TSA server login method

#19556
Posted: 03/22/2012 08:40:05
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello experts
I have successfully signed and timestamped a PDF document with your library when the login method to the TSA server is "user name/password". But my TSA server also offers the possibility to log in with a certificate. My certificate (on my smart card) is certified to access the TSA server to send TSA requests (I have verified that with their sample test application).
I did find out myself how to authenticate with user name/password, but I couldn't find how to do it with a certificate. Could you please tell me how to authenticate with a certificate to the TSA server using your library.
Thanks
ingbabic
#19557
Posted: 03/22/2012 09:04:12
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

In fact I have found that if I set my TElHTTPSClient like this:
Code
TElHTTPSClient httpClient = new TElHTTPSClient();
// storage holds the smart-card certificate (TElPKCS11CertStorage); the client presents it
// during the TLS handshake when the TSA server asks for a client certificate
httpClient.ClientCertStorage = storage;


where storage is my TElPKCS11CertStorage it is sufficient :). Please tell me what I can use the OnCertificateValidate event for. For now I put just
Code
void httpClient_OnCertificateValidate(object Sender, TElX509Certificate X509Certificate, ref bool Validate)
{
    // Accepts every server certificate without checking it
    Validate = true;
}

so that it works for me, but what is, if I may say, the typical implementation of this event. Thanks.
#19558
Posted: 03/22/2012 09:16:26
by Eugene Mayevski (EldoS Corp.)

All our samples include the code which uses TElX509CertificateValidator class for validating certificates in OnCertificateValidate event handler. Please take a look at those samples.


Sincerely yours
Eugene Mayevski
#19559
Posted: 03/22/2012 10:56:27
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Well, I searched for the word OnCertificateValidate in the sample directory from the package that I bought and I found 24 occurrences:

  • In 10 of those the implementation was Validate=true; without any warning
  • In 4 it was the same implementation with a warning never to do this in real life.
  • In 5 it was the same implementation (Validate=true;) but with a warning and one hyperlink where we can see how to do it. Unfortunately the hyperlink http://www.eldos.com/sbb/articles/1966.php does not work.

At last I have found 5 samples where there is some implementation. I did not notice them because they are in MailBlackBox, FTPBlackBox, HTTPBlackBox and SSLBlackBox, which I'm generally not interested in.
I have put the same implementation as I have found in one of those samples:
Code
void httpClient_OnCertificateValidate(object Sender, TElX509Certificate X509Certificate, ref bool Validate)
{
    TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
    int Reason = 0;
    // Run the validator only for the end-entity certificate (no chain, or first in its chain);
    // ValidateForSSL validates the chain starting from it
    if ((X509Certificate.Chain == null) || (X509Certificate.Chain.get_Certificates(0) == X509Certificate))
    {
        certificateValidator.ValidateForSSL(X509Certificate, "", "", TSBHostRole.hrServer, storage, false, false, DateTime.Now, ref Validity, ref Reason);
        Validate = (Validity == TSBCertificateValidity.cvOk) || (Validity == TSBCertificateValidity.cvSelfSigned);
    }
    else
        Validate = true;   // remaining chain members were covered by the check above
}

when I set certificateValidator.CheckCRL = false then it works, but if I set certificateValidator.CheckCRL = true then validation fails with code SBX509.Unit.vrCRLNotVerified=128. What do I have to do to be able to check certificate revocation list?
#19560
Posted: 03/22/2012 11:33:58
by Eugene Mayevski (EldoS Corp.)

Thank you for pointing at samples' problem. Indeed, by "all our samples" I referenced SSL-related samples which you were not interested in. There exist certain samples where validation is simplified as it's not a core functionality of the sample. We will review all samples now to ensure that they all include the same information (or use TElX509CertificateValidator).

As for CRL question: the help topic for TElX509CertificateValidator contains description (quoted below) about what has to be done, and samples do include the corresponding code right after the call to SetLicenseKey. Here's the quote:

Quote
To retrieve Certificate Revocation Lists (CRLs) TElX509CertificateValidator uses the pluggable TElCRLRetriever class and its descendants. The HTTP CRL Retriever class is located in the SBHTTPCRL unit / namespace. In the .NET edition you need to reference the SBHTTPCRL namespace from your code, then call the SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory() method. In the VCL edition this class is activated automatically when you add the SBHTTPCRL unit to the Uses clause. In the ActiveX edition the HTTP CRL Retriever is always used. Note: use of the HTTP CRL Retriever requires a license for the SSLBlackbox client-only package (or one of the packages which include SSLBlackbox). Alternatively you can disable CRL checks.


There's a similar instruction for OCSP there.

Please search for RegisterHTTPCRLRetrieverFactory in the source code.


Sincerely yours
Eugene Mayevski
#19574
Posted: 03/23/2012 04:51:31
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Ok, but the problem is that when I set MandatoryCRLCheck to true, validation fails with Validity = cvInvalid and Reason=128, which would mean vrCRLNotVerified or Certificate Revocation List for this certificate could not be retrieved and/or validated. Then I get

Quote
Connection failed (error code is 75784)


which would mean ERROR_SSL_BAD_CERTIFICATE.

Is there anything else except RegisterHTTPCRLRetrieverFactory?
#19575
Posted: 03/23/2012 04:55:07
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

You should also add RegisterLDAPCRLRetrieverFactory to retrieve CRLs stored in LDAP and read this article http://www.eldos.com/security/articles/7545.php to understand how TElX509CertificateValidator works.
#19578
Posted: 03/23/2012 07:27:05
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello Vsevolod
I have really tried to find more info on the site, but I still have the problem. Somewhere I have found that the OnBeforeCRLRetrieverUse event has to be registered to set properties of ElHTTPCRLRetriever. But when my code reaches that event, ref SBCRLStorage.TElCustomCRLRetriever Retriever is null. If I register the LDAPCRLRetrieverFactory, as you told me, then the Retriever parameter is an object of type TElLDAPCRLRetriever, but what can I do with it? I am using ElHTTPSClient to set my authentication information.
#19579
Posted: 03/23/2012 07:34:09
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
but what can I do with it? I am using ElHTTPSClient to set my authentication information.

Most likely you should do nothing with it. Retrievers are used internally to download CRLs. Do you still get ERROR_SSL_BAD_CERTIFICATE if RegisterLDAPCRLRetrieverFactory is called?
#19582
Posted: 03/23/2012 08:09:46
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Yes, error is the same. Here is my code for events:
Code
void httpClient_OnCertificateValidate(object Sender, TElX509Certificate X509Certificate, ref bool Validate)
{
    TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
    int Reason = 0;
    // Validate only from the end-entity certificate; the validator walks the chain from there
    if ((X509Certificate.Chain == null) || (X509Certificate.Chain.get_Certificates(0) == X509Certificate))
    {
        certificateValidator.ValidateForSSL(X509Certificate, "", "", TSBHostRole.hrServer, storage, false, false, DateTime.Now, ref Validity, ref Reason);
        Validate = (Validity == TSBCertificateValidity.cvOk) || (Validity == TSBCertificateValidity.cvSelfSigned);
    }
    else
        Validate = true;   // remaining chain members were covered by the check above
}


// Called before a CRL retriever is used; here the HTTP retriever gets the same
// credentials and client certificate storage as the TSA connection itself
void certificateValidator_OnBeforeCRLRetrieverUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBX509Ext.TSBGeneralName NameType, string Location, ref SBCRLStorage.TElCustomCRLRetriever Retriever)
{
    if (Retriever == null)
        return;

    if (Retriever.GetType() == typeof(SBHTTPCRL.TElHTTPCRLRetriever))
    {
        SBHTTPCRL.TElHTTPCRLRetriever httpRetriever = (SBHTTPCRL.TElHTTPCRLRetriever)Retriever;
        httpRetriever.HTTPClient.RequestParameters.Username = httpClient.RequestParameters.Username;
        httpRetriever.HTTPClient.RequestParameters.Password = httpClient.RequestParameters.Password;
        httpRetriever.HTTPClient.ClientCertStorage = httpClient.ClientCertStorage;
    }
    else if (Retriever.GetType() == typeof(SBLDAPCRL.TElLDAPCRLRetriever))
    {
        //...
    }
}


and I have made
Code
SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();      // CRLs published over HTTP
SBLDAPCRL.Unit.RegisterLDAPCRLRetrieverFactory();      // CRLs published in LDAP
SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory(); // OCSP responders over HTTP

right after SBUtils.Unit.SetLicenseKey.

My certificate validator is initialized like this
Code
certificateValidator = new TElX509CertificateValidator();
// Revocation checks: both CRL and OCSP are enabled and mandatory, so a CRL
// that cannot be retrieved makes the certificate invalid (Reason = vrCRLNotVerified)
certificateValidator.CheckCRL = true;
certificateValidator.CheckOCSP = true;
certificateValidator.CheckValidityPeriodForTrusted = true;
certificateValidator.IgnoreCAKeyUsage = false;
certificateValidator.IgnoreSystemTrust = false;
certificateValidator.MandatoryCRLCheck = true;
certificateValidator.MandatoryOCSPCheck = true;
certificateValidator.Tag = null;
// Trust anchors come from the Windows certificate stores
certificateValidator.UseSystemStorages = true;
certificateValidator.ValidateInvalidCertificates = false;

certificateValidator.InitializeWinStorages();
certificateValidator.OnBeforeCRLRetrieverUse += new TSBBeforeCRLRetrieverUseEvent(certificateValidator_OnBeforeCRLRetrieverUse);
certificateValidator.OnAfterCertificateValidation += new TSBAfterCertificateValidationEvent(certificateValidator_OnAfterCertificateValidation);
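A stricter variant of the OnCertificateValidate handler used in this thread, as an added example (not code from the thread or from EldoS): it validates only from the end-entity certificate, passes the TSA host name so the name check is not skipped by the empty string, accepts only cvOk, and decodes the vrCRLNotVerified reason flag (128) discussed above. The namespace names in the using lines, the reading of ValidateForSSL's second argument as the expected host name, and the tsaHost value are assumptions.

```csharp
// Added example; assumes the SecureBlackbox names used in this thread.
using System;
using SBX509;               // TElX509Certificate, SBX509.Unit.vrCRLNotVerified (namespace assumed)
using SBCertValidator;      // TElX509CertificateValidator, TSBCertificateValidity, TSBHostRole (assumed)
using SBCustomCertStorage;  // TElCustomCertStorage (assumed)

class TsaCertificatePolicy
{
    readonly TElX509CertificateValidator validator;
    readonly TElCustomCertStorage clientStorage;  // e.g. the TElPKCS11CertStorage from the thread
    readonly string tsaHost;                      // placeholder: host name of the TSA server

    public TsaCertificatePolicy(TElX509CertificateValidator v, TElCustomCertStorage s, string host)
    {
        validator = v; clientStorage = s; tsaHost = host;
    }

    // OnCertificateValidate handler: validate the chain once, from the end-entity
    // certificate, and require a fully valid result (no self-signed exception for
    // a TSA endpoint reached over the public network).
    public void OnCertificateValidate(object sender, TElX509Certificate cert, ref bool validate)
    {
        bool isLeaf = cert.Chain == null || cert.Chain.get_Certificates(0) == cert;
        if (!isLeaf) { validate = true; return; }  // chain members are covered by the leaf check

        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        // Second argument: expected host name (assumed), so the name in the certificate is checked
        validator.ValidateForSSL(cert, tsaHost, "", TSBHostRole.hrServer, clientStorage,
                                 false, false, DateTime.Now, ref validity, ref reason);
        validate = validity == TSBCertificateValidity.cvOk;
        if (!validate)
            Console.Error.WriteLine("TSA certificate rejected: " + Describe(validity, reason));
    }

    // Turn the validity/reason pair into a log message. Reason is a bit mask; only the
    // flag this thread discusses (vrCRLNotVerified = 128) is decoded explicitly.
    public static string Describe(TSBCertificateValidity validity, int reason)
    {
        string msg = "validity=" + validity + ", reason=" + reason;
        if ((reason & SBX509.Unit.vrCRLNotVerified) != 0)
            msg += " (CRL could not be retrieved or verified; check the registered CRL retriever factories and their credentials)";
        return msg;
    }
}
```

Wire it up with `httpClient.OnCertificateValidate += new TSBCertificateValidateEvent(policy.OnCertificateValidate)` in place of the handler shown above; the factory registration and validator setup from the thread stay unchanged.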