
How can I verify that my WCF message has been signed? I've got my setup running and working just fine, but need to be able to inspect the signature on the server side. How is this done? I'm using MsmqIntegrationBinding, and signing it with an X509Certificate2.

var binding = new MsmqIntegrationBinding(MsmqIntegrationSecurityMode.Transport)
{
    SerializationFormat = MsmqMessageSerializationFormat.Binary,
    Security = new MsmqIntegrationSecurity()
    {
        Mode = MsmqIntegrationSecurityMode.Transport,
        Transport = new MsmqTransportSecurity()
        {
            MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate,
            MsmqProtectionLevel = System.Net.Security.ProtectionLevel.Sign
        }
    }
};

EndpointAddress address = new EndpointAddress("myaddress");
ChannelFactory<IMyMessage> channelFactory = new ChannelFactory<IMyMessage>(binding, address);

channelFactory.Credentials.ClientCertificate.Certificate = my_x509certificate2;
IMyMessage channel = channelFactory.CreateChannel();

//create message and send using the channel
Random

1 Answer

Annotate either your service or your operation with this:

[OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]

This will basically enforce it on the server side: the operation will not be invoked unless the message is signed and encrypted.

If you need more reference, check ProtectionLevel on MSDN:

http://msdn.microsoft.com/en-us/library/aa347692.aspx

Admir Tuzović
  • Well, could be the signing wasn't working. I now get an error "The request message must be protected. This is required by an operation of the contract... The protection must be provided by the binding ('MsmqIntegrationBinding','http://tempuri.org/')." – Random Mar 22 '13 at 20:01
  • Well that's what this annotation does, it requires both signing and encryption on server side before operation is invoked. – Admir Tuzović Mar 22 '13 at 20:34
  • So, now I have to determine why it's not happening with the way I have it set up. – Random Mar 25 '13 at 15:45
  • This is how to ensure the message is signed and/or encrypted, but not verify (message inspection may be my solution). – Random Apr 07 '13 at 23:55
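
One way to inspect the MSMQ authentication result on the receiving side, as an added example that is not code from the question or the answer: it reads the `Authenticated` flag exposed by `MsmqMessage<T>` and by `MsmqIntegrationMessageProperty`. `MyPayload`, `MyMessageService`, the `Process` operation and the way an unauthenticated message is rejected are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.MsmqIntegration;

// Hypothetical payload type; the question does not show the real one.
[Serializable]
public class MyPayload { public string Text { get; set; } }

// Assumed shape of the contract; only the name IMyMessage is from the question.
[ServiceContract]
[ServiceKnownType(typeof(MyPayload))]
public interface IMyMessage
{
    [OperationContract(IsOneWay = true, Action = "*")]
    void Process(MsmqMessage<MyPayload> message);
}

public class MyMessageService : IMyMessage
{
    // Fail closed: a missing (null) flag is treated the same as "not authenticated".
    internal static bool IsAuthenticated(bool? flag)
    {
        return flag.HasValue && flag.Value;
    }

    public void Process(MsmqMessage<MyPayload> message)
    {
        // The same MSMQ properties are also attached to the incoming WCF message,
        // which is where a message inspector or behavior would read them.
        object raw;
        OperationContext.Current.IncomingMessageProperties
            .TryGetValue(MsmqIntegrationMessageProperty.Name, out raw);
        var native = raw as MsmqIntegrationMessageProperty;

        bool signed = IsAuthenticated(message.Authenticated)
                      && native != null
                      && IsAuthenticated(native.Authenticated);
        if (!signed)
        {
            // How to reject is an assumption: throwing hands the message to the
            // queue's normal retry/poison handling instead of processing it.
            throw new InvalidOperationException(
                "MSMQ message " + message.Id + " was not authenticated; refusing to process.");
        }

        Console.WriteLine("Authenticated message {0}: {1}", message.Id, message.Body.Text);
    }
}
```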