Security token in the message transmitted by SSL
I need WCF to provide a soap header like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1D82AB9733B359236712457035776561"></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1D82AB9733B359236712457035776562">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1D82AB9733B359236712457035776563">
<wsse:Reference URI="#CertId-1D82AB9733B359236712457035776561" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
<wsu:Created>2009-06-22T20:46:17Z</wsu:Created>
<wsu:Expires>2009-06-22T20:51:17Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</SOAP-ENV:Header>
where the timestamp and the body parts/items will be digitally signed with a direct reference to a certificate included in the message (BinarySecurityToken), and confidentiality will only be enforced at the transport layer using SSL (the service is hosted by IIS). I am currently using the TransportSecurityBindingElement and HttpsTransportBinding classes, but I still cannot get the SOAP header the way I want it... The problem (according to the message trace) is that the BinarySecurityToken element is missing attributes like Id, EncodingType and ValueType, and the message body is not signed (I have set the ProtectionLevel on the contract for login).
So, if anyone has skills with this, I would be very grateful.
This is a shot in the dark, since I don't know any WCF, but I do know how to sign a SOAP message.
The required parameter is the "Id" or "wsu:Id" attribute on your SOAP body element. The signature will use this identifier as a reference to the signed data. In the example you posted, this is done on the wsu:Timestamp element - it has the id
wsu:Id="Timestamp-1"
And then the signature uses that as a link:
<ds:Reference URI="#Timestamp-1">
And in this example, the signature also references:
<ds:Reference URI="#id-3">
which I assume is the id of the body in the example.
I'm not sure how your toolkit API attaches ids, but you will definitely need it for anything you sign.
EncodingType and ValueType are a little more complex; I'm afraid I don't know off the top of my head. My temptation would be to try and get the IDs correct first and then see if it all falls into place. It might.
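As an added check that is not part of the question or the answer above, the following Python script audits a message trace for the points the answer raises: every ds:Reference URI must resolve to a wsu:Id in the message, the Timestamp and the Body must both be among the signed parts, and the BinarySecurityToken must carry its attributes and be the token the KeyInfo points at. The sample envelope, the function name audit_security_header and the dummy token and signature values are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: the header shape from the question plus a Body carrying the
# wsu:Id="id-3" that the second ds:Reference points at. Token/signature values are dummies.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <SOAP-ENV:Header><wsse:Security SOAP-ENV:mustUnderstand="1">
  <wsse:BinarySecurityToken wsu:Id="CertId-1"
   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIB</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#id-3"/></ds:SignedInfo>
   <ds:SignatureValue>c2ln</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
  <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2009-06-22T20:46:17Z</wsu:Created></wsu:Timestamp>
 </wsse:Security></SOAP-ENV:Header>
 <SOAP-ENV:Body wsu:Id="id-3"><Login/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>""".format(**NS)

def audit_security_header(xml_text):
    """Return findings (an empty list means the header has the shape the question asks for)."""
    root = ET.fromstring(xml_text)
    findings, signed = [], set()
    ids = {el.get(WSU_ID): el.tag for el in root.iter() if el.get(WSU_ID)}
    # Each ds:Reference must resolve, via a wsu:Id, to an element of this message
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in ids:
            signed.add(ids[uri[1:]])
        else:
            findings.append("ds:Reference %r does not resolve to a wsu:Id" % uri)
    # The Timestamp and the Body are the two parts the question wants under the signature
    for prefix, local in (("wsu", "Timestamp"), ("soap", "Body")):
        if "{%s}%s" % (NS[prefix], local) not in signed:
            findings.append("%s:%s is not covered by the signature" % (prefix, local))
    # The X.509 token must carry its attributes and be the key the KeyInfo points at
    bst = root.find(".//wsse:Security/wsse:BinarySecurityToken", NS)
    if bst is None:
        return findings + ["no BinarySecurityToken in the Security header"]
    for attr in ("EncodingType", "ValueType", WSU_ID):
        if not bst.get(attr):
            findings.append("BinarySecurityToken lacks " + attr.replace("{%s}" % NS["wsu"], "wsu:"))
    ref = root.find(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (bst.get(WSU_ID) or ""):
        findings.append("KeyInfo does not reference the BinarySecurityToken")
    return findings
```

Running it over a trace captured from the failing binding reproduces the two findings the question reports (a token without its attributes and a Body outside the signature), which makes it a quick regression check while adjusting the binding.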