I trying to connect to a Java Service with some special security requirements
It should go through https, use username Authentication and the body should be signed using a digital certificate.
The message should look like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.pines.colpatria.com/">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-12" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">CleartextPassword</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">47uxAPDBQ9+08VQwMKpwBw==</wsse:Nonce>
<wsu:Created>2012-04-02T16:44:56.652Z</wsu:Created>
</wsse:UsernameToken>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-5B113CBB86C1CDE6BA133338509660810" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIGRzCCBS+gAwIBAgIQEKUzpntcNVROheEPzOI11zANBgkqhkiG9w0BAQUFADCCAU8xcjBwBgNVBAkTaUNSIDcgTiAyNi0yMCBQIDE4IC0gaHR0cDovL3d3dy5jZXJ0aWNhbWFyYS5jb20gLSBURUxTIDU3LTEtNzQ0MjcyNyA1Ny0wMTgwMDAxODE1MzEgLSBpbmZvQGNlcnRpY2FtYXJhLmNvbTEPMA0GA1UEBxMGQk9HT1RBMRkwFwYDVQQIExBESVNUUklUTyBDQVBJVEFMMQswCQYDVQQGEwJDTzErMCkGA1UECxMiQ0VSVElDQU1BUkEgUy5BLiAtIE5JVCA4MzAwODQ0MzMgNzFFMEMGA1UEChM8Q0VSVElDQU1BUkEgUy5BLiAtIFNPQ0lFREFEIENBTUVSQUwgREUgQ0VSVElGSUNBQ0lPTiBESUdJVEFMMSwwKgYDVQQDEyNBQyBJTlRFUk1FRElBIERFTU8gQ0VSVElDQU1BUkEgUy5BLjAeFw0xMTA5MzAxNTMyMzFaFw0xMjA5MzAxNTMyMzFaMIHDMQswCQYDVQQGEwJDTzEPMA0GA1UEBxMGQk9HT1RBMSAwHgYDVQQKExdPTElNUElBIE1BTkFHRU1FTlQgUy5BLjEgMB4GA1UEAxMXT0xJTVBJQSBNQU5BR0VNRU5UIFMuQS4xLDAqBgkqhkiG9w0BCQEWHXNvcG9ydGVAb2xpbXBpYW1hbmFnZW1lbnQuY29tMRowGAYKKwYBBAGBtWMCAxMKOTAwMDMyNzc0NDEVMBMGA1UECBMMQ1VORElOQU1BUkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApOZhKSdfp1rVBXoahaTyXcOlUfRy6aYYuX4YNhkt0vYWxXFfsLTYSZOVTKZnUvklNEGBV70nzyqN8ZSXy3/jJ1yp965wRjcLHEFHwR42ABe1PK3fQMwsdqlpWkWWz0Pg02VwpHbLwcmDR41YTlnHCmPXzokVrT5YeteKViaWsrhUS4OvSajD7Y9aQ17uHoQusxjtBapA2wF551wMViICfYWqCamcYZRwGb1AlnuAF7vbRNveThy8mgvhHKiLaK13PxvaoOFusc8/429Dxdj1HMwt00g9MY1Nr24YtwHtJn+kVY8ocnghe4kVsAlnJ2Y0evHAPozRaFLFxY2E2dy6dwIDAQABo4IBpjCCAaIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA/gwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDATARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0OBBYEFGVAMg3XiBrJPcjeOgXcA+6cGHHZMB8GA1UdIwQYMBaAFEM61wg0nEqdr0ZKhe9fFWthjbtoMIGQBgNVHSAEgYgwgYUwgYIGCysGAQQBgbVjMgFQMHMwKwYIKwYBBQUHAgEWH2h0dHA6Ly93d3cuY2VydGljYW1hcmEuY29tL2RwYy8wRAYIKwYBBQUHAgIwOBo2Q2VydGlmaWNhZG8gZW1pdGlkbyBwb3IgbGEgQ0EgRGVtbyBkZSBDZXJ0aWNhbWFyYSBTLkEuMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3BkZW1vLmNlcnRpY2FtYXJhLmNvbTA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vd3d3LmNlcnRpY2FtYXJhLmNvbS9jYWRlbW8uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCVcPRROZHgjjMzY1rM/gTK0cjN0CcO4KLht/nNPFUGIlVXDy21zhy2qOe2xF/IFnvU1vdVIaBzKdamILamfHrpYgsIZS5qqUJayI0E9Y+6cKHVTBgKOS1Yj0u7v2BP5wx+43d4wr2EuAsiQgClSQjrG3HP4rx7vnl8e6vn7uiEGzDJD1H0wQXHpYIWJGaLgn6B1xnFNZEbH4PxlpIsTU+/0Y+Y/GHab8tVDGv18AxtGXTkasuRuoYa/oA8mJI/BpfHYTpoS07euKYqhj1ujbTc6Y5dCGxiYEub4xhRMjJBxTEfsDYqJKsYYGyrWMXcncpNwQHWNDj6OOwKvspC3jg2</wsse:BinarySecurityToken>
<ds:Signature Id="Signature-10" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-11">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>UQDWhRGwU6vhHsggA7k3IGEpShM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
lDfT2Rol8AEjTq654f36HK7TwlEYJFMw/Q8PXRvoW12aLHdZkB9mndVTJvdsTdoW4C51qyjjsD0I
xHaCtHgpbpnEe9vihLJuQs4tDkS1t/IjPeMdsgi2P3VxcKyeEJRc37TX+IX5jR42GrAXZGZ5GwSa
rEpbpuWQSFhbJBQWRAInDbIpIkKV4jmiSbHHpeiI9Uvv8u6ZNXEx5vuoeia5AYtnCFtxkTcg0ukJ
EZabIPiNIybYFnqBwFcPiIajfnAGl2QSm6Mdz9aiD4tVHXKGaySjY6/IoIomQ0lVMZzW/F3ZA8GA
yvkZq4223hxCGcffvsAPePecFwun+QwcA9MR1Q==
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-5B113CBB86C1CDE6BA133338509660911">
<wsse:SecurityTokenReference wsu:Id="STRId-5B113CBB86C1CDE6BA133338509660912" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Reference URI="#CertId-5B113CBB86C1CDE6BA133338509660810" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
<wsa:Action>http://myserveraddress/service/execCommandRequest</wsa:Action>
<wsa:MessageID>uuid:948a7f98-42f2-422a-9b0f-07e74c6a7ce7</wsa:MessageID>
<wsa:To>https://myserveraddress/service</wsa:To>
</soapenv:Header>
<soapenv:Body wsu:Id="id-11" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<web:execCommand>
<arg0>1</arg0>
<!--Optional:-->
<arg1>1</arg1>
</web:execCommand>
</soapenv:Body>
</soapenv:Envelope>
I had tested succesfully the service using SoapUI, but I need to make a .NET client using WCF, but I don’t know how to do this.
I’ve been trying using the following binding, but it creates correctly the username token (although it doesnt create the nonce or the created element but that’s not a problem) but it doesn’t sign the body
<basicHttpBinding>
<binding name="PinesPortBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
How can i programatically sign the body using a certificate, and validate the signature of the response?
Is there anyother way to do it?
You can do it but you need to create the binding from code.
This sample is not exactly what you need – but it shows you how to create a binding from code and define it to use certificate and a username token. You also need to set ProtectionLevel.Sign on your contracts. Also the username token format you need contains nonce and timestamp which WCF does not emit by default. I think it might work anyway so for now leave this.
Here is the code and again you may need to customize it.