WCF Sign With Certificate using UserNameOverTransport security

Question

I trying to connect to a Java Service with some special security requirements It should go through https, use username Authentication and the body should be signed using a digital certificate.

The message should look like this:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.pines.colpatria.com/">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-12" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">CleartextPassword</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">47uxAPDBQ9+08VQwMKpwBw==</wsse:Nonce>
        <wsu:Created>2012-04-02T16:44:56.652Z</wsu:Created>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-5B113CBB86C1CDE6BA133338509660810" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIGRzCCBS+gAwIBAgIQEKUzpntcNVROheEPzOI11zANBgkqhkiG9w0BAQUFADCCAU8xcjBwBgNVBAkTaUNSIDcgTiAyNi0yMCBQIDE4IC0gaHR0cDovL3d3dy5jZXJ0aWNhbWFyYS5jb20gLSBURUxTIDU3LTEtNzQ0MjcyNyA1Ny0wMTgwMDAxODE1MzEgLSBpbmZvQGNlcnRpY2FtYXJhLmNvbTEPMA0GA1UEBxMGQk9HT1RBMRkwFwYDVQQIExBESVNUUklUTyBDQVBJVEFMMQswCQYDVQQGEwJDTzErMCkGA1UECxMiQ0VSVElDQU1BUkEgUy5BLiAtIE5JVCA4MzAwODQ0MzMgNzFFMEMGA1UEChM8Q0VSVElDQU1BUkEgUy5BLiAtIFNPQ0lFREFEIENBTUVSQUwgREUgQ0VSVElGSUNBQ0lPTiBESUdJVEFMMSwwKgYDVQQDEyNBQyBJTlRFUk1FRElBIERFTU8gQ0VSVElDQU1BUkEgUy5BLjAeFw0xMTA5MzAxNTMyMzFaFw0xMjA5MzAxNTMyMzFaMIHDMQswCQYDVQQGEwJDTzEPMA0GA1UEBxMGQk9HT1RBMSAwHgYDVQQKExdPTElNUElBIE1BTkFHRU1FTlQgUy5BLjEgMB4GA1UEAxMXT0xJTVBJQSBNQU5BR0VNRU5UIFMuQS4xLDAqBgkqhkiG9w0BCQEWHXNvcG9ydGVAb2xpbXBpYW1hbmFnZW1lbnQuY29tMRowGAYKKwYBBAGBtWMCAxMKOTAwMDMyNzc0NDEVMBMGA1UECBMMQ1VORElOQU1BUkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApOZhKSdfp1rVBXoahaTyXcOlUfRy6aYYuX4YNhkt0vYWxXFfsLTYSZOVTKZnUvklNEGBV70nzyqN8ZSXy3/jJ1yp965wRjcLHEFHwR42ABe1PK3fQMwsdqlpWkWWz0Pg02VwpHbLwcmDR41YTlnHCmPXzokVrT5YeteKViaWsrhUS4OvSajD7Y9aQ17uHoQusxjtBapA2wF551wMViICfYWqCamcYZRwGb1AlnuAF7vbRNveThy8mgvhHKiLaK13PxvaoOFusc8/429Dxdj1HMwt00g9MY1Nr24YtwHtJn+kVY8ocnghe4kVsAlnJ2Y0evHAPozRaFLFxY2E2dy6dwIDAQABo4IBpjCCAaIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA/gwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0OBBYEFGVAMg3XiBrJPcjeOgXcA+6cGHHZMB8GA1UdIwQYMBaAFEM61wg0nEqdr0ZKhe9fFWthjbtoMIGQBgNVHSAEgYgwgYUwgYIGCysGAQQBgbVjMgFQMHMwKwYIKwYBBQUHAgEWH2h0dHA6Ly93d3cuY2VydGljYW1hcmEuY29tL2RwYy8wRAYIKwYBBQUHAgIwOBo2Q2VydGlmaWNhZG8gZW1pdGlkbyBwb3IgbGEgQ0EgRGVtbyBkZSBDZXJ0aWNhbWFyYSBTLkEuMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3BkZW1vLmNlcnRpY2FtYXJhLmNvbTA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vd3d3LmNlcnRpY2FtYXJhLmNvbS9jYWRlbW8uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCVcPRROZHgjjMzY1rM/gTK0cjN0CcO4KLht/nNPFUGIlVXDy21zhy2qOe2xF/IFnvU1vdVIaBzKdamILamfHrpYgsIZS5qqUJayI0E9Y+6cKHVTBgKOS1Yj0u7v2BP5wx+43d4wr2EuAsiQgClSQjrG3HP4rx7vnl8e6vn7uiEGzDJD1H0wQXHpYIWJGaLgn6B1xnFNZEbH4PxlpIsTU+/0Y+Y/GHab8tVDGv18AxtGXTkasuRuoYa/oA8mJI/BpfHYTpoS07euKYqhj1ujbTc6Y5dCGxiYEub4xhRMjJBxTEfsDYqJKsYYGyrWMXcncpNwQHWNDj6OOwKvspC3jg2</wsse:BinarySecurityToken>
      <ds:Signature Id="Signature-10" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-11">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>UQDWhRGwU6vhHsggA7k3IGEpShM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          lDfT2Rol8AEjTq654f36HK7TwlEYJFMw/Q8PXRvoW12aLHdZkB9mndVTJvdsTdoW4C51qyjjsD0I
          xHaCtHgpbpnEe9vihLJuQs4tDkS1t/IjPeMdsgi2P3VxcKyeEJRc37TX+IX5jR42GrAXZGZ5GwSa
          rEpbpuWQSFhbJBQWRAInDbIpIkKV4jmiSbHHpeiI9Uvv8u6ZNXEx5vuoeia5AYtnCFtxkTcg0ukJ
          EZabIPiNIybYFnqBwFcPiIajfnAGl2QSm6Mdz9aiD4tVHXKGaySjY6/IoIomQ0lVMZzW/F3ZA8GA
          yvkZq4223hxCGcffvsAPePecFwun+QwcA9MR1Q==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-5B113CBB86C1CDE6BA133338509660911">
          <wsse:SecurityTokenReference wsu:Id="STRId-5B113CBB86C1CDE6BA133338509660912" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Reference URI="#CertId-5B113CBB86C1CDE6BA133338509660810" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <wsa:Action>http://myserveraddress/service/execCommandRequest</wsa:Action>
    <wsa:MessageID>uuid:948a7f98-42f2-422a-9b0f-07e74c6a7ce7</wsa:MessageID>
    <wsa:To>https://myserveraddress/service</wsa:To>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-11" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <web:execCommand>
      <arg0>1</arg0>
      <!--Optional:-->
      <arg1>1</arg1>
    </web:execCommand>
  </soapenv:Body>
</soapenv:Envelope>

