Мне нужно использовать SOAP веб-сервис, который подписывает сообщения с использованием WS-Security. У меня есть 2 сертификата: один — сертификат неотказуемости (non-repudiation), который отвечает за подписание сообщений, и один — для проверки подлинности и шифрования. Элемент Body конверта SOAP должен быть подписан как в запросе, так и в ответе. Это относится и к сообщениям об ошибках SOAP (SOAP Fault). Получившийся XML должен выглядеть так:
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Covered by the second dsig:Reference of the signature below (its URI matches this wsu:Id).
     Created and Expires are 60 seconds apart in this example; a receiver that enforces the window
     rejects messages outside it, so sender and receiver clocks have to agree. -->
<wsu:Timestamp wsu:Id="Id-0001587982588185-00000000537f5db2-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2020-04-27T10:16:28Z</wsu:Created>
<wsu:Expires>2020-04-27T10:17:28Z</wsu:Expires>
</wsu:Timestamp>
<!-- Signer's X.509 certificate, Base64-encoded (see ValueType / EncodingType). dsig:KeyInfo refers to
     this element by its wsu:Id. The token travels inside the message itself, so its presence proves
     nothing: a verifier should accept the signature only after validating this certificate against its
     own trust anchors and the expected signer identity. -->
<wsse:BinarySecurityToken wsu:Id="Id-0001587982588185-ffffffffe0f1812c-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIE9DCCA9ygAwIBAgILAcc/li8vpYhTplkwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSMwIQYDVQQDDBpCdXlwYXNzIENsYXNzIDMgVGVzdDQgQ0EgMzAeFw0xODA4MjExMTA4MjNaFw0yMTA4MzEyMTU5MDBaMFoxCzAJBgNVBAYTAk5PMRQwEgYDVQQKDAtTVEFUTkVUVCBTRjEOMAwGA1UECwwFRWxodWIxETAPBgNVBAMMCFN0YXRuZXR0MRIwEAYDVQQFEwk5NjI5ODY2MzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbU9edlhT5V7hIo4WTNZMUt6QZw87+JkvSYuKooXXmcBojCSZfC+Mm2jI4CQG/qI0Yix6sze1qAvVlJzL97xelxa6ApocfK3M5BQShDwydSvYGplfVC3/8gDSjZfBpXkyYOPgaNX2mcmORkBd9A04cwdzLJ01HuAXH1QKo21dvB6nCcYJI6ZiN+He5KmIeDsoaMBL20LuxDn0ZFIHSJ7S564lxDfAQa7Ekkr92dEChp+kBt4Y0s864Fj+TnGb8vpS/feifSJyN1pbta65UnrmiU06zIrDtyUKPCAlQoZ+lsyiIIGqrXcTXk6XflWGTjd3dX92QSRHcfnyXut9c3suvAgMBAAGjggHCMIIBvjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFD+u9XgLkqNwIDVfWvr3JKBSAfBBMB0GA1UdDgQWBBTCNHTigTi+ELg7tFBgfsmKkTKAtDAOBgNVHQ8BAf8EBAMCBkAwFgYDVR0gBA8wDTALBglghEIBGgEAAwIwgbsGA1UdHwSBszCBsDA3oDWgM4YxaHR0cDovL2NybC50ZXN0NC5idXlwYXNzLm5vL2NybC9CUENsYXNzM1Q0Q0EzLmNybDB1oHOgcYZvbGRhcDovL2xkYXAudGVzdDQuYnV5cGFzcy5uby9kYz1CdXlwYXNzLGRjPU5PLENOPUJ1eXBhc3MlMjBDbGFzcyUyMDMlMjBUZXN0NCUyMENBJTIwMz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0MIGKBggrBgEFBQcBAQR+MHwwOwYIKwYBBQUHMAGGL2h0dHA6Ly9vY3NwLnRlc3Q0LmJ1eXBhc3Mubm8vb2NzcC9CUENsYXNzM1Q0Q0EzMD0GCCsGAQUFBzAChjFodHRwOi8vY3J0LnRlc3Q0LmJ1eXBhc3Mubm8vY3J0L0JQQ2xhc3MzVDRDQTMuY2VyMA0GCSqGSIb3DQEBCwUAA4IBAQBg4pRQGNcstYu2gqrOclm+bGuByh6WS/yIfOZBFe9sn+c1y6SZbLQh+fQHmRIImsMTVOmH2VM3wsVPYbHu9vNQSi89Doontaa3wxBYCxxZJcxh1Y/bxVZr0yjkSBAXYFycHd4DvwgDJyD0+zFj+EVCLG6PssxAaTIAjGzIsfnEJ83XiQ6E5WvTVAvy2SIGFOZYgq0FlN0YMfvRE41z0Z3b4rVk/pjXgbQyBbPlZ8xC3lOiD3FNZfkncNF9FK3HwbEwsxOEaO1iXL9
f6biWn9tXjCQccHzvm5+Z7br8iqlSegDgPgfO0CGAWccACrzFtVPmeycdmGyCSjQlpt/gatiA</wsse:BinarySecurityToken>
<!-- XML Signature over two parts of the message: the SOAP Body (first dsig:Reference) and the
     wsu:Timestamp (second dsig:Reference). A verifier should make sure that the Body it goes on to
     process is the very element the first Reference resolves to, not just some element in the
     document that happens to carry a valid signature. -->
<dsig:Signature Id="Id-0001587982588185-ffffffffe0f1812c-3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<!-- No comments are added inside dsig:SignedInfo: its canonical form is what dsig:SignatureValue covers.
     Both the signature method (rsa-sha1) and the digest method (sha1) rely on SHA-1, which is
     deprecated for digital signatures. NOTE(review): if the service offers a SHA-256 based suite,
     prefer it; confirm with the service owner. -->
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#Id-0001587982588185-ffffffffe0f1812c-2">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>uZpj3v5cmJfn5e/g4r9xTevBzaw=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#Id-0001587982588185-00000000537f5db2-1">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>1r7GzBELenqrJTlvBEXLmY1Nuas=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>IWKNNHjAdT2UyoUcjcKs5NT/pumzS1N9Ena512dGqitnTBWKhfzaqiGknfIoUd1m
o/3pxAUTTMyIYYVBWGg244R4hzwn/K6EcddgBCa4JeRyTmKRNlNGU78BfBQ4LNSA
dDG0Ubpx8xiala4dP8In2LMUcUvunAnHV080QrPwA5ssP50NoJw7T5jY0v68/iF8
EXd6CZ00b1W/4q7548yLPKNBJr6+tvcjeRERUWvVZamPOnKI+MJA8Xk2uTY7UVbB
4gjFbmbqzqaMoUSZtB8LbUPCqDS8oyIo0nBI+cwafaZeWVkGkxmXYPyHxpfBSWLQ
htgaE5mWp6wjoZlxP4MB7A==</dsig:SignatureValue>
<!-- The verification key is named indirectly: wsse:Reference points by wsu:Id to the
     wsse:BinarySecurityToken carried in the same security header. -->
<dsig:KeyInfo Id="Id-0001587982588185-ffffffffe0f1812c-4">
<wsse:SecurityTokenReference wsu:Id="Id-0001587982588185-ffffffffe0f1812c-5" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Reference URI="#Id-0001587982588185-ffffffffe0f1812c-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
</wsse:Security>
</soap11:Header>
<!-- Covered by the first dsig:Reference of the signature in the header (its URI matches this wsu:Id).
     The example is a fault response: the Body that is signed here carries a soap11:Fault, so faults
     are expected to be signed just like normal responses. The body is signed but not encrypted. -->
<soap11:Body wsu:Id="Id-0001587982588185-ffffffffe0f1812c-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap11:Fault>
<faultcode>soap11:Client</faultcode>
<faultstring>Message is not valid</faultstring>
</soap11:Fault>
</soap11:Body>
</soap11:Envelope>
Я сделал:
// Creates the generated service proxy and attaches two certificates, each looked up by thumbprint
// in the CurrentUser\My store ("xxxx" / "xxxxx" are placeholders), then calls the service.
var client = new Client();
// NOTE(review): in WCF, ClientCertificate is the client's own certificate and needs its private key.
// With authenticationMode="MutualCertificate" this is the key that signs outgoing messages, so the
// signing (non-repudiation) certificate would be expected here rather than the encryption one - confirm.
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "xxxx");// here I put the encryption certificate
// NOTE(review): ServiceCertificate.DefaultCertificate is the service's certificate (public key only).
// WCF uses it to encrypt to the service and to check the service's signature on responses, so one of
// the client's own certificates would not normally belong here - confirm which certificate the
// service publishes for signing its responses and faults.
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "xxxxx");// here I put the signing certificate
client.CallMethodDoSearch(request);
В app.config у меня есть:
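<bindings>
  <customBinding>
    <binding name="NameSoapBinding">
      <!--
        Message-level WS-Security with X.509 certificates on both sides (MutualCertificate),
        a signed timestamp (includeTimestamp) and no derived keys.
        defaultAlgorithmSuite="Default" selects SHA-1 based signing in WCF, which matches the
        rsa-sha1 / sha1 algorithms of the expected message. SHA-1 is deprecated for signatures:
        switch to a SHA-256 suite (Basic256Sha256) if the service supports one.
        NOTE(review): MutualCertificate signs and encrypts the body unless the service contract sets
        ProtectionLevel to Sign; the expected message shows a signed, unencrypted body - confirm
        which of the two the service requires.
      -->
      <security defaultAlgorithmSuite="Default"
                authenticationMode="MutualCertificate"
                requireDerivedKeys="false"
                includeTimestamp="true"
                messageProtectionOrder="SignBeforeEncrypt"
                messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                requireSignatureConfirmation="false">
        <!-- Replay detection for messages this client receives. -->
        <localClientSettings detectReplays="true" />
        <!-- Service-side settings; kept as in the original configuration. -->
        <localServiceSettings detectReplays="true" />
      </security>
      <textMessageEncoding messageVersion="Soap11" />
      <!-- The endpoint that uses this binding has an https address. WCF requires the transport element
           to match the URI scheme, and the signed (but not necessarily encrypted) message should not
           travel over plain HTTP, hence httpsTransport instead of httpTransport. -->
      <httpsTransport />
    </binding>
  </customBinding>
</bindings>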
и
<!-- Client endpoint bound to the custom WS-Security binding "NameSoapBinding".
     NOTE(review): the dns identity is the name WCF expects to find in the service certificate;
     "DNS Name" is a placeholder here, and a value that does not match the certificate configured as
     the service certificate makes the client reject the service - confirm the real value. -->
<endpoint address="https://someUrl" binding="customBinding"
bindingConfiguration="NameSoapBinding"
contract="Service.Name" name="Name">
<identity>
<dns value="DNS Name" />
</identity>
Я получаю: «От другой стороны получено незащищённое или неправильно защищённое сообщение об ошибке (fault). Код ошибки и подробности см. во внутреннем исключении FaultException». Внутреннее исключение: «Ошибка безопасности», а inst.StackTrace:
в System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) в System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)