Hi,

I need to ensure in WCF a SOAP header like this:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
   <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-1D82AB9733B359236712457035776561"></wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Timestamp-1">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue></ds:DigestValue>
     </ds:Reference>
     <ds:Reference URI="#id-3">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue></ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue></ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-1D82AB9733B359236712457035776562">
     <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-1D82AB9733B359236712457035776563">
      <wsse:Reference URI="#CertId-1D82AB9733B359236712457035776561" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
    <wsu:Created>2009-06-22T20:46:17Z</wsu:Created>
    <wsu:Expires>2009-06-22T20:51:17Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </SOAP-ENV:Header>

where the timestamp and body parts/elements will be digitally signed by a directly referenced certificate included in the message (BinarySecurityToken), and confidentiality will be ensured only at the transport level by SSL (IIS-hosted service). Currently I am using the classes TransportSecurityBindingElement and HttpsTransportBinding, but I still can't get the SOAP header I want... The problem is (according to message tracing) that the BinarySecurityToken element is missing attributes like Id, EncodingType and ValueType, and the message body isn't signed (I set ProtectionLevel to Sign in the contract).

So if someone has skills with this, I would very much appreciate it.

+1  A: 

This is a shot in the dark, since I don't know any WCF, but I do know SOAP message signing.

A must-have is an attribute "Id" or "wsu:Id" on your SOAP body element. The signature will use that Id as the reference for the data being signed. In the example you posted, this is being done on the wsu:Timestamp element -- it has an id of

wsu:Id="Timestamp-1"

And then the signature uses that as a reference:

 <ds:Reference URI="#Timestamp-1">

And in the example the signature also references:

 <ds:Reference URI="#id-3">

which, I assume, is the id of the body in the example.

I'm not sure how your toolkit's API attaches Ids, but you'll definitely need it on anything you sign.

EncodingType and ValueType are a little trickier. I'm afraid I don't know that one off the top of my head. My temptation would be to try to get the Ids right and then see if it all falls into place. It might.

bethlakshmi
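As an added example (not from the question or the answer), a small Python check for the two points this thread turns on: every ds:Reference URI must resolve to an element carrying a matching Id or wsu:Id, and the BinarySecurityToken should carry the wsu:Id, EncodingType and ValueType attributes the question's trace found missing. The sample envelope is constructed, trimmed from the header in the question; the `x#...` EncodingType/ValueType values are placeholders.

```python
# Added check, not from the question or answer: does every ds:Reference resolve to an
# Id/wsu:Id, and does the BinarySecurityToken carry the attributes the question lacked?
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]
TOKEN_ATTRS = (WSU_ID, "EncodingType", "ValueType")

def collect_ids(root):
    """Map each Id / wsu:Id to its element; a duplicate would make a reference ambiguous."""
    ids = {}
    for el in root.iter():
        for v in (el.get(WSU_ID), el.get("Id")):
            if v is not None:
                if v in ids:
                    raise ValueError("duplicate Id %r" % v)
                ids[v] = el
    return ids

def audit_security_header(xml_text, required=("Timestamp", "Body")):
    """Return {'unsigned', 'unresolved', 'token_missing'}; all empty means the header is right."""
    root = ET.fromstring(xml_text)
    ids = collect_ids(root)
    sec = root.find("s:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    signed, unresolved = set(), []
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None  # same-document refs only
        if target is None:
            unresolved.append(uri)
        else:
            signed.add(target.tag.rsplit("}", 1)[-1])  # local name of the signed element
    token = sec.find("wsse:BinarySecurityToken", NS)
    return {"unsigned": [n for n in required if n not in signed],
            "unresolved": unresolved,
            "token_missing": [a.rsplit("}", 1)[-1] for a in TOKEN_ATTRS
                              if token is None or token.get(a) is None]}

# Constructed sample envelope (not a real capture); token and Body attributes are parameters.
TEMPLATE = """<s:Envelope xmlns:s="{s}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
<s:Header><wsse:Security s:mustUnderstand="1"><wsse:BinarySecurityToken {token}>MIIB...</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#id-3"/>
</ds:SignedInfo></ds:Signature><wsu:Timestamp wsu:Id="Timestamp-1"/></wsse:Security></s:Header>
<s:Body {body}><Ping/></s:Body></s:Envelope>"""
GOOD = TEMPLATE.format(body='wsu:Id="id-3"',
    token='wsu:Id="CertId-1" EncodingType="x#Base64Binary" ValueType="x#X509v3"', **NS)
BAD = TEMPLATE.format(body="", token="", **NS)  # the shape the question's trace showed
```

Running `audit_security_header(BAD)` reports the body as unsigned, `#id-3` as unresolved and all three token attributes as missing, which is exactly the symptom described in the question.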