I have ASP.NET MVC web site which I configured to authenticate through Active Directory Federation Service. Everything worked fine until I tried to enable token encryption. As usual, I created one more self-signed certificate on IIS, added it to Trusted Root authorities on my web server and ADFS server and run application to veryfy how it works.
My application correctly redirected me to ADFS service page to enter credentials. But when I submit my login and password, I immediately get "An error occured" message on the same login page with not very useful details section:
Activity ID: 00000000-0000-0000-b039-0080010000e4
Relying party: [My relying party name]
Error time: Fri, 21 Oct 2016 18:48:24 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
I don't get redirected to my web site after that and Network panel doesn't contain any requests.
But I discovered, that if I add the following setting into my web site's web.config, it starts working again:
<certificateValidation certificateValidationMode="None" />
So the error must be related to the fact that my certificate is self-signed. But I have added it to trusted root authorities both on web server and ADFS server (as well as few other "suspicious" certificates).
Does anybody have an idea what could be missing and what can I do to make my test environment work with self-signed certificates, while validating certificate chain?
It appeared that to resolve an error it was enough to add ADFS Token Signing certificate as Trusted Root Certification Authority on my web server.
PS: I'm not sure why token signing certificate chain validation didn't raise errors when encryption was disabled and what relation does it have to encryption at all, but the fact is that it helped for both environments we've used for testing.
I do something similar with an api handler that acts as a pass through and must interrogate certs.
Something that may help your troubleshooting.
Set the cert validation callback to something like:
// validate server cert
ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertificate;
Then in the validation method you can interrogate the chain:
private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
// default validation bool to false
var isValid = false;
// If the certificate is a valid, signed certificate, return true to short circuit any add'l processing.
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true;
}
else
{
// cast cert as v2 in order to expose thumbprint prop
var requestCertificate = (X509Certificate2)certificate;
// init string builder for creating a long log entry
var logEntry = new StringBuilder();
// capture initial info for the log entry
logEntry.AppendFormat("Certificate Validation Error - SSL Policy Error: {0} - Cert Issuer: {1} - SubjectName: {2}",
sslPolicyErrors.ToString(),
requestCertificate.Issuer,
requestCertificate.SubjectName.Name);
//init special builder for thumprint mismatches
var thumbprintMismatches = new StringBuilder();
// load valid certificate thumbs for comparison later
var validThumbprints = new string[] { "thumbprint A", "thumbprint N" };
// else if a cert name mismatch then assume api pass thru issue and verify thumb print
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch)
{
// compare thumbprints
var hasMatch = validThumbprints.Contains(requestCertificate.Thumbprint, StringComparer.OrdinalIgnoreCase);
// if match found then we're valid so clear builder and set global valid bool to true
if (hasMatch)
{
thumbprintMismatches.Clear();
isValid = true;
}
// else thumbprint did not match so append to the builder
else
{
thumbprintMismatches.AppendFormat("|Thumbprint mismatch - Issuer: {0} - SubjectName: {1} - Thumbprint: {2}",
requestCertificate.Issuer,
requestCertificate.SubjectName.Name,
requestCertificate.Thumbprint);
}
}
// else if chain issue, then iterate over the chain and attempt find a matching thumbprint
else if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors) //Root CA problem
{
// check chain status and log
if (chain != null && chain.ChainStatus != null)
{
// check errors in chain and add to log entry
foreach (var chainStatus in chain.ChainStatus)
{
logEntry.AppendFormat("|Chain Status: {0} - {1}", chainStatus.Status.ToString(), chainStatus.StatusInformation.Trim());
}
// check for thumbprint mismatches
foreach (var chainElement in chain.ChainElements)
{
// compare thumbprints
var hasMatch = validThumbprints.Contains(chainElement.Certificate.Thumbprint, StringComparer.OrdinalIgnoreCase);
// if match found then we're valid so break, clear builder and set global valid bool to true
if (hasMatch)
{
thumbprintMismatches.Clear();
isValid = true;
break;
}
// else thumbprint did not match so append to the builder
else
{
thumbprintMismatches.AppendFormat("|Thumbprint mismatch - Issuer: {0} - SubjectName: {1} - Thumbprint: {2}",
chainElement.Certificate.Issuer,
chainElement.Certificate.SubjectName.Name,
chainElement.Certificate.Thumbprint);
}
}
}
}
// if still invalid and thumbprint builder has items, then continue
if (!isValid && thumbprintMismatches != null && thumbprintMismatches.Length > 0)
{
// append thumbprint entries to the logentry as well
logEntry.Append(thumbprintMismatches.ToString());
}
// log as WARN here and not ERROR - if method ends up returning false then it will bubble up and get logged as an ERROR
LogHelper.Instance.Warning((int)ErrorCode.CertificateValidation, logEntry.ToString().Trim());
}
// determine env
var isDev = EnvironmentHelper.IsDevelopment();
var isTest = EnvironmentHelper.IsTest();
// if env is dev or test then ignore cert errors and return true (reference any log entries created from logic above for troubleshooting)
if (isDev || isTest)
isValid = true;
return isValid;
}
NOTE: you'll need to disable/change some of the custom code - thumbprint stuff, logging etc.
