X509 Turn-Key Scenarios for WSE 3.0
If you got the chance to look into the WSE 3.0 code, maybe you noticed that it comes with two turn-key scenarios for X509 tokens, “CertificateMutualAuthenticationProfileAssertion” and “MutualCertficateAssertion” (This assertion adds some new features from WS 1.1).
Both scenarios are completely different, so I decided to write this post to describe how they work and how the keys are interchanged in each one.
First of all, I will give a brief description about a new class “EncryptedKeyToken” introduced in this version of WSE.
This introduction is really important since this token is used in many places for the assertions to encrypt messages.
What is an “EncryptedKeyToken” ?
Asymmetric keys require more CPU cycles than symmetric keys to encrypt data.
Therefore, when a SOAP message is encrypted or digitally signed using an X509SecurityToken security token, an EncryptedKeyToken containing a symmetric session key is generated to encrypt the SOAP message. That session key is encrypted using the public key of the asymmetric key pair associated with the X509SecurityToken.
This token also existed in the previous versions of WSE, but it was something internal and the developer could not use it as he can do now.
Turn-key scenarios for X509 tokens
CertificateMutualAuthenticationProfileAssertion1. Client Output Filter
a. Signs the message with the client token, which is an X509 token containing the client private key. Adds the client token to the message
b. Creates an EncryptedKeyToken with a session key using the X509 service token (Public key). This token is used to encrypt the message, and after that, it is added to the message.
2. Service Input Filter
a. Gets the EncryptedKeyToken and the X509 client token from the message.
b. Validates the EncryptedKeyToken with the X509 service token configured in the server.
c. Decrypts the message using the EncryptedKeyToken received in the message.
d. Verifies the message signature using the X509 client token received in the message.
3. Service Output Filter
a. Creates an EncryptedKeyToken with a session key using the X509 client token received in the request message. Encrypts the message with that token. The token is added to the response message.
b. Signs the message using the X509 service token (Private key). This token is not added to the message since the client has the service public key.
4. Client Input Filter
a. Gets the EncryptedKeyToken from the response message.
b. Validates the EncryptedKeyToken with the X509 client token configured in the client.
c. Decrypts the response message using the EncryptedKeyToken
d. Verifies the signature using the X509 service token configured in the client. (Public key).
1. Client Output Filter
a. Creates an EncryptedKeyToken with a session key using the X509 service token (Public key).
b. Adds the configured X509 client token in the message.
c. Signs and encrypts the request message using the EncryptedKeyToken. (Including the X509 client token).
2. Service Input Filter
a. Gets the EncryptedKeyToken and the X509 client token from the message.
b. Validates the EncryptedKeyToken with the X509 service token configured in the server.
c. Decrypts the message using the EncryptedKeyToken.
d. Verifies the signature using the EncryptedKeyToken.
3. Service Output filter
a. Signs and encrypts the message using the EncryptedKeyToken received in the request message.
4. Client Input filter
a. Decrypts the message and verifies the signature using the EncryptedKeyToken created in the Client output filter.