EldoS | Feel safer!

Software components for data protection, secure storage and transfer

WinCE 5 Certificate Store

#16463
Posted: 05/17/2011 17:07:46
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

I am adding new communication functionality to an existing application which was written in VB.NETCF 2.0 on WinCE 5.0. The Ethernet communication works and now I am adding SSL/TLS for communication to our server. I have ported your sample application, SSWLSocketDemo_VS2008, to my development system, but I get an exception thrown on the CertificateValidator.InitializeWinStorages() line in the Init method. The exception is "Failed to open storage".

Any help would be greatly appreciated!
#16464
Posted: 05/17/2011 17:25:21
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

It seems that one or more system certificate storages are absent on your device. As a quick-and-dirty solution, please do the following:

1) set the UseSystemStorages property of the certificate validator component to false. This will tell it not to load certificates from system stores automatically.

2) extend the certificate validator initialization section with the following code:

Code
TElWinCertStorage root = new TElWinCertStorage();
root.ReadOnly = true;
root.SystemStores.BeginUpdate();
try
{
  root.SystemStores.Add("Root");
  root.SystemStores.Add("Trust");
  root.SystemStores.Add("TrustedPublisher");
  root.SystemStores.Add("AuthRoot");
  root.SystemStores.Add("TrustedPeople");
  root.SystemStores.Add("ROOT");
}
finally
{
  root.SystemStores.EndUpdate();
}
root.PreloadCertificates();
CertificateValidator.AddTrustedCertificates(root);

TElWinCertStorage ca = new TElWinCertStorage();
ca.ReadOnly = true;
ca.SystemStores.BeginUpdate();
try
{
  ca.SystemStores.Add("CA");
  ca.SystemStores.Add("UserDS");
  ca.SystemStores.Add("ADDRESSBOOK");
}
finally
{
  ca.SystemStores.EndUpdate();
}
ca.PreloadCertificates();
CertificateValidator.AddKnownCertificates(ca);


3) The above code will be throwing an exception. Please do the following to find out the store that is causing the problem:
- comment out all the .Add() invocations,
- uncomment them one by one until your application starts throwing "Failed to open storage" exceptions.
#16477
Posted: 05/18/2011 12:20:03
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

Thank you for the fast response.

I have added the code. When it runs, with nothing commented out, there are no exceptions thrown...I step through each line and everything works. It sounds like this was not the expected result. I wonder if the build of WinCE is missing something - I use Platform Builder to make a custom WinCE for our product and have recently added the CryptoAPI (1.0 and 2.0 "certificates"), so I think I have everything that is needed.

When I run the code, the SecureClient.OnCertificateValidate handler will return valid if I include a test for "cvSelfSigned", which is what our test server is using, but then the connection gets closed, I believe by the server.

Any more ideas?

I greatly appreciate your help.
#16478
Posted: 05/18/2011 13:44:36
by Ken Ivanov (EldoS Corp.)

Thank you for checking. As a matter of fact, it is normal that the above code does not give you exceptions, as I have excluded loading of blocked certificates from the code I posted. So now I can say for sure that the problem is caused by the "Disallowed" store. We will add an extra checkup for this in future SecureBlackbox builds.

Quote
When I run the code, the SecureClient.OnCertificateValidate handler will return valid if I include a test for "cvSelfSigned", which is what our test server is using, but then the connection gets closed, I believe by the server.

Could you please elaborate a little on the way you validate certificates? A piece of your validation code would help much. Besides, do you handle the OnError event (please handle it if you don't), and is it fired by the component?
#16479
Posted: 05/18/2011 15:19:12
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

The certificate validate routine is a slightly modified version of SecureClientCertificateValidate(...) from your sample code...here is the modified routine:

Code
Private Sub SecureClientCertificateValidate(ByVal sender As [Object], ByVal certificate As SBX509.TElX509Certificate, ByRef validate As Boolean) Handles SecureClient.OnCertificateValidate
    WriteLog("SecureClientCertificateValidate: Enter")
    Dim Validity As SBX509.TSBCertificateValidity = SBX509.TSBCertificateValidity.cvInvalid
    Dim Reason As Integer = 0
    Dim IP As IPEndPoint = DirectCast(ClientSocket.RemoteEndPoint, IPEndPoint)

    Try
        ' Only the end-entity certificate (first in the chain) is validated here
        If certificate.Chain Is Nothing OrElse certificate.Chain.Certificates(0) Is certificate Then
            CertificateValidator.ValidateForSSL(certificate, strURL, IP.Address.ToString, SBConstants.TSBHostRole.hrServer, Nothing, False, False, DateTime.Now, Validity, Reason)
            ' Accept a fully valid chain, or a self-signed certificate (our test server)
            validate = (Validity = SBX509.TSBCertificateValidity.cvOk) OrElse (Validity = SBX509.TSBCertificateValidity.cvSelfSigned)
            WriteLog("SecureClientCertificateValidate: (" + Validity.ToString + ") " + validate.ToString)
        Else
            WriteLog("SecureClientCertificateValidate: not tested")
            validate = True
        End If

    Catch ex As Exception
        WriteLog("SecureClientCertificateValidate: Error " + ex.ToString)
        Dim s As String = ex.ToString
    End Try

    ' Note: this assignment runs after the Try block on every path and overrides the value set above
    validate = False

End Sub


I have WriteLog calls sprinkled around to track the sequence..here's a segment of the interesting part from the log file:

Quote
14:16:30, SecureClientCertificateValidate: Enter
14:16:30, CertificateValidator_OnAfterCertificateValidation: cvInvalid, 512, True
14:16:30, CertificateValidator_OnAfterCertificateValidation: cvSelfSigned, 0, True
14:16:30, SecureClientCertificateValidate: (cvSelfSigned) True
14:16:30, SecureClientSend: count = 7
14:16:30, AsyncSendCallback
14:16:30, SecureClient_OnError: 75784, True, False
14:16:30, SecureClientCloseConnection: crError
14:16:30, Reset


It looks like I'm getting a Bad_Certificate error. I don't know why I'm getting two OnAfterCertificateValidation events...the first fails and the second passes with a cvSelfSigned status.

This same code running on my PC works, so there has got to be something with the way the certificate is being handled or checked...I still have the initialization code from your first reply. The PC version uses the CertificateValidator.InitializeWinStorages() and then sets the UseSystemStorages to True. Sort of feels like the certificate isn't getting saved?

Thanks for your time!
#16480
Posted: 05/18/2011 15:54:22
by Ken Ivanov (EldoS Corp.)

According to the Validator's log, validation fails due to vrIdentityMismatch (512) reason. This code is returned if the URL of the web site does not match the URL stated in the certificate. First of all, please check that the value of the strURL variable in your code is correct.

OnAfterCertificateValidation is fired twice due to specifics of the implementation of the ValidateForSSL() method. Compared to the "main" Validate() method, ValidateForSSL() throws an additional OnAfterCertificateValidation call if certificate fields (domain name, key usage) do not fit a particular SSL connection.
#16481
Posted: 05/18/2011 16:58:00
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

This is the problem with this self-signed certificate.

Is there an easy way to just accept the certificate and move on - this can be done on browsers with user permission. Can I do this in code with your components?

You have been a real life saver on my lack of knowledge in this area!
#16482
Posted: 05/18/2011 17:07:19
by Ken Ivanov (EldoS Corp.)

Yes - just comment out all the validator-related code inside the OnCertificateValidate event handler, and pass the validate parameter set to True back to the component. However, as you understand, this is not a recommended behavior for real-world applications (yet it is acceptable for debug purposes).
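The thread closes with unconditional acceptance for debugging. As an added example (not EldoS/SecureBlackbox code and not from this thread), here is the decision logic a shipping handler would use instead, written in Python as a language-independent illustration: it keeps the host-name check that the vrIdentityMismatch (512) reason stands for, and accepts a self-signed test server only when its fingerprint was pinned beforehand. The certificate dict shape, the host names and the DER bytes are constructed stand-ins for what the validator reads from a real certificate.

```python
import hashlib

# Validity values and the reason flag quoted in the thread (names as used above).
CV_OK, CV_SELF_SIGNED, CV_INVALID = "cvOk", "cvSelfSigned", "cvInvalid"
VR_IDENTITY_MISMATCH = 512  # the reason code decoded from the log above

def host_matches(expected_host, names):
    """Host-name check of the kind vrIdentityMismatch reports: exact match,
    or a wildcard that replaces exactly the left-most label (RFC 6125)."""
    host = expected_host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:] and host.count(".") == name.count("."):
                return True
    return False

def fingerprint(der_bytes):
    """SHA-256 over the DER encoding; the value an operator records for pinning."""
    return hashlib.sha256(der_bytes).hexdigest()

def decide(validity, reason, cert, expected_host, pinned):
    """Returns (accept, why). cert is a constructed dict {"der": bytes, "names": [...]},
    standing in for the names and encoding the validator reads from the certificate."""
    if reason & VR_IDENTITY_MISMATCH or not host_matches(expected_host, cert["names"]):
        return False, "identity mismatch (vrIdentityMismatch)"
    if validity == CV_OK and reason == 0:
        return True, "chain valid"
    if validity == CV_SELF_SIGNED:
        # A self-signed test server is accepted only when its fingerprint was pinned
        # in advance, never merely because it is self-signed.
        if fingerprint(cert["der"]) in pinned:
            return True, "self-signed but pinned"
        return False, "self-signed and not pinned"
    return False, "validity=%s reason=%d" % (validity, reason)

# Constructed sample input: not a real certificate, just bytes standing in for DER.
TEST_SERVER_DER = b"constructed DER placeholder for the self-signed test server"
TEST_SERVER_CERT = {"der": TEST_SERVER_DER, "names": ["testserver.example.internal"]}
PINNED = {fingerprint(TEST_SERVER_DER)}

if __name__ == "__main__":
    print(decide(CV_SELF_SIGNED, 0, TEST_SERVER_CERT, "testserver.example.internal", PINNED))
    print(decide(CV_SELF_SIGNED, 0, TEST_SERVER_CERT, "10.0.0.5", PINNED))
```

Pinning the fingerprint keeps the debug-time convenience of a self-signed server without turning the handler into an accept-everything stub.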
