Monday, December 11, 2017

Controling SOAP security header “mustUnderstand” attribute in WCF client

I was recent tasked with connecting .NET WCF with an older java soap service.  Unfortunately the service was not standard and needed more WCF customization than normal, starting with the security.
I needed to include both a client x509 certificate for the Transport tunnel, and a username/password combination in the soap header itself.  By playing around with the web.config binding configurations I could have eventually achieved this.  However that was not the end of the customizations it needed.
This service needed the EncodedMustUnderstand flag set to false for the security header.  Back with WSE that used to be a very simple flag to set, but for some reason Microsoft decided to remove that capability from WCF.  One guy claimed to find a simple fix for this, however his fix did not work for me.
Throughout the years since WCF has been introduced many people have had this or very similar issues when dealing with Java based SOAP services.  I have yet to find someone who has discovered a good solution.  In my own two week journey to solving this issue I had to do some pretty serious customization to WCF.  By sharing my discoveries here I hope to help other people shorted the time they spend enduring the same pain.
The first thing I did was to create an extension method for the service allowing me to create a CustomBinding for it.  This method served as the hub to which I attached various other classes and methods as I built them.  It seems daunting, and it really is.  Separating out the various ideas into their own files was the approach I took to keeping the major areas of functionality separate in my head.

Base Helper Class
using System;
using System.Configuration;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

namespace Services
{
    public static class ClientHelper
    {

        public static PClient Initialize(this PClient client)
        {
            var urlConfig = ConfigurationManager.AppSettings["Url"].ToString();

            if (string.IsNullOrEmpty(urlConfig))
                throw new Exception("Missing Url Config");

            var url = new UrlSecurityConfig(urlConfig);

            //System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

            var security = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
            security.IncludeTimestamp = true;
            security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
            security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            security.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters()); // add specific username security feature
            security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
            security.EnableUnsecuredResponse = true;

            //security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
            //security.EndpointSupportingTokenParameters.SignedEncrypted.Add(new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient)); // add specific x509 cert security            security.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters()); // add specific username security feature
            //security.DefaultAlgorithmSuite = new Basic128Sha256Rsa15Sha1AlgorithmSuite(); // when we need to tweak the security suite


            //var encoding = new TextMessageEncodingBindingElement();
            //encoding.MessageVersion = MessageVersion.CreateVersion(EnvelopeVersion.Soap11, AddressingVersion.None);// MessageVersion.Soap11;
            ////encoding.MessageVersion = MessageVersion.Soap11WSAddressingAugust2004;
            //encoding.WriteEncoding = Encoding.UTF8;


            var transport = new HttpsTransportBindingElement();
            transport.MaxReceivedMessageSize = 20000000; // 20 megs
            transport.RequireClientCertificate = false;
            transport.TransferMode = TransferMode.Buffered;
            transport.DecompressionEnabled = false;

            CustomBinding binding = new CustomBinding();
            binding.Elements.Add(security);
            //binding.Elements.Add(encoding); // add normal encoding
            binding.Elements.Add(new MustUnderstandOffBindingElement("UTF-8", "text/xml", MessageVersion.Soap11)); // add custom encoder
            binding.Elements.Add(transport);

            var x509Config = ConfigurationManager.AppSettings["x509"].ToString();
            var X509Cert = Common.Get509Cert(x509Config);

            // THIS IS WHEN THE CERT NEEDS A SPECIFIC DOMAIN IDENTITY SPECIFIED
            //var identity = EndpointIdentity.CreateX509CertificateIdentity(X509Cert);
            //var address = new EndpointAddress(new Uri(url), identity);
            ////var binding = new WSHttpBinding(SecurityMode.Message);
            ////binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
            //var factory = new ChannelFactory<CoAServices_v1r21_P>(binding, address);
            ////factory.Endpoint.EndpointBehaviors.Remove(typeof(System.ServiceModel.Description.ClientCredentials));
            ////factory.Endpoint.EndpointBehaviors.Add(new Services.WsNonceCustomCredentials());
            //factory.Credentials.UserName.UserName = username;
            //factory.Credentials.UserName.Password = password;
            //factory.Credentials.ClientCertificate.Certificate = X509Cert;
            //factory.Credentials.ServiceCertificate.DefaultCertificate = X509Cert;

            client.Endpoint.Binding = binding;
            client.Endpoint.Address = new EndpointAddress(url.Url);
            //client.Endpoint.EndpointBehaviors.Add(new ExClientBehavior()); // adding a custom behavior built in a custom class
            //client.Endpoint.EndpointBehaviors.Add(new MustUnderstandBehavior(false)); // create a behavior with the MustUnderstand attribute set to false, does not work for headers

