Saturday, October 11, 2008

Cryptic WCF error messages (part 2 of N)

@YaronNaveh


We continue our journey through WCF error messages. Today’s error is closely related to the first cryptic WCF error message. The use case again involves X.509 certificates; this time we are only using an XML digital signature, without encryption. When we run our client we get the following error:


Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=Root Agency', Serial = '-52580476043899823005482728065021010894')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 1,
TokenEntry[0] = (AllowedReferenceStyle=External, Token=System.IdentityModel.Tokens.X509SecurityToken, Parameters=System.ServiceModel.Security.Tokens.X509SecurityTokenParameters:
InclusionMode: Never
ReferenceStyle: Internal
RequireDerivedKeys: False
X509ReferenceStyle: Any)
)
'.


Since we already know how to configure WCF tracing, we did just that on the server. Surprisingly enough, the trace contained no error! Furthermore, the message logs on the server show that the server received a valid request and even sent the correct response. Hmmm…
The next step is to configure tracing and logging at the client. The logging seems fine, and the trace log shows the same exception “Cannot resolve KeyInfo…”.

What happened is exactly the same as last time: the client and the server are not using matching X.509 certificates. The KeyInfo in the error names the certificate the signature refers to (here by issuer 'CN=Root Agency' and serial number), while the "available tokens" part lists the certificates the client actually holds; since none of them matches, WCF has no key with which to verify the signature. As suggested there, verify the X.509 references in web.config/app.config. If that doesn't help, remove and reinstall the relevant certificates in the Windows certificate store.


13 comments:

Anonymous said...

Could not find a suitable section so I wrote here: how does one become a moderator for your forum, what is needed for this?

Sangman said...

I am getting an error like this now except it is not from WCF to WCF, but from a gSoap client to a WCF service.

In the trace log for the service I see the following:

Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'X509Token', Owner = 'System.IdentityModel.Tokens.X509SecurityToken')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)
'.

It works fine with a WCF client.

The certificate used by gsoap is the service certificate from WCF, exported as PFX file and then converted to a PEM file. (as far as I know gsoap can only handle PEM...)

If it is indeed a certificate problem then I guess it is not possible to just convert stuff to PEM? Or is there still something else?

Yaron Naveh (MVP) said...

Sangman - try to compare between the working request (wcf client) and non working soap request (gsoap). What are the differences?

Sangman said...

It turns out that there was a little error in my gsoap source code. I made a proxy and then for the soap struct inside of it I did proxy.soap = soap_new1(...)

Removing this fixed that error but caused new ones.

Right now I am just using signatures without encryption, as you'd expect this too works fine between WCF service and client but not with a gsoap client.

The underlying error is this:
System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
A mismatch occurred on the algorithm for the transform.

This makes me believe that WCF is expecting a different algorithm than what gsoap uses to sign the message. Gsoap signs using RSA-SHA1. The only other options are HMAC shared key (though I prefer using public/private key pairs) or DSA-SHA1 which I read WCF does not support. It doesn't look like RSA is supported either though so I might be out of luck.

As far as the differences between the messages are concerned, the WS-Addressing parts and the body are the same; the security header, though, does have some differences. All that gSOAP sends is the signature and timestamp. WCF sends the timestamp, EncryptedKey, DerivedKeyTokens etc. I can sort of recreate that packet by also adding an EncryptedKey in gSOAP, but that creates yet another error on the WCF side:

System.Xml.XmlException, System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Cannot read KeyIdentifierClause from element 'KeyIdentifier' with namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'. Custom KeyIdentifierClauses require custom SecurityTokenSerializers, please refer to the SDK for examples.

No idea what's going on here. I'm inclined to think gsoap is just not compatible with secure WCF services.

Chandan Mahajan said...

Hi, I am also facing the same issue, but in the available tokens section I am getting count 2.
Has this anything to do with the error?

Yaron Naveh (MVP) said...

Could be, try to recheck that the certificates match.

Anonymous said...

Hello Yaron, you're my last hope. I searched for days on Google but no luck. I encountered the problem you describe, but the certificate is OK; I deleted it, installed it again and tested, but the error continues. What can I do?
Thanks for your help and forgive my bad English!

Yaron Naveh (MVP) said...

Hi,

Do you build the client, the server or both? Are both WCF? Do you get the error when parsing the response?

Anonymous said...

I build a WCF client for a Java web service. I see the correct response with soapUI, Fiddler and the Visual Studio logger, but receive the error in the C# code, and the response doesn't get past the error wall......
(second reply, I don't see the preceding one)

Yaron Naveh (MVP) said...

can you send me the request, response and your config?

Anonymous said...

Can I send it all to you by e-mail?

Yaron Naveh (MVP) said...

yes

Digvijay Chauhan said...

Hi Yaron,

I have been struggling with the exact same issue for over a week.

I shall await your reply to sangman!