
I'm trying to encrypt data on client side using WCF service certificate (public key) and decrypt it on server side using certificate private key. Does anyone know how to get access to current certificate in WCF service?

On client side it was easy to implement, I needed only to handle ServerCertificateValidationCallback.

I tried to access it by OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets, but every time it is null in my service.

Hawex
  • WCF already uses certificates. You don't need to deal with certificates in code. `ServerCertificateValidationCallback` is only needed to *disable* certificate validation, a rather risky idea only suitable during debugging or when calling services whose owners let their certificates expire – Panagiotis Kanavos May 15 '19 at 10:29
  • Possibly a duplicate [How to enable HTTPS in WCF service](https://stackoverflow.com/questions/26784776/how-to-enable-https-in-wcf-service) – Panagiotis Kanavos May 15 '19 at 10:30
  • @Panagiotis Kanavos - I know that WCF handles it. I just need to encrypt custom data on client side, just to make sure that it will be encrypted end-to-end even if I use Transport security mode. – Hawex May 15 '19 at 10:32
  • In that case, the duplicate is *indeed* a duplicate - you need to *disable* HTTP connections, not use some custom encryption. HTTPS *encrypts* the data so you *are* sure they are encrypted end-to-end. Especially if you *don't* disable certificate validation. Debugging proxies or hacked routers use invalid certificates to intercept HTTPS traffic. With validation enabled (the default) WCF won't connect if there's any problem with the certificate – Panagiotis Kanavos May 15 '19 at 10:33
  • HTTPS connection does not provide end-to-end security, it's only point-to-point. I need to secure part of my request like in Message security mode, but by using Transport security mode. – Hawex May 15 '19 at 10:36
  • First, that "point" is the target service. You can even specify the certificate you want. If you *don't* use that `ServerCertificateValidationCallback`, intermediaries won't be able to intercept your message. In any case, WCF itself provides standards-based encryption [at the message level](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-in-wcf). Again, you *don't* need to create your own encryption that won't work with anyone else – Panagiotis Kanavos May 15 '19 at 10:37
  • What you ask is described in [How to: Secure a Service with an X.509 Certificate](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-secure-a-service-with-an-x-509-certificate). Claims have nothing to do with encryption anyway, they're only used in authentication and authorization. – Panagiotis Kanavos May 15 '19 at 10:40
  • @PanagiotisKanavos In my case I need to encrypt a file, which will be sent as a response to the client using a stream. To achieve this I want to dynamically generate a key for symmetric encryption, encrypt this key using the certificate public key, and send it in the method arguments. For security, I want to encrypt the symmetric key before it goes to the transport layer. On the server side I just want to simply decrypt the key using the certificate private key, encrypt the file and send it as a stream to the client. Is this a bad way to achieve this? How can I provide stream encryption before the transport layer? – Hawex May 15 '19 at 11:05

0 Answers
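The scheme the asker sketches in the last comment (client wraps a fresh symmetric key with the service certificate's public key, service unwraps it with the private key and encrypts the response) written out as an added C# example; this is not code from the question, the comments, or WCF itself. It assumes the service host was configured with a service certificate that has a private key (the `serviceCredentials/serviceCertificate` configuration), reads it through `OperationContext.Current.Host.Credentials.ServiceCertificate.Certificate` rather than through claim sets, and uses AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) because CBC alone gives no integrity. A second key for the MAC is generated and wrapped together with the AES key so that a single RSA-OAEP operation carries both.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example, not from the question, its comments, or the WCF library.
// Layout of an encrypted blob: IV (16) || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext) (32).
public static class HybridCrypto
{
    const int KeyBytes = 32;   // AES-256 key and HMAC-SHA256 key, 32 bytes each
    const int IvBytes = 16;
    const int TagBytes = 32;

    // Client side: generate AES key + MAC key and wrap both under RSA-OAEP(SHA-256).
    // A 2048-bit RSA key with OAEP-SHA256 can carry up to 190 bytes, so 64 bytes fit.
    public static byte[] WrapNewKeys(X509Certificate2 serviceCert, out byte[] rawKeys)
    {
        rawKeys = new byte[2 * KeyBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(rawKeys);
        using (RSA rsa = serviceCert.GetRSAPublicKey())
            return rsa.Encrypt(rawKeys, RSAEncryptionPadding.OaepSHA256);
    }

    // Service side: the certificate configured on the hosting ServiceHost.
    // Assumption: the host was configured with a certificate that carries its private key.
    public static X509Certificate2 CurrentServiceCertificate()
    {
        var cert = OperationContext.Current.Host.Credentials.ServiceCertificate.Certificate;
        if (cert == null || !cert.HasPrivateKey)
            throw new InvalidOperationException("No service certificate with a private key is configured.");
        return cert;
    }

    public static byte[] UnwrapKeys(X509Certificate2 serviceCert, byte[] wrappedKeys)
    {
        using (RSA rsa = serviceCert.GetRSAPrivateKey())
        {
            byte[] raw = rsa.Decrypt(wrappedKeys, RSAEncryptionPadding.OaepSHA256);
            if (raw.Length != 2 * KeyBytes)
                throw new CryptographicException("Unexpected wrapped key length.");
            return raw;
        }
    }

    public static byte[] Encrypt(byte[] rawKeys, byte[] plaintext)
    {
        byte[] aesKey = Slice(rawKeys, 0, KeyBytes);
        byte[] macKey = Slice(rawKeys, KeyBytes, KeyBytes);
        using (var aes = Aes.Create())          // default mode is CBC with PKCS7 padding
        {
            aes.Key = aesKey;
            aes.GenerateIV();                    // fresh random IV per message
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] ivAndCt = Concat(aes.IV, ct);
            using (var hmac = new HMACSHA256(macKey))
                return Concat(ivAndCt, hmac.ComputeHash(ivAndCt));
        }
    }

    public static byte[] Decrypt(byte[] rawKeys, byte[] blob)
    {
        byte[] aesKey = Slice(rawKeys, 0, KeyBytes);
        byte[] macKey = Slice(rawKeys, KeyBytes, KeyBytes);
        if (blob.Length < IvBytes + TagBytes)
            throw new CryptographicException("Truncated input.");
        byte[] ivAndCt = Slice(blob, 0, blob.Length - TagBytes);
        byte[] tag = Slice(blob, blob.Length - TagBytes, TagBytes);
        // Verify the tag before touching the ciphertext (no padding-oracle behaviour).
        using (var hmac = new HMACSHA256(macKey))
            if (!FixedTimeEquals(hmac.ComputeHash(ivAndCt), tag))
                throw new CryptographicException("Authentication tag mismatch.");
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            aes.IV = Slice(ivAndCt, 0, IvBytes);
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCt, IvBytes, ivAndCt.Length - IvBytes);
        }
    }

    static byte[] Slice(byte[] src, int offset, int count)
    {
        var dst = new byte[count];
        Buffer.BlockCopy(src, offset, dst, 0, count);
        return dst;
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        var dst = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, dst, 0, a.Length);
        Buffer.BlockCopy(b, 0, dst, a.Length, b.Length);
        return dst;
    }

    // Constant-time comparison so tag checking does not leak where the mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On the client, `WrapNewKeys` is called with the certificate obtained from the service endpoint and the wrapped bytes are passed as an operation argument; on the service, `UnwrapKeys(CurrentServiceCertificate(), wrapped)` recovers the keys and `Encrypt` produces the blob to stream back. As the comment thread notes, this reproduces what WCF message security already provides in a standard, interoperable form, so it is worth checking whether a `Message` or `TransportWithMessageCredential` security mode meets the requirement before maintaining a custom layer.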