EldoS | Feel safer!
How to validate SSL certificate using HTTPSClient in Windows Phone 8

Posted: 01/12/2016 10:37:47
by Gururaj Kulkarni (Basic support level)
Joined: 01/12/2016
Posts: 2


We as a company are working on Windows Phone 8 applications and have the requirement to check that the certificates are valid and from a trusted source.

Having looked at your sample applications "HTTPSGet_VS2015", I can see that using TElX509CertificateValidator we can do ValidateForSSL which performs CRL / OCSP (https://www.eldos.com/security/articles/7545.php).

Well, this is fine for a ".NET" desktop application, but how can this be achieved in a Windows Phone 8 application? If it is possible, please point me to a code snippet which I can try.

We don't have access to "InitializeWinStorages" in TElX509CertificateValidator. Also, we don't have access to "RemoteHost" and "RemoteIP" in TElHTTPSClient class.

We are really hard pressed for time and would really appreciate it if you could be quick with your response. This requirement is very crucial in making the decision as to whether or not we purchase a company licence for SecureBlackbox.

To summarise, I am trying to achieve this, or an equivalent, in a Windows Phone 8 application:

private TElHTTPSClient HTTPSClient;
private TElX509CertificateValidator CertificateValidator;

// set-up, e.g. in the constructor
this.HTTPSClient = new SBHTTPSClient.TElHTTPSClient();
this.CertificateValidator = new TElX509CertificateValidator();
this.HTTPSClient.OnCertificateValidate += new SBSSLCommon.TSBCertificateValidateEvent(this.HTTPSClient_OnCertificateValidate);

private void HTTPSClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref bool Validate)
{
   TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
   int Reason = 0;
   // Validate only once, on the first (end-entity) certificate; the validator walks the whole chain itself
   if ((X509Certificate.Chain == null) || (X509Certificate.Chain.get_Certificates(0) == X509Certificate))
   {
      // For proper CRL and OCSP validation please read instructions in
      // description of ElX509CertificateValidator class in the help file
      CertificateValidator.ValidateForSSL(X509Certificate, HTTPSClient.RemoteHost, HTTPSClient.RemoteIP, TSBHostRole.hrServer, null, false, DateTime.Now, ref Validity, ref Reason);
      Validate = (Validity == TSBCertificateValidity.cvOk);
      if (!Validate)
      {
         // Desktop sample behaviour: let the user decide whether to continue after a failed validation
         if (MessageBox.Show("There was a problem validating the server certificate (validity: " + Validity.ToString() + ", reason: " + Reason.ToString() + "). Click OK to continue or Cancel to close the session.", "Validation error", MessageBoxButtons.OKCancel, MessageBoxIcon.Warning) == DialogResult.OK)
            Validate = true;
      }
   }
   else
   {
      // Remaining chain members were already covered by the check on the first certificate
      Validate = true;
   }
}
Posted: 01/12/2016 14:43:45
by Ken Ivanov (EldoS Corp.)

Hi Gururaj,

Thank you for contacting us.

We don't have access to "InitializeWinStorages" in TElX509CertificateValidator.

When implementing a Windows Phone 8 application, you have to get certificates from the phone's system stores and add them to the validator object as trusted/known by yourselves. This is normally done in the following way:

1. Get the trusted store object Windows.Security.Cryptography.Certificates.TrustedRootCertificationAuthorities;

2. List all certificates contained in it with FindAllAsync() call.

3. Create a TElMemoryCertStorage object.

4. Iterate over the certificate list you've obtained in step 2. For every certificate object create an instance of SecureBlackbox's TElX509Certificate class, import the system certificate there with FromWSCCertificate() call, and add that TElX509Certificate object to the memory storage object created in step 3.

5. Add the formed trusted certificate storage to the validator object with its AddTrustedCertificates() call.

6. Repeat steps 1-5 for Windows.Security.Cryptography.Certificates.IntermediateCertificationAuthorities; pass the TElMemoryCertStorage object created on this step to TElX509CertificateValidator.AddKnownCertificates() method.

That's it, now your validator is ready to validate certificates.

In addition to, or as a replacement for, the built-in system stores, your application can maintain its own list of trusted and known intermediate certificates.

Also, we don't have access to "RemoteHost" and "RemoteIP" in TElHTTPSClient class.

That's right. The only option to get the address is to extract it from the URL. You can do that with SBStrUtils.Unit.ParseURL() method.
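The six steps above, plus the URL-based host lookup, put together as one added example. This is not code from the thread or from EldoS; it targets Windows Phone 8.1, where the Windows.Security.Cryptography.Certificates API exists. The SecureBlackbox namespace names, the TElMemoryCertStorage.Add(cert, copyPrivateKey) signature and the use of CertificateQuery.StoreName to select a store are assumptions; System.Uri is used for the host in place of SBStrUtils.Unit.ParseURL(), which the reply above names.

```csharp
// Added example (not from the thread or from EldoS). Windows Phone 8.1 only.
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;   // WinRT certificate stores (WP 8.1+)
using SBX509;                  // TElX509Certificate            (namespace assumed)
using SBCustomCertStorage;     // TElMemoryCertStorage          (namespace assumed)
using SBCertValidator;         // TElX509CertificateValidator, TSBCertificateValidity, TSBHostRole (assumed)
using SBHTTPSClient;           // TElHTTPSClient

public sealed class PhoneCertificateValidation
{
    private readonly TElX509CertificateValidator validator = new TElX509CertificateValidator();
    private readonly TElHTTPSClient httpsClient = new TElHTTPSClient();
    private readonly string targetUrl;   // the URL the client will fetch; needed for the host name

    public PhoneCertificateValidation(string url)
    {
        targetUrl = url;
        httpsClient.OnCertificateValidate += HttpsClient_OnCertificateValidate;
    }

    public TElHTTPSClient Client { get { return httpsClient; } }

    // Steps 1-6: copy the phone's trusted-root and intermediate stores into the validator.
    public async Task LoadSystemStoresAsync()
    {
        // Steps 1-4: enumerate the trusted root store into a memory storage
        TElMemoryCertStorage trusted = await CopyStoreAsync(CertificateStores.TrustedRootCertificationAuthorities);
        // Step 5: these are trust anchors
        validator.AddTrustedCertificates(trusted);
        // Step 6: the intermediate store is "known", not trusted
        TElMemoryCertStorage known = await CopyStoreAsync(CertificateStores.IntermediateCertificationAuthorities);
        validator.AddKnownCertificates(known);
    }

    // Steps 2-4 for one system store.
    private static async Task<TElMemoryCertStorage> CopyStoreAsync(CertificateStore store)
    {
        // Assumption: FindAllAsync filtered by the store's own Name lists that store's contents
        var query = new CertificateQuery { StoreName = store.Name };
        var systemCerts = await CertificateStores.FindAllAsync(query);

        var storage = new TElMemoryCertStorage();
        foreach (Certificate systemCert in systemCerts)
        {
            var cert = new TElX509Certificate();
            cert.FromWSCCertificate(systemCert);   // import method named in the reply above
            storage.Add(cert, false);              // assumed signature: Add(cert, copyPrivateKey)
        }
        return storage;
    }

    private void HttpsClient_OnCertificateValidate(object sender, TElX509Certificate cert, ref bool validate)
    {
        // Only the first (end-entity) certificate triggers validation; the validator walks the chain.
        if (cert.Chain != null && cert.Chain.get_Certificates(0) != cert)
        {
            validate = true;
            return;
        }

        // RemoteHost/RemoteIP are not exposed on the phone build, so derive the host from the URL.
        string host = new Uri(targetUrl).Host;

        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        validator.ValidateForSSL(cert, host, "", TSBHostRole.hrServer, null, false, DateTime.Now, ref validity, ref reason);

        // No interactive override on the phone: a certificate that fails validation ends the session.
        validate = (validity == TSBCertificateValidity.cvOk);
    }
}
```

Call LoadSystemStoresAsync() once before the first request; the validator keeps the two storages for subsequent connections. Passing the host taken from the URL is what makes ValidateForSSL check the certificate's subject/SAN against the server actually being contacted, so leaving it empty would silently weaken the check.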

Posted: 01/13/2016 04:40:34
by Gururaj Kulkarni (Basic support level)
Joined: 01/12/2016
Posts: 2

Hi Ken,

Thank you very much for your reply.

I am developing an app on Windows Phone 8 SDK and don't have access to Windows.Security.Cryptography.Certificates.TrustedRootCertificationAuthorities.

Am I missing something?

Posted: 01/13/2016 04:54:54
by Ken Ivanov (EldoS Corp.)


That property is only available starting from Windows Phone 8.1. If you need to support WP 8.0 too, the only option is deploying and storing trusted certificates together with your application.
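For the WP 8.0 case described in this reply, an added example (not EldoS code) that loads a root CA certificate shipped inside the app package and registers it as a trust anchor. The resource path "Certificates/root-ca.cer" is a placeholder, and TElX509Certificate.LoadFromBuffer(byte[]) as well as TElMemoryCertStorage.Add(cert, copyPrivateKey) are assumed SecureBlackbox signatures; Application.GetResourceStream is the Silverlight API for reading content files from the XAP.

```csharp
// Added example (not from the thread or from EldoS). Windows Phone 8.0 (Silverlight) build.
using System;
using System.IO;
using System.Windows;              // Application.GetResourceStream
using System.Windows.Resources;    // StreamResourceInfo
using SBX509;                      // TElX509Certificate            (namespace assumed)
using SBCustomCertStorage;         // TElMemoryCertStorage          (namespace assumed)
using SBCertValidator;             // TElX509CertificateValidator   (namespace assumed)

public static class BundledTrustAnchors
{
    // Registers one DER-encoded CA certificate from the app package (Build Action = Content)
    // as trusted. Call once per anchor, e.g. AddFromPackage(validator, "Certificates/root-ca.cer").
    public static void AddFromPackage(TElX509CertificateValidator validator, string relativePath)
    {
        StreamResourceInfo res = Application.GetResourceStream(new Uri(relativePath, UriKind.Relative));
        if (res == null)
            throw new FileNotFoundException("Bundled certificate not found: " + relativePath);

        byte[] der;
        using (var ms = new MemoryStream())
        {
            res.Stream.CopyTo(ms);
            der = ms.ToArray();
        }

        var cert = new TElX509Certificate();
        cert.LoadFromBuffer(der);          // assumed method for DER input

        var trusted = new TElMemoryCertStorage();
        trusted.Add(cert, false);          // assumed signature: Add(cert, copyPrivateKey)
        validator.AddTrustedCertificates(trusted);
    }
}
```

Shipping your own anchors means the app, not the OS, decides what is trusted: only the CA(s) that actually issue your server certificates should be bundled, and a CA rotation or compromise requires an app update, so plan the release path for that before relying on it.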
