I have a C# RestFull client trying to connect to a Go server. Once I reach the TLS handshake stage it fails because client didn't provide a certificate.
I have verified that client certificate was associated with RestClient Object before the execution of the request.
// Initializing the client
RestClient client = new RestClient(Config.SERVER_DOMAIN);
// Adding client certificate (exported from a smart card with no private key attributes)
client.ClientCertificates = Global.cpf.getCertCollection();
// defining our request then executing it
var request = new RestRequest("users", Method.GET);
var response = await client.ExecuteTaskAsync(request);
It works only if the certificate was read from a .PFX file where the private component is there. But when I switch to smart card certificate (which has no private key attributes because the smart card doesn't want you to have them) the server doesn't receive any certificate from the client.
I understand that TLS needs a private key for the handshake stage, yet the client obj doesn't see any associated private key with the given certificate and therefore doesn't recognize the certificate as a valid one for TLS establishment.
I know that private keys can't be exported from the smart card, and I know that there has to be a way to tell RestClient object that in order to pass handshake stage, you should communicate with the smart card, however, I gave up!
Can someone point me to the right direction?
For most of the smartcards there should be minidriver or standalone CSP (Cryptographic Service Provider) available. These components act as a drivers that integrate the card with Windows cryptographic subsystem. They are usually provided by the device vendor and you should be able to get your certificate with reference to correct private key from your Windows Certificate Store once they're set up correctly.
Try to use the following method:
private static X509Certificate2 GetCertificate()
{
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
try
{
// Note: X509Certificate2UI requires reference to System.Security
X509Certificate2Collection certs = X509Certificate2UI.SelectFromCollection(store.Certificates, null, null, X509SelectionFlag.SingleSelection);
if (certs != null && certs.Count > 0)
return certs[0];
}
finally
{
store.Close();
}
return null;
}
Related
I programming in C# .Net Core 3.1 and .Net Standard library where this code is put.
I am not getting my http requests with RestSharp with a client certificate that are NOT installed on the server/computer i am not going to have access to the server/computer where this is going to be running later on..
My code:
// Create a RestSharp RestClient objhect with the base URL
var client = new RestClient(_baseAPIUrl);
// Create a request object with the path to the payment requests
var request = new RestRequest("swish-cpcapi/api/v1/paymentrequests");
// Create up a client certificate collection and import the certificate to it
X509Certificate2Collection clientCertificates = new X509Certificate2Collection();
clientCertificates.Import(_certDataBytes, _certificatePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
// Add client certificate collection to the RestClient
client.ClientCertificates = clientCertificates;
//X509Certificate2 certificates = new X509Certificate2(_certDataBytes, _certificatePassword);
//client.ClientCertificates = new X509CertificateCollection() { certificates };
// Add payment request data
request.AddJsonBody(requestData);
var response = client.Post(request);
var content = response.Content;
I have done what ever i can find on internet and i have used the service test environment with there own generated certificate and generated my own in there production environment with the same result..
I have tested set TLS 1.1 or TLS 1.2 to test, they specified TLS 1.1 on there own curl examples.
Anyone got any idea?
Update 2020-01-08 - I have got information from the service tech support that they only see me sending one certificate but when i trying to debug and checking the X509Certificate2Collection i finding 3 certificate. But they saying they only see one?
IMHO, if the service you are trying to access is protected via SSL cert with expecting public key/private key, then without the cert, you cant access it. If thats the intent of the service to be protected, i think you may only do to check the service health check or at max, check if the service is accessible (without having the client cert)
But just as HTTPS, then you can try to download the cert from the browser if you can access the service URL from your browser, say, to access their meta or a simple GET or something. In chrome, you may see a lock symbol (security icon) just before to the URL. click that, and you may possibly download the public cert. You can install that on your machine and try that.
In case, if that service has a pub cert and the access doesnt need the client cert, then above option may work. and i hope you are installing the CERT and access that via your code from the account that has access to the cert. Lets say, you install the cert under the LocalSystem, then you may need administrator access from code/solution to access that cert path. Or install the cert under the current_user path.
I would Check if am able to access the service from browser as the first step.
This is, just from what i have understood from your question. again, if you can explain whether the service is a protected service based on public key/private key, you need to have the access/cert to use that service.
