Specifying Reference URI of #Body while digitally signing SOAP request - using WCF

Question

I am using a WCF client to talk to a non-WCF web service.

This web service requires that the body of the SOAP message is signed, however, I am having trouble generating a valid SOAP request.

I have implemented a ClientMessageInspector which inherits from IClientMessageInspector, where I modify the message in the BeforeSendRequest method to add the XML digital signature. I use the SignedXML class to do this.

I am using the IBM Web Services Validation Tool for WSDL and SOAP to check whether my digital signature verifies.

My problem is that when I specify a full namespaced reference in the Reference URI, the IBM tools that I'm using say that I have a valid signature. From the XML Digital Signature specifications, I should just be able to reference the attribute, without the namespace, however, when I do this, I don't get a valid digital signature.

This is the SOAP request I am currently generating, which my tools say has a valid signature, but the web service doesn't like it:

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" 
            xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
            xmlns:soapsec="http://schemas.xmlsoap.org/soap/security/2000-12" 
            xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <s:Header>
    <soapsec:Signature>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="http://schemas.xmlsoap.org/soap/security/2000-12#Body">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>4mt5wluUTu5tpR2d5UemVSLvqTs=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>UZ7HzfE3GxIY9hg...</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>MIIEkTCCA3mgAwIBAgIQCu...</X509Certificate>
          </X509Data>
          <KeyValue>
            <RSAKeyValue>
              <Modulus>0C3e9HDx5Yq6FLUxIgjJ...</Modulus>
              <Exponent>AQAB</Exponent>
            </RSAKeyValue>
          </KeyValue>
        </KeyInfo>
      </Signature>
    </soapsec:Signature>
  </s:Header>
  <s:Body soapsec:id="Body">
    .... SOAP Body Here ...
  </s:Body>
</s:Envelope>

This is the SOAP request I want to be generating, but my tools say this has an invalid signature, and the web service also tells me the signature is invalid:

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" 
            xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
            xmlns:soapsec="http://schemas.xmlsoap.org/soap/security/2000-12" 
            xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <s:Header>
    <soapsec:Signature>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#Body">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>4mt5wluUTu5tpR2d5UemVSLvqTs=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>UZ7HzfE3GxIY9hg...</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>MIIEkTCCA3mgAwIBAgIQCu...</X509Certificate>
          </X509Data>
          <KeyValue>
            <RSAKeyValue>
              <Modulus>0C3e9HDx5Yq6FLUxIgjJ...</Modulus>
              <Exponent>AQAB</Exponent>
            </RSAKeyValue>
          </KeyValue>
        </KeyInfo>
      </Signature>
    </soapsec:Signature>
  </s:Header>
  <s:Body soapsec:id="Body">
    .... SOAP Body Here ...
  </s:Body>
</s:Envelope>

And here is the code I have in BeforeSendRequest to create the signature, and modify the message accordingly:

    public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml(request.ToString());

        // Add the required namespaces to the SOAP Envelope element, if I don't do this, the web service I'm calling returns an error
        string soapSecNS = "http://schemas.xmlsoap.org/soap/security/2000-12";
        string soapEnvNS = "http://www.w3.org/2003/05/soap-envelope";

        //Get the header element, so that we can add the digital signature to it
        XmlNode headerNode = doc.GetElementsByTagName("Header", soapEnvNS)[0];

        // Set the ID attribute on the body element, so that we can reference it later
        XmlNode bodyNode = doc.GetElementsByTagName("Body", soapEnvNS)[0];

        ((XmlElement)bodyNode).RemoveAllAttributes();
        ((XmlElement)bodyNode).SetAttribute("id", soapSecNS, "Body");

        XmlWriterSettings settings2 = new XmlWriterSettings();
        settings2.Encoding = new System.Text.UTF8Encoding(false);

