Home » .Net Framework

Signing/Encrypting a Web-Service client call with X509 using the WCF


I have a project in where I need to make a Web-Service call to a server that requires that I Sign my request using X.509.   The company that has the service pointed me to the following article for instructions on how to make the call from C# and .NET 2.0:  How to: Sign a SOAP Message Using an X.509 Certificate (http://msdn.microsoft.com/en-us/library/ms819963.aspx).

However, this article makes use of the WSE and this is no longer supported in .NET 3.5.  I am using Visual Studio 2008 and as far as I can tell, I need to get my X.509 certificate and add it to the client certificate list, but I can't figure out how to actually SIGN the message.

This is my code:

            // I created a standard Web-Reference to the Web-Service.  To use it I just create the object 
            CustomService.PaymentAuthorization service = new CustomService.PaymentAuthorization();

            System.Security.Cryptography.X509Certificates.X509Certificate2 cert =
                new System.Security.Cryptography.X509Certificates.X509Certificate2("c:\\temp\\certificate.pfx", "certPassword");

            // This returns True.
            bool hasPrivate = cert.HasPrivateKey;

            // This returns the private Key
            System.Security.Cryptography.AsymmetricAlgorithm privateKey = cert.PrivateKey;

            // This tells me that the certificate was issued by Verisign
            System.Security.Cryptography.X509Certificates.X500DistinguishedName distName = cert.IssuerName;

            // And this tells me that my certificate is still valid.
            DateTime expiration = cert.NotAfter;

            // Add the certificate to the Web Service

            // Make the call to the Web-Service
            CustomService.paymentInfo req = ser.AuthorizePayment("Payment Parameter");
If I run this code, in the last line I get an exception that reads "Security requirements are not satisfied because the security header is not present in the incoming message."  and the company's IT department claim that it's because I am not signing the the message.

As an added complexity, the company might request that I use a second certificate to Encrypt the Web-Service call and I'm at a loss here.

Using WCF, how would I tell the Web-Service to sign and/or encrypt the SOAP message using the specified X.509 key?   I have been reading documents on WCF for two days now and I can't seem to figure it out.

Anyone have information on where I can get instructions on how to use the WCF to Sign/Encrypt a Web-Service request using X.509?


5 Answers Found


Answer 1

The Wcf model is a little different. You configure on each contract what is the expected ProtectionLevel (e.g. encryption, signature). Then in the binding configuration you configure the certificates. If you can get from IT a sample of a working envelope publish it here and we will try to help.

Answer 2

I realize that the WCF is a little different.  The question is where is the documentation that specifies how this is done.   

I spoke to the IT department in the company and they have no idea on how to get you a sample working envelope.  Currently they support the old WSE way of doing things.  They point me to the document How to: sign  a SOAP Message Using an X.509 Certificate and claim that I must do the equivalent.

From what I can tell, In the WSE way of doing things, there are two approaches to signing and/or encrypting my c# Web-Service request  for their service:

How to: Sign a SOAP Message Using an X.509 Certificate (derive from the WebServicesClientProtocol class) How to: Sign a SOAP Message Using an X.509 Certificate (creating a custom policy assertion)
Is there documentation that explains how to do the same using the WCF?  Or a book?  A video?   It's hard to believe that Microsoft phased out WSE without creating equivalent documentation for the WCF.  But I hav ebeen searching for this documentation for three days now to no avail.

Best regards.


Answer 3

By the way, the closest I came to a document that explains how to do this would be Message Security with Mutual Certificates , but this example is not for interacting with a Web-Service and gives no information as to how you could specify signing and.or encrypting the SOAP message in a Web-Service.


Answer 4

Hi Ivan,

WCF use different model for secure message. And for the x509  based message encrypting or signing, it is supported in wcf  by many various security binding elements. for example those message level security bindings that will require server  certificate(like wshttpbinding+ username or certificate authentication) can both sign  and encrypt soap message.

#Securing Messages Using Message Security

#How to: Use Certificate Authentication and Message Security in WCF Calling from Windows Forms

For your server-side service, does it provide WSDL metadata document? What is the client  authentication type it uses, username or certificate or others? Also, when you use message layer security(which will encrypt or sign the soap message), you can also use ProtectionLevel to control detailed secured part in entire WCF message:

#Understanding Protection Level


Answer 5


I am looking for information to do the exact same task (exactly the same as your title) and have run into the same "lacking" resources.  I have a legacy project that works well with WSE2, but the client-side DLL has shown itself to be problematic while debugging in VS2008.  Any luck with your project?  If so, would you mind sharing the client and server  side plumbing to get this to work with WCF?  IF not, did you find any helpful resources?





<< Previous      Next >>

Microsoft   |   Windows   |   Visual Studio   |   Sharepoint   |   Azure