EldoS | Feel safer!

Access to WinStorage as IUSR

#110
Posted: 05/03/2006 07:32:21
by Matthias Hanft (Basic support level)
Joined: 04/28/2006
Posts: 15

Hello,

I have written a COM server with Delphi which uses the SBB IOHandler for SSL certificate verification. The root certs to verify against are taken from ElWinCertStorage like this:

Code
ElWinCertStorage.GetAvailableStores(myStores);
myList.Append('*** '+IntToStr(myStores.Count)+' System Stores ***');
for I:=0 to Pred(myStores.Count) do begin
  ElWinCertStorage.SystemStores.Append(myStores[I]);
  myList.Append(myStores[I]+#9+ElWinCertStorage.GetStoreFriendlyName(myStores[I]))
end;
myList.Append('*** '+IntToStr(ElWinCertStorage.Count)+' Certificates ***');
for I:=0 to Pred(ElWinCertStorage.Count) do
  with ElWinCertStorage.Certificates[I] do
    myList.Append(StorageName+#9+SubjectName.CommonName);


This gives, run by a "normal" program, a "myList" like:
*** 14 System Stores ***
My Eigene Zertifikate
Root Vertrauenswürdige Stammzertifizierungsstellen
Trust Organisationsvertrauen
CA Zwischenzertifizierungsstellen
UserDS Active Directory-Benutzerobjekt
(and so on)
*** 258 Certificates ***
AuthRoot Baltimore EZ by DST
AuthRoot Belgacom E-Trust Primary CA
AuthRoot Certiposte Classe A Personne
AuthRoot Certiposte Serveur
AuthRoot Class 1 Primary CA
AuthRoot Class 2 Primary CA
AuthRoot Class 3 Primary CA
(and so on)

But when this is executed as a COM object created by an ASP script in IIS, it runs under the restricted user IUSR_<machinename>. With the same code as above, I get only 10 instead of 14 stores (which wouldn't matter), but - zero certificates! So my COM object cannot verify the server's SSL certificate against the Windows storage.

What must I do to allow the IUSR_<machinename> account to access the Windows Root Certs? Since they seem to be stored deeply within Windows itself, I have not found any file or the like where I could just give the IUSR read/execute access rights (as is sufficient to run the COM server itself).

Thank you & best regards

Matthias
#111
Posted: 05/03/2006 08:55:36
by Eugene Mayevski (EldoS Corp.)

The certificates are stored in the registry. You are accessing the storage from the "current user" point of view, i.e. you access the certificates located in the HKCU registry key. Since the service doesn't have access to the "current user" key, your code fails.
You can try the following:

Code
ElWinCertStorage.AccessType := atLocalMachine;


This way, the certificates located in HKLM will be accessed.


Sincerely yours
Eugene Mayevski
#112
Posted: 05/03/2006 10:52:44
by Matthias Hanft (Basic support level)
Joined: 04/28/2006
Posts: 15

Quote
ElWinCertStorage.AccessType := atLocalMachine;

Ahhh.. the "AccessType" property is not mentioned in my version of the SBB help file.

But it seems that nothing has changed... Do you happen to know where in HKLM the certs are stored? I couldn't find them (at least, not by their names). Maybe it would suffice to grant read access to IUSR on that registry branch.

Matthias
#113
Posted: 05/03/2006 11:24:48
by Eugene Mayevski (EldoS Corp.)

I took the property from the help file which is available for download on the web site.

HKLM certificates are accessible system-wide (i.e. for all accounts). This is the purpose of this type of storage.

GetAvailableStores() has a second parameter with the same functionality as AccessType. This method doesn't use the AccessType property. The same applies to GetAvailablePhysicalStores().

BTW using

ElWinCertStorage.SystemStores.Append(myStores[I]);

without calling BeginUpdate/EndUpdate causes the storage to be reopened each time you call Append. This is *very* slow.


Sincerely yours
Eugene Mayevski
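The two points above (select HKLM via AccessType and pass the same value to GetAvailableStores, and wrap the Append loop in BeginUpdate/EndUpdate) put together as a small diagnostic routine. This is an added example, not code from the thread or from EldoS; it assumes the unit names SBWinCertStorage and SBX509, that the enum type behind AccessType is called TSBStorageAccessType and has an atCurrentUser value next to atLocalMachine, and that the BeginUpdate/EndUpdate meant are the TStringList methods on SystemStores. Run it once under the interactive user and once under the IIS anonymous account to see which access type actually yields certificates for that account.

```delphi
// Added example (not from the thread or from EldoS). Assumptions: unit names
// SBWinCertStorage/SBX509, the enum type TSBStorageAccessType with an
// atCurrentUser value, and BeginUpdate/EndUpdate being the TStringList
// methods on SystemStores.
uses
  SysUtils, Classes, SBWinCertStorage, SBX509;

// Lists the system stores visible for the given access type and the
// certificates that can be read from them, appending everything to Output.
procedure DumpWinStores(AccessType: TSBStorageAccessType; Output: TStrings);
var
  Storage: TElWinCertStorage;
  Stores: TStringList;
  I: Integer;
begin
  Storage := TElWinCertStorage.Create(nil);
  Stores := TStringList.Create;
  try
    // Choose HKCU ("current user") or HKLM ("local machine") before touching
    // SystemStores; a service account usually has no usable HKCU profile.
    Storage.AccessType := AccessType;

    // GetAvailableStores ignores the AccessType property, so the same value
    // is passed explicitly as its second parameter.
    Storage.GetAvailableStores(Stores, AccessType);
    Output.Add(Format('*** %d System Stores ***', [Stores.Count]));

    // BeginUpdate/EndUpdate: the storage is reopened once at EndUpdate
    // instead of once per Append.
    Storage.SystemStores.BeginUpdate;
    try
      for I := 0 to Pred(Stores.Count) do
      begin
        Storage.SystemStores.Append(Stores[I]);
        Output.Add(Stores[I] + #9 + Storage.GetStoreFriendlyName(Stores[I]));
      end;
    finally
      Storage.SystemStores.EndUpdate;
    end;

    Output.Add(Format('*** %d Certificates ***', [Storage.Count]));
    for I := 0 to Pred(Storage.Count) do
      with Storage.Certificates[I] do
        Output.Add(StorageName + #9 + SubjectName.CommonName);
  finally
    Stores.Free;
    Storage.Free;
  end;
end;

// Usage: compare what each access type yields under the account in question.
// Under a normal user both sections should list certificates; under the IIS
// anonymous account only the HKLM section is expected to.
procedure CompareAccessTypes(Output: TStrings);
begin
  Output.Add('--- atCurrentUser (HKCU) ---');
  DumpWinStores(atCurrentUser, Output);
  Output.Add('--- atLocalMachine (HKLM) ---');
  DumpWinStores(atLocalMachine, Output);
end;
```

Call CompareAccessTypes with any TStrings (a memo's Lines, or a TStringList written to a file) from a process started under the account you want to check; a zero certificate count in the HKLM section then points at a permission problem on that account rather than at the HKCU/HKLM choice.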
#114
Posted: 05/04/2006 00:55:18
by Matthias Hanft (Basic support level)
Joined: 04/28/2006
Posts: 15

Hmmm... I have investigated this further: The IUSR account is a member of the local "Guests" user group. This group seems to have pretty restricted rights (maybe even not to the complete HKLM?!).

I have made just a short demo program to show the differences:

Code
ElWinCertStorage:=TElWinCertStorage.Create(nil);
myOutput.Append('After Create: '+IntToStr(ElWinCertStorage.Count)+' Certificates');
ElWinCertStorage.AccessType:=atLocalMachine;
myOutput.Append('After atLocalMachine: '+IntToStr(ElWinCertStorage.Count)+' Certificates');
ElWinCertStorage.SystemStores.Append('Root');
myOutput.Append('After Append(''Root''): '+IntToStr(ElWinCertStorage.Count)+' Certificates');


Run as a normal user, it shows:

After Create: 0 Certificates
After atLocalMachine: 0 Certificates
After Append('Root'): 107 Certificates


With "Run as..." and a guest group member account, it shows:

After Create: 0 Certificates
After atLocalMachine: 0 Certificates
After Append('Root'): 0 Certificates


With Delphi's "Attach to process", I can even debug this program when run as a guest user, but somehow I couldn't find out how SBB loads the certs into ElWinCertStorage: the "Append('Root')" seems to be just a TStringList.Append, and after that, the FCtxList.Count is automagically set to 107...

If I could trace into the very point where the Wincerts are loaded into ElWinCertStorage, maybe I could find out the last missing access bit... (except if Windows generally disables cert access from guest users - I really hope it doesn't...)

Matthias
#115
Posted: 05/04/2006 01:18:47
by Eugene Mayevski (EldoS Corp.)

Quote
Matthias Hanft wrote:
If I could trace into the very point where the Wincerts are loaded into ElWinCertStorage, maybe I could find out the last missing access bit... (except if Windows generally disables cert access from guest users - I really hope it doesn't...)


I think that even for the IUSR account you can put some certificates into its certificate storage using Microsoft Management Console or just by running CertDemo under the IUSR account.

You can trace the code by checking ElWinCertStorage.Open() method.


Sincerely yours
Eugene Mayevski
#116
Posted: 05/04/2006 01:40:50
by Matthias Hanft (Basic support level)
Joined: 04/28/2006
Posts: 15

The hint with CertDemo was a good one :) because the Windows ROOT certs are available there when run as a guest user. So, I just have to look at how it's done in CertDemo and what the differences are to my approach. (I hope I do find some differences :D .)

Thank you for your help so far - I'll post the solution here when I have found it...

Matthias