Load certificate from service certificate store

#29352
Posted: 04/30/2014 09:15:21
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 73

I have a problem that looks a bit like the one in this topic:
https://www.eldos.com/forum/read.php?FID=7&TID=2614

A Windows service that I created needs to load a certificate from the certificate store. I used to open the user store for the user that runs the service and that worked.

Now there is a new request and that is to use the service certificate store. Through the management console I installed the certificate for the service and the service opens the store like this (WCS = WindowsCertificateStore):
Code
WCS.Clear;                        // drop any stores added earlier
WCS.ReadOnly := True;             // the service only reads, never writes
WCS.StorageType := stSystem;      // Windows system store, not a file
WCS.AccessType := atCurrentService; // the store of the service this code runs as
WCS.SystemStores.Add('My');       // the service's personal ('My') store

However, this has a WCS.Count = 0.

I also tried with WCS.SystemStores.Add('ServiceName\My') but also no result.

Am I overlooking something? Must the certificate be added in a special way?
#29355
Posted: 05/01/2014 04:13:17
by Ken Ivanov (EldoS Corp.)

Hello Birger,

Thank you for contacting us.

1. Could you please check if a reference to your certificate is available in the corresponding registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates ?

2. An alternative way to access the service's certificates is to use the atServices access type and specify the store name as follows:

\\ComputerName\ServiceName\MY

Ken
#29362
Posted: 05/05/2014 02:06:37
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 73

1: Yes, I can see the reference
2: This method works.

Is there an explanation for why this works and it doesn't work to get the certificate from the atCurrentService store?

I prefer the atCurrentService method because now the code must also look up the current computer name and the name under which the service is installed (might change when I re-use this code in another project).
#29363
Posted: 05/05/2014 05:48:25
by Ken Ivanov (EldoS Corp.)

Hi Birger,

Thank you for checking. At first glance the issue has something to do with access rights to the store (yet indeed the fact that the service is able to access the certificates via the 'Services' store but not via the 'Current Service' one looks weird).

Could you please do another couple of checks for us:

1. Please check if you see any certificates in the ROOT store at all when accessing the store through the 'Current Service' view.

2. Please try to additionally provide a physical name of the store and check if this method works:
Code
WCS.SystemStores.BeginUpdate();
try
  WCS.SystemStores.Add('MY');          // logical store name
  WCS.PhysicalStores.Add('.Default');  // physical store that backs it
finally
  WCS.SystemStores.EndUpdate();
end;


Ken
#29364
Posted: 05/05/2014 06:45:42
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 73

Hi Ken,

I modified the code to this:

Code
WCS := TElWinCertStorage.Create(nil);
WCS.ReadOnly := True;
WCS.StorageType := stSystem;
WCS.AccessType := atCurrentService;
WCS.SystemStores.BeginUpdate;
try
  WCS.SystemStores.Add('MY');          // logical store name
  WCS.PhysicalStores.Add('.Default');  // physical store, as suggested
finally
  WCS.SystemStores.EndUpdate;
end;

But I once again have WCS.Count = 0 with this.

I'm also having a hard time validating the certificate with the TElX509CertificateValidator. The validator also needs the complete chain and the root of this chain in the Root store. But the validator has no access to the Services trusted root store. If I use Validator.InitializeWinStorages I get an exception because the service cannot open the atCurrentUser (default) store.

When I modify TElX509CertificateValidator so that WinStorageTrust and WinStorageCA can be created (they were read only) with the correct settings (same as the certificate store in the previous posts) the validation works. Is there a better solution for this and if not: can you modify your source so that the TElX509CertificateValidator.WinStorage* are read AND write properties?
#29365
Posted: 05/05/2014 08:04:06
by Ken Ivanov (EldoS Corp.)

Birger,

We will try to reproduce the issue with 'Current service'-based certificate access and find out what is going wrong.

You can overcome the certificate validator issue (which is actually not an issue, but a design feature) in the following way:

1. Set the validator's UseSystemStorages property to false;

2. Create and set up the 'trusted' certificate storage objects yourselves (by creating relevant TElWinCertStorage instances for 'ROOT' and 'CA' stores and initializing them accordingly);

3. Pass both storages to the validator's AddTrustedCertificates() method before running the validation.

Ken
#29366
Posted: 05/05/2014 08:59:40
by Eugene Mayevski (EldoS Corp.)

Quote
Ken Ivanov wrote:
3. Pass both storages to the validator's AddTrustedCertificates() method before running the validation.


Storages created with "CA" as store name should be added using AddKnownCertificates - they contain intermediate certificates which are not trusted. Only ROOT are trusted.


Sincerely yours
Eugene Mayevski
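Ken's atServices path (#29355) and his three validator steps (#29365), with Eugene's correction that the CA store goes through AddKnownCertificates, combined into one Delphi routine. This is an added example, not code from the thread or from EldoS: the unit names, the Certificates[] indexer on the storage, and the Validate(Cert, Validity, Reason) overload are assumed from SecureBlackbox's API rather than taken from this page, and ServiceName is a placeholder for whatever name the service was installed under.

```pascal
uses
  Windows, SysUtils,
  // Unit names assumed; adjust to the SecureBlackbox version in use.
  SBTypes, SBConstants, SBX509, SBWinCertStorage, SBCertValidator;

// Build the '\\ComputerName\ServiceName\STORE' path Ken described, so the
// computer name does not have to be hard-coded when the code is reused.
function ServiceStorePath(const ServiceName, StoreName: string): string;
var
  Buf: array[0..MAX_COMPUTERNAME_LENGTH] of Char;
  Len: DWORD;
begin
  Len := Length(Buf);
  if not GetComputerName(Buf, Len) then
    RaiseLastOSError;
  Result := '\\' + string(Buf) + '\' + ServiceName + '\' + StoreName;
end;

// Open one system store of the named service, read-only, through the
// atServices view (the variant that worked for Birger in #29362).
function OpenServiceStore(const ServiceName, StoreName: string): TElWinCertStorage;
begin
  Result := TElWinCertStorage.Create(nil);
  try
    Result.ReadOnly := True;
    Result.StorageType := stSystem;
    Result.AccessType := atServices;
    Result.SystemStores.Add(ServiceStorePath(ServiceName, StoreName));
  except
    Result.Free;
    raise;
  end;
end;

// Validate a certificate against the service's own ROOT and CA stores
// instead of the (inaccessible) current-user stores.
function ValidateAgainstServiceStores(const ServiceName: string;
  Cert: TElX509Certificate; out Reason: TSBCertificateValidityReason): TSBCertificateValidity;
var
  RootStore, CAStore: TElWinCertStorage;
  Validator: TElX509CertificateValidator;
  Validity: TSBCertificateValidity;
begin
  RootStore := OpenServiceStore(ServiceName, 'ROOT');
  CAStore := OpenServiceStore(ServiceName, 'CA');
  Validator := TElX509CertificateValidator.Create(nil);
  try
    // Step 1: keep the validator away from the current-user system stores.
    Validator.UseSystemStorages := False;
    // Step 2/3: ROOT holds the trust anchors ...
    Validator.AddTrustedCertificates(RootStore);
    // ... while CA holds intermediates, which are known but NOT trusted
    // (Eugene's correction in #29366).
    Validator.AddKnownCertificates(CAStore);
    // Validate overload with var Validity/Reason parameters is assumed.
    Validator.Validate(Cert, Validity, Reason);
    Result := Validity;
  finally
    Validator.Free;
    CAStore.Free;
    RootStore.Free;
  end;
end;

// Load the first certificate from the service's MY store and validate it.
function LoadAndValidateServiceCertificate(const ServiceName: string): Boolean;
var
  MyStore: TElWinCertStorage;
  Reason: TSBCertificateValidityReason;
begin
  Result := False;
  MyStore := OpenServiceStore(ServiceName, 'MY');
  try
    if MyStore.Count = 0 then
      raise Exception.Create('No certificate found in ' + ServiceStorePath(ServiceName, 'MY'));
    Result := ValidateAgainstServiceStores(ServiceName, MyStore.Certificates[0], Reason) = cvOk;
  finally
    MyStore.Free;
  end;
end;
```

Because the storages are handed to the validator rather than created by it, none of the WinStorage* properties on TElX509CertificateValidator need to be made writable; the same three storage objects can also be reused across validations if they are kept alive for the lifetime of the service.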