| Groups | Blog | Home |
dotnet web services enhancements : WSE 3.0 custom signature
I'm trying to create the following scenario: 1. Internet Explorer client initiates a command to presentation server. 2. presentation server calls a web service. 3. web service is configured with a policy which requires x509 signature - returns an exception along with the digest value needed to be signed. 4. Internet Explorer receives the 'signature request' and signs it using a smart card and CAPICOM. client automatically retries the same command and sends the same button click to presentation server. 5. presentation server calls the web service and this time the custom client policy assertion detects the browser signed the message and builds the ws-security elements. 6. service accepts the request and everyone are happy. Right now I'm a bit stuck in stage 5. I'm able to load the client certificate from the browser and construct an X590SecurityToken, from that I create a MessageSignature and try to manually create the reference to the soap body and insert the SignatureValue to what the client signed in CAPICOM. the problem is that when I finish it's still trying to sign the message using the x509 security token and naturally throws an exception about only having the public key and not the private. Any idea how I override that process and just insert the signature by myself? I don't mind veryfying it by myself in the server side using another custom policy assertion. Thanks! Avner Peled avnerus@gmail.com
Thanks for your reply!
I'm actually already using a custom policy assertion...maybe it wasn't understood but I did write in stage 5 "custom client policy assertion" :) I've made some advancement today. My problem was that inside my ClientOutputFilter I was creating a message signature with an X509SecurityToken which I generated from the base64 certificate I got from the browser client. but turns out that X509SecurityToken has a "Key" property which is an RSAOEP KeyAlgorithm which has a SignatureFormatter which uses a locally stored private key to sign the stream. So now I've replaced all of those! in my custom SignatureFormatter I override Sign() and instead of signing I return the stream to the client so it will sign using javascript, try again and then in the Sign() retry I will return what the client signed. I will continue this tomorrow... [quoted text, click to view] Pablo Cibraro [MVP] wrote:
> Hi Avner, > > In order to create a custom signature, you have to develop a custom > SecurityAssertion (You can create a SecurityAssertion deriving your class > from one of the existing assertions like UsernameForCertificate or > MutualCertificate11Assertion or the base class SecurityAssertion). > A security assertion creates 4 filters: > > a.. ClientOutputFilter: for outgoing messages on the client > a.. ClientInputFilter: for incoming messages on the client > a.. ServiceOutputFilter: for outgoing messages on the service > a.. ServiceInputFilter: for incoming messages on the service > > For more details, take a look to this article, > http://msdn.microsoft.com/msdnmag/issues/06/02/WSE30/default.aspx > > You will have to create a custom ClientOutput filter to add the custom > message signature, and a custom ServiceInput filter to validate it. > > Regards, > Pablo Cibraro. > > > > <avnerus@gmail.com> wrote in message > news:1162155881.112637.292260@i42g2000cwa.googlegroups.com... > > Hello! > > I'm trying to create the following scenario: > > > > 1. Internet Explorer client initiates a command to presentation server. > > 2. presentation server calls a web service. > > 3. web service is configured with a policy which requires x509 > > signature - returns an exception along with the digest value needed to > > be signed. > > 4. Internet Explorer receives the 'signature request' and signs it > > using a smart card and CAPICOM. client automatically retries the same > > command and sends the same button click to presentation server. > > 5. presentation server calls the web service and this time the custom > > client policy assertion detects the browser signed the message and > > builds the ws-security elements. > > 6. service accepts the request and everyone are happy. > > > > Right now I'm a bit stuck in stage 5. > > I'm able to load the client certificate from the browser and construct > > an X590SecurityToken, > > from that I create a MessageSignature and try to manually create the > > reference to the soap body and insert the SignatureValue to what the > > client signed in CAPICOM. the problem is that when I finish it's still > > trying to sign the message using the x509 security token and naturally > > throws an exception about only having the public key and not the > > private. > > Any idea how I override that process and just insert the signature by > > myself? I don't mind veryfying it by myself in the server side using > > another custom policy assertion. > > > > Thanks! > > > > Avner Peled > > avnerus@gmail.com > >
Hi Avner,
In order to create a custom signature, you have to develop a custom SecurityAssertion (You can create a SecurityAssertion deriving your class from one of the existing assertions like UsernameForCertificate or MutualCertificate11Assertion or the base class SecurityAssertion). A security assertion creates 4 filters: a.. ClientOutputFilter: for outgoing messages on the client a.. ClientInputFilter: for incoming messages on the client a.. ServiceOutputFilter: for outgoing messages on the service a.. ServiceInputFilter: for incoming messages on the service For more details, take a look to this article, http://msdn.microsoft.com/msdnmag/issues/06/02/WSE30/default.aspx You will have to create a custom ClientOutput filter to add the custom message signature, and a custom ServiceInput filter to validate it. Regards, Pablo Cibraro. [quoted text, click to view] <avnerus@gmail.com> wrote in message news:1162155881.112637.292260@i42g2000cwa.googlegroups.com... > Hello! > I'm trying to create the following scenario: > > 1. Internet Explorer client initiates a command to presentation server. > 2. presentation server calls a web service. > 3. web service is configured with a policy which requires x509 > signature - returns an exception along with the digest value needed to > be signed. > 4. Internet Explorer receives the 'signature request' and signs it > using a smart card and CAPICOM. client automatically retries the same > command and sends the same button click to presentation server. > 5. presentation server calls the web service and this time the custom > client policy assertion detects the browser signed the message and > builds the ws-security elements. > 6. service accepts the request and everyone are happy. > > Right now I'm a bit stuck in stage 5. > I'm able to load the client certificate from the browser and construct > an X590SecurityToken, > from that I create a MessageSignature and try to manually create the > reference to the soap body and insert the SignatureValue to what the > client signed in CAPICOM. the problem is that when I finish it's still > trying to sign the message using the x509 security token and naturally > throws an exception about only having the public key and not the > private. > Any idea how I override that process and just insert the signature by > myself? I don't mind veryfying it by myself in the server side using > another custom policy assertion. > > Thanks! > > Avner Peled > avnerus@gmail.com >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |