2

I am stuck with an interoperatibility issue. I am from .net and have to consume a Java Secured Service by signing request using x509 certificate. I have WSDL and generated service reference in .net wcf client and added x509 certificate credentials in app.config but the client does not generate the expected SOAP Payload (traced in fiddler) and java service throws error. Is there a way WCF client generate payload as expected by java?

Below is the Working Request Payload given by Java Guys.

<soapenv:Envelope xmlns:smok="http://www.javaServer.org/schemas/SmokeTest" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ds:Signature Id="SIG-53" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="smok soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-52">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="smok" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>dCnj2a+0wptrFSyWzEgwetSTHmM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          WgD3P8DWPG4eWXzXiD9+LZosn7ggRPpIC1OAmq9bn0s1HuGhM/fZozfDhEDn5sAF9RtVFiAZxC03
          4tW+cuxC5jAHH4GYQud6s5h5sGwvhLshQNVdI6HBBFQWr+J3mUEBbUCExJ6HEe1i2v0+dMQNWezo
          E1Ot7klNGxXedHzrlZw=
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-DE6BE13CF8D5419B66135109740345572">
          <wsse:SecurityTokenReference wsu:Id="STR-DE6BE13CF8D5419B66135109740345573">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US</ds:X509IssuerName>
                <ds:X509SerialNumber>51921456535433584705342517836423530149</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-52" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <smok:HelloRequest>
      <smok:Name>Hello from Heruwala</smok:Name>
    </smok:HelloRequest>
  </soapenv:Body>
</soapenv:Envelope>
Dhaval
  • 113
  • 7

1 Answers1

1

Use a customBinding with security.mode of "mutualCertificate" as explained here. If this fails please publish how your request looks life (via Fiddler or Wcf logging) so we can compare it. One expected difference is that the certificate will appear as binary token and not X509Data. I do not expect the server to fail because of this. In case it does you can fix that by creating the whole custom binding from code. When you need to create the security element it will be something like this:

SecurityBindingElement sec =
                SecurityBindingElement.CreateMutualCertificateBindingElement(
                  MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, false);
X509SecurityTokenParameters x509Params = new X509SecurityTokenParameters();
x509Params.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
((AsymmetricSecurityBindingElement) sec).InitiatorTokenParameters = x509Params;

or by hard coding the X509Data in a custom encoder.

Yaron Naveh
  • 23,560
  • 32
  • 103
  • 158
  • @yaron-navesh Hi Yaron, finally I ended up writing custom logic using httpWebRequest to post signed xml and this is how I consumed the Java Service.

    Now the new challenge is Java guys are expecting me to create .net Service which can verify the signature of above signed XML. Here too, I tried almost all wcf configurations but no Luck.     – Dhaval Nov 08 '12 at 15:30