Modify namespace prefix in soap security header (timestamp)

Question

Modify namespace prefix in soap security header (timestamp)

Erwin Paul Kuiper 1

Dear reader,

I am writing code to consume a soap web service with both transport security and message security. Three certificates will be used for this:

a private key certificate for the transport security
another private key certificate for the signature
a public key certificate for the message encryption

I have written a custom ClientCredentials class to make it possible to add two client certificates to the request, because by default you can only add one. This all seems to work fine. Without a timestamp everything seems to work. The message will be decrypted and the authentication succeeds.
But when I add a timestamp, the receiver of the message is getting an error that there is no signed timestamp present in the request.
That's a strange error because I can see that there really is a signed timestamp in the message.
I am not sure, but it seems that the timestamp is not being recognized by the receiver because of the timestamp namespace prefix.
My message has a namespace prefix u for the timestamp. The receiver of the message did have success with a message that has a wsu namespace prefix for the timestamp. So I am wondering if this could be the reason that my message is being rejected.

Is there a way to modify the namespace prefix of the Timestamp element of a soap message?

This is the element that is being created by default:

     <u:Timestamp u:Id="uuid-f0fe5620-a332-42ea-8520-f045137ee92e-1">  
        <u:Created>2022-12-15T14:24:29.157Z</u:Created>  
        <u:Expires>2022-12-15T14:29:29.157Z</u:Expires>  
     </u:Timestamp>

I want this to be:

     <wsu:Timestamp wsu:Id="uuid-f0fe5620-a332-42ea-8520-f045137ee92e-1">  
        <wsu:Created>2022-12-15T14:24:29.157Z</wsu:Created>  
        <wsu:Expires>2022-12-15T14:29:29.157Z</wsu:Expires>  
     </wsu:Timestamp>

I tried to write a MessageFormatter and I can add namespace prefixes with this for the body, but this doesn't seem to work for the security headers.
I think a MessageInspector is too late because the message is already being signed at that stage.
So I really don't have any idea how I can do this.
Any help would be appreciated.

Kind regards,
Erwin Kuiper

QiYou-MSFT 4,341 Reputation points Microsoft External Staff

2022-12-30T10:08:50.273+00:00
[ServiceBehavior(Name = "SoapService", Namespace = "")]

Has this been tried?

3 answers

Your answer

QiYou-MSFT 4,341 Reputation points Microsoft External Staff

2022-12-30T10:08:50.273+00:00

[ServiceBehavior(Name = "SoapService", Namespace = "")]

Has this been tried?

Answer 1

Thank you, I have read it and I have tried it out, but you can't modify the security headers in this way. Only elements in de body of the message.

But I know now that my problem doesn't seem to be caused by the namespace prefix. I have been testing something with SoapUI. The receiver enabled the policy that requires a timestamp but disabled the policy that the timestamp must be signed. When I sent a message with SoapUI and I manually added a timestamp (not signed) to the message, I got an OK response back. I tried this both with a u: prefix and with a wsu: prefix in the timestamp and I got an OK response back in both cases. So the namespace prefix doesn't seem to make any difference.

When I send a message with a signed timestamp and a signed body and the receiver enables the require signed timestamp policy, the receiver get's the message "No signed timestamp present in Request". That's strange because when I look in the XML, I see that the timestamp is present and I see that there are two references in the Signature element: one for the timestamp and one for the body. When I validate the signature of this message with SignedXml, I get a valid result back. So the signature seems to be valid. When I modify one character in the timestamp or when I modify one character in the body, then the validation of the signature fails. So the signature really seems to be based on the body and the timestamp.

I actually have no idea what could be wrong. We use transport security and message security, all based on three certificates: one for the transport security, one for the message security encryption and one for the message security signature. The transport security is working fine. The encryption and decryption is also working fine. There is only a problem with the signature of the timestamp, but as I said, when I validate the signature with SignedXml, I get a valid result back.

QiYou-MSFT 4,341 Reputation points Microsoft External Staff

2023-01-20T02:42:32.76+00:00

Actually, I think you're a senior developer. I also don't know what the problem is. I think it might be that the receiver can't handle the problem of identifying this timestamp and then erupting. But speaking of solutions, I think this problem needs to be solved from the bottom of the WCF. This is a somewhat deep question. Imagine that the namespaces of many of Microsoft's own controls are not very easy to modify. So I think if we want to change this thing, we might have to contact the WCF dev maintainers.
Erwin Paul Kuiper 1 Reputation point

2023-01-20T14:02:11.4533333+00:00

Today the problem finally has been solved.

It was a configuration issue on the side of the receiver. They still can't exactly explain why this was causing this error, but they changed the order of checking the certificate and checking the ws-security headers and now it works. I now get an OK response back.

So what they do now is that they first check the ws-security headers and after that they check the certificate. Before today they first checked the certificate and after that they checked the ws-security headers. So changing this order solved the problem.

So now we have a working solution with both transport security and message security (with encryption and a signature).

Thanks for your time. It was difficult for me to find out if the problem was caused by the receiver or by the messages that I was sending.
QiYou-MSFT 4,341 Reputation points Microsoft External Staff

2023-01-24T09:42:45.7333333+00:00

@Erwin Paul Kuiper

I'm glad you solved the problem. I'm sure you can go further and further on this technique.

Best Regards

Qi You

Answer 2

QiYou-MSFT 4,341 Microsoft External Staff

Hi @Erwin Paul Kuiper

I think this can help you.

Example

0 comments

Answer 3

Erwin Paul Kuiper 1

How can I modify the namespace prefix of the Timestamp element from u: to wsu: with this attribute?

In the soap message that I am sending to the receiver, I want the change the <u: Timestamp> element to <wsu:Timestamp>.

0 comments

Share via

Modify namespace prefix in soap security header (timestamp)

3 answers

Your answer