I am trying to consume a Java SOAP service with WCF in .NET. Although I can send a request to the web service and I get a response, my code throws the following exception with every response:
System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party.
After investigating the issue, it turns out that with my configuration, the SOAP headers in the request are signed as well as the body, but they are not signed in the response. It seems I should tell WCF that the headers shouldn't be signed, but I have not been able to accomplish this. Any help would be appreciated.
Here is the binding that I use:
var binding = new CustomBinding();
var initiator = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
var recipient = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never);
var securityBindingElement = new AsymmetricSecurityBindingElement(initiator, recipient);
securityBindingElement.IncludeTimestamp = false;
securityBindingElement.EnableUnsecuredResponse = true;
binding.Elements.Add(securityBindingElement);
var textMessageEncoding = new TextMessageEncodingBindingElement
{
    MessageVersion = MessageVersion.Soap11WSAddressing10,
    WriteEncoding = Encoding.UTF8
};
binding.Elements.Add(textMessageEncoding);
var transportBindingElement = new HttpsTransportBindingElement
{
    UseDefaultWebProxy = true,
    RequireClientCertificate = true
};
binding.Elements.Add(transportBindingElement);
return binding;
This is the request I am sending:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_3">urn:etoegang:1.9:bsn-koppelregister:DeassociateBSNRequest</a:Action>
<a:MessageID u:Id="_4">urn:uuid:258bd34d-a1ed-42c8-8bf0-039256b55cb6</a:MessageID>
<ActivityId CorrelationId="8c6addd4-7cde-4afd-a112-0634180beabb" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">067c1704-3428-4891-a0d8-54ca0960e356</ActivityId>
<a:ReplyTo u:Id="_5">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_6">https://simulator.eherkenning.nl/kr-simulator-1.9/services/BSNKRAssociation</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wA5kpZvDRk+cc5Y5QJa4/ZkbvnI=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>AtLNdwQtOpB+939+mECbmToeIpI=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>08OvHoskB2j9qq0IjG6oOG+yziw=</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>k69pykploFPkXhw5ogDHcjcJUI0=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>DGryA9qhfi+NZyoILEH/V94d0ho=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- REMOVED --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName><!-- REMOVED --></X509IssuerName>
<X509SerialNumber><!-- REMOVED --></X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<!-- REMOVED -->
</s:Body>
</s:Envelope>
And this is the response I am getting:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-9f731bee-4c9d-4077-9be7-3ff5e2859d03">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-1e140697-4c68-4117-90d6-daf8758ab99a">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Uwk+AbgFqCSZT6M+4D3deIgwBeMi0EOOXN8bJTFWIG4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue><!-- REMOVED --></ds:SignatureValue>
<ds:KeyInfo Id="KI-013c2040-dc4d-4ae9-bf6a-cbaa9f144e90">
<wsse:SecurityTokenReference wsu:Id="STR-4eb51680-c51f-4fa8-b33a-8a10531dd830">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName><!-- REMOVED --></ds:X509IssuerName>
<ds:X509SerialNumber><!-- REMOVED --></ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<Action xmlns="http://www.w3.org/2005/08/addressing">urn:etoegang:1.9:bsn-koppelregister:BSNKR_Association_Port:BSNKR_DeassociateBSN:Fault:DeassociateBSNFault</Action>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:fdc4f1b4-9e35-459a-ad45-e05fb6fc83c8</MessageID>
<To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
<RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:258bd34d-a1ed-42c8-8bf0-039256b55cb6</RelatesTo>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1e140697-4c68-4117-90d6-daf8758ab99a">
<!-- REMOVED -->
</soap:Body>
</soap:Envelope>
I've solved it by not using WCF but by generating the SOAP messages myself and implementing the signing specific to my needs.
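The signature-coverage mismatch described in the question (request signs the body and the addressing headers, response signs only the body) can be confirmed on captured messages by mapping each ds:Reference URI to the element that carries the matching wsu:Id. This is an added example, not code from the original posts; `signature_coverage` and `_refs` are hypothetical names, and the two envelopes are constructed, trimmed copies of the messages above.

```python
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
A = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BODY_ID = "id-1e140697-4c68-4117-90d6-daf8758ab99a"  # Body id from the response above

def signature_coverage(envelope_xml):
    """Split top-level SOAP headers and the Body into (signed, unsigned) by
    whether a ds:Reference points at their wsu:Id. Only reports what is
    referenced; it does not validate digests or the signature value."""
    root = ET.fromstring(envelope_xml)
    uris = (r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference"))
    referenced = {u[1:] for u in uris if u.startswith("#")}
    header = root.find(f"{{{S}}}Header")
    # The wsse:Security header holds the signature itself, so it is skipped.
    parts = [] if header is None else [h for h in header if h.tag != f"{{{WSSE}}}Security"]
    body = root.find(f"{{{S}}}Body")
    if body is not None:
        parts.append(body)
    signed, unsigned = [], []
    for el in parts:
        el_id = el.get(f"{{{WSU}}}Id")
        name = el.tag.rsplit("}", 1)[-1]
        (signed if el_id in referenced else unsigned).append(name)
    return signed, unsigned

def _refs(ids):
    # Constructed, trimmed wsse:Security header carrying only the Reference URIs.
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in ids)
    return (f'<o:Security xmlns:o="{WSSE}"><ds:Signature xmlns:ds="{DS}">'
            f'<ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature></o:Security>')

# Constructed, trimmed copies of the two messages in the question.
REQUEST = (f'<s:Envelope xmlns:s="{S}" xmlns:a="{A}" xmlns:u="{WSU}"><s:Header>'
           '<a:Action u:Id="_3"/><a:MessageID u:Id="_4"/>'
           '<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics"/>'
           '<a:ReplyTo u:Id="_5"/><a:To u:Id="_6"/>'
           f'{_refs(["_2", "_3", "_4", "_5", "_6"])}</s:Header><s:Body u:Id="_2"/></s:Envelope>')
RESPONSE = (f'<s:Envelope xmlns:s="{S}" xmlns:a="{A}" xmlns:u="{WSU}"><s:Header>'
            f'{_refs([BODY_ID])}<a:Action/><a:MessageID/><a:To/><a:RelatesTo/>'
            f'</s:Header><s:Body u:Id="{BODY_ID}"/></s:Envelope>')

if __name__ == "__main__":
    for label, msg in (("request", REQUEST), ("response", RESPONSE)):
        print(label, signature_coverage(msg))
```

In the response, Action, MessageID, To and RelatesTo all land in the unsigned list, so those values carry no integrity protection from the message signature and only the body does.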