.NET Forum / ASP.NET / Web Services / October 2004
How does WSE2 search for private key given X509 certificate?

Bo Yan - 28 Oct 2004 01:24 GMT
Hello,

My SOAP service tries to decrypt SOAP request messages encrypted with the
server's X509 certificate.
How does WSE2 search for the private key when the incoming SOAP request
includes the WHOLE X509 certificate in the SOAP header?
I know WSE2 will search for the X509 cert in the specified cert store (say,
the machine's) and try to extract the private key from it when given an
X509SubjectKeyIdentifier.
But when I use JWSDP1.4 to send a SOAP request with X509 encryption, it
writes the whole X509 certificate used for the encryption into the SOAP
header rather than using the X509SubjectKeyIdentifier. And, in my prototype
app, WSE2 cannot find the corresponding private key, which it can find when
a WSE2 client is used. Does WSE2 search for the private key only in the
incoming X509 certificate if there is one?
The following are the error message generated by WSE2 and the incoming SOAP
request.

Thank you very much for any help!

------------------------------------
       <faultstring>System.Web.Services.Protocols.SoapHeaderException:
Server unavailable, please try later --->
System.InvalidOperationException: Private Key is not available
  at Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] ciphertext, Boolean useOAEP)
  at Microsoft.Web.Services2.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
-------------------------------------
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:ns0="http://abc.org/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Header>
    <wsse:Security env:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="Id2247969495683731141">
MIIBxDCCAW6gAwIBAgIQYpjr4FOk3IFNSd3lJj6ItzANBgkqhkiG9w0BAQQFADAWMRQwEgYDVQQD
EwtSb290IEFnZW5jeTAeFw0wMzA3MDgxODQ4MTBaFw0zOTEyMzEyMzU5NTlaMB8xHTAbBgNVBAMT
FFdTRTJRdWlja1N0YXJ0U2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLkqglArIn
ukRlDwXbcjN3zxfsjeaLd+IvfyD5o35pUjpTkPwPXmApScr8UVQxB5JDRSVlMz1lUQ6CBLFLGIAQ
OpbPKn2oul3VmKAf9nRQf9PLU+biWozZXkhebIya43D75r5+5NUq1RbQiCC4qIobRqUdg6adujBY
333wJy4YgwIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UE
AxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwDQYJKoZIhvcNAQEEBQADQQAGSGNKz1gZ
qbXN8JYl0PQM7ngkHfW1mQ88NRYADmoHw5A/rUZDHAPs5HLSn3i5iXlRwT91v3SU6iuaAid+Mwyq
      </wsse:BinarySecurityToken>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#Id2247969495683731141"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>
Omk+vX85Qzocq0v+2NfkTe/DyI/jc+dyl030VQJrHtFvJRrwyvFfq4eoBSk22vAPmdcbbcBXTWq9
/HvtYAEndbOrjeXedPNKJGp4KAwnNH6kjQZxe/YYVbdm3ksglC/vkO3FcEMqCAhDw1zeMcKArhbp
8LVBWZQP2t1sLgFJPFU=
          </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#Id2505756989155604811" />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2004-10-22T06:34:45Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </env:Header
Softwaremaker - 28 Oct 2004 14:15 GMT
Hi,

I blog about this here
http://dotnetjunkies.com/WebLog/softwaremaker/archive/2004/10/20/29158.aspx

WS-Security DOESN'T allow for the sending of any Private Key over SOAP. It
will (usually) send the Binary representation of the X509 over during
digital signatures, as we cannot assume that everyone has our Public Keys.

I don't know much about JWSDP1.4 or why and how it sends the
binarySecurityToken over. However, the X509SubjectKeyIdentifier is embedded
in the binarySecurityToken. Can you map the binarySecurityToken to an X509
Digital Cert? If you can do that successfully, find out if the
SubjectKeyIdentifier property of the cert corresponds to the Private Key
certificate that is supposed to be in your keystore.

hth.

Thank you.

Regards,
Softwaremaker
http://www.softwaremaker.net/blog

Bo Yan - 28 Oct 2004 23:58 GMT
Dear hth,
Thank you for your reply. Let me make my question more clear.
There is NO Private Key in the SOAP request. JWSDP1.4 (the client) does send
the X509 certificate to the SOAP server, including the public key of the
server, with which it encrypts its request message.
To verify the correctness of the embedded X509 cert, I copied the embedded
BinarySecurityToken to a C# application and created an instance of
Microsoft.Web.Services2.Security.X509.X509Certificate successfully with the WSE2
API. The X509SubjectKeyIdentifier is exactly the one in the cert store with
a private key. Actually, the X509 cert attached in my original question is
just the X509 Certificate of WSE2QuickStartServer.
My question is, will WSE2 go to the certificate store to search for the X509
cert and the private key in it if the same certificate is already in the
incoming SOAP request, only with a public key?
I totally agree it does not make any sense to embed a private key into a SOAP
request, but it does make sense to embed the referenced X509 certificate
(with the public key only) into a request.
Thanks,
Bo
Softwaremaker - 29 Oct 2004 02:49 GMT
> Dear hth,
> Thank you for your reply. Let me make my question more clear.
[quoted text clipped - 10 lines]
> cert and private key in it if there is the same certificate already in the
> coming soap request only with a public key?

[Softwaremaker] Yes, WSE2 is set to look for the corresponding PrivateKey
pair of the same certificate in the specified keyStore, provided you tell it
to look in the right place via the config file.
Bo Yan - 29 Oct 2004 03:36 GMT
Thanks once again for the very quick reply, but your answer raised another
question.
After I deleted the X509 certificate with the private key from the cert store,
when calling the WSE2 SOAP server using the WSE2 client (so the
X509SubjectKeyIdentifier is used), the error message is "<faultstring>
Microsoft.Web.Services2.Security.SecurityFault: Referenced security token
could not be retrieved", which is what I expected.
But when the JWSDP client is used (i.e. the X509 cert is embedded), the error
message is "System.InvalidOperationException: Private Key is not available".
Why does WSE give such an error message even though it cannot find the X509
cert in the cert store? No one would expect it to find the private key in the
incoming SOAP header. What makes the error messages so different for the two
incoming requests?

Thanks and cheers,
Bo
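Added example (editor's code, not code from the thread, from WSE2 or from JWSDP): a Go model of the two key-lookup paths the thread compares. buildRequest plays the client and wraps a session key under the server certificate with xenc#rsa-1_5 (the RSA15KeyExchangeFormatter in Bo's stack trace), referencing the certificate either by an embedded BinarySecurityToken (what the JWSDP 1.4 client sends) or by an X509SubjectKeyIdentifier (what the WSE2 client sends); unwrapSessionKey plays the server and resolves that reference against a store keyed by SubjectKeyIdentifier before unwrapping. The type and function names (security, certStore, newServerCert, buildRequest, unwrapSessionKey), the self-signed certificate, the session key and the envelope template are all constructed for this example. One assumption is built in to explain the two different faults Bo reports: a KeyIdentifier reference has to fetch the token from the store, so a deleted certificate fails with "Referenced security token could not be retrieved", whereas an embedded token is always retrievable from the message itself and can only fail one step later with "Private Key is not available". That split reproduces the observed messages, but it is this model's choice, not documented WSE2 internals.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed model of the wsse:Security header (local names only, so any prefix matches).
type security struct {
	BST *struct {
		ID    string `xml:"Id,attr"`
		Value string `xml:",chardata"`
	} `xml:"BinarySecurityToken"`
	Reference     *struct{ URI string `xml:"URI,attr"` } `xml:"EncryptedKey>KeyInfo>SecurityTokenReference>Reference"`
	KeyIdentifier string                                  `xml:"EncryptedKey>KeyInfo>SecurityTokenReference>KeyIdentifier"`
	CipherValue   string                                  `xml:"EncryptedKey>CipherData>CipherValue"`
}

// certStore stands in for the machine store, keyed by hex SKI; nil = cert present, no private key.
type certStore map[string]*rsa.PrivateKey

var errTokenNotFound, errNoPrivateKey = errors.New("Referenced security token could not be retrieved"), errors.New("Private Key is not available")

// newServerCert: self-signed RSA cert with an RFC 5280 method-1 SubjectKeyIdentifier extension.
func newServerCert(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey)) // SHA-1 over the subjectPublicKey bits
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, SubjectKeyId: ski[:]}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

const x509Profile = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
const envelopeTmpl = `<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">%s` +
	`<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference>%s</wsse:SecurityTokenReference></ds:KeyInfo>` +
	`<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></wsse:Security></env:Header><env:Body/></env:Envelope>`

// buildRequest is the client side: wrap sessionKey under the server certificate with
// rsa-1_5 and reference it by embedded BinarySecurityToken (JWSDP) or by SKI (WSE2 client).
func buildRequest(server *x509.Certificate, sessionKey []byte, embedCert bool) (string, error) {
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, server.PublicKey.(*rsa.PublicKey), sessionKey)
	if err != nil { return "", err }
	b64, bst := base64.StdEncoding.EncodeToString, ""
	ref := `<wsse:KeyIdentifier ValueType="` + x509Profile + `#X509SubjectKeyIdentifier">` + b64(server.SubjectKeyId) + `</wsse:KeyIdentifier>`
	if embedCert {
		bst = `<wsse:BinarySecurityToken wsu:Id="Tok1" ValueType="` + x509Profile + `#X509v3">` + b64(server.Raw) + `</wsse:BinarySecurityToken>`
		ref = `<wsse:Reference URI="#Tok1" ValueType="` + x509Profile + `#X509v3"/>`
	}
	return fmt.Sprintf(envelopeTmpl, bst, ref, b64(wrapped)), nil
}

// unwrapSessionKey is the server side: resolve the SecurityTokenReference to a private key
// in the store and unwrap the session key. The two reference styles fail at different steps.
func unwrapSessionKey(envelope string, store certStore) ([]byte, error) {
	var msg struct{ Sec security `xml:"Header>Security"` }
	if err := xml.Unmarshal([]byte(envelope), &msg); err != nil { return nil, err }
	sec, b64 := msg.Sec, base64.StdEncoding.DecodeString
	var ski []byte
	if sec.KeyIdentifier != "" { // only the SKI is on the wire: the token itself must come from the store
		ski, _ = b64(strings.TrimSpace(sec.KeyIdentifier))
		if _, ok := store[hex.EncodeToString(ski)]; !ok { return nil, errTokenNotFound }
	} else if sec.Reference != nil && sec.BST != nil && sec.Reference.URI == "#"+sec.BST.ID {
		// The certificate travels in the message, so the token is always "retrieved"; it only locates our key.
		der, _ := b64(strings.Join(strings.Fields(sec.BST.Value), ""))
		cert, err := x509.ParseCertificate(der)
		if err != nil || len(cert.SubjectKeyId) == 0 { return nil, errTokenNotFound }
		ski = cert.SubjectKeyId
	} else {
		return nil, errTokenNotFound
	}
	key, ok := store[hex.EncodeToString(ski)]
	if !ok || key == nil { return nil, errNoPrivateKey }
	wrapped, err := b64(strings.TrimSpace(sec.CipherValue))
	if err != nil { return nil, err }
	return rsa.DecryptPKCS1v15(rand.Reader, key, wrapped)
}

func main() {
	cert, _, err := newServerCert("WSE2QuickStartServer")
	if err != nil { panic(err) }
	req, _ := buildRequest(cert, []byte("0123456789abcdef"), true) // constructed 128-bit session key
	_, err = unwrapSessionKey(req, certStore{}) // same request after the cert was deleted from the store
	fmt.Println("embedded token, empty store:", err)
}
```

Two things to take from it. First, the embedded certificate is used only to locate the server's own private key (via its SubjectKeyIdentifier) and must never be trusted for anything else, since any client can put any public certificate into a message. Second, the key transport here is PKCS#1 v1.5 (xenc#rsa-1_5), which is exposed to Bleichenbacher-style padding-oracle attacks whenever a client can tell decryption failures apart; distinct fault strings like the two in this thread are exactly that kind of signal, so prefer RSA-OAEP (xenc#rsa-oaep-mgf1p) where both ends support it and keep the faults returned to the client uniform.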
