EldoS | Feel safer!

Software components for data protection, secure storage and transfer

[.NET CF] TElX509CertificateValidator.ValidateForSSL() returns error

Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.
#13760
Posted: 06/28/2010 01:39:47
by JIHOON LEE (Basic support level)
Joined: 06/24/2010
Posts: 4

Hi,

Now I'm trying to test "SSLSocketDemo" on .NET Compact Framework 2.0.

I moved all the code of the desktop version to a .NET CF project. I encountered no error when I compiled it.

But when I'm debugging that code, its validation doesn't work like the desktop edition.

Code
void SecureClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref bool Validate)
{
    try
    {
        // Only the end-entity certificate (the first one in the chain, or a certificate
        // without a chain) is handed to the validator; the validator walks the rest
        // of the chain itself.
        if ((X509Certificate.Chain == null) || (X509Certificate.Chain.get_Certificates(0) == X509Certificate))
        {
            TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
            int Reason = -1;

            // The peer's IP address is passed as both the domain name and the IP address.
            _CertificateValidator.ValidateForSSL(X509Certificate,
                ((IPEndPoint)_ClientSocket.RemoteEndPoint).Address.ToString(),
                ((IPEndPoint)_ClientSocket.RemoteEndPoint).Address.ToString(),
                SBConstants.TSBHostRole.hrServer, null, false, false, DateTime.Now, ref Validity, ref Reason);

            Validate = (Validity == TSBCertificateValidity.cvOk);
        }
        else
        {
            // Intermediate certificates are accepted here; they are checked as part of
            // the end-entity certificate's chain.
            Validate = true;
        }
    }
    catch (Exception ex)
    {
        Debug.WriteLine(ex.Message);
        Validate = false; // fail closed: an exception during validation must not accept the certificate
    }
}


I used a certificate from a CA (Thawte) to test validation. The desktop version returns "cvOK", but the .NET CF version returns "cvInvalid" and "Reason" is "0x20 (SB_CERT_VALIDITY_REASON_UNKNOWN_CA)".

When I'm running the desktop version, ValidateForSSL takes a few seconds, but in the case of .NET CF, ValidateForSSL returns immediately. I've attached the source code.

Waiting for any help. Thanks.


#13761
Posted: 06/28/2010 01:53:13
by Eugene Mayevski (EldoS Corp.)

The error code is self-explanatory - one of CA certificates that make a certificate chain could not be located on the device. You can use OnAfterCertificateValidation event to learn, what exactly certificate in the chain failed validation.


Sincerely yours
Eugene Mayevski
#13762
Posted: 06/28/2010 02:35:17
by JIHOON LEE (Basic support level)
Joined: 06/24/2010
Posts: 4

Thank you, Mr. Mayevski.

Can I ask you more about CA certificates?

I've done nothing to the desktop version to add CA certificates, but it works fine.
I guess that my internet browser activities added CA certificates to the storage without my noticing.

But my WinCE device doesn't have Internet Explorer, so I guess I have to add CA certificates manually. Am I right?

If my idea is right, how can I add CA certificates to a WinCE or Windows Mobile device?

Thank you
#13763
Posted: 06/28/2010 05:43:30
by Eugene Mayevski (EldoS Corp.)

CA certificates are usually pre-installed into the system and updated with software updates. You can do the following (in code): get the complete certificate chain on the desktop in some way, save it to a PFX file,

The easiest way to collect certificates on the desktop is to add all certificates passed to the TElX509CertificateValidator.OnAfterCertificateValidation event to a TElMemoryCertStorage object, then use the object's SaveToStreamPFX() method. You get a PFX.

On the device, load them back into a TElMemoryCertStorage object using the LoadFromStreamPFX method, then add them to TElWinCertStorage in the following way:

1) the end-entity certificate is ignored.
2) intermediate CA certificates go to the CA certificate storage (see the TElWinCertStorage.SystemStores property)
3) the final, root CA certificate (IF it is present) goes to the ROOT certificate storage (see the TElWinCertStorage.SystemStores property). A root certificate is always self-signed (its IssuerRDN and SubjectRDN properties are equal).


Sincerely yours
Eugene Mayevski
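The three rules above, and the UNKNOWN_CA failure that started the thread, can be modelled without the SecureBlackbox library. The following Python is an added example, not EldoS code and not from the thread: certificates are plain records with only a subject and an issuer, the CA and ROOT stores are dictionaries keyed by subject, and validation is a walk along issuer links that succeeds only when it reaches an entry in ROOT. The certificate names are constructed; the reason value 0x20 is the one quoted in the first post for SB_CERT_VALIDITY_REASON_UNKNOWN_CA. Only the trust-path part of validation is modelled; name matching, validity period, key usage and revocation checks, which a full validator also performs, are deliberately out of scope.

```python
from dataclasses import dataclass

# Validity and reason values mirror the ones the thread mentions (constructed model).
CV_OK = "cvOk"
CV_INVALID = "cvInvalid"
REASON_NONE = 0
REASON_UNKNOWN_CA = 0x20   # numeric value quoted in the thread for SB_CERT_VALIDITY_REASON_UNKNOWN_CA


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: only the two names the split rules need."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # Rule 3 from the thread: a root is self-signed, i.e. IssuerRDN equals SubjectRDN.
        return self.subject == self.issuer


def split_chain(chain):
    """Sort an exported chain into the two system stores following post #13763.

    chain[0] is the end-entity certificate and is ignored; every other
    non-self-signed certificate goes to CA; a self-signed one goes to ROOT.
    Returns (ca_store, root_store) as dicts keyed by subject name.
    """
    ca_store, root_store = {}, {}
    for cert in chain[1:]:
        if cert.self_signed:
            root_store[cert.subject] = cert
        else:
            ca_store[cert.subject] = cert
    return ca_store, root_store


def validate_against_stores(leaf, ca_store, root_store, max_depth=8):
    """Walk issuer links from the leaf through CA until an entry in ROOT anchors the chain.

    Returns (validity, reason). max_depth bounds the walk so a cyclic or
    over-long chain cannot loop forever.
    """
    current = leaf
    for _ in range(max_depth):
        if root_store.get(current.subject) == current:
            return CV_OK, REASON_NONE          # the certificate itself is a trusted anchor
        if current.issuer in root_store:
            return CV_OK, REASON_NONE          # issued directly by a trusted root
        if current.issuer in ca_store and not current.self_signed:
            current = ca_store[current.issuer]  # step up through an intermediate
            continue
        return CV_INVALID, REASON_UNKNOWN_CA   # no issuer on file: the device's situation
    return CV_INVALID, REASON_UNKNOWN_CA       # chain too long or cyclic


# Constructed chain standing in for what the desktop sees in OnAfterCertificateValidation.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=device.example.test", "CN=Example Issuing CA")
DESKTOP_CHAIN = [LEAF, INTERMEDIATE, ROOT]


def device_without_import():
    """Fresh device: both system stores empty, so the leaf's issuer is unknown."""
    return validate_against_stores(LEAF, {}, {})


def device_after_import():
    """Device after the exported chain has been split into CA and ROOT."""
    ca, root = split_chain(DESKTOP_CHAIN)
    return validate_against_stores(LEAF, ca, root)


def device_with_root_missing():
    """Rule 3's 'IF it is present': an export that stops at the intermediate cannot anchor."""
    ca, root = split_chain([LEAF, INTERMEDIATE])
    return validate_against_stores(LEAF, ca, root)


if __name__ == "__main__":
    print("no import      :", device_without_import())
    print("after import   :", device_after_import())
    print("root not in PFX:", device_with_root_missing())
```

The third scenario is the one worth checking on a real device: if the exported PFX stops at the intermediate because the desktop validator never handed the root to the event, the CA store alone does not make the chain trusted, and the result is the same UNKNOWN_CA reason as before the import.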
#13766
Posted: 06/28/2010 07:46:34
by JIHOON LEE (Basic support level)
Joined: 06/24/2010
Posts: 4

Code
// Leading backslash added to the first path: WinCE paths are rooted at "\".
private const string PATH_LG_PFX = @"\Hard Disk\LG ELECTRONICS INC.pfx";
private const string PATH_TCSC_PFX = @"\Hard Disk\Thawte Code Signing CA.pfx";
private const string PATH_TPSC_PFX = @"\Hard Disk\Thawte Premium Server CA.pfx";

(...)

// Validator
_CertificateValidator = new SBCertValidator.TElX509CertificateValidator();
_CertificateValidator.CheckCRL = false;       // revocation checks are disabled here
_CertificateValidator.CheckOCSP = false;
_CertificateValidator.CheckValidityPeriodForTrusted = true;
_CertificateValidator.IgnoreCAKeyUsage = false;
_CertificateValidator.IgnoreSystemTrust = false;
_CertificateValidator.MandatoryCRLCheck = false;
_CertificateValidator.MandatoryOCSPCheck = false;
_CertificateValidator.Tag = null;
_CertificateValidator.UseSystemStorages = true; // trust is taken from the device's ROOT and CA stores
_CertificateValidator.ValidateInvalidCertificates = false;
_CertificateValidator.OnAfterCertificateValidation += new TSBAfterCertificateValidationEvent(CertificateValidator_OnAfterCertificateValidation);

_CertificateValidator.InitializeWinStorages();


// Certificate Storage: load the PFX files exported from the desktop into memory
_MemCertStorage = new TElMemoryCertStorage(null);

foreach (string path in new string[] { PATH_LG_PFX, PATH_TCSC_PFX, PATH_TPSC_PFX })
{
    using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read))
    {
        int Ret = _MemCertStorage.LoadFromStreamPFX(fs, "password", 0);
        if (Ret != 0)
        {
            Debug.WriteLine("LoadFromStreamPFX failed for " + path + ", error " + Ret);
        }
    }
}


// System stores the imported certificates are copied into
_WinCertStorage = new TElWinCertStorage(null);
_WinCertStorage.SystemStores.Add("ROOT");
_WinCertStorage.SystemStores.Add("CA");


for (int i = 0; i < _MemCertStorage.Count; i++)
{
    try
    {
        TElX509Certificate cert = _MemCertStorage.get_Certificates(i);

        // Self-signed certificates are roots and go to ROOT; everything else is
        // treated as an intermediate CA and goes to CA.
        if (!cert.SelfSigned)
        {
            _WinCertStorage.Add(cert, "CA", false, false, true);
        }
        else
        {
            _WinCertStorage.Add(cert, "ROOT", false, false, true);
        }
    }
    catch (Exception ex1)
    {
        Debug.WriteLine(ex1.Message);
    }
}


Thank you, Mr. Mayevski.
It was a great help. As you told me, I've exported 3 PFX files from my PC and copied them to my WinCE device.

As a result, it works, but only when I disable the CRL & OCSP features.
I've tried to write the code as you told me, but I guess there's something wrong in my code.

Can I ask you for one more piece of advice? Thank you.
#13767
Posted: 06/28/2010 08:07:22
by Eugene Mayevski (EldoS Corp.)

Please read the help topic about ElX509CertificateValidator class attentively. It contains detailed instructions regarding CRL and OCSP checks.


Sincerely yours
Eugene Mayevski
#13771
Posted: 06/29/2010 01:29:15
by JIHOON LEE (Basic support level)
Joined: 06/24/2010
Posts: 4

Thank you Mr.Mayevski

I've changed my code a little bit. Instead of using TElX509CertificateValidator, I used the TElMemoryCertStorage.Validate() function.

I added the root certificate files to TElMemoryCertStorage using TElMemoryCertStorage.LoadFromStreamPFX() before validating the server's certificate.

Then it works fine.
Code
// Certificate Storage: the PFX files exported from the desktop are loaded here
_MemCertStorage = new TElMemoryCertStorage();

foreach (string path in new string[] { PATH_TCSC_PFX, PATH_TPSC_PFX })
{
    try
    {
        using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read))
        {
            int Ret = _MemCertStorage.LoadFromStreamPFX(fs, "password", 0);
            if (Ret != 0)
            {
                Debug.WriteLine("LoadFromStreamPFX failed for " + path + ", error " + Ret);
            }
        }
    }
    catch (Exception e2)
    {
        Debug.WriteLine(e2.Message);
    }
}

(...)


void SecureClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref bool Validate)
{
    try
    {
        // Only the end-entity certificate is validated; intermediates are accepted below.
        if ((X509Certificate.Chain == null) || (X509Certificate.Chain.get_Certificates(0) == X509Certificate))
        {
            TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
            int Reason = -1;

            // Chain check against the in-memory storage only (no hostname, CRL or OCSP checks).
            Validity = _MemCertStorage.Validate(X509Certificate, ref Reason, DateTime.Now);

            Validate = (Validity == TSBCertificateValidity.cvOk);
        }
        else
        {
            Validate = true;
        }
    }
    catch (Exception ex)
    {
        Debug.WriteLine(ex.Message);
        Validate = false; // fail closed: an exception during validation must not accept the certificate
    }
}
#13772
Posted: 06/29/2010 06:21:46
by Eugene Mayevski (EldoS Corp.)

This is a bad approach. TElCustomCertStorage.Validate performs only a fraction of the checks needed for correct validation. Use of TElX509CertificateValidator is strongly recommended.


Sincerely yours
Eugene Mayevski