We are creating a WCF Service that has to conform to a pre-defined WSDL. One of the requirements is that the Timestamp, all WS-addressing and and message body should be signed.
To achieve this, we added the following CustomBinding;
var secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
secBE.EnableUnsecuredResponse = true;
secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
secBE.IncludeTimestamp = true;
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.AllowSerializedSigningTokenOnReply = true;
secBE.RecipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
//Create binding element for encoding
var mtomBE = new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
//Create binding element for transport
var httpsBE = new HttpsTransportBindingElement();
httpsBE.RequireClientCertificate = false;
httpsBE.AuthenticationScheme = AuthenticationSchemes.Anonymous;
CustomBinding binding = new CustomBinding();
binding.Elements.Add(secBE);
binding.Elements.Add(mtomBE);
binding.Elements.Add(httpsBE);
The client certificate is used, but we host the endpoint on Azure and the certificate will be moved to a 'X-ARR-ClientCert'-header so we can't make use of the built-in certificate validator that's enabled using RequireClientCertificate = true.
I've enabled a trace and the following exception is thrown when receiving a request from the client:
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The security header element 'Timestamp' with the 'wssecurity_signature_id_1803' id must be signed.</Message>
When looking at the request message, the following headers are included;
<MessageHeaders>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds soapenc soapenv wsa wsse xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#wssecurity_signature_id_1799">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1800">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1801">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="p324 soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1802">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1803">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsse wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1804">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue><!-- Removed--></ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#x509bst_1805" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="wssecurity_signature_id_1803"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
<wsa:To wsu:Id="wssecurity_signature_id_1802"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:To>
<wsa:Action wsu:Id="wssecurity_signature_id_1804"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:Action>
<wsa:MessageID wsu:Id="wssecurity_signature_id_1799"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:44bf184f-c7af-4efc-9385-cda168692d60</wsa:MessageID>
<wsa:ReplyTo wsu:Id="wssecurity_signature_id_1800"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
</MessageHeaders>
I have no control over the request message that is sent to our WCF service, so everything has to be fixed server-side. Why is the timestamp not detected as signed?
I changed a few things and it started working. Firstly the AsymmetricSecurityBindingElement;
Then, I added a custom MessageEncodingBindingElement that implements a custom MessageEncoder. This encoder adds the To and MessageID headers although I do not think this was the problem.