        // Load the certificate we want to use for signing
        SignedXmlWithId signedXml = new SignedXmlWithId(doc);
        X509Certificate2 cert = new X509Certificate2("C:\\myCertificate.pfx", "myPassword");

        signedXml.SigningKey = cert.PrivateKey;

        //Populate the KeyInfo element correctly, with the public cert and public key
        Signature sigElement = signedXml.Signature;
        KeyInfoX509Data x509Data = new KeyInfoX509Data(cert);
        sigElement.KeyInfo.AddClause(x509Data);

        RSAKeyValue rsaKeyValue = new RSAKeyValue((RSA)cert.PublicKey.Key);
        sigElement.KeyInfo.AddClause(rsaKeyValue);

        // Create a reference to be signed, only sign the body of the SOAP request, which we have given an 
        // ID attribute to, in order to reference it correctly here
        Reference reference = new Reference();
        reference.Uri = soapSecNS + "#Body";

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        XmlElement soapSignature = doc.CreateElement("Signature", soapSecNS);
        soapSignature.Prefix = "soapsec";
        soapSignature.AppendChild(xmlDigitalSignature);

        headerNode.AppendChild(soapSignature);

        // Make sure the byte order mark doesn't get written out
        XmlDictionaryReaderQuotas quotas = new XmlDictionaryReaderQuotas();
        Encoding encoderWithoutBOM = new System.Text.UTF8Encoding(false);

        System.IO.MemoryStream ms = new System.IO.MemoryStream(encoderWithoutBOM.GetBytes(doc.InnerXml));

        XmlDictionaryReader xdr = XmlDictionaryReader.CreateTextReader(ms, encoderWithoutBOM, quotas, null);

        //Create the new message, that has the digital signature in the header
        Message newMessage = Message.CreateMessage(xdr, System.Int32.MaxValue, request.Version);
        request = newMessage;

        return null;
    }

Does anybody know how I can set the Reference URI to #Body, but also have a valid XML Signature?

Answer 1

Since I was trying to generate a signature for a SOAP request, I got around this by subclassing SignedXml, overriding GetIdElement, so that I can return whatever element it is that I'm looking for. In this case, the id element will belong to the namespace http://schemas.xmlsoap.org/soap/security/2000-12

public class SignedXmlWithId : SignedXml
{
    public SignedXmlWithId(XmlDocument xml)
        : base(xml)
    {
    }

    public SignedXmlWithId(XmlElement xmlElement)
        : base(xmlElement)
    {
    }

    public override XmlElement GetIdElement(XmlDocument doc, string id)
    {
        // check to see if it's a standard ID reference
        XmlElement idElem = base.GetIdElement(doc, id);

        if (idElem == null)
        {
            // I've just hardcoded it for the time being, but should be using an XPath expression here, and the id that is passed in
            idElem = (XmlElement)doc.GetElementsByTagName("Body", "http://schemas.xmlsoap.org/soap/security/2000-12")[0];
        }

        return idElem;
    }
}

I've also realised that using tools such as IBM Web Services Validation Tool for WSDL and SOAP to validate the digital signature of the SOAP request doesn't work. Instead I'm using the following method to verify signatures:

    public static bool verifyDigitalSignatureForString(string msgAsString)
    {
        XmlDocument verifyDoc = new XmlDocument();
        verifyDoc.PreserveWhitespace = true;
        verifyDoc.LoadXml(msgAsString);

        SignedXmlWithId verifyXml = new SignedXmlWithId(verifyDoc);
        // Find the "Signature" node and create a new
        // XmlNodeList object.
        XmlNodeList nodeList = verifyDoc.GetElementsByTagName("Signature");

        // Load the signature node.
        verifyXml.LoadXml((XmlElement)nodeList[0]);

        if (verifyXml.CheckSignature())
        {
            Console.WriteLine("Digital signature is valid");
            return true;
        }
        else
        {
            Console.WriteLine("Digital signature is not valid");
            return false;
        }
    }