13

I need to consume a web service secured with WS-Security from ASP.NET.

I'm testing the service with SoapUI, being the envelop request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://aduana.gov.py/webservices">
   <soapenv:Header/>
   <soapenv:Body>
      <web:agregarGuia>
         <!--Optional:-->
         <guia>?</guia>
         <!--Optional:-->
         <autenticacion>
            <!--Optional:-->
            <codAduana>?</codAduana>
            <!--Optional:-->
            <firmaWSAA>?</firmaWSAA>
            <!--Optional:-->
            <idUsuario>?</idUsuario>
            <!--Optional:-->
            <ticketWSAA>?</ticketWSAA>
         </autenticacion>
      </web:agregarGuia>
   </soapenv:Body>
</soapenv:Envelope>

And the response I get is:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault>
         <faultcode>env:Server</faultcode>
         <faultstring>org.jboss.ws.core.CommonSOAPFaultException: This service requires &lt;wsse:Security>, which is missing.</faultstring>
      </env:Fault>
   </env:Body>
</env:Envelope>

So I contacted the service provider and they told me that the use of WS-Security is mandatory to invoke the service. Therefore, the SOAP message sent to the server must be digitally signed with my certificate.

The problem is I don't know how to do that. So far I added a Service Reference and I'm passing the mentioned certificate in code:

var srvRef = new DnaSoapClient(); 
srvRef.ClientCredentials.ClientCertificate.Certificate = theCert;
var response = srvRef.agregarManifiesto( dnaManifiesto );

I have googled around and some folks recommend WCF. I'm building an ASP.NET 4.5 application. What are my options with this scenario? I need to know how to sign the message using my certificate.

EDIT 1: I was able to advance the issue, now I can send the SOAP message signed with the certificate and I'm close to finish my task. Now I fail in setting the correct elements in Security tag, I edited the question to show both envelope, the correct one and mine.

Correct: this is an sample envelope for a correct request

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-B259DAB3D28E48CB6A140000796019094">MIIC9TCCAd2gAwIBAgIIUiM4nWs8kfcwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5DQTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwHhcNMTQwMzIwMTkxMTIwWhcNMTgxMjIwMTQzNzEzWjBBMRQwEgYDVQQDDAtjb3VyaWVyLnRudDEOMAwGA1UECwwFc29maWExDDAKBgNVBAoMA2RuYTELMAkGA1UEBhMCcHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOS71x5+ChwGzWs4VlLgkePbU8/zFHUrrE8nFNVsukMCc5q5hCK8/CeNM+mxImilLdJrGoC2/000lQetB9B3AqIrAdOfBFU4/qsAlgWI+kt2jnUsJMLRjQfxhAKMeX4RUb0CmTcsnXtWlFvYFFjiUi9nUJVSxCsmldVFgLIAHRPjAgMBAAGjfzB9MB0GA1UdDgQWBBTCwBBmU7f/4SmNz7GNJ25ILkPuhjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDF+1hOSdgg2DFOUofnnXdx9TxjeMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAALVVGGNsTSMcfDBwkkNQH3MpfiNTo/mhH8ahqUVN1+5BIwWstv8fH0Sl9ea1XShKLPDfDIx8WSzUUIt/93f74B3a3oMpBtbVEiku2BKUp5cJfkYe2c5zPOxk3nzmQwcEoB++RgX9DJOtUkKA/It2IM9/8ggUyjceJQCpBRiA9Kg7+h3HfmOKNn+9/pNu498JXhSRKa8Jr4pp/1udYRk+W8sKGEBtAU9MvL3y0AbvLhUD+MZyvpHGB17fslC8Nnd5EBQH8hQD+DWGepyCBIlb0NA13YEoLMcRKDcWvSPd0UGWo2G0IOeUZaGuzzIz2n04QrXvnqQKAOFd9yH2VfGtWE=</wsse:BinarySecurityToken>
    <ds:Signature Id="SIG-96" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ec:InclusiveNamespaces PrefixList="soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:SignatureMethod>
        <ds:Reference URI="#id-95" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:DigestMethod>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">whvAdAkypsWVXHXbIz/T54n0dBw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        MdHy5mceNtQWUD5WmVOzZU8roxD3EQkQmcZA9LsfhBcp3cFAD3P1qJJ9EyrRFBs5yCiYDY716Wzh
        M+tFybt1+EujXZZ3ytk4XaahkexNAG51iup1wvw0Km+nsj4u/x8DzTA/J9EG3ZdTSUrIVBsFcEQa
        TF4BwUAgGBS87xqL5zc=
      </ds:SignatureValue>
      <ds:KeyInfo Id="KI-B259DAB3D28E48CB6A140000796019095">
        <wsse:SecurityTokenReference wsu:Id="STR-B259DAB3D28E48CB6A140000796019096" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#X509-B259DAB3D28E48CB6A140000796019094" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp wsu:Id="TS-94">
      <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-05-13T19:06:00.188Z</wsu:Created>
      <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-05-13T19:07:00.188Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security>
</soapenv:Header>

