WSE Client – WCF service Interop

I wanted to put up this sample using the Feb CTP.
Basically it uses WSE 3.0 and WCF to demonstrate both the AnonymousCertificate configuration and the MutualCertificate configuration, using the service's custom binding configuration on one side and the WSE policy file on the other.

The point is that WSE uses MessageVersion.Soap11WSAddressingAugust2004 or MessageVersion.Soap12WSAddressingAugust2004, so you will need a custom binding to talk to it.
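Building that custom binding in code, as an added example that is not part of the original sample: the two MessageVersion values go on the text encoder, and the security mode (MutualCertificate or AnonymousForCertificate) comes from the corresponding SecurityBindingElement factory. The MessageSecurityVersion picked here is an assumption (the WS-Security 1.1 / WS-Trust February 2005 profile, which is what WSE 3.0 defaults to) and must agree with whatever the WSE policy file says; the class and method names are mine.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Added example: the kind of custom binding WSE 3.0 interop needs.
// MessageVersion / MessageSecurityVersion members are real WCF values;
// which security version to use must match the WSE policy file (assumption).
static class WseInteropBindings
{
    // Assumption: WSE 3.0's default profile. Change it if the WSE policy says otherwise.
    static readonly MessageSecurityVersion WseSecurityVersion =
        MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

    // WSE 3.0 speaks WS-Addressing August 2004, so the encoder must be told so explicitly;
    // the stock wsHttpBinding uses WS-Addressing 1.0 and will not interoperate.
    static TextMessageEncodingBindingElement WseEncoding(bool soap12)
    {
        TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();
        encoding.MessageVersion = soap12
            ? MessageVersion.Soap12WSAddressingAugust2004
            : MessageVersion.Soap11WSAddressingAugust2004;
        return encoding;
    }

    // MutualCertificate: client and service each present an X.509 certificate at the message level.
    public static CustomBinding MutualCertificate(bool soap12)
    {
        SecurityBindingElement security = SecurityBindingElement.CreateMutualCertificateBindingElement();
        security.MessageSecurityVersion = WseSecurityVersion;
        // Element order matters: security, then encoding, then transport last.
        return new CustomBinding(security, WseEncoding(soap12), new HttpTransportBindingElement());
    }

    // AnonymousForCertificate: only the service is identified by a certificate;
    // the client stays anonymous at the message level.
    public static CustomBinding AnonymousForCertificate(bool soap12)
    {
        SecurityBindingElement security = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
        security.MessageSecurityVersion = WseSecurityVersion;
        return new CustomBinding(security, WseEncoding(soap12), new HttpTransportBindingElement());
    }
}
```

Either binding can be handed to ServiceHost.AddServiceEndpoint or to a ChannelFactory; the service certificate still has to be supplied through the host's Credentials, exactly as with the configuration-file version.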

CustomValidators and Chaining of Validators

I was looking into the custom certificate validators sample and was quite curious about how I could chain the certificate validation. Martin helped me out with this, and this is pretty much how he put it.


Here is a validator implementation that accepts self-issued certs, certs in the Trusted People store and certs that chain to a trusted root CA:

using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;

class CustomValidator : X509CertificateValidator
{
    public CustomValidator()
    {
    }

    public override void Validate(X509Certificate2 cert)
    {
        // A self-issued (self-signed) cert has Subject == Issuer: accept it as-is.
        if (cert.Subject == cert.Issuer)
            return;

        // Otherwise fall back to the built-in check: Trusted People store or chain to a trusted root.
        // It throws if neither holds.
        X509CertificateValidator.PeerOrChainTrust.Validate(cert);
    }
}

If you wanted to do peer/chain and then extra checking, you'd reverse the order:

using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

class CustomValidator : X509CertificateValidator
{
    public CustomValidator()
    {
    }

    public override void Validate(X509Certificate2 cert)
    {
        // Built-in peer/chain trust first; it throws if the cert is not trusted.
        X509CertificateValidator.PeerOrChainTrust.Validate(cert);

        // Then the extra application-specific checks.
        if (!CertIsOK(cert))
            throw new SecurityTokenException("Certificate is not OK");
    }

    private bool CertIsOK(X509Certificate2 cert)
    {
        bool bRet = false;

        // Perform checks here and set bRet to true if all checks are passed.

        return bRet;
    }
}


So basically what you can do is set the X509ValidationMode to None and then test your code. That way, no matter what is wrong with the certificate, no checks are done and the certificate is accepted, which tells you whether the failure is in the certificate or somewhere else; then fix the certificate problem.
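As an added example (not Martin's code and not part of the original sample), here is a validator that runs PeerOrChainTrust first and then layers concrete checks on top, the kind of checks the CertIsOK stub above leaves to the reader, together with the code that plugs it into a ServiceHost and the one-line switch to X509CertificateValidationMode.None described above for diagnosis. The class and method names and the minimum key size are my choices.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: built-in trust check first, then extra checks with a named reason
// for each rejection so the cause shows up in the service trace instead of a generic fault.
class StrictClientCertValidator : X509CertificateValidator
{
    const int MinimumKeyBits = 2048;                     // my choice, adjust to policy
    const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    public override void Validate(X509Certificate2 cert)
    {
        // 1. Trusted People store or chain to a trusted root; throws on failure.
        X509CertificateValidator.PeerOrChainTrust.Validate(cert);

        // 2. Validity period (PeerTrust alone does not check it for store-listed certs).
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new SecurityTokenValidationException("Certificate outside its validity period: " + cert.Subject);

        // 3. The cert must be issued for client authentication.
        if (!HasEku(cert, ClientAuthEkuOid))
            throw new SecurityTokenValidationException("Certificate lacks the Client Authentication EKU: " + cert.Subject);

        // 4. Reject weak keys.
        if (cert.PublicKey.Key.KeySize < MinimumKeyBits)
            throw new SecurityTokenValidationException("Certificate key is too small: " + cert.Subject);
    }

    static bool HasEku(X509Certificate2 cert, string oidValue)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null)
                continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == oidValue)
                    return true;
        }
        return false;
    }
}

static class ValidatorSetup
{
    // Hooks the validator into the host's client-certificate authentication;
    // this is the code equivalent of certificateValidationMode="Custom" in config.
    public static void UseStrictValidator(ServiceHost host)
    {
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new StrictClientCertValidator();
    }

    // The diagnostic setting from the text: no checks at all, so a failing call can be
    // attributed to the certificate or to something else. Switch back to Custom afterwards.
    public static void DisableValidationForDiagnosis(ServiceHost host)
    {
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.None;
    }
}
```

Call ValidatorSetup.UseStrictValidator(host) before host.Open(); the same Authentication object also carries the RevocationMode, so revocation checking can be tightened in the same place.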

Security at both Message and Transport Level

When using web services we usually want the messages encrypted at the message level and also want SSL on the wire. As of now this combination is not supported out of the box: the standard bindings offer either Transport mode, Message mode, or a mode called TransportWithMessageCredential.
The third mode does not encrypt the SOAP message at the message level; it only carries the claims (credentials) at that level, while the protection itself is provided at the transport level, as the name suggests.
The only binding that provides both out of the box is the following:

<netMsmqBinding>
    <binding name="test">
        <security mode="Both"></security>
    </binding>
</netMsmqBinding>

WsHttpBinding provides the mixed mode (TransportWithMessageCredential) but not both.
You can get a full listing in the Predefined Bindings documentation.

In case you do want to use this, you have to create a custom binding specifying each element. The behavior element can be used to specify the credentials that the message-level security will use, and the transport can use, say, the server certificate from IIS. The snippet below shows a bare skeleton of this kind of binding.

<customBinding>
    <binding name="Binding1">
        <security authenticationMode="SecureConversation"
                  requireSecurityContextCancellation="true">
        </security>
        <textMessageEncoding messageVersion="Soap12WSAddressing10" writeEncoding="utf-8"/>
        <httpsTransport/>
    </binding>
</customBinding>
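The same skeleton built programmatically, plus the service-credential setup that the behavior element would otherwise carry. This is an added example, not part of the original post: the bootstrap security for the secure conversation (MutualCertificate) and the certificate subject name "localhost" are assumptions, and the class name is mine.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;

// Added example: message-level security (secure conversation) layered over an HTTPS transport.
static class MessageOverTransportBinding
{
    public static CustomBinding Create()
    {
        // Bootstrap for the secure conversation (assumption: mutual certificate, i.e. the
        // client authenticates with its own certificate at the message level).
        SecurityBindingElement bootstrap = SecurityBindingElement.CreateMutualCertificateBindingElement();

        // requireCancellation = true mirrors requireSecurityContextCancellation="true" above.
        SecurityBindingElement security =
            SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap, true);

        // <textMessageEncoding messageVersion="Soap12WSAddressing10" writeEncoding="utf-8"/>
        TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();
        encoding.MessageVersion = MessageVersion.Soap12WSAddressing10;
        encoding.WriteEncoding = Encoding.UTF8;

        // <httpsTransport/>: the channel is encrypted on the wire with the server
        // certificate bound to the port (for example by IIS), independently of the message security.
        HttpsTransportBindingElement transport = new HttpsTransportBindingElement();

        return new CustomBinding(security, encoding, transport);
    }

    // Equivalent of the <serviceCredentials> behavior: the certificate the message-level
    // security signs and decrypts with. Subject name "localhost" is a constructed placeholder.
    public static void ConfigureCredentials(ServiceHost host)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");

        // How the client's message-level certificate is checked; ChainTrust rejects
        // anything that does not chain to a trusted root.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
    }
}
```

Use it as host.AddServiceEndpoint(typeof(IContract), MessageOverTransportBinding.Create(), "https://host/path") followed by ConfigureCredentials(host); the endpoint address must be https for the HttpsTransportBindingElement to open.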

Validating the Certificate Chain

Usually, when testing with different certificates, we need to check whether the certificate chain is valid, and this snippet came in handy in many places.

using System;
using System.Security.Cryptography.X509Certificates;

static bool BuildChain()
{
    X509Certificate2 cert = LookupCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=Localhost");
    X509Chain chain = new X509Chain();
    // Build() returns false when the chain fails the default policy (untrusted root, expired, and so on).
    return chain.Build(cert);
}

static X509Certificate2 LookupCertificate(StoreName storeName,
                                          StoreLocation storeLocation,
                                          string subjectDistinguishedName)
{
    X509Store store = null;
    try
    {
        store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certs =
            store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName,
                subjectDistinguishedName,
                false);   // validOnly = false: also return expired/untrusted certs so they can be inspected
        if (certs.Count != 1)
        {
            throw new Exception("Certificate not found or more than one certificate found");
        }
        return certs[0];
    }
    finally
    {
        if (store != null)
            store.Close();
    }
}
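An added example (not part of the original snippet) that goes one step further than chain.Build(): it turns on revocation checking and collects each status flag per chain element, so a test run reports why a certificate failed rather than only that it did, and it answers the usual test-certificate question of whether the only complaint is an untrusted (self-signed) root. Class and method names are mine; the methods take the certificate as a parameter so they can be fed from LookupCertificate above or any other source.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example: explain a chain-building result instead of reducing it to true/false.
static class ChainDiagnostics
{
    // Returns one line per problem the chain engine raised, tagged with the index and
    // subject of the chain element that carried it; a single "built cleanly" line otherwise.
    public static List<string> Explain(X509Certificate2 cert, bool checkRevocation)
    {
        X509Chain chain = new X509Chain();
        // Online revocation reaches out for CRL/OCSP; with no network you will see
        // RevocationStatusUnknown / OfflineRevocation flags, which is itself useful information.
        chain.ChainPolicy.RevocationMode = checkRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // no Ignore* shortcuts

        bool ok = chain.Build(cert);
        List<string> report = new List<string>();

        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            foreach (X509ChainStatus status in element.ChainElementStatus)
                report.Add(string.Format("[{0}] {1}: {2} ({3})",
                    i, element.Certificate.Subject, status.Status, status.StatusInformation.Trim()));
        }

        if (ok && report.Count == 0 && chain.ChainElements.Count > 0)
            report.Add("Chain built cleanly: " + chain.ChainElements.Count + " element(s), root = " +
                       chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Subject);
        return report;
    }

    // True when the only status raised is UntrustedRoot, the usual situation with a
    // self-signed test certificate that is not (yet) in the Trusted Root store.
    public static bool OnlyUntrustedRoot(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (chain.Build(cert))
            return false; // no problems at all
        foreach (X509ChainStatus status in chain.ChainStatus)
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        return chain.ChainStatus.Length > 0;
    }
}
```

In a test harness, print ChainDiagnostics.Explain(cert, true) whenever BuildChain() returns false; a result of only NotTimeValid points at an expired test certificate, PartialChain at a missing intermediate in the store, and OnlyUntrustedRoot(cert) == true at a self-signed cert that merely needs to be placed in Trusted People or Trusted Root on the test machine.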

Hope still lives

I got a comment saying that the stuff I write about does not “FIT” me. Well, just for curiosity's sake, what do you think will “FIT” me?
Anyway, this post is not about me but about life and hope. It's about a friend I have, and a friend I believe was necessary for me. I know that there is good and there is hope. But proof is hard to find. We know different quotes about hard work and hope and consistent focus. But there are few gems like this guy who prove these right.
When Dax (aka Rohit Rathish aka pottan) got through his first attempt at the Civil Services he was disappointed, as he did not get the IFS he had dreamt of all his life. This year he finally showed up with a mind-blowing 45th rank in his exams, assuring him of his choice. The point is that this guy has been preparing for this since the time he first knew he wanted to be something. This is something that many people die to achieve: not the fact that you reach your goal but the fact that you know exactly where you want to be. You will never bend down in front of anyone for figuring out who you are and where you want to be.

This is the most important story that I would love to tell anyone. A story that is not mine. It's Rohit's story, and many people would look up to him and still wonder how one does it. The people you can look up to are the people who give you reason and hope. The point is you know you will do it and it shall be done. BIG FISH