Securing Web Services with X.509 Certificates - Encrypting the Body with a Certificate (Page 3 of 4)
Now you're going to use a certificate to encrypt the data sent in the body of the message. The client encrypts with the server's public certificate, which you installed under Current User\Other People; on the service side, WSE 2.0 decrypts with the private key of the matching certificate under Local Machine\Personal. Only the server holds that private key, so only the server can read the body.
You'll continue working in SecureInvoiceB.sln for this step.
- Open InvoiceManagerForm.vb in the SecureInvoiceClient project.
- Return to the ConfigureProxy method in InvoiceManagerForm.vb. You're going to add code to this method to encrypt the body of the message. The first thing you need to do is call GetX509Token to retrieve the server token from the Current User\Other People certificate store, as illustrated here:

```vb
...
' Retrieve client certificate for signing
Dim clientToken As X509SecurityToken = GetX509Token( _
    "gBfo0147lM6cKnTbbMSuMVvmFY4=", X509CertificateStore.MyStore)
' Retrieve server certificate (public key only) for encryption
Dim serverToken As X509SecurityToken = GetX509Token( _
    "bBwPfItvKp3b6TNDq+14qs58VJQ=", X509CertificateStore.OtherPeople)
...
```
- Then, towards the end of the method, instantiate an EncryptedData object based on the serverToken you retrieved from the certificate store and add it to the proxy's RequestSoapContext.Security.Elements collection, as illustrated here:

```vb
...
' ConfigureProxy
' Retrieve client certificate for signing
Dim clientToken As X509SecurityToken = GetX509Token( _
    "gBfo0147lM6cKnTbbMSuMVvmFY4=", X509CertificateStore.MyStore)
' Retrieve server certificate (public key only) for encryption
Dim serverToken As X509SecurityToken = GetX509Token( _
    "bBwPfItvKp3b6TNDq+14qs58VJQ=", _
    X509CertificateStore.OtherPeople)

' Add UsernameToken for authentication purposes
proxy.RequestSoapContext.Security.Tokens.Add(login.Token)

' Must add client token to message for signature processing
proxy.RequestSoapContext.Security.Tokens.Add(clientToken)
proxy.RequestSoapContext.Security.Elements.Add( _
    New MessageSignature(clientToken))

' Encrypt the body for the server's public key
' (serverToken is not added to Tokens: the message only carries its key identifier)
proxy.RequestSoapContext.Security.Elements.Add( _
    New EncryptedData(serverToken))
...
```
- When the Web service receives the encrypted message, it needs to know which certificate store to look for the certificate in; by default WSE 2.0 searches the current user's store. Open web.config in the SecureInvoiceB project and add a storeLocation="LocalMachine" attribute to the x509 element in configuration/microsoft.web.services2/security. Leave allowTestRoot="true" only because the lab certificates chain to the WSE test root; in a real deployment it must be false, otherwise certificates issued under that untrusted root are accepted.

```xml
...
<microsoft.web.services2>
  <diagnostics>
    <trace enabled="true" input="InputTrace.webinfo" output="OutputTrace.webinfo" />
  </diagnostics>
  <security>
    ...
    <x509 storeLocation="LocalMachine" allowTestRoot="true" />
  </security>
</microsoft.web.services2>
...
```
- Open WseSecurityHelpers.vb in the SecureInvoiceServiceB project and uncomment the call to CheckForEncryption in the GetUsernameToken method. This makes the service once again reject requests whose body is not encrypted.
- Before you can run the application, you have to give the ASPNET account (the identity the ASP.NET worker process runs under on Windows XP / IIS 5.1; on IIS 6 the default application pool identity is NETWORK SERVICE) read access to the private key of the server certificate. Otherwise the service cannot read the key during decryption. Read is all it needs; do not grant Full Control.
- Press Start | Run, and enter WseCertificate2.exe to launch the WSE X.509 Certificate Tool.
- Change the Certificate Location to Local Computer and Store Name to Personal and press the Open Certificate button.
- Select the WSE2QuickStartServer certificate and press OK. Then, press the View Private Key File Properties… button.
- Navigate to the Security tab and use the Add… button to give the local machine's ASPNET account Read access to the private key file.
Note: If the Security tab is not present, click Start | Control Panel | Folder Options. In the View tab, clear the Use Simple File Sharing (Recommended) option at the bottom of the Advanced Settings list and click Apply, then OK. Then click Cancel and repeat from the step that launches WseCertificate2.exe.
- In the Enter the object names to select box, type ASPNET and click Check Names.
- Click OK to close the dialog.
- Click Apply.
- Click OK.
- Close the WSE X.509 Certificate Tool.
- Return to Visual Studio .NET 2003.
- Build the solution and run the client application. Verify that everything works.
- Close the Invoice Manager application.
- Refresh and view OutputTrace.webinfo in Visual Studio .NET 2003.
Notice that the body of the SOAP message is now encrypted and can no longer be read in the trace: the only child of soap:Body is an xenc:EncryptedData element whose EncryptionMethod is AES-128-CBC. The AES key is not the certificate's key. WSE 2.0 generates a fresh symmetric session key for the message, encrypts that key with the server certificate's public key, and carries it in the wsse:Security header as an xenc:EncryptedKey that references the encrypted body by Id; the server's private key decrypts the session key, and the session key decrypts the body. The body should look something like this:

```xml
<soap:Body wsu:Id="Id-79aed0a2-5188-424f-8a2b-db57a98b29f0">
  <xenc:EncryptedData Id="EncryptedContent-1c657bca-d574-474f-b84b-1e42cb109943"
      Type="http://www.w3.org/2001/04/xmlenc#Content"
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <xenc:CipherData>
      <xenc:CipherValue>r6Ef04DoBQzxjWdd8MIioIxKSzn2cJNU0qXVn5DgDS8GD6GGAT7w42k757udPXHSRFRhsE4qZspxD6LKwhJD/A==</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soap:Body>
```
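The CheckForEncryption call you re-enabled in WseSecurityHelpers.vb is what stops a client from simply omitting the EncryptedData element and sending the invoice data in the clear. WSE 2.0 performs that check inside its own pipeline; the following stand-alone Python program is an added example, not code from the lab or from WSE, that makes the conditions such a gate has to establish explicit: the body must consist of exactly one xenc:EncryptedData of Type #Content (so no plaintext element rides alongside the ciphertext), the content cipher must be on an allowlist, an xenc:EncryptedKey in wsse:Security must reference that body and be wrapped for the server certificate's SubjectKeyIdentifier, and the key transport must be RSA-OAEP rather than RSA PKCS#1 v1.5. The Body is the trace from this page with its extraction damage repaired; the Security header, its placeholder CipherValue, the GetInvoices plaintext request and the two algorithm allowlists are constructed for the example, and the WS-Security 1.0 namespace URIs are assumed.

```python
"""Policy gate for an encrypted WS-Security body (added example, see lead-in)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SKI_TYPE = ("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
            "#X509SubjectKeyIdentifier")
SERVER_SKI = "bBwPfItvKp3b6TNDq+14qs58VJQ="  # server key identifier used in ConfigureProxy
# Allowlists are a policy choice for this example, not WSE 2.0 defaults.
ALLOWED_DATA_ALGS = {NS["xenc"] + "aes128-cbc", NS["xenc"] + "aes256-cbc"}
ALLOWED_KEY_ALGS = {NS["xenc"] + "rsa-oaep-mgf1p"}  # rsa-1_5 left out: padding-oracle risk


class EncryptionRequired(Exception):
    """The request does not satisfy the service's encryption policy."""


def check_for_encryption(envelope_xml, server_ski=SERVER_SKI):
    """Return details of the encrypted body, or raise EncryptionRequired."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    if body is None:
        raise EncryptionRequired("no soap:Body")
    children = list(body)
    # Exactly one child, and it must be EncryptedData: no plaintext next to ciphertext.
    if len(children) != 1 or children[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        raise EncryptionRequired("body is not entirely encrypted")
    enc = children[0]
    if enc.get("Type") != NS["xenc"] + "Content":
        raise EncryptionRequired("EncryptedData Type must be xmlenc#Content")
    method = enc.find("xenc:EncryptionMethod", NS)
    data_alg = method.get("Algorithm") if method is not None else None
    if data_alg not in ALLOWED_DATA_ALGS:
        raise EncryptionRequired("content cipher not allowed: %r" % data_alg)
    enc_id = enc.get("Id")
    if not enc_id:
        raise EncryptionRequired("EncryptedData has no Id for the EncryptedKey to reference")
    # The session key must reference this body and be wrapped for *our* certificate.
    for key in root.iterfind("soap:Header/wsse:Security/xenc:EncryptedKey", NS):
        refs = {r.get("URI") for r in key.iterfind("xenc:ReferenceList/xenc:DataReference", NS)}
        if "#" + enc_id not in refs:
            continue
        kmethod = key.find("xenc:EncryptionMethod", NS)
        key_alg = kmethod.get("Algorithm") if kmethod is not None else None
        if key_alg not in ALLOWED_KEY_ALGS:
            raise EncryptionRequired("key transport not allowed: %r" % key_alg)
        ski = key.findtext("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier",
                           default="", namespaces=NS).strip()
        if ski != server_ski:
            raise EncryptionRequired("session key is not wrapped for the server certificate")
        return {"encrypted_id": enc_id, "data_algorithm": data_alg, "key_algorithm": key_alg}
    raise EncryptionRequired("no EncryptedKey references the encrypted body")


def rejects(envelope_xml):
    """True if the policy gate refuses the envelope."""
    try:
        check_for_encryption(envelope_xml)
    except EncryptionRequired:
        return True
    return False


ENC_ID = "EncryptedContent-1c657bca-d574-474f-b84b-1e42cb109943"


def sample_envelope(encrypt_body=True, key_alg=NS["xenc"] + "rsa-oaep-mgf1p", ski=SERVER_SKI):
    """Constructed envelope: the page's Body trace plus an illustrative Security header."""
    if encrypt_body:
        body = (
            '<xenc:EncryptedData Id="%s" Type="http://www.w3.org/2001/04/xmlenc#Content">'
            '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
            '<xenc:CipherData><xenc:CipherValue>r6Ef04DoBQzxjWdd8MIioIxKSzn2cJNU0qXVn5DgDS8GD'
            '6GGAT7w42k757udPXHSRFRhsE4qZspxD6LKwhJD/A==</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>' % ENC_ID
        )
    else:
        body = '<GetInvoices xmlns="urn:example:invoices"/>'  # constructed plaintext request
    return (
        '<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"'
        ' xmlns:xenc="{xenc}" xmlns:ds="{ds}"><soap:Header><wsse:Security>'
        '<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{key_alg}"/>'
        '<ds:KeyInfo><wsse:SecurityTokenReference>'
        '<wsse:KeyIdentifier ValueType="{ski_type}">{ski}</wsse:KeyIdentifier>'
        '</wsse:SecurityTokenReference></ds:KeyInfo>'
        '<xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>'
        '<xenc:ReferenceList><xenc:DataReference URI="#{enc_id}"/></xenc:ReferenceList>'
        '</xenc:EncryptedKey></wsse:Security></soap:Header>'
        '<soap:Body wsu:Id="Id-79aed0a2-5188-424f-8a2b-db57a98b29f0">{body}</soap:Body>'
        '</soap:Envelope>'
    ).format(body=body, key_alg=key_alg, ski=ski, ski_type=SKI_TYPE, enc_id=ENC_ID, **NS)


if __name__ == "__main__":
    print(check_for_encryption(sample_envelope()))
    print("plaintext body rejected:", rejects(sample_envelope(encrypt_body=False)))
    print("rsa-1_5 rejected:", rejects(sample_envelope(key_alg=NS["xenc"] + "rsa-1_5")))
```

Before adopting an allowlist like ALLOWED_KEY_ALGS against real traffic, look at the EncryptedKey element in your own InputTrace.webinfo to see which key-transport algorithm WSE 2.0 actually emits; the sets above are the policy the example enforces, not a description of WSE's defaults. The check also deliberately does not decrypt anything: the gate runs before the private key is touched, so a malformed or mis-addressed message is refused without ever exercising the decryption path.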
Next: Encrypting a UsernameToken with a Certificate