WCF message security with certificate and both client and service signing

3
votes

We are attempting to implement message security between a client and WCF service using x509 certificates. The client sends the soap security headers and the service verifies the headers as expected. The problem is that the service is not signing it’s response message with security headers which we need. I believe below includes all of the information that is needed but let me know if you need anything else. Thanks!

The service’s web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.serviceModel>
    <services>
      <service name="RealIdCardService.AetnaNavigator" behaviorConfiguration="serviceCredentialBehavior">
        <endpoint address="" contract="RealIdCardService.IAetnaNav" binding="wsHttpBinding" bindingConfiguration="InteropCertificateBinding"></endpoint>
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="serviceCredentialBehavior">
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceMetadata httpsGetEnabled="true" />
          <serviceCredentials>
            <!--certificate storage path in the server-->
            <serviceCertificate findValue="WcfClient" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="TrustedPeople" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
            <!--certificate storage path in the client-->
            <clientCertificate>
              <certificate findValue="WcfServer" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="TrustedPeople" />
              <authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
          </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="InteropCertificateBinding">
          <security mode="TransportWithMessageCredential">           
            <!--security mode of certificate 
             establishSecurityContext="true"-->
            <message negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="false" clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.web>
    <compilation debug="true" />
  </system.web>
    <system.webServer>
        <handlers>
            <remove name="StaticFile" />
        </handlers>
    </system.webServer>
</configuration>

The client’s app.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
      <behaviors>
        <endpointBehaviors>
          <behavior>
            <!-- 
        The clientCredentials behavior allows one to define a certificate to present to a service.
        A certificate is used by a client to authenticate itself to the service and provide message integrity.
        This configuration references the "client.com" certificate installed during the setup instructions.
        -->
            <clientCredentials>
              <clientCertificate findValue="WcfServer" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="TrustedPeople"/>

              <serviceCertificate>
                <defaultCertificate findValue="qanav2.sourceonedirect.com"
                               storeLocation="LocalMachine"
                               storeName="TrustedPeople" x509FindType="FindBySubjectName" />
                <authentication revocationMode="NoCheck" certificateValidationMode="PeerTrust"
                                trustedStoreLocation="LocalMachine" />

              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="WSHttpBinding_RealIdCardService" closeTimeout="00:01:00"
                    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferPoolSize="524288" maxReceivedMessageSize="655360"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                    allowCookies="false">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="1638400"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00"
                        enabled="false" />
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                            algorithmSuite="Default" establishSecurityContext="false" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://qanav2.sourceonedirect.com/AetnaNavigator/RealIdCardService.svc"
                binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_RealIdCardService"
                contract="RealIdCardService" name="WSHttpBinding_RealIdCardService" />
        </client>
    </system.serviceModel>
</configuration>

The request from the client showing the message security:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://service.sourceOne.realIdcard.com/RealIdCardService/getImage</a:Action>
    <a:MessageID>urn:uuid:5d1170db-cc7f-485b-9d19-e88edb49a957</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1" u:Id="_1">https://qanav2.sourceonedirect.com/AetnaNavigator/RealIdCardService.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2011-08-11T16:39:51.548Z</u:Created>
        <u:Expires>2011-08-11T16:44:51.548Z</u:Expires>
      </u:Timestamp>
      <o:BinarySecurityToken u:Id="uuid-8c46f875-8e7c-449d-ba8b-c9263a04db89-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIBsTCCAV+gAwIBAgIQW2xiwVBnILpOlvTOe4BlezAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTExMDgxMTE0NTA1M1oXDTM5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJV2NmU2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4xaSGyke2NPJfXOHtZBz3yHXIjl0nA4WxKWY5Ettgs0DxUU7UKONgEKTloYnkmmiiHjRHzbClfaAbPrDQEe/DihmohWKDGa6aQ1Cat+CsZDGDgLhIcv85n1uLNriA5CJ2ebwgOoh6VxOLOQvjfNGBGfQBSZDe7DMOPntjO7ryhQIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBACfb7CnUN1dfyAgWbrxgwMr7wZgUo467YgT2+nOwiWlbbYJcqTx/5FkeVg3XXsaI2VINhUURrzvtJxFosKDzNR4=</o:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>3Lo6p2VdFuYvSkrkqqxY06OseoM=</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>n/l/ydDWJXU8w/T5oZhXNoH2ZI0=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>cLvhF1zEuaizz+SyaqKRWDmE/HF64ODiP0E6B1jEkRWwNdyp7qwgtZaTQj8qcJKYGi76HpZm6DOd+Re0561h/o8o/vD+ijVHvMZc0AF12MN/HgItNBmYF6ify0y6g9PLlc0SFCGc/1aeLDj5yZylYTmMdqgps77q0kCV8s6hmWo=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-8c46f875-8e7c-449d-ba8b-c9263a04db89-1"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body>
    <getImage xmlns="http://service.sourceOne.realIdcard.com/">
      <arg0 xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></arg0>
    </getImage>
  </s:Body>
</s:Envelope>

The response from the service without the certificate based security:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://service.sourceOne.realIdcard.com/RealIdCardService/getImageResponse</a:Action>
    <a:RelatesTo>urn:uuid:5d1170db-cc7f-485b-9d19-e88edb49a957</a:RelatesTo>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2011-08-11T16:39:57.496Z</u:Created>
        <u:Expires>2011-08-11T16:44:57.496Z</u:Expires>
      </u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body>
    <getImageResponse xmlns="http://service.sourceOne.realIdcard.com/">
      <getImageResult xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <CumbID>W261748481</CumbID>
        <HMOID i:nil="true"/>
        <IDCardImage>/9j/QAxb/wATayS9uZhG </IDCardImage>
        <MailDate>7/1/2011 12:00:00 AM</MailDate>
      </getImageResult>
    </getImageResponse>
  </s:Body>
</s:Envelope>
1
wcfsoapcertificatewcf-securityws-security

1 Answers

8
votes

Your security setting is completely wrong based on your description. You want signatures in message? => you need message security but you are using transport security and only passing certificate as client identification. That has several implications:

  • Client connects to service over HTTPS - it validates trust to certificate used by service to build HTTPS connection
  • HTTPS itself (transport security) ensures encryption and integrity on the transport level
  • Certificate is only for client authentication - service doesn't have any certificate (certificate you configured is not used).
    • Client passes the certificate (public key) to the service and use its private key to sign headers.
    • Service receives the certificate and validate that it trust it
    • Service uses received public key to validate signatures
    • Service process the request and returns response
    • Service doesn't have any own certificate and client doesn't expect any => it cannot sign headers (client certificate cannot be used as well because service doesn't know clients private key)
  • Client receives the response and it is simply trusted because it returns over established HTTPS connection

If you want to have signatures in both request and response you must move to full message security (HTTPS will not be needed) which means changing security mode from TransportWithMessageSecurity to Message. After that both client and service will have its own certificate and use them to secure each message separately. By default whole content of your message will be also encrypted and signed. If you don't want it you must configure ProtectionLevel on your contracts.