RST/RSTR full sequence needed

Hi all,

So far I haven't been able to find a tool that would be able to verify that a given RST/RSTR pair is valid. So, as I need to do that, I would need an RST/RSTR pair with the SRV and STS certificates that were used during the encryption process (private key available, please) to write a verifier for my own RSTR generation.

This pair of RST/RSTR MUST have been generated by WCF and MUST include all the NONCE data (not removed like in the logs you can get from WCF). With the Nonce removed, this tracing is totally useless for solving interoperability issues! The funny thing is that the trace gives the RSTR before decryption... no comment! On second thought... normally if you don't have the private key of the STS certificate you cannot do anything with the tracing even with the Nonce, so why remove those Nonces? Because even if you have the private keys of the certificates, with this trace you cannot do anything at all!!! (sorry, I repeat myself!)

Anyone out there could produce this?

A warm thank you for the person who could provide me with such data.
Thks
Olivier

PS: I don't need the decrypted RST or RSTR... with the STS certificate I can get everything I need. I think that I don't need the SRV certificate either; it is just used to sign the RST.

PS2: Eventually, is there any possibility to get a trace from WCF that doesn't REMOVE the NONCE values? So I could make my own RST/RSTR pair.

By orouit at 2007-12-23
# 1

Olivier.

I'm not sure I understand what you mean when you say 'a given RST/RSTR pair is valid'. Can you elaborate? If you want to know which RST a given RSTR is in response to, you could look at the wsa:RelatesTo (or the SignatureConfirmation value if SigConf is enabled).

The only way to get traces without us suppressing certain fields would be to write your own tracer.

Gudge

Gudge at 2007-8-30
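As an added example (not code from the thread, from WCF, or from the poster's verifier), here is the pairing check Gudge describes: an RSTR answers a given RST when its wsa:RelatesTo header carries the RST's wsa:MessageID, and, as a secondary sanity check, when the WS-Trust actions are the RST/RSTR pair for the same operation. The two SOAP envelopes below are constructed, minimal samples; the WS-Addressing 1.0 and WS-Trust February 2005 namespaces and the message IDs are assumptions for the sake of the example, and the matching uses local names so the check also works for messages in the 2004/08 WS-Addressing namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample messages (not captured from any real STS).
RST_XML = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:3c8b1a6e-1111-4b0e-9e1f-0123456789ab</a:MessageID>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"/>
  </s:Body>
</s:Envelope>"""

RSTR_XML = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
    <a:MessageID>urn:uuid:7f2e0c44-2222-4d61-8a3b-fedcba987654</a:MessageID>
    <a:RelatesTo>urn:uuid:3c8b1a6e-1111-4b0e-9e1f-0123456789ab</a:RelatesTo>
  </s:Header>
  <s:Body>
    <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"/>
  </s:Body>
</s:Envelope>"""

WST_2005_02 = "http://schemas.xmlsoap.org/ws/2005/02/trust/"


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def header_value(envelope_xml: str, local_name: str):
    """Return the text of the first header block with this local name, or None.

    Only the SOAP Header is searched so that a body element of the same
    local name (e.g. a RelatesTo smuggled into the body) cannot satisfy the check.
    """
    root = ET.fromstring(envelope_xml)
    header = next((el for el in root if _local(el.tag) == "Header"), None)
    if header is None:
        return None
    for el in header.iter():
        if _local(el.tag) == local_name:
            return (el.text or "").strip()
    return None


def rstr_answers_rst(rst_xml: str, rstr_xml: str) -> bool:
    """True iff the RSTR's wsa:RelatesTo equals the RST's wsa:MessageID."""
    message_id = header_value(rst_xml, "MessageID")
    relates_to = header_value(rstr_xml, "RelatesTo")
    return message_id is not None and message_id == relates_to


def actions_paired(rst_xml: str, rstr_xml: str) -> bool:
    """True iff the actions are .../RST/<op> and .../RSTR/<op> for the same <op>."""
    a_req = header_value(rst_xml, "Action") or ""
    a_res = header_value(rstr_xml, "Action") or ""
    if not (a_req.startswith(WST_2005_02 + "RST/") and a_res.startswith(WST_2005_02 + "RSTR/")):
        return False
    return a_req[len(WST_2005_02) + len("RST/"):] == a_res[len(WST_2005_02) + len("RSTR/"):]


if __name__ == "__main__":
    print("RelatesTo matches MessageID:", rstr_answers_rst(RST_XML, RSTR_XML))
    print("Actions paired:             ", actions_paired(RST_XML, RSTR_XML))
```

This only establishes that the two messages belong together; it says nothing about whether the RSTR's signature or encrypted key material is correct, which is the part the original post is actually asking to verify.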
# 2

Thanks for your concern,

I have developed an STS without using WCF at all (but with .NET & C#); I get the messages at the lowest level. As I couldn't find any tool to verify the RSTR I generate, I wrote one myself.

However, to validate my verifier I would need a reference pair (RST/RSTR with the necessary certificates) that I could use to check my verifier.

I'm going to post the code of the verifier when it's advanced enough. So far I only support the AES128 symmetric algorithm because this is the only version we have so far in our smartcard. I need a few days to make it more general than verifying my own profile of RSTR!

If I understand correctly, there is no way to get a useful trace from WCF, especially at the WS-SecureConversation level. I already have complete tracing for my own code.

Currently I'm not far from the solution because I'm able to extract the claims from my complete RSTR; the last problem may be in the signature at the WS-SecureConversation level. Interoperability testing is really a tough topic with CardSpace and WCF... It took us quite some time to figure out that MS doesn't exactly follow the standard for key derivation, with "WS-SecureConversation" being replaced by "WS-SecureConversationWS-SecureConversation". I hope that there are not too many things like this in the MS implementation!

Thks & rgds
Olivier

orouit at 2007-8-30
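As an added example (not the poster's verifier, nor WCF code), here are the two key-derivation steps the thread keeps coming back to, in Python: the WS-Trust CK/PSHA1 computed key, P_SHA1(EntREQ, EntRES) over the requestor's and issuer's entropy, and the WS-SecureConversation DerivedKeyToken key, which is the byte range at the given offset/length of P_SHA1(secret, label + nonce). The label is a parameter so that a verifier can try both the "WS-SecureConversation" label the poster expected and the concatenated "WS-SecureConversationWS-SecureConversation" he observed WCF using; with identical secret and nonce the two labels give unrelated keys, which is exactly the interoperability failure described above. P_SHA1 is the TLS-style expansion (A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1)), output = HMAC-SHA1(secret, A(i) + seed) concatenated). The entropy and nonce bytes are constructed test values, and the function names are my own.

```python
import hashlib
import hmac

# Labels a verifier may need to try. Which one a peer uses is a configuration
# question; the thread reports WCF using the concatenated form.
SPEC_LABEL = b"WS-SecureConversation"
WCF_LABEL = b"WS-SecureConversationWS-SecureConversation"

# Constructed test values (not from any real exchange). In a real RST/RSTR the
# requestor entropy sits in the RST, the issuer entropy in the RSTR, and the
# nonce in each wsc:DerivedKeyToken; it is this nonce the WCF tracer strips.
REQ_ENTROPY = bytes(range(0x00, 0x10))
RES_ENTROPY = bytes(range(0x10, 0x20))
NONCE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion as used by WS-Trust (CK/PSHA1) and WS-SecureConversation.

    A(0) = seed; A(i) = HMAC_SHA1(secret, A(i-1))
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    truncated to `length` bytes.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(requestor_entropy: bytes, issuer_entropy: bytes, key_size_bits: int) -> bytes:
    """WS-Trust wst:ComputedKey .../CK/PSHA1: P_SHA1(EntREQ, EntRES) of KeySize/8 bytes."""
    if key_size_bits % 8:
        raise ValueError("KeySize must be a multiple of 8 bits")
    return p_sha1(requestor_entropy, issuer_entropy, key_size_bits // 8)


def derived_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
                label: bytes = SPEC_LABEL) -> bytes:
    """WS-SecureConversation DerivedKeyToken: bytes [offset, offset+length) of
    P_SHA1(secret, label + nonce). Generation-based tokens map to offset = generation * length."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def interop_keys(key_size_bits: int = 128) -> dict:
    """Derive the session key from the entropies, then the first AES-128-sized
    derived key under both labels, so the mismatch is visible side by side."""
    secret = computed_key(REQ_ENTROPY, RES_ENTROPY, key_size_bits)
    return {
        "session_key": secret.hex(),
        "derived_spec_label": derived_key(secret, NONCE, 0, 16, SPEC_LABEL).hex(),
        "derived_wcf_label": derived_key(secret, NONCE, 0, 16, WCF_LABEL).hex(),
    }


if __name__ == "__main__":
    for name, value in interop_keys().items():
        print(f"{name:20s} {value}")
```

A verifier that recomputes the derived key and then checks the WS-Security signature or decryption under it needs the nonce from the DerivedKeyToken; without it neither label variant can be reproduced, which is why the trace with nonces removed was useless and a sniffed capture was needed.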
# 3

You can get a full message trace of the WS-Trust and WS-SecureConversation messaging using SvcTraceViewer. See my post here:

http://www.dasblonde.net/PermaLink,guid,4ff5ef04-06cd-498e-85bb-a9556e87dd79.aspx

MicheleLerouxBustamante at 2007-8-30
# 4

Thks Michele,

I have already been using the trace for quite some time, but the problem is that the trace removes the Nonce used to compute the DerivedKey, which makes it useless...

However, we finally managed to run a complete sample on the WCF CTP of July and on separate machines; then with Ethereal we "sniffed" the exchanges between the client and STS, and I finally managed to get my RST/RSTR reference :-)

Now I should be able to see why my RSTR is rejected by the framework and also improve my validation program, because the configuration we are using now is a bit different from the previous one!

The interoperability issue is a long way, but I think I can see the exit of the tunnel soon!

Thks to all

Olivier

orouit at 2007-8-30
