Re: Object contains only the public half of a key pair. A private

---

• From: Chris Fink <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Thu, 6 Jul 2006 09:06:02 -0700

---

Hi Pablo,

Thanks for your help. Being said that my objective is to consume my
customers WSE 3 webservice and that they have provided me their public key,
when I configuring my client to consume their webservice, what do I select
for the client key and server key? I wouldn't think that the customer would
need to provide me their private key?

Thanks

"Pablo Cibraro" wrote:

Hi,

You need to deploy the certificates in the following way:

1. Client Side:

- Client public and private keys
- Server public key

2. Service Side

- Client public key
- Service public and private keys

The mutualCertificate assertion works as follow:

1. The client signs the message using the client public and private keys. It
encryps the message using the service public key
2. The service decryps the message using the service private key. It
verifies the signature using the client public key
3. The service signs the response message using the service public and
private keys. It encrypts the message using the client public key
4. The client decryps the message using the client private key. It verifies
the signature using the service public key

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D125BF8C-20A3-4F95-9958-8C7A15F8A9A4@xxxxxxxxxxxxxxxx

I am attempting to call a webservice secured with the WSE 3.0 toolkit and
am
receiving the following error message. My assumption is that I installed
the
certs in the wrong location. I placed my public + private key cert in
the
localmachine my store and placed the customer's public key in the
localmachine address store. I used cert tools to grant everyone full
access
to my cert on the machine.

<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="7/5/2006 6:34:50 PM"
messageId="urn:uuid:27867ccf-fcc5-400e-ba0c-739e005ab59d">
<processingStep description="Unprocessed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
<soap:Body>
<Dispatch xmlns="http://xxx/webservices/";>
<messageType>test</messageType>
<correlationId>test</correlationId>
<messageBody>test</messageBody>
<userName>test</userName>
<applicationName>test</applicationName>
<instance>test</instance>
<postBackUrl>test</postBackUrl>
</Dispatch>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter"
/>
<processingStep description="Exception thrown: Object contains only the
public half of a key pair. A private key must also be provided."> at
System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[]
rgbHash, String str)
at
Microsoft.Web.Services3.Security.Cryptography.RSASHA1SignatureFormatter.SignHash(Byte[]
rgbHash)
at
Microsoft.Web.Services3.Security.Cryptography.RSASHA1SignatureFormatter.Sign(Stream
data)
at
Microsoft.Web.Services3.Security.MessageSignature.BuildSignedInfo(SignatureFormatter
formatter)
at
Microsoft.Web.Services3.Security.MessageSignature.ComputeAsymmetricSignature(AsymmetricKeyAlgorithm
key)
at Microsoft.Web.Services3.Security.MessageSignature.ComputeSignature()
at Microsoft.Web.Services3.Security.Security.SerializeXml(SoapEnvelope
document)
at Microsoft.Web.Services3.Security.Security.Execute(SoapEnvelope
envelope)
at
Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope
envelope)</processingStep>
</outputMessage>
</log>

My policy file is as follows:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy";>
<extensions>
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="MyPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<clientToken>
<x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=PublicKeyClient" findType="FindBySubjectDistinguishedName"
/>
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="E=webfarm@xxxxxxx, CN=XXX, OU=Information Technology, O=Compl
Inc., L=Austin, S=TX, C=US" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>

.

---

• Follow-Ups:
  • Re: Object contains only the public half of a key pair. A private
    • From: Pablo Cibraro

• References:
  • Object contains only the public half of a key pair. A private key
    • From: Chris Fink
  • Re: Object contains only the public half of a key pair. A private key
    • From: Pablo Cibraro

• Prev by Date: Re: Object contains only the public half of a key pair. A private key
• Next by Date: Re: Object contains only the public half of a key pair. A private
• Previous by thread: Re: Object contains only the public half of a key pair. A private key
• Next by thread: Re: Object contains only the public half of a key pair. A private
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Private & Public Key storage location ... with that you complete the 'certificate' to have both public and private key ... To view the complete cert, you access the cert mmc, ... its end & send only the public key to the CA along with the other websites ... The CA never know the private key of the website. ... (microsoft.public.inetserver.iis.security) Re: Private & Public Key storage location ... with that you complete the 'certificate' to have both public and private key ... To view the complete cert, you access the cert mmc, ... its end & send only the public key to the CA along with the other websites ... The CA never know the private key of the website. ... (microsoft.public.inetserver.iis.security) Re: Private & Public Key storage location ... When you got the server cert file, ... its end & send only the public key to the CA along with the other websites ... The CA never know the private key of the website. ... (microsoft.public.inetserver.iis.security) Re: Private & Public Key storage location ... client use the public key to ... corresponds to this certiticate' when you view the cert. ... it will has the private key as well. ... installed for your website, it will be sent to all the clients who connect ... (microsoft.public.inetserver.iis.security) Re: How to exchange certificate ? ... certificate store (I own ONLY a public key). ... >contained in a certificate store AND having an associated private key. ... you can test any cert for an associated private key using: ... (microsoft.public.platformsdk.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)