How to read XML document security values

So lets say I have this xml document

<s:Envelope 
        xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <VsDebuggerCausalityData 
                xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
            </VsDebuggerCausalityData>
            <o:Security s:mustUnderstand="1" 
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
                <e:EncryptedKey Id="_0" 
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                            xmlns="http://www.w3.org/2000/09/xmldsig#" />
                    </e:EncryptionMethod>
                    <KeyInfo 
                        xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <o:SecurityTokenReference>
                            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>ANCElFZ5v....==</e:CipherValue>
                    </e:CipherData>
                    <e:ReferenceList>
                        <e:DataReference URI="#_2" />
                    </e:ReferenceList>
                </e:EncryptedKey>
                <Signature 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </o:Security>
        </s:Header>
        <s:Body u:Id="_1">
            <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <e:CipherData>
                    <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
                </e:CipherData>
            </e:EncryptedData>
        </s:Body>
    </s:Envelope>

Open in new window


What is the encrypted key and cipherText?
I'm thinking the encrypted key is Header > Security > EncryptedKey > CipherData > CipherValue
So it would be ANCElFZ5v....==

I'm thinking the cipherText is  Body > EncryptedData > CipherData > CipherValue
So it would be 3kESnJnhc8K.....

Is that correct?

The reason I'm asking this question is because I want to decrypt a soap message.
I have the following code which I found online.  Currently when I use the code I think its getting the wrong values for the encrypted key and cipher values.  Well its the not getting the values I think it would be.

var doc = new XmlDocument();
doc.PreserveWhitespace = true;
doc.Load(stream);

var encryptedKey = doc.GetElementsByTagName( "e:EncryptedKey" )[0].InnerText;
var cipherText = doc.GetElementsByTagName( "e:CipherValue" )[1].InnerText;
var cipher = Convert.FromBase64String( cipherText );

var clientCert = new X509Certificate2( //PULL IN YOUR CLIENT CERTIFICATE HERE );
var rsa = (RSACryptoServiceProvider)clientCert.PrivateKey;
byte [] key = rsa.Decrypt(Convert.FromBase64String(encryptedKey), false);

SymmetricAlgorithm alg = new TripleDESCryptoServiceProvider();
alg.KeySize = 192;
alg.Mode = CipherMode.CBC;
alg.Padding = PaddingMode.ISO10126;
            
byte[] IV = new byte[8];
Array.Copy(cipher, IV, 8);
MemoryStream ms = new MemoryStream( cipher , IV.Length, cipher.Length-IV.Length);
CryptoStream csDecrypt = new CryptoStream( ms, alg.CreateDecryptor(key, IV ), CryptoStreamMode.Read);
byte [] fromEnc = new byte[cipher.Length];
csDecrypt.Read(fromEnc, 0, fromEnc.Length);

string messageBody = UTF8Encoding.UTF8.GetString(fromEnc);
XmlDocumentFragment bodyElement = doc.CreateDocumentFragment();
bodyElement.InnerXml = messageBody;

var body = (XmlNode)doc.GetElementsByTagName("s:Body")[0];
body.ReplaceChild( bodyElement, body.FirstChild );

doc.DocumentElement.RemoveChild( doc.GetElementsByTagName( "s:Header" )[0] );

Open in new window

LVL 1
HItesh RanaAsked:
Who is Participating?
 
btanExec ConsultantCommented:
There is a DataEncryptionKey  which is used for encrypting the Data. The DEK is in turn encrypted by an KeyEncryptionKey. Both the encryptedKey and encryptedData is send over SOAP.

So in context to your sample shared,

e:EncryptedKey is encrypted DEK (using the KEK which is RSA key pair using OAEP padding (PKCS#1 v2)
  <e:CipherValue>ANCElFZ5v....==</e:CipherValue>

e:CipherData is encrypted Data (using the DEK which is AES key of 128 bit length, using CBC block cipher chainin)
  <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
0
 
HItesh RanaAuthor Commented:
Thanks for clarifying this for me. I appreciate it.  So if I wanted to update the code I would do the following:

var encryptedKey = Get the value from  Header > Security > EncryptedKey > CipherData >    //doc.GetElementsByTagName( "e:EncryptedKey" )[0].InnerText;
var cipherText =   Get the value from Body > EncryptedData > CipherData > CipherValue >  //doc.GetElementsByTagName( "e:CipherValue" )[1].InnerText;

Open in new window


change this
SymmetricAlgorithm alg = new TripleDESCryptoServiceProvider();
alg.KeySize = 192;
alg.Mode = CipherMode.CBC;
alg.Padding = PaddingMode.ISO10126;

Open in new window


to this:
SymmetricAlgorithm alg = new AesCryptoServiceProvider();
alg.KeySize = 128;
alg.Mode = CipherMode.CBC;
alg.Padding = PaddingMode.PKCS7;

Open in new window


Do you see anything else I need to change?
0
 
btanExec ConsultantCommented:
looks alright
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
HItesh RanaAuthor Commented:
I was not sure about the

alg.Padding = PaddingMode.PKCS7;

Open in new window


Since I did not see it in this line
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />

Open in new window

0
 
btanExec ConsultantCommented:
this is the default padding otherwise it is PaddingMode.Zeros
https://www.w3.org/TR/xmlenc-core1/#sec-Padding
0
 
HItesh RanaAuthor Commented:
Got it.   Thanks for all your help.  I really appreciate it.  I will change my code and let you know if I have any other problems.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.