Thursday, November 14, 2013

Encrypt XML Content with X.509 Certificates

On MSDN, there is some help how to encrypt XML elements with certificates, for example here: How To: Encrypt XML Element with X.509 Certificates

However, what is missing, is advice about how to encrypt XML content, i.e. in the famous XML example
<root>
  <creditcard>
    <number>19834209</number>
    <expiry>02/02/2002</expiry>
  </creditcard>
</root>


you might not want to decrypt the whole <creditcard> element, but rather its two subnodes <number> and <expiry>. This is necessary when the http://www.w3.org/2001/04/xmlenc#Content standard is used.


I just reuse the code from the how-to-article and add specific lines for the content-encryption:

For Encryption, you use this method:

public static XmlDocument Encrypt(XmlDocument doc, string elementToEncryptName, X509Certificate2 cert)
{
    // Check the arguments.
    if (doc == null)
        throw new ArgumentNullException("doc");
    if (elementToEncryptName == null)
        throw new ArgumentNullException("elementToEncryptName");
    if (cert == null)
        throw new ArgumentNullException("cert");

    ////////////////////////////////////////////////
    // Find the specified element in the XmlDocument
    // object and create a new XmlElemnt object.
    ////////////////////////////////////////////////
    XmlElement elementToEncrypt = doc.GetElementsByTagName(elementToEncryptName)[0] as XmlElement;

    // Throw an XmlException if the element was not found.
    if (elementToEncrypt == null)
    {
        throw new XmlException("The specified element was not found");

    }

    //////////////////////////////////////////////////
    // Create a new instance of the EncryptedXml class
    // and use it to encrypt the XmlElement with the
    // a new random symmetric key.
    //////////////////////////////////////////////////

    // Create a 256 bit Rijndael key.
    RijndaelManaged sessionKey = new RijndaelManaged();
    sessionKey.KeySize = 128;

    // Set RSA crypto provider to certificate's public key
    RSACryptoServiceProvider alg = (RSACryptoServiceProvider) cert.PublicKey.Key;

    // Encrypt the content of the XML element
    EncryptedXml eXml = new EncryptedXml();
    byte[] encryptedElement = eXml.EncryptData(Encoding.UTF8.GetBytes(elementToEncrypt.InnerXml), sessionKey);

    ////////////////////////////////////////////////
    // Construct an EncryptedData object and populate
    // it with the desired encryption information.
    ////////////////////////////////////////////////

    EncryptedData edElement = new EncryptedData();
    edElement.Type = EncryptedXml.XmlEncElementContentUrl;
    //edElement.Id = encryptionElementId;

    // Create an EncryptionMethod element so that the
    // receiver knows which algorithm to use for decryption.
    edElement.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES128Url);

    // Encrypt the session key and add it to an EncryptedKey element.
    EncryptedKey ek = new EncryptedKey();

    byte[] encryptedKey = EncryptedXml.EncryptKey(sessionKey.Key, alg, true);

    ek.CipherData = new CipherData(encryptedKey);

    ek.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl);

    edElement.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));

    //// Create a new KeyInfo element.
    KeyInfo ki = new KeyInfo();
    ki.AddClause(new KeyInfoX509Data(cert, X509IncludeOption.EndCertOnly));

    // Add the KeyInfoName element to the
    // EncryptedKey object.
    ek.KeyInfo = ki;

    // Add the encrypted element data to the
    // EncryptedData object.
    edElement.CipherData.CipherValue = encryptedElement;

    ////////////////////////////////////////////////////
    // Replace the element from the original XmlDocument
    // object with the EncryptedData element.
    ////////////////////////////////////////////////////
    EncryptedXml.ReplaceElement(elementToEncrypt, edElement, true);
    sessionKey.Clear();

    return doc;
}


The decryption can be taken from the MSDN example:
public static XmlDocument Decrypt(XmlDocument doc)
{
    // Check the arguments. 
    if (doc == null)
        throw new ArgumentNullException("doc");

    // Decrypt the XML document, with the help of the private key from the certification store
    EncryptedXml exml = new EncryptedXml(doc);
    exml.DecryptDocument();

    return doc;
}


The calling code will be:

X509Certificate2 cert = new X509Certificate2("xxx.pfx", "xxx");
var encrypted = Encrypt(xmlDoc, "creditcard", cert);
var decrypted = Decrypt(encrypted);

Thursday, July 4, 2013

SftpException "List remote directory error"

If you get this error message in the BTS2013 SFTP adapter:

The Messaging Engine failed to add a receive location "TestFTP_FTPOUTIN" with URL "sftp://ehavftp6402.eha.net:22/IN/*.xml" to the adapter "SFTP". Reason: "Microsoft.BizTalk.Adapter.SftpInvoker.SftpException: List remote directory error.

... the adapter can't find the directory at the remote server. Just add a slash ("/") before the folder name in the FolderPath field of the Receive Location adapter configuration.

Tuesday, July 2, 2013

ActionNotSupported after WSCF

After using WSCF to generate code from a WSDL, I receveied an ActionNotSupported-Fault from the webservice. The exception said furthermore (in German):
Die Nachricht mit Action "http://www.energylink.at/datenplattform/ws20/ENERGYLINKTransaction" kann aufgrund einer fehlenden ContractFilter-Übereinstimmung beim EndpointDispatcher nicht verarbeitet werden. Mögliche Ursachen: Vertragskonflikt (keine Action-Ãœbereinstimmung zwischen Sender und Empfänger) oder ein Bindung/Sicherheit-Konflikt zwischen dem Sender und dem Empfänger.  Stellen Sie sicher, dass Sender und Empfänger über den gleichen Vertrag und die gleiche Bindung verfügen (einschließlich Sicherheitsanforderungen, z. B. "Message", "Transport", "None")

If you run into this exception, check the Action, that has been generated in the code for the interface. Most probably, a wrong action had been created. It has to be the same that is written in your WSDL.

Friday, May 24, 2013

Visual Studio 2013 enables Build and Deploy after Migration


Just to know when you migrate from VS2010 to VS2012: The configuration manager can change an inactive project so that it would be build and deployed. So just check the configuration manager after migrating.

EDIOverride Properties have been renamed

Short info: When migrating from BizTalk 2010 to BizTalk 2013, you have to adapt the EDIOverride properties. For example, the property Unb21 is now called UNB2_1.
The EDIOverride properties are stored in Microsoft.BizTalk.Edi.BaseArtifacts.dll.