Signature failed core validation error

Question

I have designed a WCF.net client that sends a SOAP request to the vendor. To meet vendor WS security requirements , I have to create a custom SOAP header and send request with the custom header to the web service on the vendor side. So i created a custom header by implementing a new class derieved from MessageHeader (see below)

public class SignOnlyMessageHeader : MessageHeader
{
    private const string PREFIX_CP = "wsse";

    public string m_Username { get; set; }
    public string m_Envelope { get; set; }

    public SignOnlyMessageHeader(string Username, string Envelope)
    {
        m_Username = Username;
        m_Envelope = Envelope;
    }

    public override string Name
    {
        get { return "wsse:Security"; }
    }

    public override string Namespace
    {
        get { return null; }
    }

    public override bool MustUnderstand
    {
        get
        {
            return false;
        }
    }

    protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        base.OnWriteStartHeader(writer, messageVersion);
        writer.WriteXmlnsAttribute(PREFIX_CP, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    }

    protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        writer.WriteStartElement(PREFIX_CP, "UsernameToken", null);
        writer.WriteAttributeString("wsu:Id", "UsernameToken-20");
        writer.WriteXmlnsAttribute("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
        writer.WriteElementString(PREFIX_CP, "Username", null, m_Username);
        writer.WriteEndElement();
        SignXmlFile(writer);
    }

    public void SignXmlFile(XmlDictionaryWriter writer)
    {
        string certificatePath = "C:\\Users\\22428-cert.p12";
        System.Security.Cryptography.X509Certificates.X509Certificate2 cert = new X509Certificate2(certificatePath, "changeit");

        // Create a new XML document.
        XmlDocument doc = new XmlDocument();

        // Format the document to ignore white spaces.
        doc.PreserveWhitespace = false;
        doc.LoadXml(m_Envelope);

        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml(doc);

        // Add the key to the SignedXml document. 
        //signedXml.SigningKey = Key;
        signedXml.SigningKey = cert.PrivateKey;

        // Create a new KeyInfo object.
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.Id = "";

        // Load the certificate into a KeyInfoX509Data object
        // and add it to the KeyInfo object.
        KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
        keyInfoData.AddCertificate(cert);
        keyInfo.AddClause(keyInfoData);
        // Add the KeyInfo object to the SignedXml object.
        signedXml.KeyInfo = keyInfo;

        signedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";

        // Create a reference to be signed.
        Reference reference = new Reference();
        reference.Uri = "";

        // Add an enveloped transformation to the reference.
        XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);
        reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);
        signedXml.Signature.Id = "";

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Check the signature and return the result.
        if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))
        {
            Console.WriteLine("invalid signature");
        }

        xmlDigitalSignature.WriteTo(writer);
    }

So after creating the custom header class, I overrode the IClientMessageInspector.BeforeSendRequest method to intercept the outgoing request and add my custom header to the soap request. See code below,

    object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, IClientChannel channel)
    {
        request.Headers.RemoveAt(0);
        SignOnlyMessageHeader header = new SignOnlyMessageHeader("x509user", env);
        request.Headers.Add(header);
        return null;
    }

The end result is I am intercepting the SOAP request and correctly replacing the current header with the custom header. Before the request is sent out , I checked the updated the SOAP request (placed a breakpoint) , the structure matches EXACTLY what the vendor requested. But I receive an error after the request is processed at vendor side. It only says "Signature failed core validation". I think I am correctly signing the entire envelop in the "SignXmlFile" method. I even checked the validity within the method (if (!signedXml.CheckSignature(new X509Certificate2(certificatePath, "changeit"), true))), the statement returns a false which indicates signature is valid.

What am I doing wrong ?

Answer 1

Well I tried and tried, something with the way I am intercepting the header and after i inject the header with the Signature ..the validation is failing. As a work around, I striped out the entire header from my .net client. I am routing my request with just the soap baod to a XML gateway, we configured the gateway to intercept the request and add the necessary header init and forward the request to the external vendor. It worked.