Encrypting SOAP Messages with WSE (5)

Source: Internet
Author: User
Tags: soap, web services, asymmetric encryption

Encrypting and decrypting the received message

Regardless of whether it runs on the client or on the server, the SecurityInputFilter in WSE is what decrypts incoming messages. Because symmetric encryption requires the recipient to hold the same shared key, you must supply a method that SecurityInputFilter can call to obtain that symmetric key; the key and algorithm information carried in the EncryptedData element lets you locate the correct shared key and encryption algorithm. This method must be implemented in a class that implements Microsoft.Web.Services.Security.IDecryptionKeyProvider. In my example, the DecryptionKeyProvider.GetDecryptionKey method returns a symmetric key, as follows:



using System.Security.Cryptography;
using Microsoft.Web.Services.Security;

namespace MyClientAssembly
{
    // The class name and namespace match the type registered in app.config below.
    public class DecryptionKeyProvider : IDecryptionKeyProvider
    {
        public DecryptionKey GetDecryptionKey(string encAlgorithmUri, KeyInfo keyInfo)
        {
            // Recreate the same 16 bytes used to represent the 128-bit key
            byte[] keyBytes = {48, 218, 89, 25, 222, 209, 227, 51, 50, 168, 146,
                               188, 250, 166, 5, 206};

            // Recreate the 8 bytes representing the 64-bit initialization vector
            byte[] ivBytes = {16, 143, 111, 77, 233, 137, 12, 72};

            // Same algorithm and parameters the sender used
            SymmetricAlgorithm mySymAlg = new TripleDESCryptoServiceProvider();
            mySymAlg.Key = keyBytes;
            mySymAlg.IV = ivBytes;

            // Re-create the symmetric decryption key for SecurityInputFilter
            DecryptionKey myKey = new SymmetricDecryptionKey(mySymAlg);

            return myKey;
        }
    }
}

Even though my method does not use them, WSE passes the URI of the encryption algorithm and the KeyInfo element to this method so that you can decide which shared key or encryption algorithm to use when re-creating the symmetric key.



In order for SecurityInputFilter to reach the GetDecryptionKey method, the following configuration must be added to the application's configuration file (that is, the app.config file):



<configuration>
  ...
  <microsoft.web.services>
    <security>
      <decryptionKeyProvider
        type="MyClientAssembly.DecryptionKeyProvider,
              MyClientAssembly" />
    </security>
  </microsoft.web.services>
</configuration>

The type attribute must not contain any extra spaces or line breaks; they appear above only for readability. This setting can also be changed with the WSE Settings tool. Once the DecryptionKeyProvider class is added to the client and WSE security support is configured, WSE automatically intercepts and decrypts the encrypted data before it reaches the client code.

Using an X.509 certificate to encrypt a SOAP message

As I mentioned earlier, asymmetric operations have a certain cost. When large amounts of data are transferred, encrypting the data itself with an asymmetric algorithm is impractical from a performance standpoint, so WSE implements pseudo-asymmetric encryption for this case. Instead of encrypting the whole message asymmetrically, WSE uses the asymmetric algorithm and the public copy of the X.509 certificate to encrypt only the symmetric key, and that symmetric key is what actually encrypts the message. When the message is received, SecurityInputFilter retrieves the private key associated with the X.509 certificate, decrypts the symmetric key, and then decrypts the message body with the recovered key. For this example to work, an X.509 certificate issued by a trusted certificate authority (and usable for encryption) must be present in the personal certificate store of the current user account on the client machine, and the certificate's private key must be present in the local machine account's store on the server hosting the Web service. In addition, a certificate from the CA's certificate chain must be present in the client's trusted root store so that WSE knows it can trust the X.509 certificate it receives.
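The pseudo-asymmetric scheme just described, written out with plain .NET cryptography so each step is visible. This is an added illustration and not WSE code: WSE performs the same steps inside its output and input filters and serializes the result as XML Encryption, and the WSE example above uses 3DES rather than the AES used here. The RSA key pair generated in Main is a constructed stand-in for the recipient's X.509 certificate (public half on the client, private half in the server's local-machine store); the class and method names are my own. Unlike the shared-key provider shown earlier, no key material is embedded in code: a fresh symmetric key is generated per message and only ever travels wrapped under the recipient's public key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration of hybrid ("pseudo-asymmetric") encryption; not WSE's implementation.
public static class HybridEncryptionDemo
{
    // What a sender puts on the wire: the symmetric key wrapped with the recipient's
    // public key, plus the IV and the ciphertext of the message body.
    public sealed class EncryptedMessage
    {
        public byte[] WrappedKey;   // RSA-OAEP(recipientPublicKey, aesKey)
        public byte[] IV;
        public byte[] Ciphertext;   // AES-CBC(aesKey, IV, body)
    }

    // Sender side: only the recipient's PUBLIC key is required (the "public copy" of the certificate).
    public static EncryptedMessage Encrypt(string body, RSA recipientPublicKey)
    {
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();   // fresh symmetric key for this message only
            aes.GenerateIV();
            byte[] plain = Encoding.UTF8.GetBytes(body);
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                return new EncryptedMessage
                {
                    // The expensive asymmetric operation is applied to 32 bytes, not to the body.
                    WrappedKey = recipientPublicKey.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256),
                    IV = aes.IV,
                    Ciphertext = enc.TransformFinalBlock(plain, 0, plain.Length)
                };
            }
        }
    }

    // Receiver side: the PRIVATE key unwraps the symmetric key; only then can the body be decrypted.
    // A wrong private key or a tampered wrapped key surfaces as a CryptographicException here.
    public static string Decrypt(EncryptedMessage msg, RSA recipientPrivateKey)
    {
        byte[] aesKey = recipientPrivateKey.Decrypt(msg.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = aesKey;
                aes.IV = msg.IV;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                {
                    byte[] plain = dec.TransformFinalBlock(msg.Ciphertext, 0, msg.Ciphertext.Length);
                    return Encoding.UTF8.GetString(plain);
                }
            }
        }
        finally
        {
            Array.Clear(aesKey, 0, aesKey.Length); // do not leave the unwrapped key lying around
        }
    }

    public static void Main()
    {
        // Constructed: a throwaway RSA key pair stands in for the recipient's X.509 certificate.
        using (RSA recipient = RSA.Create(2048))
        using (RSA publicOnly = RSA.Create())
        {
            // The sender is handed only the public parameters, as a client holding the
            // certificate's public copy would be.
            publicOnly.ImportParameters(recipient.ExportParameters(false));

            string body = "<soap:Body><GetBalance account=\"1234\"/></soap:Body>"; // constructed sample
            EncryptedMessage onTheWire = Encrypt(body, publicOnly);
            Console.WriteLine("Wrapped key: {0} bytes, ciphertext: {1} bytes",
                              onTheWire.WrappedKey.Length, onTheWire.Ciphertext.Length);

            string recovered = Decrypt(onTheWire, recipient);
            Console.WriteLine(recovered == body ? "round trip OK" : "MISMATCH");
        }
    }
}
```

The point to notice is the asymmetry of what each side holds: the client never needs the private key, and the server never needs to pre-share a symmetric key, which is exactly why the hard-coded key bytes of the shared-key provider are unnecessary in this mode.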

