Two signatures in WCF SOAP request

Question

I'm trying to consume an external web service (as far as I can see it is an axis2/apache service) with a .NET 3.5 WCF client.

The service expects incoming messages to be signed and encrypted using x509 certificates. Signing and encrypting seems to work so far, but WCF adds a second <signature> element in the SOAP header, which confuses the remote web service.

I am unable to get rid of this second signature element. What I found while researching the matter is, that this signature is used to sign the first signature.

My WCF configuration currently uses a custom binding with the following security settings:

<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
     authenticationMode="MutualCertificate"
     securityHeaderLayout="Lax"
     defaultAlgorithmSuite="Basic128"
     includeTimestamp="false"
     keyEntropyMode="CombinedEntropy"
     requireDerivedKeys="false"
     messageProtectionOrder="SignBeforeEncrypt"
     requireSignatureConfirmation="true">

Anybody has an idea as what I have to change to make this work?

A sample SOAP request generated by my client looks like this:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <e:EncryptedKey Id="uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
                </e:EncryptionMethod>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... --></o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue><!-- ... --></e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                    <e:DataReference URI="#_2"/>
                </e:ReferenceList>
            </e:EncryptedKey>
            <o:BinarySecurityToken>
                <!-- Removed-->
            </o:BinarySecurityToken>
            <Signature Id="_0" xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue><!-- ... --></DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue><!-- ... --></SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-0a13788c-6cb3-4fe2-940b-1e220d15230e-3"/>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#_0">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue><!-- ... --></DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue><!-- ... --></SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-9618ae47-8bcd-4a96-b56e-800759a0ee57-7"/>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <e:CipherData>
                <e:CipherValue><!-- ... --></e:CipherValue>
            </e:CipherData>
        </e:EncryptedData>
    </s:Body>
</s:Envelope>

Answer 1

Turns out I was using the wrong messageSecurityVersion value. With a value of WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 only a single signature is added to the SOAP header.

Afterwards the server was able to understand the requests. Some tweaks to the defaultAlgorithmSuite and now service and client are talking and understanding each other.