Hi,

I have this policy on client and server side:


    <wsp:Policy wsu:Id="SignMessage"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token
                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token
                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic128/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict />
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp />
              <sp:OnlySignEntireHeadersAndBody />
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
            </wsp:Policy>
          </sp:Wss10>
          <sp:SignedElements
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <sp:XPath
                xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
              /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
            </sp:XPath>
          </sp:SignedElements>
          <sp:SignedParts
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <sp:Body />
          </sp:SignedParts>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

When I uncomment <SignedElements>, the Timestamp reference is doubled but the
message is VALID.
But when <SignedElements> is commented out, there is only one timestamp reference
but the message is INVALID.

Valid message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Header
       xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <wsse:Security soap:mustUnderstand="1"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-B1B71365459EB8BA9113946113597143">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</wsse:BinarySecurityToken>
         <wsu:Timestamp wsu:Id="TS-B1B71365459EB8BA9113946113596981">
            <wsu:Created>2014-03-12T08:02:39.698Z</wsu:Created>
            <wsu:Expires>2014-03-12T08:07:39.698Z</wsu:Expires>
         </wsu:Timestamp>
         <ds:Signature Id="SIG-B1B71365459EB8BA9113946113597146"
             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#TS-B1B71365459EB8BA9113946113596981">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>Q2jek5hQtEJMmmPUMYZUdk6BO/k=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#_B1B71365459EB8BA9113946113596982">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>8sujJKvSraZMQBV7ptRxzR89J4Y=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#TS-B1B71365459EB8BA9113946113596981">
                  <ds:Transforms>
                     <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>Q2jek5hQtEJMmmPUMYZUdk6BO/k=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
           
<ds:SignatureValue>ZLoYk9F55lQdrUMTaG4+4A1WgdICUeofLAusaTTD46SXsi/F+gFTo+LfL0RW/QYDsM48Qo1RRXh7AJ4oZskpnfxdsYzw1BLg9O38whNoLQ6XGLIA5OFARFodnYOex5D3ytSjsRhcCEQqPgdjc/q7uGfYpTpybBvgFSmR6dWLMCEP6vPeFhtwHNJtMM0AhphbtbSeCNqF0Y871cXBt8ckFuxFazQnI1ywER8uD4z1XGNuTo4iO8EzpyAobFnzN0gb5j4wymyo6RhOmuILT9WASQ4UWD27GJegS2PKXEVpSRWCV/rOSyEfqBBl5DrzgCB4eV9OX4clB92mO2EtDYbXDg==</ds:SignatureValue>
            <ds:KeyInfo Id="KI-B1B71365459EB8BA9113946113597144">
               <wsse:SecurityTokenReference
wsu:Id="STR-B1B71365459EB8BA9113946113597145">
                  <wsse:Reference
URI="#X509-B1B71365459EB8BA9113946113597143"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
   </soapenv:Header>
   <soap:Body wsu:Id="_B1B71365459EB8BA9113946113596982"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <sad:SendAccountingDocumentAckMsg
          xmlns:sad="http://fina.hr/ebox/ws/SendAccountingDocument/v0.1">
         <bwsc:MessageAck
             xmlns:bwsc="http://fina.hr/eracun/boxwebservicecomponents">
            <bwsc:MessageID>9fd6f1e6-75f9-475c-bd1b-5cf583218579</bwsc:MessageID>
            <bwsc:MessageAckID>1</bwsc:MessageAckID>
            <bwsc:MessageType>12</bwsc:MessageType>
            <bwsc:AckStatus>ACCEPTED</bwsc:AckStatus>
            <bwsc:AckStatusCode>1</bwsc:AckStatusCode>
            <bwsc:AckStatusText>Poruka_zaprimljena</bwsc:AckStatusText>
         </bwsc:MessageAck>
      </sad:SendAccountingDocumentAckMsg>
   </soap:Body>
</soap:Envelope>

Is the doubled reference really the problem?
Should the other side be able to validate this message even with the doubled
reference?
How can I fix this problem?

Thanks.



--
View this message in context: 
http://cxf.547215.n5.nabble.com/Timestamp-valid-only-with-double-timestamp-reference-tp5741140.html
Sent from the cxf-user mailing list archive at Nabble.com.
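
Added example (not part of the original post, and not CXF or WSS4J code): a small Python audit of which wsu:Id targets the ds:Reference entries in ds:SignedInfo cover, flagging doubled references like the one in the message above and required parts (Timestamp, Body) that no reference covers. The sample envelopes and the IDs TS-1 and Body-1 are constructed; digests and the signature value are not verified.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def audit_references(envelope_xml):
    """Report signature coverage only; this does not check digests or the signature."""
    root = ET.fromstring(envelope_xml)
    # Every element that carries a wsu:Id, i.e. every possible same-document target.
    ids = {el.get(WSU_ID): el.tag for el in root.iter() if el.get(WSU_ID)}
    refs = root.findall(".//ds:SignedInfo/ds:Reference", NS)
    counts = Counter(r.get("URI", "").lstrip("#") for r in refs)
    # Parts the policy in the post requires to be signed.
    required = {
        "Timestamp": root.find("soap:Header/wsse:Security/wsu:Timestamp", NS),
        "Body": root.find("soap:Body", NS),
    }
    return {
        "duplicates": sorted(i for i, n in counts.items() if n > 1),
        "dangling": sorted(i for i in counts if i not in ids),
        "unsigned": sorted(name for name, el in required.items()
                           if el is None or el.get(WSU_ID) not in counts),
    }


def sample_envelope(ref_uris):
    """Constructed, minimal envelope with one ds:Reference per URI given."""
    refs = "".join('<ds:Reference URI="%s"/>' % u for u in ref_uris)
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>'
        '<wsu:Timestamp wsu:Id="TS-1"/><ds:Signature><ds:SignedInfo>' % NS
        + refs +
        '</ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="Body-1"/></soap:Envelope>'
    )


if __name__ == "__main__":
    # Same reference pattern as the posted message: Timestamp, Body, Timestamp.
    print(audit_references(sample_envelope(["#TS-1", "#Body-1", "#TS-1"])))
    # A signature that covers only the Body leaves the Timestamp unsigned.
    print(audit_references(sample_envelope(["#Body-1"])))
```

Running the same function over a captured request and response from each side shows whether the two stacks differ in what they sign or only in how often they reference it.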
