EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Certificate chain question

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.
#12331
Posted: 02/07/2010 13:35:40
by Roland . (Basic support level)
Joined: 02/07/2010
Posts: 7

Hello,

We are working with the PKI and SSL (client) boxes (and XML but that's irrelevant). I'm using an HTTPSClient to connect with a webservice, using a private certificate which is supplied in PFX form.
I'm able to build the SSL connection, by giving the HTTPSClient the certificates from the chain one by one, as X509Certificate objects, which are loaded from already split PEM files etc.

The way we want it to work is to install the PFX certificate in Windows and let our application get it from the Windows storage. Another possibility is to load it from the PFX file into an X509Certificate object.
Both cases leave us with a certificate object which only seems to contain the original certificate + key, not the other certificates in the chain. The Chain property of that certificate object is also empty.

So, how do I get the certificates in the chain out of that certificate object, to give to the HTTPSClient separately?

(When viewing the certificate in Windows dialogs, the chain is visible, they are all there in the pfx file, or in the Windows certificate entry)

Thanks in advance.
#12332
Posted: 02/07/2010 14:55:59
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Use TElMemoryCertStorage class and its LoadFromStreamPFX() to load multiple certificates stored in a single PFX file. Once loaded, you can access individual certificates using the Certificates[] property.

If an end-entity certificate is taken from one of Windows system stores, it is your task to build the chain by browsing all the system stores and searching for the certificates forming the chain up to the root one.
#12333
Posted: 02/07/2010 15:07:36
by Eugene Mayevski (EldoS Corp.)

If you load the certificate from PFX, then it's easy -- create an instance of TElMemoryCertStorage and use its LoadFrom*PFX() method to load all certificates from the PFX. You don't even need to get the chain - just assign storage to ClientCertStorage property of TElHTTPSClient.


With Windows certificate storage the procedure is more complicated. You need to set SystemStores property to the list of stores, which includes at least MY, CA and ROOT. This is where the chain elements are most likely to be located.
Next you need to find the index of the certificate that you need in TElWinCertStorage. Next, iterate through Chains[] property and find the index of the chain, which is equal to the index of certificate. Example (in pseudocode):

CertIdx = FindCertificate();
for i = 0 to Storage.ChainCount - 1
{
    if Storage.Chains[i] == CertIdx then
    {
        Chain = BuildChain(i);
        break;
    }
}

The chain is a new object that you need to delete when it's not needed anymore.

After you get the chain,


Sincerely yours
Eugene Mayevski
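The store-walking procedure described in the two replies above (find the end-entity certificate, then search MY, CA and ROOT for the certificates forming the chain up to the root), written out as an added example. This is not code from the thread or from SecureBlackbox: the CertRecord type, the STORES dictionary and all fingerprints and names are constructed sample data, and chain links are matched by subject/issuer name as a simplification. It also covers the failure mode of a missing intermediate and shows that only the selected certificate plus its chain, not the whole system store, ends up in the client storage.

```python
# Added example: models "browse MY, CA and ROOT and walk up to the root".
# CertRecord and STORES are constructed sample data, not real certificates
# and not any SecureBlackbox API.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CertRecord:
    fingerprint: str        # constructed label standing in for the thumbprint
    subject: str
    issuer: str
    has_private_key: bool = False

    @property
    def self_signed(self) -> bool:
        # Simplification: a root is recognised by subject == issuer. Real code
        # should match AuthorityKeyIdentifier to SubjectKeyIdentifier and verify
        # the signature rather than trust names alone.
        return self.subject == self.issuer


# Constructed stand-in for the Windows MY, CA and ROOT system stores.
STORES: Dict[str, List[CertRecord]] = {
    "MY": [
        CertRecord("ee-01", "CN=client.example", "CN=Example Issuing CA", True),
        CertRecord("ee-02", "CN=other.example", "CN=Unrelated CA", True),
    ],
    "CA": [
        CertRecord("ca-01", "CN=Example Issuing CA", "CN=Example Root CA"),
        CertRecord("ca-02", "CN=Unrelated CA", "CN=Unrelated Root CA"),
    ],
    "ROOT": [
        CertRecord("root-01", "CN=Example Root CA", "CN=Example Root CA"),
        # "CN=Unrelated Root CA" is deliberately absent: ee-02's chain is incomplete.
    ],
}


class ChainError(Exception):
    """Raised when no complete chain up to a root can be assembled."""


def find_certificate(stores: Dict[str, List[CertRecord]], fingerprint: str) -> CertRecord:
    """Locate the end-entity certificate in any store (the FindCertificate() step)."""
    for certs in stores.values():
        for cert in certs:
            if cert.fingerprint == fingerprint:
                return cert
    raise ChainError(f"certificate {fingerprint} not found in any store")


def build_chain(stores: Dict[str, List[CertRecord]], end_entity: CertRecord,
                max_depth: int = 10) -> List[CertRecord]:
    """Walk issuer -> subject across all stores until a self-signed root is reached.
    Returns [end_entity, intermediates..., root]."""
    # Index every certificate from every store by subject name (last one wins if
    # two share a subject, which a real implementation must handle by key id).
    by_subject = {c.subject: c for certs in stores.values() for c in certs}
    chain = [end_entity]
    seen = {end_entity.fingerprint}
    current = end_entity
    while not current.self_signed:
        if len(chain) >= max_depth:
            raise ChainError("chain exceeds max_depth; refusing to continue")
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ChainError(f"issuer {current.issuer!r} of {current.subject!r} is in no store; "
                             "install the missing intermediate or root")
        if issuer.fingerprint in seen:
            raise ChainError("issuer loop detected")
        chain.append(issuer)
        seen.add(issuer.fingerprint)
        current = issuer
    return chain


def client_storage_contents(stores: Dict[str, List[CertRecord]], fingerprint: str) -> List[str]:
    """Fingerprints to place in the client certificate storage: only the selected
    certificate and its chain, never the whole system store."""
    end_entity = find_certificate(stores, fingerprint)
    if not end_entity.has_private_key:
        raise ChainError("selected certificate has no private key; it cannot authenticate the client")
    return [c.fingerprint for c in build_chain(stores, end_entity)]


if __name__ == "__main__":
    print(client_storage_contents(STORES, "ee-01"))   # ['ee-01', 'ca-01', 'root-01']
```

Running it for "ee-01" yields the three-element chain; asking for "ee-02" raises ChainError because its root is not installed, which is the situation to check for when a handshake fails after switching from a complete PFX to the Windows store.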
#12335
Posted: 02/07/2010 15:36:41
by Roland . (Basic support level)
Joined: 02/07/2010
Posts: 7

Hmm, I tried the LoadFromStreamPFX on a memory certificate storage, and after that the certificate count was 1. So I didn't continue with that because I thought it wasn't taking all of the certificates either.
#12337
Posted: 02/08/2010 14:22:30
by Roland . (Basic support level)
Joined: 02/07/2010
Posts: 7

I was typing a big reply here, but then I saw the storage property was ClientCertStorage. I wasn't paying attention; I was using the CertStorage (non-client).

It works very well now, just do LoadFrom*PFX and it works. Thanks.

But why can't I find the ClientCertStorage on the online documentation of the HTTPSClient class? Then I would've found it much sooner I think.
I see that I can't assign a Windows cert storage to it, so it'll probably only accept MemoryCertStorages.

When I want to integrate it with Windows cert storage, isn't it possible to just find the Certificate in the Windows storage object, and with that certificate object do HTTPSClient.ClientCertStorage.Add( certificateobject ); ?
I will try this myself another time.
#12339
Posted: 02/08/2010 15:51:49
by Roland . (Basic support level)
Joined: 02/07/2010
Posts: 7

Oh, another question. Because of the SSL I can't check it myself, but how does the HTTPSClient handle 'special' chars.
My instructions are to do an HTTP Post, with some XML given as a parameter (named 'body'). It will contain carriage returns and linefeeds, and likely Unicode chars etc. How should I present this data to the HTTPSClient post function? Does it do all of this conversion (so it's HTTP valid) itself? Maybe then I can just give a stringlist containing body=xmlmessage, or a stringstream? Thanks in advance.
If it weren't for SSL and if I had any view on the server side, I would find out myself. Now it reads my message as invalid, but that could be because of anything at this time.
#12341
Posted: 02/08/2010 23:25:29
by Eugene Mayevski (EldoS Corp.)

Quote
Roland . wrote:
But why can't I find the ClientCertStorage on the online documentation of the HTTPSClient class? Then I would've found it much sooner I think. I see that I can't assign a Windows cert storage to it, so it'll probably only accept MemoryCertStorages.


It's described in the ancestor class.

Windows Certificate storage is not accepted because it contains lots of certificates, and you don't want to send them all, do you?

Quote
Roland . wrote:
When I want to integrate it with Windows cert storage, isn't it possible to just find the Certificate in the Windows storage object, and with that certificate object do HTTPSClient.ClientCertStorage.Add( certificateobject ); ?


That's how it's supposed to be used.

Quote
Roland . wrote:
My instructions are to do an HTTP Post, with some XML given as a parameter (named 'body'). It will contain carriage returns and linefeeds, and likely Unicode chars etc. How should I present this data to the HTTPSClient post function? Does it do all of this conversion (so it's HTTP valid) itself? Maybe then I can just give a stringlist containing body=xmlmessage, or a stringstream? Thanks in advance.


This has been discussed just recently in another topic, "HTTPS Post". Please read it.


Sincerely yours
Eugene Mayevski


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.