I am trying to get a WCF service configured with message security (no transport security) such that it can communicate with Java clients. I have been using SoapUI to test, and have overcome numerous hurdles. Now, WCF seems to be authenticating the message, but it is routing it to the operation without decrypting it. I am getting the following internal exception:
System.Runtime.Serialization.SerializationException
OperationFormatter encountered an invalid Message body. Expected to find node type ‘Element’ with name ‘SaySomething’ and namespace ‘http://ecollege.com/securityspike/‘. Found node type ‘Element’ with name ‘xenc:EncryptedData’ and namespace ‘http://www.w3.org/2001/04/xmlenc#‘
I have tried everything and read everything I can, and I have found nothing similar, nor found any solution. I am hoping someone might know what the deal is and be able to help me out. Below is my WCF service configuration and SoapUI message:
WCF Service Custom Binding Configuration
<customBinding>
<binding name="custom">
<security
defaultAlgorithmSuite="Basic128Rsa15"
authenticationMode="MutualCertificate"
securityHeaderLayout="Lax"
includeTimestamp="false"
keyEntropyMode="ClientEntropy"
messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSignatureConfirmation="false"
requireSecurityContextCancellation="false"
allowSerializedSigningTokenOnReply="true">
<localServiceSettings detectReplays="false" />
</security>
<textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
<httpTransport />
</binding>
</customBinding>
SoapUI Original Message
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://ecollege.com/securityspike/">
<soapenv:Header/>
<soapenv:Body>
<sec:SaySomething>
<sec:message>
<sec:Message>Hello from SoapUI!</sec:Message>
</sec:message>
</sec:SaySomething>
</soapenv:Body>
</soapenv:Envelope>
SoapUI Secured Message
<soapenv:Envelope xmlns:sec="http://ecollege.com/securityspike/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-E4A1994D222819B9E91267220999421261" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIB9DCCAWGgAwIBAgIQCdc8f7wHY5NIPPv+42iHmzAJBgUrDgMCHQUAMBUxEzARBgNVBAMTClJvb3RDQVRlc3QwHhcNMTAwMjI1MTcyMzM1WhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw13Y2ZDbGllbnRDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw8RJdTARFL+1bbFptcYkIsuBCiJam9rBR14CBKxlvsAVI70F63aDUctYxGKhJgpTOGZyqtVtgawoFf/oPVGSm7yRDR5XcuhqwoQ7IMHxAVKLyNaiE/ZtYb3RTcIC7y1JS2n/DHKu+KK4T2FVhBEZYVhOYP/u4SOvGK6X6uahy4wIDAQABo0owSDBGBgNVHQEEPzA9gBDhcQFxXO88N5H8wWmVu2LGoRcwFTETMBEGA1UEAxMKUm9vdENBVGVzdIIQSgymJZg5k5xJ3Qs97Rs+fTAJBgUrDgMCHQUAA4GBAFumlUh7/DKBwWHvqgcGUFIMx/VtbvlEfyKMIIrdce1I7dPON4+TRf+kho1nf7zbxrioN0s3RfNapiFPkiBndGbyQjoojfq2PRttcbBXgyyaDg3s6Yg95r4ytMn4G9wDICdiW42RKReCZA1PJA55DWtFqWNrUgnDq/uTttHQdOB+</wsse:BinarySecurityToken>
<ds:Signature Id="Signature-125" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-126">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>TY3WWW+3MjAXCj70Ao8g4owVfwc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>sJS23J31T+EiH9ZcpOBWm9VZDgINsBLWncC9q+Qzhqab/KIY3/hs+Xn2oD6JKPo3/mOIqZ/ZMDMj
KSUKRghYbsGYrUl4Z/37hbmg5ZLaA/XxLMy8cmfXi2FhgebTwFX2Zm3nptCELFaMqcufEV9KBDtv
98/2H4K63ZJa39YW9Tk=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-E4A1994D222819B9E91267220999421262">
<wsse:SecurityTokenReference wsu:Id="STRId-E4A1994D222819B9E91267220999422263" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Reference URI="#CertId-E4A1994D222819B9E91267220999421261" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<xenc:EncryptedKey Id="EncKeyId-E4A1994D222819B9E91267220999410260">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=RootCATest</ds:X509IssuerName>
