I have a WCF SOAP service that responds with licensing information. The client will save the SOAP response and load it every time the program loads, verifying the user is not past the expiration date etc. Because of this, one of the requirements of the response is to have a signature such that the client can run the data through some encryption algorithm and check the result against the signature that was sent over to verify nothing has been changed about the file. This is nothing new, this is XML signing. However, the service is written with DataContractSerializer, so I can't just take the data, create an XML signature, and inject that straight into the SOAP response.
I know WsHttpBinding has some security features; the WS-Security page on MSDN describes the Ws binding protocol with respect to SOAP as having the ability to...
Identify the entity or entities involved with the message.
Prove that the entities have the correct group memberships.
Prove that the entities have the correct set of access rights.
Prove that the message has not changed.
but I can't find exactly how it does that last part. Looking at the SOAP response I get with WsHttpBinding on, I see CipherData and CipherValue, but researching that leads me to believe that's more to do with the actual message encryption, not content validation. I see something like ValidateResponse and ValidateResult, but those look like spaces for another endpoint to validate the information, and this product needs to work on devices not connected to the internet once the file is gotten from this service.
I know I could theoretically just put all the data into a variable and SHA256 it and tell my client to do the same process but that's dirty and very unstandardized. I feel like there should be an equivalent to XML Signatures for SOAP responses but I can't find anything through searching.
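One way to produce a license file that can be checked offline, shown as an added example that is not part of the original post: serialize the contract with DataContractSerializer, attach an enveloped XML Signature with SignedXml, and verify it on the client with a public key shipped in the application. LicenseInfo, its namespace, the method names and the demo key are assumptions made for illustration; on .NET Core and later, SignedXml comes from the System.Security.Cryptography.Xml package.

```csharp
// Added example, not from the post: LicenseInfo, its namespace and the method names are hypothetical.
using System;
using System.Runtime.Serialization;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

[DataContract(Namespace = "urn:example:licensing")]
public class LicenseInfo
{
    [DataMember] public string Customer { get; set; }
    [DataMember] public DateTime ExpiresUtc { get; set; }
}

public static class LicenseSigning
{
    // Service side: serialize the contract, then append an enveloped XML Signature.
    public static XmlDocument Sign(LicenseInfo license, RSA privateKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        using (XmlWriter w = doc.CreateNavigator().AppendChild())
            new DataContractSerializer(typeof(LicenseInfo)).WriteObject(w, license);
        var signed = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "" };   // "" means the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signed.AddReference(reference);
        signed.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signed.GetXml(), true));
        return doc;
    }

    // Client side, offline: check the saved document against the embedded public key.
    public static bool Verify(XmlDocument doc, RSA publicKey)
    {
        var sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;             // reject missing or extra signatures
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)sigs[0]);
        var refs = signed.SignedInfo.References;
        if (refs.Count != 1 || ((Reference)refs[0]).Uri != "") return false; // must cover the whole document
        return signed.CheckSignature(publicKey);
    }

    public static void Main()
    {
        var rsa = RSA.Create();                        // constructed demo key pair
        var doc = Sign(new LicenseInfo { Customer = "Contoso", ExpiresUtc = DateTime.UtcNow.AddYears(1) }, rsa);
        Console.WriteLine(Verify(doc, rsa));           // document exactly as signed
        doc.DocumentElement.FirstChild.InnerText = "Someone Else";  // edit a signed field
        Console.WriteLine(Verify(doc, rsa));           // same check after the edit
    }
}
```

The client only needs the public key, so the signing key never leaves the service. When the saved file is reloaded, the XmlDocument should also be created with PreserveWhitespace = true so the bytes being verified match what was signed.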