Mine, this is not working

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPowmum40QT95GqsY7XPKT7LIAAAAAvMwgorinWU+AVOWH+3TPjP6NBU03AZtHqle8GLRYcYAACQAA</VsDebuggerCausalityData>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2014-05-15T21:30:20.723Z</u:Created>
        <u:Expires>2014-05-15T21:35:20.723Z</u:Expires>
      </u:Timestamp>
      <o:BinarySecurityToken u:Id="uuid-16d1441d-2f30-40a0-ae4e-ec5d557d2261-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIC9jCCAd6gAwIBAgIINNZyZplkQHgwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5DQTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwHhcNMTQwMzIwMTgzMjQ3WhcNMTgxMjIwMTQzNzEzWjBCMRUwEwYDVQQDDAxjb3Vycmllci5kaGwxDDAKBgNVBAsMA09QUzEOMAwGA1UECgwFREhMUFkxCzAJBgNVBAYTAlBZMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGoP0dxByIfto/hqJCOhobTdwQJ3AxJkqUeSNFnprAH8zi6HjBJhzkXptqXiR9GZR1H4U3UaN6aczKVh2PaPqU8ooTxjST0ywWBgXA1WP3ukrybUKxpSvqmiRJ/cANAYLovL+gmh2v/fqPiLs7vsgT+zj1330wRGqtrokYPMjlbQIDAQABo38wfTAdBgNVHQ4EFgQU6IHB4XfP7+rbryy1Ru8kFcfSDqcwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQxftYTknYINgxTlKH5513cfU8Y3jAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQB3NQC+0/VmC7A1MStKdc2NctTo7P+mhvIBe54U/Vs8I5vXiatKz01BzHIbl7chjP063V4YTtehDCGkwUTtARqpkua7RfdlMqsmcr1s3qnD4lUpGuAeVW0Wsrhu1xGjPf02fTBdD3yyGWCeUiNvKuoweeATlGyB/VlHJaZHN4HuJCnWlPic6uUUMBYqrOOa+wJr/OCFHqkEiBsUihD6ergj7AeAAFcG41GI2ZjVWK/PEB71sbQqqGgLpigAS9f8PNMm+TnQuizrvLPKm3hanOKYr9ORrbWjZCL3dva1YobK4ykvUYpncj6YsOtuDi62RcHYjT7IF9UoeZHBE2vePc+K</o:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>pM8KraJSLZumo77gD9+JF2f8eBU=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>MZ9ZTKeGj5KNUEn4R6cQhRhOdK0frNK1O5KRGbM+YqfvzlVwVKQ6n7p9rncbtrdGsLg3CVwUVwB7PBF78tDx3p0LjF/Eg015t6qouSyK/92qL3oRz/8TbqLKpe/1uySdmGhrqPrVlTDF2rHuFGwmQVSILyUVLg/nW7K+EDwS/Lg=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference URI="#uuid-16d1441d-2f30-40a0-ae4e-ec5d557d2261-2"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header> 
</s:Envelope>
Null
  • 1,950
  • 9
  • 30
  • 33
Diane
  • 428
  • 2
  • 6
  • 16
  • What happens when you use the `DnaSoapClient`? – John Saunders May 14 '14 at 19:24
  • @JohnSaunders the service explode in my face with java.lang.NullPointerException. That is why i decided to test it with SoapUI. – Diane May 14 '14 at 19:29
  • 1
    But `NullPointerException` is clearly a bug in the server. Can you talk to the server people and ask them if something you're sending them triggers their bug? It's possible that your side is actually working, and that the service has a bug. – John Saunders May 14 '14 at 19:31
  • @JohnSaunders yes, they are aware of this and are working in a proper response, but the fact is that im not being able to passing Security and this service need it. – Diane May 14 '14 at 19:36
  • How do you know you're not passing security? You could be passing it, and then the server gets the `NullPointerException`. – John Saunders May 14 '14 at 19:38
  • @JohnSaunders they says that im not signing the message. The request they receive from me is: – Diane May 14 '14 at 19:43
  • Ok, then you _both_ have a bug! BTW, I wonder if their WSDL properly indicates that they need the message signed. It doesn't work with soapUI either, and I think soapUI _can_ do WS-Security (if the WSDL says that is required). Does the WSDL have any "policy" elements in it? – John Saunders May 14 '14 at 19:45
  • @JohnSaunders, No policy element in their WSDL. Here you can see. https://secure.aduana.gov.py/test/tere/serviciotere?WSDL – Diane May 14 '14 at 19:54
  • 2
    Ok, then you'll need to do some stuff in code, and I don't know how. This is a bad WSDL. The service requires security but the WSDL says that the service does _not_ require security, so WCF isn't providing it. You'll have to do something to change the binding configuration in code before accessing the service. – John Saunders May 14 '14 at 19:58
  • Ok @JohnSaunders, I appreciate your help, I will keep investigating about it and will be posting the solution here once i get one. – Diane May 14 '14 at 20:04
  • @JohnSaunders, I was able to advance the issue, now i can send the SOAP message signed with the certificate and I'm close to finish my task. Now i fail in setting the correct elemtents in Security tag, I edited the question to show both envelope, the correct one and mine. – Diane May 15 '14 at 21:48
  • 1
    You should create an answer showing what you have achieved so far, and how you did it. Keep the answer updated as you get further. When you're done, you'll be able to accept the answer, and even get upvotes from other users. – John Saunders May 15 '14 at 22:34
  • @JohnSaunders i have posted the solution to this question as you suggested. – Diane May 18 '14 at 20:33

