Webservice with root certificate (server side)

#20807
Posted: 07/17/2012 12:06:56
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Hi

I received a public certificate from one of my suppliers and they want a connection with my company with their webservice using https. So far, so good.

My doubt is: I only have the certificate from the supplier and as I know I need to provide it to Memory Certificate Storage. Am I right ?

In other words: I have already used https connection using my own certificate and everything is working fine. If I just add this certificate (SAP root) I have to add it ?

Thanks in advance
Eduardo
#20808
Posted: 07/17/2012 12:48:56
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

If I understood you right and you've received a server certificate for their web service, then you should add it to TElSimpleSSLClient.CertStorage storage.
#20809
Posted: 07/17/2012 15:08:09
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

What is the best way to add it? Using the Serial Number or the Subject?
#20810
Posted: 07/17/2012 15:48:59
by Ken Ivanov (EldoS Corp.)

Eduardo,

The task is actually a wee bit more tricky.

Basically, each time you are connecting to the web service you have to check the genuineness of the certificate it provides. This can be done in a variety of ways, with two of them being 'de facto' standards:

- perform validation of the entire certificate chain, starting from the certificate provided by the service up to the root CA certificate. This approach, normally used by web browsers, is reasonable if you need to connect to an initially unknown set of destinations (so you can't prepare a list of certificates corresponding to them beforehand).

- treat the certificate of the web service as 'explicitly trusted'; store the certificate they've sent you somewhere with the application, and simply compare the certificate you receive from the web service to this locally stored certificate. This approach is acceptable if you need to connect to a limited set of known destinations, so you can maintain a list of the corresponding certificates locally.

That is, if you only have to connect to a single web service, you can keep their certificate near the application and use it as a 'specimen' each time you connect to the web service. You can compare the certificates inside the handler of the OnCertificateValidate event; simply check that their binary forms (which can be accessed through the CertificateBinary and CertificateSize properties) are identical.

Quote
In other words: I have already used https connection using my own certificate and everything is working fine. If I just add this certificate (SAP root) I have to add it ?

This can be the case if you pass Validate = true back from the OnCertificateValidate event handler in your current code. However, doing this is not normal, as it puts all the security provided by the protocol down.
#20817
Posted: 07/18/2012 05:19:04
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Innokentiy Ivanov

Let me review something:

1) I have two Certificates storage
FWinCert: TElWinCertStorage;
FMemCert: TElMemoryCertStorage;

2) I add to "memory" only the certificates I need (the chain)

var
  FCert, FCACert: TElX509Certificate;
  nI, nK: Integer;
  cAux: string;
begin
  // Start with an empty memory storage and load the Windows system stores
  FMemCert.Clear;
  FWinCert.SystemStores.Clear;
  FWinCert.SystemStores.Add('MY');
  FWinCert.SystemStores.Add('CA');
  FWinCert.SystemStores.Add('ROOT');

  // Find the supplier certificate by serial number (cCertSerialNumber holds it
  // as a hex string) and copy it, together with its issuer chain, to memory
  for nI := 0 to FWinCert.Count - 1 do
  begin
    FCert := FWinCert.Certificates[nI];
    cAux := BinaryToString(FCert.SerialNumber);
    if UpperCase(cAux) = UpperCase(cCertSerialNumber) then
    begin
      FMemCert.Add(FCert, True);
      nK := FWinCert.GetIssuerCertificate(FCert);
      while nK <> -1 do
      begin
        FCACert := FWinCert.Certificates[nK];
        FMemCert.Add(FCACert);
        if FCACert.SelfSigned then
          Break; // reached the root; do not loop on a self-issued certificate
        nK := FWinCert.GetIssuerCertificate(FCACert);
      end;
      Break;
    end;
  end;
end;

3) In the event "OnCertificateValidate" the application receives each certificate in the X509Certificate variable. Then I have to loop through FMemCert and find the certificate; if it is not there, there is a problem, but if it is found
then I have to check X509Certificate.CertificateBinary (and CertificateSize) against the one that was found?

I donĀ“t know if I am being clear but let me know if not.

Thanks for the explanation. I have learnt a lot with your explanation. I think you answered my question.
#20818
Posted: 07/18/2012 05:37:23
by Ken Ivanov (EldoS Corp.)

Eduardo,

I guess you decided to choose the second approach - i.e. to compare the certificate provided by the web service to the explicitly trusted local certificate each time you are connecting to it. As far as I understand your goal, this is indeed a more convenient choice.

Quote
3) In the event "OnCertificateValidate" the application receives each certificate in the X509Certificate variable. Then I have to loop through FMemCert and find the certificate; if it is not there, there is a problem, but if it is found
then I have to check X509Certificate.CertificateBinary (and CertificateSize) against the one that was found?

You can simply iterate over the certificates in your memory storage, comparing the one provided by the web service to them:

Code
procedure TForm1.ClientCertificateValidate(Sender: TObject;
  Certificate: TElX509Certificate; var Validate: Boolean);
var I: Integer;
begin
  // Explicit trust: accept only a certificate byte-identical to one held in FMemCert
  // (the owner class and handler name are illustrative)
  Validate := false;
  for I := 0 to FMemCert.Count - 1 do
    if (FMemCert.Certificates[I].CertificateSize = Certificate.CertificateSize) and
       CompareMem(FMemCert.Certificates[I].CertificateBinary, Certificate.CertificateBinary, Certificate.CertificateSize) then
    begin
      Validate := true;
      Break;
    end;
end;
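The explicit-trust approach from Ken's earlier reply and the comparison in the snippet above, as an added Python example that is not part of the thread or of SecureBlackbox: it applies the same size-then-bytes test to raw DER (what CertificateBinary/CertificateSize carry), normalises a PEM specimen to DER so it can actually match what the server sends, and reports per-certificate match results for the "dump everything and compare" check that is suggested later in the thread. The certificate byte strings are constructed stand-ins and the function names are my own.

```python
# Explicit-trust ("specimen") certificate check, mirroring the thread's handler.
# Added example, not SecureBlackbox code: it works on raw DER bytes.
import base64
import hashlib
import re
from typing import Sequence

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Normalise a stored specimen to DER. A PEM file is never byte-identical to
    the DER the server presents, a common reason the comparison 'does not work'."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, a convenient way to log what the server sent."""
    return hashlib.sha256(der).hexdigest()

def binary_match(presented: bytes, specimen: bytes) -> bool:
    """Same test as the CompareMem snippet: equal size, then equal bytes."""
    return len(presented) == len(specimen) and presented == specimen

def validate(presented: bytes, trusted: Sequence[bytes]) -> bool:
    """What the OnCertificateValidate handler should return: True only when the
    presented certificate is identical to one of the locally stored specimens."""
    return any(binary_match(presented, to_der(spec)) for spec in trusted)

def diagnose(chain: Sequence[bytes], trusted: Sequence[bytes]) -> list:
    """The 'dump and compare' step: for each certificate the server sent, report
    whether it matched a specimen, so a mismatch (for example only the root pinned
    while only the leaf is presented) is visible instead of a silent False."""
    return [(i, fingerprint(c), validate(c, trusted)) for i, c in enumerate(chain)]

# Constructed stand-ins for DER certificates (not real certificates).
LEAF_DER = b"\x30\x82\x01\x00" + b"leaf-cert-" * 4
ROOT_DER = b"\x30\x82\x01\x01" + b"root-cert-" * 4
ROOT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(ROOT_DER)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Only the root is pinned, the server presents leaf then root: leaf fails, root matches.
    for idx, fp, ok in diagnose([LEAF_DER, ROOT_DER], [ROOT_PEM]):
        print(f"cert #{idx} sha256={fp[:16]}... pinned={ok}")
```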
#20820
Posted: 07/18/2012 06:03:53
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Innokentiy Ivanov

I did almost exactly what you describe in the previous post but unfortunately it does not work. If I just put "Validate := True" it works perfectly. I have replaced my code with the one you wrote and it does not work either.

What is happening ? Or what is wrong ?

Thanks for the example. It only confirms the way I am going.
#20821
Posted: 07/18/2012 06:21:57
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

If the above mentioned code doesn't work then your FMemCert storage doesn't contain the certificate that is sent by the webservice. You should dump all certificates returned by the webservice and compare them to the one you've got from your supplier to find out what is wrong.

You should also re-check that the certificate is successfully added to FMemCert.
#20838
Posted: 07/19/2012 05:29:18
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Vsevolod Ievgiienko

Thanks for the answer. I will double check my code again but the most important thing is that now it is much clearer to me after all the explanation you provided.

My best regards and thanks again.