.NET Forum / ASP.NET / Web Services / September 2005

signature policy

Andrei Matei - 07 Sep 2005 13:46 GMT
Hello,

I have the following scenario: I have a web service that must authenticate
every request to make sure it originates from someone who has an X.509
certificate issued by a specific CA, let's say BIS. Let's say that the web
service has BIS's private key. I want to use policy to enforce all this. I've
pretty much done all this, but I need some clarification. So, now my web
service has a request policy that says something like:

<wssp:Integrity wsp:Usage="wsp:Required">
  <wssp:TokenInfo>
    <!--The SecurityToken element within the TokenInfo element
        describes which token type must be used for Signing.-->
    <wssp:SecurityToken wse:IdentityToken="true">
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
      <!--I need to make sure the x.509 signing certificate is issued
          by a specific CA-->
      <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
      <wssp:Claims>
      </wssp:Claims>
    </wssp:SecurityToken>
  </wssp:TokenInfo>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
    wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
    wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
    wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
</wssp:Integrity>

Basically, I use <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>. But I
think I need more than verifying the CN, don't I? CN is the friendly name,
right? I think I should be verifying some sort of serial number from the
issuer, correct? How can I do it?

Thanks a lot
Pablo Cibraro - 07 Sep 2005 14:31 GMT
Hi Andrei,
Yes, that's a friendly name for the certificate issuer.
Someone can make a certificate with the same issuer name and send you a
message signed with that certificate, therefore you won't notice the
difference.
You should check the certificate's subject key. (That key is unique per
certificate.)

<wssp:Integrity wsp:Usage="wsp:Required">
  <wssp:TokenInfo>
    <wssp:SecurityToken>
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
      <wssp:Claims>
        <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">BcLNPjKXLfEhsLo+XErJhWEzgF8=</wssp:X509Extension>
      </wssp:Claims>
    </wssp:SecurityToken>
  </wssp:TokenInfo>
</wssp:Integrity>

Regards,
Pablo Cibraro
www.lagash.com

Andrei Matei - 07 Sep 2005 15:53 GMT
Thanks Pablo, you understood my question. Can you please comment a little? I
mean, the claim you wrote:

<wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">BcLNPjKXLfEhsLo+XErJhWEzgF8=</wssp:X509Extension>

does it refer to the issuer of the certificate used for signing or to the
actual certificate used? What is OID...? And what is that string (BcLNP...)?
Is it the string presented by the WSE Certificate tool for the issuer's
certificate (I mean BIS's certificate)?

Thanks a lot for your time.

Pablo Cibraro - 07 Sep 2005 18:50 GMT
Sure, each certificate has a kind of GUID or key, which is a hash (usually
called "Subject key").
If you specify that key in your policy, your web service will only accept
messages signed with that certificate (the certificate that owns the
subject key).
You can find the "subject key" assigned to a certificate with the
certificate tool shipped in WSE. (In the tool, after opening a certificate,
you will find this key as "Windows key identifier". It's a base64 hash.)

Regards,
Pablo Cibraro
www.lagash.com

Andrei Matei - 07 Sep 2005 20:06 GMT
Thanks Pablo.

But I'm not sure we understand each other. I want the web service to accept
only messages signed with a certificate issued by someone (let's say BIS),
not messages signed with a particular certificate. And I know the public part
of BIS's certificate. So I guess my policy should include something about
"Token Issuer", and something about BIS's certificate's GUID. As you can see
from my initial post, I managed to specify the issuer's friendly name, but not
its GUID. Did I understand something wrong?

Again, thanks a lot for your help.

Keith - 07 Sep 2005 21:51 GMT
If I want to read this value from a WSE X509Certificate object, what is the
relevant property?
TIA,
Keith

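An added example for the two open questions above (Andrei's "accept anything issued by BIS, not one particular certificate" and Keith's "which property holds the key identifier"). It is not code from the thread or from WSE; it uses the .NET Framework 2.0 X509Certificate2 and X509Chain types rather than the WSE wrapper class, and assumes the base64 string the WSE certificate tool displays is the raw key-identifier bytes.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not WSE code: pin BIS's CA certificate itself rather than the
// issuer's friendly name, which anyone can copy into a home-made CA certificate.
public static class IssuerKeyPolicy
{
    // The property Keith asked about, on the .NET Framework 2.0 X509Certificate2
    // type rather than the WSE wrapper: the Subject Key Identifier (OID 2.5.29.14)
    // as uppercase hex, or null when the certificate has no such extension.
    public static string GetSubjectKeyIdentifier(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509SubjectKeyIdentifierExtension ski = ext as X509SubjectKeyIdentifierExtension;
            if (ski != null) return ski.SubjectKeyIdentifier;
        }
        return null;
    }

    // Compares a certificate's key identifier with the base64 string the WSE
    // certificate tool displays (assumed to be the raw identifier bytes in base64).
    public static bool MatchesKeyIdentifier(X509Certificate2 cert, string base64FromTool)
    {
        string expected = BitConverter.ToString(Convert.FromBase64String(base64FromTool)).Replace("-", "");
        string actual = GetSubjectKeyIdentifier(cert);
        return actual != null && string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }

    // Accepts any signing certificate issued directly by the pinned CA. The chain
    // builder checks the leaf's signature against the issuer's public key; comparing
    // the issuer element's thumbprint then binds that issuer to BIS's certificate.
    // The SKI alone is not used here because it is a self-asserted extension that a
    // forged CA could copy, whereas the thumbprint covers the whole certificate.
    public static bool IsIssuedByTrustedCa(X509Certificate2 signingCert, X509Certificate2 trustedCa)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(trustedCa);
        // Trust is decided below, not by the machine's root store.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!chain.Build(signingCert) || chain.ChainElements.Count < 2) return false;

        X509Certificate2 issuer = chain.ChainElements[1].Certificate;
        return string.Equals(issuer.Thumbprint, trustedCa.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Use MatchesKeyIdentifier once, when loading BIS's certificate from a store, to confirm it is the certificate whose identifier the tool showed; use IsIssuedByTrustedCa per request on the signing certificate.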