            //// replace normal credencials with custom ones that generate Nonce:
            //client.ChannelFactory.Endpoint.Behaviors.Remove<System.ServiceModel.Description.ClientCredentials>();
            //client.ChannelFactory.Endpoint.Behaviors.Add(new Services.WsNonceCustomCredentials());

            client.ClientCredentials.UserName.UserName = url.UserName;
            client.ClientCredentials.UserName.Password = url.Password;

            client.ClientCredentials.ClientCertificate.Certificate = X509Cert;
            //client.ClientCredentials.ServiceCertificate.DefaultCertificate = X509Cert;
            //client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
            //client.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

            return client;
            //return factory.CreateChannel();
        }

    }


}


As you can see, there is lots of commented out code to plug in various pieces of functionality.  I ended up not needing half of it, but there was no point in throwing away code that functioned.  For the purposes of this post, only the commented out ExClientBehavior lines and the custom Nonce credencials will be discussed in addition to the working lines of code.

One of the first steps I took was to create a helper class with a method to get my x509 certificate.  I later added a method to do some basic url config parsing.  This ended up being the easiest part of the whole process.

EDIT: A quick side note, when generating the code below for this blog post, it kept wanting to rename X509Certificate2Collection and other class names as 17bH1SYLoBdGsBaDedPR2EE3JUt8oRS7qd.  A very odd quirk, but I have seen that weird name in several Microsoft posts as well, so apparently I am not the only one who has had that issue when writing posts. 

EDIT2: It turns out the weird renaming was caused by a Chrome extension I am running called uBlock.  So if you see something similar, then check your extensions.  In my case, white listing the blogger domain fixed the issue.

Common Helper Methods
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

namespace Services
{
    public static class Common
    {
        public static X509Certificate2 Get509Cert(string LocationConfig)
        {
            var locationParts = LocationConfig.Split(':');
            if (locationParts.Length < 2)
                throw new Exception("Invalid X509 Config");

            X509Certificate2 cer = new X509Certificate2();
            X509Store store = locationParts[0] == "CurrentUser" ? new X509Store(StoreLocation.CurrentUser) : new X509Store(StoreLocation.LocalMachine);

            store.Open(OpenFlags.ReadOnly);

            X509Certificate2Collection cers = store.Certificates.Find(X509FindType.FindBySubjectName, locationParts[1], false);
            if (cers.Count == 0)
            {
                throw new Exception("Can't find X509 Cert.");
            }

            var cert = cers[0];

            store.Close();
            return cert;
        }
    }

    public class UrlSecurityConfig
    {
        public string Url { get; protected set; }
        public string UserName { get; protected set; }
        public string Password { get; protected set; }

        public UrlSecurityConfig(string config)
        {
            if(!config.Contains('@'))
            {
                Url = config;
                return;
            }

            var uendStart = config.LastIndexOf('@');
            var uStart = config.Substring(0, config.IndexOf('/') + 2);
            var uEnd = config.Substring(uendStart + 1);
            Url = uStart + uEnd;

            var nameEnd = config.IndexOf(':', uStart.Length + 1);
            UserName = config.Substring(uStart.Length, nameEnd - uStart.Length);
            Password = config.Substring(nameEnd + 1, uendStart - nameEnd - 1);
        }
    }
}

After trying all sorts of ways to get into the security header using existing settings, I finally decided to write my own custom Behavior.  This code I copied directly from someone else's post who was struggling with something very similar.  Unfortunately, I got a rude shock when I found out that the security headers are not part of the request sent to the behavior.

Without access to those I was unable to modify them, although in testing I discovered that I was unable to affect the output of the headers here anyway despite the code looking like it was working correctly when I stepped through it.  Perhaps I still have something slightly off.

