Re: Unable to unwrap a symmetric key using the private key of an X.509

Hi,

The problem is related to the certificate store on the web service side.
You installed the certificate in "OtherPeople" store but the policy points
to the store "My", which is the personal store..

1. You should change the policy to use "AddressBook" or
2. You should install the certificate in the "Personal" store.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:16E52BF2-5D81-400E-A640-DD037840ACD8@xxxxxxxxxxxxxxxx
I have walked through all of the WSE 3 Hands on Labs and got everything
working fine. When I create my own certificate and install it in the
stores,
my client application that is consuming my WSE enabled webservice receives
the following error (noted at the very bottom of this post).

My objective here is to create and secure a service application
(webservice)
using an x509 test cert that requests a client certificate; and to create
a
test client to consume this service.

Following the makecert command that I used:
makecert -pe -n "CN=DecisionOne Corporation" -ss root -sr localmachine
DecisionOneEBSServices.cer

I installed this cert along with the embedded private key to the following
stores:
Current User - personal, trusted root, and other people stores
Local Computer - personal, trusted root, and other people stores

Using the WSE 3.0 certificates tool, I gave FULL access to Everyone and
the
ASPNET user for all the 6 stores.

I enabled allow test roots in my WSE 3.0 settings>security for BOTH the
client and the webservice.

Following is the policy file for my client:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy";>
<extensions>
<extension name="usernameForCertificateSecurity"
type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="DellCertPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<clientToken>
<x509 storeLocation="CurrentUser" storeName="My"
findValue="CN=DecisionOne Corporation"
findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="CN=DecisionOne Corporation"
findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>

Following is the policy file for my webservice:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy";>
<extensions>
<extension name="usernameForCertificateSecurity"
type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="DellCertPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=DecisionOne Corporation"
findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>

And finally, the ERROR from the event viewer.

Event Type: Error
Event Source: Microsoft WSE 3.0
Event Category: None
Event ID: 0
Date: 6/12/2006
Time: 2:27:58 PM
User: N/A
Computer: WMDVFRA002
Description:
System.ApplicationException: WSE841: An error occured processing an
outgoing
fault response. ---> System.Web.Services.Protocols.SoapException:
System.Web.Services.Protocols.SoapException: Server was unable to process
request. ---> System.Security.Cryptography.CryptographicException: WSE600:
Unable to unwrap a symmetric key using the private key of an X.509
certificate. Please check if the account 'WMDVFRA002\ASPNET' has
permissions
to read the private key of certificate with subject name 'CN=DecisionOne
Corporation' and thumbprint
32213F525B6DD6A8FDCA2D1E0876B873F44C759B'. --->
System.Security.Cryptography.CryptographicException: WSE593: Unable to
decrypt the key. Please check if the process has the right permission to
access the private key. --->
System.Security.Cryptography.CryptographicException: Bad Key.

at
System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32
hr)
at System.Security.Cryptography.Utils._DecryptKey(SafeKeyHandle hPubKey,
Byte[] key, Int32 dwFlags)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[]
rgb, Boolean fOAEP)
at
Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[]
cipherKey)
--- End of inner exception stack trace ---
at
Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[]
cipherKey)
at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
--- End of inner exception stack trace ---
at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope
envelope, String localActor, String serviceActor)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope
requestEnvelope)
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage
message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type,
HttpContext context, HttpRequest request, HttpResponse response, Boolean&
abortProcessing)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---


Any help is appreciated, I am out of options. My thoughts are that I
created the certificate or installed it incorrectly.
Thanks very much!


.

Relevant Pages

  • Re: Unable to unwrap a symmetric key using the private key of an X
    ... the certificate (public and private key) is ... installed in the personal store of both local computer and current user and I ... The problem is related to the certificate store on the web service side. ... You installed the certificate in "OtherPeople" store but the policy points ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Programmatically installing Client Root Certificates
    ... You install root certificates into the "root" store. ... the certificate to the root store. ...
    (microsoft.public.platformsdk.security)
  • Re: RPC over HTTP 1st time w/ Vista - Trouble installing Certificate
    ... And do NOT select automatic store - you need to put it in the Root store. ... The reason is that the elevated user is not the same as the regular user, and the default is to put it in the user's store. ... From waht i can tell everything is setup correctly, but the only thing that isn't going as planned is the installation of the certificate. ... Normally I have the user go to the mail.mycompany.com/exchange and install the certificate at the warning that pops up. ...
    (microsoft.public.windows.server.sbs)
  • Importing a PFX file using X509Certificate2 from ASP fails
    ... An administrator on the machine where the ASP.NET/COM+ application runs should install the certificate in the machine certificate store, ... The ASP.NET/COM+ application code should use the installed certificate rather than attempt to install one from a PFX file. ...
    (microsoft.public.dotnet.security)
  • Re: Active Directory Federation Services
    ... that is associated with their profile and the machine itself has a store. ... Just wanted to let you know that I got the cert problem fixed. ... the user certificate store. ... FSP was looking for certs in the local ...
    (microsoft.public.windows.server.active_directory)