EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Search certificate in local storage MVC

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#34208
Posted: 08/10/2015 10:38:21
by Luis Soto (Standard support level)
Joined: 07/07/2015
Posts: 4

Hi guys,
I'm trying to get a certificate from Storage, I created a test method for that and is finding the certificate correctly, but when I'm calling the same exact method from my MVC application is not finding it.

Code
int index = 0;
TElX509CertificateEx result = new TElX509CertificateEx();
TElWinCertStorage WinStorageToSearch = new TElWinCertStorage()
{
AccessType = TSBStorageAccessType.atCurrentUser,
StorageType = TSBStorageType.stSystem
};
WinStorageToSearch.SystemStores.Add("MY");
TElCertificateLookup Search = new TElCertificateLookup();
Search.Options = 1 | 2 | 4;
Search.EmailAddresses.Add(SBUtils.Unit.BytesOfString("email@domain.com"));
Search.Criteria = 512;
index = WinStorageToSearch.FindFirst(Search);


Could you please address me on how to make this work or what I'm doing wrong?

I'll appreciate your help.

Best regards
#34209
Posted: 08/10/2015 10:50:52
by Ken Ivanov (EldoS Corp.)

Hi Rogerio,

Thank you for contacting us.

Your code looks correct and should work if the certificate is there. You said that the test method works fine in some environment for you - could you please clarify what kind of environment is that?

Besides, could you please try iterating over certificates in TElWinCertStorage in your MVC application (via get_Certificates() and Count properties) and check if the needed certificate is present in the list?

Ken
#34212
Posted: 08/10/2015 11:49:37
by Luis Soto (Standard support level)
Joined: 07/07/2015
Posts: 4

Hi Ken,

When I debug my test method on Visual Studio, there are 3 certificates in the Count property; but when I run the application and step into this method Count property is 0.

I'm testing on my dev machine.

Regards,
#34213
Posted: 08/10/2015 12:19:45
by Ken Ivanov (EldoS Corp.)

Rogerio,

This is probably because you run the application under different user accounts in debug and release modes. As you are specifying atCurrentUser as your AccessType, a per-user copy of the system certificate store is acquired by the application. This copy is kept independently for every user account, so certificates contained in user A's store are only visible to user A and not to any other user of the machine.

Another reason is also permission-specific. This is easy to check - please try to run your application in administrative mode and check if it can see the certificates in that way.

Ken
#34214
Posted: 08/10/2015 16:12:50
by Luis Soto (Standard support level)
Joined: 07/07/2015
Posts: 4

Ken,
I'm facing this issue when using Local IIS.
I changed the AccessType to atLocalMachine and now I'm getting the error message "Failed to open storage" on line 07
Code
01 TElX509CertificateEx result = new TElX509CertificateEx();
02 TElWinCertStorage WinStorageToSearch = new TElWinCertStorage()
03 {
04   AccessType = TSBStorageAccessType.atLocalMachine,
05   StorageType = TSBStorageType.stSystem                
06 };
07 WinStorageToSearch.SystemStores.Add("MY");


Regards,
#34215
Posted: 08/10/2015 17:45:33
by Ken Ivanov (EldoS Corp.)

Hi Rogerio,

Thank you for the important details.

The system account which IIS runs under often comes with reduced access rights and cannot access certain machine-wide objects (which the 'local machine' store is one of). The best and most compatible approach would be to add certificates to the 'current user' copy of the store of the account IIS runs under. This can be done with e.g. MMC (by running it under a different user account), or with a simple SBB-driven certificate import app executed under the needed user account.

Another way to go would be to provide the appropriate access rights to the user account that hosts the IIS process so that it could access the 'local machine' store, but that solution is not desirable due to potential security risks.

Ken
Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.

Reply

Statistics

Topic viewed 2108 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!