Certificate validation question

#2765
Posted: 04/18/2007 16:01:48
by Bernd Heinsohn (Basic support level)
Joined: 04/17/2007
Posts: 2

Hi there :)

I'm in the process of evaluating your product and I have some difficulties applying certificate validation during an SSL connection using an HTTPS Client/Server connection.

Maybe I'm just too dumb to understand the whole thing :(

I have 3 certificates:

1. My "Root certificate" which is self signed and has been created using your certificate tool included with the product samples -> ROOTCERT

2. One certificate for the server (Issued and signed by ROOTCERT) -> SERVERCERT

3. One certificate for the client (also Issued and signed by ROOTCERT) -> CLIENTCERT

I have loaded certificate ROOTCERT (without private key) into an ElMemoryCertStorage attached to the ServerCertStorage property of the server component.

I have loaded certificate SERVERCERT (with private key) into the same ElMemoryCertStorage attached to the ServerCertStorage property of the server component.

I have loaded certificate CLIENTCERT (with private key) into an ElMemoryCertStorage attached to the CertStorage property of the client component.

A:

Now I need to do this on the server with ClientAuthentication set to "True" and AuthenticationLevel set to "alRequireCert":

If a client wants to connect and has passed his certificate (CLIENTCERT) to the server I need to verify that the client is using a certificate which is valid and has been issued by ROOTCERT.

The "meta"-code for the OnCertificateValidate-event on the server would look like this:

...
If (ClientCertificate is valid) and (ClientCertificate has been issued by ROOTCERT) then validate:= True
...

B:

And this on the client:

If a server has been connected and the server has passed its certificates (ROOTCERT, SERVERCERT), I need to make sure that the client certificate which is stored in the client has been issued by one of these server certificates.

The "meta"-code for the OnCertificateValidate-event on the client would look like this:

...
If (ServerCertificates are valid) and (ClientCertificate has been issued by one of the server certificates) then validate:= True
...

Can you gimme some hints on how to accomplish this in real code?

Thanks in advance
#2766
Posted: 04/19/2007 12:58:10
by Ken Ivanov (EldoS Corp.)

Quote
Now I need to do this on the server with ClientAuthentication set to "True" and AuthenticationLevel set to "alRequireCert":

JFYI: In this case you also need to handle the Client.OnCertificateNeededEx event and pass the client certificate (CLIENTCERT) to its 'Certificate' parameter (please see the corresponding section of SecureBlackbox documentation for further details).

To validate the client certificate on the server side, you need to add the root certificate to the certificate storage pointed to by the Server.CertStorage property. The validation can then be performed via a call to the Server.InternalValidate() method from inside the Server.OnCertificateValidate event handler. The InternalValidate() method performs basic certificate validation.

Please consider using TElCustomCertStorage.GetIssuerCertificate() method to get the issuer's index for some particular certificate. You can verify if ROOTCERT is the parent certificate for the certificate received from the remote side in this way.

The same approach should be used to validate server certificates on the client side.
#2767
Posted: 04/19/2007 14:38:29
by Bernd Heinsohn (Basic support level)
Joined: 04/17/2007
Posts: 2

Thanks for your answer. I forgot to mention that I had also implemented OnCertificateNeededEx on the client :)

My problem was the procedure of validating the client certificate against the root certificate because I didn't know how to verify the connection between the two certificates.

Regards
#2768
Posted: 04/20/2007 02:14:13
by Eugene Mayevski (EldoS Corp.)

Use the ElX509Certificate.ValidateWithCA() method and pass it the supposed root certificate as a parameter.


Sincerely yours
Eugene Mayevski
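An added example, not SecureBlackbox code and not from anyone in this thread: it reproduces the thread's setup with Go's standard crypto/x509 package (ROOTCERT self-signed, CLIENTCERT issued by it) and performs the check asked for in part A, "the certificate is valid and was issued by ROOTCERT", as a signature chain to the trusted root plus a validity-period check. It goes one step beyond the thread by also constructing an impostor CLIENTCERT whose Issuer field says "ROOTCERT" but which was signed by an unrelated key, to show that comparing issuer names is not the same as validating against the CA. The names issue, ValidateWithCA and BuildCerts, the serial numbers and the one-year lifetime are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a one-year certificate for cn with a fresh P-256 key, signed by issuerKey in the name of parent; a nil parent self-signs (ca marks an issuing certificate).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, IsCA: ca, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, issuerKey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ValidateWithCA is the thread's OnCertificateValidate check: cert must be inside its validity period at `at` and chain by signature to root, not merely name root in its Issuer field.
func ValidateWithCA(cert, root *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only trust anchor, like ROOTCERT in the server's CertStorage
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// BuildCerts constructs ROOTCERT, CLIENTCERT issued by it, and an impostor CLIENTCERT whose Issuer is also named "ROOTCERT" but which was signed by an untrusted key (all constructed test data).
func BuildCerts() (root, client, impostor *x509.Certificate) {
	root, rootKey := issue("ROOTCERT", 1, true, nil, nil)
	client, _ = issue("CLIENTCERT", 2, false, root, rootKey)
	fakeRoot, fakeKey := issue("ROOTCERT", 3, true, nil, nil)
	impostor, _ = issue("CLIENTCERT", 4, false, fakeRoot, fakeKey)
	return root, client, impostor
}
```

For part B of the question the same function applies with the roles swapped: the client keeps ROOTCERT as its trust anchor and validates the received SERVERCERT against it.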
