Re: WSE 3 - How to decrypt a soap message using an x509?
- From: "Russ" <ausername12345@xxxxxxxxxxxxx>
- Date: Mon, 7 Nov 2005 18:24:38 +1100
Hi Steven,

I've been looking into this over the weekend, and have come up with the
following things that might be of interest.

The decryption step seems to be happening automagically, I did even get a
bit of a scare that it seemed to be happening every single time, even after
I had deleted the private key off the computer, but I guess now that the key
had been cached or something, as another test today showed that the pipeline
was throwing a ws-fault exception when it couldn't get the private key.

So, I gather that the encrypted message is including the serial number of
the certificate, so that the server can find that certificate in the
certificate manager to decrypt the message. However, I don't understand how
it would know where to look for that private key certificate (I've had it
placed in the Local Computer/Personal 'area'). My initial thoughts were
similar to yours, in that you would have to manually select the certificate
that you wanted to decrypt the message with, and then decrypt the message
and capture any errors that might occur.

I think that my next question for this is going to be down the lines of how
to capture the ws-fault on the server side, since it seems to just directly
send it back to the client, as I would need to make both sides aware of the
error.

Cheers,
Russ

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:qI5tUiV4FHA.3220@xxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your response Russ,
>
> I think the decryption in input filter will be something similar to
> encryption in the output filter....
> Anyway, I'll try writing a simple test example. I'll update you as soon as
> possible.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
> --------------------
> From: "Russ" <ausername12345@xxxxxxxxxxxxx>
> Subject: Re: WSE 3 - How to decrypt a soap message using an x509?
> Date: Fri, 4 Nov 2005 07:26:19 +1100
>
> Hey Steven,
>
> I have just been following the how to guide for 'Encrypt a Soap message
> using an x.509 certificate'.
>
> So, taking that I've already found the certificate for signing and
> encryption (I have two different certificates for each), the snippets of
> code would be...
>
> ---------
> //Showing object types
> X509Certificate2 x509Signing = null;
> X509Certificate2 x509Encryption = null;
> ---------
> //Showing the signing of the document
> if (x509Signing != null)
> {
>     Console.WriteLine("Certificate found: Signing document");
>
>     security.Tokens.Add(new X509SecurityToken(x509Signing));
>     security.Elements.Add(new MessageSignature(new X509SecurityToken(x509Signing)));
>     security.Timestamp.TtlInSeconds = 600;
> }
> ---------
> //Showing the encrypting of the document
> if (x509Encryption != null)
> {
>     Console.WriteLine("Certificate found: Encrypting document");
>
>     security.Elements.Add(new EncryptedData(new X509SecurityToken(x509Encryption)));
> }
> ---------
>
> All of these are implemented within a CustomSecurityFilter, which inherits
> SendSecurityFilter, and overrides SecureMessage, which is where this code
> is in.
>
> As I mentioned, the how to guides demonstrate the signing and verification
> of signatures, but only show encryption, without a decryption example.
>
> Thanks again for helping with this.
>
> Cheers,
> Russ
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:rlFWivH4FHA.3220@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Russ,
>>
>> Welcome to WebService newsgroup.
>> As for WSE3, it has further simplified our work on securing webservice at
>> message level (compared to the WSE2 securing model). Generally, we use
>> declarative security assertions to provide message securing. And there
>> exist some built-in turnkey scenarios such as UsernameOverX509... So the
>> encrypting/decrypting is what the WSE component will do, we do not need
>> to do much of them. Also, if you want to manually decrypt the soap
>> message which has been encrypted at serverside, we'd also determine how is it
>> encrypting at clientside. What's the detailed condition in your
>> scenario?
>>
>> Thanks,
>>
>> Steven Cheng
>> Microsoft Online Support
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>>
>>
>>
>>
>> --------------------
>> From: "Russ" <ausername12345@xxxxxxxxxxxxx>
>> Subject: WSE 3 - How to decrypt a soap message using an x509?
>> Date: Thu, 3 Nov 2005 17:39:07 +1100
>>
>> Hi Guys,
>>
>> Just wondering if someone has an example of how to decrypt a soap message
>> that has been encrypted with a x509 certificate. The how to included in
>> the wse 3 documentation doesn't have any code examples, and the wse 2
>> documentation heads down a completely different path.
>>
>> Any examples that you might have would be greatly appreciated.
>>
>> Cheers,
>> Russ
>>
>>
>>
>
>
>
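
Russ's message at the top of this thread guesses that the encrypted message carries the certificate's serial number and that the server finds the matching certificate in a certificate store. The C# console program below is an added example, not part of the thread and not WSE's own lookup code: it searches the Personal (My) store of both store locations for a given serial number and reports whether the private key can actually be opened. It assumes .NET Framework 4 or later (for System.Numerics) and that the serial number is supplied in decimal, as in a ds:X509SerialNumber element; the class and method names are illustrative.

```csharp
using System;
using System.Globalization;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not WSE code: reports where a certificate with a given
// serial number is installed and whether its private key can be opened.
static class DecryptionCertCheck
{
    // ds:X509SerialNumber is a decimal integer; .NET's SerialNumber is hex.
    static BigInteger FromDecimal(string s) { return BigInteger.Parse(s, CultureInfo.InvariantCulture); }

    // Leading "0" keeps a serial with the top bit set from parsing as negative.
    static BigInteger FromHex(string s) { return BigInteger.Parse("0" + s, NumberStyles.HexNumber, CultureInfo.InvariantCulture); }

    static string KeyState(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return "no private key associated";
        try
        {
            // HasPrivateKey only says a key is referenced; opening it fails if
            // the key container was deleted or this account cannot read it.
            return cert.PrivateKey != null ? "private key opened" : "private key unavailable";
        }
        catch (CryptographicException ex) { return "private key not usable: " + ex.Message; }
    }

    static void Main(string[] args)
    {
        // Constructed placeholder; pass the decimal value from the message.
        BigInteger wanted = FromDecimal(args.Length > 0 ? args[0] : "1234567890");
        foreach (StoreLocation location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        {
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                foreach (X509Certificate2 cert in store.Certificates)
                    if (FromHex(cert.SerialNumber) == wanted)
                        Console.WriteLine("{0}\\My: {1} (issuer {2}) -> {3}", location, cert.Subject, cert.Issuer, KeyState(cert));
            }
            finally { store.Close(); }
        }
    }
}
```

Run it under the same Windows account as the web service, because access to a private key container is granted per account. A serial number is unique only per issuer, so compare the printed issuer with the one named in the message as well.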