EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to implement Certificate Pinning for Silverlight Application & WCF

Posted: 04/17/2015 04:11:10
by Daniel Algar (Basic support level)
Joined: 04/16/2015
Posts: 4


We are evaluating SecureBlackBox for a specific functionality. This functionality is to implement certificate pinning. We have a Silverlight 4 application and we need to verify the server X.509 certificate for each call. The web service is implemented using Windows Communication Foundation. I have searched in your forums and in the samples but I can't achieve it.
We are using ClientBase from ServiceModel to create the connection from client to services. Do you have any experience in this scenario?

Thank you,
Posted: 04/17/2015 04:37:26
by Ken Ivanov (EldoS Corp.)

Hi Daniel,

Thank you for contacting us.

Certificate pinning is a fairly wide and sometimes ambiguous concept. Could you please let us know what exactly is your understanding of pinning?

Generally, SecureBlackbox TLS components pass the certificate chain to the user via the OnCertificateValidate event, and that is the place where you should perform the validation routine. If you interpret pinning as 'explicit trust', you could just iterate over the list of the trusted certificates inside that event handler and set Validate = true if the certificate was located in the trusted list. Just let me know if this is what you wish to do and we'll come up with more detailed guidance.
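
The 'explicit trust' decision described in the post above, as an added C# example that is not part of the original thread and is not SecureBlackbox code. `CertificatePinSet`, `Fingerprint` and `IsTrusted` are hypothetical names, and the sample byte arrays are constructed stand-ins for DER-encoded certificates; how the presented certificate's bytes are obtained inside the OnCertificateValidate handler is not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for a TLS validation callback; not part of any vendor API.
public sealed class CertificatePinSet
{
    private readonly List<string> _pins = new List<string>();

    // Pins are SHA-256 fingerprints (hex) of the trusted certificates' DER bytes.
    // Ship the current certificate's pin together with its planned replacement,
    // so a certificate rotation does not lock deployed clients out.
    public CertificatePinSet(IEnumerable<string> sha256HexPins)
    {
        foreach (string pin in sha256HexPins)
        {
            string normalized = pin.Replace(":", "").Replace(" ", "").ToUpperInvariant();
            if (normalized.Length != 64)
                throw new ArgumentException("Expected a 32-byte SHA-256 fingerprint: " + pin);
            _pins.Add(normalized);
        }
        if (_pins.Count == 0)
            throw new ArgumentException("At least one pin is required.");
    }

    public static string Fingerprint(byte[] certificateDer)
    {
        using (SHA256 sha = new SHA256Managed())
            return BitConverter.ToString(sha.ComputeHash(certificateDer)).Replace("-", "");
    }

    // Fails closed: a missing or empty certificate is never trusted.
    public bool IsTrusted(byte[] presentedDer)
    {
        return presentedDer != null && presentedDer.Length > 0
            && _pins.Contains(Fingerprint(presentedDer));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; a real pin is computed from the server's certificate file.
        byte[] serverCert = Encoding.UTF8.GetBytes("constructed-server-certificate");
        byte[] otherCert = Encoding.UTF8.GetBytes("constructed-interceptor-certificate");
        var pins = new CertificatePinSet(new[] { CertificatePinSet.Fingerprint(serverCert) });
        // In the validation handler, the IsTrusted result is what gets assigned to Validate.
        Console.WriteLine(pins.IsTrusted(serverCert));
        Console.WriteLine(pins.IsTrusted(otherCert));
        Console.WriteLine(pins.IsTrusted(new byte[0]));
    }
}
```

The handler should leave Validate false whenever `IsTrusted` returns false, so that a connection presenting an unknown certificate is refused rather than silently accepted.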


Posted: 04/17/2015 05:11:51
by Eugene Mayevski (EldoS Corp.)

Besides what Ken has said, please note that certificate pinning with SecureBlackbox is possible when you use SSL/TLS components included with SecureBlackbox. If you use system/Silverlight classes or third-party classes for TLS connectivity, we won't be able to help you.

Sincerely yours
Eugene Mayevski
Posted: 04/17/2015 06:39:30
by Daniel Algar (Basic support level)
Joined: 04/16/2015
Posts: 4

Hi Ken and Eugene,

Thank you for your quick answer. Yes, you both are right, we want to 'explicitly trust' our server certificate. This should be checked in every service call.

Currently, our Silverlight app uses a client proxy generated using the Visual Studio tool (adding Service Reference). The proxy (.NET class) is created automatically, collecting info from our service contracts. Of course, the auto-generated class makes use of the System.ServiceModel namespace of Microsoft. Our services are SOAP (WCF).

We need to know how we can put this custom validation in every service call made from the Silverlight app. Do we have to change the autogenerated proxy client? Do we have to make, from scratch, a custom proxy client? Do we have to generate "manually" all the SOAP envelope?

Thanks for your help!
Posted: 04/17/2015 07:15:02
by Eugene Mayevski (EldoS Corp.)

We don't have experience with WCF or with ServiceModel namespace of Microsoft and that functionality is not ours, so we can't support it. I don't know how to implement certificate pinning in it.

SecureBlackbox has its own SOAP client component included and with it you can use certificate pinning.

We have the article on Certificate pinning in the Knowledgebase.

Sincerely yours
Eugene Mayevski
Posted: 04/17/2015 10:08:35
by Daniel Algar (Basic support level)
Joined: 04/16/2015
Posts: 4

Thank you Eugene. In order to evaluate if we can use your SOAP client, do you have any example?

I searched in the folder referenced in another post, "<SecureBlackbox>\Samples\<language>\XMLBlackbox\Desktop\SOAPClient", but I didn't find it.

Thanks for your help,
Posted: 04/17/2015 10:43:37
by Eugene Mayevski (EldoS Corp.)

For C# the right path as of now is <SecureBlackbox>\Samples\C#\XMLBlackbox\Desktop\SOAPClient and I see files there. Could you please specify what part of the path differs from what you have?

Sincerely yours
Eugene Mayevski
Posted: 04/17/2015 11:53:28
by Daniel Algar (Basic support level)
Joined: 04/16/2015
Posts: 4

Sorry, I had an old version. I downloaded it again and now the version is 12.0.269.

I'll try with the SOAP client.

Thank you!
Posted: 02/04/2016 15:18:35
by jason  (Basic support level)
Joined: 02/04/2016
Posts: 1

Hi Daniel,

Were you able to get your Silverlight application to work finally? I'm looking for a similar solution for my Silverlight app to fix MIM attacks,




