Sign SOAP message with client's certificate

  • Question

  • I have to use transport security (HTTPS) because I'm using streaming on this particular binding. The other requirement I have is that every SOAP message coming from the client has to be digitally signed with the client's certificate.

    I found this for WSE 2.0 http://msdn.microsoft.com/en-us/library/ms819963.aspx

    But how can I do that for WCF?

    Friday, December 4, 2009 7:17 PM

Answers

  • It depends on the message security version you will use. You can configure this property on the security custom binding channel.

    For newer versions I think there will be two signatures: a "big" signature that signs the message, which will not use the certificate but a symmetric generated key (which is encrypted with the server cert), and a "small" signature which will sign a small chunk of the message (maybe the big signature itself or the timestamp) and will use the certificate.

    For older security versions your certificate will be used to sign the whole message.

    For the exact version details you'll need to find out...

    I don't think it should matter to you either way; not sure why you have this requirement.

    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Proposed as answer by Yaron Naveh Saturday, December 5, 2009 12:30 PM
    • Marked as answer by Riquel_Dong Thursday, December 10, 2009 1:39 AM
    Saturday, December 5, 2009 12:30 PM

All replies

  • You cannot use message security with streaming.
    Either turn off streaming or do not use digital signatures.
    Another option is to use the chunking channel (google for it), but if someone on the other side expects a specific format I'm not sure it will work.

    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Friday, December 4, 2009 10:59 PM
  • Right, I cannot use message security with streaming.

    Say, for example, instead of streaming I use chunking channel with certificate authentication and negotiateServiceCredential disabled.

    The binding will be custom (required for chunking channel) but will look something like this:

    <binding>
        <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="false" />
        </security>
    </binding>

    Then, on the client end, I'll provide a certificate for ClientCredentials…

    The big question for me here is whether the client certificate I provided will be used to sign messages. I know that the service's public-key certificate will be used by the client to encrypt messages, but what about message digital signatures?

    Friday, December 4, 2009 11:42 PM
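The accepted answer above describes two signing schemes that depend on the message security version, and the reply above sketches a certificate-based binding and asks whether the client certificate will sign the messages. The following is an added example, not code from the thread: it builds the mutual-certificate binding element programmatically for a WS-Security 1.0 and a WS-Security 1.1 version and inspects which token parameters WCF assigns to the message signature, which answers the question for a given configuration without capturing traffic. The `IEcho` contract, the endpoint address and the certificate subject names are assumptions for illustration only.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract, only needed to construct a ChannelFactory.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public static class ClientCertificateSignatureCheck
{
    // Builds a custom binding equivalent to clientCredentialType="Certificate"
    // with negotiateServiceCredential="false": client and service each
    // authenticate with their own X.509 certificate, no token negotiation.
    public static CustomBinding BuildBinding(MessageSecurityVersion version)
    {
        SecurityBindingElement security =
            SecurityBindingElement.CreateMutualCertificateBindingElement(version);

        // Message-layer signatures need the whole message in memory, so the
        // transport must stay buffered; TransferMode.Streamed is not usable here.
        var transport = new HttpsTransportBindingElement { TransferMode = TransferMode.Buffered };

        return new CustomBinding(security, new TextMessageEncodingBindingElement(), transport);
    }

    // Reports which token WCF will use to sign the message body for this version.
    public static string DescribeSigning(MessageSecurityVersion version)
    {
        SecurityBindingElement security =
            BuildBinding(version).Elements.Find<SecurityBindingElement>();

        if (security is AsymmetricSecurityBindingElement asym)
        {
            // Asymmetric element: the initiator (client) token signs the message
            // directly; the recipient (service) token is used for encryption.
            return "asymmetric: message signed with "
                + asym.InitiatorTokenParameters.GetType().Name
                + " (client certificate); encrypted for "
                + asym.RecipientTokenParameters.GetType().Name
                + " (service certificate)";
        }

        if (security is SymmetricSecurityBindingElement sym)
        {
            // Symmetric element: a generated symmetric key, protected with the
            // service certificate, signs and encrypts the message; the client
            // certificate appears only as an endorsing supporting token, which
            // signs the primary signature rather than the whole message.
            var endorsing = sym.EndpointSupportingTokenParameters.Endorsing;
            string clientToken = endorsing.Count > 0 ? endorsing[0].GetType().Name : "none";
            return "symmetric: message signed with a key protected by "
                + sym.ProtectionTokenParameters.GetType().Name
                + " (service certificate); client certificate endorsing token: "
                + clientToken;
        }

        return "unexpected element: " + security.GetType().Name;
    }

    public static void Main()
    {
        // The "older" version from the answer (WS-Security 1.0).
        MessageSecurityVersion ws10 = MessageSecurityVersion
            .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        // The "newer" version (WS-Security 1.1, MessageSecurityVersion.Default).
        MessageSecurityVersion ws11 = MessageSecurityVersion.Default;

        Console.WriteLine("WS-Security 1.0: " + DescribeSigning(ws10));
        Console.WriteLine("WS-Security 1.1: " + DescribeSigning(ws11));

        // The client side the reply describes: the certificate is supplied via
        // ClientCredentials. Store locations and subject names are assumptions.
        var factory = new ChannelFactory<IEcho>(
            BuildBinding(ws10), new EndpointAddress("https://example.invalid/echo"));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "client-cert-subject");
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, "service-cert-subject");
    }
}
```

With the WS-Security 1.0 version the program reports an asymmetric element whose initiator token is the client's X.509 token, so the client certificate signs the whole message; with WS-Security 1.1 it reports a symmetric element whose protection token is the service certificate and whose endorsing supporting token is the client certificate, matching the "big" and "small" signatures in the answer. If the requirement really is a certificate signature over the full message, choose the version accordingly and verify it the same way after any binding change, since the default version produces the symmetric layout.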