Reputation: 1109
WCF Client - Specifying the signature algorithm for WS-Security Timestamp signature
I have a WCF client that is sending a message to a non-WCF service and that service is having problems handling the HMAC-SHA1 signature method used to sign the WS-Security Timestamp element. Ideally, we'd like to use the RSA-SHA1 signature method but I have not been able to get WCF to use that signature method.
The binding I am using is a custom binding which is allowing me to send a SAML 2.0 token over HTTPS:
<customBinding>
<!-- This binding is a WS2007FederationHttpBinding without Secure Sessions that uses Text message encoding. -->
<binding
name="WS2007FederationHttpBinding_NoSecureSession_Text"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00">
<security
authenticationMode="IssuedTokenOverTransport"
requireSignatureConfirmation="true"
securityHeaderLayout="Lax"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
keyEntropyMode="CombinedEntropy"
includeTimestamp="true">
<issuedTokenParameters
tokenType="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- This describes the STS. That is, the URL, the binding to use, and its Identity -->
<issuer
address="http://hostname//STS.svc"
binding="ws2007HttpBinding"
bindingConfiguration="StsUserNameBindingConfiguration">
<identity>
<!-- This is the certificate used for signing on the STS. -->
<!-- Replace "sts-signing-certificate-thumbprint" with the actual thumbprint of the STS's signing certificate -->
<certificateReference
findValue="sts-signing-certificate-thumbprint"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindByThumbprint"/>
</identity>
</issuer>
</issuedTokenParameters>
<!-- This basically says "Don't use Secure Conversation" -->
<secureConversationBootstrap/>
</security>
<!-- Use Text Encoding -->
<textMessageEncoding/>
<!-- This says to use HTTPS when communicating with the remote service -->
<httpsTransport
requireClientCertificate="true"
maxBufferPoolSize="134217728"
maxReceivedMessageSize="134217728"
maxBufferSize="134217728"/>
</binding>
</customBinding>
The signature in the outgoing request looks like this:
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference
URI="#_0">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>GZfW1RkyS4DHYFPHRnRuqNSo+qE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>rMzQ/kEV7AXcO3wm9hfQXNoX5r4=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference
b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_9f79359e-63dc-4e38-888c-6567dac4b41b</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
Notice the <SignatureMethod> is http://www.w3.org/2000/09/xmldsig#hmac-sha1
One interesting thing is that the HMAC-SHA1 algorithm is symmetric (one key to encrypt and decrypt) while RSA-SHA1 is asymmetric (requires one key to encrypt and one to decrypt). I think WCF uses the HMAC-SHA1 algorithm because it is symmetric and the SAML token being exchanged is the shared secret (key). It makes sense to use the SAML token as the shared key for a symmetric algorithm but is there an option available to force WCF to use an asymmetric algorithm like RSA-SHA1?
I have been able to get some slight modification of the signature method by changing the binding/security/defaultAlgorithmSuite attribute but the various options do not give me the ability to specify RSA-SHA1 here:
defaultAlgorithm = Default:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
defaultAlgorithm = Basic256:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
defaultAlgorithm = Basic256Rsa15:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
defaultAlgorithm = Basic256Sha256:
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
defaultAlgorithm = Basic256Sha256Rsa15:
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
Is there a way I can force WCF to use RSA-SHA1 on the Timestamp signature?
Upvotes: 9
Views: 6965
Answers (1)
Reputation: 327
I think it is an interoperability issue. There is a similar issue in the link bellow.
http://www.fokkog.com/2011/01/ws-security-interoperability-issue.html
You can manually create and sign the token. Check this post:
Upvotes: 0
Related Questions
- Signing SOAP Message with XML Signature and WCF
- Configure WCF with client certificate signing XMLDsig, WS-Security or XADES
- How to change the timestamp security header in a wcf client?
- WCF Service with WS-Security requires Signed Timestamp only
- How to specify that the Timestamp that's part of WS-Security needs to be signed + fix error that client did not sign timestamp with id xxx?
- How to sign a SOAP request with WCF
- How to make WCF Client conform to specific WS-Security - sign UsernameToken and SecurityTokenReference
- How can i sign soap headers in WCF client
- is there any way to add Timestamp security header only in WCF?
- Sign outgoing message