asked on

Trying to decrypt soap call with EncryptedXML but getting "Unable to retrieve the decryption key"

I'm using EncryptedXML to decrypt a SOAP message. I'm loading the certificate manually and trying to decrypt the message. But I'm getting the following error:

Unable to retrieve the decryption key.

Open in new window

Here is my code:

stream.Position = 0;
var doc = new XmlDocument();
doc.PreserveWhitespace = true;
doc.Load(stream);

var clientCertEnc = new X509Certificate2(@"C:\certificates\xxxxxt.pfx", "xxxxxx");
var privateKeyRSAA = (RSACryptoServiceProvider)clientCertEnc.PrivateKey;

var exml = new EncryptedXml(doc);
exml.AddKeyNameMapping("KeyIdentifier", privateKeyRSAA);
exml.DecryptDocument();

Open in new window

Here is my xml:

<s:Envelope 
        xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <VsDebuggerCausalityData 
                xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
            </VsDebuggerCausalityData>
            <o:Security s:mustUnderstand="1" 
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
                <e:EncryptedKey Id="_0" 
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                            xmlns="http://www.w3.org/2000/09/xmldsig#" />
                    </e:EncryptionMethod>
                    <KeyInfo 
                        xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <o:SecurityTokenReference>
                            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>ANCElFZ5v....==</e:CipherValue>
                    </e:CipherData>
                    <e:ReferenceList>
                        <e:DataReference URI="#_2" />
                    </e:ReferenceList>
                </e:EncryptedKey>
                <Signature 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </o:Security>
        </s:Header>
        <s:Body u:Id="_1">
            <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <e:CipherData>
                    <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
                </e:CipherData>
            </e:EncryptedData>
        </s:Body>
    </s:Envelope>

Open in new window

I'm not sure what the second parameter for the exml.AddKeyNameMapping should be. But I feel that is where my error is occurring.

Kyle Abrahams, PMP

Try using this to get the private key:

X509Certificate2 cert = new X509Certificate2("filename.pfx", "password", X509KeyStorageFlags.Exportable);
//cert.PrivateKey.ToString();

Open in new window

HItesh Rana

ASKER

Unfortunately I'm getting the same error. I believe the error is not getting the key but this line:

I'm not sure "KeyIdentifier" is the right parameter.

exml.AddKeyNameMapping("KeyIdentifier", privateKeyRSAA);

Open in new window

Kyle Abrahams, PMP

That's just a string that handles the name.

Your issue is here:
var privateKeyRSAA = (RSACryptoServiceProvider)clientCertEnc.PrivateKey;

https://msdn.microsoft.com/en-us/library/system.security.cryptography.xml.encryptedxml.addkeynamemapping(v=vs.110).aspx

The second parameter takes the algorithm variable as the parameter which should then decrypt the XML for you.

HItesh Rana

ASKER

I'm a bit lost. Okay so I currently have this:

X509Certificate2 clientCertEnc = new X509Certificate2(@"C:\certificates\xxxx.pfx", "xxxx", X509KeyStorageFlags.Exportable);
var rsaKey = (RSACryptoServiceProvider)clientCertEnc.PrivateKey;

var exml = new EncryptedXml(doc);
exml.AddKeyNameMapping("KeyIdentifier", rsaKey);
exml.DecryptDocument();

Open in new window

Why is rsaKey wrong?

From the link it says the second parameter is:
The symmetric key to map to keyName

HItesh Rana

ASKER

If you look at the last post you can see they are doing the same thing I am.

https://stackoverflow.com/questions/29849107/telling-dotnet-which-private-key-to-use-to-decrypt-incoming-xml-documents

Kyle Abrahams, PMP

How are you encrypting the XML?

HItesh Rana

ASKER

I'm not the client is encrypting it on their with a public key. I'm trying to decrypt it (the encrypted key) on my end with the private key.

Basically I'm getting these two values from the soap body:
The encrypted key is = Header > Security > EncryptedKey > CipherData > CipherValue. So it would be ANCElFZ5v....==
The body is Body > EncryptedData > CipherData > CipherValue. So it would be 3kESnJnhc8K.....

The first step is to decrypt the encrypted key. Then the second step is to use the decrypted encrypted key to decrypt the soap body.

This is how the soap body looks like:

<s:Envelope 
        xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <VsDebuggerCausalityData 
                xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
            </VsDebuggerCausalityData>
            <o:Security s:mustUnderstand="1" 
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
                <e:EncryptedKey Id="_0" 
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                            xmlns="http://www.w3.org/2000/09/xmldsig#" />
                    </e:EncryptionMethod>
                    <KeyInfo 
                        xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <o:SecurityTokenReference>
                            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>ANCElFZ5v....==</e:CipherValue>
                    </e:CipherData>
                    <e:ReferenceList>
                        <e:DataReference URI="#_2" />
                    </e:ReferenceList>
                </e:EncryptedKey>
                <Signature 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </o:Security>
        </s:Header>
        <s:Body u:Id="_1">
            <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <e:CipherData>
                    <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
                </e:CipherData>
            </e:EncryptedData>
        </s:Body>
    </s:Envelope>

Open in new window

Kyle Abrahams, PMP

see if this helps you:
https://gist.github.com/yaronn/6765830

They are encrypting it with a public key for which you have the private key . . . correct?

HItesh Rana

ASKER

Thank you for the article. I seen several articles by Yaronn. I did what he suggested.

This post talks about it:
https://www.experts-exchange.com/questions/29094171/Decrypt-encrypted-key-from-SOAP-message.html

Kyle Abrahams, PMP

Going to be jumping over on that message and requesting to delete this one.

This question needs an answer!

Become an EE member today

7 DAY FREE TRIAL

Members can start a 7-Day Free trial then enjoy unlimited access to the platform.

View membership options

Learn why we charge membership fees

We get it - no one likes a content blocker. Take one extra minute and find out why we block content.

Trying to decrypt soap call with EncryptedXML but getting &quot;Unable to retrieve the decryption key&quot;

Trying to decrypt soap call with EncryptedXML but getting "Unable to retrieve the decryption key"