WSE600: Unable to unwrap a symmetric key using the private key of

Can someone help with the following problem? I am sending an encrypted SOAP
message to a .NET 2.0 + WSE 3.0 web service. When .NET attempts to decrypt
the message it cannot read the private key of the X509 token it requires (or
so it says). I have followed the instructions in the error message and given
the userid full access to the certificate. I have also tried running .NET
under my administrator's userid, which was used to create the self-signed
certificate using makecert, and it still says it can't access it.

So, my belief is that the error message is misleading. I've googled on it
and tried every suggestion I can see. I've re-installed .NET and WSE 3 on
another machine and still get the same problem. I've rebuilt the apps, given
access to all directories above the private key, tried several different
combinations of makecert options and still can't crack it.

I need to understand what I can do to debug the error. Is there an internal
trace I can switch on?

Here is the stack trace I get back in my requesting application:

System.Web.Services.Protocols.SoapException: Server was unable to process
request. ---> System.Security.Cryptography.CryptographicException: WSE600:
Unable to unwrap a symmetric key using the private key of an X.509
certificate. Please check if the account 'TEST\admin' has permissions to read
the private key of certificate with subject name 'CN=MSFT9' and thumbprint
'BAF779D423F509BC5CD55E9AF0475AC8468521C9'. --->
System.Security.Cryptography.CryptographicException: WSE593: Unable to
decrypt the key. Please check if the process has the right permission to
access the private key. --->
System.Security.Cryptography.CryptographicException: Bad Key.
   at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.Utils._DecryptKey(SafeKeyHandle hPubKey, Byte[] key, Int32 dwFlags)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
   at Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
   --- End of inner exception stack trace ---
   at Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
   at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
   --- End of inner exception stack trace ---
   at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
   at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services3.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Security.Wse2PipelinePolicy.LegacyFilterWrapper.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope)
   at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
   at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
   at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
   --- End of inner exception stack trace ---

I am using Windows XP with IIS 5.1, .NET 2 and WSE 3.0.

Thanks, Dan
 
Hi Dan,

As for the WSE private key accessing issue, based on the error message, it
does seem likely that the user account doesn't have sufficient permission to
access the private key.

For the WSE 3.0 service application (client and server), are you using the
Visual Studio 2005 add-in wizard to create the security policy (sign and
encrypt the SOAP messages)?

Also, for modifying the certificate private key permission, are you using
the wsecertificate3.exe utility? For testing, you can manually use some
.NET code to load the certificate and try viewing the certificate private key
info to see whether it reports an error, e.g.

=======================
using System;
using System.Security.Cryptography.X509Certificates;

// Open the machine-wide Personal store read-only; the service account
// needs read access to the key container, not just to the store.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

// Look the certificate up by subject name (no validity check, so an
// expired or untrusted test certificate is still returned).
X509Certificate2Collection certs =
    store.Certificates.Find(X509FindType.FindBySubjectName,
    "WSE2QuickStartServer", false);

if (certs.Count > 0)
{
    // Reading PrivateKey is what opens the key container; an access
    // problem throws a CryptographicException here.
    Console.WriteLine(certs[0].PrivateKey.ToXmlString(true));
}
store.Close();
======================

If the above code can correctly access the private key info, we may have to
look for something else within the service or host environment.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Steven,

Thanks for responding so quickly. I tried your suggestion below. At first,
I was unable to print out the private key, but I realised that was because I
had it marked as not exportable, so I generated a new one and could print it.

I used the following makecert command to do this (the -pe switch, which marks
the key exportable, takes no argument, so it sits before -n and its name):

makecert -pe -n "CN=MSFTC" -ss TrustedPeople -sr localmachine -r -sky
exchange -e 01/01/2010 -b 01/01/2006 c:\msftc.cer

I thought that, to make the test as realistic as possible, I would do it in a
.NET web service, so I constructed a simple web service that returns a string
and got it to return the private key. Again this was successful.


I then tried my client application using the newly generated key and the
secure .NET service still returns the same error:

System.Security.Cryptography.CryptographicException: WSE600: Unable to unwrap
a symmetric key using the private key of an X.509 certificate. Please check
if the account 'MACHINE\admin' has permissions to read the private key of
certificate with subject name 'CN=MSFTC' and thumbprint
'908DD2C1CD1105D88D03FE27470136670F8C19B8'.


In answer to your other questions below, yes I did use the Visual Studio
2005 plugin to generate the service. I then tweaked the wse config to get it
how I wanted it.

Here is the config file:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="mutualCertificate10Security"
      type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion,
      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
      type="Microsoft.Web.Services3.Design.X509TokenProvider,
      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="AppPolicy">
    <mutualCertificate10Security establishSecurityContext="false"
      renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
      messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false"
      ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="TrustedPeople"
          findValue="CN=MSFTC" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
      </protection>
    </mutualCertificate10Security>
  </policy>
</policies>


For modifying the file permissions I am using WseCertificate3.exe.

Thanks, Dan



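The following C# console program is an added diagnostic, not code from the thread or from WSE. It extends Steven's store check to the exact operation that fails in the trace: it locates the certificate named in Dan's policy (LocalMachine, TrustedPeople, CN=MSFTC, all taken from the config above and to be changed to match), reports the account and CSP key container in use, then wraps a random symmetric key with the public key and unwraps it with the private key using RSA PKCS#1 v1.5, which is what the RSA15 key exchange formatter does.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
// Added example, not from the thread. Store and subject are taken from Dan's policy file.
class WseKeyUnwrapCheck
{
    static void Main()
    {
        // The WSE600 text names the account; the key container is opened under this identity.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certs = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, "CN=MSFTC", false);
        store.Close();
        if (certs.Count == 0) { Console.WriteLine("Certificate not found"); return; }
        X509Certificate2 cert = certs[0];
        Console.WriteLine("Thumbprint:    " + cert.Thumbprint);
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        // Reading PrivateKey opens the CSP key container; an ACL problem surfaces here (WSE593).
        RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("Container:     " + info.UniqueKeyContainerName);
        Console.WriteLine("MachineKey:    " + info.MachineKeyStore);
        // Decryption needs an exchange key; a signature-only key (makecert -sky signature)
        // fails with "Bad Key" in the Microsoft CSPs.
        Console.WriteLine("KeyNumber:     " + info.KeyNumber);
        // Reproduce the RSA15 key transport: PKCS#1 v1.5 wrap with the public key,
        // unwrap with the private key, then compare.
        byte[] sessionKey = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(sessionKey);
        RSAPKCS1KeyExchangeFormatter wrap = new RSAPKCS1KeyExchangeFormatter(cert.PublicKey.Key);
        byte[] wrapped = wrap.CreateKeyExchange(sessionKey);
        try
        {
            RSAPKCS1KeyExchangeDeformatter unwrap = new RSAPKCS1KeyExchangeDeformatter(rsa);
            byte[] recovered = unwrap.DecryptKeyExchange(wrapped);
            bool ok = Convert.ToBase64String(recovered) == Convert.ToBase64String(sessionKey);
            Console.WriteLine("Unwrap round trip: " + (ok ? "OK" : "MISMATCH"));
        }
        catch (CryptographicException ex)
        {
            // Failing here, outside IIS, means the key itself is the problem; succeeding here
            // while the service still throws WSE600 points at the service account or store.
            Console.WriteLine("Unwrap failed: " + ex.Message);
        }
    }
}
```

Run it once under your own account and once under the account the worker process uses (the one quoted in the WSE600 message), since the key container ACL is evaluated per identity.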
 
Thanks for your reply, Dan,

So the problem is not quite specific to access permission, since access to
the private key in non-web-service code works correctly. As you mentioned
that the certificate is generated through makecert.exe, have you turned
on the "AllowTestRoot" setting for your WSE web service?

=============
<microsoft.web.services3>
  <security>
    <!-- accept certificates whose chain ends in an untrusted (test) root -->
    <x509 allowTestRoot="true" />
  </security>
</microsoft.web.services3>
===============

This is required when you use a test certificate that doesn't have a trusted
root.

BTW, if possible, I suggest you use a Windows server (which has certificate
services installed); you can simulate a real-world certificate (and trusted
CA) scenario in this way.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
Hi Steven,

I do have allowTestRoot set, as well as several other options. Here is the
extract from my configuration:

<microsoft.web.services3>
  <policy fileName="wse3policyCache.config"/>
  <security>
    <x509 verifyTrust="true" allowTestRoot="true" revocationMode="Offline"
      verificationMode="TrustedPeopleOrChain" storeLocation="LocalMachine"/>
    <binarySecurityTokenManager>
      <add
        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <keyAlgorithm name="RSA15"/>
      </add>
    </binarySecurityTokenManager>
  </security>
  <diagnostics>
    <trace enabled="true" input="c:\InputTrace.webinfo"
      output="c:\OutputTrace.webinfo"/>
    <detailedErrors enabled="true"/>
  </diagnostics>
</microsoft.web.services3>


Is there any way to turn on internal trace in .NET and WSE 3, to see why the
problem is occurring?

I will investigate the windows server option that you mentioned.

Thanks, Dan
 
Hi Dan,

Have you got any further progress on this? Do the certificates issued by
the Windows certificate service work for your scenario? For WSE 3.0, so far
there is no other internal trace that can track the certificate
negotiation or processing. All the trace available is only the input/output
trace for SOAP messaging or processing.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
Hi Dan,

Have you got any further progress on this issue? If there is still anything
we can help, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
Hi Steven,

I haven't made any progress. I did a clean install of Windows 2000 and tried
from that to see if I got a different result to Windows XP, but the problem is
the same. For the time being, I have decided not to pursue this any further
as it is taking too much time. I don't have access to a Windows 2003 server
so have not tried that approach.

Thanks for your help,
Dan
 
Thanks for your followup Dan,

I'm sorry to hear that the problem still remains. Anyway, if you continue
to work on this issue later and need any help, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 