WSE600: Unable to unwrap a symmetric key using the private key of

RE: WSE600: Unable to unwrap a symmetric key using the private key of

Hi Dan,

As for the WSE private key accessing issue, based on the error message, it
does be likely that the user account doesn't have sufficient permission to
access the private key.

For the WSE 3.0 service application(cli ent and server), are you using the
Visual Studio 2005's add-in wizard to create the security policy(sign and
encrypt the soap messages)?

Also, for modifying the certificate private key permission, are you using
the wsecertificate3 .exe utility? For testing, you can manually use some
..net code to load the certificate and try viewing certificate privatekey
info to see whether it report error. e.g.

=============== ========
X509Store store = new X509Store(Store Name.My,StoreLo cation.LocalMac hine);
store.Open(Open Flags.ReadOnly) ;

X509Certificate 2Collection certs =
store.Certifica tes.Find(X509Fi ndType.FindBySu bjectName,
"WSE2QuickStart Server", false);

if (certs.Count 0)
{
Console.WriteLi ne(certs[0].PrivateKey.ToX mlString(true)) ;
}
=============== =======

If the above code can correctly access the private key info, we may have to
look for something else within the service or host environment.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



=============== =============== =============== =====

Get notification to my posts through email? Please refer to

ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

=============== =============== =============== =====



This posting is provided "AS IS" with no warranties, and confers no rights.

RE: WSE600: Unable to unwrap a symmetric key using the private key

Hi Steven,

Thanks for responding so quickly. I tried your suggestion below. At first,
I was unable to print out the private key, but I realised that was because I
had it marked as not exportable, so I generated a new one and could print it.

I used the following makecert command to do this.

makecert -n -pe "CN=MSFTC" -ss TrustedPeople -sr localmachine -r -sky
exchange -e 01/01/2010 -b 01/01/2006 c:\msftc.cer

I thought to make the test as realistic as possible, I would do it in a .NET
webservice so I constructed a simple web service that returns a String and
got it to return the private key. Again this was successful.

- <soap:Envelop e xmlns:soap="htt p://schemas.xmlsoap .org/soap/envelope/"
xmlns:xsi="http ://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http ://www.w3.org/2001/XMLSchema">
- <soap:Body>
- <EchoResponse xmlns="http://tempuri.org/">

<EchoResult><RS AKeyValue><Modu lus>3gAOOqX9JNL BLhg91CHxMCGej1 vP1dt31jOCOUiZW KWb4SYsrIz9oHJR n9Ghmya+mYvji50 D7M/sTdxI6JZg9d6HqV 6977BqYHzDyAZzb zHBLmQel0Y2vCWy xihAVcfMyYCaraY d5qz9BMEqjnQMeN FigS4FC3UWNji4/le7Uuk=</Modulus><Expone nt>AQAB</Exponent><P>+hA zUIQK3Dc11umolY AKzZutfxY72MgV4 6G05k0STJeIg6/1TbHwpKSNc+YZVh XMhnto/bklqXKBjJEfXbZI NQ==</P><Q>40VMIF0aVQ wnzekjVI3x4fYD3 JOnOj08x4Uwk3Ek p1vvBfWphQ2OCSY/ElYneQL5yddjomJ ciPhaqct+xoQ+ZQ ==</Q><DP>0bKwNX7lV JJ/9b9v/h6n8I/ySDau7TWtFXzPpK lRBSW19yihfwwPD yJm9KAq8wPIxaXL/6k5qgU6GlTAhueL WQ==</DP><DQ>fVu66tsP 7DthNUXUdA47jky 5wpA7HHesr8z6h0 lQU3P1Os9PaxGX9 9n9zipxaWFH0Jqa 3XXt3qtGrwOM8Qj +tQ==</DQ><InverseQ>VO 8ehPPYW0nSsay4O k3bzP+je3rmvoeD 4zP2BhzcZ1z6Rm5 ckgtsncm+vil7Yu OP9u9jPzyH4Dwnx C1ELB77BQ==</InverseQ><D>KDq SWYZizR1z7EpwSd SsxDATb58Plo1it eo3mvHQ+ANqr+4f AlW6UCznJbLzOg5 XU7PJ1C7r2yoChE l63MsDXrQoxvhXn kpUY2uGO+lZaNq2 iE3T+COevKJ8Xob BBZ0WMIgz+C/NV8Mi8pWbQW62yo 4grnNY8oqmSnVLE BPFL0E=</D></RSAKeyValue></EchoResult>
</EchoResponse>
</soap:Body>
</soap:Envelope>


I then tried my client application using the newly generated key and the
secure .NET service still returns the same error:

System.Security .Cryptography.C ryptographicExc eption: WSE600: Unable to unwrap
a symmetric key using the private key of an X.509 certificate. Please check
if the account 'MACHINE\admin' has permissions to read the private key of
certificate with subject name 'CN=MSFTC' and thumbprint
'908DD2C1CD1105 D88D03FE2747013 6670F8C19B8'. --


In answer to your other questions below, yes I did use the Visual Studio
2005 plugin to generate the service. I then tweaked the wse config to get it
how I wanted it.