I had tested succesfully the service using SoapUI, but I need to make a .NET client using WCF, but I don't know how to do this.

I've been trying using the following binding, but it creates correctly the username token (although it doesnt create the nonce or the created element but that's not a problem) but it doesn't sign the body

<basicHttpBinding>
 <binding name="PinesPortBinding">
  <security mode="TransportWithMessageCredential">
   <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
   <message clientCredentialType="UserName" algorithmSuite="Default" />
  </security>
 </binding>
</basicHttpBinding>

How can i programatically sign the body using a certificate, and validate the signature of the response?

Is there anyother way to do it?

Answer 1

You can do it but you need to create the binding from code. This sample is not exactly what you need - but it shows you how to create a binding from code and define it to use certificate and a username token. You also need to set ProtectionLevel.Sign on your contracts. Also the username token format you need contains nonce and timestamp which WCF does not emit by default. I think it might work anyway so for now leave this.

Here is the code and again you may need to customize it.

 var b = new CustomBinding();

            var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
            sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
            sec.MessageSecurityVersion =
                MessageSecurityVersion.
                    WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            sec.IncludeTimestamp = false;
            sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

            b.Elements.Add(sec);
            b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
            b.Elements.Add(new HttpsTransportBindingElement());


            var c =
                new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri("https://www.bankhapoalim.co.il/"), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));

            c.ClientCredentials.UserName.UserName = "yaron";
            //c.ClientCredentials.UserName.Password = "1234";

            c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
                System.ServiceModel.Security.X509CertificateValidationMode.None;
            c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer");

            c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx", "wse2qs");

            c.EchoString("1");