Using the configuration below we have implemented message security using WCF and WS-Security. Note that we use clientCredentialType=Certificate.
Now my questions are:
- Does the configuration below represent a cryptographically secure way to verify the identity of the client?
- The client uses a certificate with a known private key as client credentials. In what manner can the server verify this certificate, given that the server has the corresponding public key?
- What happens when a WCF client uses a certificate as client credentials? Is information about the certificate included in the SOAP message? Or is there an element in the message that is signed with the certificate? Or something else?
Server WCF configuration:
<!-- Service-side WCF configuration: wsHttpBinding with message-level security and X.509 client credentials. -->
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="srv">
<!-- Metadata (the WSDL, including the security policy shown further down) is published over plain HTTP as well as HTTPS. -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<!-- Exception details are not returned to callers in SOAP faults. -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<!-- The service's own certificate, looked up in LocalMachine\My by subject name.
     NOTE(review): FindBySubjectName matches on the subject text; confirm the store holds exactly one certificate
     that matches "ServerCert" so the lookup is unambiguous. -->
<serviceCertificate x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" findValue="ServerCert"/>
<clientCertificate>
<!-- Client certificate trust is delegated entirely to the custom validator type "CertValidator" in assembly
     "WcfService1" (not shown on this page). Chain and peer-trust checks are replaced by whatever that class does,
     so whether the client's identity is verified securely depends on its implementation, not on this XML. -->
<authentication certificateValidationMode="Custom" customCertificateValidatorType="CertValidator, WcfService1"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="ServerBinding">
<!-- Message-level security (WS-Security), not transport security: integrity and confidentiality come from the
     SOAP message protection, so the HTTP transport itself may be unencrypted. -->
<security mode="Message">
<!-- clientCredentialType="Certificate": the client authenticates with an X.509 certificate.
     negotiateServiceCredential="false": the service certificate is not negotiated at runtime; the client must
     already hold it (see the client's <identity>/<certificateReference>).
     establishSecurityContext="false": no WS-SecureConversation session; each request is secured on its own. -->
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WcfService1.Service1" behaviorConfiguration="srv">
<!-- Empty address: the endpoint lives at the base address of the hosting .svc. -->
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="ServerBinding" contract="WcfService1.IService1"/>
</service>
</services>
</system.serviceModel>
Client WCF configuration:
<!-- Client-side WCF configuration; the binding settings mirror the service's "ServerBinding". -->
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WsHttpBinding_IService1">
<security mode="Message">
<!-- Must match the service binding: certificate client credential, no service-credential negotiation,
     no secure-conversation session. -->
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<!-- Plain-HTTP address; the "localhost.fiddler" host name suggests traffic is being routed through a local
     Fiddler proxy for inspection. Only the WS-Security protected parts of the SOAP envelope are hidden from it. -->
<endpoint address="http://localhost.fiddler:49694/Service1.svc" binding="wsHttpBinding"
bindingConfiguration="WsHttpBinding_IService1" contract="ServiceReference1.IService1"
name="WsHttpBinding_IService1" behaviorConfiguration="endpBehavior">
<identity>
<!-- The service certificate the client expects, taken from the client machine's LocalMachine\My store.
     Because negotiateServiceCredential is false, this is the only source of the service's public key on the client. -->
<certificateReference findValue="ServerCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="endpBehavior">
<clientCredentials>
<!-- The certificate presented as the client credential.
     NOTE(review): its private key must be readable by the client process account; confirm the key's ACL. -->
<clientCertificate findValue="ClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
The server configuration results in the following policy element in the wsdl:
<!-- WS-SecurityPolicy assertions WCF generated from "ServerBinding". Read together they answer the third
     question: the client certificate is carried in the message as an endorsing supporting token. -->
<wsp:Policy wsu:Id="WSHttpBinding_IService1_policy">
<wsp:ExactlyOne>
<wsp:All>
<!-- Symmetric binding: message protection uses symmetric keys wrapped for the protection token below. -->
<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<!-- The protection token is an X.509 token that is never sent in the message (IncludeToken/Never);
     it is referenced by thumbprint instead. Presumably this is the service certificate, which is why the
     client has to hold "ServerCert" locally. -->
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<!-- Per-message keys are derived from the wrapped key rather than used directly. -->
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<!-- Basic256: the WS-SecurityPolicy suite built on AES-256 with SHA-1 digests. -->
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<!-- A wsu:Timestamp is placed in each message (basis for freshness/replay checks on the receiving side). -->
<sp:IncludeTimestamp/>
<!-- The XML signature itself is encrypted, so the signed digests are not visible on the wire. -->
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<!-- Endorsing supporting token: an X.509 token that is always sent to the recipient and whose key signs
     (endorses) the primary message signature. This corresponds to clientCredentialType="Certificate":
     the client certificate travels in the message and a signature made with its private key covers the
     message signature, which is what the service's validator gets to check. -->
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<!-- The response must carry a SignatureConfirmation echoing the request signature, tying the reply to the request. -->
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<!-- Both parties contribute entropy to the key material. -->
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<!-- WS-Addressing headers are in use. -->
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Note that this question is also asked on Stack Overflow.