Tuesday, November 3, 2015

Send signed SOAP request without encrypting the header and body in BizTalk Server using WS-Security


Simply follow all the required steps mentioned in my previous post, then create a custom behavior extension that disables encryption by using the following code in its AddBindingParameters method.

You can get the complete code for the behavior from this link.

Build the downloaded solution and install the DLL into the GAC.

Update the machine.config for both the 64-bit and 32-bit frameworks with the following entry.

<behaviorExtensions>
<add name="SignSoapRequestBehavior" type="WCF.Behavior.SignSoapRequest.SignSoapRequestBehaviorExtensionElement, WCF.Behavior.SignSoapRequest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ba7175b2b6205a29" />
...

Add this behavior to the send port.
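An example of what such a behavior extension can look like (added here; this is not the author's downloadable code). It uses the type names from the machine.config entry and assumes the standard WCF approach of replacing the contract's ChannelProtectionRequirements with a signature-only set; the incoming parts assume the service's responses are unencrypted as well.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;

namespace WCF.Behavior.SignSoapRequest
{
    // Endpoint behavior that replaces the contract's protection requirements
    // with "sign body, encrypt nothing" for every action (assumed approach).
    public class SignSoapRequestBehavior : IEndpointBehavior
    {
        public void AddBindingParameters(ServiceEndpoint endpoint,
                                         BindingParameterCollection bindingParameters)
        {
            // Drop the requirements WCF derived from the contract (they ask
            // for encryption) before adding our own.
            if (bindingParameters.Find<ChannelProtectionRequirements>() != null)
            {
                bindingParameters.Remove<ChannelProtectionRequirements>();
            }
            var requirements = new ChannelProtectionRequirements();

            // true = the body is part of the signature; WS-Addressing headers and
            // the Timestamp are signed by the security channel regardless.
            var signBody = new MessagePartSpecification(true);
            requirements.OutgoingSignatureParts.AddParts(signBody, "*");
            requirements.IncomingSignatureParts.AddParts(signBody, "*");

            // false = no body, and no header names listed = no headers encrypted.
            var encryptNothing = new MessagePartSpecification(false);
            requirements.OutgoingEncryptionParts.AddParts(encryptNothing, "*");
            requirements.IncomingEncryptionParts.AddParts(encryptNothing, "*");

            bindingParameters.Add(requirements);
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
        public void Validate(ServiceEndpoint endpoint) { }
    }

    // The element named by the machine.config <behaviorExtensions> entry above.
    public class SignSoapRequestBehaviorExtensionElement : BehaviorExtensionElement
    {
        public override Type BehaviorType { get { return typeof(SignSoapRequestBehavior); } }
        protected override object CreateBehavior() { return new SignSoapRequestBehavior(); }
    }
}
```

The algorithm suite (the rsa-sha1 and sha1 seen in the output below) comes from the binding's security settings, not from this behavior.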

BizTalk will now produce a SOAP request with both the header and body signed and nothing encrypted, as shown below (for clarity the long base64 values, such as the token and signature, have been truncated in this output):
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_2">http://example.com</a:Action>
  <a:MessageID u:Id="_3">urn:uuid:78e28d0b-4944-48f7-86e1-16deef77cfdd</a:MessageID>
  <a:ReplyTo u:Id="_4">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_5">http://localhost:6600/BradyContractService/ReceiveContract.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-9a964984-1374-485c-97bc-bdb76408d981-1">
    <u:Created>2015-11-03T07:28:27.508Z</u:Created>
    <u:Expires>2015-11-03T07:33:27.508Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c2fe0a8f-ca9f-41c7-8f4b-6357ebdc5a09-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqG...mNi0</o:BinarySecurityToken>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="#_1">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>ee6Ma40RghCCEzDnDA4VZNJynBM=</DigestValue>
     </Reference>
     <Reference URI="#_2">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>0TSzFgakSshEA4QJJOFiDguAmaA=</DigestValue>
     </Reference>
     <Reference URI="#_3">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>iDbgU1OHYaUGdFWCXjmuzgSAqlE=</DigestValue>
     </Reference>
     <Reference URI="#_4">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>l6mMmQ2LE9VFtjaA6Qc4GKBXURw=</DigestValue>
     </Reference>
     <Reference URI="#_5">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>QhNTDZm5G+hGSpv/fkTQ0sHlFSE=</DigestValue>
     </Reference>
     <Reference URI="#uuid-9a964984-1374-485c-97bc-bdb76408d981-1">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>WzEWN6/iE6FnafJg4G9se5dB7yE=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>jRu...kWSjsJWA70vc/lRw==</SignatureValue>
    <KeyInfo>
     <o:SecurityTokenReference>
      <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c2fe0a8f-ca9f-41c7-8f4b-6357ebdc5a09-2"/>
     </o:SecurityTokenReference>
    </KeyInfo>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <Dummy>Sample Request</Dummy>
 </s:Body>
</s:Envelope>

Cheers
Rohit C. M. Sharma

2 comments:

Anonymous said...

I'm doing a similar task recently. The difference is it's not signing all header parts; it only signs the "To" and "Timestamp" nodes. I think it can be done by adding
var soapRequestIncluded = new MessagePartSpecification(false,new XmlQualifiedName[]{new XmlQualifiedName("",""),new XmlQualifiedName("","")});
Am I right??
Another one is adding key info with a "SubjectKeyIdentifierReference" as below:


GgRDzyeIenAuXgE90yHwWjpjKII=


How can I do that in BizTalk?

Anonymous said...

KeyInfo XML is like:
<KeyInfo>
 <wsse:SecurityTokenReference>
  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">GgRDzyeIenAuXgE90yHwWjpjKII=</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference>
</KeyInfo>
