Log OUTPUT
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
FINE: Reference[#uuid-26810b23-330b-49c0-af30-59c2a8211341-1] is valid: true
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMReference dereference
FINE: URIDereferencer class name: org.jcp.xml.dsig.internal.dom.DOMURIDereferencer
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMReference dereference
FINE: Data class name: org.jcp.xml.dsig.internal.dom.ApacheNodeSetData
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform
FINE: Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.ApacheCanonicalizer transform
FINE: ApacheData = true
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMReference validate
FINE: Expected digest: q9/MlLVrhvl21tGGmxuBVh1V4Mc=
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMReference validate
FINE: Actual digest: bFCOsfjajqOmn3mWNcMw+HRtyPM=
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
**FINE: Reference[#e23c17af-c76f-4aaf-bc28-33c5261a253d] is valid: false
25/05/2012 2:08:57 PM org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
FINE: Couldn't validate the References**
org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:393)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:188)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:203)
at au.gov.mca.uhi.security.dsig.XWSSDigitalSignatureProcessorTest.testVerifyWithWSS4J(XWSSDigitalSignatureProcessorTest.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:31)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:44)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:180)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:41)
at org.junit.runners.ParentRunner$1.evaluate(ParentRunner.java:173)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:31)
at org.junit.runners.ParentRunner.run(ParentRunner.java:220)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:45)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
SOAP Security Token
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <u:Timestamp u:Id="uuid-26810b23-330b-49c0-af30-59c2a8211341-1"> <u:Created>2012-05-25T03:58:21.289Z</u:Created> <u:Expires>2012-05-25T04:03:21.289Z</u:Expires> </u:Timestamp> <o:BinarySecurityToken u:Id="uuid-bf155ac7-0ca3-459f-acb5-d8acf3a882d4-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIF1zCCBL+gAwIBAgIDBHONMA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAkFVMQwwCgYDVQQKEwNHT1YxGzAZBgNVBAsTEk1lZGljYXJlIEF1c3RyYWxpYTFFMEMGA1UEAxM8VGVzdCBNZWRpY2FyZSBBdXN0cmFsaWEgT3JnYW5pc2F0aW9uIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTExMDkyMDA2MzkwMFoXDTE2MDgxNDA1NDMwOFowgZExCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNBQ1QxFDASBgNVBAcTC1RVR0dFUkFOT05HMRowGAYDVQQKExFUZXN0IExvY2F0aW9uIDAyNzEaMBgGA1UECxMRVGVzdCBMb2NhdGlvbiAwMjcxJjAkBgNVBAMTHVRlc3QgTG9jYXRpb24gMDI3IDo1NjU3MDUwMDkxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzEdwMFSGslbPo9jTWar8g1pEf+Y3/ppErJUyr92JYqWlIxIU2iHpsx/xKi8wiPgn6ZDrWmULqXaI7xTwjBlaYvBuz7CJ3rfXXk74Fx4VnoGBqxnMiE4ineaxEcOsaL6C/BJnrSEwVJ8PWt1nMguQcmfJhsOV9FWCcGz7FpL4tGkXIa4TG1IEOxgyYPYUH0glcUzAaBd+PGOw9PRts/cW7NugQ7BRP7Q3tNO/T9c2E+2TDaDGUAAhtBHZp1YNTGHSUaBk9LtRWBFt7l/V5amd992tyNci4sy0woyYqcHSbdNBYJGEjs5ZoQUtnLqR37hjHxvp+FBAvh/VKSg36RzQ/wIDAQABo4ICRzCCAkMwDAYDVR0TAQH/BAIwADAwBgNVHREEKTAngSV0ZXN0LmxvY2F0aW9uMDI3QGh1bWFuc2VydmljZXMuZ292LmF1ME8GCCsGAQUFBwEBBEMwQTA/BggrBgEFBQcwAYYzaHR0cDovL29jc3AuY2VydGlmaWNhdGVzLWF1c3RyYWxpYS5jb20uYXUvbWFvY2EucGt4MIIBIQYDVR0gBIIBGDCCARQwggEQBgoqJNL+gHcBBgECMIIBADCBywYIKwYBBQUHAgIwgb4agbtDZXJ0aWZpY2F0ZXMgaXNzdWVkIHVuZGVyIHRoaXMgQ1AgbXVzdCBvbmx5IGJlIHJlbGllZCBvbiBieSBlbnRpdGllcyB3aXRoaW4gdGhlIENvbW11bml0eSBvZiBJbnRlcmVzdCwgdW5sZXNzIG90aGVyd2lzZSBhZ3JlZWQsIGFuZCBub3QgZm9yIHB1cnBvc2VzIG90aGVyIHRoYW4gdGhvc2UgcGVybWl0dGVkIGJ5IHRoaXMgQ1AuMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3Lm1lZGljYXJlYXVzdHJhbGlhLmdvdi5hdS8wGQYJKiSjkJUXAc4ZBAwWCjU2NTcwNTAwOTEwDgYDVR0PAQH/BAQDAgeAMBMGA1UdIwQMMAqACEB3qFEIQ4
yzMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9tYS10ZXN0LXBraS9NQU9DQUNSTHMvbGF0ZXN0LmNybDARBgNVHQ4ECgQIQ8IlQG3+PcIwDQYJKoZIhvcNAQEFBQADggEBAJW0OQRaUmXt0hiov8xHLFrlwOWdkWHFL/9/zmZlFuBNhpZPgYcXpLjC1S3cA5btWAFwMYMBa8igWsvjhFyjjKYhxMlYgnJzKQx2sc6pUXuId2qhGhikWmgzT+Wdy6soP8FKJPLSwBlkTUVq8ep+yIfBx3tYfnK79n/+FX1bz52/nFZmnpZwkEhTB8f9y/GuyzO/pt0F9bel4txZPj36XIHF0k/9SuzpLzwkmAy+89tWu0L4+0J8CLkgfiGprPKW6HByJZWmZyAqs9UIOy2FXnL/CdozZKXnxmEIgTCkcPgSs0olm/A/Wfv4wdsPrNWMmqGL73AoSfM2wgHmQ9k4mPU=</o:BinarySecurityToken> <wsse:UsernameToken wsu:Id="e23c17af-c76f-4aaf-bc28-33c5261a253d" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsse:Username>user1</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">icnriCyW09WOpQABOeQqFEiqxwY=</wsse:Password> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">wbwf0IRtQBA6fsrmpQd8fA==</wsse:Nonce> <wsu:Created>2012-05-25T13:58:21Z</wsu:Created> </wsse:UsernameToken> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#_1"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>8Po0d4s3JJB1Xh4vdB6+7M/ivoA=</DigestValue> </Reference> <Reference URI="#_2"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>Azl0elmnUzxTSLUuwfWf6DLT8h8=</DigestValue> </Reference> <Reference URI="#_3"> <Transforms> <Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>h1iD7HzEK+uslbPRHjwN2zt7zhc=</DigestValue> </Reference> <Reference URI="#_4"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>WZ3YS9m3NBoROTnEKUEJ/bNmMDw=</DigestValue> </Reference> <Reference URI="#_5"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>k69pykploFPkXhw5ogDHcjcJUI0=</DigestValue> </Reference> <Reference URI="#_6"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>TSr1cnqSoYmoEIURjA5OZB/iyS0=</DigestValue> </Reference> <Reference URI="#uuid-26810b23-330b-49c0-af30-59c2a8211341-1"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>wSsjhUgRFAN3by438s7ZvGSSgCw=</DigestValue> </Reference> <Reference URI="#e23c17af-c76f-4aaf-bc28-33c5261a253d"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>q9/MlLVrhvl21tGGmxuBVh1V4Mc=</DigestValue> </Reference> </SignedInfo> <SignatureValue>t/piYSnEwCIzqMxC0LQs9fxUla2BKA0GkMI4oLLqZdkthCo9LNvxJP8Luf1d91CEETZ5B4FsQI7QtcA+qHya78K5s+mzn8/2zhEGzAYxkaLeDCUvrad10Mlqssh5AhLbxonZ4/7mDs1v5+s7EVqM0tjpc0tHK0vmroNz0qnAxjCZqEEYpK3/uJ4iwO86khk5pQwqArrwUAqV26/8sXi6c5CfoZcGaVzjIKSAuc+ybV0O42c5OECMe+9G5ZJAkRkw+korLSKgeslLZa18+g/x7WMeUmbo9wiPLuT5kdvIkGRpPN22CQYeSblTFly26J5LIaPdZFSBIAOT3bYs6G4bxA==</SignatureValue> <KeyInfo> <o:SecurityTokenReference> <o:Reference 
URI="#uuid-bf155ac7-0ca3-459f-acb5-d8acf3a882d4-2"/> </o:SecurityTokenReference> </KeyInfo> </Signature> </o:Security> <SignatureValue>t/piYSnEwCIzqMxC0LQs9fxUla2BKA0GkMI4oLLqZdkthCo9LNvxJP8Luf1d91CEETZ5B4FsQI7QtcA+qHya78K5s+mzn8/2zhEGzAYxkaLeDCUvrad10Mlqssh5AhLbxonZ4/7mDs1v5+s7EVqM0tjpc0tHK0vmroNz0qnAxjCZqEEYpK3/uJ4iwO86khk5pQwqArrwUAqV26/8sXi6c5CfoZcGaVzjIKSAuc+ybV0O42c5OECMe+9G5ZJAkRkw+korLSKgeslLZa18+g/x7WMeUmbo9wiPLuT5kdvIkGRpPN22CQYeSblTFly26J5LIaPdZFSBIAOT3bYs6G4bxA==</SignatureValue> <KeyInfo> <o:SecurityTokenReference> <o:Reference URI="#uuid-bf155ac7-0ca3-459f-acb5-d8acf3a882d4-2"/> </o:SecurityTokenReference> </KeyInfo> </Signature> </o:Security>
I have tried almost everything I could think of; I have used an inspector and an encoder to do this, but so far no luck. Any help will be appreciated.
Current Code:
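// WCF client set-up for message-level security: the request is signed with the
// client's X.509 certificate and a UsernameToken is carried as a *signed*
// supporting token. The transport is plain HTTP, so the message signature is
// the only protection applied to the request.
AsymmetricSecurityBindingElement securityBindingElement = new AsymmetricSecurityBindingElement();
// The username token is not a signing key; it is added to the "Signed" set so
// that its digest is included in SignedInfo.
securityBindingElement.EndpointSupportingTokenParameters.Signed.Add(new UsernameTokenParameters());

// Initiator (client) token: the certificate is carried inside the security
// header (Internal reference style) and identified by issuer/serial.
X509SecurityTokenParameters initiator
    = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                                      SecurityTokenInclusionMode.AlwaysToRecipient);
initiator.RequireDerivedKeys = false;   // sign with the certificate key directly
initiator.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
securityBindingElement.InitiatorTokenParameters = initiator;

// Recipient (service) token.
X509SecurityTokenParameters recipient
    = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial,
                                      SecurityTokenInclusionMode.AlwaysToInitiator);
recipient.RequireDerivedKeys = false;
// Fix: the original assigned `initiator` here, so the recipient parameters
// built just above were never used.
securityBindingElement.RecipientTokenParameters = recipient;

securityBindingElement.SetKeyDerivation(false);
securityBindingElement.IncludeTimestamp = true;   // emit (and sign) a wsu:Timestamp
securityBindingElement.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;
securityBindingElement.MessageSecurityVersion = MessageSecurityVersion
    .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
securityBindingElement.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

HttpTransportBindingElement httpBindingElement = new HttpTransportBindingElement();
CustomBinding binding = new CustomBinding();
binding.Elements.Add(securityBindingElement);
binding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8));
//binding.Elements.Add(new CustomEncoderBindingElement());
binding.Elements.Add(httpBindingElement);

// The DNS identity is compared against the service certificate presented for
// the endpoint; it must match the subject of the certificate selected below
// (TODO confirm against the actual service certificate).
EndpointAddress serviceAddress = new EndpointAddress(new Uri("http://xya.com"),
    EndpointIdentity.CreateDnsIdentity("Test Location 027 :5657050091"),
    new AddressHeaderCollection());

ChannelFactory<DhsUserAuthUploadHposDvaStatementsPortTypeChannel> channelFactory =
    new ChannelFactory<DhsUserAuthUploadHposDvaStatementsPortTypeChannel>(binding, serviceAddress);

// Custom credentials (replacing the stock ClientCredentials) produce the
// UsernameToken.
UsernameClientCredentials credentials = new UsernameClientCredentials(new UsernameInfo("user1", "user1"));
// PeerTrust: the service certificate is accepted only if it is present in the
// TrustedPeople store; no chain building is performed.
credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
// NOTE: the same thumbprint is used for both the client certificate and the
// default service certificate, so the recipient side never identifies a
// distinct service key. Both thumbprints are configuration data; consider
// moving them out of source.
credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint,
    "6c1a76f952028e092cea367d40d6cf5833d9d3a3");
credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople,
    X509FindType.FindByThumbprint,
    "6c1a76f952028e092cea367d40d6cf5833d9d3a3");

// Swap the default ClientCredentials behaviour for the custom one; the Remove
// call is what stops WCF from applying its own credentials first.
channelFactory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
channelFactory.Endpoint.Behaviors.Add(credentials);
var client = channelFactory.CreateChannel();
// The channel (and factory) are never closed here; close or abort them once
// the call completes to release the underlying connection.
client.upload();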
I have tried almost everything I could think of; I have used an inspector and an encoder to do this, but so far no luck. Any help will be appreciated.
The challenge here is that you need a username token with password digest + created + nonce AND you need it signed. If you have any way to drop one of these requirements it will be easier. Otherwise, here is a direction; it will require some work.
Check out this project; it will help you create the username token in the requested format.
In order to create the security binding element use
SecurityBindingElement.CreateMutualCertificateBindingElement()
Then, as you did above, add the username token to it (the one from item #1).
Note that you will be required to specify a service certificate. You probably don't have or need one, so just supply any dummy certificate in the service credentials property; it can even be the same one as the client certificate.
If you have not done so already decorate your contracts (reference.cs?) with:
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
since (as it appears from the partial SOAP envelope) you only use a signature and not encryption.