<ds:X509SerialNumber>-146698624100943020459804947660733868602</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>og/+4qWGOAZ8jlk2VZeTGP5++lF0aAyaqFSeuIGrGyblklIWf+lkmHydFK2j4ade7tpeiBKHxtcxPR87OpK3pCyStpN36pdqHOdDsy/pozrc7b6zn9IrwXC/WjhIXVQiPZZfpHk0B75ByJq+2laIVbqpeYmGQLaj3ocl/AooGdQ=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-124"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-126" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="EncDataId-124" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#EncKeyId-E4A1994D222819B9E91267220999410260"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>2v9lbteE7Vh5zbw0yZHxX9srTRh6N/uOxsCnjY1/ShDQvExCDcuVCfgfpXxdbCWRHcH1QTIJ9Wv1
vG17WA1c7AdnVZfyAmGsXYNn2ZhIq3dQeUKbgDnhfT16NOPeXUtdd+EUb5p+Iw1JrktXmKK+jpX6
7Kp/Wv1vaxN9xfZfygqBrdgrjJYyihlQoKI0UEpc3QoKW6Zwp3hJcf52gLJwBb2Sxcc8Nnnr83GM
15SGv9rEIpYzJKvebwiha1/bby+mULEvlNrtsER7GyjG94Eu+0BjsPPYMwt4E6iV0umMuZF8Su8o
MWYXby+aaUs4QOGsWJSAJWrICIWfZDM/VjOj76OAzc3vKL/lLNJskQ5XYdOWzjYz5v6qZ5C4mTV7
ZNWM3cnLe40CtguuzYHooPyjpcE9MEsP5oVm4ns2dVZvsaF/lYxQZHsRDRNxkEC19pkK</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>
WCF Secured Message
<s:Envelope
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security
s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken
u:Id="uuid-1aa5b3d3-f82a-4de3-a8cf-3c36d2042a9a-5"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>MIIB9DCCAWGgAwIBAgIQCdc8f7wHY5NIPPv+42iHmzAJBgUrDgMCHQUAMBUxEzARBgNVBAMTClJv
b3RDQVRlc3QwHhcNMTAwMjI1MTcyMzM1WhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw13Y2ZD
bGllbnRDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw8RJdTARFL+1bbFptcYkIsuBC
iJam9rBR14CBKxlvsAVI70F63aDUctYxGKhJgpTOGZyqtVtgawoFf/oPVGSm7yRDR5XcuhqwoQ7I
MHxAVKLyNaiE/ZtYb3RTcIC7y1JS2n/DHKu+KK4T2FVhBEZYVhOYP/u4SOvGK6X6uahy4wIDAQAB
o0owSDBGBgNVHQEEPzA9gBDhcQFxXO88N5H8wWmVu2LGoRcwFTETMBEGA1UEAxMKUm9vdENBVGVz
dIIQSgymJZg5k5xJ3Qs97Rs+fTAJBgUrDgMCHQUAA4GBAFumlUh7/DKBwWHvqgcGUFIMx/VtbvlE
fyKMIIrdce1I7dPON4+TRf+kho1nf7zbxrioN0s3RfNapiFPkiBndGbyQjoojfq2PRttcbBXgyya
Dg3s6Yg95r4ytMn4G9wDICdiW42RKReCZA1PJA55DWtFqWNrUgnDq/uTttHQdOB+</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=RootCATest</X509IssuerName>
<X509SerialNumber>-146698624100943020459804947660733868602</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>EX2mPLI7VpedG2WVzmBiYje+z/WppWsYO6Pg4/WwlQRv2rLaFmgF4cg8yn55dVyFStr9Me6jjq4s
+VS5s0t+IGVjCm17gCREC4r07FUTPFKtB5JR8lfcRFKriCMCkwnr4DLxzVKa/h9Mw+4DK4+mMkX+
lAO985cluGKhbmuWYhM=</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"/>
</e:ReferenceList>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>r01NIZbDYv/a/od4dKmN2VF54NY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>h/uzND4eoH5WOguIzwO9YurD2fEF0NBH9Bl5ipFjZaffyi+z2m2fYngujtcoxh8a6YPyMW3Us0Q0
//i79GEnkxCq0mBPbLJvLvtXFAuJpFZ9oOEKRqJ5Uqh8je6um0KJCiSFn74xy23OEG6fRbUJZkJP
IH8KnGhzqR1UGXkI49E=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
URI="#uuid-1aa5b3d3-f82a-4de3-a8cf-3c36d2042a9a-5"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1">
<e:EncryptedData Id="_2"
Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<e:CipherData>
<e:CipherValue>2VwP5Qcdyff6awcskzwtLktVQOB2UKFOFmFExNUJa0kJbT1gH1MzoIthuNx7bUHmAqGpnmrs6b2t
f4zpkZv8mZ8L41WBkrg2LGLCeBpXtmudpOdQ9KaEIXqXlRHUI6OutrsCKRWDTRlMD+Y2m0fM8sxF
5mp7lsGJUVzbpLcb4hduKI2RVkylxRMpqIgcDR4vj72ew52QMtrNdH5QZsouyBDeE2fc+imGKK9K
UcLlQbZRzLkv9oYzHicewaWnOeGr4dhkdn6eBropbK0gqxoxng==</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
To provide an answer for this question. As it turned out, I had the
messageProtectionOrdersetting configured incorrectly. The ultimate goal was to sign the message contents, then encrypt. SoapUI, as well as our business partner, were signing then encrypting the message, but since WCF was configured to encrypt (or decrypt) first then sign, it was unable to properly process secured messages usingSignBeforeEncrypt.Matching the WCF configuration to the SoapUI/Business Partner configuration resolved this issue.