Custom Behavior Classes
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Configuration;

namespace Services
{
    public class ExClientBehavior : IEndpointBehavior
    {
        #region IEndpointBehavior Members

        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
        {
            // no op
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {
            ExInspector inspector = new ExInspector();
            clientRuntime.MessageInspectors.Add(inspector);
            //clientRuntime.ValidateMustUnderstand = false;

        }

        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
        {

            // no op
        }

        public void Validate(ServiceEndpoint endpoint)
        {
            // no op
        }

        #endregion
    }


    public class ExClientBehaviorExtensionElement : BehaviorExtensionElement
    {
        public override Type BehaviorType
        {
            get { return typeof(ExClientBehavior); }
        }

        protected override object CreateBehavior()
        {
            return new ExClientBehavior();
        }
    }

    public class ExInspector : IClientMessageInspector
    {

        #region IClientMessageInspector Members

        public void AfterReceiveReply(ref Message reply, object correlationState)
        {
            // no op
            return;
        }

        public object BeforeSendRequest(ref Message request, IClientChannel channel)
        {
            MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue);

            Message newMessage = buffer.CreateMessage();

            while (newMessage.Headers.Count > 0)
                newMessage.Headers.RemoveAt(0);
            
            foreach (var info in request.Headers)
            {
                newMessage.Headers.Add(MessageHeader.CreateHeader
                    (
                        info.Name,
                        info.Namespace,
                        string.Empty,
                        false,
                        string.Empty,
                        info.Relay
                    )
                );
            }


            request = newMessage;

            return null;
        }

        #endregion
    }
}

My next approach was to try writing my own Custom Encoder.  Many people had stated that was the way to get at the stream both as it was heading out the door, and as it was coming back in before it hit the service code.  I copied Microsoft's code and directions from here, here, and here.

I immediately started running into problems due to that class name rewrite in Microsoft's web posts that I mentioned earlier.  It took me a little while to create names that all worked and referenced each other correctly.

I could have handled the pain it had taken to get this far, but it wasn't over yet.  Microsoft's code has a flaw in it that resulted in a loop which consistently generated stack overflow errors.  I later discovered that the error centered around the "this.factory = factory;" line.  It generated an internal reference to the parent object that the parent then referenced causing a recursive infinite loop.

If there had been any sort of decent error that would have been easy to find and work through.  Unfortunately, these were the errors and Inner Exceptions that it kept generating:

Message: An error occurred while making the HTTP request to https://service. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

Message: The underlying connection was closed: An unexpected error occurred on a send.

Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Stepping through the code did show me that a stack overflow was occurring, but it was not obvious that it was a recursive reference that was causing it.  And, since my code had been copied from an official Microsoft website, my first instinct was to trust it and look elsewhere.  So I spent a long time looking at the exceptions and trying to figure out what they could mean.

During this time I spent a lot of time in Fiddler working with the returning soap message and tweaking it to see how it would affect .net.  I discovered that it is actually possible to strip off the characters surrounding the soap envelope that trigger the HTTP.SYS error in .net.  This allowed me to test the service even when sending from an HTTP source rather than the required HTTPS source.

I finally ended up with this working code.  You will notice that the primary difference from Microsoft's classes is the replacement for the "mustUnderstand" line, which was the hack I put in to toggle that flag as the message went out the door.

Custom Encoder Classes
using System;
using System.Text;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.IO;
using System.Xml;

namespace Services
{
    public class MustUnderstandOffBindingElement : MustUnderstandOffBindingElement, IWsdlExportExtension
    {
        private MessageVersion msgVersion;
        private string mediaType;
        private string encoding;
        private XmlDictionaryReaderQuotas readerQuotas;

