MUTUAL CERTIFICATE SECURITY - Multiple signatures
Hi, I am sending a SOAP message to an Indigo service. The message has two certificates (binary tokens) and signatures for every certificate. I succeeded in implementing that scenario on the client using WSE. The problem is that the WCF service throws this exception:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteReadingPass(XmlDictionaryReader reader)
System.ServiceModel.Security.LaxModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveRequestAndVerifySecurityAsyncResult.ProcessInnerItem(RequestContext innerItem, TimeSpan timeout)
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
System.ServiceModel.Channels.InputQueue`1.AsyncQueueReader.Set(Item item)
System.ServiceModel.Channels.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
System.ServiceModel.Channels.InputQueue`1.EnqueueAndDispatch(T item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, ItemDequeuedCallback dequeuedCallback, Boolean canDispatchOnThisThread)
System.ServiceModel.Channels.HttpChannelListener.HttpContextReceived(HttpRequestContext context, ItemDequeuedCallback callback)
System.ServiceModel.Channels.SharedHttpTransportManager.OnGetContextCore(IAsyncResult result)
System.ServiceModel.Channels.SharedHttpTransportManager.OnGetContext(IAsyncResult result)
System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
System.Net.LazyAsyncResult.Complete(IntPtr userToken)
System.Net.LazyAsyncResult.ProtectedInvokeCallback(Object result, IntPtr userToken)
System.Net.ListenerAsyncResult.WaitCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
This scenario works with one certificate and signatures for only that certificate. My scenario is that I need to sign the SOAP envelope with several different certificates. I think that WS-S allows this, but that the Indigo secured binding has a problem with it. I will post the SOAP message and the service binding and behavior:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <FxHeader xmlns="http://www.pexim.net/bankadapterws/">
      <AccountCode xsi:nil="true" xmlns="http://www.pexim.net"/>
      <GatewayId xsi:nil="true" xmlns="http://www.pexim.net"/>
      <Limit xsi:nil="true" xmlns="http://www.pexim.net"/>
      <Topic xmlns="http://www.pexim.net">ibank.retail.stmtrq</Topic>
      <UserId xmlns="http://www.pexim.net">jddavis@ibank</UserId>
    </FxHeader>
    <wsa:Action wsu:Id="Id-10009be7-b770-4fc5-88ca-b8734f794392">http://www.pexim.net/bankadapter/RetrieveFullBalance</wsa:Action>
    <wsa:MessageID wsu:Id="Id-1fa6023a-bcc0-4b13-8d53-d61ddf2652c5">urn:uuid:d5f41280-c9a2-42c8-bf76-a7dcdc3ffcb8</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="Id-4e081e2a-c295-44f5-ae29-b2eb8a42ea64">
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To wsu:Id="Id-571a7a89-776d-42cb-8e85-b5f5e7d47848">fx://meridian.banka/</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-576f829e-1424-4212-9dd4-2c701541c51d">
        <wsu:Created>2006-09-05T12:37:53Z</wsu:Created>
        <wsu:Expires>2006-09-06T12:37:53Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-20ba59c8-466c-4edf-a92e-ae4e497d0f1d"><!-- base64-encoded certificate omitted --></wsse:BinarySecurityToken>
      <xenc:EncryptedKey Id="SecurityToken-3e0d3000-779d-4749-9911-306ccd96a53f" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </xenc:EncryptionMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">KGnQh22Xr3EsgKg0mOH8cP7Jy6s=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>pPZ6jAdrDNGLh4bmGBaJMvHc8GCRWXSpynhkKlh3XIy84RfgFruOPOrLC8xeeDLlSSMrJdNzjFqZdAmOb+RpTwfFQMlqhdlALCs67QnEleFbce5NHG29YrJgY+40INsNJIVOYc3YJ+plrlgQ7yndljDWUTO1oNqWZsjBrevuS7U=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#Enc-59415a74-2327-4d23-b51a-c571a2aaaa60"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <Signature Id="Sig-0b08d0f4-67c1-43f6-83bf-beacaed1e180" xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <Reference URI="#Id-10009be7-b770-4fc5-88ca-b8734f794392">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>XOGijHIf/ASXjPP4W+bPWNOhtGo=</DigestValue>
          </Reference>
          <Reference URI="#Id-1fa6023a-bcc0-4b13-8d53-d61ddf2652c5">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>YDX+a2c1P2jskulTwUUlo0fmvFw=</DigestValue>
          </Reference>
          <Reference URI="#Id-4e081e2a-c295-44f5-ae29-b2eb8a42ea64">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>cVMUUxW3Cej2WW12nWbgSdgJs5E=</DigestValue>
          </Reference>
          <Reference URI="#Id-571a7a89-776d-42cb-8e85-b5f5e7d47848">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>DbNQ1Qatk9QCJp3NzQYpNSNR4Ps=</DigestValue>
          </Reference>
          <Reference URI="#Timestamp-576f829e-1424-4212-9dd4-2c701541c51d">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>Ug/eBHhort8YPAop+v8uSJ0mnfM=</DigestValue>
          </Reference>
          <Reference URI="#Id-f430488f-7516-43af-a538-461be5efab1d">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>8IKRgyqTM/ihwkA9drjvkie/H28=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>CvFDJbfVQjAyCFn+vTUA/4Z0peQ=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-3e0d3000-779d-4749-9911-306ccd96a53f" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Sig-0b08d0f4-67c1-43f6-83bf-beacaed1e180">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>FCoWd0mLW+MtbnOsssnIIAuKWvw=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>hLDcrgZaWb5TGtdCYHm6HVKgf+aKQM6+mdHlggNQ/hqu5bGhYrU3+dw9Gmolbz392yf7rv7AmwLRFuXAkSFX4oWTzm9lQKWdzgLvEVOWOwdiyvQR+Ejv+/VMPegxL/Bqy1gzkLYaKQxpkwXGNP/R5Qsv6kpcAcdgCzYZrKu6uWk=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-20ba59c8-466c-4edf-a92e-ae4e497d0f1d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-8a4bdc1c-099a-49be-b8c7-dc09cd4948bd"><!-- base64-encoded certificate omitted --></wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Id-10009be7-b770-4fc5-88ca-b8734f794392">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>XOGijHIf/ASXjPP4W+bPWNOhtGo=</DigestValue>
          </Reference>
          <Reference URI="#Id-571a7a89-776d-42cb-8e85-b5f5e7d47848">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>DbNQ1Qatk9QCJp3NzQYpNSNR4Ps=</DigestValue>
          </Reference>
          <Reference URI="#Timestamp-576f829e-1424-4212-9dd4-2c701541c51d">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>SPR2h+IbDKN3GEUF8aVSNn51fAo=</DigestValue>
          </Reference>
          <Reference URI="#Id-f430488f-7516-43af-a538-461be5efab1d">
            <Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>8IKRgyqTM/ihwkA9drjvkie/H28=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>hioIWxhjUHRTydnlcDub768w5/FM33m7gCG7AVfgUXHLAj4n08+Bouhfhf8+IpK42Ooq9j7yp5RsD5RM+0EXgKNtv+oVA0WIfoJzkAobndLcJ9Uu4AOF8dGDRCOoUw03aND3Tx6aBlTS7VevDQ7iCrcZ5aCNlVR8zAmeOwdGWl8=</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-8a4bdc1c-099a-49be-b8c7-dc09cd4948bd" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-f430488f-7516-43af-a538-461be5efab1d">
    <xenc:EncryptedData Id="Enc-59415a74-2327-4d23-b51a-c571a2aaaa60" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>WMM5B80IrP87DR1LGQTaWZjBb+zSNl1j0UHU13WKIvK3RBf93dInqvvuiQjz1+wZ4c0++zk2CjqTMr2RVUKYPySeRoB2//xDCb9Kz81YEGCYUXPfoE9OXhBV4uEQXNbUqeh4Q85DeTnEi0TYRxiNzhTazjn2mD6n+vRwYJPpfEUKNoW4ax69LhC5ylQnsi5nCjNDX9oglvLe2oo4JICEGSaxPz5w2yQIt5oLoOnCBGMRdEfM/shmw45NcVA803Mn</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

App config with service settings:
<!-- Enclosing <behaviors>/<serviceBehaviors> and <bindings>/<customBinding> sections
     were not in the pasted snippet and are supplied here so the fragment is well-formed. -->
<services>
  <service name="Pexim.FxClient.Api.AdapterTest.BankAdapter" behaviorConfiguration="WSEBehavior">
    <endpoint address="fx://meridian.banka/" listenUri="http://localhost/FxApi/BankAdapterTest/Tracking"
              binding="customBinding"
              bindingConfiguration="TrackingBinding"
              contract="Pexim.FxClient.Api.AdapterTest.IBankAdapter" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="WSEBehavior" returnUnknownExceptionsAsFaults="true">
      <serviceCredentials>
        <serviceCertificate findValue="CN=WSE2QuickStartServer" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerOrChainTrust" />
        </clientCertificate>
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <customBinding>
    <binding name="TrackingBinding">
      <security authenticationMode="MutualCertificate" securityHeaderLayout="Lax"
                requireDerivedKeys="false" includeTimestamp="true"
                messageProtectionOrder="SignBeforeEncrypt" requireSignatureConfirmation="true"
                allowSerializedSigningTokenOnReply="true"></security>
      <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
      <httpTransport />
    </binding>
  </customBinding>
</bindings>
Can someone help me with this? Can this binding configuration work with a message that is signed multiple times and carries more than one certificate? Is this a bug in WCF?
Indigo Cowboy
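The following is an added example, not code from the original post, from WSE or from WCF. It parses a WS-Security header of the shape shown in the message above and lists what a receiver has to reason about before accepting it: the tokens the header carries, the key each Signature's KeyInfo references, the signature algorithm, and the elements each signature covers. The SAMPLE header is a constructed, shortened replica of the post's layout (two X.509 BinarySecurityTokens, one EncryptedKey, an HMAC signature keyed by the EncryptedKey, an RSA signature over that signature from the first token, and a second RSA signature from the second token); all Ids, digests and cipher/signature values in it are placeholders, not the post's real values. The `review()` check reports KeyInfo references that do not resolve to any token in the header and flags the condition the post describes as failing, more than one distinct X.509 token acting as a signer of the same message.

```python
"""Inspect a WS-Security header: tokens carried, key referenced by each
Signature, and the elements each signature covers.

Added example (not from the original post, WSE or WCF). SAMPLE is a
constructed, shortened header mirroring the post's layout; every Id,
digest and cipher/signature value in it is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
ENCKEY = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"

# Constructed sample: two X.509 tokens, one EncryptedKey, three signatures.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
               xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2006-09-05T12:37:53Z</wsu:Created></wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="{x509}" wsu:Id="tok-1">CERT-1-PLACEHOLDER</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="ek-1"><xenc:CipherData><xenc:CipherValue>EK-PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
  <ds:Signature Id="sig-1">
   <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <ds:Reference URI="#ts-1"/><ds:Reference URI="#body-1"/></ds:SignedInfo>
   <ds:SignatureValue>HMAC-PLACEHOLDER</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#ek-1" ValueType="{enckey}"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
  <ds:Signature Id="sig-2">
   <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#sig-1"/></ds:SignedInfo>
   <ds:SignatureValue>RSA-1-PLACEHOLDER</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#tok-1" ValueType="{x509}"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
  <wsse:BinarySecurityToken ValueType="{x509}" wsu:Id="tok-2">CERT-2-PLACEHOLDER</wsse:BinarySecurityToken>
  <ds:Signature Id="sig-3">
   <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#ts-1"/><ds:Reference URI="#body-1"/></ds:SignedInfo>
   <ds:SignatureValue>RSA-2-PLACEHOLDER</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#tok-2" ValueType="{x509}"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body-1"/>
</soap:Envelope>""".format(x509=X509V3, enckey=ENCKEY, **NS)


def _id(elem):
    """wsu:Id or plain Id, whichever attribute the element carries."""
    return elem.get("{%s}Id" % NS["wsu"]) or elem.get("Id")


def summarize_security_header(xml_text):
    """Return the tokens and signatures found in the wsse:Security header."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    tokens = {}
    for bst in sec.findall("wsse:BinarySecurityToken", NS):
        tokens[_id(bst)] = "X509" if bst.get("ValueType") == X509V3 else bst.get("ValueType")
    for ek in sec.findall("xenc:EncryptedKey", NS):
        tokens[_id(ek)] = "EncryptedKey"
    signatures = []
    for sig in sec.findall("ds:Signature", NS):
        ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_id = ref.get("URI").lstrip("#") if ref is not None else None
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        covers = [r.get("URI").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        signatures.append({
            "id": _id(sig),
            "method": method.rsplit("#", 1)[-1],
            "key_id": key_id,
            "key_type": tokens.get(key_id, "unresolved"),  # key must be a token in this header
            "covers": covers,
        })
    return {"tokens": tokens, "signatures": signatures}


def x509_signing_tokens(summary):
    """Distinct X.509 tokens used directly as signing keys."""
    return sorted({s["key_id"] for s in summary["signatures"] if s["key_type"] == "X509"})


def review(summary):
    """Findings a receiver would want before accepting the header."""
    findings = []
    unresolved = [s["id"] for s in summary["signatures"] if s["key_type"] == "unresolved"]
    if unresolved:
        findings.append("signatures with unresolvable KeyInfo: %s" % ", ".join(unresolved))
    signers = x509_signing_tokens(summary)
    if len(signers) > 1:  # the multi-certificate case the post describes
        findings.append("%d distinct X.509 tokens sign this message: %s"
                        % (len(signers), ", ".join(signers)))
    return findings


if __name__ == "__main__":
    summary = summarize_security_header(SAMPLE)
    for sig in summary["signatures"]:
        print("%s %s key=%s (%s) covers=%s" % (sig["id"], sig["method"], sig["key_id"],
                                               sig["key_type"], ",".join(sig["covers"])))
    for finding in review(summary):
        print("finding:", finding)
```

Running it on the sample prints one line per signature (sig-1 keyed by the EncryptedKey over timestamp and body, sig-2 keyed by tok-1 over sig-1, sig-3 keyed by tok-2 over timestamp and body) and the finding that two distinct X.509 tokens sign the message, which is the situation the MutualCertificate binding above is being asked to accept.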

