.NET Forum / ASP.NET / Web Services / November 2005


WSE 3 - How to decrypt a soap message using an x509?

Russ - 03 Nov 2005 07:39 GMT
Hi Guys,

Just wondering if someone has an example of how to decrypt a soap message
that has been encrypted with an x509 certificate. The how-to included in the
WSE 3 documentation doesn't have any code examples, and the WSE 2
documentation heads down a completely different path.

Any examples that you might have would be greatly appreciated.

Cheers,
Russ
Steven Cheng[MSFT] - 03 Nov 2005 14:38 GMT
Hi Russ,

Welcome to WebService newsgroup.
As for WSE3, it has further simplified our work on securing webservices at
the message level (compared to the WSE2 security model).  Generally, we use
declarative security assertions to provide message security, and there
exist some built-in turnkey scenarios such as UsernameOverX509...   So the
encrypting/decrypting is what the WSE component will do; we do not need to
do much of it.   Also, if you want to manually decrypt, on the server side,
the soap message which has been encrypted, we'd also need to determine how it
is encrypted on the client side.  What's the detailed condition in your scenario?

Thanks,

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


Russ - 03 Nov 2005 21:26 GMT
Hey Steven,

I have just been following the how-to guide for 'Encrypt a Soap message
using an x.509 certificate'.

So, taking that I've already found the certificate for signing and
encryption (I have two different certificates, one for each), the snippets of
code would be...

---------
//Showing object types (these sit inside the SecureMessage override:
//  public override void SecureMessage(SoapEnvelope envelope, Security security))
X509Certificate2 x509Signing = null;
X509Certificate2 x509Encryption = null;
---------
//Showing the signing of the document
if (x509Signing != null)
{
    Console.WriteLine("Certificate found: Signing document");

    // Use one token instance for both the header and the signature, so the
    // signature's token reference points at the token that was actually added.
    X509SecurityToken signingToken = new X509SecurityToken(x509Signing);
    security.Tokens.Add(signingToken);
    security.Elements.Add(new MessageSignature(signingToken));
    security.Timestamp.TtlInSeconds = 600;
}
---------
//Showing the encrypting of the document
if (x509Encryption != null)
{
    Console.WriteLine("Certificate found: Encrypting document");

    // Encrypt the body for the holder of x509Encryption's private key
    security.Elements.Add(new EncryptedData(new X509SecurityToken(x509Encryption)));
}
---------

All of these are implemented within a CustomSecurityFilter, which inherits
SendSecurityFilter and overrides SecureMessage, which is where this code
lives.

As I mentioned, the how-to guides demonstrate the signing and verification
of signatures, but only show encryption, without a decryption example.

Thanks again for helping with this.

Cheers,
Russ

Steven Cheng[MSFT] - 04 Nov 2005 16:58 GMT
Thanks for your response Russ,

I think the decryption in the input filter will be something similar to
encryption in the output filter....
Anyway, I'll try writing a simple test example. I'll update you as soon as
possible.

Thanks,

Steven Cheng
Microsoft Online Support


Russ - 07 Nov 2005 07:24 GMT
Hi Steven,

I've been looking into this over the weekend, and have come up with the
following things that might be of interest.

The decryption step seems to be happening automagically. I even got a
bit of a scare that it seemed to be happening every single time, even after
I had deleted the private key off the computer, but I guess now that the key
had been cached or something, as another test today showed that the pipeline
was throwing a ws-fault exception when it couldn't get the private key.

So, I gather that the encrypted message includes the serial number of
the certificate, so that the server can find that certificate in the
certificate manager to decrypt the message. However, I don't understand how
it would know where to look for that private key certificate (I've had it
placed in the Local Computer/Personal 'area'). My initial thoughts were
similar to yours, in that you would have to manually select the certificate
that you wanted to decrypt the message with, and then decrypt the message
and capture any errors that might occur.

I think that my next question for this is going to be along the lines of how
to capture the ws-fault on the server side, since it seems to just directly
send it back to the client, as I would need to make both sides aware of the
error.

Cheers,
Russ

Steven Cheng[MSFT] - 07 Nov 2005 15:35 GMT
Thanks for your followup Russ,

First, yes, you're right, the decryption of the message is done by the WSE
runtime rather than by our handler. However, this doesn't mean that we don't
need to do anything. WSE 3.0 is based on PolicyAssertion: when we
manually do the encrypting in the ClientOutputFilter's "SecureMessage"
method, we also need to do some work in the ServiceInputFilter's
"ValidateMessage" method. There we should retrieve the key information (used
to encrypt the message at the client) and compare it with our server key info;
if they match, add the server key info (which contains the private key....) into
the Security context so that the runtime can use the proper private key to
decrypt the encrypted package.....

So for "how does the server know where to find the certificate containing the
private key....": first, it retrieves the encryption key info from the
security headers (WSE inserted it for us when performing encryption..., could
be the serial number as you mentioned...). Then, the server-side code needs to
compare this with our server-side configured server certificate, and if they
match, add the server certificate (as a SecurityToken) into the context.... (
this is what our custom assertion's server filter needs to do...)

Actually, you can use the Reflector tool to view the built-in turnkey security
assertions' (like AnonymousForCertificate...) code, which just follow this
model....

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

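Added example, not code from this thread, from WSE or from Microsoft: the server-side mechanism described above (find the certificate the message refers to, check that its private key is usable, unwrap the session key and decrypt the Body) done by hand with the .NET 2.0 XML Encryption classes, so that the "couldn't get the private key" case becomes an explicit, loggable failure on the server rather than an opaque fault. The class and method names are mine, and the assumed message layout (SOAP 1.1, certificate referenced by serial number, xenc:EncryptedKey in the Security header, xenc:EncryptedData as the Body's only child) is an assumption about how the WSE client encrypted the message.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
// Added example (not WSE or Microsoft code): the steps the WSE runtime performs for an
// X.509-encrypted message, done by hand with the .NET 2.0 XML Encryption classes. Assumed
// layout: SOAP 1.1, cert referenced by serial number, EncryptedKey in the Security header.
public static class SoapX509Decryptor
{
    // Find the decryption certificate in Local Computer / Personal by serial number. Throwing
    // here with a clear message is where a missing private key can be logged server-side.
    public static X509Certificate2 FindDecryptionCertificate(string serialNumber)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);
            if (found.Count == 0)
                throw new CryptographicException("No certificate with serial " + serialNumber);
            if (!found[0].HasPrivateKey)
                throw new CryptographicException("Certificate found, but its private key is not accessible");
            return found[0];
        }
        finally { store.Close(); }
    }
    // Unwrap the RSA-wrapped session key with the private key, then decrypt the Body in place.
    public static void DecryptBody(XmlDocument envelope, X509Certificate2 cert)
    {
        XmlNamespaceManager ns = new XmlNamespaceManager(envelope.NameTable);
        ns.AddNamespace("soap", "http://schemas.xmlsoap.org/soap/envelope/");
        ns.AddNamespace("xenc", "http://www.w3.org/2001/04/xmlenc#");
        XmlElement ekElem = (XmlElement)envelope.SelectSingleNode("//soap:Header//xenc:EncryptedKey", ns);
        XmlElement edElem = (XmlElement)envelope.SelectSingleNode("//soap:Body/xenc:EncryptedData", ns);
        if (ekElem == null || edElem == null)
            throw new CryptographicException("Message is not encrypted in the expected form");
        EncryptedKey ek = new EncryptedKey();
        ek.LoadXml(ekElem);
        bool oaep = ek.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl;
        byte[] sessionKey = EncryptedXml.DecryptKey(ek.CipherData.CipherValue, (RSA)cert.PrivateKey, oaep);
        EncryptedData ed = new EncryptedData();
        ed.LoadXml(edElem);
        using (RijndaelManaged aes = new RijndaelManaged()) // AES-CBC; the IV is read from the cipher value
        {
            aes.Key = sessionKey;
            EncryptedXml exml = new EncryptedXml(envelope);
            exml.ReplaceData(edElem, exml.DecryptData(ed, aes)); // plaintext replaces the EncryptedData element
        }
    }
}
```

Decryption alone says nothing about who sent the message: the signature over the decrypted Body still has to be verified, which the WSE filter pipeline does for you and this example deliberately leaves out.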