        MustUnderstandOffBindingElement(MustUnderstandOffBindingElement binding)
            : this(binding.Encoding, binding.MediaType, binding.MessageVersion)
        {
            this.readerQuotas = new XmlDictionaryReaderQuotas();
            binding.ReaderQuotas.CopyTo(this.readerQuotas);
        }

        public MustUnderstandOffBindingElement(string encoding, string mediaType,
            MessageVersion msgVersion)
        {
            if (encoding == null)
                throw new ArgumentNullException("encoding");

            if (mediaType == null)
                throw new ArgumentNullException("mediaType");

            if (msgVersion == null)
                throw new ArgumentNullException("msgVersion");

            this.msgVersion = msgVersion;
            this.mediaType = mediaType;
            this.encoding = encoding;
            this.readerQuotas = new XmlDictionaryReaderQuotas();
        }

        public MustUnderstandOffBindingElement(string encoding, string mediaType)
            : this(encoding, mediaType, MessageVersion.Soap11WSAddressing10)
        {
        }

        public MustUnderstandOffBindingElement(string encoding)
            : this(encoding, "text/xml")
        {

        }

        public MustUnderstandOffBindingElement()
            : this("UTF-8")
        {
        }

        public override MessageVersion MessageVersion
        {
            get
            {
                return this.msgVersion;
            }

            set
            {
                if (value == null)
                    throw new ArgumentNullException("value");
                this.msgVersion = value;
            }
        }


        public string MediaType
        {
            get
            {
                return this.mediaType;
            }

            set
            {
                if (value == null)
                    throw new ArgumentNullException("value");
                this.mediaType = value;
            }
        }

        public string Encoding
        {
            get
            {
                return this.encoding;
            }

            set
            {
                if (value == null)
                    throw new ArgumentNullException("value");
                this.encoding = value;
            }
        }

        // This encoder does not enforces any quotas for the unsecure messages. The 
        // quotas are enforced for the secure portions of messages when this encoder
        // is used in a binding that is configured with security. 
        public XmlDictionaryReaderQuotas ReaderQuotas
        {
            get
            {
                return this.readerQuotas;
            }
        }

        #region IMessageEncodingBindingElement Members
        public override MessageEncoderFactory CreateMessageEncoderFactory()
        {
            return new MustUnderstandOffEncoderFactory(this.MediaType,
                this.Encoding, this.MessageVersion);
        }

        #endregion


        public override BindingElement Clone()
        {
            return new MustUnderstandOffBindingElement(this);
        }

        public override IChannelFactory<TChannel> BuildChannelFactory<TChannel>(BindingContext context)
        {
            if (context == null)
                throw new ArgumentNullException("context");

            context.BindingParameters.Add(this);
            return context.BuildInnerChannelFactory<TChannel>();
        }

        public override bool CanBuildChannelFactory<TChannel>(BindingContext context)
        {
            if (context == null)
                throw new ArgumentNullException("context");

            return context.CanBuildInnerChannelFactory<TChannel>();
        }

        public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
        {
            if (context == null)
                throw new ArgumentNullException("context");

            context.BindingParameters.Add(this);
            return context.BuildInnerChannelListener<TChannel>();
        }

        public override bool CanBuildChannelListener<TChannel>(BindingContext context)
        {
            if (context == null)
                throw new ArgumentNullException("context");

            context.BindingParameters.Add(this);
            return context.CanBuildInnerChannelListener<TChannel>();
        }

        public override T GetProperty<T>(BindingContext context)
        {
            if (typeof(T) == typeof(XmlDictionaryReaderQuotas))
            {
                return (T)(object)this.readerQuotas;
            }
            else
            {
                return base.GetProperty<T>(context);
            }
        }

        #region IWsdlExportExtension Members

        void IWsdlExportExtension.ExportContract(WsdlExporter exporter, WsdlContractConversionContext context)
        {
        }

        void IWsdlExportExtension.ExportEndpoint(WsdlExporter exporter, WsdlContractConversionContext context)
        {
            // The MessageEncodingBindingElement is responsible for ensuring that the WSDL has the correct
            // SOAP version. We can delegate to the WCF implementation of TextMessageEncodingBindingElement for this.
            TextMessageEncodingBindingElement mebe = new TextMessageEncodingBindingElement();
            mebe.MessageVersion = this.msgVersion;
            ((IWsdlExportExtension)mebe).ExportEndpoint(exporter, context);
        }

