2VydGlmaWNhdG8+PC9lYmlkZW53cz4xggIeMIICGgIBATB8MHcxCzAJBgNVBAYTAklUMQ4wDAYDVQQIEwVJVEFMWTEPMA0GA1UEBxMGQklFTExBMRQwEgYDVQQKEwtCQU5DQSBTRUxMQTESMBAGA1UECxMJRUNPTU1FUkNFMR0wGwYDVQQDExRHZXN0UGF5IENvbXBhc3MgVEVTVAIBDDAJBgUrDgMCGgUAoHkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAaBgoqhkiG9w0BCRkDMQwxCgQI/PB6dUiZ50swHAYJKoZIhvcNAQkFMQ8XDTE0MTIwNTE0Mzc1OFowIwYJKoZIhvcNAQkEMRYEFHlVMr1tYNZp3SlrIo9DwKsGHHruMA0GCSqGSIb3DQEBAQUABIIBAAPvbSP3/EPCkzBn5iQfd0Glacl50j595NB1vKdllOuG3QuAAhkmT/EL5ktrCPLub/NY3P1FmnBkxYOERIp38q5sNhI++ZX/WqU6YfRahexPwKox2SJx4WI7kuBvqsu0NmlndWeFX4nHlYoMutrxlHnmqq4L5ehMu7HnLaQz/1ASEEiQJmV+E0UaXnevpeAZPOAQkY4i9gL1Gkm569QywF6VRfoClOBYOTjP1qzsIQ9Nknp9N7U0MV53JhhKxSksbnbvPpTFxVSCsdo5WOVwCd6JOkyYF5mEFrsykXat3XB9ryf9YA+E11UWGzzrD2BSEfJD8YDJrkdOgK1pgqK3YIc=</srtoken>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
    <Reference URI="#_1">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
    <DigestValue>FIInEl818Y9iEhW28o4OQ0ctrx+4Z2PKCvPdQY3khkQ=</DigestValue>
    </Reference>
    <Reference URI="#uuid-3c010ed3-ad9a-485c-a449-d8ba8171c0c7-1">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
    <DigestValue>pPrtha5hPKNtKNFHFkXPaBw0Oq7mnBAsAHfytiSCJjE=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>W3UA6Vnv9ncLcJqxps5vRkEVrO4xp06JeJnRvb8POohend0+BgKx5VOigGF7NIlCD6F4+21xTwnerT2OHns/pQM8Xdl6puDL7SoorGHBn9zH+hn8yq+vEYL9/f+fAiDLsPPY1tTC96UpxnuG3nvuB2FDjyugvomM3aN3mHm1MSDD4nfKDihQtWqKzhZIvXHQAQUeWgSJ7ya4+5kPc7QBCGmBqiqaFWLYHBD9mVfcKbVVDcUhJMPob3A8A8+nSIhLcmXy06GU+8SJG4zJA6AolicDnVKQWWUs7579k4AetgeToLN0ksFLNLm2feVyDo3IHgNgBAb3TgnolQrOaXLSow==</SignatureValue>
    <KeyInfo>
    <o:SecurityTokenReference>
    <X509Data>
    <X509IssuerSerial>
    <X509IssuerName>CN=GestPay Compass TEST, OU=ECOMMERCE, O=BANCA SELLA, L=BIELLA, S=ITALY, C=IT</X509IssuerName>
    <X509SerialNumber>12</X509SerialNumber>
    </X509IssuerSerial>
    </X509Data>
    </o:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    <u:Timestamp u:Id="uuid-3c010ed3-ad9a-485c-a449-d8ba8171c0c7-1">
    <u:Created>2014-12-05T14:37:58.711Z</u:Created>
    <u:Expires>2014-12-05T14:42:58.711Z</u:Expires>
    </u:Timestamp>
    </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <ricercaOperazioneInput xmlns="http://eb.csebo.it/ewallet/bo/ricerca">
    <idOrdine xmlns="">ORD-43789061446</idOrdine>
    <idMerchant xmlns="">PV20130418124351730866</idMerchant>
    <importo xmlns="">2</importo>
    </ricercaOperazioneInput>
    </s:Body>
    </s:Envelope>

    Response Soap Message:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-833">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
    <ds:Reference URI="#Timestamp-832">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
    <ds:DigestValue>QVkDpfXGCFPPGPGbjpenpc/yJaBDMbF/e8l2SsbyZhA=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#id-834">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
    <ds:DigestValue>S+/qFjtMuGjE8Vt9zln5ApAKsdIoKS8uD//HBqlYwtE=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>gdi+GccajTlcWfKSmncUd7v89ENv4yaiJckjYcB4wxIBEZToJbjrWEsIA+IbnHLeEUscBgeBcTLZ
    /5srHUrLHwXm2S3jadj10oVbeB3j1rTS+qqh3vqC37hLmJhW9KeinYNIzt4UUj2A1uQXBUDc3HWq
    ppV5XVDTbbGBMlb/jxGRE3D86C9pEoCEyo5eUHd418p+N+/MZjSD3RHdp33sL+BPgH+uwJ9DCa1t
    9X2Gwy4FieSjSV2jZJuF6oksoCzYaqDGzQbKZ6I+cBwnDkKzHH7IcTfkNV6SlRlIIecn8h8muOYV
    RaeDhQKaxupiKHV6/8JHGH5pK01DURyTV4txXQ==
    </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-B9B0D355D9189C64971417790282215833">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-B9B0D355D9189C64971417790282215834">
    <ds:X509Data>
    <ds:X509IssuerSerial>
    <ds:X509IssuerName>EMAILADDRESS=sisunix@csebo.it,CN=CSE Consorzio scarl,OU=PD03_UNIX,O=CSE,L=San Lazzaro di Savena,ST=Bologna,C=IT</ds:X509IssuerName>
    <ds:X509SerialNumber>432</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    </ds:X509Data>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-832">
    <wsu:Created>2014-12-05T14:38:02.215Z</wsu:Created>
    <wsu:Expires>2014-12-05T14:43:02.215Z</wsu:Expires>
    </wsu:Timestamp>
    </wsse:Security>
    </soap:Header>
    <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-834">
    <ns2:ricercaOperazioneOutput xmlns:ns2="http://eb.csebo.it/ewallet/bo/ricerca" xmlns:ns3="http://eb.csebo.it/ewallet/bo/initServerService" xmlns:ns4="http://eb.csebo.it/ewallet/exception" end="1417790282213" start="1417790281746" wsid="W1_SVCF_02_Test_0">
    <esitoOperazione xmlns="">
    <esito>OK</esito>
    <codice>ESITO_0100</codice>
    <descrizione>Operazione non trovata</descrizione>
    </esitoOperazione>
    </ns2:ricercaOperazioneOutput>
    </soap:Body>
    </soap:Envelope>


       
    Tuesday, December 9, 2014 1:42 AM
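    A check a practitioner would run against the exception above, as an added example that is not part of the original post: the resolver fails because none of the tokens it holds matches the Issuer 'EMAILADDRESS=sisunix@csebo.it,CN=CSE Consorzio scarl,...' and Serial '432' named by the response's X509IssuerSerial. This C# console program reads that reference out of a logged response, then walks the certificate stores a SetDefaultCertificate/PeerTrust setup can draw on and reports which certificates match on serial, on issuer DN, or both. Assumptions (none of them from the thread): the response XML is saved to a file whose path is passed as the first argument, the project targets .NET Framework 4.7 or later with a reference to System.Numerics, and the three store names searched are a guess at where Server.DER might have been installed.

    ```csharp
    using System;
    using System.Globalization;
    using System.IO;
    using System.Numerics;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using System.Xml;

    // Added diagnostic for the "Cannot resolve KeyInfo" exception; not code from the original thread.
    // It asks what the exception is really asking: which certificate visible to the client carries
    // the exact issuer DN and serial number that the response's <ds:X509IssuerSerial> names?
    static class KeyInfoResolutionCheck
    {
        const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

        // Pull (issuer, serial) out of the first ds:X509IssuerSerial in a logged SOAP response.
        public static (string Issuer, BigInteger Serial) ReadIssuerSerial(string soapXml)
        {
            var doc = new XmlDocument { XmlResolver = null };   // log file input: never resolve external entities
            doc.LoadXml(soapXml);
            var ns = new XmlNamespaceManager(doc.NameTable);
            ns.AddNamespace("ds", DsNs);
            XmlNode node = doc.SelectSingleNode("//ds:X509IssuerSerial", ns)
                ?? throw new InvalidOperationException("response KeyInfo has no ds:X509IssuerSerial");
            string issuer = node.SelectSingleNode("ds:X509IssuerName", ns).InnerText.Trim();
            var serial = BigInteger.Parse(node.SelectSingleNode("ds:X509SerialNumber", ns).InnerText.Trim(),
                                          NumberStyles.Integer, CultureInfo.InvariantCulture);
            return (issuer, serial);
        }

        // XML-DSig carries the serial in decimal; X509Certificate2.SerialNumber is big-endian hex.
        // The leading "0" keeps BigInteger from reading a high first nibble as a sign bit.
        public static BigInteger SerialOf(X509Certificate2 cert) =>
            BigInteger.Parse("0" + cert.SerialNumber, NumberStyles.HexNumber, CultureInfo.InvariantCulture);

        // Compare DNs as names, not strings: the Java side writes "EMAILADDRESS=..,CN=..", .NET
        // prints the same issuer as "E=.., CN=..". Both are decoded to one canonical form first.
        public static bool IssuerMatches(X509Certificate2 cert, string xmlIssuer, out string why)
        {
            X500DistinguishedName parsed;
            try { parsed = new X500DistinguishedName(xmlIssuer); }
            catch (CryptographicException e)
            {
                // .NET cannot even parse the issuer string as it appears on the wire; any resolver
                // that compares by name rather than by raw string will fail in the same place.
                why = "issuer DN from KeyInfo is not parseable by .NET: " + e.Message;
                return false;
            }
            string a = parsed.Decode(X500DistinguishedNameFlags.Reversed);
            string b = cert.IssuerName.Decode(X500DistinguishedNameFlags.Reversed);
            bool same = string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
            why = same ? "issuer DN matches" : "issuer differs, certificate has '" + cert.Issuer + "'";
            return same;
        }

        // args[0]: path to the logged SOAP response (assumption: saved from WCF message logging).
        public static void Main(string[] args)
        {
            var (issuer, serial) = ReadIssuerSerial(File.ReadAllText(args[0]));
            Console.WriteLine("Response signature references Issuer='{0}' Serial={1}", issuer, serial);

            // Stores a PeerTrust / SetDefaultCertificate setup plausibly draws on (assumed list).
            foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
            foreach (var name in new[] { StoreName.TrustedPeople, StoreName.My, StoreName.AddressBook })
            {
                using (var store = new X509Store(name, location))
                {
                    try { store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); }
                    catch (CryptographicException) { continue; }   // store does not exist at this location

                    foreach (var cert in store.Certificates)
                    {
                        bool serialOk = SerialOf(cert) == serial;
                        bool issuerOk = IssuerMatches(cert, issuer, out string why);
                        if (serialOk || issuerOk)
                            Console.WriteLine("{0}\\{1}: '{2}' serial={3} serialMatch={4} issuerMatch={5} ({6})",
                                location, name, cert.Subject, SerialOf(cert), serialOk, issuerOk, why);
                    }
                }
            }
        }
    }
    ```

    Reading the output: if no certificate anywhere has serial 432, the certificate the Java service signs its responses with is simply not the one installed as Server.DER, and the subject-name lookup in the post ("w1svcf.test.csebo.it", a substring match that takes the first hit) is handing WCF a different certificate. If a certificate with serial 432 exists but fails the issuer comparison, the problem is the form of the issuer DN rather than a missing certificate.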

All replies

  • Use a customBinding with security mode "mutualCertificate" as explained here. If this fails, please publish how your request looks (via Fiddler or WCF logging) so we can compare it. One expected difference is that the certificate will appear as a binary token and not as X509Data. I do not expect the server to fail because of this. In case it does, you can fix that by creating the whole custom binding from code. When you need to create the security element it will be something like this:

    using System.ServiceModel.Channels;
    using System.ServiceModel.Security.Tokens;

    SecurityBindingElement sec =
        SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
            false);
    X509SecurityTokenParameters x509Params = new X509SecurityTokenParameters();
    x509Params.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
    // for a WS-Security 1.0 version the factory returns an AsymmetricSecurityBindingElement, so the cast holds
    ((AsymmetricSecurityBindingElement) sec).InitiatorTokenParameters = x509Params;

    or by hard-coding the X509Data in a custom encoder.

    Wednesday, December 10, 2014 10:46 AM
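    The "whole custom binding from code" the reply points at, carried through as an added example (not code from the reply or from the original poster): the reply's security element with both token parameters set, assembled into a CustomBinding, plus the matching client credentials. The next post in the thread reports that building the binding this way did not change the error, so this shows the complete shape of the approach rather than a fix. The certificates are passed in as objects (how they are loaded is left to the caller) and the revocation mode is an opinion of this example, not of the thread.

    ```csharp
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Description;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using System.Text;

    // Added example: the reply's CreateMutualCertificateBindingElement() carried through to a
    // complete CustomBinding and matching credentials. Not code from the thread.
    static class MutualCertificateBindingFactory
    {
        public static CustomBinding Create()
        {
            // Factory from the reply. For a WS-Security 1.0 version it returns an
            // AsymmetricSecurityBindingElement, so the cast is safe.
            var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
                allowSerializedSigningTokenOnReply: false);

            // Reference both tokens by issuer/serial and put neither certificate in the message.
            // The initiator token signs the request; the recipient token is the one the client has
            // to resolve to verify the response signature, so it must be set as well.
            sec.InitiatorTokenParameters = new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
            sec.RecipientTokenParameters = new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
            sec.IncludeTimestamp = true;
            sec.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast;
            sec.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
            sec.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            sec.SetKeyDerivation(false);

            var encoding = new TextMessageEncodingBindingElement
            {
                MessageVersion = MessageVersion.Soap11,
                WriteEncoding = Encoding.UTF8
            };
            var transport = new HttpsTransportBindingElement
            {
                UseDefaultWebProxy = true,
                RequireClientCertificate = true   // TLS client auth in addition to message signing
            };

            // Top-down channel stack order: security, then encoding, then transport last.
            return new CustomBinding(sec, encoding, transport);
        }

        public static void ConfigureCredentials(ClientCredentials credentials,
                                                X509Certificate2 clientCert, X509Certificate2 serviceCert)
        {
            credentials.ClientCertificate.Certificate = clientCert;

            // Pin the exact certificate object rather than FindBySubjectName, which is a
            // substring match that silently takes the first hit in the store.
            credentials.ServiceCertificate.DefaultCertificate = serviceCert;
            credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.PeerTrust;   // serviceCert itself must sit in TrustedPeople

            // The original post uses NoCheck, which skips revocation entirely. Online is this
            // example's choice once the KeyInfo problem is sorted out.
            credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        }
    }
    ```

    Wire it up the way the post does: assign Create() to Endpoint.Binding, call ConfigureCredentials(client.ClientCredentials, ...), and keep Endpoint.Contract.ProtectionLevel set to Sign, otherwise the asymmetric element will also try to encrypt the body.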
  • Hi Jieng Sungdsg,

    First of all, thanks for your Response.

    I tried out with the binding element as you said, but getting the same error.

    The SOAP request and response messages above were taken from the log.

    I am able to send the request to the Java web service, but not able to process the SOAP response.
    Probably the WCF client could not understand the part below in the SOAP response.

    <ds:KeyInfo Id="KeyId-B9B0D355D9189C64971417790282215833">
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-B9B0D355D9189C64971417790282215834">
    <ds:X509Data>
    <ds:X509IssuerSerial>
    <ds:X509IssuerName>EMAILADDRESS=sisunix@csebo.it,CN=CSE Consorzio scarl,OU=PD03_UNIX,O=CSE,L=San Lazzaro di Savena,ST=Bologna,C=IT</ds:X509IssuerName>
    <ds:X509SerialNumber>432</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    </ds:X509Data>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>

    I have no control over the java web service. I need to do something in WCF Client application.


    I can see the SOAP response only has a pointer (issuer name and serial number) to the certificate, but the WCF client expects the full certificate as part of the SOAP response.

    How can I resolve this issue?

    Looking forward to your response.

    Thursday, December 11, 2014 6:54 PM
  • Hi,

    Did you find any solution for this problem? :)

    Sunday, May 10, 2020 7:14 PM