UPDATE:
I have tried few options on my end, by creating a demo api and a demo client to use client certs. With what i have understood from your query, i assume below may be some of your options to try out.
// --- using the cert path if you have the path (instead of the byte[])
var myCert = new X509Certificate2("<path to the client cert.cer/.pfx>", "secure-password", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
X509CertificateCollection clientCerts = new X509CertificateCollection();
clientCerts.Add(myCert);
OR
var certStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine); //replace with appropriate values based on your cert configuration
certStore.Open(OpenFlags.ReadOnly);
//option 1 (ideally a client must have the cert thumbprint instead of a password
var cert = certStore.Certificates.Find(X509FindType.FindByThumbprint, "<cert Thumbprint>", false);
//option 2 (explore other options based on X509NameTypes
var cert = certStore.Certificates.OfType<X509Certificate2>()
.FirstOrDefault(cert => cert.GetNameInfo(X509NameType.DnsName, false) == "mycompany.dns.name.given in the cert");
client.ClientCertificates = new X509CertificateCollection(cert);
I recommend generate your own certificate
public static void MakeCert()
{
var ecdsa = ECDsa.Create(); // generate asymmetric key pair
var req = new CertificateRequest("cn=foobar", ecdsa, HashAlgorithmName.SHA256);
var cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(10));
// Create PFX (PKCS #12) with private key
File.WriteAllBytes("c:\\temp\\mycert.pfx", cert.Export(X509ContentType.Pfx, "P#55w0rd"));
// Create Base 64 encoded CER (public key only)
File.WriteAllText("c:\\temp\\mycert.cer",
"-----BEGIN CERTIFICATE-----\r\n"
+ Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)
+ "\r\n-----END CERTIFICATE-----");
}
and then add to request
var client = new RestClient(url);
client.ClientCertificates = new X509CertificateCollection();
client.ClientCertificates.Add(new X509Certificate2("c:\\temp\\mycert.cer"));
I need to start using SNMPv3 over DTLS with certificates from the windows certificate store in c# and from what I've seen so far, this isn't used very often at all. Unfortunately, I have no choice in the matter.
I'm working on using DTLS.NET to do the handshake. One trick is that DTLS.NETseems to want a pem file instead of an X509 Certificate from the Windows Certificate Store. I believe I've figured out how to load the cert, except the private key. The private key is not exportable, and I don't believe I can change that.
public void LoadX509Certificate(X509Certificate2 certificate)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
this._PrivateKey = DotNetUtilities.GetKeyPair(certificate.PrivateKey).Private;
this._Certificate = new Certificate
{
CertChain = new List<byte[]>() { certificate.RawData },
CertificateType = TCertificateType.X509
};
}
I believe I've figured out up to the certificate verify message and that's where it appears to need the private key.
CertificateVerify certificateVerify = new CertificateVerify();
byte[] signatureHash = _HandshakeInfo.GetHash();
certificateVerify.SignatureHashAlgorithm = new SignatureHashAlgorithm() { Signature = TSignatureAlgorithm.ECDSA, Hash = THashAlgorithm.SHA256 };
certificateVerify.Signature = TLSUtils.Sign(_PrivateKey, true, _Version, _HandshakeInfo, certificateVerify.SignatureHashAlgorithm, signatureHash);
SendHandshakeMessage(certificateVerify, false);
I can't seem to find much information in the RFCs or elsewhere that describe exactly what needs to happen here. I do know that the server can handle RSA, DSS, or ECDSA, so I left it with ECDSA since that's what DTLS.NET is using.
Do I actually need the private key to create the CertificateVerify message?
Thanks in advance!
The handshake may authenticate the client by it's certificate.
Though the certificate on it's own is "public", everyone would be able to send it and the authentication could not be granted.
Therefore the client has to proof, that he has access to the private key as well. That's why the "Certificate Verify" message is used.
If you don't have access to the private key of your public key of your certificate, a client certificate handshake is not possible.
Maybe the keystore doesn't export that private key, but offer instead a "signing" function, where that privte key is applied.
I have a non-exportable client certificate in the "client" computer's Local Computer / Personal certificates store, and I want to use this certificate for client authentication when making web requests using System.Net.Http.HttpClient.
