Signed XML Private Key X509 Certificate WSE 2.0 Issue\Errors

diadem <dia***@discussions.microsoft.com> wrote (news:2E1654AC-3388-41D1-AE79-C463FDBF9C1B@microsoft.com):

I am working on a project for a client where we are required to send signed XML downstream to their server. I need to sign the XML with an X509 certificate private key and then send a (.cer) version of that certificate downstream with the public key so that the client can validate the signature.

I am using VB.NET framework 1.1 and WSE 2.0 SP3 extensions. The certificates (several types were tried) were created using several tools including Makecert, a Local CA implementation, and SecureBlackbox.net tools. All certs were verified to have private keys, were self signed, and had extremely liberal access authority assigned.

My issue is when I retrieve the cert using WSE 2.0 using the following code:

    ' keyIdentifier is a Byte() holding the certificate's SubjectKeyIdentifier, set elsewhere
    Dim myStore As X509CertificateStore = _
        X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore)
    myStore.OpenRead()   ' the WSE store must be opened before it can be searched
    Dim myCerts As Microsoft.Web.Services2.Security.X509.X509CertificateCollection = _
        myStore.FindCertificateByKeyIdentifier(keyIdentifier)
    If myCerts.Count = 0 Then
        Throw New ApplicationException("No certificate with that key identifier in LocalMachine\My")
    End If
    Dim myCert As Microsoft.Web.Services2.Security.X509.X509Certificate = Nothing
    myCert = myCerts(0)

When I stop and look at the cert key (private) I see the following:

    {Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider}
    [Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider]: {Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider}
    KeyExchangeAlgorithm: <error: an exception of type: {System.NotSupportedException} occurred>
    KeySize: 1024
    LegalKeySizes: <error: an exception of type: {System.NotSupportedException} occurred>
    SignatureAlgorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1

The later signedXml.ComputeSignature() fails with the following error:

    An unhandled exception of type 'System.NotSupportedException' occurred in microsoft.web.services2.dll
    Additional information: DecryptValue

If I use a newly created RSACryptoServiceProvider to sign the message, ComputeSignature works fine. It also works fine with the same certs in Whidbey .NET 2.0 with the X509Certificate2 class, but I can't use this on my project.

I have banged my head for three days. Any help or guidance would be appreciated.

William Stacey [MVP] wrote:

I might not even use certs. Why not load your private key via your private .snk file and sign the xml with that. The client can grab the public key from the client assembly (which is signed at compile time using the .snk file) to verify the signature.

diadem wrote (news:A5FECD22-FFF0-4835-B15A-0CE6275FA493@microsoft.com):

The message exchange happens via HTTP post and the downstream client is a Java implementation on Apache. No opportunity for exchanging assemblies, only certs. Thanks.

William Stacey [MVP] wrote:

You could still send the public key in the xml doc as xml or a base64 string. I don't know, however, if your Java client can use RSACryptoServiceProvider to verify the sig. Can you call the .Net framework inside your Java client?

diadem wrote (news:4DEE035F-B68C-4ADD-8C84-693B5B992D63@microsoft.com):

They already have their end built in Java and I'm only reacting to a previously agreed data exchange plan. We won't do Java, they won't do .NET or a true web service, and they won't do a pre-shared secret. The only solution seems to be using certs for signing on our end and validating on theirs. Thanks for the reply!

William Stacey [MVP] wrote:

No problem. Good luck and let us know the solution if possible. Cheers!

Mitch wrote:

I'm not really an XML person, but the following information may be useful in the interop sig-validation process: http://www.jensign.com/JavaScience/dotnet/XMLHash

Vivek Mehra wrote:

I am working on a similar scenario and running into the same issue. Did you find a solution to the problem? Please let me know. Thanks in advance.

Brad wrote:

And I am ALSO working on what sounds like the EXACT same scenario... so close I suspect we (diadem and I) may be trying to communicate with the same Java shop (would R1 mean anything to you, diadem?). If you could tell us how you solved this problem, it would be MUCH appreciated!

Thanks, Brad
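Added example, not code from the thread, from WSE or from any of the posters: the signing path diadem reports as working (a framework RSACryptoServiceProvider rather than the WSE wrapper) written out as a complete VB.NET 1.1 routine. The "DecryptValue" in the exception is the clue: RSAPKCS1SignatureFormatter only calls SignHash when its key is the framework's own System.Security.Cryptography.RSACryptoServiceProvider; for any other RSA subclass it pads the hash itself and calls RSA.DecryptValue, which the Microsoft.Web.Services2 wrapper class does not implement (the same NotSupportedException the debugger shows on its other members). Opening the key through CspParameters bound to the certificate's CSP key container avoids the wrapper entirely, and embedding the .cer plus an RSAKeyValue in KeyInfo gives the Java side the public key inside the document, with no assembly exchange. Assumptions, not from the thread: the key container name "MyXmlSigningKey" (the name makecert -sk assigns), the .cer path, and the sample payload; all are labelled in the code.

```vb
' Added example (not from the thread): sign XML with SignedXml using the framework's
' RSACryptoServiceProvider bound to the certificate's key container, embed the
' certificate for the verifier, and verify locally before sending.
Imports System
Imports System.Xml
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Security.Cryptography.X509Certificates

Public Class XmlSigner

    ' Open the private key directly through the CSP. Because this is the framework's
    ' own RSACryptoServiceProvider, the signature formatter uses SignHash and never
    ' reaches the RSA.DecryptValue fallback that the WSE wrapper throws on.
    Public Shared Function OpenSigningKey(ByVal containerName As String) As RSACryptoServiceProvider
        Dim csp As New CspParameters()
        csp.KeyContainerName = containerName              ' assumption: container name is known
        csp.Flags = CspProviderFlags.UseMachineKeyStore   ' key was put in LocalMachine, as in the thread
        Return New RSACryptoServiceProvider(csp)
    End Function

    ' Build an enveloped signature over the whole document. rsa-sha1 is the only
    ' signature method SignedXml offers in 1.1; on a current framework use RSA-SHA256.
    Public Shared Function SignDocument(ByVal doc As XmlDocument, _
                                        ByVal key As RSACryptoServiceProvider, _
                                        ByVal cert As X509Certificate) As XmlElement
        Dim signedXml As New SignedXml(doc)
        signedXml.SigningKey = key

        Dim reference As New Reference()
        reference.Uri = ""                                ' "" = the enclosing document
        reference.AddTransform(New XmlDsigEnvelopedSignatureTransform())
        signedXml.AddReference(reference)

        ' Ship the certificate so the Java verifier can read the public key from
        ' <KeyInfo>. The RSAKeyValue clause is added too: the 1.1 SignedXml resolves
        ' its verification key from <KeyValue>, not from <X509Data>.
        Dim keyInfo As New KeyInfo()
        keyInfo.AddClause(New KeyInfoX509Data(cert))
        keyInfo.AddClause(New RSAKeyValue(key))
        signedXml.KeyInfo = keyInfo

        signedXml.ComputeSignature()
        Return signedXml.GetXml()
    End Function

    ' Local check of the signed document, mirroring what the downstream side will do.
    ' CheckSignature() with no argument uses the key carried in <KeyInfo>; a real
    ' verifier must additionally pin the embedded certificate to the one it trusts,
    ' otherwise any sender could embed their own key and pass this check.
    Public Shared Function VerifyDocument(ByVal signedDoc As XmlDocument) As Boolean
        Dim sigNodes As XmlNodeList = _
            signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)
        If sigNodes.Count = 0 Then Return False
        Dim verifier As New SignedXml(signedDoc)
        verifier.LoadXml(CType(sigNodes(0), XmlElement))
        Return verifier.CheckSignature()
    End Function

    Public Shared Sub Main()
        Dim doc As New XmlDocument()
        doc.PreserveWhitespace = True
        doc.LoadXml("<order><id>42</id><total>19.99</total></order>")   ' constructed sample payload

        Dim key As RSACryptoServiceProvider = OpenSigningKey("MyXmlSigningKey")   ' assumption
        Dim cert As X509Certificate = X509Certificate.CreateFromCertFile("C:\certs\signer.cer")   ' placeholder path

        Dim sig As XmlElement = SignDocument(doc, key, cert)
        doc.DocumentElement.AppendChild(doc.ImportNode(sig, True))

        Console.WriteLine(doc.OuterXml)
        Console.WriteLine("Local verification: " & VerifyDocument(doc).ToString())
    End Sub
End Class
```

The container name is the part to get right: makecert -sk names the container the private key is generated into, while a PFX imported through the certificate MMC lands in a container named by the import and readable from the certificate's key provider information. Once the CSP path works, the WSE X509CertificateStore lookup from the thread is still useful for locating the .cer bytes to embed, but it is no longer on the signing path.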