Please excuse me for getting a little off-topic with my problem, but the
good news is that, while using XFire, composing and verifying the signature
really works out quite well through the WSS4J handlers. At least while there
is XFire at both ends (e.g. Client, providing the signature, and Server,
authenticating the user based on it).

Could someone help me with putting an X.509 certificate into a SOAP request
with a web service client implemented the .NET way? Surely there must be an
easy way!


At first I tried creating a Web Reference with Visual C# 2005 (Express ed.).
So far the only way I found is to provide some certificate through the
ClientCertificates collection of the proxy class generated by the Web
Reference of the Visual Studio project. I tried to generate the certificate
in numerous ways (first using the openssl tool and then the makecert.exe
utility). The certificate had both the public key and the private key. With
makecert.exe I even tried to turn on the enhanced key usage of "Client
Authentication" (-eku 1.3.6.1.5.5.7.3.2). Any attempt to get some Header into
the SOAP request has failed that way, but the request itself looks OK,
meaning that if demanding the signature could be turned off, the service
would work.

Here is an example of the request made using the regular Web Reference way
(just without any Header or signature):
===> start of the request example <===
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
 <someMethod xmlns="http://service.somewhere.around.there">
   <in0>
     <ANumber xmlns="http://criteria.service.somewhere.around.here">222</ANumber>
     <BNumber xmlns="http://criteria.service.somewhere.around.here">234</BNumber>
     <a1Number xsi:nil="true" xmlns="http://criteria.service.somewhere.around.here" />
     <a2Number xsi:nil="true" xmlns="http://criteria.service.somewhere.around.here" />
   </in0>
 </someMethod>
</soap:Body>
</soap:Envelope>
===> end of the request example <===


After that I tried installing and using Web Services Enhancements (v3.0).
Definitely there is some SOAP Header. No signature though. The test client
got its configuration using the WSE configuration tool (WseConfigEditor3.exe).
I tried to configure it to insert just a signature without any encryption. I
could provide the app.config and wse3policyCache.config generated (and
used), if needed. But the real problem is that there are actually too many
options for me to experiment with (without any real picture of what they
could mean). The other problem is that somehow the format of the request is
different. Could WSE provide the same kind of request as the ordinary "Web
Reference" way does?

An example of the request generated in WSE3 way:
===> start of the request example <===
<soap:Envelope xmlns:xop="http://www.w3.org/2004/08/xop/include"
   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
   <wsa:Action>SomeMethodRequest</wsa:Action>
   <wsa:MessageID>urn:uuid:f6428642-aaf7-4b63-934e-96234576e64d</wsa:MessageID>
   <wsa:To>http://localhost:17001/helin-ws/services/SomeService</wsa:To>
   <wsse:Security>
       <wsu:Timestamp wsu:Id="Timestamp-bd825f06-3fe1-408b-8c41-d70d349f316c">
           <wsu:Created>2007-02-06T12:35:30Z</wsu:Created>
           <wsu:Expires>2007-02-06T12:40:30Z</wsu:Expires>
       </wsu:Timestamp>
   </wsse:Security>
</soap:Header>
<soap:Body>
   <SomeMethodRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
       xmlns="http://service.somewhere.around.there">
       <ANumber xmlns="http://criteria.service.somewhere.around.here">222</ANumber>
       <BNumber xmlns="http://criteria.service.somewhere.around.here">234</BNumber>
       <a1Number xsi:nil="true" xmlns="http://criteria.service.somewhere.around.here" />
       <a2Number xsi:nil="true" xmlns="http://criteria.service.somewhere.around.here" />
   </SomeMethodRequest>
</soap:Body>
</soap:Envelope>
===> end of the request example <===


Response sent by the Web Service:
===> start of the response <===
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body>
   <soap:Fault>
       <faultcode>soap:Client</faultcode>
       <faultstring>WSS4JInHandler: security processing failed (actions mismatch)</faultstring>
   </soap:Fault>
</soap:Body>
</soap:Envelope>
===> end of the response <===


At the end of the message, let me put an example of how a valid request
could look (it looks almost like the "Web Reference" way and contains both
the signature and the certificate used):
===> start of the valid request example <===
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
   <wsse:Security soap:mustUnderstand="1"
       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
       <ds:Signature Id="Signature-3012109" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
               <ds:Reference URI="#id-4726378" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                   <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                           xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                   </ds:Transforms>
                   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                   <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CpmHNkxoY2ztW3YK/0lN4wIHkUQ=</ds:DigestValue>
               </ds:Reference>
           </ds:SignedInfo>
           <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
DRY/iVi8ZWbfsBQPVytnOa2W277ILzMRe0rqExd3BuC6TBZDwa+tfDLm1Qz+EFeDS+uJTszk7vHN
F1qThB7BmGK2DKpEsHqGBXlgYzMt5QX04fMRnBcyRR9S7pzVc6r+T2LN/0njzaWgvEe9BXUh
F1qThB7BmGK2DKpEsHqGBXlgYzMt5QX04fMRnBcyRR9S7pzVc6r+Wos2
1c1v7pn5a3aJI4N3t5E=
           </ds:SignatureValue>
           <ds:KeyInfo Id="KeyId-24434368" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference wsu:Id="STRId-29298269"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                   <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                       <ds:X509IssuerSerial xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                           <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">CN=12345</ds:X509IssuerName>
                           <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">1162977904</ds:X509SerialNumber>
                       </ds:X509IssuerSerial>
                   </ds:X509Data>
               </wsse:SecurityTokenReference>
           </ds:KeyInfo>
       </ds:Signature>
   </wsse:Security>
</soap:Header>
<soap:Body wsu:Id="id-4726378"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <someMethod xmlns="http://service.somewhere.around.there">
       <in0>
           <ANumber xmlns="http://criteria.service.somewhere.around.here" xsi:nil="true" />
           <BNumber xmlns="http://criteria.service.somewhere.around.here" xsi:nil="true" />
           <a1Number xmlns="http://criteria.service.somewhere.around.here" xsi:nil="true" />
           <a2Number xmlns="http://criteria.service.somewhere.around.here" xsi:nil="true" />
       </in0>
   </someMethod>
</soap:Body>
</soap:Envelope>
===> end of the valid request example <===



--
Martin
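
Added example (not part of the original post, and not XFire, WSS4J or WSE code): WSS4J reports "actions mismatch" when the security actions it processed in the wsse:Security header differ from the ones configured on the receiving handler. The sketch below lists the actions a captured envelope carries and checks that a ds:Reference points at the wsu:Id of soap:Body, as in the valid request above. The required action list, the function names and the three sample envelopes are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# wsse:Security child element -> action label (labels chosen for this example)
ACTIONS = {f"{{{NS['wsu']}}}Timestamp": "Timestamp",
           f"{{{NS['ds']}}}Signature": "Signature"}
REFS = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"

def security_actions(envelope):
    """Security actions present in the wsse:Security header, in document order."""
    sec = ET.fromstring(envelope).find("soap:Header/wsse:Security", NS)
    return [] if sec is None else [ACTIONS[c.tag] for c in sec if c.tag in ACTIONS]

def body_is_signed(envelope):
    """True if some ds:Reference URI points at the wsu:Id carried by soap:Body."""
    root = ET.fromstring(envelope)
    body = root.find("soap:Body", NS)
    body_id = None if body is None else body.get(f"{{{NS['wsu']}}}Id")
    return body_id is not None and any(r.get("URI") == "#" + body_id for r in root.findall(REFS, NS))

def diagnose(envelope, required=("Signature",)):
    """required is an assumption: the post does not show the server's WSS4J config."""
    found = security_actions(envelope)
    if found != list(required):
        return f"actions mismatch: required {list(required)}, found {found}"
    if "Signature" in required and not body_is_signed(envelope):
        return "signature does not cover soap:Body"
    return "ok"

def make_envelope(security_children, body_attrs=""):
    """Constructed, minimal envelope shaped like the ones in the post (not a capture)."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f"<soap:Envelope {xmlns}><soap:Header><wsse:Security>{security_children}"
            f"</wsse:Security></soap:Header><soap:Body{body_attrs}><someMethod/>"
            "</soap:Body></soap:Envelope>")

def signature(uri):
    return f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{uri}"/></ds:SignedInfo></ds:Signature>'
WSE3_STYLE = make_envelope('<wsu:Timestamp wsu:Id="Timestamp-1"/>')  # Timestamp only
SIGNED = make_envelope(signature("#id-1"), ' wsu:Id="id-1"')         # Body referenced
UNBOUND = make_envelope(signature("#elsewhere"), ' wsu:Id="id-1"')   # Body not referenced

if __name__ == "__main__":
    print([diagnose(e) for e in (WSE3_STYLE, SIGNED, UNBOUND)])
```

This only inspects structure; it does not verify the digest or the RSA signature value, which the receiving handler still has to do.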
