EldoS | Feel safer!
Self-signed certificate

#12509
Posted: 02/20/2010 10:46:19
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hi,
a) I've created two self-signed certificates, both with the extensions we discussed lately (the RELOAD stuff).
b) I have a TLS client, which reads a PFX copy of its self-signed cert at startup and stuffs it into the ClientCertStorage property of its TElSecureClient object
c) The same with the server, but the server puts his certificate into the CertStorage property. ClientCertStorage is empty.

Both parties come together and exchange the certs (client auth is enabled). But while I'm trying to execute InternalValidate on the server, I'm getting cvStorageError.

Should I get this for self-signed certificates?

Regards
#12511
Posted: 02/20/2010 11:10:35
by Eugene Mayevski (EldoS Corp.)

TElSecureServer.CertStorage property contains certificates, used to authenticate the server.

To validate client's authentication on the server you need to load client's certificate into some storage and assign this storage to TElSecureServer.ClientCertStorage property.


Sincerely yours
Eugene Mayevski
#12513
Posted: 02/20/2010 13:30:29
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Cool. This is the code in OnCertificateValidate. Works (ReloadTLSServer is a descendant of TElSecureServer):

Quote
// OnCertificateValidate handler; X509Certificate is the event parameter carrying the client's certificate
TElMemoryCertStorage clientStorage = new TElMemoryCertStorage();
clientStorage.Add(X509Certificate, false); // false: do not copy a private key into the storage
(Sender as ReloadTLSServer).ClientCertStorage = clientStorage;

Thanks.
Regards
#12514
Posted: 02/20/2010 14:12:04
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Again me: On the client side I don't use OnCertificateNeededEx to provide the certificate. Instead I'm loading the cert during initialisation into a TElMemoryCertStorage, which is assigned to ClientCertStorage. This _seems_ to work, at least the client pushes the cert to the server. Is this basically OK?

Generally I have difficulties figuring out what the correct certificate validation procedure is. I have had a look into the knowledge base as well as into the samples and the forum, but couldn't find one answer for all. Obviously there are many roads to Rome? But what is the best?

Right now, I'm working with self-signed certificates, but later on I have to verify the certificates against a CA. Is this behavior correct in general?

1) Self signed without root CA
Server
* Init: Read the local cert into TElMemoryCertStorage and assign this to CertStorage
* Validation: Read the received certificate into a TElMemoryCertStorage and assign this to ClientStorage. Call server.InternalValidate() in order to validate.

Client
* Init: Read the local cert into TElMemoryCertStorage and assign this to ClientStorage
* Validation: ??

2) Signed with root CA
Server
* Init: Read the local cert into TElMemoryCertStorage and assign this to CertStorage, read the root certificate into the same storage
* Validation: Read the received certificate into a TElMemoryCertStorage and assign this to ClientStorage. Call server.InternalValidate() in order to validate.

Client
* Init: Read the local cert into TElMemoryCertStorage and assign this to ClientStorage, read the root certificate into the same storage
* Validation: ??

Validation is performed in OnCertificateValidate on both ends.


Or am I totally wrong?
#12517
Posted: 02/22/2010 02:06:39
by Ken Ivanov (EldoS Corp.)

Quote
On client side I don't use OnCertificateNeededEx to provide the certificate. Instead I'm loading the cert during intialisation into a TElMemoryCertStorage, which is assigned to ClientCertStorage. This _seems_ to work, at least the client pushes the cert to the server. Is this basically OK?

Yes. The client certificate can be passed to the component either via OnCertificateNeededEx event or by assigning the storage object to the ClientCertStorage property.

There is really no unique way for peer certificate validation. The exact procedure depends on the public key infrastructure being used. For example, the server may issue certificates directly to the clients without the use of an external CA. In this case, it would only have to browse over the list of the certificates it has issued to validate the connecting client. On the other hand, if an external CA is used, deep validation along with revocation checks should be performed. If the application uses a common PKI infrastructure that relies on Windows system trust settings, the certificate trust level is to be obtained based on the contents of the local system certificate stores etc., etc., etc.

If you are going to use certificates generated by third-party CAs integrated into the global PKI infrastructure, you will have to implement the validation procedure as described in RFC 5280, chapter 6. This is not an easy task, but validating certificates in such a way is required to guarantee the authenticity of the peer.

SBB 7.2 includes TElX509CertificateValidator component which implements this validation procedure. However, as you said that you do not have plans on upgrading, you will have to implement such functionality yourself if you plan to use global or big enterprise-wide PKI infrastructure.

InternalValidate() method and CertStorage property only provide means for very basic certificate validation. They are only suitable for the simplest cases when there is a list of explicitly trusted certificates to check the received certificate against.
#12522
Posted: 02/22/2010 03:41:34
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Thanks for the answer. If I say "Server" I always mean the server component of a RELOAD node, which consists of server and client.

Let's start with self signed certificates for both, the server and the client component. What would I have to do in order to validate? Is InternalValidate on both ends sufficient?

In future the overlay's enrollment server will act as a CA, the enrollment server is also the instance, which issues certificates.

Regards
#12526
Posted: 02/22/2010 05:37:55
by Ken Ivanov (EldoS Corp.)

Quote
Let's start with self signed certificates for both, the server and the client component. What would I have to do in order to validate? Is InternalValidate on both ends sufficient?

No. At least you should check the correctness of the information contained in the certificate and the correspondence of the certificate to the entity who provides it. InternalValidate() only validates the integrity of the certificate signature and thus only guarantees that the certificate is not corrupted.
#12527
Posted: 02/22/2010 07:30:14
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hmm. I think, that doesn't help me much...
What I do currently on "server" side:

1) Having setup TElSecureServer.CertStorage with the local certificate
2) Creating TElMemoryStorage from the received certificate and set this to ClientCertStorage
3) OnCertificateValidate: Calling TElSecureServer.InternalValidate

At least I get an OK and the self-signed information

But what do I have to do on my "client" side? TElSecureClient is set up with the local certificate. What do I have to do with the received server certificate in order to achieve basic validation? Client.InternalValidate fails...

Regards
#12529
Posted: 02/22/2010 08:20:58
by Ken Ivanov (EldoS Corp.)

The server-side steps are correct, but you will need to have the certificates of all your potential clients locally and put them to the storage bound to ClientCertStorage property before calling InternalValidate().

Quote
But what do I have to do on my "client" side? TElSecureClient is setup with the local certificate. What do I have do do with the received server certificate in order to achieve basic validation? Client.Internalvalidate fails...

The steps are exactly the same. The only difference is that you should assign the storage object containing known server certificates to the CertStorage property.

What failure exactly do you get with InternalValidate()?
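Ken's replies (#12517, #12526 and #12529) describe two different validation models: an explicit list of known, trusted certificates (what CertStorage/ClientCertStorage plus InternalValidate() gives you), and full RFC 5280 path validation against a CA (the enrollment-server model). The following is an added example written for this page, not SecureBlackbox code and not from the forum: it shows both models with Go's standard-library crypto/x509 and makes Ken's point in #12526 concrete, namely that an intact self-signature on its own proves nothing about who presented the certificate. The certificates, the names (node-1, node-2, enrollment-ca), the fingerprint-to-identity map and the Scenario() results are all constructed for illustration; revocation checking (CRL/OCSP) is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the test certificates

// newCert mints a constructed certificate for cn. With parent == nil it is self-signed;
// otherwise it is issued by parent (the "enrollment server acts as CA" model).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	serial++
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fingerprint is the SHA-256 of the DER encoding, the usual key for a list of pinned certificates.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ValidatePinned is the explicit-trust-list model. The self-signature check alone is what
// InternalValidate() gives you for a self-signed certificate: it proves the blob is intact and
// nothing more, since anyone can mint an intact self-signed certificate with the same name.
// The real decision is the fingerprint lookup plus the identity and validity-period checks.
func ValidatePinned(peer *x509.Certificate, trusted map[string]string, expectedID string, now time.Time) error {
	if err := peer.CheckSignature(peer.SignatureAlgorithm, peer.RawTBSCertificate, peer.Signature); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	if now.Before(peer.NotBefore) || now.After(peer.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	id, ok := trusted[Fingerprint(peer)]
	if !ok {
		return errors.New("certificate is not in the trusted list")
	}
	if id != expectedID || peer.Subject.CommonName != expectedID {
		return errors.New("certificate does not belong to the expected identity")
	}
	return nil
}

// ValidateChain is the CA model: RFC 5280 path validation to a trusted root plus an identity
// check. Revocation (CRL/OCSP) is not performed here and must be added for a real deployment.
func ValidateChain(peer *x509.Certificate, roots *x509.CertPool, expectedID string, now time.Time) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if peer.Subject.CommonName != expectedID {
		return errors.New("certificate does not belong to the expected identity")
	}
	return nil
}

// Scenario runs both models over constructed certificates and reports which checks pass.
func Scenario() map[string]bool {
	now := time.Now()
	node, _ := newCert("node-1", false, nil, nil)     // the known self-signed node
	impostor, _ := newCert("node-1", false, nil, nil) // same name, unknown key
	trusted := map[string]string{Fingerprint(node): "node-1"}
	ca, caKey := newCert("enrollment-ca", true, nil, nil)
	issued, _ := newCert("node-2", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return map[string]bool{
		"pinned_known":     ValidatePinned(node, trusted, "node-1", now) == nil,
		"pinned_impostor":  ValidatePinned(impostor, trusted, "node-1", now) == nil,
		"pinned_expired":   ValidatePinned(node, trusted, "node-1", now.Add(48*time.Hour)) == nil,
		"chain_issued":     ValidateChain(issued, roots, "node-2", now) == nil,
		"chain_selfsigned": ValidateChain(node, roots, "node-1", now) == nil,
	}
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-17s %v\n", name, ok)
	}
}
```

The impostor case is the one to keep in mind when reading the thread: its self-signature verifies just as cleanly as the genuine node's, so a validation routine that only checks the received certificate against itself accepts it. Only the lookup against a list you populated out of band (Ken's "certificates of all your potential clients") or a chain to a CA you trust distinguishes the two.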
#12531
Posted: 02/22/2010 09:42:16
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Quote
The server-side steps are correct, but you will need to have the certificates of all your potential clients locally and put them to the storage bound to ClientCertStorage property before calling InternalValidate().


Oops, that seems to be impossible to do... In that case I would drop the validation and get the required values out of the certificate only... I need to get the NodeID from the certificate, that's all I need to know.


Quote
The steps are exactly the same. The only difference is that you should assign the storage object containing known server certificates to the CertStorage property.

What exactly failure do you get with InternalValidate()?

I didn't put the server's certificate into the CertStorage...

What, if I put the received certificate into a memory storage, assign this to ClientCertStorage (in server case) or CertStorage (in client case) and call InternalValidate? A short-circuit? Or a real validation? What do I need more for self-signed certificates?