Here is the config file

<policies xmlns="http://schemas.microso ft.com/wse/2005/06/policy">
<extensions>
<extension name="mutualCer tificate10Secur ity"
type="Microsoft .Web.Services3. Design.MutualCe rtificate10Asse rtion,
Microsoft.Web.S ervices3, Version=3.0.0.0 , Culture=neutral ,
PublicKeyToken= 31bf3856ad364e3 5" />
<extension name="x509"
type="Microsoft .Web.Services3. Design.X509Toke nProvider,
Microsoft.Web.S ervices3, Version=3.0.0.0 , Culture=neutral ,
PublicKeyToken= 31bf3856ad364e3 5" />
</extensions>
<policy name="AppPolicy ">
<mutualCertific ate10Security establishSecuri tyContext="fals e"
renewExpiredSec urityContext="t rue" requireSignatur eConfirmation=" false"
messageProtecti onOrder="SignBe foreEncrypt" requireDerivedK eys="false"
ttlInSeconds="3 00">
<serviceToken >
<x509 storeLocation=" LocalMachine" storeName="Trus tedPeople"
findValue="CN=M SFTC" findType="FindB ySubjectDisting uishedName" />
</serviceToken>
<protection>
<request signatureOption s="IncludeSoapB ody" encryptBody="tr ue" />
<response signatureOption s="IncludeSoapB ody" encryptBody="tr ue" />
<fault signatureOption s="IncludeSoapB ody" encryptBody="fa lse" />
</protection>
</mutualCertifica te10Security>
</policy>
</policies>


For modifying the file permissions I am using WseCertificate3 .exe

Thanks, Dan



"Steven Cheng[MSFT]" wrote:

RE: WSE600: Unable to unwrap a symmetric key using the private key

Thanks for your reply Dan,

So the problem is not quite specific to access permission since access to
the private key in non-webservice code work correctly. As you mentioned
that the certificate is generated through makecert.exe, then have you turn
on the "AllowTestR oot" setting for your WSE webservice?

=============
<microsoft.web. services3>
<security>
<x509 allowTestRoot=" true" />
===============

this is required when you use test certificate that is hasn't a trusted
root.

BTW, if possible, I suggest you use a windows server (which has certificate
service installed), you can simulate a real world certificate (and trust
CA) scenario in this way.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

RE: WSE600: Unable to unwrap a symmetric key using the private key

Hi Steven,

I do have allowTestRoot set as well as several other options. Here is the
extract from my configuration

<microsoft.web. services3>
<policy fileName="wse3p olicyCache.conf ig"/>
<security>
<x509 verifyTrust="tr ue" allowTestRoot=" true" revocationMode= "Offline"
verificationMod e="TrustedPeopl eOrChain" storeLocation=" LocalMachine"/>
<binarySecurity TokenManager>
<add
valueType="http ://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<keyAlgorithm name="RSA15"/>
</add>
</binarySecurityT okenManager>
</security>
<diagnostics>
<trace enabled="true" input="c:\Input Trace.webinfo"
output="c:\Outp utTrace.webinfo "/>
<detailedErro rs enabled="true"/>
</diagnostics>
</microsoft.web.s ervices3>


Is there any way to turn on internal trace in .NET and WSE 3, to see why the
problem is occuring?

I will investigate the windows server option that you mentioned.

Thanks, Dan




"Steven Cheng[MSFT]" wrote:

RE: WSE600: Unable to unwrap a symmetric key using the private key

Hi Dan,

Have you got any further progress on this? Whether the windows certificate
service issued certificates work for your scenario? For WSE 3.0, so far
there is no other internal trace that can tracking the certificate
negotiate or processing. All the trace available is only the input/output
trace for SOAP messaging or processing.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

RE: WSE600: Unable to unwrap a symmetric key using the private key

Hi Dan,

Have you got any further progress on this issue? If there is still anything
we can help, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

RE: WSE600: Unable to unwrap a symmetric key using the private key

Hi Steven,

I havent made any progress. I did a clean install of Windows 2000 and tried
from that to see if I got a different result to Windows XP but the problem is
the same. For the time being, I have decided not to persue this any further
as it is taking too much time. I dont have access to a Windows 2003 server
so have not tried that approach.

Thanks for your help,
Dan


"Steven Cheng[MSFT]" wrote:

RE: WSE600: Unable to unwrap a symmetric key using the private key

Thanks for your followup Dan,

I'm sorry to hear that the problem still remains. Anyway, if you continue
to work on this issue later and need any help, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.