I have tried using HttpClientHandler thus:
var subject = /* Distinctive subject name of the certificate known to exist in the store */;
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subject, true);
// Known/verifiable at this point that certificates[0] is the correct client cert
var clientHandler = new HttpClientHandler();
clientHandler.ClientCertificates.Add(certificates[0]);
using (var client = new HttpClient(clientHandler))
{
var response = await client.GetAsync(URL.Text);
var result = await response.Content.ReadAsStringAsync();
// ... etc...
}
... but the GetAsync call throws an exception with the message:
The request was aborted: Could not create SSL/TLS secure channel.
I have been able to verify that this is a client-side issue and that the correct certificate is being returned from the store.
I have tested this code against known working endpoints (which require a certificate); other clients work.
I know the certificate is valid because it is successfully used for client authentication by other client code (sources I don't currently have at my disposal)
As I understand it, I am only attaching the public portion (because it is non-exportable), so the authentication is failing. There must surely be a way to use a private, non-exportable key for such a purpose, correct? How do I do it?
i am developing very simple desktop (win forms) application, that comunicates with server via WCF service on HTTPS protocol.
Every client that use this application, can upload client certificate (unique for each client), wich shall be used to to communication.
What exactly i am trying to achieve:
1. user will "upload" certificate to my desktop application, application take the certificate and programmatically save the certificate to windows cert store, here is my code:
[SecurityCritical]
public CertificateInfoDto GetCertificateInfoAndImportToStore(string fullPath, SecureString password)
{
if (string.IsNullOrEmpty(fullPath))
{
throw new ArgumentNullException("fullPath");
}
if (!File.Exists(fullPath))
{
throw new ArgumentException(string.Concat("No file present on ", fullPath));
}
try
{
byte[] rawBytes = this.GetCertificateContent(fullPath);
var certificate = new X509Certificate2(rawBytes, password, X509KeyStorageFlags.Exportable);
this.EnsureImport(certificate);
}
// some error handling etc, and end of method.
[SecurityCritical]
private void EnsureImport(X509Certificate2 certificate)
{
X509Store store = null;
try
{
store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(certificate);
}
In my application settings file, i store only certificate serial number.
2. Now, when i have uploaded certificate to windows store, i want to use it for wcf communication, so my code looks like:
var client = new SomeWcfServiceProxy();
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySerialNumber,
certificateSerialNumber);
And finally, here is my problem, when i try to call some method on proxy, ill get an exception:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'url (i changed this)'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
But what confuses me, is that when i create proxy client like this:
var client = new SomeWcfServiceProxy();
var clientCertificate = new X509Certificate2(#"C:\U\BB\certificate.pfx", "password");
client.ClientCredentials.ClientCertificate.Certificate = clientCertificate;
Everything working like a charm!
So there is my question: I do not want to store clients certificate password anywhere, i want to once upload it via windows certificate store and then use it only from windows certificate store. Is this possible? Or i must store certificate password somewhere ( i do not know where, becouse i think it is not very secure and this certificates are very very confidential).
Thanks for any help :)
After all, i needed this:
var certificate = new X509Certificate2(rawBytes, password, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
Now certificate is imported just right and can be used for communication without any problems
I'm trying to authenticate myself against WebService using my client certificate, but, for some reasons (I explain), I don't want to load certificate from store, rather read it from disc.
The following:
// gw is teh WebService client
X509Certificate cert = new X509Certificate(PathToCertificate);
_gw.ClientCertificates.Add(ClientCertificate());
ServicePointManager.ServerCertificateValidationCallback = (a,b,c,d) => true;
_gw.DoSomeCall();
returns always 403 - the Service doesn't authorize me. But, when I save that certificate into CertStore, it works. (As stated in MSDN.)
Is it possible to use certificate not in store?
(the reason is, that I got windows service(client) sometimes calling webservice(server), and after unspecified amount of time the service 'forgets' my certificates and doesnt authorize against server, with no apparent reason)
What type of file is PathToCertificate? If it's just a .cer file, it will not contain the private key for the certificate and trying to use that certificate for SSL/TLS will fail.
