EldoS | Feel safer!

Certificate PrivateKeyExists

#29899
Posted: 06/24/2014 08:27:48
by ChrisM (Standard support level)
Joined: 06/23/2014
Posts: 13

Both are true.
Maybe this can help: if I load from PFX, it works well.
#29900
Posted: 06/24/2014 08:33:06
by Eugene Mayevski (EldoS Corp.)

Looks like while the key is available, it cannot be used for whatever reason.

Can you please try to place the certificate in CURRENT_USER\My (possibly using the TElWinCertStorage.Add method) and try to use it this way? As I understand it, the problem is in the way the key is linked with the certificate: SecureBlackbox (or Windows) can't match the certificate with the key somewhere.


Sincerely yours
Eugene Mayevski
#29901
Posted: 06/24/2014 08:34:02
by Vsevolod Ievgiienko (EldoS Corp.)

Try to use the TElHTTPSClient.OnCertificateNeededEx event instead of the ClientCertStorage property and check if this helps.

Also you have a memory leak here:

Code
FCert := TElX509Certificate.Create(nil); // remove this line: the object created here is never freed
FCert := FWinCert.Certificates[I];       // the storage owns this certificate; no Create is needed


as you put a new object in the FCert variable and then assign another object from FWinCert to it.
#29902
Posted: 06/24/2014 08:41:11
by ChrisM (Standard support level)
Joined: 06/23/2014
Posts: 13

I removed the line (thanks for the tip), and nothing changed.
Right now OnCertificateNeededEx is used, I have Validate:=true;
I don't know how to replace the ClientCertStorage, can you provide an example?
#29903
Posted: 06/24/2014 08:46:04
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
Right now OnCertificateNeededEx is used, I have Validate:=true;

OnCertificateNeededEx is not the OnCertificateValidate event. It seems you've mixed them up.

Quote
I don't know how to replace the ClientCertStorage, can you provide an example?

Don't assign the ClientCertStorage property; pass the certificate from the Windows store directly from the OnCertificateNeededEx event handler. The event is described here: https://www.eldos.com/documentation/sb...dedex.html
#29904
Posted: 06/24/2014 09:34:03
by ChrisM (Standard support level)
Joined: 06/23/2014
Posts: 13

Now I'm using the OnCertificateNeededEx event and I have the same values (true) for FATAL and REMOTE. Here is my code:
Code
// Handler name and owning form are illustrative; the event body is as posted.
procedure TForm1.HTTPSClientCertificateNeededEx(Sender: TObject; var Certificate: TElX509Certificate);
begin
  // The event fires repeatedly until nil is returned, so hand out the certificate once.
  if FNeededIndex = 0 then begin
    ShowMessage('CertificateNeededEx ' + FCert.IssuerName.CommonName); // just to check
    Certificate := FCert;
    Inc(FNeededIndex);
  end
  else
    Certificate := nil;
end;


Sorry Eugene, I didn't see your comments:
-I have no control, in real life the certificate will be installed in Local_Computer\MY and not in Current_User\MY.
-also in real life the certificate will be non-exportable.
#29905
Posted: 06/24/2014 09:41:48
by Eugene Mayevski (EldoS Corp.)

It doesn't matter what the planned scenarios are. What matters is the particular bug and the methods to find and fix it. The important step in problem solving is narrowing down the problem by trying variations of the initial configuration.

As said, the problem hides in the code that matches the certificate and its private key for further use with CryptoAPI functions when the key is non-exportable.

I will try to reproduce the problem locally, though I am not sure that this would be easy to do.


Sincerely yours
Eugene Mayevski
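The distinction drawn in the post above, between a private key that is linked to the certificate (what PrivateKeyExists reports) and a key that the calling account can actually open and use through CryptoAPI or CNG, can be checked outside SecureBlackbox. The following PowerShell script is an added example written for this page; it is not EldoS code and does not come from the thread. It enumerates certificates in a Windows store, reports HasPrivateKey, and then performs a real sign-and-verify with the linked key. The store location, the subject filter and the probe bytes at the top are assumed placeholders; it requires Windows PowerShell 5.1 or later with .NET 4.6 or newer.

```powershell
# Added diagnostic (not EldoS/SecureBlackbox code). For every certificate in the
# chosen store whose subject matches, try to actually sign with the linked private
# key as the current account. This separates "a key is linked" (HasPrivateKey, the
# same fact SecureBlackbox's PrivateKeyExists reports) from "this principal may use
# the key", which is what a TLS client handshake needs.
$StoreLocation = 'LocalMachine'   # or 'CurrentUser'; assumed placeholder
$SubjectMatch  = 'CN=client'      # constructed placeholder, not from the thread

function Test-ClientCertKeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # the certificate-to-key link exists
        CanSign       = $false                # the key is openable and really matches
        Error         = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$result }

    try {
        # GetRSAPrivateKey opens the linked key through CNG or the legacy CSP as
        # appropriate. It returns $null when there is no RSA private key and throws
        # (e.g. "Keyset does not exist", "Access is denied") when the link points at
        # a key container this account cannot open.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { throw 'no RSA private key could be opened for this certificate' }

        $data = [Text.Encoding]::ASCII.GetBytes('probe')   # constructed test input
        $sig  = $rsa.SignData($data,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        # Verify with the public half from the certificate itself: if the link points
        # at a key that does not belong to this certificate, verification fails here.
        $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        $result.CanSign = $pub.VerifyData($data, $sig,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    }
    catch {
        # Typical for LocalMachine\My: the key container ACL grants SYSTEM and
        # Administrators but not the account the application runs under.
        $result.Error = $_.Exception.Message
    }
    return [pscustomobject]$result
}

Get-ChildItem -Path "Cert:\$StoreLocation\My" |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    ForEach-Object { Test-ClientCertKeyUsable -Cert $_ } |
    Format-Table Subject, HasPrivateKey, CanSign, Error -AutoSize
```

Run it under the same account the application runs as, not only from an elevated console, because LocalMachine\My keys frequently open for an administrator and fail for a service or standard user. HasPrivateKey true with CanSign false is exactly the "key available but not usable" state described above: an access-denied error points at the key container ACL (Manage Private Keys on the certificate in certlm.msc), while "Keyset does not exist" points at a stale certificate-to-key link, which certutil -repairstore My <serial number> (elevated for the machine store) rebuilds. Non-exportability plays no role in this test; signing works with a non-exportable key as long as the account can open it.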
#29907
Posted: 06/24/2014 10:07:07
by Ken Ivanov (EldoS Corp.)

Hi Chris,

Just another couple of questions to get some details about your circumstances:

1. What key is stored in the certificate: is it RSA or some other type?

2. Does your PFX contain only a single certificate, or the whole chain, up to the root certificate, associated with it?

Thanks,

Ken
#29908
Posted: 06/24/2014 10:10:03
by ChrisM (Standard support level)
Joined: 06/23/2014
Posts: 13

Eugene,

I just did another test: I imported the certificate in certmgr, so the certificate is now in Current_user/My. PrivateKeyExists is true, but I have the same error regardless of whether I'm using ClientCertStorage or the CertificateNeededEx event.
#29909
Posted: 06/24/2014 10:13:18
by ChrisM (Standard support level)
Joined: 06/23/2014
Posts: 13

Ken:
1. RSA, key size 2048, hash alg=sha1
2. single certificate