
BUG: Failed to encrypt outgoing messages with non WSE2QuickStartClient certificate

Alex Shirshov - 01 Oct 2004 17:35 GMT
Hello, All!

It seems to be a bug.
Steps:
1. Make a test certificate, for instance like this:
[cmd]
makecert -ss My -sr CurrentUser -sk test -n "CN=test"
[/cmd]
2. Open the ResponseEncryption example from the WSE 2.0 quick starts.
3. Find
[code]
If token Is Nothing OrElse token.Certificate.GetName() <> "CN=WSE2QuickStartClient" Then
[/code]
in the ResponseEncryptService.asmx.vb file and replace it with
[code]
If token Is Nothing Then
[/code]
4. Open the WseCertificate2.exe tool to get the Windows key identifier for the
test certificate that was generated in the first step.
5. Find
[code]
Public Shared ClientBase64KeyId As String = "gBfo0147lM6cKnTbbMSuMVvmFY4="
[/code]
in the AppBase.vb file and replace the identifier with the one we got in
step four. For instance
[code]
Public Shared ClientBase64KeyId As String = "GUlw/4Z8+Bzqv3ZM/OyixPgZdtM="
[/code]
6. Run the solution

Expected results:
Symbol: FABRIKAM
       Name:                   Fabrikam, Inc.
       Last Price:             120
       Previous Change:        5.5%

Symbol: CONTOSO
       Name:                   Contoso Corp.
       Last Price:             50.07
       Previous Change:        1.15%

Actual results:
System.ComponentModel.Win32Exception: Bad Key
  at Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] ciphertext, Boolean useOAEP)
  at Microsoft.Web.Services2.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
  at Microsoft.Web.Services2.Security.EncryptedKey.Decrypt()
  at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
  at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services2.InputStream.GetRawContent()
  at Microsoft.Web.Services2.InputStream.get_Length()
  at System.Xml.XmlScanner..ctor(TextReader reader, XmlNameTable ntable)
  at System.Xml.XmlTextReader..ctor(String url, TextReader input, XmlNameTable nt)
  at System.Xml.XmlTextReader..ctor(TextReader input)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at ResponseEncryptCodeClient.ResponseEncryptClient.StockServiceWse.StockQuoteRequest(String[] symbols) in D:\Program Files\Microsoft WSE\v2.0\Samples\VB\QuickStart\ResponseEncryption\Code\ResponseEncryptCodeClient\ResponseEncryptProxy.vb:line 52
  at ResponseEncryptCodeClient.ResponseEncryptClient.ResponseEncryptClient.Run() in D:\Program Files\Microsoft WSE\v2.0\Samples\VB\QuickStart\ResponseEncryption\Code\ResponseEncryptCodeClient\ResponseEncryptClient.vb:line 90
  at ResponseEncryptCodeClient.ResponseEncryptClient.ResponseEncryptClient.Main(String[] args) in D:\Program Files\Microsoft WSE\v2.0\Samples\VB\QuickStart\ResponseEncryption\Code\ResponseEncryptCodeClient\ResponseEncryptClient.vb:line 57

I can reproduce the same bug with other examples, and if needed I could
provide them.

With best regards, Alex Shirshov.

Hervey Wilson [MSFT] - 02 Oct 2004 01:55 GMT
> Hello, All!
>
[quoted text clipped - 4 lines]
> makecert -ss My -sr CurrentUser -sk test -n "CN=test"
> [/cmd]

It's not a bug. You must include "-sky exchange" if you want to use the
certificate for encryption. Without this, it's a signing-only
certificate. You should also make sure that you use the makecert.exe
from the latest Platform SDK, do NOT use the one from the .NET Framework
SDK.

Signature

This posting is provided "AS IS", with no warranties, and confers no rights.

Alex Shirshov - 04 Oct 2004 11:28 GMT
Hello, Hervey!
You wrote  on Fri, 01 Oct 2004 17:55:22 -0700:

[Sorry, skipped]

HWM> It's not a bug. You must include "-sky exchange" if you want to use
HWM> the certificate for encryption. Without this, it's a signing-only
HWM> certificate. You should also make sure that you use the makecert.exe
HWM> from the latest Platform SDK, do NOT use the one from the .NET
HWM> Framework SDK.

Thank you very much. It helps.

With best regards, Alex Shirshov.

DotNet Ed - 05 Oct 2004 13:00 GMT
I am still using one that is slightly earlier than the one in .NET Framework
v1.1. Why? Because the one in v1.1 does not support the -pe switch.

It is very confusing for users to have so many versions of makecert.exe. The
results it gives sometimes do not give much help as to why it failed either.

> > Hello, All!
> >
[quoted text clipped - 10 lines]
> from the latest Platform SDK, do NOT use the one from the .NET Framework
> SDK.

Hervey Wilson [MSFT] - 06 Oct 2004 07:28 GMT
> I am still using one that is slightly earlier than the one on .NET Framework
> v1.1, why? because the one in the v1.1 does not support the -pe switch.
>
> It is very confusing for users to have so many versions of makecert.exe. The
> results it gives sometimes give not much help as to why it failed either.

We understand, the WSE team tried hard to have the version in the .NET
Framework 1.1 SDK updated before it shipped but were unsuccessful. The
master version of makecert.exe can be found in the Platform SDK, this is
the version you should use.

Using the correct version of makecert.exe along with the right set of
switches can make all the difference in the world as to whether the
certificates will then work with WSE. Some problems that we've recently
resolved regarding makecert include:

- not using "-sky exchange" to generate a certificate capable of encrypting.

- not using "-sk <keyname>" to generate different keys for each
certificate. This one can cause all kinds of mischief from failure to
retrieve tokens to inability to recover the private key.

Signature

This posting is provided "AS IS", with no warranties, and confers no rights.
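
Added example, not part of the thread or of the WSE samples: a PowerShell audit of the CurrentUser\My store for the two makecert mistakes listed in the reply above (a key that is not an exchange key, and several certificates sharing one key container). The function name `Get-CertKeyAudit` and the `SharedWith` column are made up for this example; it assumes Windows PowerShell on the .NET Framework and CSP-backed RSA keys, which is what makecert creates.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell on the
# .NET Framework and CSP-backed RSA keys, which is what makecert creates.
#
# Command from the first post with the switch named in the reply added:
#   makecert -ss My -sr CurrentUser -sk test -sky exchange -n "CN=test"

function Get-CertKeyAudit {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $rows = foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }
        try {
            $rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
        } catch {
            $rsa = $null   # key not reachable through a legacy CSP
        }
        if ($null -eq $rsa) { continue }

        $info = $rsa.CspKeyContainerInfo
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            KeyNumber    = $info.KeyNumber           # Exchange or Signature (-sky)
            KeyContainer = $info.KeyContainerName    # container name (-sk)
            SharedWith   = 0                         # other certs on the same key
        }
    }

    # Certificates with the same container and key number use one key pair.
    foreach ($g in ($rows | Group-Object KeyContainer, KeyNumber)) {
        foreach ($r in $g.Group) { $r.SharedWith = $g.Count - 1 }
    }
    $rows
}

Get-CertKeyAudit |
    Sort-Object KeyContainer |
    Format-Table Subject, KeyNumber, KeyContainer, SharedWith, Thumbprint -AutoSize
```

A row showing `KeyNumber` as `Signature` is the signing-only case described in the reply; a non-zero `SharedWith` marks certificates that were issued against the same `-sk` container and key.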

