How can I configure WCF to only sign the TimeStamp header

I am trying to configure my WCF client to create a SOAP 1.1 request that includes WS-Addressing, WS-Security and TLS.

The security requirements are that the message includes a Username Token, TimeStamp and that the TimeStamp is signed using an included BinarySecurityToken.

I have used the example from the following link to create my WCF client binding. I have slightly modified the the example (see below) so that HTTPS is used as the transport mechanism and the MessageSecurity is based on UsernameOverTransport.

            HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();            
        // the message security binding element will be configured to require 2 tokens:
        // 1) A username-password encrypted with the service token
        // 2) A client certificate used to sign the message

        // Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert)
        TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();

        // Create supporting token parameters for the client X509 certificate.
        X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
        // Specify that the supporting token is passed in message send by the client to the service
        clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
        // Turn off derived keys
        clientX509SupportingTokenParameters.RequireDerivedKeys = false;
        // Augment the binding element to require the client's X509 certificate as an endorsing token in the message
        messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);

        // Create开发者_JAVA百科 a CustomBinding based on the constructed security binding element.
        return new CustomBinding(messageSecurity, httpsTransport);

The SOAP messages that are generated by this client are very close to meeting the requirements of the service I am calling, the only issue is that the wsa:To address is being signed as well as the TimeStamp address.

Is there a way to specify exactly which WCF headers are signed? As I need to restrict the client only sign the TimeStamp header.

With custom message headers you can do this:

//... rest of MessageContract

[MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
string MyCustomHeader;

//... rest of MessageContract

But I don't believe that will work with your situation since your attempting to sign a soap header that is inserted by your custom binding. To modify these headers you'll likely need to implement the IClientMessageInspector interface and add a custom behavior to the client configuration to sign the TimeStamp header. Not sure how you would access the certificate to do the signing but this may give you a good start.

I know it's an old question but I've been asked about this a couple of times.

I managed to achieve this by specifying the messageVersion as Soap11 instead of Soap11WSAddressing10 and then manually adding the WS-Addresing headers afterwards which avoided the need to manually implement the signing mechanism.