EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Problems with token certificate

Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.
#26345
Posted: 09/06/2013 11:34:07
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

I have been using the attached unit HPROPKI.TXT successfully. It signs my XML files, I do the https communication with webservices and everything was working ok until one of my customers started to use a token certificate.

The entry point of this unit is the function "EnviarSoap". The first time it returns 200, but when I try the second time the result is 403 (according to the error at the end of the attached HPROPKI.TXT file). If the user quits the application and starts it again, it goes back to result 200 only for the first time, but the second (and subsequent) attempts result in 403.

Most of my other customers are using A1 without ANY problems.

I have already instantiated the HttpClient inside EnviarSoap but the problem still remains. What can I do to solve this problem, or at least to trace down where the problem is?

#26350
Posted: 09/09/2013 02:22:10
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

At first glance the error is not related to the fact that the client is using a token. The 403 error code stands for 'Forbidden'. What you can try to do is:

1) Ask the server administrator to check the server logs, if it's possible.
2) Dump subsequent HTTP requests and responses using TElHTTPSClient.OnSendData/OnData/OnReceivingHeaders/OnPreparedHeaders event handlers and compare them. They may include some hints.
#26354
Posted: 09/09/2013 02:43:40
by Eugene Mayevski (EldoS Corp.)

Well, it seems that on subsequent connections the client-side certificate is not used for whatever reason.

From your code or your post it's not clear - does the customer use the same certificate for signing and for SSL authentication, or does he use different certificates?


Sincerely yours
Eugene Mayevski
#26356
Posted: 09/09/2013 04:54:34
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Thank you for the answers.

First I will try to capture the HTTP requests from one connection and the subsequent connections too, and compare them.

Second, although I did not mention it, yes, the certificate is the same for signing XML and SSL. What point of my code was not clear?
#26359
Posted: 09/09/2013 05:21:34
by Eugene Mayevski (EldoS Corp.)

Usually data signing certificates and SSL certificates have different Key Usage fields and as such one certificate can't be used for both activities. It can happen that the token driver prevents use of the private key more frequently than once per certain period, or asks the user to re-enter the PIN after two or three uses. We can only guess at this point.


Sincerely yours
Eugene Mayevski
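Eugene's point about Key Usage can be checked mechanically before touching any token. This is an added example (Python with the cryptography package; not code from the thread, from EldoS or from SecureBlackbox): it builds two constructed self-signed test certificates and reports whether each one's extensions permit TLS client authentication and data signing.

```python
# Added example: inspect a certificate's Key Usage / Extended Key Usage to see
# whether one certificate can serve both TLS client auth and data signing.
# Assumes the third-party 'cryptography' package is installed.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

KU_FLAGS = ("digital_signature", "content_commitment", "key_encipherment",
            "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
            "encipher_only", "decipher_only")


def make_test_cert(set_flags, ekus):
    """Constructed self-signed test certificate with the given KU bits and EKUs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "token test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    ku = x509.KeyUsage(**{f: f in set_flags for f in KU_FLAGS})
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(ku, critical=True))
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def cert_roles(cert):
    """Return which of the two roles the certificate's extensions permit."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    try:
        eku = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = None  # no EKU extension means no purpose restriction
    # TLS client auth: the handshake signature needs digitalSignature, and an
    # EKU, if present, must list id-kp-clientAuth.
    tls_client = ku.digital_signature and (eku is None or ExtendedKeyUsageOID.CLIENT_AUTH in eku)
    # Signing XML/documents: digitalSignature or nonRepudiation (contentCommitment).
    signing = ku.digital_signature or ku.content_commitment
    return {"tls_client_auth": tls_client, "data_signing": signing}


# A certificate whose extensions allow both roles...
dual = make_test_cert({"digital_signature", "content_commitment"},
                      [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION])
# ...versus a signing-only certificate (nonRepudiation, EKU without clientAuth).
sign_only = make_test_cert({"content_commitment"}, [ExtendedKeyUsageOID.EMAIL_PROTECTION])
```

Run the same `cert_roles` check on the customer's token certificate (loaded with `x509.load_der_x509_certificate` or `load_pem_x509_certificate`) to see whether the 403 can be explained by the certificate itself or must come from token behaviour.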
#26360
Posted: 09/09/2013 06:21:06
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Eugene

I donĀ“t know if it is the case because I have used to call a dotnet DLL that do the tasks (XML signing and SSL) and it never happend before. I have been replacing this DLL to use Eldos Components and as I said before when the certificate is A1 the things are working very very well (with speed and of course reliability).

I am still investigating and checking my code. One thing I suspect is the code inside the ClientCertNeedEx event.
#26361
Posted: 09/09/2013 06:24:39
by Eugene Mayevski (EldoS Corp.)

Quote
Eduardo Helminsky wrote:
I am still investigating and checking my code. One thing I suspect is the code inside the ClientCertNeedEx event.


The code there is fine (I've checked it first of all).

Alternatively you can just use ClientCertificates property (but use one way - either the event or the property, not both).


Sincerely yours
Eugene Mayevski