WSE502 : Cannot find the target element
Tuesday, March 15, 2005 9:49:38 AM (Central Standard Time, UTC-06:00)
I do not know if anybody else has got this exception, but I did, and I am stuck in such a way that I may have to leave all the benefits of WSE just to work around this problem/exception.

So here is the problem:

I am receiving a SoapMessage which has some custom SOAP headers, and these headers are signed using an X509 security token (WSS). The SoapInputFilter of WSE processes these headers and throws an exception with the message WSE502: Cannot find target element referenced by URI "msgHdr". When I look into the SoapMessage there is a custom header which has an attribute named "id" with the value "msgHdr". [Please note that "id" has a lowercase "i".]

I investigated more and here are my findings.

WSE looks for elements that contain an attribute with the local name "Id" and of type ID (the XML Schema datatype), and then compares the URI of the Reference element of the Signature element to the value of this "Id" attribute. If they match, WSE is happy and verifies the signature.

Seeing this behavior, I wondered why WSE looks for "Id" only. I could have a custom header where I define an attribute named "id" or "itsMyId" which has XML Schema type ID. Why would WSE only entertain "Id"?

I started looking at the OASIS WSS profile (oasis-200401-wss-soap-message-security-1.0) and found that section 4 has something which explains the WSE behavior. Section 4 says that since SOAP clients or intermediaries may not know the XML schema of the elements they are processing for signature verification, it would be good if the SOAP processor presumes that the element referenced by Signature\Reference has an attribute wsu:Id whose type is ID.

I think this is what WSE follows, and hence the response.

But .. there is a big but here. WSS talks about wsu:Id as an optimization and helper, and it does not exclude the possibility of having "id" or "itsMyId".

Here the SoapClient needs to tell WSE "this is the schema I am using for the SOAP message in the response, and this is the attribute of a given element that should be used while SecurityInputFilter is processing the signature". How to do that? ..... I could not find any way to specify this.
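To make the behaviour concrete, here is an added example (mine, not code from the original post or from WSE) that resolves each ds:Reference URI against a constructed envelope in two ways: WSE-style, where only wsu:Id counts as an ID attribute, and schema-aware, where the caller declares which attributes are of type ID. With the WSE-style lookup the reference to "msgHdr" does not resolve, which is the situation the WSE502 message reports; the namespace URIs are the published WS-Security utility and XML-DSig ones, and the envelope content is constructed.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = f"{{{WSU}}}Id"  # ElementTree's Clark notation for the wsu:Id attribute

# Constructed envelope: the custom header carries a lowercase "id" attribute,
# the Timestamp carries wsu:Id, and the Signature references both.
ENVELOPE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:c="urn:example:custom">
  <s:Header>
    <c:MyHeader id="msgHdr">payload</c:MyHeader>
    <wsu:Timestamp wsu:Id="ts"><wsu:Created>2005-03-15T09:49:38Z</wsu:Created></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#msgHdr"/>
      <ds:Reference URI="#ts"/>
    </ds:SignedInfo></ds:Signature>
  </s:Header>
  <s:Body/>
</s:Envelope>"""

def reference_uris(root):
    """Return the URIs of all ds:Reference elements with the leading '#' stripped."""
    return [ref.get("URI").lstrip("#") for ref in root.iter(f"{{{DS}}}Reference")]

def find_by_id(root, target, id_attrs):
    """Return the first element whose value for any attribute in id_attrs equals target."""
    for el in root.iter():
        if any(el.get(attr) == target for attr in id_attrs):
            return el
    return None

def check_references(xml_text, id_attrs=(WSU_ID,)):
    """Map each Reference URI to True/False depending on whether it resolves.

    The default id_attrs reproduces what the post describes WSE doing: only
    wsu:Id is treated as an ID attribute, so "msgHdr" (lowercase id) is not found.
    """
    root = ET.fromstring(xml_text)
    return {uri: find_by_id(root, uri, id_attrs) is not None for uri in reference_uris(root)}

if __name__ == "__main__":
    print(check_references(ENVELOPE))                  # {'msgHdr': False, 'ts': True}
    print(check_references(ENVELOPE, (WSU_ID, "id")))  # {'msgHdr': True, 'ts': True}
```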
Writing a generic SoapClient using WSE
Thursday, March 10, 2005 5:39:50 PM (Central Standard Time, UTC-06:00)
A typical SoapClient class looks like this:
 
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Addressing;

public class MyClient : SoapClient
{
    // The endpoint is configurable, but the SOAP action is fixed to "MyServerMethod".
    // ("ref" is a C# keyword, so the parameter is named epr.)
    public MyClient(EndpointReference epr) : base(epr) { }

    public SoapEnvelope MyMethod(SoapEnvelope envelope)
    {
        return base.SendRequestResponse("MyServerMethod", envelope);
    }
}
 
The problem with this approach is that it gives you the flexibility of specifying the EndpointReference but not the SoapAction. Your client could be talking to many web services, and I felt it would be good to have one client, so I wrote ....
 
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Addressing;

public class MyGenericClient : SoapClient
{
    private string soapAction;

    // Both the endpoint and the SOAP action are supplied by the caller.
    public MyGenericClient(string soapAction, EndpointReference epr) : base(epr)
    {
        this.soapAction = soapAction;
    }

    public SoapEnvelope InvokeService(SoapEnvelope envelope)
    {
        return base.SendRequestResponse(soapAction, envelope);
    }
}
 
Pretty easy, huh...... What I figured out looking into WSE was that if you specify the SoapMethod attribute then the value of the attribute is taken as the SoapAction, and if you do not then WSE takes the first parameter of SendRequestResponse and uses that as the SoapAction.
Welcome Marc
Thursday, March 10, 2005 5:12:59 PM (Central Standard Time, UTC-06:00)
Marc Talbot, my fellow developer at Axalto, has also started blogging. He joined us 3 months back in Austin for .NET Smartcard development. You will be seeing lots of goodies and tips on the usage of .NET Smartcard and the SDK.
 
Marc has worked in sales for a good period of time, and our research lab will be (actually already is) getting benefits from his experience with customers.
OASIS X509 Token profile - ValueType and EncodingType attributes
Friday, March 04, 2005 7:00:29 PM (Central Standard Time, UTC-06:00)
I faced some problems because of the misleading specification. The XML sample in the document http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf shows that ValueType and EncodingType are wsse:X509v3 and wsse:Base64Binary respectively, but these are not the correct values. The correct values are http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 and http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary for ValueType and EncodingType respectively.
 
It would have been good if Section 3.1 of the WSS X509 token profile specification had mentioned this explicitly instead of leaving it vague, which, coupled with the incorrect example, makes it very error prone.
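As an added check (my code, not from the post or the specification), the function below inspects a wsse:BinarySecurityToken for exactly this: it accepts only the two full URIs the post gives as correct, names the QName-style values from the profile's sample as the likely mistake, and, since EncodingType claims Base64Binary and ValueType claims an X509v3 certificate, also confirms the element text is valid base64 whose first byte is a DER SEQUENCE tag (0x30). The wsse namespace URI is the published one; the token bodies are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

EXPECTED = {"ValueType": X509V3, "EncodingType": BASE64}
# The QName-style values from the profile's sample XML, which the post reports as wrong.
QNAME_FORM = {"ValueType": "wsse:X509v3", "EncodingType": "wsse:Base64Binary"}

def token_problems(token_xml):
    """Return a list of problems with a wsse:BinarySecurityToken; an empty list means it passes."""
    el = ET.fromstring(token_xml)
    if el.tag != f"{{{WSSE}}}BinarySecurityToken":
        return [f"unexpected element {el.tag}"]
    problems = []
    for attr, want in EXPECTED.items():
        got = el.get(attr)
        if got is None:
            problems.append(f"{attr} is missing")
        elif got == QNAME_FORM[attr]:
            problems.append(f"{attr}={got!r} is the QName form from the spec sample, not the URI")
        elif got != want:
            problems.append(f"{attr}={got!r}, expected {want!r}")
    # Check the content against what the attributes claim: base64 text wrapping a DER certificate.
    try:
        der = base64.b64decode((el.text or "").strip(), validate=True)
    except binascii.Error:
        problems.append("content is not valid base64")
    else:
        if der[:1] != b"\x30":
            problems.append("decoded content does not start with a DER SEQUENCE tag")
    return problems

def token(value_type, encoding_type, body):
    """Build a constructed BinarySecurityToken element as text."""
    return (f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" '
            f'ValueType="{value_type}" EncodingType="{encoding_type}">{body}</wsse:BinarySecurityToken>')

# Constructed stand-in for certificate bytes: a minimal DER SEQUENCE, not a real certificate.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x02").decode()
GOOD_TOKEN = token(X509V3, BASE64, FAKE_DER_B64)
SPEC_SAMPLE_TOKEN = token("wsse:X509v3", "wsse:Base64Binary", FAKE_DER_B64)

if __name__ == "__main__":
    print(token_problems(GOOD_TOKEN))         # []
    print(token_problems(SPEC_SAMPLE_TOKEN))  # two QName-form problems
```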
DNA : Real identity ?
Wednesday, February 02, 2005 5:22:26 PM (Central Standard Time, UTC-06:00)
I must say this is the most beautifully phrased identity mapping I have seen:
 
Your DNA is you. You are your DNA. It is not assigned to you nor can you change it. It is your identity. Everything else is simply a "handle", a shortcut or nickname for the identity that is you.
 
Scott presents valid arguments against this perspective, saying DNA is not 100% unique (fraternal twins and cloning), but his second argument, that DNA does not mean anything in the jungles of New Zealand, does not sound appealing to me. I mean, whatever means of identity (token, certificate ...) you come up with, there will be a part of the world which would not recognize it.
 
DNA coupled with hand prints (which are different for even fraternal twins) makes an interesting case.
 
Another important thing to see in his phrase is the notion of a "handle". I think everything comes down to how secure, portable and efficient your handle is. Hey, am I saying Smartcards are the best handles? :)
 
The phrase above is the invention of Dave Kearns. I am a big fan of Dave's newsletter on identity management.
Sixth Law : The Law of Human Integration
Tuesday, January 25, 2005 8:13:50 PM (Central Standard Time, UTC-06:00)
Basically this Law says that an identity system must define the human user as one of the components in distributed systems, and that communication between human and machine should be protected against attacks.
 
Kim writes more:
    Returning to the discussion we've just had about the problems with today's browsers, I would summarize my thinking by saying we have done a pretty good job of cryptographically securing the channel between web servers and browsers - a channel that might extend for thousands of miles. But we haven't done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers.
 
I tried to solve the problem of phishing and the unsecured browser-human channel by providing an alternative to the address bar (I know Kim is not a big fan of 'yet another address bar'). The alternative is that once the user has identified his service provider, he/she can store the link to it as metadata in the Smartcard, and once he has successfully entered his Smartcard PIN, this metadata will be extracted (securely) by a custom control in the browser. I used this approach in the Liberty LECP profile demo using .NET Smartcard, storing the list of service providers as XML metadata.
 
I feel that if we can achieve this kind of interaction [friendly enough for non-technical users] with the human element in distributed systems, we should be good? ....... Please comment.
ClickOnce Vs Windows Installer
Saturday, January 22, 2005 12:08:53 PM (Central Standard Time, UTC-06:00)
Michael Sanford has written a great article comparing the ClickOnce and Windows Installer technologies, showing the differences in their features and when it is ideal to use a particular technology.
 
The message I got from this article is that ClickOnce is not eliminating Windows Installer but complements it by providing a robust, secure and easy way to update applications installed using the installer.
 
 
Updater Application Block - An Excellent piece of work
Saturday, January 22, 2005 11:56:55 AM (Central Standard Time, UTC-06:00)
Although all the application blocks from Microsoft patterns & practices are great, the one that I have liked the most and am actually using in my product is UAB [Updater Application Block]. For a while I was playing around with version 1 posted here, until last month I realized gotdotnet.com has a workspace for UAB and has enhanced the application block substantially. UAB is in its version 2 now.
 
This is a really great piece of work, and I would recommend people use it.
Using NAnt custom tasks of .NET Smartcard SDK
Friday, December 17, 2004 5:54:08 PM (Central Standard Time, UTC-06:00)

Ant & NAnt have been the pioneers in recent times for automating the build, and as the Ant/NAnt guys describe their fascinating software, it's kind of like Make but without Make's wrinkles. I have been a great fan of this stuff for a long time now. The .NET Smartcard SDK offers custom NAnt tasks to automate interactions with the .NET Smartcard. I am going to describe here the custom tasks we have for .NET Smartcard.

If you are not familiar with NAnt, please visit http://nant.sourceforge.net/

Below are the custom NAnt tasks available in the .NET Smartcard framework SDK.

  • LoaderTask

        <target name="build" description="load and execute assembly">
            <load file="bin\debug\Test1.exe" todir="C:\Pub" execute="true"
                  reload="true" serviceName="test"/>

            <load todir="D:\Pub">
                <fileset basedir=".">
                    <includes name="Rijndael.bin"/>
                    <includes name="server\AppConfig.xml"/>
                </fileset>
            </load>
        </target>

    This is the most used task and is also part of the Server template in VS.NET 2003. Let's look at the attributes:

    Name        | Description                                                                                                                  | Required
    file        | File to be loaded onto the card. You can specify the full or relative path.                                                  | YES
    todir       | On-card directory into which to download the file (Test1.exe in the example).                                                | YES
    execute     | Run the executable [this creates a .NET Smartcard service].                                                                   | NO
    reload      | If 'file' is already loaded on the card, first remove the installed service and delete the file before downloading it again. | NO
    serviceName | Needed if you specify the reload attribute, since the name of the service is needed to uninstall it.                          | NO
 
  • Delete2Task

        <delete2 file="D:\Pub\Rijndael.bin"/>
        <delete2 file="C:\Pub\server.exe" unregister="MyServiceUri.apdu"/>

    The delete task has 2 as a suffix to distinguish it from NAnt's regular delete task.

    Name       | Description                                                                                                              | Required
    file       | Full path to the on-card file to be deleted.                                                                             | YES
    unregister | If the file to be deleted is an executable, the service it registered is given as the value of this attribute so it can be unregistered. | YES

  • ExecuteAssemblyTask

        <execute file="C:\MyDir\MyProfile.exe"/>

        <execute>
            <fileset basedir="C:\MyDir2">
                <includes name="server1.exe"/>
                <includes name="server2.exe"/>
            </fileset>
        </execute>
 
There are still more tasks to write for administering the card.
 
Running the build file from CardExplorer

Changing the path to NAnt binaries

The .NET Smartcard SDK installs the NAnt binaries (shown below). The folder also contains the netCard.NAntTasks.dll assembly, which contains the above-mentioned tasks. If you already have NAnt installed on your PC or want to download an updated version, you should add an environment variable NANT_HOME in System settings and copy netCard.NAntTasks.dll into the bin folder of NANT_HOME. If NANT_HOME is not defined, the SDK takes [INSTALL_DIR]\3rdParty\NAnt as the default path for NAnt.

Gates declares death of passwords using Cryptoflex.NET
Tuesday, November 16, 2004 2:44:55 PM (Central Standard Time, UTC-06:00)

http://www.techworld.com/opsys/news/index.cfm?NewsID=2627

"The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way - a .Net based smart card."

Microsoft partner Axalto "has done a super job on this", said Gates. "We will be using their smartcards internally - each employee will use those to get in and out of the buildings as we used to connect to our machines. We're requiring them. We will completely replace passwords."

By having .Net capability, said Gates, "we think this brings different logic down to the card itself, giving a richness and continuity to the platform that only exists in that .Net environment." Axalto said this was the first commercial deployment of Axalto’s .Net-based smart cards.

Axalto Declares World's First Commercial Deployment of Microsoft .NET-based Smart Card
Tuesday, November 16, 2004 2:41:03 PM (Central Standard Time, UTC-06:00)

For the press release go to: http://www.axalto.com/Company/press/news.asp?id=220

Finally it's out of the lab as a product which is not only going to make systems secure but revolutionize Smartcard technology with the help of an excellent on-card & off-card application development framework, i.e. .NET.