I need to call an old IBM Websphere webservice, that requires transport and message security via a couple of certificates.
I have it all working in SoapUI, which sends a SOAP message that signs the body with RSA-SHA1. And we get the correct response back. Yay!
I can't get it work work in code, via a simple c# console app. (.NET Framework)
I'm not sure which type of SecurityBindingElement to use. The closest one to working seems to be provided by SecurityBindingElement.CreateMutualCertificateBindingElement().
My code reaches the webservice which responds with a SOAP fault:
ERRO00001 The Verification Type configuration 'asymmetric' does not allow algorithm 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'
I've tried all the DefaultAlgorithmSuites and none produce RSA-SHA1, and it may be because Microsoft no longer supports SHA1?
- Can we provide an 'RSA-SHA1' algorithm to WCF?
- Build the soap XML without WCF and use a SignedXML node for the body maybe?
- Is there another way?
Working SOAP (Produced by SoapUI):
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:v1="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Service/V1.1" xmlns:v11="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Namespace/Common/Core/V1.1">
<soap:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-32C491BB4DA90C1EBD165647963666325">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-32C491BB4DA90C1EBD165647963666529" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsa soap v1 v11" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-32C491BB4DA90C1EBD165647963666328">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="v1 v11" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:SignatureValue>
<ds:KeyInfo Id="KI-32C491BB4DA90C1EBD165647963666326">
<wsse:SecurityTokenReference wsu:Id="STR-32C491BB4DA90C1EBD165647963666327">
<wsse:Reference URI="#X509-32C491BB4DA90C1EBD165647963666325" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<wsa:Action>http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsa:Action>
<wsa:From>
<wsa:Address>https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsa:Address>
</wsa:From>
<wsa:MessageID>uuid:84eacffc-0f1b-496a-bd0e-571a5d880aa7</wsa:MessageID>
<wsa:To>http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</wsa:To>
</soap:Header>
<soap:Body wsu:Id="id-32C491BB4DA90C1EBD165647963666328" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<v1:GetCheckResultRequest>
<v11:RequestID>624f95e5-6a96-483f-b0b8-a483c49d7bee</v11:RequestID>
</v1:GetCheckResultRequest>
</soap:Body>
</soap:Envelope>
My binding code:
private Binding GetCustomBinding2()
{
var secBE = SecurityBindingElement.CreateMutualCertificateBindingElement();
/*
var secBE = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
// ERRO00001: XPath expression /*[local-name()='Envelope']/*[local-name()='Body'] not covered by signature
var secBE = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
var secBE = SecurityBindingElement.CreateMutualCertificateBindingElement();
// ERRO00001 *The Verification Type configuration 'asymmetric' does not allow algorithm 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'*
The servive provider wants the signature signed with rsa-sha1
... but his algorithm suite doesn't exist in .NET anymore ??
var secBE = SecurityBindingElement.CreateCertificateSignatureBindingElement();
// Exception: contract only supports the OneWay operation
var secBE = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement();
// ERRO00001: The request could not be accepted because it failed to be authenticated
*/
TextMessageEncodingBindingElement textEncBE = new TextMessageEncodingBindingElement
{
MessageVersion = MessageVersion.Soap12WSAddressingAugust2004,
WriteEncoding = System.Text.Encoding.UTF8
};
HttpsTransportBindingElement httpsBE = new HttpsTransportBindingElement
{
RequireClientCertificate = true
};
var myBinding = new CustomBinding();
myBinding.Elements.Add(secBE);
myBinding.Elements.Add(textEncBE);
myBinding.Elements.Add(httpsBE);
return myBinding;
}
The SOAP produced by my code (which gets error response):
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_4">http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</a:Action>
<a:From u:Id="_5">
<a:Address>https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</a:Address>
</a:From>
<a:MessageID u:Id="_6">urn:uuid:60b141dd-4b5c-4647-ba8d-1fa008f6e0de</a:MessageID>
<ActivityId CorrelationId="b6dcd628-083b-41f3-ae23-99297c462fe0" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">4fc61092-3f74-4eb6-96b7-ec9d5fc9ea15</ActivityId>
<a:ReplyTo u:Id="_7">
<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_8">https://nss-ws-train.acic.gov.au/nss-ws/CheckResultRetrieval</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-25cd3298-de48-48db-9817-e2917bdc6999-2">
<u:Created>2022-07-01T00:38:35.634Z</u:Created>
<u:Expires>2022-07-01T00:43:35.634Z</u:Expires>
</u:Timestamp>
<e:EncryptedKey Id="uuid-25cd3298-de48-48db-9817-e2917bdc6999-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<c:DerivedKeyToken u:Id="_0" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="#uuid-25cd3298-de48-48db-9817-e2917bdc6999-1"></o:Reference>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>
<!-- Removed-->
</c:Nonce>
</c:DerivedKeyToken>
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<Signature Id="_1" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>vbETU40K2domiAcXqpzYTQ437EY=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>PyYM/+DKjoRYkl7vU1lKJPiRuw8=</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>R0gx/VuYg6cr+gLizmfhPDLsoVM=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>mLvPIB+nD1Pb4QgC8rlSiP+qNY4=</DigestValue>
</Reference>
<Reference URI="#_7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>AEOH0t2KYR8mivgqUGDrgMtxgEQ=</DigestValue>
</Reference>
<Reference URI="#_8">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>FWeslFLS8iZvexCL1qCDVK1vgCY=</DigestValue>
</Reference>
<Reference URI="#uuid-25cd3298-de48-48db-9817-e2917bdc6999-2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>zVaxtlzJdEfXOTATlPVnmWy+se4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>wfxV8qPS7PlV4iwNJdcJCbXm4EQ=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>NllOt3h9JKZjTLRAkNz2WDoSAr0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-46c8f1fb-7662-4518-a329-664b8a2fc292-1"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetCheckResultRequest xmlns="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
<RequestID xmlns="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">hello</RequestID>
</GetCheckResultRequest>
</s:Body>
</s:Envelope>
