
Poupou's Corner of the Web



WS-Security - slow but steady progress

I know I promised to keep quiet during PDC, but it hasn't really started yet so... anyway, no one has started blogging about it yet, so my promise isn't broken ;-).

After much more time than anticipated (actually many more classes implemented than I expected, which is a more positive view of my time), I can now use Mono's WSE implementation to encrypt a request to a web service using an X.509 certificate.

I did so by modifying my previous example (the one I copied from an MSDN article):

```csharp
using System;
using Microsoft.Web.Services;
using Microsoft.Web.Services.Security;
using Microsoft.Web.Services.Security.X509;

class Client {

	[STAThread]
	static void Main (string[] args)
	{
		// proxy generated for the web service (WSE adds RequestSoapContext to it)
		Username proxy = new Username ();

		// the password is sent as a digest (nonce + created + password), never in clear
		UsernameToken tok = new UsernameToken ("poupou", "password", PasswordOption.SendHashed);
		proxy.RequestSoapContext.Security.Tokens.Add (tok);

		// the server's public certificate is used to encrypt the body of the request
		X509Certificate x509 = X509Certificate.CreateCertFromFile (@"..\..\server.cer");
		X509SecurityToken xst = new X509SecurityToken (x509);
		EncryptedData ed = new EncryptedData (xst);
		proxy.RequestSoapContext.Security.Elements.Add (ed);

		try {
			Console.WriteLine (proxy.PersonnalHello ());
		}
		catch (Exception e) {
			Console.WriteLine (e.ToString ());
		}
	}
}
```

This generates the following SOAP request. Apart from the (missing) routing headers, this is very similar to what the Microsoft WSE version would generate, which is why IIS had no problem decrypting it.

```xml
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" ...>
  <soap:Header>
    <wsu:Timestamp xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
      <wsu:Created>2003-10-25T19:58:29Z</wsu:Created>
      <wsu:Expires>2003-10-25T20:03:29Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
      <wsse:UsernameToken wsu:Id="SecurityToken-45a0ef45-6d9d-408a-bd99-17f15e0bccc1" ...>
        <wsse:Username>poupou</wsse:Username>
        <wsse:Password Type="wsse:PasswordDigest">v76oaS0a8xct5vQ16vbafBIEPig=</wsse:Password>
        <wsse:Nonce>i43pLvPilkHAc5cJDG9twQ==</wsse:Nonce>
        <wsu:Created>2003-10-25T19:58:29Z</wsu:Created>
      </wsse:UsernameToken>
      <xenc:EncryptedKey Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="wsse:X509v3">AuGnMlSu/cCkMjb2/iNqA3Iosfc=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>yziZ+MYDRTuFEnNAEH6d7eH3ZK7fK0WlQf/fWWvBJsqA1+9nHCp3w9B/9oEIC8tgv1T/ ...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncryptedContent-96e3ddc5-be73-4aef-a244-d7b8aa26121e" />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-38917d98-eeab-41e4-b640-6f3a033f8da8" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
    <xenc:EncryptedData Id="EncryptedContent-96e3ddc5-be73-4aef-a244-d7b8aa26121e" ...>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <xenc:CipherData>
        <xenc:CipherValue>kq9yNn7L4rUbo/rOvOi4ZVcH4RVxvOrVf4H4UTVYVhMS8aBPA15uaiHDbJ6YjLZ04M/DPG7VK3M=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
```
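To make explicit what the header above is actually carrying, here is an added example (mine, written for this page; it is not code from the post and not Mono's or Microsoft's WSE implementation) that reproduces the three cryptographic values of the request in Go's standard library: the wsse:KeyIdentifier is the SHA-1 of the DER certificate, the xenc:EncryptedKey is a per-message 3DES key wrapped with RSA PKCS#1 v1.5 (rsa-1_5) under the server certificate, and the body's CipherValue is the IV followed by the 3DES-CBC ciphertext (tripledes-cbc). The server side shows the checks the recipient has to make before trusting the padding it strips. The self-signed certificate and the body text are constructed stand-ins for server.cer and the real call; rsa-1_5 and 3DES are what the 2002 profile specifies, not what you would pick today (RSA-OAEP and an AEAD cipher), and note that nothing here is signed, so the ciphertext is malleable.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EncryptedRequest holds the three base64 values the request above carries:
// wsse:KeyIdentifier (wsse:X509v3), xenc:EncryptedKey/CipherValue (rsa-1_5)
// and xenc:EncryptedData/CipherValue (tripledes-cbc, IV prepended).
type EncryptedRequest struct {
	KeyIdentifier, EncryptedKey, CipherValue string
}

// KeyIdentifier is the wsse:X509v3 identifier: SHA-1 over the DER certificate.
func KeyIdentifier(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Encrypt is the client side: a fresh 24-byte 3DES key per message, wrapped with
// RSA PKCS#1 v1.5 for the certificate holder, and the body 3DES-CBC encrypted under
// a random IV. XML Encryption prepends the IV and wants the last plaintext byte to
// hold the pad length, which PKCS#7 padding satisfies.
func Encrypt(cert *x509.Certificate, body []byte) (*EncryptedRequest, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not hold an RSA key")
	}
	buf := make([]byte, 24+des.BlockSize)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:24], buf[24:]
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return nil, err
	}
	block, _ := des.NewTripleDESCipher(key) // cannot fail: key is 24 bytes
	n := des.BlockSize - len(body)%des.BlockSize
	padded := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return &EncryptedRequest{KeyIdentifier(cert), base64.StdEncoding.EncodeToString(wrapped),
		base64.StdEncoding.EncodeToString(append(iv, ct...))}, nil
}

// Decrypt is the server side: confirm the EncryptedKey names our certificate,
// unwrap the session key with the private key, then strip IV and padding.
func Decrypt(priv *rsa.PrivateKey, cert *x509.Certificate, req *EncryptedRequest) ([]byte, error) {
	if req.KeyIdentifier != KeyIdentifier(cert) {
		return nil, errors.New("EncryptedKey does not reference our certificate")
	}
	wrapped, err1 := base64.StdEncoding.DecodeString(req.EncryptedKey)
	data, err2 := base64.StdEncoding.DecodeString(req.CipherValue)
	if err1 != nil || err2 != nil {
		return nil, errors.New("CipherValue is not valid base64")
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, wrapped)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key) // rejects an unwrapped key that is not 24 bytes
	if err != nil {
		return nil, err
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return nil, errors.New("CipherValue is not an IV plus whole 3DES blocks")
	}
	pt := make([]byte, len(data)-des.BlockSize)
	cipher.NewCBCDecrypter(block, data[:des.BlockSize]).CryptBlocks(pt, data[des.BlockSize:])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= des.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad padding")
}

// newServerCert stands in for server.cer and its private key: a throwaway
// self-signed RSA certificate constructed for this example (errors ignored).
func newServerCert() (*rsa.PrivateKey, *x509.Certificate) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "server"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	cert, _ := x509.ParseCertificate(der)
	return priv, cert
}

func main() {
	priv, cert := newServerCert()
	req, _ := Encrypt(cert, []byte(`<PersonnalHello xmlns="urn:example" />`)) // constructed body
	body, err := Decrypt(priv, cert, req)
	fmt.Printf("KeyIdentifier=%s\nbody=%s err=%v\n", req.KeyIdentifier, body, err)
}
```

The KeyIdentifier check is the equivalent of the server picking the right private key from its store; a mismatch there (or an unwrapped key that is not 24 bytes, or a CipherValue that is not whole blocks) is rejected before any padding is looked at, which is the order you want when the only integrity check you have is the padding byte.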

But if you remember the first post, you may notice that this sample really doesn't do much. That's because there's (almost) nothing in the SOAP body; the interesting part was the UsernameToken, which is unencrypted. Well, the promised sample is for another time.
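Since the UsernameToken above goes out in the clear, here is an added example (again mine, not code from the post, Mono or WSE) of what PasswordDigest buys you and what it does not. The digest is Base64(SHA-1(nonce + created + password)) as the WS-Security UsernameToken profile defines it; I have not checked that this reproduces WSE 1.0's value byte for byte, so the token below is constructed rather than the one from the request. The server side shows the two checks that give the nonce and Created a purpose (a freshness window and a replay cache), and the last function shows the flip side: everything needed to guess the password offline is visible on the wire, so SendHashed protects a weak password no better than the dictionary it came from. The user name, password and time stamp are the ones from the post's code and request.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// UsernameToken mirrors the wsse:UsernameToken in the request above. All four
// fields travel in the clear; only the password itself is replaced by a digest.
type UsernameToken struct {
	Username string
	Digest   string // wsse:Password Type="wsse:PasswordDigest"
	Nonce    string // base64, random per message
	Created  string // xsd:dateTime in UTC
}

// PasswordDigest is Base64(SHA-1(nonce || created || password)), nonce as raw
// bytes and the two strings as UTF-8, as the UsernameToken profile defines it.
func PasswordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// NewUsernameToken is the client side (PasswordOption.SendHashed): fresh nonce, current time.
func NewUsernameToken(user, password string, now time.Time) (UsernameToken, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return UsernameToken{}, err
	}
	created := now.UTC().Format(time.RFC3339)
	return UsernameToken{Username: user, Digest: PasswordDigest(nonce, created, password),
		Nonce: base64.StdEncoding.EncodeToString(nonce), Created: created}, nil
}

// Verifier is the server side. It needs the cleartext password (a digest over a
// per-message nonce cannot be checked against a stored hash), and it must enforce
// what the nonce and Created are for: a freshness window and a no-replay cache.
type Verifier struct {
	Lookup func(user string) (password string, ok bool)
	MaxAge time.Duration
	seen   map[string]bool // nonces accepted inside the window; expire them with it in a real server
}

func (v *Verifier) Verify(tok UsernameToken, now time.Time) error {
	created, err := time.Parse(time.RFC3339, tok.Created)
	if err != nil {
		return errors.New("bad Created")
	}
	if age := now.Sub(created); age > v.MaxAge || age < -v.MaxAge {
		return errors.New("token outside freshness window")
	}
	if v.seen[tok.Nonce] {
		return errors.New("nonce replayed")
	}
	nonce, err := base64.StdEncoding.DecodeString(tok.Nonce)
	if err != nil {
		return errors.New("bad Nonce")
	}
	password, ok := v.Lookup(tok.Username)
	if !ok {
		return errors.New("unknown user")
	}
	want := PasswordDigest(nonce, tok.Created, password)
	if subtle.ConstantTimeCompare([]byte(want), []byte(tok.Digest)) != 1 {
		return errors.New("digest mismatch")
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	v.seen[tok.Nonce] = true
	return nil
}

// GuessPassword is what an eavesdropper can do with the unencrypted token:
// Nonce and Created are visible, so each candidate password costs one SHA-1.
func GuessPassword(tok UsernameToken, candidates []string) (string, bool) {
	nonce, err := base64.StdEncoding.DecodeString(tok.Nonce)
	if err != nil {
		return "", false
	}
	for _, c := range candidates {
		if PasswordDigest(nonce, tok.Created, c) == tok.Digest {
			return c, true
		}
	}
	return "", false
}

func main() {
	now := time.Date(2003, 10, 25, 19, 58, 29, 0, time.UTC) // the Created instant of the request above
	tok, _ := NewUsernameToken("poupou", "password", now)
	v := &Verifier{Lookup: func(u string) (string, bool) { return "password", u == "poupou" }, MaxAge: 5 * time.Minute}
	fmt.Println("verify:", v.Verify(tok, now), "replay:", v.Verify(tok, now.Add(time.Second)))
	fmt.Println(GuessPassword(tok, []string{"letmein", "password"}))
}
```

The five-minute MaxAge matches the Created/Expires spread of the wsu:Timestamp in the request; make the window smaller and the replay cache stays small too, since a nonce only has to be remembered for as long as its Created would still be accepted.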

Talking of the beast, I still haven't figured out how to generate the UsernameToken signing key, but I know from the newsgroup that I'm not the only one looking. Anyone at the PDC who can extract this information from some (drunk and/or supportive) MS WSE guy? I can name a few if this helps... >:-)

10/25/2003 23:34:50

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.