Adding certificates to your CA trusted store only mean you trust the issuer of the certificate, which is the certificate itself in this case because it is a self-signed certificate. What is missing is that certificate validation performs chain-check and revocation check and either one of the two check failed for you. Please note that even if you trust a certificate, it still could have been revoked recently and thus shouldn't no longer be trusted. Therefore, revocation check is always necessary. For testing, disabling revocation check is one way. One ADFS side, you can disable revocation check per relying party. If the check happens on your own code, you can either disable check totally or use Stinky Towel's code to selectively allow some certificates only.
Related
I have managed to figure out if a cert in a x509Certificate2Collection is a certificate authority cert but how can I safely determine if it's a Root cert or an Intermediate cert please? Is the following safe enough?
var collection = new X509Certificate2Collection();
collection.Import("test.pfx", "password", X509KeyStorageFlags.PersistKeySet);
foreach (X509Certificate2 cert in collection)
{
var basicConstraintExt = cert.Extensions["2.5.29.19"] as X509BasicConstraintsExtension;
if (basicConstraintExt != null)
{
Log.Debug($" Subject is: '{cert.Subject}'");
Log.Debug($" Issuer is: '{cert.Issuer}'");
if (basicConstraintExt.CertificateAuthority)
{
Log.Debug("I am a CA Cert.");
if (cert.Subject == cert.Issuer)
{
Log.Debug("My Subject matches Issuer.");
}
else
{
Log.Debug("My Subject does not match Issuer.");
}
Log.Debug(cert.Verify() ? "I verify" : "I do not verify");
}
else
{
Log.Debug("I am not a CA Cert.");
}
}
}
Results:
Displaying Cert #1 in collection
********************************
Subject is: 'CN=Intermediate-CA, DC=test, DC=lan'
Issuer is: 'CN=Root-CA, DC=test, DC=lan'
- I am a CA Cert.
- My Subject does not match Issuer.
- I do not verify
Displaying Cert #2 in collection
********************************
Subject is: 'CN=Root-CA, DC=test, DC=lan'
Issuer is: 'CN=Root-CA, DC=test, DC=lan'
- I am a CA Cert.
- My Subject matches Issuer.
- I do not verify
Not sure if this helps with Kestrel, but I would try the code below.
We will use X509Chain class to construct and validate the chain.
var collection = new X509Certificate2Collection();
collection.Import("test.pfx", "password");
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(collection);
// untrusted root error raise false-positive errors, for example RevocationOffline
// so skip possible untrusted root chain error.
chain.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority;
// revocation checking is client's responsibility. Skip it.
chain.RevocationMode = X509VerificationFlags.NoCheck;
// build the chain.
Boolean isValid = chain.Build(collection[0]);
// explore chain.ChainElements collection. First item should be your leaf
// certificate and last item should be root certificate
All this stuff is located in System.Security.Cryptography.X509Certificates namespace. In this code piece, I'm assuming that first certificate in PFX is leaf certificate (it is in 99% cases unless someone tries to ignore standards). By exploring chain.ChainElements collection, you can find issues with every certificate in the chain.
Currently I am working in POC with CRUD operations using AmazonS3 Sdk for .net 3.5 version 3. I am trying to retrieve the Region Endpoint(Location) of the specific bucket name using secret key and Access Key and bucket name( has Location: EU (Frankfurt) (eu-central-1)). in order to establish connection
with AmazonS3 and perform CRUD operations
So I get the A WebException with status TrustFailure was thrown when I tried to get the Region Endpoint from share point(web page I create my own page using the master page of SharePoint) in order to create AmazonS3Client instance with Region Retrieve.
