Timestamp must be signed error in response

  • Question

  • For starters, I know you'd think this is a duplicate, but if you read them you'll notice that some people say that deleting the timestamp will fix it and others say otherwise.

    I'm trying to connect to a Java SOAP web service with certificates by using .NET 3.5, but when I receive the response it throws an error: "The security header element 'Timestamp' with the 'Timestamp-984' id must be signed."


        using System;
        using System.Security.Cryptography;
        using System.Security.Cryptography.X509Certificates;
        using System.ServiceModel;
        using System.ServiceModel.Channels;
        using System.ServiceModel.Security.Tokens;
        using System.Text;

        // Custom binding: asymmetric (X.509) message security, SOAP 1.1 text encoding, HTTPS transport.
        var b = new CustomBinding();
        b.Name = "AVbinding";
        b.CloseTimeout = new TimeSpan(0, 1, 0);
        b.OpenTimeout = new TimeSpan(0, 1, 0);
        b.ReceiveTimeout = new TimeSpan(0, 10, 0);
        b.SendTimeout = new TimeSpan(0, 1, 0);

        // Message security element: a timestamp is included in the security header.
        AsymmetricSecurityBindingElement security = new AsymmetricSecurityBindingElement();
        security.IncludeTimestamp = true;
        security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;

        // Both sides send their X.509 token inside the message.
        security.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
        security.InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        security.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic256Sha256Rsa15;

        // Settings that relax what is required of the transport and of the reply.
        security.AllowSerializedSigningTokenOnReply = true;
        security.AllowInsecureTransport = true;
        security.EnableUnsecuredResponse = true;
        security.RequireSignatureConfirmation = true;

        ExtensionElement extensionElement = new ExtensionElement(); // not used below

        // Binding element order: security, then message encoding, then transport.
        b.Elements.Add(security);
        b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
        HttpsTransportBindingElement httpsBinding = new HttpsTransportBindingElement();
        b.Elements.Add(httpsBinding);

        // Client certificate (with its private key loaded from XML) and the service certificate.
        string certMapPath = Server.MapPath("~/App_Data");
        X509Certificate2 cert = new X509Certificate2(certMapPath + "\\_CERTNAME_", "X");

        X509Certificate2 serCert = new X509Certificate2(certMapPath + "\\_CERTNAME2_.cer");
        AsymmetricAlgorithm key = new System.Security.Cryptography.RSACryptoServiceProvider();
        key.FromXmlString("_KEY_");
        cert.PrivateKey = key;

        // Messages are signed but not encrypted.
        client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;

    Question is, what do I have to do?


    My request :

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
        <ActivityId CorrelationId="7d9e44cb-cecd-4c49-9a71-79a2ad04a2ec" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">63bde0b8-8953-41b8-b5c2-a69c712346b6</ActivityId>
        <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo3dbGZWnrwhDouJE+VgKu4MAAAAAzmpHur/flUSUy0rxOVAJ8Nk4GsFjc6xOg46yQ3o0ZMQACQAA</VsDebuggerCausalityData>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:BinarySecurityToken>
        <!-- Removed-->
        </o:BinarySecurityToken>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
        <Reference URI="#_2">
        <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
        <DigestValue>Z4OHoIS/bVCWIROLBFcxjfJuXv0ebA/SO8WQWuPTrQo=</DigestValue>
        </Reference>
        <Reference URI="#uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
        <Transforms>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
        <DigestValue>Pnp4gaKUnboMFE2LgLdsFzPBL+7fHqXacVg/MR7AS6c=</DigestValue>
        </Reference>
        </SignedInfo>
        <SignatureValue>NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=</SignatureValue>
        <KeyInfo>
        <o:SecurityTokenReference>
        <o:Reference URI="#uuid-da5ccb9b-2c40-4ede-9079-c94abf912843-2"></o:Reference>
        </o:SecurityTokenReference>
        </KeyInfo>
        </Signature>
        <u:Timestamp u:Id="uuid-f52585e9-3358-46f6-8e9f-9a16b5c0f29b-1">
        <u:Created>2013-03-04T09:27:15.087Z</u:Created>
        <u:Expires>2013-03-04T09:32:15.087Z</u:Expires>
        </u:Timestamp>
        </o:Security>
        </s:Header>
        <s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <getAvailabilityRequest xmlns="_url_">
        <userID xmlns="">_UserID_</userID>
        <password xmlns="">_pass_</password>
        <requestID xmlns="">_request_</requestID>
        <SystemIdentifier xmlns="">?</SystemIdentifier>
        </getAvailabilityRequest>
        </s:Body>
    </s:Envelope>


    Response :

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
        <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-932">
        <wsu:Created>2013-03-04T09:27:24.013Z</wsu:Created>
        <wsu:Expires>2013-03-04T09:32:24.013Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:BinarySecurityToken>
        <!-- Removed-->
        </wsse:BinarySecurityToken>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-930">
        <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
        <ds:Reference URI="#id-931">
        <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>+/NJN562AUh5U5T4VXGRbdU28+JLmW2bdHg1gLf/SWg=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#SigConf-929">
        <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>uzljMoX3dAm90+8P10b2/xE5OooNeP81NDtlefCBoc8=</ds:DigestValue>
        </ds:Reference>
        </ds:SignedInfo> 
       <ds:SignatureValue>Fixb+0TnwQ2KfLqywusmwcKF8OvoBP/bLqIKfLadyV1U97+NZKzcMrSJjSD0a0sDhJZ+lo/KoHVE    KBY12ZZDP9xE+k9LHAlWZIq3a2gvBkTFR3p5NcYFQM4cbA/x/bvpEqDyzqYSoXnXMOG46DFn5klo    DO0PJkMiXKvLBhrCpZtM26AovD5WQlD694EeIXt4jey15zvGzKz88eNfHqNiYa1Wu2HuOTcnSJRv    hQKHmJKpDzn9+ZSohsULVR5xtGFQD7GWL6LLFEMqthD2a10KMan43Qd62SMUcB64o+l/M+l89+Oo    AbE0S2GXP3vvSa3ZoGduktWlyNlC7Qz/Iww0Qg==    </ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-83F04DBB53B92E8E1F1362389243499698">
        <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-83F04DBB53B92E8E1F1362389243499699" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#CertId-83F04DBB53B92E8E1F1362389243499697" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
        </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        </ds:Signature>
        <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Value="NSE/peVOxXheXOqyNT1qx7uZPOhSms35fmJxlf4lBuODD9tz8/TCwzmAAdDArGwc6VJmdw1jVX5tNchYvAqignsPRgTwB+tSbMvUZ6UMwOgHZWRh8rXjYw34EhdEWWBzg0U1ves6ynY88vJW0oFyWiiFcNGkEuy140X7h/Ev+3I=" wsu:Id="SigConf-929"></wsse11:SignatureConfirmation>
        </wsse:Security>
        </SOAP-ENV:Header>
        <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-931">
        <ns3:getAvailabilityResponse xmlns:ns3="_URL_" xmlns="">
        <RequestID>_requestID_</RequestID>
        <HORAStatus>Available</HORAStatus>
        <Version>1.32.0</Version>
        </ns3:getAvailabilityResponse>
        </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>


    Monday, March 4, 2013 10:43 AM

Answers

  • Hi, there is a similar thread here; it sounds like you can achieve your goal with a custom message encoder.

    http://stackoverflow.com/questions/15199181/timestamp-must-be-signed-error-in-response

    Here is a blog post about message encoders; I hope it can give you some ideas.

    http://blogs.msdn.com/b/carlosfigueira/archive/2011/11/09/wcf-extensibility-message-encoders.aspx

    Tuesday, March 5, 2013 9:23 AM
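
Added example, not part of the original thread: a check of which `wsu:Id` elements in the captured response are covered by a `ds:Reference`. In the response posted in the question, `SignedInfo` references only `#id-931` and `#SigConf-929`, so the `Timestamp` element is outside the signature, which is consistent with the error text. The function names and the trimmed sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Trimmed copy of the response shown in the question: only the elements that
# carry a wsu:Id and the ds:Reference entries are kept (digests, token and
# signature value omitted, so this checks coverage, not cryptographic validity).
RESPONSE = f"""<e:Envelope xmlns:e="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <e:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="Timestamp-932"/>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#id-931"/>
   <ds:Reference URI="#SigConf-929"/>
  </ds:SignedInfo></ds:Signature>
  <wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsu:Id="SigConf-929"/>
 </wsse:Security></e:Header>
 <e:Body wsu:Id="id-931"/>
</e:Envelope>"""

def signature_coverage(envelope_xml):
    """Return {"LocalName#Id": bool}: is each wsu:Id element referenced by SignedInfo?"""
    root = ET.fromstring(envelope_xml)
    # Same-document references ("#id") listed in any ds:SignedInfo.
    signed_ids = {
        ref.get("URI", "")[1:]
        for info in root.iter(f"{{{DS}}}SignedInfo")
        for ref in info.findall(f"{{{DS}}}Reference")
        if ref.get("URI", "").startswith("#")
    }
    coverage = {}
    for element in root.iter():
        element_id = element.get(f"{{{WSU}}}Id")
        if element_id is not None:
            local_name = element.tag.rsplit("}", 1)[-1]
            coverage[f"{local_name}#{element_id}"] = element_id in signed_ids
    return coverage

def unsigned_elements(envelope_xml):
    """List the wsu:Id elements that no ds:Reference covers."""
    return sorted(k for k, covered in signature_coverage(envelope_xml).items() if not covered)

if __name__ == "__main__":
    for name, covered in signature_coverage(RESPONSE).items():
        print(f"{name}: {'signed' if covered else 'NOT signed'}")
```
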