Encrypt SOAP messages with WSE (6

Encrypting messages sent externally

I have modified the previous GetXmlDocument method so that it uses the X.509 asymmetric encryption support implemented by WSE. To encrypt the response message, the FindCertificateBySubjectString method is used to retrieve the public copy of the client certificate from the personal certificate store of the local machine account. That certificate is then used to create a new X.509 security token, which is added to the security elements of the response message's SoapContext. In addition to the namespaces referenced in the symmetric encryption example, a using directive is needed for the Microsoft.Web.Services.Security.X509 namespace. The GetXmlDocument method code is as follows:

```csharp
using System;
using System.Web.Services;
using System.Xml;
using Microsoft.Web.Services;
using Microsoft.Web.Services.Security;
using Microsoft.Web.Services.Security.X509;

[WebMethod]
public XmlDocument GetXmlDocument()
{
    // Create a simple XML document to return
    XmlDocument myDoc = new XmlDocument();
    myDoc.InnerXml =
        "<EncryptedResponse>Here is sensitive data.</EncryptedResponse>";

    // Get the SoapContext of the response message
    SoapContext myContext = HttpSoapContext.ResponseContext;

    // Open and read the personal certificate store of the local machine account
    X509CertificateStore myStore =
        X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
    myStore.OpenRead();

    // Find all certificates whose subject contains "My Certificate"
    // and collect the matches
    X509CertificateCollection myCerts =
        myStore.FindCertificateBySubjectString("My Certificate");
    X509Certificate myCert = null;

    // Take the first certificate in the collection
    if (myCerts.Count > 0)
    {
        myCert = myCerts[0];
    }

    // Make sure we have a certificate that can be used for encryption
    if (myCert == null || !myCert.SupportsDataEncryption)
    {
        throw new ApplicationException("Service isn't able to encrypt the response");
    }
    else
    {
        // Use the valid certificate to create a security token.
        // WSE uses this token to encrypt the body of the message and
        // generates a KeyInfo element that identifies the certificate
        // the client must use to decrypt the message.
        X509SecurityToken myToken = new X509SecurityToken(myCert);
        EncryptedData myEncData = new EncryptedData(myToken);

        // Add the EncryptedData element to the SoapContext of the response message
        myContext.Security.Elements.Add(myEncData);

        return myDoc;
    }
}
```

With this approach, the WSE pipeline produces the following message, with the corresponding security header, encrypted body content, and key information:

```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <wsu:Timestamp
        xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
      <wsu:Created>2003-02-11T01:34:01Z</wsu:Created>
      <wsu:Expires>2003-02-11T01:39:01Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:Security soap:mustUnderstand="1"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
      <xenc:EncryptedKey
          Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="wsse:X509v3">
              ymlkvwxyd8vuguyliuiydeaqqpw=
            </wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>uj64addf3fd59xsaq...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI=
            "#EncryptedContent-608eef8b-4104-4469-95b6-7cb4703cfa03"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
      wsu:Id="Id-70179c5b-4975-4932-9ecd-a58feb34b0d3">
    <xenc:EncryptedData
        Id="EncryptedContent-608eef8b-4104-4469-95b6-7cb4703cfa03"
        Type="http://www.w3.org/2001/04/xmlenc#Content"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>
          4o1b4befwbju6tzuaygfraax0ugtaykcw2klibuzpjli...z8i2yphn4+w==
        </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
```

Note that in this encrypted message the EncryptedKey element, which is itself encrypted with the asymmetric (RSA) key of the client certificate, carries the symmetric key that was used to encrypt the message body. The ReferenceList element refers to the Id attribute of the EncryptedData element in the message body. Although I did not do so in this example, signing the message so that the recipient can verify who actually sent it is also a good idea. For more information on signing messages with WSE, see WS-Security Authentication and Digital Signatures with Web Services Enhancements.
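The structure just described (an EncryptedKey in the wsse:Security header whose ReferenceList must point at the Id of the EncryptedData that replaced the body content, plus the Timestamp window) is exactly what a receiver or a gateway should check before trusting a message like the one above. The following Python inspector is an added example, not WSE code or code from the article: it parses a constructed envelope modelled on the article's output (the ids and base64 values are placeholders, not the values from the page), resolves every DataReference against the EncryptedData ids, checks the Timestamp against a supplied clock, reports which certificate the KeyIdentifier names, and flags the two algorithms WSE 1.0 emits here (PKCS#1 v1.5 RSA key transport and 3DES-CBC) as legacy choices. The `inspect_envelope` function, `SAMPLE_ENVELOPE` and `LEGACY_ALGORITHMS` are my names, not part of any library.

```python
"""Structural inspection of a WSE-style encrypted SOAP envelope (added example)."""
import datetime as dt
import xml.etree.ElementTree as ET

# Namespaces as they appear in the WSE 1.0 (2002/07) envelope in the article
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/07/secext",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithms WSE 1.0 emits in the article; both are legacy choices today
LEGACY_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}

# Constructed sample modelled on the article's envelope (placeholder ids and values)
SAMPLE_ENVELOPE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsu:Timestamp xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
      <wsu:Created>2003-02-11T01:34:01Z</wsu:Created>
      <wsu:Expires>2003-02-11T01:39:01Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:Security soap:mustUnderstand="1"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
      <xenc:EncryptedKey Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="wsse:X509v3">UExBQ0VIT0xERVI=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncryptedContent-1"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" wsu:Id="Id-body-1">
    <xenc:EncryptedData Id="EncryptedContent-1"
        Type="http://www.w3.org/2001/04/xmlenc#Content"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
"""


def _parse_utc(text):
    """Parse a wsu timestamp of the form 2003-02-11T01:34:01Z as an aware UTC datetime."""
    return dt.datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def inspect_envelope(xml_text, now=None):
    """Return a report on the encryption structure of a WS-Security envelope.

    `now` may be an aware datetime or a wsu-style timestamp string; defaults to the real clock.
    """
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    report = {}

    # 1. Timestamp window: the message must be used between Created and Expires
    ts = root.find("soap:Header/wsu:Timestamp", NS)
    created = _parse_utc(ts.find("wsu:Created", NS).text)
    expires = _parse_utc(ts.find("wsu:Expires", NS).text)
    if isinstance(now, str):
        now = _parse_utc(now)
    now = now or dt.datetime.now(dt.timezone.utc)
    report["timestamp_valid"] = created <= now < expires

    # 2. EncryptedKey: key-transport algorithm and the certificate it names
    ek = root.find("soap:Header/wsse:Security/xenc:EncryptedKey", NS)
    if ek is None:
        raise ValueError("no xenc:EncryptedKey in the wsse:Security header")
    report["key_transport_alg"] = ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
    kid = ek.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    report["key_identifier"] = kid.text.strip() if kid is not None else None

    # 3. Every DataReference must resolve to an EncryptedData Id in this message
    refs = [dr.get("URI") for dr in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)]
    enc_data = {ed.get("Id"): ed for ed in root.iter("{%s}EncryptedData" % NS["xenc"])}
    unresolved = [u for u in refs if not (u.startswith("#") and u[1:] in enc_data)]
    report["references"] = refs
    report["unresolved_references"] = unresolved
    report["references_resolved"] = bool(refs) and not unresolved

    # 4. Body content encryption: the body must contain nothing but EncryptedData
    body = root.find("soap:Body", NS)
    enc_tag = "{%s}EncryptedData" % NS["xenc"]
    report["body_encrypted"] = len(body) > 0 and all(child.tag == enc_tag for child in body)
    report["data_algs"] = sorted(
        {ed.find("xenc:EncryptionMethod", NS).get("Algorithm") for ed in enc_data.values()})

    # 5. Flag legacy algorithms so a deployment can decide whether to accept them
    used = set(report["data_algs"]) | {report["key_transport_alg"]}
    report["legacy_algorithms"] = sorted(used & LEGACY_ALGORITHMS)
    return report


if __name__ == "__main__":
    for key, value in inspect_envelope(SAMPLE_ENVELOPE, now="2003-02-11T01:35:00Z").items():
        print("%-22s %s" % (key, value))
```

The inspector deliberately stops short of decrypting anything: it only checks that the key-transport block, the reference list and the body agree with each other, which is the part of the structure that the article's prose describes. A dangling DataReference, a body with plaintext children next to the EncryptedData, or a message used outside its Timestamp window are all reported as failures rather than silently accepted.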

