javaee / metro-wsit

https://javaee.github.io/metro-wsit/

Secure MTOM endpoint does not interoperate with WCF client #209

Closed glassfishrobot closed 16 years ago

glassfishrobot commented 17 years ago

This is the issue that was reported by Deepak to Kirill. The bug is that with the WCF Sept CTP, the Indigo client fails against WSIT Secure MTOM endpoints. Look at the end of the description for Kirill's evaluation of the problem on the WCF client side and possible workarounds.

Here is the mail from Deepak with details on the failure:


I am trying to run MTOM interop scenarios with the private plug-fest CTP that was provided by the Indigo team. When I run the Indigo client against the Tango endpoint, all SOAP 1.1 sign-only MTOM scenarios fail, throwing the same exception.

I am not getting any exception on the Tango endpoint side. The exception thrown by the Indigo client is what is in the subject of the mail. The exception stack trace from the Indigo client and the SOAP message logs obtained from the Tango endpoint side are attached. They are both from the EchoBinaryAsString scenario (but the exception is the same for all scenarios).

Just FYI, I didn't see this issue in the SOAP 1.1 sign+encrypt MTOM scenarios.

Can you please ask your team to investigate this issue?

Thanks, -Deepak

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.ArgumentNullException: Value cannot be null. Parameter name: ns at System.Xml.XmlBaseWriter.WriteXmlnsAttribute(String prefix, String ns) at System.IdentityModel.CanonicalizationDriver.WriteTo(Stream canonicalStream) at System.IdentityModel.ExclusiveCanonicalizationTransform.ProcessReaderInput(XmlReader reader, SignatureResourcePool resourcePool, HashStream hashStream) at System.IdentityModel.ExclusiveCanonicalizationTransform.ProcessAndDigest(Object input, SignatureResourcePool resourcePool, HashAlgorithm hash, DictionaryManager dictionaryManger) at System.IdentityModel.ExclusiveCanonicalizationTransform.ProcessAndDigest(Object input, SignatureResourcePool resourcePool, String digestAlgorithm, DictionaryManager dictionaryManager) at System.IdentityModel.TransformChain.TransformToDigest(Object data, SignatureResourcePool resourcePool, String digestMethod, DictionaryManager dictionaryManager) at System.IdentityModel.Reference.ComputeDigest() at System.IdentityModel.Reference.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource) at System.IdentityModel.StandardSignedInfo.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource) at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.EnsureDigestValidityIfIdMatches(SignedInfo signedInfo, String id, XmlDictionaryReader reader, Boolean doSoapAttributeChecks, MessagePartSpecification signatureParts, MessageHeaderInfo info, Boolean checkForTokensAtHeaders) at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned) at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout) at 
System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) — End of inner exception stack trace —

Server stack trace: at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates) at System.ServiceModel.Channels.SecurityChannelFactory1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at IMtomTest.EchoBinaryAsString(Byte[] array) at MtomTestClient.EchoBinaryAsString(Byte[] array) — End of inner exception stack trace — at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner) at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams) at Microsoft.Xws.Test.Suite.Util.WsdlTestUtilities.DynamicProxy.DynamicObject.CallMethod(String method, Object[] parameters) at XwsInterop.HostedClient.HostedClientSoapImpl.TestMtomMethods(DynamicProxy proxy, Boolean enableSecurity, String operationName) at XwsInterop.HostedClient.HostedClientSoapImpl.runScenario(String featureName, String scenarioName, HostedClientParameter[] parameters)

Oct 18, 2006 2:38:37 PM com.sun.xml.wss.impl.filter.DumpFilter process
INFO: ==== Received Message Start ====
[SOAP 1.1 envelope with a wsse:Security header carrying a Timestamp (Created/Expires), an X509v3 BinarySecurityToken and a Signature; the header contents and the MTOM payload are not reproduced here]
==== Received Message End ====
Oct 18, 2006 2:38:38 PM com.sun.xml.wss.impl.filter.DumpFilter process
INFO: ==== Sending Message Start ====
[response envelope with its Timestamp, Signature and payload; not reproduced here]
==== Sending Message End ====
---------- Deepak's end of mail --------------

Here is the problem on the Indigo side and a possible workaround we can do to interoperate. This is from Kirill's mail:

----------

The bug is: we throw if the PrefixList contains a prefix that is not declared in scope of the element being canonicalized. The correct behavior would be to simply ignore the prefix, since it is superfluous (its presence in the PrefixList does not affect the canonicalization output). The mail below contains an illustration and possible workarounds you could do on your side. I'd be happy to discuss this further.

Take the following message sent by WSIT a couple of weeks ago. We will throw during the canonicalization of the s:Body, because ns2 and ns3 are declared on the child of the Body and are not known at the s:Body level. We will canonicalize the Timestamp correctly, since S, wsse and wsu are declared in scope of the Timestamp element (i.e. on the element itself or one of its ancestors).

...

Workarounds: .Net 3.0 would accept the message above with either of the following changes.

1) Remove ns2 and ns3 from the PrefixList. Strictly speaking you don't need them inside the PrefixList, since they are declared at the inner node of the Body - the presence of these prefixes in the PrefixList makes no difference for the canonicalization output.

2) Another workaround is to do what I believe you used to do in the earlier bits: emit the ns2 and ns3 prefixes at the s:Body node - the node being canonicalized.

----------------

#### Environment

Operating System: All
Platform: All

#### Affected Versions

[current]
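To make Kirill's point concrete, here is an added Python model of exc-c14n namespace rendering (it is not code from the report, from WSIT or from WCF); the element names, the app namespace URIs and the `strict` switch are constructed for the demo. It shows that with spec-conformant (lenient) handling a PrefixList with or without ns2/ns3 canonicalizes the Body identically, that a strict verifier rejects the original message, and that declaring ns2/ns3 on s:Body (workaround 2) satisfies even the strict verifier.

```python
# Added illustration, not the report's or Metro/WSIT's code; names and URIs below are constructed.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
APP = {"ns2": "urn:example:ns2", "ns3": "urn:example:ns3"}   # constructed application namespaces


class UndeclaredPrefixError(ValueError):
    """A prefix is used, or (strict mode only) listed in the PrefixList, but not in scope."""


class Elem:
    """Minimal element: prefix, local name, own xmlns decls, (prefix, name, value) attrs, children, text."""
    def __init__(self, prefix, name, nsdecls=None, attrs=None, children=None, text=""):
        self.prefix, self.name, self.text = prefix, name, text
        self.nsdecls, self.attrs, self.children = nsdecls or {}, attrs or [], children or []


def exc_c14n(elem, prefix_list, strict=False, scope=None, rendered=None):
    """Serialize `elem` with exclusive-c14n namespace rules. `prefix_list` is the InclusiveNamespaces
    PrefixList; strict=True mimics the WCF bug (reject a listed prefix that is not in scope here)."""
    scope = {**(scope or {}), **elem.nsdecls}        # namespaces visible at this element
    rendered = dict(rendered or {})                   # xmlns already emitted by output ancestors
    visible = {elem.prefix} | {p for p, _, _ in elem.attrs if p}   # visibly utilized prefixes
    emit = {}
    for p in visible | set(prefix_list):
        if p not in scope:
            if p in visible or strict:
                raise UndeclaredPrefixError(f"prefix {p!r} not in scope at {elem.prefix}:{elem.name}")
            continue                                  # superfluous PrefixList entry: no effect on output
        if rendered.get(p) != scope[p]:
            emit[p] = scope[p]
    rendered.update(emit)
    ns = "".join(f' xmlns:{p}="{u}"' for p, u in sorted(emit.items()))
    at = "".join(f' {p}:{n}="{v}"' for p, n, v in sorted(elem.attrs))   # attribute ordering simplified
    kids = "".join(exc_c14n(c, prefix_list, strict, scope, rendered) for c in elem.children)
    tag = f"{elem.prefix}:{elem.name}"
    return f"<{tag}{ns}{at}>{elem.text}{kids}</{tag}>"


def canonicalize_body(prefix_list, strict=False, declare_on_body=False):
    """Stand-in for the s:Body of the reported message: ns2/ns3 are declared on the Body's child only.
    declare_on_body=True applies workaround 2 (emit the ns2/ns3 declarations at s:Body as well)."""
    child = Elem("ns2", "echo", dict(APP), [("ns3", "mode", "mtom")], text="AAEC")
    body = Elem("S", "Body", dict(APP) if declare_on_body else {}, [("wsu", "Id", "_body")], [child])
    return exc_c14n(body, prefix_list, strict, scope={"S": SOAP, "wsu": WSU})   # S/wsu come from the Envelope


def strict_rejects(prefix_list, declare_on_body=False):
    """True if the strict (buggy) verifier throws for this message and PrefixList combination."""
    try:
        canonicalize_body(prefix_list, strict=True, declare_on_body=declare_on_body)
        return False
    except UndeclaredPrefixError:
        return True
```

Workaround 1 corresponds to `strict_rejects(["S"])` being false, workaround 2 to `strict_rejects(["S", "ns2", "ns3"], declare_on_body=True)` being false; the original message, `strict_rejects(["S", "ns2", "ns3"])`, is rejected even though the lenient output is byte-identical to the PrefixList-without-ns2/ns3 case.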
glassfishrobot commented 17 years ago

Reported by vivekp@java.net

glassfishrobot commented 17 years ago

ashutoshshahi@java.net said: This bug occurred with non optimized security; with optimized security, which is now the default, it should no longer be an issue as we use only three prefixes - S, wsu, and wsse inside prefix list - and all of them are declared on the soap envelope itself.

Can someone verify if this is still an issue, as I do not have the setup to run the Indigo to Tango test. I am marking this issue as fixed.

glassfishrobot commented 17 years ago

mmatula@java.net said: This issue was fixed before we created 1.0 branch, so the fix is in 1.0 -> setting target milestone to say so.

glassfishrobot commented 17 years ago

Was assigned to ashutoshshahi@java.net

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA WSIT-209

glassfishrobot commented 16 years ago

Marked as fixed on Tuesday, July 22nd 2008, 10:44:57 am