
I am trying to consume a SOAP 1.1 web service that runs on top of Oracle WebLogic, from a WCF client. The service implements the standard OASIS WS-Security 1.2, with body signing and encryption (sign before encrypt), the Basic256Sha256 algorithms, and the LaxTimestampLast layout.

I am able to send the message signed and encrypted, with the expected format:

<s:Envelope 
    xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" 
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <e:EncryptedKey Id="_0" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                        xmlns="http://www.w3.org/2000/09/xmldsig#"/>
                </e:EncryptionMethod>
                <KeyInfo 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue>fOgGM...Ixw==</e:CipherValue>
                </e:CipherData>
                <e:ReferenceList>
                    <e:DataReference URI="#_2"/>
                </e:ReferenceList>
            </e:EncryptedKey>
            <o:BinarySecurityToken u:Id="uuid-792fca62-dad8-442e-b720-d52f48768dd0-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIFf...O2A8=</o:BinarySecurityToken>
            <Signature 
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>0OiBt3eXZek5bJ9d9CFsduwbtQVoFY3DvFqxfnQz7Dg=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>PtcCDNfz7ocVM86qgSnDFnUUJnVz6E884Ll9QeV6Wfg=</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-792fca62-dad8-442e-b720-d52f48768dd0-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <DigestValue>SezODccgkQ2rfYtKfSxAC14igVpLxbfQtKChSddDf+c=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>j6XPB.../ow==</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</o:KeyIdentifier>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
            <u:Timestamp u:Id="uuid-a1958c98-41b5-40d4-bdaa-2c0948d4f526-1">
                <u:Created>2017-11-06T20:43:29.722Z</u:Created>
                <u:Expires>2017-11-06T20:48:29.722Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body u:Id="_1" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
            xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <e:CipherData>
                <e:CipherValue>L7f+O...Rw7jHL</e:CipherValue>
            </e:CipherData>
        </e:EncryptedData>
    </s:Body>
</s:Envelope>

However, when getting the response:

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope 
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header>
        <wsse:Security 
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
            <ns1:EncryptedKey 
                xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="18iq0thuJbDO21Gk">
                <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <ns2:DigestMethod 
                        xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </ns1:EncryptionMethod>
                <ns3:KeyInfo 
                    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference 
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_nczorGBwzUSf1PJG">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">D5Myi4vs+Af3Dg1ByUs1kCKm55E=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ns3:KeyInfo>
                <ns1:CipherData>
                    <ns1:CipherValue>VLX9L...jTQ==</ns1:CipherValue>
                </ns1:CipherData>
                <ns1:ReferenceList>
                    <ns1:DataReference URI="#XgzvGdpjeeFiU0AH"/>
                </ns1:ReferenceList>
            </ns1:EncryptedKey>
            <wsse11:SignatureConfirmation 
                xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sigconf_gF2mG4MS0QT3gGyg" Value="j6XPB.../ow=="/>
            <dsig:Signature 
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:SignedInfo>
                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <dsig:Reference URI="#Timestamp_be1msZa7e60oVdtW">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>mWxC8kSZIGKE1KTyVWbr2YgOmE1UqVNV3lS4vdM4kdM=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#Body_fr2ndXxiUtwuP3Y2">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>ZztOfa8rAv2aaMUxxKaYAPgUbEfIZRe/1ZRgPacmAlc=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#sigconf_gF2mG4MS0QT3gGyg">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>AfX4C1zXqAIX1pEHPw7PHEhf/g/8JWACJqgX7p63RkI=</dsig:DigestValue>
                    </dsig:Reference>
                    <dsig:Reference URI="#str_RLjzz112Lwz91VZF">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </wsse:TransformationParameters>
                            </dsig:Transform>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>gRa3zakGn13XISoKpekB3zl0iDqb/LmNy7+aMDtzKIY=</dsig:DigestValue>
                    </dsig:Reference>
                </dsig:SignedInfo>
                <dsig:SignatureValue>xlVJb...EPZg==</dsig:SignatureValue>
                <dsig:KeyInfo>
                    <wsse:SecurityTokenReference 
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_RLjzz112Lwz91VZF">
                        <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">h5cRJR6NnWrnf3PvAPJ4iB70Tow=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </dsig:KeyInfo>
            </dsig:Signature>
            <wsu:Timestamp 
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp_be1msZa7e60oVdtW">
                <wsu:Created>2017-11-06T20:43:30Z</wsu:Created>
                <wsu:Expires>2017-11-06T20:44:30Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </env:Header>
    <S:Body 
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body_fr2ndXxiUtwuP3Y2">
        <ns1:EncryptedData 
            xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="XgzvGdpjeeFiU0AH" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml">
            <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ns1:CipherData>
                <ns1:CipherValue>GT08G...PqanY</ns1:CipherValue>
            </ns1:CipherData>
        </ns1:EncryptedData>
    </S:Body>
</S:Envelope>

The client test fails with this error:

Test Name:  TestMethod_CodedCustomBinding
Test FullName:  Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding
Test Source:    C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs : line 207
Test Outcome:   Failed
Test Duration:  0:00:00.9372511

Result StackTrace:  
at System.IdentityModel.StandardSignedInfo.EnsureAllReferencesVerified()
   at System.IdentityModel.SignedXml.CompleteSignatureVerification()
   at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
 --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request)
   at Integration.ServiceClient.TestServiceClient.ServiceWsClient.Integration.ServiceClient.TestServiceClient.ServiceWs.notify(notifyRequest request) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 994
   at Integration.ServiceClient.TestServiceClient.ServiceWsClient.notify(Int64 idNotification) in C:\Source\Integration.ServiceClient\Service References\TestServiceClient\Reference.cs:line 1000
   at Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding() in C:\Source\Integration.TestServiceClient.Tests\CodeClientTests.cs:line 212
Result Message: 
Test method Integration.TestServiceClient.Tests.CodeClientTests.TestMethod_CodedCustomBinding threw exception: 
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.Security.Cryptography.CryptographicException: Unable to resolve the '#str_RLjzz112Lwz91VZF' URI in the signature to compute the digest.

However, the URI is present in the SecurityTokenReference tag inside the Signature > KeyInfo tag. Any idea about why this reference is not being found during the signature validation, and what can be done to resolve this error?

Guillermo Gutiérrez
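Added example, written here for this page and not taken from the question or from WCF: a small Python diagnostic that does the step the WCF resolver is reporting on, namely resolving every ds:Reference URI in the signature against the Id and wsu:Id attributes in the envelope, and reporting where each target sits and whether the reference uses STR-Transform. The envelope it runs on is a constructed, shortened copy of the response structure shown above (ids and base64 values replaced with placeholders); run it against a captured response to see the same report for the real message.

```python
"""Resolve every ds:Reference URI in a WS-Security signature.

Diagnostic for "Unable to resolve the '#...' URI in the signature": index
every Id / wsu:Id in the envelope, then report where each signed reference
lands and which transform it declares.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
# Id attributes a reference may target: unqualified Id (xmlenc elements such
# as EncryptedKey / EncryptedData) and wsu:Id (WS-Security utility schema).
ID_ATTRS = ("Id", "{%s}Id" % WSU)


def local_name(tag):
    """'{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def index_ids(root):
    """Map every Id/wsu:Id value to (element, slash-separated ancestor path)."""
    parents = {child: parent for parent in root.iter() for child in parent}
    ids = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            val = el.get(attr)
            if val is None:
                continue
            path, node = [], el
            while node is not None:          # climb to the root
                path.append(local_name(node.tag))
                node = parents.get(node)
            ids[val] = (el, "/".join(reversed(path)))
    return ids


def check_signature_references(xml_text):
    """One dict per ds:Reference, in document order."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    results = []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:] if uri.startswith("#") else uri)
        transforms = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]
        results.append({
            "uri": uri,
            "resolved": target is not None,
            "target": local_name(target[0].tag) if target else None,
            "path": target[1] if target else None,
            # STR-Transform: the digest covers the token the STR points at,
            # not the SecurityTokenReference element itself.
            "str_transform": STR_TRANSFORM in transforms,
            # Flags a target nested in the signature's own KeyInfo, which is
            # where the unresolved reference in the question points.
            "inside_signature_keyinfo": bool(target) and "Signature/KeyInfo" in target[1],
        })
    return results


def unresolved_references(xml_text):
    """URIs that point at no Id/wsu:Id anywhere in the envelope."""
    return [r["uri"] for r in check_signature_references(xml_text) if not r["resolved"]]


# Constructed sample mirroring the response layout in the question
# (ids shortened, cipher/signature values replaced with placeholders).
SAMPLE_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<S:Header><wsse:Security S:mustUnderstand="1">
 <xenc:EncryptedKey Id="ek_1"><xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
 <wsse11:SignatureConfirmation wsu:Id="sigconf_1" Value="BBBB"/>
 <dsig:Signature><dsig:SignedInfo>
  <dsig:Reference URI="#Timestamp_1"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms></dsig:Reference>
  <dsig:Reference URI="#Body_1"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms></dsig:Reference>
  <dsig:Reference URI="#sigconf_1"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms></dsig:Reference>
  <dsig:Reference URI="#str_1"><dsig:Transforms><dsig:Transform Algorithm="%s"/></dsig:Transforms></dsig:Reference>
 </dsig:SignedInfo><dsig:SignatureValue>CCCC</dsig:SignatureValue>
 <dsig:KeyInfo><wsse:SecurityTokenReference wsu:Id="str_1"><wsse:KeyIdentifier>DDDD</wsse:KeyIdentifier></wsse:SecurityTokenReference></dsig:KeyInfo>
 </dsig:Signature>
 <wsu:Timestamp wsu:Id="Timestamp_1"><wsu:Created>2017-11-06T20:43:30Z</wsu:Created></wsu:Timestamp>
</wsse:Security></S:Header>
<S:Body wsu:Id="Body_1"><xenc:EncryptedData Id="ed_1"/></S:Body>
</S:Envelope>""" % STR_TRANSFORM


if __name__ == "__main__":
    for r in check_signature_references(SAMPLE_RESPONSE):
        flag = "" if r["resolved"] else "  <-- UNRESOLVED"
        print("%-13s -> %s  str_transform=%s in_keyinfo=%s%s" % (
            r["uri"], r["path"], r["str_transform"], r["inside_signature_keyinfo"], flag))
    # Failure mode: drop the STR's wsu:Id and the same reference becomes unresolvable.
    print("with the STR Id removed:", unresolved_references(
        SAMPLE_RESPONSE.replace(' wsu:Id="str_1"', "")))
```

On the response in the question the report singles out one reference: `#str_RLjzz112Lwz91VZF` is the only one declared with STR-Transform and the only one whose target sits inside the Signature's own KeyInfo rather than directly under the Security header. That is the combination worth comparing against what the service is configured to sign, and against what the client's binding expects to verify, before changing binding settings.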

1 Answer


Please note:

You cannot use CertificateOverTransport and sign the message body. WCF will not allow this, if you are doing this.

In this case, try using MutualCertificateDuplex and change your protection level to none (ProtectionLevel.None) if you are not interested in signing the response.

If this fails, try to add custom binding to your WCF:

<customBinding>
    <binding name="NewBinding0">
        <textMessageEncoding messageVersion="Soap11" />
        <security authenticationMode="MutualCertificateDuplex" includeTimestamp="false"
            messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <secureConversationBootstrap />
        </security>
        <httpTransport />
    </binding>
</customBinding>

This will allow your certificate to be digested correctly.

Barr J