I have developed a test client in .NET to connect to a SOAP webservice (I do not have access to the server code):
Using Fiddler, I can see that the server returns a successful response and I can read the response message, but the client always throws a "System.ServiceModel.Security.MessageSecurityException" with this message:
Cannot resolve signature URI '#MsgBody' to calculate implicit value.
This is my code:
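// Custom binding: asymmetric message security (body signing) over HTTPS with SOAP 1.1 / UTF-8 text encoding.
CustomBinding bindings = new CustomBinding();

// HTTPS transport. Because the transport is already TLS, the AllowInsecureTransport flag below is not
// exercised by this binding; it only matters if the transport element were ever swapped for plain HTTP.
HttpsTransportBindingElement transport = new HttpsTransportBindingElement();

// Mutual-certificate message security (WS-Security 1.0, Basic Security Profile 1.0), body signing only.
AsymmetricSecurityBindingElement asec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
    MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
    true);
asec.SetKeyDerivation(false);
// NOTE(review): both flags relax what the client accepts. EnableUnsecuredResponse lets the client accept a
// response that carries no security header at all, which removes the message-level proof that the response
// came from the expected server. Keep them only while diagnosing interop; revisit before production use.
asec.AllowInsecureTransport = true;
asec.EnableUnsecuredResponse = true;
asec.SecurityHeaderLayout = SecurityHeaderLayout.LaxTimestampLast;
asec.IncludeTimestamp = true;
// Neither side's certificate is carried in the message itself; tokens are referenced out of band.
asec.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
{
    InclusionMode = SecurityTokenInclusionMode.Never
};
asec.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
{
    InclusionMode = SecurityTokenInclusionMode.Never
};
asec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;
// NOTE(review): TripleDesRsa15 pairs 3DES with RSA PKCS#1 v1.5 key transport and SHA-1 digests; the captured
// response shows the server signing with rsa-sha1, so the suite appears to be dictated by the peer. Prefer a
// Basic128/256 (SHA-256) suite as soon as the service supports one.
asec.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.TripleDesRsa15;
asec.EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters());

// SOAP 1.1 with UTF-8 text encoding.
TextMessageEncodingBindingElement textMessageEncoding =
    new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);

// Binding elements are ordered top-down: security, then message encoding, then transport.
bindings.Elements.Add(asec);
bindings.Elements.Add(textMessageEncoding);
bindings.Elements.Add(transport);

// Endpoint identity and address. The DNS identity must match the subject the service certificate is issued to.
EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("w43sc Plataforma de Integracion");
AddressHeader[] addressHeaders = new AddressHeader[0];
AddressHeaderCollection headers = new AddressHeaderCollection(addressHeaders);
EndpointAddress url = new EndpointAddress(
    new Uri(@"https://svc.integracion.test.example.net/ctxweb/secured_ssl/x53jiGetIntermediacionWS"),
    identity,
    headers);

ClientServiceReference.IntermediacionPortTypeClient client =
    new ClientServiceReference.IntermediacionPortTypeClient(bindings, url);
client.ClientCredentials.ClientCertificate.Certificate = Config.x509clientCertificate;

// Locate the service certificate in the machine TrustedPeople store. The store is opened read-only and
// always closed again, even if Find throws.
X509Certificate2 serviceCertificate = null;
X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
try
{
    store.Open(OpenFlags.ReadOnly);
    // validOnly: false also matches expired or otherwise invalid certificates; this only locates the
    // certificate, the validation mode configured below decides whether it is trusted.
    X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySerialNumber, "118b", false);
    if (certs.Count > 0)
    {
        serviceCertificate = certs[0];
    }
}
finally
{
    store.Close();
}

// Fail fast with a clear message instead of letting a null DefaultCertificate surface later as an opaque
// security exception during the call.
if (serviceCertificate == null)
{
    throw new InvalidOperationException("Service certificate with serial number 118b was not found in LocalMachine\\TrustedPeople.");
}

client.ClientCredentials.ServiceCertificate.DefaultCertificate = serviceCertificate;
// NOTE(review): X509CertificateValidationMode.None disables validation of the certificate the service presents
// for message security, so any certificate is accepted as the server's. Acceptable only for a throw-away
// interop test; use ChainTrust or PeerTrust (the certificate is already in TrustedPeople) once the signature
// problem is solved.
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
    System.ServiceModel.Security.X509CertificateValidationMode.None;
client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;

// Remove the Visual Studio diagnostics sink behavior if it was injected, using the same collection for
// lookup and removal (Endpoint.Behaviors is the obsolete alias of EndpointBehaviors).
var vs = client.Endpoint.EndpointBehaviors.FirstOrDefault(
    i => i.GetType().Namespace == "Microsoft.VisualStudio.Diagnostics.ServiceModelSink");
if (vs != null)
{
    client.Endpoint.EndpointBehaviors.Remove(vs);
}

ClientServiceReference.Respuesta response = null;
//=====================================================================================
try
{
    client.Open();
    response = client.peticionSincrona(peticion);
    Console.WriteLine("Response received");
}
catch (System.ServiceModel.Security.MessageSecurityException messageSecurityException)
{
    // NOTE(review): in the captured response the signed element is <S:Body Id="MsgBody">, i.e. a plain,
    // un-namespaced Id attribute, whereas WCF resolves signature references through the WS-Security Utility
    // wsu:Id attribute. That mismatch on the server side is a plausible cause of "Cannot resolve signature
    // URI '#MsgBody'"; nothing in this client configuration selects which attribute the server emits, so
    // confirm with the service provider.
    Console.WriteLine(messageSecurityException.Message);
    if (messageSecurityException.InnerException != null)
    {
        Console.WriteLine(messageSecurityException.InnerException.Message);
    }
}
finally
{
    // Runs for every outcome, including exceptions that are not MessageSecurityException, so the channel is
    // never left open. A faulted channel can only be aborted; Close() itself can throw, in which case the
    // channel must be aborted to release it.
    if (client.State == System.ServiceModel.CommunicationState.Faulted)
    {
        client.Abort();
    }
    else
    {
        try
        {
            client.Close();
        }
        catch (CommunicationException)
        {
            client.Abort();
        }
        catch (TimeoutException)
        {
            client.Abort();
        }
    }
}
//=====================================================================================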
And this is the response (I have removed the confidential data from the body):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#MsgBody">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>EWrV+35DziZc5ed5KKtEL97C5SY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
SVvwXWHB/Td9L/h0PuOKhIe2CmbZGd+ONfKVJ0Be6zOVKlnmF2rFmuTHK49vQObN0S1OHrNc9Dat
N2K0X0BcxxvsLQdl+jQeyswDzGORMsj9QVaZNNiATuQi9q9CDtbUFLCBP2KFt5lr2/BASr0GzoMo
ZBKEaQnbacT+9yMciwnyuMxlspQ/48dhFLfcZo84MkCtFJ5MF76dnHflnkT3fQArGfH688fUYSDS
y85l1UHKcyG4cUqOz8l1rPgek7yBZ0//EXEQU+v8ir7CxiOfBm/xvjcOkpD8rmflk9kmagU1CrC9
VtkZORQNyxsG8jmzapmxo0caoKWcFWnWg2FbtA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
<server_certificate>
</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>
<content_deleted>
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<wsse:Security S:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken wsu:Id="bst_uk59PITZwfeJZtBp"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<server certificate here>
</wsse:BinarySecurityToken>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#Timestamp_dYk8YhwKY7fXMHZL">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>geHmvIvEvHEzwTdO6KqtIQr1Ao8=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#MsgBody">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>EWrV+35DziZc5ed5KKtEL97C5SY=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#bst_uk59PITZwfeJZtBp">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>BXwbmhjLVljiH/JzEjd+CxSGvw8=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
E4XsM14JlQaTw8xtRGAkOZkFrwTCt+dH4xsnb0Jt+/MW709ST7E+Onc+IUtxEF2rT6QoVxVxPsNNvcdmpxS9fY7j4KyJYuYuLtXNFeVoCa4JfAgfYnSTB79pn7iM//UrWzabCCfFpA9mmP/XyavKFwXynCh78v5IAy4y+XlcqSJCzKVO6lkxLy7jGOWtnJMIE7wtNSUFPD5sEr0EF7HR3m2+cf3/1nMrT3gffK5OF3PIcZULglW1PQELtr3tmSYs5LzedPsnxSWYv9lwwshu60VHG9mZpa0XFLBAxjgekuVxQGGJ+cR1SqNYgrVl8NupR9DzTl27pTxxOViKoilzhg==
</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference
wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="str_I3heBxrEjmLrXAP3"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Reference URI="#bst_uk59PITZwfeJZtBp"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<wsu:Timestamp wsu:Id="Timestamp_dYk8YhwKY7fXMHZL"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2023-03-18T17:53:58Z</wsu:Created>
<wsu:Expires>2023-03-18T17:54:58Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</S:Header>
<S:Body Id="MsgBody" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<ns2:Respuesta xmlns="..."
xmlns:ns2="...">
Content of response here
</ns2:Respuesta>
</S:Body>
</soapenv:Envelope>
As you can see, the "MsgBody" URI does exist in the response. I have tried many configurations, but I cannot get it working. I compared the response with the one SoapUI receives, and it is the same. I believe the SOAP web service is developed in Java.
Any help would be really appreciated.