views: 855

answers: 2

I am trying to get a WCF service configured with message security (no transport security) such that it can communicate with Java clients. I have been using SoapUI to test, and have overcome numerous hurdles. Now, WCF seems to be authenticating the message, but it is routing it to the operation without decrypting it. I am getting the following internal exception:

System.Runtime.Serialization.SerializationException

OperationFormatter encountered an invalid Message body. Expected to find node type 'Element' with name 'SaySomething' and namespace 'http://ecollege.com/securityspike/'. Found node type 'Element' with name 'xenc:EncryptedData' and namespace 'http://www.w3.org/2001/04/xmlenc#'

I have tried everything and read everything I can, and I have found nothing similar, nor found any solution. I am hoping someone might know what the deal is and be able to help me out. Below is my WCF service configuration and SoapUI message:

WCF Service Custom Binding Configuration

<customBinding>
  <binding name="custom">
    <security
      defaultAlgorithmSuite="Basic128Rsa15"
      authenticationMode="MutualCertificate"
      securityHeaderLayout="Lax"
      includeTimestamp="false"
      keyEntropyMode="ClientEntropy"
      messageProtectionOrder="EncryptBeforeSign"
      messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
      requireSignatureConfirmation="false"
      requireSecurityContextCancellation="false"
      allowSerializedSigningTokenOnReply="true">
      <localServiceSettings detectReplays="false" />
    </security>
    <textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
    <httpTransport />
  </binding>
</customBinding>

SoapUI Original Message

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://ecollege.com/securityspike/">
   <soapenv:Header/>
   <soapenv:Body>
      <sec:SaySomething>
         <sec:message>
            <sec:Message>Hello from SoapUI!</sec:Message>
         </sec:message>
      </sec:SaySomething>
   </soapenv:Body>
</soapenv:Envelope>

SoapUI Secured Message

<soapenv:Envelope xmlns:sec="http://ecollege.com/securityspike/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-E4A1994D222819B9E91267220999421261" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
         <ds:Signature Id="Signature-125" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#id-126">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>TY3WWW+3MjAXCj70Ao8g4owVfwc=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>sJS23J31T+EiH9ZcpOBWm9VZDgINsBLWncC9q+Qzhqab/KIY3/hs+Xn2oD6JKPo3/mOIqZ/ZMDMj
KSUKRghYbsGYrUl4Z/37hbmg5ZLaA/XxLMy8cmfXi2FhgebTwFX2Zm3nptCELFaMqcufEV9KBDtv
98/2H4K63ZJa39YW9Tk=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-E4A1994D222819B9E91267220999421262">
               <wsse:SecurityTokenReference wsu:Id="STRId-E4A1994D222819B9E91267220999422263" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  <wsse:Reference URI="#CertId-E4A1994D222819B9E91267220999421261" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
         <xenc:EncryptedKey Id="EncKeyId-E4A1994D222819B9E91267220999410260">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference>
                  <ds:X509Data>
                     <ds:X509IssuerSerial>
                        <ds:X509IssuerName>CN=RootCATest</ds:X509IssuerName>
                        <ds:X509SerialNumber>-146698624100943020459804947660733868602</ds:X509SerialNumber>
                     </ds:X509IssuerSerial>
                  </ds:X509Data>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue>og/+4qWGOAZ8jlk2VZeTGP5++lF0aAyaqFSeuIGrGyblklIWf+lkmHydFK2j4ade7tpeiBKHxtcxPR87OpK3pCyStpN36pdqHOdDsy/pozrc7b6zn9IrwXC/WjhIXVQiPZZfpHk0B75ByJq+2laIVbqpeYmGQLaj3ocl/AooGdQ=</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
               <xenc:DataReference URI="#EncDataId-124"/>
            </xenc:ReferenceList>
         </xenc:EncryptedKey>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body wsu:Id="id-126" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <xenc:EncryptedData Id="EncDataId-124" Type="http://www.w3.org/2001/04/xmlenc#Content">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wsse:Reference URI="#EncKeyId-E4A1994D222819B9E91267220999410260"/>
            </wsse:SecurityTokenReference>
         </ds:KeyInfo>
         <xenc:CipherData>
            <xenc:CipherValue>2v9lbteE7Vh5zbw0yZHxX9srTRh6N/uOxsCnjY1/ShDQvExCDcuVCfgfpXxdbCWRHcH1QTIJ9Wv1
vG17WA1c7AdnVZfyAmGsXYNn2ZhIq3dQeUKbgDnhfT16NOPeXUtdd+EUb5p+Iw1JrktXmKK+jpX6
7Kp/Wv1vaxN9xfZfygqBrdgrjJYyihlQoKI0UEpc3QoKW6Zwp3hJcf52gLJwBb2Sxcc8Nnnr83GM
15SGv9rEIpYzJKvebwiha1/bby+mULEvlNrtsER7GyjG94Eu+0BjsPPYMwt4E6iV0umMuZF8Su8o
MWYXby+aaUs4QOGsWJSAJWrICIWfZDM/VjOj76OAzc3vKL/lLNJskQ5XYdOWzjYz5v6qZ5C4mTV7
ZNWM3cnLe40CtguuzYHooPyjpcE9MEsP5oVm4ns2dVZvsaF/lYxQZHsRDRNxkEC19pkK</xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </soapenv:Body>
</soapenv:Envelope>

WCF Secured Message

<s:Envelope 
  xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" 
  xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <o:Security 
      s:mustUnderstand="1" 
      xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:BinarySecurityToken 
        u:Id="uuid-1aa5b3d3-f82a-4de3-a8cf-3c36d2042a9a-5" 
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        >MIIB9DCCAWGgAwIBAgIQCdc8f7wHY5NIPPv+42iHmzAJBgUrDgMCHQUAMBUxEzARBgNVBAMTClJv
        b3RDQVRlc3QwHhcNMTAwMjI1MTcyMzM1WhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw13Y2ZD
        bGllbnRDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw8RJdTARFL+1bbFptcYkIsuBC
        iJam9rBR14CBKxlvsAVI70F63aDUctYxGKhJgpTOGZyqtVtgawoFf/oPVGSm7yRDR5XcuhqwoQ7I
        MHxAVKLyNaiE/ZtYb3RTcIC7y1JS2n/DHKu+KK4T2FVhBEZYVhOYP/u4SOvGK6X6uahy4wIDAQAB
        o0owSDBGBgNVHQEEPzA9gBDhcQFxXO88N5H8wWmVu2LGoRcwFTETMBEGA1UEAxMKUm9vdENBVGVz
        dIIQSgymJZg5k5xJ3Qs97Rs+fTAJBgUrDgMCHQUAA4GBAFumlUh7/DKBwWHvqgcGUFIMx/VtbvlE
        fyKMIIrdce1I7dPON4+TRf+kho1nf7zbxrioN0s3RfNapiFPkiBndGbyQjoojfq2PRttcbBXgyya
        Dg3s6Yg95r4ytMn4G9wDICdiW42RKReCZA1PJA55DWtFqWNrUgnDq/uTttHQdOB+</o:BinarySecurityToken>
      <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <X509Data>
              <X509IssuerSerial>
                <X509IssuerName>CN=RootCATest</X509IssuerName>
                <X509SerialNumber>-146698624100943020459804947660733868602</X509SerialNumber>
              </X509IssuerSerial>
            </X509Data>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>EX2mPLI7VpedG2WVzmBiYje+z/WppWsYO6Pg4/WwlQRv2rLaFmgF4cg8yn55dVyFStr9Me6jjq4s
          +VS5s0t+IGVjCm17gCREC4r07FUTPFKtB5JR8lfcRFKriCMCkwnr4DLxzVKa/h9Mw+4DK4+mMkX+
          lAO985cluGKhbmuWYhM=</e:CipherValue>
        </e:CipherData>
        <e:ReferenceList>
          <e:DataReference URI="#_2"/>
        </e:ReferenceList>
      </e:EncryptedKey>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>r01NIZbDYv/a/od4dKmN2VF54NY=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>h/uzND4eoH5WOguIzwO9YurD2fEF0NBH9Bl5ipFjZaffyi+z2m2fYngujtcoxh8a6YPyMW3Us0Q0
        //i79GEnkxCq0mBPbLJvLvtXFAuJpFZ9oOEKRqJ5Uqh8je6um0KJCiSFn74xy23OEG6fRbUJZkJP
        IH8KnGhzqR1UGXkI49E=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference 
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
              URI="#uuid-1aa5b3d3-f82a-4de3-a8cf-3c36d2042a9a-5"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_1">
    <e:EncryptedData Id="_2" 
       Type="http://www.w3.org/2001/04/xmlenc#Content" 
       xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <e:CipherData>
        <e:CipherValue>2VwP5Qcdyff6awcskzwtLktVQOB2UKFOFmFExNUJa0kJbT1gH1MzoIthuNx7bUHmAqGpnmrs6b2t
          f4zpkZv8mZ8L41WBkrg2LGLCeBpXtmudpOdQ9KaEIXqXlRHUI6OutrsCKRWDTRlMD+Y2m0fM8sxF
          5mp7lsGJUVzbpLcb4hduKI2RVkylxRMpqIgcDR4vj72ew52QMtrNdH5QZsouyBDeE2fc+imGKK9K
          UcLlQbZRzLkv9oYzHicewaWnOeGr4dhkdn6eBropbK0gqxoxng==</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>

A:

The best way to debug this is setting up a working WCF client to this service and comparing its SOAP to SoapUI's.

Out of the blue, I would try to alter messageProtectionOrder and check the ProtectionLevel attribute on the contract (if it exists).

Yaron Naveh

I have been comparing WCF messages to SoapUI messages. Outside of element order in the header, there is no difference. I have tried every messageProtectionOrder there is (as well as every other setting... however, there are a HUGE number of setting combinations overall), and the contract has no protection level.

jrista

Please publish the WCF-generated SOAP.

Yaron Naveh

Added a WCF request example.

jrista

A:

To provide an answer for this question: as it turned out, I had the messageProtectionOrder setting configured incorrectly. The ultimate goal was to sign the message contents, then encrypt. SoapUI, as well as our business partner, was signing then encrypting the message, but since WCF was configured to encrypt (or decrypt) first then sign, it was unable to properly process secured messages using SignBeforeEncrypt.

Matching the WCF configuration to the SoapUI/Business Partner configuration resolved this issue.

jrista
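As an added example (not code from the question or either answer), a small Python inspector that resolves the signature and encryption references of a WS-Security envelope built the way the messages above are: it reports which element the ds:Reference covers, which element the EncryptedKey's DataReference points at, and whether the Body reaching the dispatcher is still ciphertext, which is exactly the state the SerializationException describes. The embedded sample is a constructed cut-down of the SoapUI secured message (certificate, digests and ciphertext dropped), and the names `inspect_security` and `find_by_id` are chosen here.

```python
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: the SoapUI secured message above, reduced to the elements
# that determine how the Body is protected (cert, digests, ciphertext removed).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"
  xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <soapenv:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#id-126"/></ds:SignedInfo></ds:Signature>
  <xenc:EncryptedKey Id="EncKeyId-1"><xenc:ReferenceList>
   <xenc:DataReference URI="#EncDataId-124"/></xenc:ReferenceList></xenc:EncryptedKey>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="id-126">
  <xenc:EncryptedData Id="EncDataId-124" Type="%(xenc)sContent">
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body></soapenv:Envelope>""" % NS

def find_by_id(root, uri):
    """Resolve a same-document '#id' reference against wsu:Id or a plain Id."""
    wanted = uri.lstrip("#")
    return next((el for el in root.iter()
                 if wanted in (el.get(WSU_ID), el.get("Id"))), None)

def inspect_security(xml_text):
    """Report what the signature covers, what the encrypted key protects, and
    whether the Body would reach the operation formatter as ciphertext."""
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    sig_ref = sec.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    data_ref = sec.find("xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", NS)
    signed = find_by_id(root, sig_ref.get("URI"))
    encrypted = find_by_id(root, data_ref.get("URI"))
    return {
        "header_order": [local(c) for c in sec],
        "signed_element": local(signed),
        "encrypted_element": local(encrypted),
        "encrypted_type": encrypted.get("Type", "").rsplit("#", 1)[-1],
        # Signature and encryption both target the Body; whether the digest was
        # taken over plaintext or ciphertext is not visible here, so the
        # receiver's messageProtectionOrder must match the sender's.
        "body_is_ciphertext": local(body[0]) == "EncryptedData",
    }
```

Run `inspect_security(SAMPLE)` on the sample and the report shows the Body signed by reference, its content encrypted in place, and the Body still holding EncryptedData; the same call on a captured message shows whether a mismatched messageProtectionOrder could leave it undecrypted.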