Capturing a Client Cert and Passing it to a Secure Web Service

hepsubah
Guest
Posts: n/a
 
      08-28-2007
I'm trying to capture a client cert in my ASP.NET application, and use
that cert as the client cert for a call to secure web service.

I've used the following code, but am getting a 403 error on the
invocation of the service. All the service is supposed to do is
return the subject of the passed cert (I'll do more with it later)

-----------------------------------------------------------------------------------------------------------------------------------------
// Requires: using System.Net; using System.Security.Cryptography.X509Certificates;
protected void Page_Load(object sender, EventArgs e)
{
    // Capture Client Certificate
    HttpClientCertificate cs = Request.ClientCertificate;
    string svcres;

    try
    {
        // Create X509 Cert from Client Cert (public certificate bytes only)
        X509Certificate x509 = new X509Certificate(cs.Certificate);

        // Instantiate the Service
        TestCertService.Service ts = new TestCertService.Service();

        // Add the Captured Cert
        ts.ClientCertificates.Add(x509);

        // Invoke the Service
        svcres = ts.CertSubject();

        Response.Write("<br><br><br>Cert from Service<br>");
        Response.Write("-------------------------------------------------------<br>");
        Response.Write("Subject = " + svcres + "<br>");
    }
    catch (Exception ex)
    {
        if (ex is WebException)
        {
            WebException we = ex as WebException;
            Response.Write("WebError Invoking Service = Message:" + we.Message + "<br>");
        }
        else
        {
            Response.Write("Error Invoking Service = Message:" + ex.Message + "<br>");
        }
    }
}
-------------------------------------------------------------------------------------------------------------------------------------------------

Is this approach sound?

Is this a security issue?

Any help would be appreciated

 
Joe Kaplan
Guest
Posts: n/a
 
      08-28-2007
It doesn't work that way. SSL client certificate authentication involves
the client with the client certificate signing part of the request with the
private key for the certificate in question in order to assert ownership of
the private key for the certificate. You won't have that private key on the
server side of the request, so you can't "forward" or "delegate" the user's
client certificate authentication to another service.

If you want to do delegation, you probably need to look at an authentication
protocol that supports delegation like Kerberos.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
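The point made in the reply above, as an added example that is not code from the thread: the certificate bytes the web tier captures carry only the public key, so the web tier cannot produce the signature a TLS client has to make. The class and method names, the constructed self-signed certificate, and the `Transcript` stand-in for the handshake data are assumptions; `CertificateRequest` needs .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class ClientCertForwardingDemo
{
    // Stand-in for the handshake data the TLS client must sign (constructed value).
    static readonly byte[] Transcript = Encoding.ASCII.GetBytes("constructed-handshake-transcript");

    // Returns a signature over the transcript, or null when the certificate
    // object carries no private key and so cannot prove possession.
    static byte[] TryProvePossession(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return null;
        using (RSA key = cert.GetRSAPrivateKey())
            return key.SignData(Transcript, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        using (RSA userKey = RSA.Create(2048))
        {
            // The browser user's certificate and key (self-signed, constructed for the demo).
            var req = new CertificateRequest("CN=Demo User", userKey,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 userCert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            // What the web tier receives in the handshake: the DER certificate only.
            using (X509Certificate2 captured = new X509Certificate2(userCert.RawData))
            {
                byte[] fromUser = TryProvePossession(userCert);
                byte[] fromWebTier = TryProvePossession(captured);

                // The back-end service checks the signature against the certificate's public key.
                using (RSA pub = captured.GetRSAPublicKey())
                {
                    bool userOk = pub.VerifyData(Transcript, fromUser,
                        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    Console.WriteLine("Same subject on both: " + (userCert.Subject == captured.Subject));
                    Console.WriteLine("User can sign: " + userOk);
                    Console.WriteLine("Web tier has private key: " + captured.HasPrivateKey);
                    Console.WriteLine("Web tier can sign: " + (fromWebTier != null));
                }
            }
        }
    }
}
```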



 
hepsubah
Guest
Posts: n/a
 
      08-28-2007
On Aug 28, 3:08 pm, "Joe Kaplan"
<(E-Mail Removed)> wrote:
> It doesn't work that way. SSL client certificate authentication involves
> the client with the client certificate signing part of the request with the
> private key for the certificate in question in order to assert ownership of
> the private key for the certificate. You won't have that private key on the
> server side of the request, so you can't "forward" or "delegate" the user's
> client certificate authentication to another service.
>
> If you want to do delegation, you probably need to look at an authentication
> protocol that supports delegation like Kerberos.
>
> Joe K.

Thanks

 