Encrypting SOAP messages when using HttpWebRequest and soap message as string - c#

I have implemented a SOAP client based on the code in this thread, "Client to send SOAP request and received response"; however, I would now like to extend this to allow us to encrypt the SOAP message using X509 certs and tripleDes, and wondered if there was a starting point. The output payload I am looking for will need to include an XML segment based on the schema http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and probably also include headers. Does anybody have any links to what goes on behind the scenes with SOAP encryption?
I have found this "Creating Signed SOAP Message as a String with C#" article, which seems to be having a similar issue. Where is the theory behind creating the hash values for SOAP signing?

Bit late to my own funeral but it appears the solution is here:
Creating Signed SOAP Message as a String with C#

Related

How to make WCF Client to suit specific WS-Security

I try to implement WCF Client (C#) to consume a specific web service from NEXI. Service required a WS-Security (signature & encryption) and client authentication.
In documentation specific standards.
WS-Security Spec.
In accordance with the WS-Interoperability Basic Profile 2.0 the Secure WebServices Interface uses SOAP 1.1 with an HTTP Binding and specifies additional requirements.
1. Hashing algorithm must be SHA256
2. Signature Algorithm must be RSAWithSHA1
3. Encryption Algorithm must be AES256
4. Certificates used MUST have a key length of 2048 bits
5. Certificates used MUST have been generated using only SHA-256 as a hashing algorithm
6. Certificates used for signature and encryption MUST be issued by known Certificate Authority
7. Certificates needs to be exchanged between parties
8. Parties have to manage multiple certificate for the same purpose (signature and/or encryption) to overcome any gap when certificate renewal occurs. Parties have to exchange renewed certificate at least 30 days before current certificate expires.
9. All SOAP messages MUST be serialized using UTF-8 character encoding of the Unicode character set
10. Use SOAP Request-Response Message Exchange Pattern as specified in SOAP 1.1 (see http://www.w3.org/TR/2000/NOTE-SOAP-20000508/)
11. A correctly processed client request MUST be answered with a server response, consisting of a HTTP response with a 200 Status Code containing a soap:Envelope element
12. The soap:Envelope element MUST contain a soap:Header child element
13. The soap:Body element MUST contain exactly one, namespace-qualified child element
14. The soap:Body element MUST have a wsu:ID attribute with a unique value that enables it to be included in the signature and encrypted
15. Encryption Key must be encrypted and included in soap:Header “xenc:EncryptedKey”
16. The wsse:Security element in request messages MUST contain exactly one wsu:Timestamp
17. SignedParts and EncryptedParts:
    a. SignedParts: wsu:Timestamp (the request timestamp)
    b. EncryptedParts: Body.
I am looking for a solution or help to set up all these requirements in a single request.
I tried the implementation in SOAPUI but I am not able to meet all the requirements. I also tried to create a WCF client in .NET, but I am not able to set individual namespaces and I don't know how to create a request that meets all the requirements.
Expectations:
The request according to the documentation should look like:
Request:
Request
Response:
Response

Incorrect Key for decrypting web service response

I am working on a WCF client to consume a third party web service over which I have no control. It works with a custom binding and WS Security. No app.config, all through code. I can successfully send requests and receive responses. However, it seems .Net cannot decrypt the service responses, so I have to do it manually. I have implemented a custom encoder and overridden the ReadMessage method. I have access to the raw SOAP response. I have seen code in MSDN as well as a blog where they explain how to decrypt the response. I read the oasis specifications for the response xml schema. The response contains a reference to the x509 certificate that has the private key necessary to decrypt the session key, so then the body can be decrypted. According to the documentation of the service I am trying to consume, and pretty much everywhere I've read, I should use the private key of the certificate I used to sign my request, but I get an Exception saying the key is incorrect. I then tried every possible certificate with a private key in all my certificate stores to see if one of them would successfully decrypt the message but all of them failed. If I understand it right, this means the service expects me to decrypt the message with a private key I don't have. I'm rather new to WCF and web services themselves, so I might be missing something.
Do you know what could be happening? Or maybe I am understanding something wrong. Any help will be greatly appreciated.
Thanks

WCF Using X509 Private key for outgoing messages

So, here is my million dollar question. I want to consume a service hosted by a third party, and therefore for the set up we exchanged X509 certificates. I sent them ours and we got theirs. I added their self-signed certificate in the certificate store. Now, I have tried to connect to the services with soapUI, where I need to create a JKS file with my private key to connect, and use the WSSE headers for username, password, nonce and TTL and it works just fine.
But, I want to write a WCF C# client to communicate with the service, and adding my certificate to the client credentials in the config or through code does not work. Can someone please let me know how to use the private key for outgoing messages using WCF?
I have tried both these things, but not sure where am I going wrong...
proxy.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"C:\soapUI\soapUI\Agency1\certificates\myprivatekey.pfx", "Pwd");
proxy.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(@"C:\soapUI\soapUI\Agency1\certificates\myprivatekey.pfx", "Pwd");
I have also added the correct wsu and wsse headers to the soap envelope. When I take the soap envelope from the WCF client to SOAPUI, it works, but not from WCF itself. So I am pretty sure it's the difference in how the private keys are being used. So any line of thought will be helpful.
In this article, we will start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see the differences between ‘BasicHttpBinding’ and ‘WsHttpBinding’ with the help of a simple code. WCF security is a huge topic by itself, but I am sure with this article you will get a quick start of how to go about WCF security.
http://www.codeproject.com/Articles/36732/WCF-FAQ-Part-3-10-security-related-FAQ

Secure JSON request from .Net to Javascript

I'm sending a JSON result back to a javascript (jQuery) on my IIS/MVC4 website.
The json contains a string value of around 60-100 letters.
Currently it is being sent in clear text with no encryption at all.
What would be the simplest method to encrypt just this message between the javascript client and the .net C# backend?
The encryption doesn't have to be superb, but just enough that you can't figure/bruteforce out the contents in under 1 hour.
Keep in mind that everyone has the javascript so I can't just use a common key for all clients.
I was thinking something along the line of an RSA encryption where the client generates a keypair and sends its public key back with the request and the server uses this to encrypt the value. I can't find any examples of this though so I'm very open to suggestions.
Run the entire webpage over SSL (HTTPS). The server and browser will take care of encryption for you.

Signing Soap request with certificate

I'd like to sign a Soap request (.NET 3.5, C#) with a certificate stored in the computer (reading of certificate is ok).
I don't want the request to be encrypted (that's what I get when I change Security.Mode and Security.Message properties on WSHttpBinding). I am looking for a signed Soap header.
After reading tons of articles on MSDN, blog, StackOverflow... I came up with this approach: using IClientMessageInspector and method BeforeSendRequest. I can set a breakpoint in it and see my request, but how to modify its XML content?
Modifying the message is possible - for sample code and explanations see
http://www.codeproject.com/KB/WCF/ExtendingWCF_PartI.aspx
http://wcfpro.wordpress.com/2011/03/29/iclientmessageinspector/
http://weblogs.asp.net/paolopia/archive/2007/08/23/writing-a-wcf-message-inspector.aspx
Basically you copy the Message to an XML Doc as a buffered copy, modify the XML, then create a new Message from that modified XML and assign the new Message to the ref Message param...
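
The copy, modify and replace steps described in the answer above, as an added example that is not part of the original answer. The class name EnvelopeRewritingInspector and the modify callback are hypothetical; the callback is where code that adds a signed header would go.

```csharp
using System;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Hypothetical inspector: rewrites the outgoing envelope through a caller-supplied callback.
public sealed class EnvelopeRewritingInspector : IClientMessageInspector
{
    private readonly Action<XmlDocument> _modify; // assumption: caller's header-editing code

    public EnvelopeRewritingInspector(Action<XmlDocument> modify)
    {
        if (modify == null) throw new ArgumentNullException("modify");
        _modify = modify;
    }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        // A Message body can be consumed only once, so take a buffered copy first.
        MessageVersion version = request.Version;
        MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue);
        Message copy = buffer.CreateMessage();

        // Serialize the full envelope (headers and body) into an XmlDocument.
        var doc = new XmlDocument();
        doc.PreserveWhitespace = true; // do not drop whitespace-only nodes from the envelope
        using (var ms = new MemoryStream())
        {
            using (XmlWriter writer = XmlWriter.Create(ms))
            {
                copy.WriteMessage(writer);
            }
            ms.Position = 0;
            doc.Load(ms);
        }

        _modify(doc); // edit the XML, e.g. append a header element

        // Build a new Message from the modified XML. The stream must stay open
        // until WCF has written the message, so it is not disposed here.
        var modified = new MemoryStream();
        doc.Save(modified);
        modified.Position = 0;
        Message rewritten = Message.CreateMessage(XmlReader.Create(modified), int.MaxValue, version);
        rewritten.Properties.CopyProperties(copy.Properties); // keep HTTP and addressing properties

        request = rewritten; // hand the replacement back through the ref parameter
        return null;         // no correlation state needed
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}
```

The inspector takes effect once it is added to clientRuntime.MessageInspectors from an IEndpointBehavior's ApplyClientBehavior method.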
