EldoS | Feel safer!

Software components for data protection, secure storage and transfer

WinCE 5 Certificate Store

Posted: 05/17/2011 17:07:46
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

I am adding new communication functionality to an existing application which was written in VB.NETCF 2.0 on WinCE 5.0. The Ethernet communication works and now I am adding SSL/TLS for communication to our server. I have ported your sample application, SSWLSocketDemo_VS2008, to my development system, but I get an exception thrown on the CertificateValidator.InitializeWinStorages() line in the Init method. The exception is "Failed to open storage".

Any help would be greatly appreciated!
Posted: 05/17/2011 17:25:21
by Ken Ivanov (Team)

Thank you for contacting us.

It seems that one or more system certificate storages are absent on your device. As a quick-and-dirty solution, please do the following:

1) set the UseSystemStorages property of the certificate validator component to false. This will tell him not to load certificates from system stores automatically.

2) extend certificate validator initialization section with the following code:

TElWinCertStorage root = new TElWinCertStorage();
root.ReadOnly = true;

TElWinCertStorage ca = new TElWinCertStorage();
ca.ReadOnly = true;

3) The above code will be throwing an exception. Please do the following to find out the store that is causing the problem:
- comment out all the .Add() invocations,
- uncomment them one by one until your application starts throwing "Failed to open storage" exceptions.
Posted: 05/18/2011 12:20:03
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

Thank you for the fast response.

I have added the code. When it runs, with nothing commented out, there are no exceptions thrown...I step through each line and everything works. It sounds like this was not the expected result. I wonder if the build of WinCE is missing something - I use Platform Builder to make a custom WinCE for our product and have added recently the CryptoAPI(1.0 and 2.0 "certificates") so I think I have everything this is needed.

When I run the code, the SecureClient.OnCertificateValidate handler will return valid if I include a test for "cvSelfSigned", which is what our test server is using, but then the connection gets closed, I believe by the server.

Any more ideas?

I greatly appreciate your help.
Posted: 05/18/2011 13:44:36
by Ken Ivanov (Team)

Thank you for checking. As a matter of fact, it is normal that the above code does not give you exceptions, as I have excluded loading of blocked certificates from the code I posted. So now I can say for sure that the problem is caused by the "Disallowed" store. We will add an extra checkup for this in future SecureBlackbox builds.

When I run the code, the SecureClient.OnCertificateValidate handler will return valid if I include a test for "cvSelfSigned", which is what our test server is using, but then the connection gets closed, I believe by the server.

Could you please elaborate a little on the way you validate certificates in? A piece of your validation code would help much. Besides, do you handle the OnError event (please handle it if you don't), and is it fired by the component?
Posted: 05/18/2011 15:19:12
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

The certificate validate routine is a slightly modified version of SecureClientCertificateValidate(...) from your sample code...here is the modified routine:

Private Sub SecureClientCertificateValidate(ByVal sender As [Object], ByVal certificate As SBX509.TElX509Certificate, ByRef validate As Boolean) Handles SecureClient.OnCertificateValidate
        WriteLog("SecureClientCertificateValidate: Enter")
        Dim Validity As SBX509.TSBCertificateValidity = SBX509.TSBCertificateValidity.cvInvalid
        Dim Reason As Integer = 0
        Dim IP As IPEndPoint = DirectCast(ClientSocket.RemoteEndPoint, IPEndPoint)

            If certificate.Chain Is Nothing OrElse certificate.Chain.Certificates(0) Is certificate Then
                CertificateValidator.ValidateForSSL(certificate, strURL, IP.Address.ToString, SBConstants.TSBHostRole.hrServer, Nothing, False, False, DateTime.Now, Validity, Reason)
                validate = (Validity = SBX509.TSBCertificateValidity.cvOk) OrElse (Validity = SBX509.TSBCertificateValidity.cvSelfSigned)
                WriteLog("SecureClientCertificateValidate: (" + Validity.ToString + ") " + validate.ToString)

                WriteLog("SecureClientCertificateValidate: not tested")
                validate = True
            End If

        Catch ex As Exception
            WriteLog("SecureClientCertificateValidate: Error " + ex.ToString)
            Dim s As String = ex.ToString
        End Try

        validate = False

    End Sub

I have WriteLog calls sprinkled around to track the sequence..here's a segment of the interesting part from the log file:

14:16:30, SecureClientCertificateValidate: Enter
14:16:30, CertificateValidator_OnAfterCertificateValidation: cvInvalid, 512, True
14:16:30, CertificateValidator_OnAfterCertificateValidation: cvSelfSigned, 0, True
14:16:30, SecureClientCertificateValidate: (cvSelfSigned) True
14:16:30, SecureClientSend: count = 7
14:16:30, AsyncSendCallback
14:16:30, SecureClient_OnError: 75784, True, False
14:16:30, SecureClientCloseConnection: crError
14:16:30, Reset

It looks like I'm getting a Bad_Certificate error. I don't know why I'm getting two OnAfterCertificateValidation events...the first fails and the second passes with a cvSelfSigned status.

This same code running on my PC works so there has got to be something with the way the certificate is being handled or checked...I still have the initialization code from your first reply. The PC version uses the CertificateValidator.InitializeWinStorages() and then sets the UseSystemSorages to True. Sort of feels like the certificate isn't getting saved?

Thanks for you time!
Posted: 05/18/2011 15:54:22
by Ken Ivanov (Team)

According to the Validator's log, validation fails due to vrIdentityMismatch (512) reason. This code is returned if the URL of the web site does not match the URL stated in the certificate. First of all, please check that the value of the strURL variable in your code is correct.

OnAfterCertificateValidation is fired twice due to specifics of the implementation of the ValidateForSSL() method. Comparing to the "main" Validate() method, ValidateForSSL() throws an additional OnAfterCertificateValidation call if certificate fields (domain name, key usage) do not fit a particular SSL connection.
Posted: 05/18/2011 16:58:00
by Tim Hickenlooper (Standard support level)
Joined: 05/16/2011
Posts: 4

This is the problem with this self-signed certificate.

Is there an easy way to just accept the certificate and move on - this can be done on browsers with user permission. Can I do this in code with your components?

You have been a real life saver on my lack of knowledge in this area!
Posted: 05/18/2011 17:07:19
by Ken Ivanov (Team)

Yes - just comment out all the validator-related code inside the OnCertificateValidate event handler, and pass the validate parameter set to True back to the component. However, as you understand, this is not a recommended behavior for real-world applications (yet it is acceptable for debug purposes).



Topic viewed 2312 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!