HItesh Rana
asked on
Trying to decrypt soap call with EncryptedXML but getting "Unable to retrieve the decryption key"
I'm using EncryptedXML to decrypt a SOAP message. I'm loading the certificate manually and trying to decrypt the message. But I'm getting the following error:
Unable to retrieve the decryption key.
Here is my code:
stream.Position = 0;
var doc = new XmlDocument();
doc.PreserveWhitespace = true;
doc.Load(stream);
var clientCertEnc = new X509Certificate2(@"C:\certificates\xxxxxt.pfx", "xxxxxx");
var privateKeyRSAA = (RSACryptoServiceProvider)clientCertEnc.PrivateKey;
var exml = new EncryptedXml(doc);
exml.AddKeyNameMapping("KeyIdentifier", privateKeyRSAA);
exml.DecryptDocument();
Here is my xml:
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<VsDebuggerCausalityData
xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
<e:EncryptedKey Id="_0"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns="http://www.w3.org/2000/09/xmldsig#" />
</e:EncryptionMethod>
<KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ANCElFZ5v....==</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
</e:ReferenceList>
</e:EncryptedKey>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<e:CipherData>
<e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
I'm not sure what the second parameter for the exml.AddKeyNameMapping should be. But I feel that is where my error is occurring.
ASKER
Unfortunately I'm getting the same error. I believe the error is not getting the key but this line:
exml.AddKeyNameMapping("KeyIdentifier", privateKeyRSAA);
I'm not sure "KeyIdentifier" is the right parameter.
That's just a string that handles the name.
Your issue is here:
var privateKeyRSAA = (RSACryptoServiceProvider)clientCertEnc.PrivateKey;
https://msdn.microsoft.com/en-us/library/system.security.cryptography.xml.encryptedxml.addkeynamemapping(v=vs.110).aspx
The second parameter takes the algorithm variable as the parameter which should then decrypt the XML for you.
ASKER
I'm a bit lost. Okay so I currently have this:
X509Certificate2 clientCertEnc = new X509Certificate2(@"C:\certificates\xxxx.pfx", "xxxx", X509KeyStorageFlags.Exportable);
var rsaKey = (RSACryptoServiceProvider)clientCertEnc.PrivateKey;
var exml = new EncryptedXml(doc);
exml.AddKeyNameMapping("KeyIdentifier", rsaKey);
exml.DecryptDocument();
Why is rsaKey wrong?
From the link it says the second parameter is:
The symmetric key to map to keyName
ASKER
If you look at the last post you can see they are doing the same thing I am.
https://stackoverflow.com/questions/29849107/telling-dotnet-which-private-key-to-use-to-decrypt-incoming-xml-documents
How are you encrypting the XML?
ASKER
I'm not; the client is encrypting it on their end with a public key. I'm trying to decrypt it (the encrypted key) on my end with the private key.
Basically I'm getting these two values from the soap body:
The encrypted key is = Header > Security > EncryptedKey > CipherData > CipherValue. So it would be ANCElFZ5v....==
The body is Body > EncryptedData > CipherData > CipherValue. So it would be 3kESnJnhc8K.....
The first step is to decrypt the encrypted key. Then the second step is to use the decrypted encrypted key to decrypt the soap body.
This is how the soap body looks like:
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<VsDebuggerCausalityData
xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
<e:EncryptedKey Id="_0"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns="http://www.w3.org/2000/09/xmldsig#" />
</e:EncryptionMethod>
<KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ANCElFZ5v....==</e:CipherValue>
</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2" />
</e:ReferenceList>
</e:EncryptedKey>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<e:CipherData>
<e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
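The two-step procedure described above (unwrap the session key from Header > Security > EncryptedKey with the private key, then decrypt Body > EncryptedData with it), written out as an added C# example; this is not code from the thread. AddKeyNameMapping only applies when the EncryptedKey's KeyInfo carries a KeyName element; this message uses a WS-Security SecurityTokenReference, which EncryptedXml does not resolve, so the key is unwrapped explicitly. The class and method names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper name; doc is the envelope loaded with PreserveWhitespace = true,
// cert is the PFX that holds the private key matching the KeyIdentifier in the header.
static class WsSecurityDecryptor
{
    const string Enc = "http://www.w3.org/2001/04/xmlenc#";

    public static void DecryptBody(XmlDocument doc, X509Certificate2 cert)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("e", Enc);

        // 1. Locate the EncryptedKey in the header and the EncryptedData it references.
        var ekElement = (XmlElement)doc.SelectSingleNode("//e:EncryptedKey", ns)
            ?? throw new CryptographicException("No EncryptedKey in header");
        var ek = new EncryptedKey();
        ek.LoadXml(ekElement);

        // Pin the expected algorithms instead of trusting whatever the message declares.
        if (ek.EncryptionMethod?.KeyAlgorithm != EncryptedXml.XmlEncRSAOAEPUrl)
            throw new CryptographicException("Unexpected key transport algorithm");
        if (ek.ReferenceList.Count != 1)
            throw new CryptographicException("Expected exactly one DataReference");
        string dataId = ek.ReferenceList.Item(0).Uri.TrimStart('#');   // "_2" in the sample message
        var edElement = (XmlElement)doc.SelectSingleNode($"//e:EncryptedData[@Id='{dataId}']", ns)
            ?? throw new CryptographicException("Referenced EncryptedData not found");
        var ed = new EncryptedData();
        ed.LoadXml(edElement);
        if (ed.EncryptionMethod?.KeyAlgorithm != EncryptedXml.XmlEncAES128Url)
            throw new CryptographicException("Unexpected data encryption algorithm");

        // 2. Unwrap the AES session key with the private key (RSA-OAEP with SHA-1/MGF1, as declared).
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new CryptographicException("Certificate has no RSA private key");
        byte[] sessionKey = EncryptedXml.DecryptKey(ek.CipherData.CipherValue, rsa, useOAEP: true);

        // 3. Decrypt the body content (IV is the prefix of CipherValue) and replace it in place.
        using var aes = Aes.Create();
        aes.Key = sessionKey;
        var exml = new EncryptedXml(doc);
        byte[] plaintext = exml.DecryptData(ed, aes);
        exml.ReplaceData(edElement, plaintext);
        Array.Clear(sessionKey, 0, sessionKey.Length);
    }
}
```

The header also carries a Signature over the Body (Reference URI="#_1"); verify it with SignedXml before acting on the decrypted content, since this helper only decrypts.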
see if this helps you:
https://gist.github.com/yaronn/6765830
They are encrypting it with a public key for which you have the private key . . . correct?
ASKER
Thank you for the article. I've seen several articles by Yaronn. I did what he suggested.
This post talks about it:
https://www.experts-exchange.com/questions/29094171/Decrypt-encrypted-key-from-SOAP-message.html
Going to be jumping over on that message and requesting to delete this one.