Question
I need something more: the Signature must be within a Security tag inside the Header tag, with a BinarySecurityToken element.
Just like:
<soapenv:Header> <!-- extract of the example file -->
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-D53CCD6983E4CE0BD7142791021078262">
MIIDbDgg4iF74cqiF6NcnzBnD9qA2MB6hSo38e0RISilEFSzWikDqBtOjgm7ux9fdeHojDm4uvhsSfbEyGmGTAQRzg9yIiD3ovjOzuZsf+I3HWS9F6xl6sb2+wvYXD4DFk/OD+N7UszGsoWFZg
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
.....
</ds:Signature>
I can programmatically populate the XML element directly from the client cert like this:
var cert = new X509Certificate2(ClientCertificateFilePath, ClientCertificatePassword);
var export = cert.Export(X509ContentType.Cert, ClientCertificatePassword);
var base64 = Convert.ToBase64String(export);
The question is how to add Signature and BinarySecurityToken to the header?
Answer 1:
Manually coding a SOAP envelope to call the service might be a choice.
Here are some discussions about how to add SOAP headers.
What is the Java Apache CXF equivalent of C# WCF AddressHeader?
This is commonly because the web service on the server side is not WCF; therefore, we may not be able to call the service through WCF.
In my opinion, the above SOAP envelope format decides the channel shape of the binding used by WCF. This might be compatible with a WCF service which authenticates the client with a certificate.
BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
When the server authenticates the client with a certificate, the client uses the same binding type and provides a certificate to the server, attaching the signature of the certificate in the SOAP envelope.
Below is the HTTP traffic captured by Fiddler while communicating with the server side. Their SOAP envelopes are similar.
For more information about authenticating the client with a certificate, please refer to the links below.
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-certificate-client
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
Feel free to let me know if there is anything I can help with.
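A complete client built around the binding in the answer above, as an added example that is not part of the original question or answer. It assumes .NET Framework WCF and a service that accepts this binding's header layout; `IExampleService`, `Ping`, the endpoint URL, the file name and the password are hypothetical placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the real service's operations.
[ServiceContract(Namespace = "urn:example:placeholder")]
public interface IExampleService
{
    [OperationContract]
    string Ping(string message);
}

public static class SignedSoapClient
{
    public static void Main()
    {
        // Placeholder path and password. The file must hold the private key:
        // the exported public certificate alone can fill BinarySecurityToken
        // but cannot produce ds:Signature.
        var cert = new X509Certificate2("client.pfx", "placeholder-password");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key.");

        // Binding from the answer: HTTPS transport plus a WS-Security header.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        // Assumption: the service accepts SHA-256; the default suite (Basic256) signs with SHA-1.
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;

        var address = new EndpointAddress("https://service.example.invalid/endpoint"); // placeholder
        var factory = new ChannelFactory<IExampleService>(binding, address);
        // WCF builds the security header from this credential.
        factory.Credentials.ClientCertificate.Certificate = cert;

        IExampleService channel = factory.CreateChannel();
        try
        {
            Console.WriteLine(channel.Ping("hello"));
            ((IClientChannel)channel).Close();
            factory.Close();
        }
        catch
        {
            ((IClientChannel)channel).Abort();
            factory.Abort();
            throw;
        }
    }
}
```

Capturing the request with Fiddler, as the answer does, shows whether the emitted header matches the layout the service expects.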
Source: https://stackoverflow.com/questions/61767441/soap-wcf-add-signature-and-binarysecuritytoken-to-header