        #endregion
    }

    public class MustUnderstandOffEncoderFactory : MessageEncoderFactory
    {
        private MessageEncoder encoder;
        private MessageVersion version;
        private string mediaType;
        private string charSet;

        internal MustUnderstandOffEncoderFactory(string mediaType, string charSet, MessageVersion version)
        {
            this.version = version;
            this.mediaType = mediaType;
            this.charSet = charSet;
            this.encoder = new MustUnderstandOffEncoder(this);

        }

        public override MessageEncoder Encoder
        {
            get
            {
                return this.encoder;
            }
        }

        public override MessageVersion MessageVersion
        {
            get
            {
                return this.version;
            }
        }

        internal string MediaType
        {
            get
            {
                return this.mediaType;
            }
        }

        internal string CharSet
        {
            get
            {
                return this.charSet;
            }
        }
    }

    public class MustUnderstandOffEncoder : MessageEncoder
    {
        private XmlWriterSettings writerSettings;
        private string contentType;

        private string _MediaType;
        private MessageVersion _MessageVersion;

        public MustUnderstandOffEncoder(MustUnderstandOffEncoderFactory factory)
        {
            _MediaType = factory.MediaType;
            _MessageVersion = factory.MessageVersion;

            this.writerSettings = new XmlWriterSettings();
            this.writerSettings.Encoding = Encoding.GetEncoding(factory.CharSet);
            //this.writerSettings.ConformanceLevel = ConformanceLevel.Fragment;
            //this.writerSettings.OmitXmlDeclaration = true;
            this.contentType = string.Format("{0}; charset={1}",
                        _MediaType, this.writerSettings.Encoding.HeaderName);
        }

        public override string ContentType
        {
            get
            {
                return this.contentType;
            }
        }

        public override string MediaType
        {
            get
            {
                return _MediaType;
            }
        }

        public override MessageVersion MessageVersion
        {
            get
            {
                return _MessageVersion;
            }
        }

        public override bool IsContentTypeSupported(string contentType)
        {
            if (base.IsContentTypeSupported(contentType))
            {
                return true;
            }
            if (contentType.Length == this.MediaType.Length)
            {
                return contentType.Equals(this.MediaType, StringComparison.OrdinalIgnoreCase);
            }
            else
            {
                if (contentType.StartsWith(this.MediaType, StringComparison.OrdinalIgnoreCase)
                    && (contentType[this.MediaType.Length] == ';'))
                {
                    return true;
                }
            }
            return false;
        }

        public override Message ReadMessage(ArraySegment<byte> buffer, BufferManager bufferManager, string contentType)
        {
            byte[] msgContents = new byte[buffer.Count];
            Array.Copy(buffer.Array, buffer.Offset, msgContents, 0, msgContents.Length);
            bufferManager.ReturnBuffer(buffer.Array);

            MemoryStream stream = new MemoryStream(msgContents);
            return ReadMessage(stream, int.MaxValue);
        }

        public override Message ReadMessage(Stream stream, int maxSizeOfHeaders, string contentType)
        {
            XmlReader reader = XmlReader.Create(stream);
            return Message.CreateMessage(reader, maxSizeOfHeaders, this.MessageVersion);
        }

        public override ArraySegment<byte> WriteMessage(Message message, int maxMessageSize, BufferManager bufferManager, int messageOffset)
        {
            MemoryStream stream = new MemoryStream();
            XmlWriter writer = XmlWriter.Create(stream, this.writerSettings);
            message.WriteMessage(writer);
            writer.Close();

            string decoded = Encoding.UTF8.GetString(stream.ToArray());
            decoded = decoded.Replace("mustUnderstand=\"1\"", "mustUnderstand=\"0\"");
            stream.Close();
            byte[] messageBytes = System.Text.Encoding.UTF8.GetBytes(decoded);
            int messageLength = messageBytes.Length;

            //byte[] messageBytes = stream.GetBuffer();
            //int messageLength = (int)stream.Position;
            //stream.Close();

            int totalLength = messageLength + messageOffset;
            byte[] totalBytes = bufferManager.TakeBuffer(totalLength);
            Array.Copy(messageBytes, 0, totalBytes, messageOffset, messageLength);

            ArraySegment<byte> byteArray = new ArraySegment<byte>(totalBytes, messageOffset, messageLength);
            return byteArray;
        }

        public override void WriteMessage(Message message, Stream stream)
        {
            XmlWriter writer = XmlWriter.Create(stream, this.writerSettings);
            message.WriteMessage(writer);
            writer.Close();
        }
    }

}

While that is all the code I ended up using.  There is one more class I wanted to share for completeness.  During my research, at one point I thought my problem was stemming from passing in username and password security credentials in the header without a nonce and time stamp.

