Home/ Questions/Q 8798543
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T00:07:17+00:00

I have a wcf client where I am required to use both certificate and

  • 0

I have a wcf client where I am required to use both certificate and username security.

Within the header signature that I output, two reference elements exist. One maps (via URI) to the UsernameToken and my understanding is that the other reference element should map to the SecurityTokenReference, but it isn’t.

The security section of my outgoing soap header is as follows

<o:UsernameToken u:Id="uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1"     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <o:Username>xxxxxxx</o:Username>
 <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-    profile-1.0#PasswordText">xxxxxxx</o:Password>
</o:UsernameToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="#_1">
   <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>FNjRLXvhojvaLY/4MhdtsK1cicE=</DigestValue>
  </Reference>
  <Reference URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-1">
   <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>ZhCGi22F57ASm5YGVjLxe/s5wyY=</DigestValue>
  </Reference>
 </SignedInfo>
 <SignatureValue>CvxcSSur/epImkRyDh8AywiE3E6GabKzhQhGm/ISpHroWFEryIgpFCStZpGdvt6/QxXskgIiP39eQQILRm1CsTFBZkzP+mb1ktis2OlyiGOFfVNnOXVseOktMGt1WpeNlssFNk0prP9gy5EU3lWwxENvHFy8/IZZWCR8A4Cm+yA=</SignatureValue>
 <KeyInfo>
  <o:SecurityTokenReference>
   <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3"/>
  </o:SecurityTokenReference>
 </KeyInfo>
</Signature>

You can see that one Reference URI maps to the Id of the UsernameToken, but the other Reference URI is #_1 when I am expecting it to be #uuid-89f26492-f6ad-4e9d-9106-03ae8dfd6774-3 (the URI of the SecurityTokenReference)

My code to create the custom binding is as follows

    private System.ServiceModel.Channels.Binding GetBinding()
    {
        System.ServiceModel.Channels.AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement();
        asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        asbe.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
        asbe.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters();
        asbe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
        asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
        asbe.IncludeTimestamp = false;
        asbe.SetKeyDerivation(false);
        asbe.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15;

        asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());

        CustomBinding myBinding = new CustomBinding();
        myBinding.Elements.Add(asbe);
        myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));

        HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
        httpsBindingElement.RequireClientCertificate = true;
        myBinding.Elements.Add(httpsBindingElement);

        return myBinding;
    }

Does anyone know what config setting(s) I need to change to get the reference sucessfully mapping to the SecurityToken?

Just a note that this question is really a sub question of my main issue which I’ve detailed at How to make WCF Client conform to specific WS-Security – sign UsernameToken and SecurityTokenReference. It looks like signing the certificate is not something that can be done via ootb config or property settings, so the answer may lie in writing the signature block manually. This is what I’m looking at next.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Finally solved the issue which I’ve posted on the related question – How to make WCF Client conform to specific WS-Security – sign UsernameToken and SecurityTokenReference

    • 0