Microsoft KB Archive/922779

= You may receive a WSE590 exception in Web Services Enhancements 3.0 for Microsoft .NET when you try to implement OASIS Web Services Security 1.0 =

Article ID: 922779

Article Last Modified on 11/22/2007


APPLIES TO


 * Microsoft Web Services Enhancements for Microsoft .NET 2.0
 * Microsoft .NET Framework 2.0
 * Microsoft Visual Studio 2005 Standard Edition
 * Microsoft Visual Studio 2005 Professional Edition
 * Microsoft Visual Studio 2005 Express Edition




SYMPTOMS
When you try to implement OASIS Web Services Security (WS-Security) 1.0, you may receive a WSE590 exception in Microsoft Web Services Enhancements 3.0 for Microsoft .NET (WSE).



CAUSE
This problem occurs when the SecurityTokenReference class does not contain a KeyIdentifier element. Instead, the security token reference relies on the  digital signature element to identify the certificate. However, WSE 3.0 does not correctly parse the value of the  digital signature element.



WORKAROUND
To work around this problem, create and add a KeyIdentifier element to match the key that is used to sign the original message. You have to override the ProcessMessage method to modify the EncryptedKey element that identifies the subnode of the KeyInfo element. Then you have to remove the subnode of the KeyInfo element.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

The following XML code sample adds a KeyIdentifier element to the node of the EncryptedKey element.

    <EncryptedKey>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier>MIGfMa0GCSq</wsse:KeyIdentifier>
          <ds:X509Data>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US</ds:X509IssuerName>
              <ds:X509SerialNumber>51387446156789182432449128610772276634</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </ds:X509Data>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </EncryptedKey>

The following sample application shows how to override the ProcessMessage method of the SoapFilter class.

    public override SoapFilterResult ProcessMessage(SoapEnvelope envelope)
    {
        // Map the prefixes that the XPath queries below rely on.
        XmlNamespaceManager nsmanager = new XmlNamespaceManager(envelope.NameTable);
        nsmanager.AddNamespace("wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
        nsmanager.AddNamespace("soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
        nsmanager.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        nsmanager.AddNamespace("soapenc", "http://schemas.xmlsoap.org/soap/encoding/");
        nsmanager.AddNamespace("e", "http://www.w3.org/2001/04/xmlenc#");
        try
        {
            // Locate the KeyInfo element, its SecurityTokenReference, and the EncryptedKey element.
            XmlNodeList KeyInfoNodeList = envelope.SelectNodes("/soapenv:Envelope/soapenv:Header/wsse:Security/e:EncryptedKey/ds:KeyInfo", nsmanager);
            XmlNodeList SecurityTokenReferenceNodeList = KeyInfoNodeList[0].SelectNodes("wsse:SecurityTokenReference", nsmanager);
            XmlNodeList EncryptedKeyNodeList = envelope.SelectNodes("/soapenv:Envelope/soapenv:Header/wsse:Security/e:EncryptedKey", nsmanager);

            // Add a KeyIdentifier to the reference, then replace the content of KeyInfo with it.
            SecurityTokenReference mySecurityTokenReference = new SecurityTokenReference((XmlElement)SecurityTokenReferenceNodeList[0]);
            KeyIdentifier myKeyIdentifier = new KeyIdentifier("MIGfMa0GCSq");
            mySecurityTokenReference.KeyIdentifier = myKeyIdentifier;
            KeyInfoNodeList[0].RemoveAll();
            KeyInfoNodeList[0].AppendChild(mySecurityTokenReference.GetXml(envelope));

            // Check that the rewritten EncryptedKey element can now be parsed and verified.
            EncryptedKey key = new EncryptedKey((XmlElement)EncryptedKeyNodeList[0]);
            EncryptedKeyToken key2 = new EncryptedKeyToken((XmlElement)EncryptedKeyNodeList[0]);
            EncryptedKeyTokenManager manager = new EncryptedKeyTokenManager();
            manager.VerifyToken(key2);
        }
        catch (Exception e)
        {
            Console.WriteLine(e.ToString());
        }
        return base.ProcessMessage(envelope);
    }

When the application overrides the ProcessMessage method in a derived class, the application processes the message that is contained in a SOAP envelope. The ProcessMessage method returns the value of the SoapFilterResult class. This class determines whether to continue to process the message to the next SOAP filter in the pipeline or to exit the process.
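The ProcessMessage sample replaces the content of KeyInfo unconditionally and with a hard-coded key identifier. As an added example (not part of the Microsoft article), the following check uses only System.Xml to confirm that the reference lacks a KeyIdentifier and that its X509IssuerSerial names the expected certificate before any rewrite is attempted. The IssuerSerialCheck class, the NeedsRewrite method and the envelope are constructed for illustration, and exact string comparison of the issuer name is an assumption.

```csharp
using System;
using System.Xml;

static class IssuerSerialCheck
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Ds = "http://www.w3.org/2000/09/xmldsig#";
    const string Enc = "http://www.w3.org/2001/04/xmlenc#";
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    const string RefPath = "/soapenv:Envelope/soapenv:Header/wsse:Security/e:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference";

    // True only when the reference has no KeyIdentifier and its X509IssuerSerial
    // names the expected certificate (hypothetical helper, exact string match).
    public static bool NeedsRewrite(XmlDocument envelope, string expectedIssuer, string expectedSerial)
    {
        XmlNamespaceManager ns = new XmlNamespaceManager(envelope.NameTable);
        ns.AddNamespace("wsse", Wsse);
        ns.AddNamespace("ds", Ds);
        ns.AddNamespace("e", Enc);
        ns.AddNamespace("soapenv", Soap);

        XmlNode reference = envelope.SelectSingleNode(RefPath, ns);
        if (reference == null) return false;   // no EncryptedKey reference at all
        if (reference.SelectSingleNode("wsse:KeyIdentifier", ns) != null) return false;   // already has one

        XmlNode issuer = reference.SelectSingleNode("ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName", ns);
        XmlNode serial = reference.SelectSingleNode("ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber", ns);
        if (issuer == null || serial == null) return false;   // some other reference type: leave it alone

        return issuer.InnerText.Trim() == expectedIssuer && serial.InnerText.Trim() == expectedSerial;
    }

    static void Main()
    {
        // Constructed envelope; issuer name and serial number are the values shown on this page.
        string issuerName = "OU=Secure Server Certification Authority, O=\"RSA Data Security, Inc.\", C=US";
        string serialNumber = "51387446156789182432449128610772276634";
        string xml = "<soapenv:Envelope xmlns:soapenv='" + Soap + "' xmlns:wsse='" + Wsse + "' xmlns:e='" + Enc + "' xmlns:ds='" + Ds + "'>"
            + "<soapenv:Header><wsse:Security><e:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>"
            + "<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>" + issuerName + "</ds:X509IssuerName>"
            + "<ds:X509SerialNumber>" + serialNumber + "</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>"
            + "</wsse:SecurityTokenReference></ds:KeyInfo></e:EncryptedKey></wsse:Security></soapenv:Header>"
            + "<soapenv:Body/></soapenv:Envelope>";
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(xml);

        Console.WriteLine(NeedsRewrite(doc, issuerName, serialNumber));   // reference names the expected certificate
        Console.WriteLine(NeedsRewrite(doc, issuerName, "1"));            // different serial number
    }
}
```

A filter can call such a check first and pass any message that fails it to base.ProcessMessage unchanged, so that only references to the expected certificate are rewritten.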


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
For more information about the set of core classes that are used in WSE-enabled applications, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/microsoft.web.services3.aspx

For more information about the set of core classes that help secure SOAP messages, visit the following MSDN Web site:

http://msdn2.microsoft.com/en-us/library/microsoft.web.services3.security.aspx

For more information about XML Digital Signature, visit the following MSDN Web site:

http://msdn2.microsoft.com/en-us/library/ms996502.aspx

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Keywords: kbtshoot kbxml kbprb kbwebservices KB922779


© Microsoft Corporation. All rights reserved.