How to read XML document security values

So lets say I have this xml document

<s:Envelope 
        xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <VsDebuggerCausalityData 
                xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
            </VsDebuggerCausalityData>
            <o:Security s:mustUnderstand="1" 
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
                <e:EncryptedKey Id="_0" 
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                            xmlns="http://www.w3.org/2000/09/xmldsig#" />
                    </e:EncryptionMethod>
                    <KeyInfo 
                        xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <o:SecurityTokenReference>
                            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>ANCElFZ5v....==</e:CipherValue>
                    </e:CipherData>
                    <e:ReferenceList>
                        <e:DataReference URI="#_2" />
                    </e:ReferenceList>
                </e:EncryptedKey>
                <Signature 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </o:Security>
        </s:Header>
        <s:Body u:Id="_1">
            <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <e:CipherData>
                    <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
                </e:CipherData>
            </e:EncryptedData>
        </s:Body>
    </s:Envelope>

Open in new window


What is the encrypted key and cipherText?
I'm thinking the encrypted key is Header > Security > EncryptedKey > CipherData > CipherValue
So it would be ANCElFZ5v....==

I'm thinking the cipherText is  Body > EncryptedData > CipherData > CipherValue
So it would be 3kESnJnhc8K.....

Is that correct?

The reason I'm asking this question is because I want to decrypt a soap message.
I have the following code which I found online.  Currently when I use the code I think its getting the wrong values for the encrypted key and cipher values.  Well its the not getting the values I think it would be.

var doc = new XmlDocument();
doc.PreserveWhitespace = true;
doc.Load(stream);

var encryptedKey = doc.GetElementsByTagName( "e:EncryptedKey" )[0].InnerText;
var cipherText = doc.GetElementsByTagName( "e:CipherValue" )[1].InnerText;
var cipher = Convert.FromBase64String( cipherText );

var clientCert = new X509Certificate2( //PULL IN YOUR CLIENT CERTIFICATE HERE );
var rsa = (RSACryptoServiceProvider)clientCert.PrivateKey;
byte [] key = rsa.Decrypt(Convert.FromBase64String(encryptedKey), false);

SymmetricAlgorithm alg = new TripleDESCryptoServiceProvider();
alg.KeySize = 192;
alg.Mode = CipherMode.CBC;
alg.Padding = PaddingMode.ISO10126;
            
byte[] IV = new byte[8];
Array.Copy(cipher, IV, 8);
MemoryStream ms = new MemoryStream( cipher , IV.Length, cipher.Length-IV.Length);
CryptoStream csDecrypt = new CryptoStream( ms, alg.CreateDecryptor(key, IV ), CryptoStreamMode.Read);
byte [] fromEnc = new byte[cipher.Length];
csDecrypt.Read(fromEnc, 0, fromEnc.Length);

string messageBody = UTF8Encoding.UTF8.GetString(fromEnc);
XmlDocumentFragment bodyElement = doc.CreateDocumentFragment();
bodyElement.InnerXml = messageBody;

var body = (XmlNode)doc.GetElementsByTagName("s:Body")[0];
body.ReplaceChild( bodyElement, body.FirstChild );

doc.DocumentElement.RemoveChild( doc.GetElementsByTagName( "s:Header" )[0] );

Open in new window

LVL 1
HItesh RanaAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
There is a DataEncryptionKey  which is used for encrypting the Data. The DEK is in turn encrypted by an KeyEncryptionKey. Both the encryptedKey and encryptedData is send over SOAP.

So in context to your sample shared,

e:EncryptedKey is encrypted DEK (using the KEK which is RSA key pair using OAEP padding (PKCS#1 v2)
  <e:CipherValue>ANCElFZ5v....==</e:CipherValue>

e:CipherData is encrypted Data (using the DEK which is AES key of 128 bit length, using CBC block cipher chainin)
  <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HItesh RanaAuthor Commented:
Thanks for clarifying this for me. I appreciate it.  So if I wanted to update the code I would do the following:

var encryptedKey = Get the value from  Header > Security > EncryptedKey > CipherData >    //doc.GetElementsByTagName( "e:EncryptedKey" )[0].InnerText;
var cipherText =   Get the value from Body > EncryptedData > CipherData > CipherValue >  //doc.GetElementsByTagName( "e:CipherValue" )[1].InnerText;

Open in new window


change this
SymmetricAlgorithm alg = new TripleDESCryptoServiceProvider();
alg.KeySize = 192;
alg.Mode = CipherMode.CBC;
alg.Padding = PaddingMode.ISO10126;

Open in new window


to this:
SymmetricAlgorithm alg = new AesCryptoServiceProvider();
alg.KeySize = 128;
alg.Mode = CipherMode.CBC;
alg.Padding = PaddingMode.PKCS7;

Open in new window


Do you see anything else I need to change?
0
btanExec ConsultantCommented:
looks alright
0
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

HItesh RanaAuthor Commented:
I was not sure about the

alg.Padding = PaddingMode.PKCS7;

Open in new window


Since I did not see it in this line
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />

Open in new window

0
btanExec ConsultantCommented:
this is the default padding otherwise it is PaddingMode.Zeros
https://www.w3.org/TR/xmlenc-core1/#sec-Padding
0
HItesh RanaAuthor Commented:
Got it.   Thanks for all your help.  I really appreciate it.  I will change my code and let you know if I have any other problems.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
C#

From novice to tech pro — start learning today.