with the following code:
private string defaultAmazonHttpsHost = "https://s3.amazonaws.com";
private string defaultAmazonHttpHost = "http://s3.amazonaws.com";
private Amazon.RegionEndpoint GetRegionEndpoint(string bucket, BasicAWSCredentials amazonCredentials, bool useSSL)
{
Amazon.RegionEndpoint regiongEndpoint = null;
AmazonS3Config configurationClient = new AmazonS3Config();
configurationClient.UseHttp = !useSSL;
configurationClient.ServiceURL = useSSL ? defaultAmazonHttpsHost : defaultAmazonHttpHost;
try
{
using (AmazonS3Client clientConnection = new AmazonS3Client(amazonCredentials, configurationClient))
{
GetBucketLocationRequest locationRequest = new GetBucketLocationRequest();
locationRequest.BucketName = bucket;
string locationName = clientConnection.GetBucketLocation(locationRequest).Location.Value;
if (locationName.Equals("EU", StringComparison.InvariantCultureIgnoreCase))
{
regiongEndpoint = Amazon.RegionEndpoint.EUWest1;
}
else if (string.IsNullOrEmpty(locationName))
{
regiongEndpoint = Amazon.RegionEndpoint.USEast1;
}
else
{
regiongEndpoint = Amazon.RegionEndpoint.GetBySystemName(locationName);
}
}
}
catch (AmazonS3Exception amazonS3Exception)
{
throw amazonS3Exception;
}
catch (Exception unExpectedException)
{
throw unExpectedException;
}
return regiongEndpoint;
}
BasicAWSCredentials credentials = new BasicAWSCredentials("my access Key", "my secret key");
AmazonS3Config configurationAmazon = new AmazonS3Config();
configurationAmazon.RegionEndpoint = GetRegionEndpoint("bucketName", credentials, false);
AmazonS3Client _s3 = new AmazonS3Client(credentials, configurationAmazon );
My task Perform CRUD operations + test connection with AmazonS3 Sdk .net 3.5 version 3 , with the source information :
-secret key
- access key
- bucket Name
the strange is if this part code run(execute) since another Project (without share point interaction for example: Console Project) I do not get this exception) Do you know what is the problem?
I used the following before execute any request to amazonS3 and now it works as expected I think the problem was with the certificates that sharepoint is using .
ServicePointManager.ServerCertificateValidationCallback +=
delegate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return true;
};
the post provide a explanation about it
The key point here is "TrustFailure". There's something wrong with the certificate. In my case, this error was caused because my company uses Websense, a web filter/security suite that intercepts and reissues https certificates for web traffic so it can spy on you. Even if you don't use anything like that, the bottom line is that your computer doesn't trust the issuer of the certificate being used by the remote computer. The server on which I was receiving this error did not have the correct certificate in its Trusted Root Certification Authorities. After importing the correct trusted root cert (Add trusted root certificate authority to local computer), I no longer received the error.
If you don't think this is the case, you can get more details on what the exception is by either writing the details to console or putting a breakpoint on the Console.WriteLine here and actually inspect the certificate and ssl errors:
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
.....
.....
//before you make the request
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
delegate (
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
Console.WriteLine("Subject: " + certificate.Subject + ", Issuer: " + certificate.Issuer + ". SSL Errors: " + sslPolicyErrors.ToString());
return false;
};
The key point here is that you need to find the certificate issue and resolve it instead of leaving yourself vulnerable by ignoring all ssl errors.
TrustFailure can also be caused by the date being incorrect on the machine.
My C#.NET SSL connect works when I import the certificate manually in IE (Tools/Internet Options/Content/Certificates), but how can I load the certificate by code?
Here is my code:
TcpClient client = new TcpClient(ConfigManager.SSLSwitchIP, Convert.ToInt32(ConfigManager.SSLSwitchPort));
SslStream sslStream = new SslStream(
client.GetStream(),
false,
new RemoteCertificateValidationCallback(ValidateServerCertificate),
null
);
sslStream.AuthenticateAsClient("Test");
The above code works fine if i import my certificate file manually in Internet Explorer. But if i remove my certificate from IE and use the following code instead, i get Authentication exception:
sslStream.AuthenticateAsClient("Test", GetX509CertificateCollection(), SslProtocols.Default, false);
and here is the 'GetX509CertificateCollection' method :
public static X509CertificateCollection GetX509CertificateCollection()
{
X509Certificate2 certificate1 = new X509Certificate2("c:\\ssl.txt");
X509CertificateCollection collection1 = new X509CertificateCollection();
collection1.Add(certificate1);
return collection1;
}
What should I do to load my certificate dynamically?
To build upon owlstead's answer, here's how I use a single CA certificate and a custom chain in the verification callback to avoid Microsoft's store.
I have not figured out how to use this chain (chain2 below) by default such that there's no need for the callback. That is, install it on the ssl socket and the connection will "just work". And I have not figured out how install it such that its passed into the callback. That is, I have to build the chain for each invocation of the callback. I think these are architectural defects in .Net, but I might be missing something obvious.