However, if you have a PKCS7 or PKCS12 file that includes the public and private key for the certificate, your code will work (you might need to use the overload that takes a password if the private key has one).
To test this, I went to http://www.mono-project.com/UsingClientCertificatesWithXSP and created my client.p12 file following those instructions. I also created a simple HTTPS server using HttpListener for testing.
Then I compiled the following program into 'client.exe' and run like:
client.exe https://<MYSSLSERVER>/ client.p12 password
where client.p12 is the PKCS12 file generated before and 'password' is the password I set for the private key of the certificate.
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;
public class HttpWebRequestClientCertificateTest : ICertificatePolicy {
public bool CheckValidationResult (ServicePoint sp, X509Certificate certificate,
WebRequest request, int error)
{
return true; // server certificate's CA is not known to windows.
}
static void Main (string[] args)
{
string host = "https://localhost:1234/";
if (args.Length > 0)
host = args[0];
X509Certificate2 certificate = null;
if (args.Length > 1) {
string password = null;
if (args.Length > 2)
password = args [2];
certificate = new X509Certificate2 (args[1], password);
}
ServicePointManager.CertificatePolicy = new HttpWebRequestClientCertificateTest ();
HttpWebRequest req = (HttpWebRequest) WebRequest.Create (host);
if (certificate != null)
req.ClientCertificates.Add (certificate);
WebResponse resp = req.GetResponse ();
Stream stream = resp.GetResponseStream ();
StreamReader sr = new StreamReader (stream, Encoding.UTF8);
Console.WriteLine (sr.ReadToEnd ());
}
}
Let me know if you want me to upload the server code and the certificates used on both sides of the test.
The potential problem could be caching of SSL sessions (Schannel cache). Only first request negotiates the SSL handshake. Subsequent requests will use the same session ID and hope that the server accept it. If the server clears the SessionId, the requests will fail with 403 error. To disable local ssl session caching (and force SSL negotiation for each request) you have to open windows registry folder:
[HKEY_LOCAL_MACHINE][System][CurrentControlSet][Control][SecurityProviders][SCHANNEL]
and add the key named ClientCacheTime (DWORD) with value 0.
This issue is covered here:
http://support.microsoft.com/?id=247658
You have the potential for at least two problems...
First...
Your client certificate file cannot contain a private key unless it's accessed with a password. You should be using a PKCS #12 (*.pfx) certificate with a password so that your client has access to the private key. You client code will have to provide the password when opening the certificate as others have already posted. There are several ways to create this, the easiest is to use the following command-line to first generate the certificate, then use the MMC certificate manager to export the certificates private key:
Process p = Process.Start(
"makecert.exe",
String.Join(" ", new string[] {
"-r",// Create a self signed certificate
"-pe",// Mark generated private key as exportable
"-n", "CN=" + myHostName,// Certificate subject X500 name (eg: CN=Fred Dews)
"-b", "01/01/2000",// Start of the validity period; default to now.
"-e", "01/01/2036",// End of validity period; defaults to 2039
"-eku",// Comma separated enhanced key usage OIDs
"1.3.6.1.5.5.7.3.1," +// Server Authentication (1.3.6.1.5.5.7.3.1)
"1.3.6.1.5.5.7.3.2", // Client Authentication (1.3.6.1.5.5.7.3.2)
"-ss", "my",// Subject's certificate store name that stores the output certificate
"-sr", "LocalMachine",// Subject's certificate store location.
"-sky", "exchange",// Subject key type <signature|exchange|<integer>>.
"-sp",// Subject's CryptoAPI provider's name
"Microsoft RSA SChannel Cryptographic Provider",
"-sy", "12",// Subject's CryptoAPI provider's type
myHostName + ".cer"// [outputCertificateFile]
})
);
Second...
Your next problem is going to be server-side. The server has to allow this certificate. You have the right logic, but on the wrong side of the wire, move this line to the web server handling the request. If you cannot, you must then take the '.cer' file saved above to the server and add it to the server computer's trust list:
ServicePointManager.ServerCertificateValidationCallback = (a,b,c,d) => true;
Do you need a password for the certificate? If so, there is a field for it in the constructor.
X509Certificate cert = new X509Certificate(PathToCertificate,YourPassword);