JAVA web service consumed by WCF CustomBinding client - SAML certificate errors on response - cert not found?

Question

Getting the following exception on a response from a JAVA based service (test harness set up using SOAP UI which I'm testing off).

On the client side I'm using a WCF service with CustomBinding using the following configuration. I'm implementing IClientMessageInspector and IEndpointBehavior on the service client just to edit the SOAP headers on the way out. This is accepted by the server and the correct response is being sent. The WCF service just cant seem to handle it

I don't have any access to the source for the service, just the test harness in SoapUI

//Load the certificate from a file
        X509Certificate2 certificate =
            new X509Certificate2(@"D:\certs.pfx",
                                 "password");

        //Specify the address to be used for the client.
        EndpointAddress address = new EndpointAddress("https://servername:8089/site/ws");

        BasicHttpBinding bTHttpBinding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);                        

        BindingElementCollection bec = bTHttpBinding.CreateBindingElements();
        TransportSecurityBindingElement tsp = bec.Find<TransportSecurityBindingElement>();                        
        HttpsTransportBindingElement httpsBinding = bec.Find<HttpsTransportBindingElement>();            
        TextMessageEncodingBindingElement encoding = bec.Find<TextMessageEncodingBindingElement>();            
        httpsBinding.RequireClientCertificate = true;

        CustomBinding binding = new CustomBinding(tsp, encoding, httpsBinding);                  
        binding.CloseTimeout = TimeSpan.FromMinutes(15);
        binding.OpenTimeout = TimeSpan.FromMinutes(15);
        binding.ReceiveTimeout = TimeSpan.FromMinutes(15);
        binding.SendTimeout = TimeSpan.FromMinutes(15);

        // Create the message inspector
        Saml20Extension extentionBehaviour = new Saml20Extension();

        ClientService.enquiryRequestClient client = new enquiryRequestClient(binding, address);

Exception on reply:

Cannot resolve KeyInfo for unwrapping key: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=test_facility', Serial =        '12342342423')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)
'.

Avenue's I've explored:

• Serial number for the cert is in the format 8F 23 0c 81 whereas the message response has the format 12342342423 - maybe it cant find the certificate in the store? Does it use the issue name AND serial or does it try both seperately in an attempt to find a match?

• negotiateServiceCredential attribute in app.config - I cant seem to set this to off for a CustomBinding set in code - anyone know how to do this?

I'm really stumpted on this one, thinking about just going back to the barre bones and doing the whole thing from scratch.

SSL Certificate errors are being ignored on the client side using the following code

ServicePointManager
.ServerCertificateValidationCallback += 
(sender, cert, chain, sslPolicyErrors) => true;

SOAP RESPONSE (Encrypted)