The name of the function does not matter. Below, VerifyServerCertificate is the same callback as RemoteCertificateValidationCallback. You can also use it for the ServerCertificateValidationCallback in ServicePointManager.
static bool VerifyServerCertificate(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
try
{
String CA_FILE = "ca-cert.der";
X509Certificate2 ca = new X509Certificate2(CA_FILE);
X509Chain chain2 = new X509Chain();
chain2.ChainPolicy.ExtraStore.Add(ca);
// Check all properties
chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
// This setup does not have revocation information
chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// Build the chain
chain2.Build(new X509Certificate2(certificate));
// Are there any failures from building the chain?
if (chain2.ChainStatus.Length == 0)
return true;
// If there is a status, verify the status is NoError
bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
Debug.Assert(result == true);
return result;
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
return false;
}
A quick Google pointed me to a piece of text from the Microsoft SslStream class.
The authentication is handled by the Security Support Provider (SSPI)
channel provider. The client is given an opportunity to control
validation of the server's certificate by specifying a
RemoteCertificateValidationCallback delegate when creating an
SslStream. The server can also control validation by supplying a
RemoteCertificateValidationCallback delegate. The method referenced by
the delegate includes the remote party's certificate and any errors
SSPI encountered while validating the certificate. Note that if the
server specifies a delegate, the delegate's method is invoked
regardless of whether the server requested client authentication. If
the server did not request client authentication, the server's
delegate method receives a null certificate and an empty array of
certificate errors.
So simply implement the delegate and do the verification yourself.
I wrote another method to add my certificate to Trusted Root Certification Authorities (root) before attempting to authenticate as client via SSLStream object:
public static void InstallCertificate()
{
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
string fileName = "sslcert.pem";
X509Certificate2 certificate1;
try
{
certificate1 = new X509Certificate2(fileName);
}
catch (Exception ex)
{
throw new Exception("Error loading SSL certificate file." + Environment.NewLine + fileName);
}
store.Add(certificate1);
store.Close();
}
And then:
InstallCertificate();
sslStream.AuthenticateAsClient("Test");
It works fine without any warnings or errors. But base question still remains unsolved:
How can I use a certificate to authenticate as client without installing it in Windows?
I have a Windows certification authority that I am using to issue client authentication certificates via .net / c#. I have been able to successfully get it to issue certificates programmatically by calling the certification authority's API through COM. I issue a new certificate when I set up a client.
At runtime, these clients attach the certificates to requests to my server. How can I verify programmatically that an X509Certificate2 was signed by the root certificate of my certificate authority (and reject certificates signed by any other source)?
I've done this a lot. Here's some easy code you can use.
The part in the if (!isChainValid) block is to make a pretty error message. You don't have to use that if you don't want, but you should throw an error if the chain cannot be built. The chain elements are necessary to check for your root.
X509Certificate2 authority = GetAuthorityCertificate();
X509Certificate2 certificateToValidate = GetCertificateToValidate();
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
// This part is very important. You're adding your known root here.
// It doesn't have to be in the computer store at all. Neither certificates do.
chain.ChainPolicy.ExtraStore.Add(authority);
bool isChainValid = chain.Build(certificateToValidate);
if (!isChainValid)
{
string[] errors = chain.ChainStatus
.Select(x => String.Format("{0} ({1})", x.StatusInformation.Trim(), x.Status))
.ToArray();
string certificateErrorsString = "Unknown errors.";
if (errors != null && errors.Length > 0)
{
certificateErrorsString = String.Join(", ", errors);
}
throw new Exception("Trust chain did not complete to the known authority anchor. Errors: " + certificateErrorsString);
}
// This piece makes sure it actually matches your known root
var valid = chain.ChainElements
.Cast<X509ChainElement>()
.Any(x => x.Certificate.Thumbprint == authority.Thumbprint);
if (!valid)
{
throw new Exception("Trust chain did not complete to the known authority anchor. Thumbprints did not match.");
}
You can also use the built in method Verify() for X509Certificate2.
X509Certificate2 certificateToValidate = GetCertificateToValidate();
bool valid = certificateToValidate.Verify()
https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.verify.aspx
If you say you have a root (which is self-signed) certificate, then your only option is to keep this root certificate available on your server (without the private key of course) and perform certificate validation procedure against your root certificate. This is a mirrored situation to the web client validating server certificate chain.