This is a feature Microsoft apparently purposefully excluded because they felt it was less secure and should not be promoted.  Fortunately I ended up not needing it, but I feel for those who do need it and must deal with Microsoft taking the ability away from them because they think they know better than the developer.

Here is the class I ended up using successfully to fix this particular issue.  I copied it almost verbatim from Rick Strahl's Blog.

Custom Credentials Classes
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

namespace Services
{
    public class WsNonceCustomCredentials : ClientCredentials
    {
        public WsNonceCustomCredentials() { }

        protected WsNonceCustomCredentials(WsNonceCustomCredentials cc) : base(cc) { }

        public override System.IdentityModel.Selectors.SecurityTokenManager CreateSecurityTokenManager()
        {
            return new WsNonceCustomSecurityTokenManager(this);
        }

        protected override ClientCredentials CloneCore()
        {
            return new WsNonceCustomCredentials(this);
        }
    }

    public class WsNonceCustomSecurityTokenManager : ClientCredentialsSecurityTokenManager
    {
        public WsNonceCustomSecurityTokenManager(WsNonceCustomCredentials cred) : base(cred) { }

        public override System.IdentityModel.Selectors.SecurityTokenSerializer CreateSecurityTokenSerializer(System.IdentityModel.Selectors.SecurityTokenVersion version)
        {
            return new WsNonceCustomTokenSerializer(System.ServiceModel.Security.SecurityVersion.WSSecurity11);
        }
    }

    public class WsNonceCustomTokenSerializer : WSSecurityTokenSerializer
    {
        public WsNonceCustomTokenSerializer(SecurityVersion sv) : base(sv) { }

        protected override void WriteTokenCore(System.Xml.XmlWriter writer,
                                                System.IdentityModel.Tokens.SecurityToken token)
        {
            UserNameSecurityToken userToken = token as UserNameSecurityToken;
            if (userToken == null) return;

            string tokennamespace = "o";

            DateTime created = DateTime.Now;
            string createdStr = created.ToString("yyyy-MM-ddThh:mm:ss.fffZ");

            // unique Nonce value - encode with SHA-1 for 'randomness'
            // in theory the nonce could just be the GUID by itself
            string phrase = Guid.NewGuid().ToString();
            var nonce = GetSHA1String(phrase);

            // in this case password is plain text
            // for digest mode password needs to be encoded as:
            // PasswordAsDigest = Base64(SHA-1(Nonce + Created + Password))
            // and profile needs to change to
            //string password = GetSHA1String(nonce + createdStr + userToken.Password);

            string password = userToken.Password;

            writer.WriteRaw(string.Format(
            "<{0}:UsernameToken u:Id=\"" + token.Id +
            "\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
            "<{0}:Username>" + userToken.UserName + "</{0}:Username>" +
            "<{0}:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">" +
            password + "</{0}:Password>" +
            "<{0}:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" +
            nonce + "</{0}:Nonce>" +
            "<u:Created>" + createdStr + "</u:Created></{0}:UsernameToken>", tokennamespace));
        }

        protected string GetSHA1String(string phrase)
        {
            SHA1CryptoServiceProvider sha1Hasher = new SHA1CryptoServiceProvider();
            byte[] hashedDataBytes = sha1Hasher.ComputeHash(Encoding.UTF8.GetBytes(phrase));
            return Convert.ToBase64String(hashedDataBytes);
        }

    }
}

My final assessment of the situation is that Microsoft really screwed things up by removing this feature from WCF.  However, with a lot of work, it is possible to hack the change back in.  Hopefully Microsoft will fix this problem some day.  Whether it is an oversight or a feature on their part, the decision they made was a bad one for those of us actually having to do the work to undo what they did.