We continue our journey in WCF error messages. Today’s error is actually somehow related to the first cryptic WCF error message. The use case here again includes X.509 certificates. This time we are just using xml digital signature without encryption. When we run our client we get the following error:
Since we already know how to configure wcf tracing we did just that on the server. Surprisingly enough the trace contained no error! Furthermore, the message logs in the server shows that the server got a valid request and even sent the correct response. Hmmm…
The next step is to configure tracing and logging at the client. The logging seems fine and the trace log shows us the same exception “Cannot resolve KeyInfo…”.
What happened is exactly the same as with last time: The client and the server are not using matching X.509 certificates. As suggested there, you should verify the correctness of the X.509 references in web/app.config. If that doesn't help - remove and reinstall the relevant certificates from the windows certificate store.
@YaronNaveh
13 comments:
Could not find a suitable section so I written here, how to become a moderator for your forum, that need for this?
I am getting an error like this now except it is not from WCF to WCF, but from a gSoap client to a WCF service.
In the trace log for the service I see the following:
Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'X509Token', Owner = 'System.IdentityModel.Tokens.X509SecurityToken')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)
'.
It works fine with a WCF client.
The certificate used by gsoap is the service certificate from WCF, exported as PFX file and then converted to a PEM file. (as far as I know gsoap can only handle PEM...)
If it is indeed a certificate problem then I guess it is not possible to just convert stuff to PEM? Or is there still something else?
Sangman - try to compare between the working request (wcf client) and non working soap request (gsoap). What are the differences?
It turns out that there was a little error in my gsoap source code. I made a proxy and then for the soap struct inside of it I did proxy.soap = soap_new1(...)
Removing this fixed that error but caused new ones.
Right now I am just using signatures without encryption, as you'd expect this too works fine between WCF service and client but not with a gsoap client.
The underlying error is this:
System.Security.Cryptography.CryptographicException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
A mismatch occurred on the algorithm for the transform.
This makes me believe that WCF is expecting a different algorithm than what gsoap uses to sign the message. Gsoap signs using RSA-SHA1. The only other options are HMAC shared key (though I prefer using public/private key pairs) or DSA-SHA1 which I read WCF does not support. It doesn't look like RSA is supported either though so I might be out of luck.
What the differences between the messages are concerned, the WS-Addressing stuff and body are the same, the security header though does have some differences. All that Gsoap sends is the signature and timestamp. WCF sends the timestamp, encryptedkey, derivedkeytokens etc. I can sortof recreate that packet by also adding an encryptedkey in gsoap but that creates yet another error on the WCF side:
System.Xml.XmlException, System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Cannot read KeyIdentifierClause from element 'KeyIdentifier' with namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'. Custom KeyIdentifierClauses require custom SecurityTokenSerializers, please refer to the SDK for examples.
No idea what's going on here. I'm inclined to think gsoap is just not compatible with secure WCF services.
hi, I am also facing the same issue but in available token section i am getting count 2.
Has this anything to do with the error?
could be, try to recheck the certificates match
Hello Yaron, you're my last hope. I searched for days on google but no luck. I encountered the problem you describe, but the certificate is ok, I deleted it and installed and tested, but the error continues. What can I do?
Thanks for your help and forgive my bad english!
hi
do you build the client, the server or both? are both wcf? do you get the error when parsing the response?
I build a wcf client for a Java web service, i see the correct response with soaupUI, Fiddler and Visual Studio logger, but receive the error on the c# code and the response don't break the error wall......
(second reply, i don't see precedent)
can you send me the request, response and your config?
Can i send all to you with e-mail?
yes
Hi Yaron,
I have been struggling with the exact same issue for over a week.
I shall await your reply to sangman!
Post a Comment