WSE configuration lets you choose the algorithms used for encryption:
Some scenarios work fine with RSA15, but when we switch to RSAOAEP we may see this exception on the WSE side:
Let's look at what in the message WCF sent to WSE might cause this:
We can see that the EncryptedKey is indeed encrypted with the RSAOAEP algorithm. The RSAOAEP RFC also states that:
Hence the DigestMethod element.
So why does WSE throw an exception when a mandatory parameter is specified? Let's look at a WSE-generated message to see if it produces anything different:
Looks the same to me. So let's drill down into the WSE stack to understand the root cause. The error seems to be thrown from within this method:
OK, so we are comparing the current message's parameters (value) to some default value (this._parameters). But what is this default? Let's look in the constructor:
Oh boy. WSE2 compares xml fragments as strings! So it sees this:
as different from this:
even though the two fragments have the same XML semantics.
Just to convince myself this is the issue, I manually changed the SOAP so that it carries the WSE-style digest. This worked like a charm. It also points to the general solution: build a WSE filter that rewrites the SOAP into the format WSE expects. Note that you can only change unsigned SOAP parts (changing a signed part would invalidate the signature), which is usually the case for the encrypted key. The easier option, of course, is to revert to the RSA15 algorithm.
And let's not forget the main point, which is to never compare XML as a string.
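To make that point concrete, here is an added example (my own code, not from the post above and not WSE's implementation) that compares two DigestMethod fragments first as strings, the way the WSE2 constructor does, and then semantically with LINQ to XML. The two fragments are constructed for illustration and differ only in namespace prefix, attribute order and whitespace; WSE's real default string is not reproduced. The semantic comparer matches expanded names (namespace URI plus local name), ignores xmlns declarations and attribute order, trims text, and still reports a real difference such as a changed Algorithm value.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class XmlSemanticCompare
{
    // Constructed sample fragments: same XML semantics, different serialization.
    const string WcfStyle =
        "<DigestMethod xmlns=\"http://www.w3.org/2000/09/xmldsig#\" " +
        "Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />";
    const string WseStyle =
        "<ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" " +
        "xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/>";
    // Constructed fragment with a genuinely different parameter.
    const string OtherAlgorithm =
        "<ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" " +
        "xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"/>";

    // The naive check the post describes: ordinal string equality.
    public static bool StringEquals(string a, string b) =>
        string.Equals(a, b, StringComparison.Ordinal);

    // Semantic check: parse both sides and compare the trees, not the bytes.
    public static bool SemanticEquals(string a, string b) =>
        ElementEquals(XElement.Parse(a), XElement.Parse(b));

    static bool ElementEquals(XElement a, XElement b)
    {
        // XName carries namespace URI + local name, so prefixes do not matter here.
        if (a.Name != b.Name) return false;

        // Attributes as an unordered set; xmlns declarations are serialization detail.
        var aa = SortedAttributes(a);
        var ba = SortedAttributes(b);
        if (aa.Length != ba.Length) return false;
        for (int i = 0; i < aa.Length; i++)
            if (aa[i].Name != ba[i].Name || aa[i].Value != ba[i].Value) return false;

        // Child elements in document order (order is significant in XML).
        var ac = a.Elements().ToArray();
        var bc = b.Elements().ToArray();
        if (ac.Length != bc.Length) return false;
        for (int i = 0; i < ac.Length; i++)
            if (!ElementEquals(ac[i], bc[i])) return false;

        // Direct text content with surrounding whitespace trimmed.
        return DirectText(a) == DirectText(b);
    }

    static XAttribute[] SortedAttributes(XElement e) =>
        e.Attributes()
         .Where(x => !x.IsNamespaceDeclaration)
         .OrderBy(x => x.Name.NamespaceName)
         .ThenBy(x => x.Name.LocalName)
         .ToArray();

    static string DirectText(XElement e) =>
        string.Concat(e.Nodes().OfType<XText>().Select(t => t.Value)).Trim();

    static void Main()
    {
        Console.WriteLine("string:   " + StringEquals(WcfStyle, WseStyle));
        Console.WriteLine("semantic: " + SemanticEquals(WcfStyle, WseStyle));
        Console.WriteLine("semantic (different algorithm): " +
                          SemanticEquals(WseStyle, OtherAlgorithm));
    }
}
```

The first line prints false, the second true, and the third false. One caveat: a comparer like this is the right tool for checking unsigned parameters such as the encrypted key's DigestMethod, where only meaning matters. It is not a substitute for canonicalization (C14N) when verifying a signed part, because there the exact canonical bytes are what the signature covers.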
2 comments:
Very nice gotcha. BTW, what is the best .Net class for XML comparisons? Would you recommend our old fellow "MSXML Diff and Patch" or something else?
Moshe
In truth, I wasn't very impressed with any API I saw so far for XML comparison. For the basic scenarios they were OK, but when prefix games were added, and especially when schema semantics were required, they all failed.
If you can, try to build an XML comparison class based on your domain.