Apparently I was asking the wrong question in my earlier post. I have a web service secured with a X.509 certificate, running as a secure web site (https://...). I want to use the client's machine certificate (also X.509) issued by the company's root CA to verify to the server that the client machine is authorized to use the service. In order to do this, I need to inspect the certificate and look for some identifying feature and match that to a value stored in a database (maybe the Thumbprint?).
Here is the code I use to get the certificate from the local certificate store (lifted straight from http://msdn.microsoft.com/en-us/magazine/cc163454.aspx):
public static class SecurityCertificate
{
private static X509Certificate2 _certificate = null;
public static X509Certificate2 Certificate
{
get { return _certificate; }
}
public static bool LoadCertificate()
{
// get thumbprint from app.config
string thumbPrint = Properties.Settings.Default.Thumbprint;
if ( string.IsNullOrEmpty( thumbPrint ) )
{
// if no thumbprint on file, user must select certificate to use
_certificate = PickCertificate( StoreLocation.LocalMachine, StoreName.My );
if ( null != _certificate )
{
// show certificate details dialog
X509Certificate2UI.DisplayCertificate( _certificate );
Properties.Settings.Default.Thumbprint = _certificate.Thumbprint;
Properties.Settings.Default.Save();
}
}
else
{
_certificate = FindCertificate( StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, thumbPrint );
}
if ( null == _certificate )
{
MessageBox.Show( "You must have a valid machine certificate to use STS." );
return false;
}
return true;
}
private static X509Certificate2 PickCertificate( StoreLocation location, StoreName name )
{
X509Store store = new X509Store( name, location );
try
{
// create and open store for read-only access
store.Open( OpenFlags.ReadOnly );
X509Certificate2Collection coll = store.Certificates.Find( X509FindType.FindByIssuerName, STSClientConstants.NBCCA, true );
if ( 0 == coll.Count )
{
MessageBox.Show( "No valid machine certificate found - please contact tech support." );
return null;
}
// pick a certificate from the store
coll = null;
while ( null == coll || 0 == coll.Count )
{
coll = X509Certificate2UI.SelectFromCollection(
store.Certificates, "Local Machine Certificates",
"Select one", X509SelectionFlag.SingleSelection );
}
// return first certificate found
return coll[ 0 ];
}
// always close the store
finally { store.Close(); }
}
private static X509Certificate2 FindCertificate( StoreLocation location, StoreName name, X509FindType findType, string findValue )
{
X509Store store = new X509Store( name, location );
try
{
// create and open store for read-only access
store.Open( OpenFlags.ReadOnly );
// search store
X509Certificate2Collection col = store.Certificates.Find( findType, findValue, true );
// return first certificate found
return col[ 0 ];
}
// always close the store
finally { store.Close(); }
}
Then, I attach the certificate to the outbound stream thusly:
public static class ServiceDataAccess
{
private static STSWebService _stsWebService = new STSWebService();
public static DataSet GetData(Dictionary<string,string> DictParam, string action)
{
// add the machine certificate here, the first web service call made by the program (only called once)
_stsWebService.ClientCertificates.Add( SecurityCertificate.Certificate );
// rest of web service call here...
}
}
My question is this -- how do I "get" the certificate in the web service code? Most sample code snippets I have come across that cover how to do custom validation have a GetCertificate() call in there, apparently assuming that part is so easy everyone should know how to do it?
My main class inherits from WebService, so I can use Context.Request.ClientCertificate to get a certificate, but that's an HttpClientCertificate, not an X509Certificate2. HttpContext gives me the same result. Other approaches all use web configuration code to call pre-defined verification code, with no clue as to how to call a custom C# method to do the verification.
I recall doing something similar, its been awhile but, have you tried this in your web service:
X509Certificate2 cert = new X509Certificate2(Context.Request.ClientCertificate.Certificate);
On the subject of how to tie the certificate back to a user, so assuming the identity of the user associated with the key is good (as the certificate has been verified back to a trusted root and has not been revoked) then you need to tie the identity claimed by the cert to a user. You could just use the LDAP string form of the subject DN and look that up (cn=Username,ou=Department...) to determine the local ID. This is resiliant in the case the user re-generates their key/certificate say because of a card loss or natural expiry of the certificate. This relies on the fact that two CAs won't issue two certs with the same subject name to two different people.
If the certificate was issued by a MS CA it might have a UPN in it that is effectively a domain logon name.
Alternatively if you want to tie the user's identity to an actual certificate the usual method is to store the issuer name and certificate serial number. CAs must issue unique serial numbers for each certificate. Note serial numbers can be large depending on the CA. Not however that using this method then means the cert details in the database must be updated every time the user cert is re-issued.