Microsoft’s CardSpace: Part 3 – Using a Card

Published: 12 Jan 2007
By: Tomas McGuinness

This article is the final part in a series of articles designed to get you up and running with Microsoft's CardSpace technology. This part deals with consuming the card we created and accessing the details contained within it. It assumes a good working knowledge of C# and ASP.NET.

Introduction

In parts one and two we learned how to set up a server to accept a user card, and we also learned how to enable a user to submit a card. In the following sections we're going to learn how to decrypt the card that has been sent to us by the card selector. Once the card has been decrypted we're going to access the information contained within it and display it within a web page.

Decrypting the Card

So, once a user has selected and sent a card to our application, what do we do with it? For starters, the information transmitted to us travels over a secure SSL connection and, in addition, the token itself is encrypted. It is XML, but we have a little work to do before we can actually read and consume it.

If you go back to the sample application you created, you'll recall that the encrypted token is submitted as a standard HTTP form variable called xmlToken. This was the name given to the information card object element you created. In order to view this token you need to create a page called CardProcessor.aspx, which was the target of the form. In our application it will be the responsibility of CardProcessor.aspx to extract and decrypt the token and then simply display the information contained within the card.

<%@ Page Language="C#" Debug="true" ValidateRequest="false"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
  protected void Page_Load(object sender, EventArgs e) 
  {
    // Display the raw posted token. Encode it first: anything can be POSTed to this page,
    // and request validation has been switched off in the Page directive.
    Label1.Text = Server.HtmlEncode(Request.Params["xmlToken"]);
  }
</script>

<html>
<head id="Head1" runat="server">
  <title>CardProcessor test page</title>
</head>

<body>
  <form id="form1" runat="server">
    <div>
      The value of the token is:
      <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
    </div>
  </form>
</body>
</html>

This is a very simple form with one goal: to display the contents of the card that is submitted. ValidateRequest is set to false in the Page directive because the posted token is XML, which ASP.NET's request validation would otherwise reject as potentially dangerous input; the page must therefore treat that input as untrusted. Starting with login.htm, select a card. This will then redirect you to CardProcessor.aspx and you'll be able to see the encrypted card details. It should look something like this snippet.

1H3mV/pJAlVZAst/Dt0rqbBd67g=e+63xBFdkPYFxOn0oIIj0bJ4P5l4Dl8f4neqZgI +91R+eUGPrJPPfCd40Ilf66cWIz1Lr3po2nI2huF5wWqEOAoqutcHT BiMaFUAUNnrQbIdySxCsv…

Fortunately Microsoft has, as part of the sample kit you downloaded, included a type called Token which takes care of all the decryption and processing of the XML card. I'm not going to cover this class in detail as it mainly contains certificate-based decryption, which is outside the scope of this article. If you are interested, however, do open the class and take a look. This will allow you to roll your own class if you see fit. To begin, the xmlToken string must be decrypted.

From the sample you downloaded you should be able to find, in the website/App_Code directory, a file called TokenProcessor.cs. This file contains the Token class I just mentioned. Add this file into your own App_Code directory in Visual Studio. Once you’ve done this you’ll need to modify CardProcessor.aspx to call this class so that we can access the details of our Identity Card.

Remove the <script> block from CardProcessor.aspx and open the code-behind page. Add the following code to the Page_Load method:

// Decrypt the posted token with the site's certificate and list the claims it carries.
Token t = new Token(Request.Params["xmlToken"]);
ClaimSet claims = t.IdentityClaims;
foreach (Claim c in claims)
{
  // Encode before writing: a self-issued card's values are typed in by the user.
  Response.Write(Server.HtmlEncode(c.ClaimType) + ":" + Server.HtmlEncode(c.Resource.ToString()) + "<br />");
}

Showing the Card information

You'll need to import the System.IdentityModel.Claims namespace and also the Microsoft.IdentityModel.TokenProcessor namespace for the code to compile correctly. This code will decrypt the token, access the claims within it and output them to the page. If you navigate back to login.htm, select a card and submit it, you should see a page with this information on it:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:Tomas
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:McGuinness
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: tomas@idontwantspam.net
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier: dio5cXHTu3V4nr92C/6/fXVuWBpQ5cUvYr5hiFTQis0=

These are the four pieces of information contained within the card that I submitted. The privatepersonalidentifier uniquely identifies our card.
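As an added example (not the article's or the sample kit's code), here is how a site might consume the claims listed above: map the claim URIs to friendly names, pick out the privatepersonalidentifier as the account key, and HTML-encode the values before they reach a page. The ClaimSet returned by BuildSampleClaims is constructed to stand in for Token.IdentityClaims, so the example runs without a card or a certificate.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Text;
using System.Web;

public static class CardClaims
{
    const string Ns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";
    public const string Ppid = Ns + "privatepersonalidentifier";
    static readonly Dictionary<string, string> Friendly = new Dictionary<string, string>
    {
        { Ns + "givenname", "First name" }, { Ns + "surname", "Last name" },
        { Ns + "emailaddress", "Email" },   { Ppid, "PPID" },
    };

    // The PPID is the account key: CardSpace derives it from the card and the site's own
    // certificate, so one card gives this site the same PPID every time and other sites a
    // different one. Returns null when the claim is absent, so the caller can refuse the login.
    public static string GetPpid(ClaimSet claims)
    {
        foreach (Claim c in claims.FindClaims(Ppid, Rights.PossessProperty))
            return c.Resource as string;
        return null;
    }

    // Renders "Friendly name: value" lines. Values are HTML-encoded because a self-issued
    // card's givenname, surname and email are typed in by the user and vetted by nobody.
    public static string RenderHtml(ClaimSet claims)
    {
        var sb = new StringBuilder();
        foreach (Claim c in claims)
        {
            string name;
            if (!Friendly.TryGetValue(c.ClaimType, out name)) name = c.ClaimType;
            sb.Append(HttpUtility.HtmlEncode(name)).Append(": ")
              .Append(HttpUtility.HtmlEncode(Convert.ToString(c.Resource))).Append("<br />\n");
        }
        return sb.ToString();
    }

    // Constructed stand-in for Token.IdentityClaims; the PPID value is the one shown in the article.
    public static ClaimSet BuildSampleClaims()
    {
        return new DefaultClaimSet(
            new Claim(Ns + "givenname", "Tomas", Rights.PossessProperty),
            new Claim(Ns + "surname", "<b>McGuinness</b>", Rights.PossessProperty),
            new Claim(Ppid, "dio5cXHTu3V4nr92C/6/fXVuWBpQ5cUvYr5hiFTQis0=", Rights.PossessProperty));
    }
}
```

In CardProcessor.aspx you would pass t.IdentityClaims to GetPpid and RenderHtml in place of the sample ClaimSet; the surname above carries markup only to show that RenderHtml neutralises it.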

Now, a word of warning. The first time I ran this application I got an exception:

System.Security.Cryptography.CryptographicException: Keyset does not exist

A quick search on Google (where would I be without it?) and I found the answer in an MSDN forum thread. Since the card is encrypted using the Fabrikam certificate, our application needs read access to the private key component of that certificate in order to decrypt our card. Follow the steps outlined in this post. It basically involves granting read permissions on the private key to the ASPNET user. If you are using IIS 6, grant permission to the NETWORK SERVICE user instead. FindPrivateKey.exe should be in the bin directory of the sample you downloaded. If you can't find it, please email me and I can supply you with it.
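The fix described above, as an added example rather than code from the article or the sample kit: it does in C# what FindPrivateKey.exe followed by cacls does, resolving the certificate's private key file and granting the web process account read access. It assumes the Fabrikam certificate is in the LocalMachine\My store (so its key file lives under MachineKeys) and that the subject name and account in Main are placeholders you replace with your own; run it as an administrator.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PrivateKeyAccess
{
    // Resolves the certificate's CAPI key container to the file that holds the private key.
    public static string FindPrivateKeyFile(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0) throw new InvalidOperationException("certificate not found: " + subjectName);
            var rsa = found[0].PrivateKey as RSACryptoServiceProvider;
            if (rsa == null) throw new InvalidOperationException("certificate has no accessible RSA private key");
            // Machine-store keys live under <CommonApplicationData>\Microsoft\Crypto\RSA\MachineKeys.
            string machineKeys = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
            return Path.Combine(machineKeys, rsa.CspKeyContainerInfo.UniqueKeyContainerName);
        }
        finally { store.Close(); }
    }

    // Grants Read only: the web account needs to use the key, never to replace or delete it.
    public static void GrantRead(string keyFile, string account)
    {
        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
    }

    public static void Main()
    {
        // Placeholders: your certificate's subject name, and the ASPNET account or,
        // on IIS 6, NETWORK SERVICE.
        string keyFile = FindPrivateKeyFile("www.fabrikam.com");
        GrantRead(keyFile, @"NT AUTHORITY\NETWORK SERVICE");
        Console.WriteLine("Read access granted on " + keyFile);
    }
}
```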

Conclusion

So that’s it. You’ve just completed a simple end to end application that uses CardSpace. Where do we go from here?

If you currently have a website that requires users to create an account before they can access its features, you can now present them with an alternative. Instead of using a username to identify them, you can use the value contained within the privatepersonalidentifier. That way they can simply submit the same card to identify themselves to your website.

Having done this, there should be one question on your mind: what if your user is sitting in an internet café and wants to access your site? Their identity card is sitting on their PC, potentially thousands of miles away. Are they required to create a new account? I'm going to cover these particular scenarios in detail in several posts I'm planning for my blog.

If you have any comments or questions please don’t hesitate to contact me. I hope you’ve learned as much from reading these posts as I have from writing them.

References

Microsoft’s CardSpace: Part 1 – Getting started
Microsoft's CardSpace: Part 2 - Creating and using your first identity card

About Tomas McGuinness

Tom McGuinness is currently working as an application developer for Barclays Capital in London. He has worked primarily in web application development for a variety of companies.
