Capturing a Client Cert and Passing it to a Secure Web Service

Discussion in 'ASP .Net' started by hepsubah, Aug 28, 2007.

  1. hepsubah

    hepsubah Guest

    I'm trying to capture a client cert in my ASP.NET application, and use
    that cert as the client cert for a call to a secure web service.

    I've used the following code, but am getting a 403 error on the
    invocation of the service. All the service is supposed to do is
    return the subject of the passed cert (I'll do more with it later)

    -----------------------------------------------------------------------------------------------------------------------------------------
    // Needs: using System.Net; using System.Security.Cryptography.X509Certificates;
    protected void Page_Load(object sender, EventArgs e)
    {
        // Capture the client certificate presented on the incoming request
        HttpClientCertificate cs = Request.ClientCertificate;
        string svcres;

        try
        {
            // Create an X509 cert from the raw bytes of the client cert
            X509Certificate x509 = new X509Certificate(cs.Certificate);

            // Instantiate the service
            TestCertService.Service ts = new TestCertService.Service();

            // Add the captured cert
            ts.ClientCertificates.Add(x509);

            // Invoke the service
            svcres = ts.CertSubject();

            Response.Write("<br><br><br>Cert from Service<br>");
            Response.Write("-------------------------------------------------------<br>");
            Response.Write("Subject = " + svcres + "<br>");
        }
        catch (Exception ex)
        {
            if (ex is WebException)
            {
                WebException we = ex as WebException;

                Response.Write("WebError Invoking Service = Message:"
                    + we.Message + "<br>");
            }
            else
            {
                Response.Write("Error Invoking Service = Message:" +
                    ex.Message + "<br>");
            }
        }
    }
    -------------------------------------------------------------------------------------------------------------------------------------------------

    Is this approach sound?

    Is this a security issue?

    Any help would be appreciated
     
    hepsubah, Aug 28, 2007
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    It doesn't work that way. SSL client certificate authentication involves
    the client with the client certificate signing part of the request with the
    private key for the certificate in question in order to assert ownership of
    the private key for the certificate. You won't have that private key on the
    server side of the request, so you can't "forward" or "delegate" the user's
    client certificate authentication to another service.

    If you want to do delegation, you probably need to look at an authentication
    protocol that supports delegation like Kerberos.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Aug 28, 2007
    #2
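
Added example, not part of the original thread and not either poster's code: a C# console program showing the point made in reply #2, that the certificate a server captures from a request carries no private key and so cannot answer the proof-of-possession step when presented to a second service. The certificate is a constructed self-signed one, random bytes stand in for the handshake data, `CanAuthenticateWith` is a hypothetical helper, and the code assumes a current .NET runtime (`CertificateRequest`) rather than the 2007-era framework.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertForwardingDemo
{
    // Guard a middle tier can run before adding a certificate to an outgoing
    // request: without the private key it cannot answer the TLS handshake.
    public static bool CanAuthenticateWith(X509Certificate2 cert) => cert.HasPrivateKey;

    public static void Main()
    {
        // Constructed stand-in for the user's certificate on the user's machine.
        using RSA userKey = RSA.Create(2048);
        var request = new CertificateRequest("CN=Constructed Test User", userKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 onClient = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        // What the web server holds after the handshake: the public certificate
        // bytes only, the same kind of data Request.ClientCertificate.Certificate exposes.
        byte[] publicDer = onClient.Export(X509ContentType.Cert);
        using var onServer = new X509Certificate2(publicDer);

        Console.WriteLine("Same subject on server:   " + (onServer.Subject == onClient.Subject));
        Console.WriteLine("Client can authenticate:  " + CanAuthenticateWith(onClient));
        Console.WriteLine("Server can authenticate:  " + CanAuthenticateWith(onServer));

        // Proof of possession: the downstream service expects a signature over
        // handshake data (random bytes stand in for it here).
        byte[] handshakeData = new byte[32];
        RandomNumberGenerator.Fill(handshakeData);

        byte[] signature = userKey.SignData(handshakeData,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using RSA publicKey = onServer.GetRSAPublicKey();
        Console.WriteLine("User's signature verifies: " + publicKey.VerifyData(
            handshakeData, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

        // The middle tier has nothing to sign with, so it cannot repeat that step.
        using RSA middleTierKey = onServer.GetRSAPrivateKey();
        Console.WriteLine("Middle tier has a signing key: " + (middleTierKey != null));
    }
}
```

The same `HasPrivateKey` check can be run as a guard before a certificate is added to a proxy's `ClientCertificates` collection.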

  3. hepsubah

    hepsubah Guest

    Thanks
     
    hepsubah, Aug 28, 2007
    #3
