EldoS | Feel safer!


Certificate pinning and validating an incomplete chain

#33894
Posted: 07/06/2015 07:12:59
by OGAlex (Standard support level)
Joined: 06/08/2015
Posts: 13

Quote
Eugene Mayevski wrote:
Emm, you get ok because you've set the certificate itself as trusted, no?
If you add nothing, the certificate being validated can not become valid unless there's a system certificate storage used implicitly. I see no way for the certificate to be treated as trusted.

ValidateForSSL would not return cvOk on the certificate in your call as it matches the passed name and the name in the certificate. Something must be wrong with your code (i.e. you've written not the code you tested).


Hmm well I am unable to find what it is. Here is my validator initialization:

Code
certificateValidator = new TElX509CertificateValidator();
certificateValidator.CheckCRL = false;   // revocation checks via CRL disabled
certificateValidator.CheckOCSP = false;  // revocation checks via OCSP disabled
//certificateValidator.AddTrustedCertificates(trustedCerts); // no explicit trust anchors are added
certificateValidator.ForceCompleteChainValidationForTrusted = false;


And my OnCertificateValidate:

Code
private void OnCertificateValidate(object sender, TElX509Certificate certificate, ref bool validate)
{
    // Run ValidateForSSL only for the end-entity (server) certificate: either no chain
    // object is attached, or this certificate is the first element of the chain.
    if (certificate.Chain == null || certificate.Chain.get_Certificates(0) == certificate)
    {
        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        certificateValidator.ValidateForSSL(certificate, "mytestserver.com", "", TSBHostRole.hrServer, null, true, false, DateTime.Now, ref validity, ref reason);

        System.Diagnostics.Debug.WriteLine("===== " + validity + " / " + reason + " =====");

        // Reject the connection unless the validator reports cvOk
        if (validity != TSBCertificateValidity.cvOk)
        {
            validate = false;
            return;
        }
    }
    // Intermediate/root certificates are accepted here; ValidateForSSL on the
    // end-entity certificate is expected to have covered the whole chain.
    validate = true;
}


I am not adding any trusted certificates, and yet I'm getting a cvOk. I am using the WinStore assemblies, my logic is in a PCL targeting Windows Phone 8.1 referenced by a Windows Phone 8.1 project. I have tested this on the Windows Phone 8.1 emulator and also an actual Windows Phone device (Nokia Lumia).

Very strange, I don't understand where the trust is coming from.

Edit: For the sake of completion I'll post some more code as well.

My TElRESTClient initialization:

Code
restClient = new TElRESTClient();
restClient.OnPreparedHeaders += OnPreparedHeaders;
restClient.OnCertificateValidate += OnCertificateValidate;


For the rest I don't touch restClient or certificateValidator at all, except that I add headers before calling GetAsync or PostAsync.
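As an added example (not the poster's code and not a SecureBlackbox sample), the handler above can be made independent of where the unexplained trust comes from by pinning the server's end-entity certificate: the SHA-256 fingerprint of the DER-encoded leaf is compared with a value embedded in the app, and the connection is accepted only if both that pin and ValidateForSSL agree. It assumes TElX509Certificate.SaveToBuffer(ref byte[], ref int) is the library's DER export with the usual two-call size pattern (check this against your SBB version), a .NET profile that provides System.Security.Cryptography.SHA256 (on the WinRT/PCL profile use Windows.Security.Cryptography.Core.HashAlgorithmProvider instead), and placeholder values for the pinned fingerprint and host name.

```csharp
using System;
using System.Security.Cryptography;
// plus the SecureBlackbox namespaces already imported for TElX509Certificate,
// TSBCertificateValidity and TSBHostRole in the project

// PLACEHOLDER: replace with the SHA-256 fingerprint of the real server certificate
// (e.g. the output of "openssl x509 -noout -fingerprint -sha256 -in server.crt").
private static readonly byte[] PinnedLeafSha256 = new byte[32];

private static byte[] ExportDer(TElX509Certificate cert)
{
    // Assumption: first call with a null buffer reports the required size,
    // second call fills the allocated buffer with the DER encoding.
    byte[] buf = null;
    int size = 0;
    cert.SaveToBuffer(ref buf, ref size);
    buf = new byte[size];
    cert.SaveToBuffer(ref buf, ref size);
    return buf;
}

// Constant-time comparison so a mismatch does not leak how many bytes matched.
private static bool FixedTimeEquals(byte[] a, byte[] b)
{
    if (a.Length != b.Length) return false;
    int diff = 0;
    for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

private void OnCertificateValidatePinned(object sender, TElX509Certificate certificate, ref bool validate)
{
    bool isLeaf = certificate.Chain == null || certificate.Chain.get_Certificates(0) == certificate;
    if (!isLeaf) { validate = true; return; }   // chain members are covered by ValidateForSSL on the leaf

    TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
    int reason = 0;
    certificateValidator.ValidateForSSL(certificate, "mytestserver.com", "", TSBHostRole.hrServer,
        null, true, false, DateTime.Now, ref validity, ref reason);

    byte[] fingerprint;
    using (SHA256 sha256 = SHA256.Create())
        fingerprint = sha256.ComputeHash(ExportDer(certificate));
    bool pinMatches = FixedTimeEquals(fingerprint, PinnedLeafSha256);

    System.Diagnostics.Debug.WriteLine("validity=" + validity + " reason=" + reason + " pin=" + pinMatches);

    // Both must hold: the library's chain/name/date checks and the pin. A cvOk that
    // originates from an implicitly used system store is no longer sufficient by itself.
    validate = (validity == TSBCertificateValidity.cvOk) && pinMatches;
}
```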
#33916
Posted: 07/07/2015 07:28:50
by Ken Ivanov (EldoS Corp.)

Hi Alex,

Could you please put a breakpoint into the OnCertificateValidate handler and check why exactly it returns validate==true back to the component? Does ValidateForSSL() return cvOk for the server end-entity certificate?

And please also check that the TElX509CertificateValidator.ImplicitlyTrustSelfSignedCertificates is not accidentally set to true somewhere in your code.

Ken
#33917
Posted: 07/07/2015 07:42:47
by OGAlex (Standard support level)
Joined: 06/08/2015
Posts: 13

Quote
Ken Ivanov wrote:
Hi Alex,

Could you please put a breakpoint into the OnCertificateValidate handler and check why exactly it returns validate==true back to the component? Does ValidateForSSL() return cvOk for the server end-entity certificate?

And please also check that the TElX509CertificateValidator.ImplicitlyTrustSelfSignedCertificates is not accidentally set to true somewhere in your code.

Ken


Hi Ken, using a breakpoint I can see ValidateForSSL() returns cvOk for the server end-entity certificate. I am unable to determine why. ValidateForSSL is only called for the server certificate, as shown in the code I quoted in my previous post (which is recommended by this page: https://www.eldos.com/documentation/sbb/documentation/ref_cl_certificatevalidator_mtd_validateforssl.html).

Also, ImplicitlyTrustSelfSignedCertificates was set to the default false. I tried setting it to false just to be sure, but there was no change in result.
#33920
Posted: 07/07/2015 08:24:59
by Ken Ivanov (EldoS Corp.)

Hmm, that's weird. Could you share that certificate (or the address of the server) with us please (just the public part)? You can use Helpdesk ( http://www.eldos.com/helpdesk/ ) to send us the information securely.

Ken
#33927
Posted: 07/07/2015 12:50:18
by OGAlex (Standard support level)
Joined: 06/08/2015
Posts: 13

Hi Ken, I reopened the ticket from last time, the certificates are uploaded there. I see you've been assigned to the ticket so you probably already see them.