Decrypt WCF callback with Certificate from Azure Blob Storage

Tags: c#, wcf, azure

I am totally new to WCF, and I am consuming a secure WCF service with a customBinding (theirs, not mine).

    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;

    // Mutual X.509 duplex security: both sides sign with their own certificate and
    // encrypt to the other side's certificate.
    var sbe = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
        MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
    // A UsernameToken is carried as a signed (not encrypted) supporting token.
    sbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
    // Note: this overrides the version passed to the factory method above.
    sbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    // AES-256 for the body, RSA PKCS#1 v1.5 for key transport.
    sbe.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Rsa15;
    sbe.AllowSerializedSigningTokenOnReply = true;
    sbe.IncludeTimestamp = true;
    sbe.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
    sbe.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;

EDIT:

Decided to simplify with new requirements to see if that helps.

I would like to have a single callback endpoint, it uses a single contract and uses the above binding. The problem is that the messages that are being sent to this service will be encrypted by different certificates (our clients public certificates).

I don't want to have hundreds of endpoints where I can explicitly specify the certificate used for decryption, as we may need to modify/add/delete them, and as I've already found out, you can't do that after the ServiceHost has been opened, and we can't take the service down/restart it.

Is it possible to intercept the message, decrypt it and pass it along somehow? (I'm looking at message interception now to see if this is possible.)

Peter Lea asked Jan 29 '26 19:01


1 Answer

Message Interception and Decryption

Please refer to this link: Decrypting a security token using WCF

When dealing with mutual certificate authentication, you have the private key of the client certificate.

Using message inspectors, one can intercept the incoming messages and decrypt them using the private key of the client certificate.

Message Inspectors

Use the AfterReceiveReply event on the consumer side of the WCF service to override the decryption logic in WCF:

    // Member of System.ServiceModel.Dispatcher.IClientMessageInspector; runs on the
    // client side once a reply has been received.
    public void AfterReceiveReply(ref Message reply, object correlationState)
    { }

The message inspector would have to be registered as a behavior extension in the config file:

<extensions>
  <behaviorExtensions>
    <add name="customMessageInspector" type="WCFComponents.CustomMessageInspector.CustomMessageInspectorBehaviorElement, WCFComponents"/>
  </behaviorExtensions>
</extensions>

And this behavior would have to be added to the WCF proxy's endpoint behaviors:

    var behavior = new CustomMessageInspectorBehavior();
    _serviceProxy.Endpoint.Behaviors.Add(behavior);

Download the Sample WCF Message Inspector project here

You will have to do WCF customization to achieve this.

Hope this helps

dera answered Jan 31 '26 08:01
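The following is an added example, not code from the question or from dera's answer. It fills in the skeleton the answer outlines, using the type names its config snippet refers to (`CustomMessageInspectorBehavior`, `CustomMessageInspectorBehaviorElement` in `WCFComponents.CustomMessageInspector`), but on the service side, where the callback endpoint in the question receives the messages. Two caveats a practitioner would want: a dispatch message inspector runs inside the dispatcher, after the binding's security channel has already processed the WS-Security header, so it sees the verified message and cannot itself supply a decryption key; and the `ClientCertificateAllowList` class, the `ReferencedThumbprints` property key and the idea that the allow-list is refilled from wherever the certificates are kept are assumptions made for illustration. What the inspector does show is how to identify the client certificate the security layer authenticated, enforce an allow-list that can be swapped without reopening the ServiceHost, and read which certificate thumbprints the `wsse:Security` header references (the header read assumes the processed header is still readable through `MessageHeaders.GetReaderAtHeader`).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Xml.Linq;

namespace WCFComponents.CustomMessageInspector
{
    // Allow-list of client certificate thumbprints, replaceable while the ServiceHost stays
    // open. Assumption: how it is filled (e.g. from blob storage) is not shown here.
    public static class ClientCertificateAllowList
    {
        private static volatile HashSet<string> _thumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        // Build a fresh set, then swap the reference so readers never see a partial update.
        public static void Replace(IEnumerable<string> thumbprints) =>
            _thumbprints = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);

        public static bool Contains(string thumbprint) =>
            thumbprint != null && _thumbprints.Contains(thumbprint);
    }

    public sealed class CustomMessageInspector : IDispatchMessageInspector
    {
        private const string WsseNs =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
        private const string ThumbprintSha1 =
            "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";

        public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
        {
            // The certificate that signed this request, as already verified by the security layer.
            X509Certificate2 signer = GetSigningCertificate(request);
            if (!ClientCertificateAllowList.Contains(signer?.Thumbprint))
                throw new FaultException("Client certificate is not authorized for this callback.");

            // Thumbprints the wsse:Security header refers to (the certificate the sender encrypted
            // to is among them); stashed on the message so the operation can inspect them.
            request.Properties["ReferencedThumbprints"] = ReadThumbprintReferences(request);
            return signer.Thumbprint; // correlation state handed to BeforeSendReply
        }

        public void BeforeSendReply(ref Message reply, object correlationState) { }

        private static X509Certificate2 GetSigningCertificate(Message request)
        {
            SecurityMessageProperty security = request.Properties.Security;
            if (security == null || security.ServiceSecurityContext == null) return null;
            foreach (ClaimSet set in security.ServiceSecurityContext.AuthorizationContext.ClaimSets)
            {
                var x509 = set as X509CertificateClaimSet;
                if (x509 != null) return x509.X509Certificate;
            }
            return null;
        }

        // Assumption: the processed Security header can still be read back via GetReaderAtHeader.
        private static IList<string> ReadThumbprintReferences(Message request)
        {
            int idx = request.Headers.FindHeader("Security", WsseNs);
            if (idx < 0) return new List<string>();
            XElement header;
            using (var reader = request.Headers.GetReaderAtHeader(idx)) header = XElement.Load(reader);
            XNamespace wsse = WsseNs;
            return header.Descendants(wsse + "KeyIdentifier")
                .Where(e => (string)e.Attribute("ValueType") == ThumbprintSha1)
                .Select(e => BitConverter.ToString(Convert.FromBase64String(e.Value)).Replace("-", ""))
                .ToList();
        }
    }

    public sealed class CustomMessageInspectorBehavior : IEndpointBehavior
    {
        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) =>
            endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new CustomMessageInspector());
        public void Validate(ServiceEndpoint endpoint) { }
    }

    // Makes the behavior usable from config via the <behaviorExtensions> entry in the answer.
    public sealed class CustomMessageInspectorBehaviorElement : BehaviorExtensionElement
    {
        public override Type BehaviorType => typeof(CustomMessageInspectorBehavior);
        protected override object CreateBehavior() => new CustomMessageInspectorBehavior();
    }
}
```

Attach the behavior either through the `<behaviorExtensions>` entry from the answer or in code with `host.Description.Endpoints[0].EndpointBehaviors.Add(new CustomMessageInspectorBehavior())` before `host.Open()`. `ClientCertificateAllowList.Replace(...)` can then be called at any time while the host is running, which is the part of the question that a fixed set of endpoints cannot address. Rejected requests surface to the caller as a `FaultException`; the thumbprints in `ReferencedThumbprints` are hex-encoded SHA-1 values, the same format `X509Certificate2.Thumbprint` returns.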