I have a ASMX web service (SOAP 1.1) that requires to sign all SOAP requests with certificate (private key) using WS-Security.
When the ASMX service receives the request, it will authenticate it using the public key of the certificate.
After the operation is done, the response sent back to the client will not be signed!
That's the security requirements...
I've created the proxy via 'Add Service Reference' and the client's app.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<client>
<endpoint
name="endpoint1"
address="http://1.1.1.1/Test.asmx"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ITest"
behaviorConfiguration="TestBehavior"
contract="ITest" >
</endpoint>
</client>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITest">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="TestBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My"
x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
According to the scenario I've described:
Am I using the correct binding?
clientCredentialType value should be 'Certificate' or 'None' ?
The tag 'serviceCertificate' is needed ?
4.What is the correct configuration for my scenario?
If you know some useful links that could be suitable for my scenario, please supply them.
Thanks in advance :)
EDIT #1:
Request
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action>
<wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<wsa:Address>http://.../TestOperation</wsa:Address>
</wsa:To>
<wsse:Security soap:mustUnderstand="1" >
<wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b"">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
...
</soap:Body>
</soap:Envelope>
Respose:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>http://.../TestOperationResponse</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80">
<wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
<wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<Response>
...
</Response>
</soap:Body>
</soap:Envelope>
EDIT #2:
The generated request:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action>
<a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID>
<a:ReplyTo u:Id="_4">
<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData>
<a:To soap:mustUnderstand="1" u:Id="_5">
<a:Address>http://1.1.1.1/Test.asmx</a:Address>
</a:To>
<o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<u:Created>2002-08-22T00:26:15Z</u:Created>
<u:Expires>2002-08-22T00:31:15Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>wRUq.........</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>8gIo.........</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>zx4h.........</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UjdN.........</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>34ff.........</DigestValue>
</Reference>
<Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ss67.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</soap:Header>
<soap:Body u:Id="_1">
...
</soap:Body>
</soap:Envelope>
Issues with this request are:
- Id format: Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800" (asmx proxy) VS Id="_2" (WCF proxy)
- 'VsDebuggerCausalityData' tag presence. How do I get rid of it?
- Timestamp Id format: Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" (asmx proxy) VS Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1" (WCF proxy)
- 'Created' and 'Expires' tags in Timestamp doesn't have Id attribute.
- BinarySecurityToken Id format: Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" (asmx proxy) VS Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" (WCF proxy)
The fault I get when I make a call to the ASMX service:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
<wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>
System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'.
at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient)
at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline()
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
</faultstring>
<faultfactor>http://1.1.1.1/Test.asmx</faultfactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
I assume the problem is at the server, because the 'xxx' findValue is associated with the server and not with my client certificate.
How can I fix this?