EldoS | Feel safer!

Validating Certificate on WP8

Posted: 03/14/2014 12:22:39
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

I am using the TElHTTPSClient class in a Windows Phone 8 application, to communicate with my server, and I want to validate that the server certs are valid, so I added a callback to OnCertificateValidate.

In that callback, I manually load the required cert based on the cert issuer, and then call the TElX509Certificate method, ValidateWithCA.

1) When I do this, the root cert is returned, which has no issuer name. How would this be validated?

2) Is it possible to add all the certs I have to a MemoryCertStorage object, and use that to validate the certs, rather than having to load the necessary cert each time the Validate callback is called?

Posted: 03/14/2014 12:47:20
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

I guess I was using the wrong method:
What I ended up doing was loading all the certificates into a TElMemoryCertStorage object, and then using that object's Validate method to validate the X509Certificate that is passed in to the OnCertificateValidate callback.

Posted: 03/14/2014 12:52:56
by Eugene Mayevski (Team)

Please use the TElX509CertificateValidator class. This class implements the complete validation mechanism with all checks in place. All other methods are either incomplete or outdated, or both.

Sincerely yours
Eugene Mayevski

Posted: 03/14/2014 16:11:41
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

Thanks for your response, Eugene.
I tried switching to using TElX509CertificateValidator, however, I am having some issues getting it to function correctly.

This is what I did:
TElMemoryCertStorage certstore = new TElMemoryCertStorage();
certstore.Add(X509Cert, false);
TElX509CertificateValidator validator = new TElX509CertificateValidator();

validator.ValidateForSSL(X509Certificate, "", "", SBTypes.TSBHostRole.hrServer, null, false, false, DateTime.Now, ref validity, ref reason);

But that fails.
I have also used:
validator.Validate(X509Certificate, ref validity, ref reason);

Which gave the same results.

If, however, I use the certstorage directly, it works:
certstore.Validate(X509Certificate, ref validity, ref reason);

Is there a way I can verify the certs were added correctly to the CertValidator object?

Posted: 03/17/2014 02:10:05
by Vsevolod Ievgiienko (Team)

TElX509CertificateValidator performs deeper validation than TElMemoryCertStorage.Validate, and that is why it may fail. This article describes the process in detail: https://www.eldos.com/security/articles/7545.php

Posted: 03/17/2014 15:39:35
by hawkeye (Basic support level)
Joined: 03/14/2014
Posts: 4

Thanks for that link Vsevolod; that helped me resolve my issue.
What I ended up having to do was:
- Obtained the trusted certs (which I exported from my Windows box).
- Added those as my trusted certs.
- Added the intermediates as my known certs.
- Registered the CRL/OCSP components.

Once I did that, validation worked correctly.
Having said that, are there any recommendations regarding speeding up the CRL check? I added a callback to OnCRLRetrieved, and added the CRL returned there to my certificate validator's KnownCRLs, but there was little noticeable speed difference.
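The four steps in the post above, wired together into a single OnCertificateValidate handler for TElHTTPSClient. This is an added example, not code from the thread or from EldoS: the calls quoted in the thread (TElMemoryCertStorage.Add, ValidateForSSL with the argument shape shown earlier, the validity/reason out-parameters) are taken from the posts; the namespace names, AddTrustedCertificates/AddKnownCertificates, CheckCRL/CheckOCSP, LoadFromBuffer, the CRL/OCSP factory registration calls, the event delegate signature and the int type of the reason mask are assumptions about the SecureBlackbox .NET API and should be checked against the installed version.

```csharp
using System;
using System.IO;
using SBX509;              // TElX509Certificate, TSBCertificateValidity (assumed namespace)
using SBCustomCertStorage; // TElMemoryCertStorage (assumed namespace)
using SBCertValidator;     // TElX509CertificateValidator (assumed namespace)

// Added example (not from the thread). Builds a TElX509CertificateValidator
// the way the post above describes: exported roots as trusted certs,
// intermediates as known certs, HTTP CRL/OCSP retrievers registered, and
// then uses it from TElHTTPSClient.OnCertificateValidate.
public class ServerCertValidator
{
    private readonly TElX509CertificateValidator validator = new TElX509CertificateValidator();
    private readonly TElMemoryCertStorage trusted = new TElMemoryCertStorage();
    private readonly TElMemoryCertStorage known = new TElMemoryCertStorage();
    private readonly string expectedHost;

    public ServerCertValidator(string expectedHost, string[] trustedRootFiles, string[] intermediateFiles)
    {
        this.expectedHost = expectedHost;

        // Steps 1-2: roots exported from the Windows store become the trust anchors.
        // Keeping them in their own storage means nothing else is trusted by accident.
        foreach (var path in trustedRootFiles)
            trusted.Add(LoadDer(path), false);

        // Step 3: intermediates are "known" (available for chain building)
        // but are not trusted on their own; they must chain up to a root above.
        foreach (var path in intermediateFiles)
            known.Add(LoadDer(path), false);

        validator.AddTrustedCertificates(trusted); // assumed method name
        validator.AddKnownCertificates(known);     // assumed method name

        // Step 4: register the HTTP CRL retriever and OCSP client so revocation
        // is actually checked. Assumed registration calls. Retrieved CRLs are
        // cached by the validator itself (see the reply below), so an
        // OnCRLRetrieved handler that copies them into KnownCRLs is unnecessary.
        SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
        SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();
        validator.CheckCRL = true;  // assumed property
        validator.CheckOCSP = true; // assumed property
    }

    private static TElX509Certificate LoadDer(string path)
    {
        var cert = new TElX509Certificate();
        byte[] der = File.ReadAllBytes(path);
        cert.LoadFromBuffer(der); // assumed overload taking raw DER bytes
        return cert;
    }

    // Handler for TElHTTPSClient.OnCertificateValidate (assumed delegate shape:
    // sender, certificate, ref bool Validate). The thread's call passed "" as the
    // domain name, which skips the host-name check; a client that talks to a
    // specific server should pass the host it intended to reach.
    public void OnCertificateValidate(object sender, TElX509Certificate cert, ref bool validate)
    {
        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0; // assumed: bit mask of TSBCertificateValidityReason values

        validator.ValidateForSSL(cert, expectedHost, "", SBTypes.TSBHostRole.hrServer,
                                 null, false, false, DateTime.Now, ref validity, ref reason);

        validate = validity == TSBCertificateValidity.cvOk;
        if (!validate)
        {
            // Log the reason mask rather than only the boolean: it tells you whether
            // the failure was an unknown CA, expiry, a name mismatch or a revocation
            // check that could not complete, which is what you need to fix the setup.
            Console.WriteLine("Server certificate rejected: validity={0}, reason=0x{1:X}", validity, reason);
        }
    }
}
```

Usage: construct one ServerCertValidator at startup with the exported root and intermediate files, assign its OnCertificateValidate method to the TElHTTPSClient event, and reuse it for every request; the trusted and known storages are loaded once, which also answers the question in the opening post about avoiding a per-callback certificate load.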

Posted: 03/18/2014 01:18:35
by Vsevolod Ievgiienko (Team)

All CRLs that are retrieved during the validation process are cached for subsequent use. You don't need to put them into KnownCRLs manually.

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.