WSE 2.0 and Encryption
-
Hi all, Sorry in advance if the C# forum is the wrong place for this question, but none of the others looked quite right either... I am trying to implement asymmetrical encryption on a web service using WSE 2.0. The example that MS includes in the Quick Start Examples that come with WSE works just fine, but I am trying to switch from the x509 cert that they provide to one that I created with makecert. Trouble is: I keep getting an error message saying that the key is bad when WSE 2.0 attempts the encryption. My certs have private keys and the users under which both the client and server are running have full control over the directories that contain the private key files... Has anyone managed to get this to work? Can you tell me what command line arguments you passed to makecert? Any guidance appreciated. Thanks, Bill
Bill Dean wrote: I keep getting an error message saying that the key is bad when WSE 2.0 attempts the encryption. Please be specific: what is the exception type and message? What are you doing in code when the exception is thrown? Without this information, I can only guess that you're having one of three problems:
- The X.509 certificate is not signed with the necessary OIDs that identify the certificate for client and/or server authentication.
- Since you made this certificate yourself, you most likely used a self-signing certificate authority (CA). You must add the CA to the trusted certificate store for the machine.
- The certificate is not accessible because you've stored the private key into another user's certificate store (like your local user's or the administrative store), or because the ASPNET user account cannot access private keys by default and you're not impersonating another user (or running ASP.NET under a different user context).
I'm going to assume that since you have WSE 2.0 installed you have the Help 2 topics installed as well, so please read ms-help://MS.WSE20.1033/wse/html/34caf185-5484-42b3-98ea-3f17f3fc1f16.htm and follow the links for more information. If you post the specific exception type and message - as well as any other relevant data or code - we may be able to provide a better answer. This posting is provided "AS IS" with no warranties, and confers no rights. Software Design Engineer, Developer Division Sustained Engineering, Microsoft
Thanks Heath, I should know better than to post such a detail-bare question. My bad. My client application is a .net web application, running on the same machine that the web service runs on: a win2kpro development machine. I am trying to: 1) sign the request from the client with an x509 cert. 2) sign the response with an x509 cert, and 3) encrypt the response with an x509 cert. 1) and 2) are no problem. But when I add the code for 3) I get this exception:
System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ComponentModel.Win32Exception: Bad Key
at Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] plaintext, Boolean useOAEP)
at Microsoft.Web.Services2.Security.Cryptography.RSA15KeyExchangeFormatter.EncryptKey(Byte[] plainKey)
at Microsoft.Web.Services2.Security.EncryptedKey.Encrypt()
at Microsoft.Web.Services2.Security.EncryptedKey.GetXml(XmlDocument document)
at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.WebServicesExtension.AfterSerializeServer(SoapServerMessage message)
--- End of inner exception stack trace ---
This exception is reported by the client and occurs sometime after the return in the web method is called. The stack trace is: SoapHeaderException: System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ComponentModel.Win32Exception: Bad Key
at Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] plaintext, Boolean useOAEP)
at Microsoft.Web.Services2.Security.Cryptography.RSA15KeyExchangeFormatter.EncryptKey(Byte[] plainKey)
at Microsoft.Web.Services2.Security.EncryptedKey.Encrypt()
at Microsoft.Web.Services2.Security.EncryptedKey.GetXml(XmlDocument document)
at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(Soap -
For starters, make sure the CA that signed your X.509 certificate is installed into the trusted CA store of your machine. If that fails I can look into it more. The certificate must be trusted, however, which is one likely cause of "Bad key" (it could also be that you didn't enable the right attributes for the key to sign and encrypt data, so be sure to check that as well). This posting is provided "AS IS" with no warranties, and confers no rights. Software Design Engineer, Developer Division Sustained Engineering, Microsoft
Thanks for the follow-up Heath. The cert is self-signed, so I am assuming that I need to add the certificate itself to my trusted CA store...right? Assuming this is correct, I exported the cert from Local Computer \ Personal and then imported it into Local Machine \ Trusted Root Authority...but the problem remains. How can I tell for sure if it is trusted? How can I tell if I have enabled the right attributes for the key to sign and encrypt data? Thanks for entertaining my questions...I've been through the WSE 2.0 docs half a dozen times and cannot find the answer, so I am a little at wit's end. Any other good sources of documentation? Bill
Actually, you must add the CA (the CA was self-signed, and then used to sign your certificate - at least that's what you were supposed to do) to the trusted CA store. If you don't, then the security implementation won't trust the certificate you use to sign and encrypt data because it doesn't trust what signed it. Read a very old tutorial of mine about certificates and using OpenSSL at http://www.devhood.com/Tutorials/tutorial_details.aspx?tutorial_id=209. It may provide some limited insight. You should not be using your self-signed CA for signing and encrypting data. You use that to sign certificates for certain purposes, and the CA must be set up to be able to sign with those privileges. My tutorial covers that, and there's a lot of information on the web about X.509, which is beyond the scope of this article. You can look at the certificate in Windows to see what it is signed to do. Just double-click the file, assuming it's in a format that Windows understands (like an X.509 DER file - a binary DER-encoded file). They usually have .pfx extensions (but of course the extension is meaningless if the file format isn't correct). This posting is provided "AS IS" with no warranties, and confers no rights. Software Design Engineer, Developer Division Sustained Engineering, Microsoft
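The three checks Heath lists (is the chain trusted, does the Key Usage allow signing and encryption, can this account reach a private key usable for encryption) can be run from code rather than the certificate dialog. This is an added example, not code from the thread or from WSE; it assumes the .NET 2.0 System.Security.Cryptography.X509Certificates classes rather than WSE's own X509 wrapper types, and the subject name is a placeholder.

```csharp
// Added example: diagnose a WSE 2.0 "Bad Key" candidate certificate from code.
// Assumes .NET 2.0 X509 classes; the subject name below is a placeholder.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertCheck
{
    // Placeholder: use the CN you passed to makecert.
    const string SubjectName = "CN=PLACEHOLDER-WSE-TEST";

    static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, SubjectName, false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("not found in LocalMachine\\My"); return; }
        X509Certificate2 cert = found[0];

        // 1. Trust: build the chain against the machine's trusted root/CA stores.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // test CA, no CRL
        Console.WriteLine("chain trusted: {0}", chain.Build(cert));
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  {0}: {1}", s.Status, s.StatusInformation);

        // 2. Key Usage extension: need DigitalSignature for signing and
        //    KeyEncipherment for the RSA key-wrap that EncryptedKey performs.
        foreach (X509Extension ext in cert.Extensions)
        {
            X509KeyUsageExtension ku = ext as X509KeyUsageExtension;
            if (ku != null) Console.WriteLine("key usage: {0}", ku.KeyUsages);
        }

        // 3. Private key: accessible from this account, and created as an
        //    exchange key? CryptoAPI refuses to encrypt with a signature-only
        //    (AT_SIGNATURE) key, which surfaces as NTE_BAD_KEY, "Bad Key".
        try
        {
            RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
            Console.WriteLine("key number: {0} (Exchange needed for Encrypt)",
                rsa.CspKeyContainerInfo.KeyNumber);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("private key not usable from this account: {0}", e.Message);
        }
    }
}
```

Run it under the same account the web service runs as (for example the ASPNET account Heath mentions), since step 3 depends on who is asking.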