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <SOAP-ENV:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <xenc:EncryptedKey Id="EncKeyId-882E1CD1112C4D3FD61335190122478230">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=test_vendor</ds:X509IssuerName>
                <ds:X509SerialNumber>1328712805</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>Fp63Batmb8JJL/+6l9atqi4hrWCshmhcOlqRFtblVkNIcJH1f1YV4Koh23uZ5OB2nPuq4px16LUQVTv5ZbSnYQfuO9MklSofFX/B1944bd7VBIcy+WyfYOoVSy7kKy80DY8wzUBNtOC0tWwM2vVPuIYRs16ijuF23KtBx1T89Kc=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncDataId-138"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-882E1CD1112C4D3FD61335190122465226" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIBpzCCARCgAwIBAgIETzKMfzANBgkqhkiG9w0BAQUFADAYMRYwFAYDVQQDDA10ZXN0X2ZhY2lsaXR5MB4XDTEyMDIwODE0NTM1MVoXDTE3MDIwODE0NTM1MVowGDEWMBQGA1UEAwwNdGVzdF9mYWNpbGl0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvzdwlxcpwRKGzLvpqYoS4NEbhbx/jV6Z6kyXgJ0IWLZAW20oWmxPwumsqkKr6bWX2NWbGrka6w1e9+iZFBKiBq5zzxJKusCJQtPjuYwjaTGjVTFnixHp9sKnjIEprKyarceG00WzCVdtuI1NpNp8dgemzA6FFt1ESwwELq+rKvECAwEAATANBgkqhkiG9w0BAQUFAAOBgQAokX6HZhhEj7Bfo0Z8ZeoZeYFB8pHrN5A6927cJx17EXWVv0Mwn/+fDgTAhtsN9DB68CFNejox8mM0+KewjsgT4z80YxMHGlpM13z4c8+iMiQcJ7cISScTBaTONOtDqK1WNtci8biNjnLn7+4Z4fw17jlttN0dPHC3fvGywh6TkQ==</wsse:BinarySecurityToken>
      <ds:Signature Id="Signature-136" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-137">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>fWmhVWpkcFWreSSpA4DaLWBc6kE=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>GmPo9AIJLCrmR7+FIlsYnSCJPZIw5ls3kdSG4/Zv9AwL0eono9XV6cdmXfoHEmhyd3zaF583g14aAtGpJbErKZZ96nNKnjiB0gchghZY7gBDabv94aUJw2q7BehADvFatdgYab/cOp9ONT6yOl4nZ1gzDaAxVh7NvMLoH1EYmiY=</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-882E1CD1112C4D3FD61335190122465227">
          <wsse:SecurityTokenReference wsu:Id="STRId-882E1CD1112C4D3FD61335190122465228" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Reference URI="#CertId-882E1CD1112C4D3FD61335190122465226" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
    <saml:Assertion ID="_54d0c8395de26c3e44730df2c9e8d3e9" IssueInstant="2012-02-17T10:40:36.806Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Issuer>CN=test_facility</saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#_54d0c8395de26c3e44730df2c9e8d3e9">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>/nNfJuKr83umcry7vguJkSWyfKs=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>pVBcgvqr1Ndms5sZXV5cupiC3ADd7kycuEaETuCLzpcJLmGaTsP5NkfCfyIuvYBZe3MjfnOQ81AquFYljw5SPYd8nItqss/9zOzJeZ0aL/bJxfovNBb4cv92nghncXA2MGTWWdH63+FkajlE7x/U81QkCdVBXJRVVXNsR0dMxAY=</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>
              MIIBpzCCARCgAwIBAgIETzKMfzANBgkqhkiG9w0BAQUFADAYMRYwFAYDVQQDDA10ZXN0X2ZhY2ls
              aXR5MB4XDTEyMDIwODE0NTM1MVoXDTE3MDIwODE0NTM1MVowGDEWMBQGA1UEAwwNdGVzdF9mYWNp
              bGl0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvzdwlxcpwRKGzLvpqYoS4NEbhbx/jV6Z
              6kyXgJ0IWLZAW20oWmxPwumsqkKr6bWX2NWbGrka6w1e9+iZFBKiBq5zzxJKusCJQtPjuYwjaTGj
              VTFnixHp9sKnjIEprKyarceG00WzCVdtuI1NpNp8dgemzA6FFt1ESwwELq+rKvECAwEAATANBgkq
              hkiG9w0BAQUFAAOBgQAokX6HZhhEj7Bfo0Z8ZeoZeYFB8pHrN5A6927cJx17EXWVv0Mwn/+fDgTA
              htsN9DB68CFNejox8mM0+KewjsgT4z80YxMHGlpM13z4c8+iMiQcJ7cISScTBaTONOtDqK1WNtci
              8biNjnLn7+4Z4fw17jlttN0dPHC3fvGywh6TkQ==
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">joe.bloggs@facility.ie</saml:NameID>
      </saml:Subject>
      <saml:Conditions NotBefore="2012-02-17T10:40:21.806Z" NotOnOrAfter="2012-02-17T10:41:06.806Z"/>
    </saml:Assertion>
    <wsa:Action SOAP-ENV:mustUnderstand="1">http://www.xxx.xx/xxxxxxxx/xxxxxxx</wsa:Action>
    <wsa:MessageID SOAP-ENV:mustUnderstand="1">uuid:7700f066-e7d7-4b1e-ab23-11171d9201bd</wsa:MessageID>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="id-137" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="EncDataId-138" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#EncKeyId-882E1CD1112C4D3FD61335190122478230"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>
          ue42jSONk/kqp2MtxZbyn95RGTrwKd1jd61vo2O/IegbMZhIvWexQBnKthau0YE5Zwk/oKuJcOMM
          FkK8I165NXhxHjQAKs08USF3U1nwB4ApkPIroNcEWRqKJ1gK7lNrS4OeTVyK1HUWsTRRYHp4UUgb
          CJhOLa+ug74Fm5vj9/zL6Oqezr3TL9Oi5WdU9cweGmOfJ++zcqmcjTyewirVqT4VKZoGCvpRgGVR
          I/7St77lG/2yYMjCboejJbT8Ip2XiLL6ItMA/p+iyePMg4JyvR8v8/0fxF2rkLe2vamEEAab0+l1
          f9pANCCjvCj7giSUhIeLT0QVVa65Y9GzHOMTBxdQAMp6zlSWlpq7EaM1xQNq5cjKENQ3f6gKKBFu
          tZxBqDnRl9+XrD0DcBsVAyqv5d1uLSWIi2Mm9DiF23efGuCYAR2EGu1g81rRdU5Tk4KUMa4QUla5
          p+8jtGmtl2ktMr+3/8lwRqgMzqBKTiMFhHQhHQZe5FnKT/7JvycAKmx4LADOo1i2emc8s7NtsZlO
          OQqRovS2VP1A4uUYMFgAIsT2rLauVxKCZFDjFxLKKhyJLdmSzOophaL9Vr+FAzC7rA0t6J8prNdu
          mnwoYK9Hqly1RR7N9wgTN3TX2FHSlGgHcoJHZB2wBEoFHevQ+N9WNvcaE2w7Z02QdNRUBQBwn/2g
          pLDXf+8+2hNdMMe0xclmvfH1CSaHLuH1HPWJPMsNzNzAC4fFIkqy2XEUcMlQY+AT+fa+r/kqQHog
          L+B39IJtp7BZ811cwNZlbuw3LpE1IntArWjtxyvahJIeEsiKW9UGUIbLiNxtevpsKTlqV+kiY3qn
          acNRQYDQZuNZUka1jyN2pel6/3cdAlHF86bXO0dDX4jL3FXqp5QsoZcMnFu/wsD0dxg4BblsrxbA
          Cn4+LxXFzKR6sHbQXqUm7ROhvkIJRNPe1Bw49LARnTkdG8tMgQ9dYtMAvvZk8OPZnIaTyjwQu7DE
          MARmOKt7Bj/YvTHCH91hc2BzYBEn5vJPcmL705B6Vc0Zn2O+jB+MK87gR7Z4iSNJgvanEZ4897pZ
          YN5WYpf800y2GUYn2y46pwFF
        </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Answer 1

please publish the full soap envelope.

I would guess WCF message security tries to parse the response. The thing is I'm not sure you want it - as I understand you have your own mechanism to parse the saml.

In this case you do not need the TransportSecurityBindingElement, the https is enough.

Answer 2

What kind of cert you are using? Self signed? Is it deployed in trusted CA repo on wcf host OS?