WS Security: Encryption and Authentication with certificates

Posted by koen.thomeer.be

I started last week with WSO2 WSF/PHP. The goal is that I want to create a WS that:
1. has encrypted communication on request and answer
2. where the server can authenticate the client by his certificate

But reading the Security Manual (http://cpw.ict-health.be/docs/security_manual.html#3), there are things I don't understand: (Alice=client, Bob=server)

PART I: Question on Encryption

** 8.3.1. Encryption on the Client Side
The manual says we need 2 certificates:
    $rec_cert = ws_get_cert_from_file("../keys/bob_cert.cert");
    $pvt_key = ws_get_key_from_file("../keys/alice_key.pem");
For encryption we only need the public key that is in bob_cert. I think we need alice_key.pem to decrypt the response from the server.

** 8.3.2. Encryption on the Server Side
Another 2 certificates:
    $pub_key = ws_get_cert_from_file("../keys/alice_cert.cert");
    $pvt_key = ws_get_key_from_file("../keys/bob_key.pem");
I understand we need bob_key: to decrypt the message from the client. And also alice_cert: to encrypt the response to the client. But the biggest problem is: how do we get alice_cert? There will be more clients than one, and therefore there will be multiple client certs? (That is the logic of WS!) Would it be more logical that alice_cert is included in the request?
1. How can we include alice_cert in the request?
2. And how can the server extract alice_cert from the request?

Part II: Question on authentication.

** 8.3.3. Signing on the Client Side
The manual says that we need 3 certificates:
    $my_cert = ws_get_cert_from_file("../keys/alice_cert.cert");
    $my_key = ws_get_key_from_file("../keys/alice_key.pem");
    $rec_cert = ws_get_cert_from_file("../keys/bob_cert.cert");
The first two I understand: alice_key is for signing the request and alice_cert is to know who has signed the request.
1. But why do we need bob_cert? (2. Do we need to check the signature, or does WSF/PHP do this?)
2. How can the server extract the certificate from the request? I need it to know who did sign the message (authentication)!!
Posted by koen.thomeer.be

How can I see the signing authentication certificate in PHP?

PART I has been solved: WSService automatically extracts the client certificate and uses it to encrypt the message for the response. But PART II stays unsolved:
1. I want to see in PHP the signing certificate of the client.
2. Is it also possible to see the complete request of the client on the server side, like in $client->getLastRequest() on the client side? It would solve the first problem, but it is also useful for logbooks.
Posted by nandika

Re

You can use a tool like Tcpmon or Wireshark to view the exchanged messages. The receiver certificate is needed to verify the server response. Regards, Nandika
Posted by koen.thomeer.be

But that means it is impossible to integrate the client certificate in the PHP code of the web service? Tcpmon and Wireshark are not integrated in PHP, so I can do nothing with them. Can I call this a bug? I mean: what is the sense of signing a message as a client, when the server can't see who has signed it?
Posted by koen.thomeer.be

PART I & II NOT SOLVED

OK, I did test it further:
1. Extraction of the client cert is apparently not possible (PART II). I did put it on https://wso2.org/jira/browse/WSFPHP-448 . This has different security concerns!
2. BUT, apparently PART I is not solved either. I created the policy with:
    $policy = new WSPolicy(array("security" => array(
        "sign" => TRUE,
        "encrypt" => TRUE,
        "algorithmSuite" => "Basic256Rsa15",
        "securityTokenReference" => "EmbeddedToken")));
and the security token with:
    $sec_token = new WSSecurityToken(array(
        "privateKey" => $pvt_key,
        "certificate" => $cert));
for the web service. I thought that WSF/PHP would be smart and use the public key from the request to encrypt the response. BUT IT DOESN'T. I have to put the client certificate in the code: but this makes no sense for a web service. A web service is for multiple clients!

You can see my request and response here:
http://cpw.ict-health.be/SOAP_Request_Enc.xml
http://cpw.ict-health.be/SOAP_Response_Enc.xml
In the response, you see that soapenv:Body is not encrypted!

The solution would be:
A. Extract the client certificate from the request to make it available in the PHP code. That would also resolve PART II. The only problem is that we have to save it on the filesystem and recall it with ws_get_cert_from_file.
B. Make WSF/PHP a little bit smarter :-), so that it uses the client public key directly from the request.
Posted by nandika

Re

WSF/PHP has support for multiple clients. In such scenarios, you need to build a keystore. Check the keystore sample. Regards, Nandika
Posted by koen.thomeer.be

Thanks, I did check. But there are still some problems:
1. How can we know in the PHP script who the client is (authentication)?
2. For a signed request: how can I store the message in my database (non-repudiation)?

One inconvenience with a keystore: I have to know all my client certificates. This is against the logic of PKI, where both parties trust a common CA. The web service should only check that the client certificate has been signed by the CA it trusts (authentication). Afterwards it can check the contents of the certificate to give access to certain data/tools (authorization).

And some practical questions about the keystore:
1. How does WSF/PHP know which key in the store it has to use for signing, which one for encryption and which one for decryption? Can I combine encryption and signing when I use a keystore?
2. Why is there a "user" in WSSecurityToken? The "password" is for unlocking the keystore, I suppose. Thanks!!!
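One way to implement the CA-trust check and the authorization step described in the post above, once the client's signing certificate is available to the script as PEM text (for instance loaded from the keystore or from a file, as option A suggests). This is an added example in plain PHP using the openssl extension; it is not part of the thread or of WSF/PHP, and the CA file path and the allowed organisations are assumptions.

```php
<?php
// Added example, not from the thread or WSF/PHP.
// Assumed path of the CA certificate(s) this service trusts.
const TRUSTED_CA_FILE = '/etc/ws/trusted_ca.pem';

/**
 * Authenticate a client certificate by its chain to the trusted CA and
 * its validity period. Returns an array with 'ok' plus identity fields
 * (subject, issuer, serial) that an authorization step can use.
 */
function authenticate_client_cert(string $pem, array $ca_files = [TRUSTED_CA_FILE]): array
{
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return ['ok' => false, 'reason' => 'unparseable certificate'];
    }

    // Chain check: X509_PURPOSE_ANY verifies the issuer chain against the
    // CA file(s) without imposing a TLS-specific extended key usage.
    // Note: this does not consult CRLs/OCSP; revocation needs a separate check.
    $chain = openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY, $ca_files);
    if ($chain !== true) {
        return ['ok' => false, 'reason' => 'not issued by a trusted CA'];
    }

    $info = openssl_x509_parse($cert);
    $now  = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        return ['ok' => false, 'reason' => 'certificate expired or not yet valid'];
    }

    return [
        'ok'      => true,
        'subject' => $info['subject'],  // e.g. ['CN' => 'alice', 'O' => 'Example Clinic']
        'issuer'  => $info['issuer'],
        'serial'  => $info['serialNumberHex'] ?? $info['serialNumber'],
    ];
}

/**
 * Authorization: only clients whose subject O (organisation) is on the
 * allow-list get access. $allowed_orgs is an assumed, service-specific list.
 */
function authorize_client(array $identity, array $allowed_orgs): bool
{
    if (!$identity['ok']) {
        return false;
    }
    $org = $identity['subject']['O'] ?? '';
    return in_array($org, $allowed_orgs, true);
}
```

The subject DN and serial returned here are also what you would store alongside the signed message for the non-repudiation record the post asks about.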
Posted by dennis.kavanagh.six3systems.com

Web Service read into IS

Hello, how can I use a Web Service to read Authenticators into WSO2 IS, and where do they get stored so that I can use them in XACML? Thank you,
Posted by superworm711.yahoo.com

response is not encrypted!

Why, in the response, is the body not encrypted? Are there any errors or bugs in this case?
Posted by superworm711.yahoo.com

Please help me with this problem

Can anybody help me to explain this problem? Why does WSF/PHP not encrypt the response message?