EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Client Cert for SOAP

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#11660
Posted: 11/12/2009 17:17:38
by Chris Thornton (Basic support level)
Joined: 11/12/2009
Posts: 2

Hello Eldos,
I am writing a SOAP client that will need to attach a client-side certificate for presentation to the server (actually a Cisco ACE device). My understanding of the process is that I would read a cert from a .pfx or .pem file, and insert into the http by calling InternetSetOption. ex:
WinInet.InternetSetOption( Data, INTERNET_OPTION_CLIENT_CERT_CONTEXT, PCertContext, Sizeof( CERT_CONTEXT ) )

Using the CertDemo application, I see how to load the cert. But I don't see a way to make that cert available to InternetSetOption directly. I CAN load into a store, and that'll work. But I'd rather not make any assumptions about what certs may or may not be in the "my" or machine stores. I'd rather just grab the cert from a disk file, pre-emptively load it into the THTTPReqResp, and be done with it.

We have BlackBox, and I think I can just use a few of your libraries, using the CertDemo app as a template. I've just got the disconnect between loading the cert, and making it available to the THTTPReqResp. I'm currently exploiting the OnBeforePost event:
HTTPRIO1.HTTPWebNode.OnBeforePost := OnBeforePost2

And then in OnBeforePost2, I load the cert. And then I'm not sure what to do next. I found an example somewhere that dealt with Capicom, and I don't want to go down that road...
Any guidance is appreciated!
--
Chris Thornton
#11668
Posted: 11/13/2009 10:57:35
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

SBB does not use CryptoAPI (except when dealing with certificates available in the system stores), and that's why it cannot give you a CERT_CONTEXT object unless the certificate is stored in one of the system stores. So the only solution would be to put the client certificate to some system store before HTTPS authentication is performed and remove it from there once the authentication is over. There is no need in using MY or any other predefined store -- you can create an individual store for your application's purposes.

For the certificates originating from Windows system store, use TElX509Certificate.CertHandle property to get the PCCERT_CONTEXT pointer.
#11696
Posted: 11/16/2009 16:33:21
by Chris Thornton (Basic support level)
Joined: 11/12/2009
Posts: 2

Thanks, this is helpful.
I don't have TElX509Certificate.CertHandle though. Maybe too old? I see the PCCERT_CONTEXT mentioned in the source code, SBX509 and SBWinCrypt. That code seems pretty low-level though.
I find that If I just load the cert into the win storage, everything works. But if there are multiple certs, the user is prompted with a dialog box. And I've been told that we probably WILL have multiple certs.

Ah, here's our version:
SecureBlackbox - version 4.0.64 - Released Neverember 32, 2005
Am I correct that it's too old to have the exposed CertHandle?
#11698
Posted: 11/16/2009 23:47:18
by Ken Ivanov (EldoS Corp.)

Yes, version 4 is quite old and does not expose this property.

As an option, you can use CryptoAPI to list system certificates and obtain the needed PCCERT_CONTEXT object. The corresponding code can be extracted from SBB (see the implementation of TElWinCertStorage.Open method). In general words, you need to open the store with CertOpenStore function and then list the certificates contained in it with CertEnumCertificatesInStore function until the needed one is found.
#14298
Posted: 08/26/2010 06:21:40
by mitja lojk (Basic support level)
Joined: 08/26/2010
Posts: 6

Hi!
I have a problem, with a webservice, that I've created using WSDL_Importer in Delphi6.
It connects to an https:\\.. URL, and when I try to communicate the response is :

Quote

"A certificate is required to complete client authentication - URL:https://testeizm.....


I've learned, that probably the problem should be solved using WinInet.InternetSetOption ,to set the proper certificate before trying to connect. (on THTTPRIO OnBeforePost )

Is there any sample on, how to do it with Blackbox components like TElWinCertStorage ,TElCustomCertStorage ....

I've already checked the samples on the BlackBox installation, but I don't find anything useful.
#14299
Posted: 08/26/2010 07:35:19
by Eugene Mayevski (EldoS Corp.)

SecureBlackbox doesn't work with THTTPRIO due to bad design of the latter. We just can't hook there in any way. I recommend using RemObjects for SOAP. It's great itself and you can use secureBlackbox with it


Sincerely yours
Eugene Mayevski
Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.

Reply

Statistics

Topic viewed 22098 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!