
Validating Certificate on WP8

#28784
Posted: 03/14/2014 12:22:39
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

Hello,
I am using the TElHTTPSClient class in a Windows Phone 8 application, to communicate with my server, and I want to validate that the server certs are valid, so I added a callback to OnCertificateValidate.

In that callback, I manually load the required cert based on the cert issuer, and then call the TElX509Certificate method, ValidateWithCA.

1) When I do this, the root cert is returned, which has no issuer name. How would this be validated?

2) Is it possible to add all the certs I have to a MemoryCertStorage object, and use that to validate the certs, rather than having to load the necessary cert each time the Validate callback is called?

Thanks,
#28785
Posted: 03/14/2014 12:47:20
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

I guess I was using the wrong method:
What I ended up doing was loading all the certificates into a TElMemoryCertStorage object, and then using that object's Validate method to validate the X509Certificate that is passed in to the OnCertificateValidate callback.
#28786
Posted: 03/14/2014 12:52:56
by Eugene Mayevski (EldoS Corp.)

Please use the TElX509CertificateValidator class. This class implements a complete validation mechanism with all checks in place. All other methods are either incomplete or outdated or both.


Sincerely yours
Eugene Mayevski
#28787
Posted: 03/14/2014 16:11:41
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

Thanks for your response, Eugene.
I tried switching to using TElX509CertificateValidator, however, I am having some issues getting it to function correctly.

This is what I did:
Code
// Storage holding the certificate(s) the validator should know about
TElMemoryCertStorage certstore = new TElMemoryCertStorage();
certstore.Add(X509Cert, false);
TElX509CertificateValidator validator = new TElX509CertificateValidator();
validator.AddKnownCertificates(certstore);

// X509Certificate is the server certificate handed to OnCertificateValidate
validator.ValidateForSSL(X509Certificate, "", "", SBTypes.TSBHostRole.hrServer, null, false, false, DateTime.Now, ref validity, ref reason);


But that fails.
I have also used:
Code
validator.Validate(X509Certificate, ref validity, ref reason);

Which gave the same results.

If, however, I use the certstorage directly, it works:
Code
certstore.Validate(X509Certificate, ref validity, ref reason);


Is there a way I can verify the certs were added correctly to the CertValidator object?
#28788
Posted: 03/17/2014 02:10:05
by Vsevolod Ievgiienko (EldoS Corp.)

TElX509CertificateValidator performs deeper validation than TElMemoryCertStorage.Validate and that is why it may fail. This article describes the process in detail: https://www.eldos.com/security/articles/7545.php
#28814
Posted: 03/17/2014 15:39:35
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

Thanks for that link Vsevolod; that helped me resolve my issue.
What I ended up having to do was:
- Obtain the trusted certs (which I exported from my Windows box).
- Add those as my trusted certs.
- Add the intermediates as my known certs.
- Register the CRL/OCSP components.

Once I did that, validation worked correctly.
Having said that, are there any recommendations regarding speeding up the CRL check? I added a callback to OnCRLRetrieved, and added the CRL returned there to my certificate validator's KnownCRLs, but there was little noticeable speed difference?

Regards,
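The four steps above, collected into one validator setup as an added example (this is not hawkeye's code and not an EldoS sample). It assumes the SecureBlackbox .NET namespaces SBX509, SBMemoryCertStorage, SBCertValidator and SBTypes, the retriever registration calls SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory and SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory, the CheckCRL/CheckOCSP properties, and the delegate shape of OnCertificateValidate; file paths and the host name are placeholders.

```csharp
using System;
using System.IO;
using SBTypes;
using SBX509;
using SBMemoryCertStorage;
using SBCertValidator;

// Assumed: namespaces, property names and the OnCertificateValidate delegate shape
// follow the SecureBlackbox .NET edition; paths and host name are placeholders.
public class ServerCertPolicy
{
    private readonly TElX509CertificateValidator validator = new TElX509CertificateValidator();
    private readonly string expectedHost;

    public ServerCertPolicy(string expectedHost, string[] trustedRootPems, string[] intermediatePems)
    {
        this.expectedHost = expectedHost;

        // Roots are *trusted*: every chain must terminate in one of these anchors.
        var trusted = new TElMemoryCertStorage();
        foreach (var path in trustedRootPems) trusted.Add(LoadPem(path), false);
        validator.AddTrustedCertificates(trusted);

        // Intermediates are only *known*: they complete the chain but are not anchors.
        var known = new TElMemoryCertStorage();
        foreach (var path in intermediatePems) known.Add(LoadPem(path), false);
        validator.AddKnownCertificates(known);

        // Revocation checks need the HTTP retrievers registered once per process
        // (assumed registration calls); otherwise CRL/OCSP cannot be fetched.
        SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
        SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();
        validator.CheckCRL = true;
        validator.CheckOCSP = true;
    }

    private static TElX509Certificate LoadPem(string path)
    {
        var cert = new TElX509Certificate();
        if (cert.LoadFromBufferPEM(File.ReadAllBytes(path), "") != 0) // assumed: 0 means success
            throw new InvalidOperationException("Cannot load certificate: " + path);
        return cert;
    }

    // Attach to TElHTTPSClient.OnCertificateValidate (assumed delegate shape).
    public void OnCertificateValidate(object sender, TElX509Certificate cert, ref TSBBoolean validate)
    {
        var validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        // Passing the expected host (the post passed "") lets the validator match the
        // certificate's identity; the remaining positional arguments are kept as in the post.
        validator.ValidateForSSL(cert, expectedHost, "", TSBHostRole.hrServer, null,
                                 false, false, DateTime.Now, ref validity, ref reason);
        validate = (validity == TSBCertificateValidity.cvOk);
        if (!validate)
            System.Diagnostics.Debug.WriteLine("Server cert rejected, reason flags 0x" + reason.ToString("X"));
    }
}
```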
#28815
Posted: 03/18/2014 01:18:35
by Vsevolod Ievgiienko (EldoS Corp.)

All CRLs that are retrieved during the validation process are cached for subsequent usage. You don't need to put them into KnownCRLs manually.