
I am accessing an external Java-based web service I have no control over from a WCF client, using dual certificates for encryption and signature as well as a custom binding. I am getting a successful response from the server but WCF is throwing a MessageSecurityException: The 'Action', 'http://www.w3.org/2005/08/addressing' required message part was not signed.

My custom binding:

// Namespaces the binding code below depends on.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

private CustomBinding GetCustomBinding()
{
    CustomBinding binding = new CustomBinding();
    binding.OpenTimeout = new TimeSpan(0, 0, 20);
    binding.CloseTimeout = new TimeSpan(0, 0, 20);
    binding.SendTimeout = new TimeSpan(0, 5, 0);
    binding.ReceiveTimeout = new TimeSpan(0, 5, 0);

    // UsernameToken sent to the service as a signed supporting token.
    var userNameToken = new UserNameSecurityTokenParameters();
    userNameToken.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;

    // Asymmetric (dual-certificate) message security: the client signs with its own
    // certificate and encrypts for the service certificate.
    var securityElement = new AsymmetricSecurityBindingElement();
    securityElement.EnableUnsecuredResponse = true;
    securityElement.IncludeTimestamp = true;
    securityElement.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
    securityElement.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient);
    securityElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15;
    securityElement.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
    securityElement.SetKeyDerivation(false);
    securityElement.EndpointSupportingTokenParameters.Signed.Add(userNameToken);
    securityElement.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
    securityElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    binding.Elements.Add(securityElement);

    // SOAP 1.1 with WS-Addressing 1.0 text encoding.
    var encodingElement = new TextMessageEncodingBindingElement();
    encodingElement.MessageVersion = MessageVersion.Soap11WSAddressing10;
    encodingElement.WriteEncoding = Encoding.UTF8;
    encodingElement.ReaderQuotas.MaxArrayLength = 50000000;
    encodingElement.ReaderQuotas.MaxStringContentLength = 50000000;
    binding.Elements.Add(encodingElement);

    // HTTPS transport.
    var httpsElement = new HttpsTransportBindingElement();
    httpsElement.MaxBufferSize = 50000000;
    httpsElement.MaxReceivedMessageSize = 50000000;
    httpsElement.MaxBufferPoolSize = 50000000;
    httpsElement.UseDefaultWebProxy = true;
    binding.Elements.Add(httpsElement);

    return binding;
}

Now I don't care if that Action element is signed or not, or even if it's not there at all, but hacking the response to remove the tag altogether results in a 'No signature message parts were specified for messages with the '' action.' exception.

How can I configure my client to accept the Action and other addressing elements in the response message as they are? Alternatively, what can I change them to so WCF will let them pass?

Spiny Norman

1 Answer


To override the default checking of the remote Secure Sockets Layer (SSL) certificate used for authentication, specify this on client:

ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; }); 

To investigate the certificate errors, check the sslPolicyErrors parameter of the RemoteCertificateValidationCallback delegate (Link to MSDN manual page).

BolandT
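As an added example (not from the answer or the question), this is what a diagnostic RemoteCertificateValidationCallback looks like when it records the sslPolicyErrors and chain status the answer refers to but still returns the verdict the default policy would have given, rather than the unconditional return true above. The class and method names are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: log why the TLS server certificate was rejected without
// turning validation off. Class name is an assumption.
static class DiagnosticCertificateValidation
{
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }

    private static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
        {
            // RemoteCertificateNotAvailable: nothing to inspect, so reject.
            Console.Error.WriteLine("No server certificate presented; policyErrors={0}", sslPolicyErrors);
            return false;
        }

        // Subject and thumbprint identify which certificate the client actually saw.
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        Console.Error.WriteLine("TLS server certificate: subject={0}, thumbprint={1}, policyErrors={2}",
            cert2.Subject, cert2.Thumbprint, sslPolicyErrors);

        // ChainStatus explains RemoteCertificateChainErrors (untrusted root,
        // expired certificate, revocation status unknown, ...).
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.Error.WriteLine("  chain: {0} - {1}", status.Status, status.StatusInformation);
            }
        }

        // Accept only what the default policy accepts; the log above is the diagnostic.
        return sslPolicyErrors == SslPolicyErrors.None;
    }
}
```

With sslPolicyErrors logged as None, as the comment below reports, the TLS layer is not the source of the MessageSecurityException, which points back at the WS-Security message-level checks in the binding.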
Comment: Unfortunately, that didn't work - sslPolicyErrors parameter has value of None. It isn't certificates that's the problem, I don't think, it's the format of the response message that I want to disable checking of. – user3349365 Mar 17 '14 at 00:16