0

I have a WCF web service with message security and consuming it from a java web application created with Netbeans with a project using Metro (WSIT+jaxws). All works fine using standard algorithmSuite Basic256 but when I use Basic256Sha256 which is a requirement on the service I get a runtime error saying "SOAPFaultException: An error occurred when verifying security for the message.". When I look i service log it says "The algorithm 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' is not accepted for operation 'SymmetricSignature' by algorithm suite Basic256Sha256.". The question is how I change the client to use SHA2 (Sha256). I'm using Certificate as client credential type.

WCF Binding:

        <!-- MESSAGE SECURITY -->
        <binding name="myMessageBinding">
          <transactionFlow />
          <security defaultAlgorithmSuite="Basic256Sha256" 
                    authenticationMode="SecureConversation"
                    messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <secureConversationBootstrap defaultAlgorithmSuite="Basic256Sha256"
                                         authenticationMode="MutualCertificate" requireDerivedKeys="false"
                                         messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                                         requireSignatureConfirmation="true" />
          </security>
          <textMessageEncoding />
          <httpTransport />
        </binding>
Niklas Fischer
  • 11
  • 3

1 Answers1

1

SecurityAlgorithmSuite.IsSymmetricSignatureAlgorithmSupported returns an unsupported algorithm for symetric signature error because Basic256Sha256 uses

http://www.w3.org/2001/04/xmldsig-more#hmac-sha256

as the algorithm used for signature generation and validation and

http://www.w3.org/2001/04/xmlenc#sha256

as the digest algorithm to be applied to the signed object to create or validate the hash for the xml signature.

http://www.w3.org/2000/09/xmldsig#hmac-sha1

is valid as symmetric signature for

  • Default
  • Basic256
  • Basic256Rsa15

using

http://www.w3.org/2000/09/xmldsig#sha1

as digest algorithm.

It seems like your Java client is not using the same algorithm to sign the SOAP message, check the SignedInfo SignatureMethod element in the message received from the Java client for

Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"

to ensure that the client is not signing using the same algorithm.

vzamanillo
  • 9,905
  • 1
  • 36
  • 56