My dear Sirs, I need to sign an XML document so that it complies with the XMLDSig standard; it must also comply with the XAdES-BES standard. This is in C#, and the result must be in this format:
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-8096cc3f-7d73-411f-8e7896cd0">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
</ds:SignatureMethod>
<ds:Reference Id="xmldsig-8096cc3f-7d73-411f-8e70-48b152896cd0-ref0"
URI="#CV3220627253095794000010100000000209051986238">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>qQPFv+nWie8pbwUlgBWD2H9hzZtK/E=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#xmldsig-809d73-411f-8e70-48b152896cd0-keyinfo">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>O6vdUpwOQh9H5BFTwrdOEnSkFi0653Gvh4=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xmldsig-8096cc3f-7d73-70-48b152896cd0-signedprops">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>13x9mrEZtldUEgHofrznSCKTrL1RPQtJxeD/Idgb9Nc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="xmldsig-8096cc3f-7d73-411f-8e70-48b152896cd0-sigvalue">
IP2H4P8VqoMyer5TlFOg7ElkVA=
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xmldsig-8096cc3f-7d73-411f-8e70-48b152896cd0-keyinfo">
<ds:X509Data>
<ds:X509Certificate>
MIIQyDy3ReOT5Usgx/lS7szPaf7J1mptx7J7nMNFW
DG26JjBKF+xbHM4=
</ds:X509Certificate>
<ds:X509IssuerSerial>
<ds:X509IssuerName>cn=TesteSispCA</ds:X509IssuerName>
<ds:X509SerialNumber>691455013706561</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509SubjectName>c=CV,o=A Economia E Gestao ,2.5.4.97=CV-2530994,ou=Fatura Eletronica,cn=AB,1.2.840.113549.1.9.1=miaegestao</ds:X509SubjectName>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Target="#xmldsig-8096cc3f-7d73-411f-8e70-48b152896cd0">
<xades:SignedProperties Id="xmldsig-8096cc3f-7d73-411f-8e70-48b152896cd0-signedprops">
<xades:SignedSignatureProperties>
<xades:SigningTime>2022-06-27T14:41:01.782-01:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>6/OH7zBR7dT/W6fwYi/WR58ld3jabGYQOKSPpwOuxF0=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>cn=TesteSispCA</ds:X509IssuerName>
<ds:X509SerialNumber>6914550136706561</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
<xades:UnsignedProperties>
<xades:UnsignedSignatureProperties>
<xades:SignatureTimeStamp>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<xades:EncapsulatedTimeStamp>JKoZIhvcNAQcCoIIVVjCCFVICAQMxDzANBglghkgBZQMEAgKl6iR0xeKdnc</xades:EncapsulatedTimeStamp>
</xades:SignatureTimeStamp>
</xades:UnsignedSignatureProperties>
</xades:UnsignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
I signed one, but it just gives the error: Unable to verify signature. Reference '#CV3220624253095794000010100000002707385730942' cannot be validated.
It seems like the problem is that you provide the validator with a ds:Signature alone, without the referenced signed data.
I.e. you have the reference with Id="xmldsig-8096cc3f-7d73-411f-8e70-48b152896cd0-ref0", referencing an XML node by its URI attribute: URI="#CV3220627253095794000010100000000209051986238".
As defined in XMLDSig "4.4.3.2 The Reference Processing Model", a reference starting with the '#' character refers to a node within the current XML document, i.e. the one containing the signature.
Therefore, you shall provide the originally signed content with Id="CV3220627253095794000010100000000209051986238" to the validator within the same document as the signature, without extracting the signature element.
Then the validator will be able to correctly dereference the signed content.
If you do not want to share the signed content together with the signature, you may consider a detached signature format. In a detached format the signature is present in a separate file from the original signed document.
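To see the answer's point in .NET, here is an added example (not from the question or the answer) that signs a constructed invoice with the same enveloped-signature, C14N and rsa-sha256 settings as the question's SignedInfo, then verifies it once inside the whole document and once as an extracted ds:Signature. It assumes .NET Core 3.0 or later with the System.Security.Cryptography.Xml package, generates a throwaway self-signed certificate, and uses invented class, element and Id names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SameDocumentReferenceDemo
{
    // Constructed sample document; the Id plays the role of the CV... element in the question.
    const string InvoiceXml = "<Invoice Id=\"CV-DEMO-0001\"><Total>42.00</Total></Invoice>";

    // Enveloped signature, C14N 1.0 and rsa-sha256, as in the question's SignedInfo.
    public static XmlDocument SignEnveloped(X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(InvoiceXml);

        var signedXml = new SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Same-document reference: "#id" is resolved against the document given to the constructor.
        var reference = new Reference("#CV-DEMO-0001") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verifier given the whole document: the URI resolves and the digest can be recomputed.
    public static bool VerifyInPlace(XmlDocument signedDoc, X509Certificate2 cert)
    {
        var sigNode = (XmlElement)signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        var signedXml = new SignedXml(signedDoc);
        signedXml.LoadXml(sigNode);
        return signedXml.CheckSignature(cert, true);
    }

    // Verifier given only the extracted ds:Signature: nothing carries the referenced Id,
    // so .NET throws ("Malformed reference element") instead of returning a verdict.
    public static string VerifyExtracted(XmlDocument signedDoc, X509Certificate2 cert)
    {
        var sigNode = (XmlElement)signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        var lonely = new XmlDocument { PreserveWhitespace = true };
        lonely.LoadXml(sigNode.OuterXml);
        var signedXml = new SignedXml(lonely);
        signedXml.LoadXml(lonely.DocumentElement);
        try
        {
            return signedXml.CheckSignature(cert, true) ? "valid" : "invalid";
        }
        catch (CryptographicException ex)
        {
            return "reference cannot be resolved: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Throwaway self-signed certificate; a real signer would load its PFX here.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=demo-signer", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        XmlDocument signedDoc = SignEnveloped(cert);
        Console.WriteLine("whole document:  " + VerifyInPlace(signedDoc, cert));
        Console.WriteLine("signature alone: " + VerifyExtracted(signedDoc, cert));
    }
}
```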
Related
I need to talk to some external web services, using SOAP with XML Signature (xmldsig), over HTTPS.
WCF seems to be the current way to do it with .NET/C#. I tried some (many) things, but without success. The signature isn't exactly the same as what's expected by the remote server, and I always get an invalid signature message (without more information).
I have a "project" in SoapUI which allows me to see what's needed. But I can't get exactly the same thing with WCF. I think I need to use a custom binding, but it's really not obvious, and I'm rather a WCF newbie than an expert.
From a message like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:axw="http://www.axway.com">
<soapenv:Header/>
<soapenv:Body>
<axw:ws_liste_adherents>
<axw:adherent>XXXXX</axw:adherent>
</axw:ws_liste_adherents>
</soapenv:Body>
</soapenv:Envelope>
With a given certificate (+ password), I have to build a message like this (I replaced some content with XXXXX):
<soapenv:Envelope xmlns:axw="http://www.axway.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:Signature Id="SIG-797BAE4CD3371CB59B14999468343185" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-797BAE4CD3371CB59B14999468343164">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="axw" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>RCb3MTzUAr9dwAlG2ossgryTrTI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>NhTdqGTLFdgoXbwehGnWeX+zbz5GDAd2cjT39/5acDstEMjdUt5U4zzc7wsAaHf0skH+M5/yFLF8
T11aHhCZWaN/RDNg7kP47lvovMFeOwjYx2zs4LLFedAXcKtI7LjQtvA90r2zqYe4JykuD1LbOHjy
CCiU7ZrPGAsOB4rIyvz3gV3WfWR+MMpjgw6FsZ1ZujSOk4ezNPZk9R0wjm4MPbIHG+hUzQol6J4v
LYkZQKoMIPDOnz6cYf0RFTnZRBL8cf/Brq5NiN946145yj/+ElYjRzYQvo3Vex4EdZM5S4Rpk1vv
t+OyKkv5CbBcvrewdlYY/QdtsSakHo5OXcGbcA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-797BAE4CD3371CB59B14999468343112">
<wsse:SecurityTokenReference wsu:Id="STR-797BAE4CD3371CB59B14999468343133">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">XXXXXXXXXXXXXXXXXXXXX==</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-797BAE4CD3371CB59B14999468343164" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<axw:ws_liste_adherents>
<axw:adherent>XXXX</axw:adherent>
</axw:ws_liste_adherents>
</soapenv:Body>
</soapenv:Envelope>
Is WCF really the right tool? Is using a custom binding the right way to do it?
Some help would be welcome, as I'm totally stuck now.
Thanks.
I am sending a SAML 2.0 logout request to ADFS and getting a logout response with status code "urn:oasis:names:tc:SAML:2.0:status:Requester".
I have checked the NameID value and it is equal to the NameID in the Assertion.
I don't see any error on ADFS logs.
This is my Logout request:
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" Destination="https://IDP_adfs.xxx.com/adfs/ls/" ID="id007471cfceb449239be1a6a48d28ae89" IssueInstant="2015-01-05T15:30:56.3978094Z">
<saml:Issuer>https://SP.xxx.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id007471cfceb449239be1a6a48d28ae89">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>GsF...t/uwM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>qY5RIT/eT9Tgkg7dj...IPn/2STu7iepIQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC5jCCAc...qAdOYsuKUgO9WNers=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user#xxx.com</saml:NameID>
<samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>
</samlp:LogoutRequest>
This is my Logout Response:
<?xml version="1.0"?>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_79573c99-c8d3-4ea3-8b53-e15551128318" Version="2.0" IssueInstant="2015-01-05T15:31:02.954Z" Destination="https://SP.xxx.com/Account/logout/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id007471cfceb449239be1a6a48d28ae89">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_79573c99-c8d3-4ea3-8b53-e15551128318">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>B/badvPpTrEuKZsqOvBQM54CIJ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cWIEl5wY3...lIiQDltacRcjxyw==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2jCCAcKgAwIBA...LmlI6oFWC3Lw=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
</samlp:Status>
</samlp:LogoutResponse>
This is my saml response with the assertion:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8b594b16-6505-4da6-9f4c-0d0d301bedb1" Version="2.0" IssueInstant="2015-01-05T14:25:40.241Z" Destination="https://SP.xxx.com/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d6df6a72-99de-4935-8153-0db0d6f4b3f6" IssueInstant="2015-01-05T14:25:40.241Z" Version="2.0">
<Issuer>http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>LUFxx...MY8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>svLLi2ooLayZCvYCrZlDnLJAt2K7SzUcNSPS7m1Qlb1UUXZWoznd5gqusXRRrGazx6AVdnpcLgI6LVZ7xirOUBGpFxNZO7q/0zkyvzY7/lwhO4RTqtTHL2QlJTwapalWXZ9FCw0kTbmLgwgZaaqRUee5hE1kpDrIpusJXU9L9Abc/UBLZhAcstTaXDVUvCF/FH2dz2Kv9P07pV5Kcy0RvQWeJ5IkDZHefDYNsm+9Y+2V3kuPC4Ry54/7cxWc2DvDcYaKxht88/J2MA2kOqzF60Ty2Ka1hy1GpCviVO8X+SfWtgOpGcjj0NxJGSwqIcgF5PGXYfgR5sLF66xaY1t+9w==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2jCCAcKgA...lI6oFWC3Lw=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="http://schemas.xmlsoap.org/claims/UPN">user#xxx.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52" NotOnOrAfter="2015-01-05T14:30:40.241Z" Recipient="https://SP.xxx.com/"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-01-05T14:25:40.241Z" NotOnOrAfter="2015-01-05T15:25:40.241Z">
<AudienceRestriction>
<Audience>https://SP.xxx.com</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>user#xxx.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>user#xxx.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>User User</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-01-05T14:25:40.225Z" SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
I am using the HTTP-POST binding to send the logout request and get the logout response.
According to the "urn:oasis:names:tc:SAML:2.0:status:Requester" status code there is a problem with my logout request, but unfortunately I can't find it.
urn:oasis:names:tc:SAML:2.0:status:Requester means that ADFS didn't "like" the request and blames the source of the request. As Hans Z points out, there should be something in the ADFS log and trace files. If there are no messages then do check your ADFS patch and hotfix levels.
Now to the problem in the above message. For signout there must be two correct identifications: NameID and SessionIndex. Although you seem to have edited the XML, which makes anything I write speculative... The problem could be the SessionIndex.
In the assertion, the AuthnStatement has SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6".
In the LogoutRequest, SessionIndex has the value _48b8991b-d3c4-4f8a-9c8b-a86e0a718c95.
I have not looked at other possible errors, because you seem to have edited the XML. The validating parser would refuse it for that reason and thus miss other possible problems.
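The check the answer describes, as an added example that is not part of the question or the answer: before a LogoutRequest is sent, compare its NameID (value and Format) and SessionIndex against the assertion that established the session. The class and method names are invented; the inputs in Main are trimmed copies of the XML in the question (signatures and unrelated attributes removed).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

public static class LogoutRequestChecker
{
    const string SamlNs  = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // SAML messages arrive from the network: parse them with DTD and entity resolution off.
    static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    // One manager per document; matching is by namespace URI, so the default
    // namespace used in the ADFS Response still matches the saml: prefix.
    static XmlNamespaceManager Nsmgr(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("samlp", SamlpNs);
        return ns;
    }

    // Returns the mismatches between the session-establishing Response and the LogoutRequest;
    // an empty list means NameID (value and Format) and SessionIndex agree.
    public static List<string> FindMismatches(string responseXml, string logoutRequestXml)
    {
        var problems = new List<string>();
        XmlDocument resp = Load(responseXml), req = Load(logoutRequestXml);
        XmlNamespaceManager rns = Nsmgr(resp), qns = Nsmgr(req);

        var aNameId  = (XmlElement)resp.SelectSingleNode("//saml:Assertion/saml:Subject/saml:NameID", rns);
        var aAuthn   = (XmlElement)resp.SelectSingleNode("//saml:Assertion/saml:AuthnStatement", rns);
        var qNameId  = (XmlElement)req.SelectSingleNode("/samlp:LogoutRequest/saml:NameID", qns);
        var qSession = (XmlElement)req.SelectSingleNode("/samlp:LogoutRequest/samlp:SessionIndex", qns);

        if (aNameId == null || aAuthn == null) { problems.Add("assertion lacks NameID or AuthnStatement"); return problems; }
        if (qNameId == null || qSession == null) { problems.Add("LogoutRequest lacks NameID or SessionIndex"); return problems; }

        string aValue = aNameId.InnerText.Trim(), qValue = qNameId.InnerText.Trim();
        string aFmt = aNameId.GetAttribute("Format"), qFmt = qNameId.GetAttribute("Format");
        string aIndex = aAuthn.GetAttribute("SessionIndex"), qIndex = qSession.InnerText.Trim();

        if (aValue != qValue) problems.Add("NameID value: assertion '" + aValue + "' vs request '" + qValue + "'");
        if (aFmt != qFmt)     problems.Add("NameID Format: assertion '" + aFmt + "' vs request '" + qFmt + "'");
        if (aIndex != qIndex) problems.Add("SessionIndex: assertion '" + aIndex + "' vs request '" + qIndex + "'");
        return problems;
    }

    public static void Main()
    {
        const string response =
            "<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='_8b594b16-6505-4da6-9f4c-0d0d301bedb1' Version='2.0'>" +
            "<Assertion xmlns='urn:oasis:names:tc:SAML:2.0:assertion' ID='_d6df6a72-99de-4935-8153-0db0d6f4b3f6' Version='2.0'>" +
            "<Subject><NameID Format='http://schemas.xmlsoap.org/claims/UPN'>user#xxx.com</NameID></Subject>" +
            "<AuthnStatement AuthnInstant='2015-01-05T14:25:40.225Z' SessionIndex='_d6df6a72-99de-4935-8153-0db0d6f4b3f6'>" +
            "<AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>" +
            "</AuthnStatement></Assertion></samlp:Response>";
        const string logoutRequest =
            "<samlp:LogoutRequest xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='id007471cfceb449239be1a6a48d28ae89' Version='2.0'>" +
            "<saml:Issuer>https://SP.xxx.com</saml:Issuer>" +
            "<saml:NameID Format='http://schemas.xmlsoap.org/claims/UPN'>user#xxx.com</saml:NameID>" +
            "<samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>" +
            "</samlp:LogoutRequest>";

        // With the question's values only the SessionIndex line is reported.
        foreach (string p in FindMismatches(response, logoutRequest))
            Console.WriteLine("MISMATCH " + p);
    }
}
```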
I have to use a web service that requires me to sign the SOAP header; the resulting XML must look like this:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-869FA65AC981B550EF133970680723210" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIID0jCCArqgAwIBAgIBBDANBgkqhkiG9w0B...(long Base64 string here)...4a7AXPA==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-7">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>i6nAseheCMiozKeQRwlJsUDlV8A=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
i9v0zDtvxu9mH+iPfYoiLL30vMrfgHlcIr9UOtIX1+QcM+nBL0jI+JFcYlNUVgzIFddn/RYxSiGK
4/amTXHIKxeyI2E/UnX/ajX70t1Pv0boM/i6klZScxmsncgX05ZOQ1AIMLtkSSclK6/vzCFReOmJ
R6WQs+axGAjF39AqdCQ=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-869FA65AC981B550EF133970680723311">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-869FA65AC981B550EF133970680723312" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#CertId-869FA65AC981B550EF133970680723210" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-8">
<XmlContent>Some content here</XmlContent>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Of course, I must sign it following the OASIS specification (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf).
But I have no idea where I should start. I'm already able to sign an XML tag, but I never had to sign the SOAP message header following the OASIS specification.
All I need to worry about is creating the SOAP XML message and signing its header; actually sending the SOAP message to the web service is another matter. We can't consume the web service directly in Visual Studio, which is why I'm not asking how to send it; I just have to create the SOAP message.
Yes, I already have the client's certificate and password, which I can instantiate like this:
X509Certificate2 certificate = new X509Certificate2(this.PfxLocation, this.PfxPassword);
I suppose I must create the header string manually, including the wsse:security and all the strings. But as I already said before, I have no idea where to start, where do I get the BinarySecurityToken, how do I add the ds namespace in the signature, among other things.
So, where could I start to resolve this problem? Is there already a solution in C# that I can use?
I am working on sending an XML message to a government agency (using that government agency's specifications, so I have no control over what the resulting XML needs to look like), and I am using C# for my development (company policy).
Two people that are far better than myself with C# and internet technologies reviewed the XML before I did, and informed me that WCF would not support the methods that were required to generate the signature on the XML document (this was a bit of a relief, since I haven't developed any WCF projects, and frightening, since I understand WCF to be a mature web technology).
So, I ended up using a combination of LINQ to XML and System.Xml to generate the message, and attempt to sign it.
Here's a bit of a trimmed down sample of the XML:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap-sec="http://schemas.xmlsoap.org/security/2000-12"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:cns="http://customNamespace1.com"
xmlns:cnt="http://customNamespace2.com"
>
<soapenv:Header>
<ns2:Element1 xmlns:ns2="http://namespace2.element1.com" wsu:Id="id-1">
...
</ns2:Element1>
<ns2:Element2 xmlns:ns2="http://namespace2.element2.com/" wsu:Id="id-2">
...
</ns2:Element2>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsu:Timestamp wsu:Id="id-3">
...
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="id-4">
...
</wsse:UsernameToken>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-5bf699c7-5336-4695-b395-88d2b984fe54" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
...
</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="SOAP-ENV cnt soap-sec soapenv sp cns wsdl wsp wsse wsu xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="SOAP-ENV cnt soap-sec soapenv sp cns wsdl wsp wsse wsu xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="SOAP-ENV cnt soap-sec soapenv sp cns wsdl wsp wsse wsu xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="SOAP-ENV cnt soap-sec soapenv sp cns wsdl wsp wsse xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="SOAP-ENV cnt soap-sec soapenv sp cns wsdl wsp wsu xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="SOAP-ENV cnt soap-sec sp cns wsdl wsp wsse wsu xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
...
</ds:SignatureValue>
<ds:KeyInfo Id="KI-ABDCFEC7595B7819C213402151542862">
<wsse:SecurityTokenReference wsu:Id="STR-ABDCFEC7595B7819C213402151542863">
<wsse:Reference URI="#SecurityToken-5bf699c7-5336-4695-b395-88d2b984fe54" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-5">
<ns5:bodyelement xmlns:ns4="http://namespace4.com/" xmlns:ns3="http://namespace3.com/" xmlns:ns2="http://bodynamespace2.com/" xmlns:ns5="http://namespace5.com/">
...
</ns5:bodyelement>
</soapenv:Body>
</soapenv:Envelope>
Here is some of the code that I have been trying (3 different methods for trying to get the uri fragment to work). I am only posting a portion of the code here, since it took over 200 lines of code to generate the appropriate XML, which I am now attempting to sign:
RSACryptoServiceProvider rsacsp = (RSACryptoServiceProvider)Key;
SignedXml xmlWSig = new SignedXml(myDoc);
xmlWSig.SigningKey = Key;
xmlWSig.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
XmlDsigExcC14NTransform canMethod = (XmlDsigExcC14NTransform)xmlWSig.SignedInfo.CanonicalizationMethodObject;
canMethod.InclusiveNamespacesPrefixList = "SOAP-ENV cns soap-sec soapenv sp cnt wsdl wsp wsse wsu xs xsi";
// Method #1: build a System.Uri from the fragment and pass its string form
Uri uri = new Uri("#id-1");
Reference ref1 = new Reference(uri.ToString());
XmlDsigExcC14NTransform transform1 = new XmlDsigExcC14NTransform("SOAP-ENV cns soap-sec soapenv sp cnt wsdl wsp wsse wsu xs xsi");
ref1.AddTransform(transform1);
ref1.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
xmlWSig.AddReference(ref1);
// Method #2: pass the fragment string straight to the Reference constructor
Reference ref2 = new Reference("#id-2");
XmlDsigExcC14NTransform transform2 = new XmlDsigExcC14NTransform("SOAP-ENV cns soap-sec soapenv sp cnt wsdl wsp wsse wsu xs xsi");
ref2.AddTransform(transform2);
ref2.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
xmlWSig.AddReference(ref2);
// Method #3: construct with an empty URI, then set the Uri property afterwards
Reference ref3 = new Reference("");
ref3.Uri = "#id-3";
XmlDsigExcC14NTransform transform3 = new XmlDsigExcC14NTransform("SOAP-ENV cns soap-sec soapenv sp cnt wsdl wsp wsse xs xsi");
ref3.AddTransform(transform3);
ref3.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
xmlWSig.AddReference(ref3);
//repeat things for id-4, and id-5
KeyInfo myKeyInfo = new KeyInfo();
myKeyInfo.AddClause(new RSAKeyValue((RSA)Key));
xmlWSig.KeyInfo = myKeyInfo;
xmlWSig.ComputeSignature();
XmlElement signedXmlElement = xmlWSig.GetXml();
Key is the private key grabbed from the X509 Certificate (and is what should be used as the key to sign the document). myDoc is the System.Xml XmlDocument that I have generated that I need to insert the signature into.
Method #1 gives me a System.UriFormatException: Invalid URI: The format of the URI could not be determined.
Method #2 gives me a System.Security.Cryptography.CryptographicException: Malformed reference element (if I drop the # from the Uri, it gives me a System.UriFormatException: Invalid URI: The URI is empty).
Method #3 gives me the same errors as Method #2.
From all of the documentation on using Uris for signatures, using just a Uri Fragment is allowed (assuming that the element being referenced is inside the same document), but the Uri class in C# doesn't seem to accept Fragments as an acceptable Uri.
The Reference class also seems to be requiring the full Uri, and not just a Fragment.
I'm open to any suggestions for how I can properly generate the signature in this XML using the specifications.
UPDATE: While the SignedXml + Reference + Transform seems like the best solution, I'm now beginning to believe that .NET has a major gap in these libraries, and dropping down to some lower-level libraries in order to generate the signature might be necessary.
Unfortunately, I'm still struggling with trying to tell what libraries would be needed and the algorithm for finding what needs to be signed. My understanding of the Exclusive Canonicalization was that you were only signing the elements specified by the prefixes listed in the InclusiveNamespaces PrefixList, but the URI in the Reference specifies the sub-document that the signature should be over, but the elements inside the specified elements don't use most of the included namespaces. Am I understanding the way that these References are supposed to work?
Looks like I may have to duplicate the algorithm of doing the URI + the Inclusive Namespaces for myself (still need to figure out how that will work), and convert those elements into byte arrays. Then use lower-level libraries for signatures.
Something like this:
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
signedMessage = rsa.SignData(originalMessage, CryptoConfig.MapNameToOID("SHA1"));
Then, signedMessage can be converted into a Base64 string, and inserted into each of the appropriate Digest Values.
A lot more work than I had hoped for, but if .NET doesn't support URI Fragments, I guess I have to do what I have to do.
Due to the complexity of this solution, I'm definitely open to alternatives if anybody has something smoother.
EDIT: After several hours of poring over the canonicalization documentation, it looks like the exclusive canonicalization is more about what namespaces you insert into the XML when ripping it out to sign it. If the namespace isn't directly used, and isn't included in the inclusive namespace prefix list, you don't add that namespace to the elements that you are signing prior to signing them. This still seems odd to me, since you don't necessarily want that namespace in the element inside the fuller context of the XML, and signing it means that it can't change, but you're not including it.
UPDATE: after many hours of testing, I did finally get this to work. But it had lots, and lots of very hideous code. Essentially, I had to pull each element that we were signing out into a copy, and manually update the namespaces that were included in that element, and then generate the hash from that (including performing the more complete transform at this time). But it did work.
Turns out that the reason .NET wasn't accepting it was because of the wsu namespace prefix.
Flipping the wsu:Id= to just id= was able to generate the signature at least.
Then, I came across this:
'Malformed Reference Element' when adding a reference based on an Id attribute with SignedXml class
This used drastically less code than my previous answer to develop, and is much easier to read/maintain.
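The three WS-Security questions above (the Axway SOAP call, the OASIS header signing, and the wsu:Id / "Malformed reference element" problem) all come down to the same two points: SignedXml does not resolve wsu:Id on its own, and the exc-c14n InclusiveNamespaces prefix list has to be set on both the CanonicalizationMethod and each Reference transform. The following added example (not code from any of the posts) does both on a constructed envelope whose Body carries wsu:Id="id-5" as in the last question; it uses a throwaway self-signed certificate and invented class names, and assumes .NET Core 3.0 or later with the System.Security.Cryptography.Xml package.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml only resolves Id/id/ID attributes; WS-Security marks signed parts with wsu:Id.
public sealed class WsuSignedXml : SignedXml
{
    public const string WsuNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public WsuSignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null) return found;
        // Ids are NCNames; rejecting anything else also keeps quotes out of the XPath below.
        try { XmlConvert.VerifyNCName(idValue); } catch (XmlException) { return null; }
        var ns = new XmlNamespaceManager(document.NameTable);
        ns.AddNamespace("wsu", WsuNs);
        XmlNodeList hits = document.SelectNodes("//*[@wsu:Id='" + idValue + "']", ns);
        // Exactly one target or nothing: a duplicated id is the classic signature-wrapping trick.
        return hits != null && hits.Count == 1 ? hits[0] as XmlElement : null;
    }
}

public static class WsSecuritySigner
{
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    const string Base64Enc = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // Constructed envelope; the Body carries wsu:Id="id-5" like the one in the question.
    public const string EnvelopeXml =
        "<soapenv:Envelope xmlns:soapenv=\"" + SoapNs + "\" xmlns:wsu=\"" + WsuSignedXml.WsuNs + "\">" +
        "<soapenv:Header><wsse:Security xmlns:wsse=\"" + WsseNs + "\" soapenv:mustUnderstand=\"1\"/></soapenv:Header>" +
        "<soapenv:Body wsu:Id=\"id-5\"><demo>payload</demo></soapenv:Body></soapenv:Envelope>";

    public static XmlDocument Sign(string envelopeXml, X509Certificate2 cert, string prefixList)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(envelopeXml);
        var security = (XmlElement)doc.GetElementsByTagName("Security", WsseNs)[0];
        // 1. BinarySecurityToken carrying the signer's certificate, addressed by wsu:Id.
        string tokenId = "SecurityToken-" + Guid.NewGuid().ToString("N");
        XmlElement bst = doc.CreateElement("wsse", "BinarySecurityToken", WsseNs);
        bst.SetAttribute("ValueType", X509v3);
        bst.SetAttribute("EncodingType", Base64Enc);
        XmlAttribute bstId = doc.CreateAttribute("wsu", "Id", WsuSignedXml.WsuNs);
        bstId.Value = tokenId;
        bst.Attributes.Append(bstId);
        bst.InnerText = Convert.ToBase64String(cert.RawData);
        security.AppendChild(bst);
        // 2. Signature over the Body: exc-c14n with the prefix list on the method and on the transform.
        var signedXml = new WsuSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        ((XmlDsigExcC14NTransform)signedXml.SignedInfo.CanonicalizationMethodObject).InclusiveNamespacesPrefixList = prefixList;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var bodyRef = new Reference("#id-5") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        bodyRef.AddTransform(new XmlDsigExcC14NTransform(prefixList));
        signedXml.AddReference(bodyRef);
        // 3. KeyInfo that points at the token through a SecurityTokenReference.
        XmlElement str = doc.CreateElement("wsse", "SecurityTokenReference", WsseNs);
        XmlElement tokenRef = doc.CreateElement("wsse", "Reference", WsseNs);
        tokenRef.SetAttribute("URI", "#" + tokenId);
        tokenRef.SetAttribute("ValueType", X509v3);
        str.AppendChild(tokenRef);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoNode(str));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        security.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verify with the same wsu:Id-aware resolver; a stock SignedXml would throw here.
    public static bool Verify(XmlDocument doc, X509Certificate2 cert)
    {
        var sig = (XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        var signedXml = new WsuSignedXml(doc);
        signedXml.LoadXml(sig);
        return signedXml.CheckSignature(cert, true);
    }

    public static void Main()
    {
        // Throwaway self-signed certificate; a real client would load its PFX here.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=ws-demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        XmlDocument signed = Sign(EnvelopeXml, cert, "soapenv wsu");
        Console.WriteLine(signed.OuterXml);
        Console.WriteLine("verifies: " + Verify(signed, cert));
    }
}
```

The services in the questions demand rsa-sha1 and sha1 digests; substitute SignedXml.XmlDsigRSASHA1Url and XmlDsigSHA1Url only when the counterparty refuses anything newer.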
I was assigned to create a client for a web service. I have no previous experience with web services and I have been trying with no success.
The web service is hosted at https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService
I was able to create the proxy classes with Visual Studio 2012 and create a basic client, but it was rejected by the service since it did not include any of the security features that the service requires.
The following are extracts from the documentation, which is available at http://www.health.gov.on.ca/en/pro/publications/ohip/default.aspx
The WS-Security section includes:
Technical specifications of the WSS 1.1
• Identity requirements;
• Signing requirements ;
• Encryption requirements; and
• Time stamps
IDP
To ensure confidentiality and integrity of sensitive information within the message, sender software must use public key technology to sign the SOAP headers and body.
The signing certificate can be any available certificate and can be self-signed.
If any response data is specified to be encrypted, by the specific web service technical specification, the data will be encrypted using, at least, the AES128-CBC symmetric encryption algorithm with the public key belonging to the signer of the initial SOAP request. The encryption algorithm may be increased based on the specific web service technical specification.
My goal is to create a wcf client that can access this service. So far this is what I have done and it does not work:
This example tries to upload a file to the server:
using System;
using System.IO;
using System.ServiceModel;
using Microsoft.Web.Services3.Security.Tokens; // WSE 3.0 UsernameToken / PasswordOption

// Class name assumed; the original snippet only showed the closing brace.
// EDTDelegateClient, ebs_header, idp_header, msa_header, uploadData, uploadRequest
// and resourceResult come from the generated proxy; InspectorBehavior is our own.
public class EdtUploader
{
    EndpointAddress address = new EndpointAddress("https://ws.conf.ebs.health.gov.on.ca:1441/EDTService/EDTService");
    //MCEDT userID and password
    string userId = "abcdefg";
    string password = "password";
    //MOH Id
    string mohId = "123456";
    //Vendor Conformance Key
    string key = "1234abcd-eeee-aaaa-ffff-abcdef123456";
    //sample claim file provided by OHIP (placeholder file name)
    string claim_file = "claim_file.txt";

    public void upload()
    {
        Console.WriteLine("Uploading....");
        //Specify the binding to be used for the client.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.SendTimeout = new TimeSpan(0, 10, 0);
        //WSE 3.0 token; note that it is never attached to the WCF message below
        UsernameToken ut = new UsernameToken(userId, password, PasswordOption.SendHashed);
        EDTDelegateClient client = new EDTDelegateClient(binding, address);
        //Capture before send and after receive events
        client.Endpoint.Behaviors.Add(new InspectorBehavior());
        ebs_header EBS = new ebs_header();
        EBS.AuditId = "123456789";
        EBS.SoftwareConformanceKey = key;
        //The MCEDT service will only support the IDP security model in its first release.
        idp_header IDP = new idp_header();
        IDP.ServiceUserMUID = mohId;
        msa_header MSA = new msa_header();
        MSA.UserID = userId;
        //data to upload
        //sample claim provided by OHIP
        uploadData data = new uploadData();
        data.description = claim_file;
        data.content = File.ReadAllBytes(@"..\..\" + claim_file);
        uploadRequest ur = new uploadRequest();
        ur.upload = new uploadData[1];
        ur.upload[0] = data;
        try
        {
            resourceResult result = client.upload(EBS, MSA, IDP, ur.upload);
        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
        }
    }
}
I believe that what I have done so far is in line with the technical requirements:
" The electronic system constructs a SOAP message using appropriate values and inserts the EBS and IDP headers into the SOAP message header with the user name and password (for the IDP in a WS-Security Username token). The SOAP headers and body are then digitally signed to guarantee message integrity and source. If any request data is specified to be encrypted, by the specific web service technical specification, it will use the public key of the EBS system."
but I don't know how to sign the headers and body and how to encrypt the data.
The certificates are provided with all the technical specifications and we have the proper information for user and password. It is only my lack of knowledge that is stopping me from finishing this project.
Thanks in advance to the community for the help.
Edit #1: Sample Message from Docs:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:msa="http://msa.ebs.health.ontario.ca/"
xmlns:idp="http://idp.ebs.health.ontario.ca/"
xmlns:edt="http://edt.health.ontario.ca/"
xmlns:ebs="http://ebs.health.ontario.ca/">
<soapenv:Header>
<ebs:EBS wsu:Id="id-4"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<SoftwareConformanceKey>444361ee-277f-7732-c684-7a9923jfgh1b</SoftwareConformanceKey>
<AuditId>124355467675</AuditId>
</ebs:EBS>
<idp:IDP wsu:Id="id-3"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ServiceUserMUID>1111222</ServiceUserMUID>
</idp:IDP>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-04FD51796CB607011413612828891871"><!-- base64 X.509 certificate omitted --></wsse:BinarySecurityToken>
<ds:Signature Id="SIG-6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#UsernameToken-2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>peTHpiEd5ujPqxNuKGN0k4p7up8c0dFPuRXbpQ+eMwI=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="wsse ebs edt idp msa soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>DqLqNQVHwzHRx7amwoYxEMwxN2g0/rND2I13WPP1Vhw=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt msa soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>K4IrndAA4zBmkumIfgKcluiKA8dmzwgGdKo5aq45LHg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="edt idp msa soapenv"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>o92xRJQNwGz0Hv7DX87vSYUScX0qHL/bFGE3GmtUzQg=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ebs edt idp msa"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>svNyvvP+MrjIYlZFsg+bgw//8IPNVvIO9px3vYUfW3I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
qDSZlgY/aTFOzzo1C4tx+1E8ertrbmBySRxEK6sJ1JCt/77TLV5PBGnAme9Ttdmzf6h7/qb4rBGL 76LM0PaCQ9xm3DTsSQOz/So82G+/kX8M9TPY9D44+dvlB+cXm9rPn2BLMSVwtJf0kwI22SmRzMTR 6a6jfNYkGga6ZwZC9NLfG5/KTvsyZ39vOdO3T5GYc15RSjHKVBggoWmKm7x5PHrhU+3gClEbtHP8+Fgmmd9PJOtl9WunzR7NpY79xRNGxmDmL8hLvE4+uIc//b6TvrbGB2t8IWb5e5Wdz+ssHgMm0802 wFwGXlVxvSHpEJroHz5OvRgh7PKGlUSZP9fWkg==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-04FD51796CB607011413612828892812">
<wsse:SecurityTokenReference wsu:Id="STR-04FD51796CB607011413612828892813">
<wsse:Reference
URI="#X509-04FD51796CB607011413612828891871"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken wsu:Id="UsernameToken-2">
<wsse:Username>johndoe@examplemail.com</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">****</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2013-02-19T14:08:08Z</wsu:Created>
<wsu:Expires>2013-02-19T14:08:38Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-5"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<edt:upload>
<upload>
<content>
<inc:Include href="cid:2341682853256" xmlns:inc="http://www.w3.org/2004/08/xop/include" />
</content>
<description>00123</description>
<resourceType>CL</resourceType>
</upload>
</edt:upload>
</soapenv:Body>
</soapenv:Envelope>
EDIT: See here a detailed solution to consume this EBS-EDT service
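The earlier answer's two findings, that exclusive canonicalization only emits namespace declarations that are visibly used or named in the InclusiveNamespaces PrefixList, and that SignedXml rejects references to elements identified by wsu:Id, both apply to the sample message above. The following C# is an added example, not code from either post or from the OHIP service: WsuIdSignedXml, SoapSigner, the file names and the pfx password are assumed, and the KeyInfo is simplified to ds:X509Data rather than the wsse:SecurityTokenReference the sample carries. The PrefixList for each reference is taken from the sample message; a list that differs from the one the service recanonicalizes with changes the digest and the signature fails to verify.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example; class and method names are assumptions, not OHIP or answerer code.
public class WsuIdSignedXml : SignedXml
{
    public const string WsuNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    public WsuIdSignedXml(XmlDocument doc) : base(doc) { }

    // SignedXml resolves Reference URI="#x" only through plain Id/ID/id attributes.
    // Resolving wsu:Id as well avoids "Malformed reference element" without renaming
    // the attribute, which would change the bytes the service hashes.
    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null) return found;

        var ns = new XmlNamespaceManager(document.NameTable);
        ns.AddNamespace("wsu", WsuNs);
        // idValue comes from our own Reference objects, never from remote input.
        return document.SelectSingleNode("//*[@wsu:Id='" + idValue + "']", ns) as XmlElement;
    }
}

public static class SoapSigner
{
    // references: wsu:Id of the element to sign -> PrefixList for that reference.
    // Exclusive C14N emits a namespace declaration only if it is visibly used by
    // the element or listed here, so the list must match the verifier's.
    public static XmlElement Sign(XmlDocument doc, X509Certificate2 cert,
                                  string signedInfoPrefixList,
                                  IDictionary<string, string> references)
    {
        var sx = new WsuIdSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        // PrefixList on SignedInfo itself, as the sample's ds:CanonicalizationMethod shows.
        ((XmlDsigExcC14NTransform)sx.SignedInfo.CanonicalizationMethodObject)
            .InclusiveNamespacesPrefixList = signedInfoPrefixList;

        foreach (var kv in references)
        {
            var r = new Reference("#" + kv.Key)
            {
                DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256"
            };
            r.AddTransform(new XmlDsigExcC14NTransform(kv.Value));
            sx.AddReference(r);
        }

        // Simplification: ds:X509Data instead of wsse:SecurityTokenReference.
        var ki = new KeyInfo();
        ki.AddClause(new KeyInfoX509Data(cert));
        sx.KeyInfo = ki;

        sx.ComputeSignature();
        return sx.GetXml(); // owned by a fresh XmlDocument; import before appending
    }

    // Wiring for the sample envelope (file names and password are assumed).
    public static void Demo()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load("request.xml"); // the unsigned envelope with wsu:Id attributes in place
        var cert = new X509Certificate2("signer.pfx", "pfx-password");

        var refs = new Dictionary<string, string>
        {
            ["id-3"] = "ebs edt msa soapenv", // idp:IDP header
            ["id-4"] = "edt idp msa soapenv", // ebs:EBS header
            ["id-5"] = "ebs edt idp msa",     // soapenv:Body
        };
        XmlElement sig = Sign(doc, cert, "ebs edt idp msa soapenv", refs);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsse",
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
        XmlNode security = doc.SelectSingleNode("//wsse:Security", ns);
        security.AppendChild(doc.ImportNode(sig, true));
        doc.Save("request-signed.xml");
    }
}
```

Load the envelope with PreserveWhitespace = true and do not reserialize it through another parser before sending: any whitespace change between signing and transmission alters the canonical form of the referenced elements. The signature method here is rsa-sha256 where the sample message uses rsa-sha1; the service's profile decides which it accepts, but a new integration should not produce SHA-1 signatures unless forced to.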
Since you have both username auth and x.509 signature you need to create the binding from code:
var b = new CustomBinding();
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(
    MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
// UsernameToken is carried as a signed supporting token next to the X.509 signature
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
sec.IncludeTimestamp = false;
sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;
b.Elements.Add(sec);
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
Then you need to sign the headers. Assuming you use a message contract (not a data contract) where headers are explicitly tagged with a MessageHeader attribute, then add to it a property "ProtectionMode=ProtectionMode.Sign".
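As an added example (not the answerer's code and not the generated OHIP proxy), the binding described above wired into a complete client with a message contract whose headers are signed. EbsHeader, IdpHeader, UploadMessage, IEdtUpload, EdtClientFactory and the file names are assumed stand-ins for the proxy's ebs_header, idp_header and EDTDelegateClient; the header and body layout follows the sample message in the question. The attribute property that requests signing is ProtectionLevel (System.Net.Security.ProtectionLevel). The timestamp is kept on because the sample message signs a wsu:Timestamp, and the contract is set to sign only, since the specification asks for encryption only where a particular service requires it.

```csharp
using System;
using System.Net.Security;
using System.Runtime.Serialization;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;

// Added example; types below are assumed stand-ins for the generated proxy classes.
[DataContract(Namespace = "http://ebs.health.ontario.ca/")]
public class EbsHeader
{
    [DataMember] public string SoftwareConformanceKey { get; set; }
    [DataMember] public string AuditId { get; set; }
}

[DataContract(Namespace = "http://idp.ebs.health.ontario.ca/")]
public class IdpHeader
{
    [DataMember] public string ServiceUserMUID { get; set; }
}

// ProtectionLevel.Sign on a header makes WCF assign it a wsu:Id and add a
// ds:Reference for it inside the wsse:Security signature.
[MessageContract(IsWrapped = true, WrapperName = "upload",
                 WrapperNamespace = "http://edt.health.ontario.ca/")]
public class UploadMessage
{
    [MessageHeader(Name = "EBS", Namespace = "http://ebs.health.ontario.ca/",
                   ProtectionLevel = ProtectionLevel.Sign)]
    public EbsHeader Ebs { get; set; }

    [MessageHeader(Name = "IDP", Namespace = "http://idp.ebs.health.ontario.ca/",
                   ProtectionLevel = ProtectionLevel.Sign)]
    public IdpHeader Idp { get; set; }

    // Body children are unqualified in the sample message.
    [MessageBodyMember(Name = "description", Namespace = "")]
    public string Description { get; set; }

    [MessageBodyMember(Name = "content", Namespace = "")]
    public byte[] Content { get; set; }
}

// Sign-only at contract level: the body gets a ds:Reference but is not encrypted.
[ServiceContract(Namespace = "http://edt.health.ontario.ca/",
                 ProtectionLevel = ProtectionLevel.Sign)]
public interface IEdtUpload
{
    [OperationContract(Action = "http://edt.health.ontario.ca/upload")]
    void Upload(UploadMessage request);
}

public static class EdtClientFactory
{
    public static CustomBinding CreateBinding()
    {
        var version = MessageSecurityVersion
            .WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

        var sec = (AsymmetricSecurityBindingElement)
            SecurityBindingElement.CreateMutualCertificateBindingElement(version);
        // UsernameToken sent in clear inside wsse:Security and covered by the signature
        sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
        sec.MessageSecurityVersion = version;
        sec.IncludeTimestamp = true; // sample message signs wsu:Timestamp TS-1
        sec.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

        var b = new CustomBinding();
        b.Elements.Add(sec);
        b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
        b.Elements.Add(new HttpsTransportBindingElement());
        return b;
    }

    // signingCert: our certificate with private key (self-signed is allowed per the docs).
    // serviceCert: the service's public certificate shipped with the specification.
    public static IEdtUpload CreateClient(string url, string user, string password,
                                          X509Certificate2 signingCert, X509Certificate2 serviceCert)
    {
        var factory = new ChannelFactory<IEdtUpload>(CreateBinding(), new EndpointAddress(url));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        factory.Credentials.ClientCertificate.Certificate = signingCert;
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;
        return factory.CreateChannel();
    }
}
```

A call then looks like `EdtClientFactory.CreateClient(url, user, pw, signer, service).Upload(new UploadMessage { Ebs = ..., Idp = ..., Description = "00123", Content = bytes })`. Capture the outgoing message with a message inspector, as the question already does, and compare the ds:Reference list and the PrefixList values against the sample; WCF's choice of PrefixList is fixed, so if the service insists on the exact lists in the sample the SignedXml route is the fallback.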