1 Answers1

17

I managed to get this working i post the solution here for others. To summarize, the task at hand was to consume a web service written in java with ws-security features. Let me clarify that this should be a easy task if the web service developer consciously write a good wsdl and/or they are collaborative people. Unfortunately they are not any. If you are in this case you have to be armed with SoapUI and Fiddler to take the service by your self. The first thing is with SoapUI get the Soap version that the service use, that will define the type of binding you can use, in my case it was Soap 1.1 and in convination with ws-security force me to use customBinding because wsHttpBinding only support Soap 1.2 and basicBinding is not that flexible to consume a WS-Security enabled service.
After sessions of tests-errors and a lot of Fiddler to read the server responses i finally came out with the following binding. All done by configuration, no code involved:

  <system.serviceModel>
    <bindings>

        <binding name="MyBinding" >          
      <textMessageEncoding messageVersion="Soap11"/>
      <security authenticationMode="MutualCertificate" enableUnsecuredResponse="true" allowSerializedSigningTokenOnReply="true"
                messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                includeTimestamp="false">
      </security>
      <httpsTransport />
        </binding>

      </customBinding>


    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertificateBehavior">
          <clientCredentials>
            <clientCertificate findValue="xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"
                               storeLocation="CurrentUser" storeName="My" 
                               x509FindType="FindByThumbprint" />

            <serviceCertificate>
              <defaultCertificate findValue="xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx" 
                                  storeLocation="CurrentUser" storeName="My"
                                  x509FindType="FindByThumbprint"/>
              <authentication certificateValidationMode="None" />
            </serviceCertificate> 
          </clientCredentials>

        </behavior>

      </endpointBehaviors>

    </behaviors>
    <client>

      <endpoint address="https://secure.aduana.gov.py/test/tere/serviciotere"
        binding="customBinding" bindingConfiguration="MyBinding"
        contract="serviciotereSoap" name="serviciotereSoap"  behaviorConfiguration="ClientCertificateBehavior">
        <identity>
          <dns value="tere_test"/>
        </identity> 
      </endpoint>

    </client>
  </system.serviceModel>

. Replace xx with your certificates Thumbprint hex values) . Resources that helped me sort the differents issues: this and here

Diane
  • 428
  • 2
  • 6
  • 16
  • 14
    Don't blame java developers for their lack of humor. Imagine if somebody took C# and removed properties, delegates, events, LINQ, lambdas, async/await, proper generics, value types, and almost every other awesome language feature you use daily, and forced you to code without them. You'd be in a bad mood too, and probably not willing to help anyone either ;) – Federico Berasategui May 19 '14 at 02:16
  • Hey im with same shitty problem here. ATM im getting a "Could not locate certificate by key identifier". Any clue? I have installed certificates – pata Apr 04 '18 at 15:14