Capturing a Client Cert and Passing it to a Secure Web Service

hepsubah

I'm trying to capture a client cert in my ASP.NET application, and use
that cert as the client cert for a call to a secure web service.

I've used the following code, but am getting a 403 error on the
invocation of the service. All the service is supposed to do is
return the subject of the passed cert (I'll do more with it later).

-----------------------------------------------------------------------------------------------------------------------------------------
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // Capture the client certificate presented on the inbound TLS session
    HttpClientCertificate cs = Request.ClientCertificate;
    string svcres;

    try
    {
        // Create an X509 cert object from the DER bytes of the client cert
        X509Certificate x509 = new X509Certificate(cs.Certificate);

        // Instantiate the service proxy
        TestCertService.Service ts = new TestCertService.Service();

        // Add the captured cert as the outbound client certificate
        ts.ClientCertificates.Add(x509);

        // Invoke the service
        svcres = ts.CertSubject();

        Response.Write("<br><br><br>Cert from Service<br>");
        Response.Write("-------------------------------------------------------<br>");
        Response.Write("Subject = " + svcres + "<br>");
    }
    catch (Exception ex)
    {
        if (ex is WebException)
        {
            WebException we = ex as WebException;
            Response.Write("WebError Invoking Service = Message:" + we.Message + "<br>");
        }
        else
        {
            Response.Write("Error Invoking Service = Message:" + ex.Message + "<br>");
        }
    }
}
-------------------------------------------------------------------------------------------------------------------------------------------------

Is this approach sound?

Is this a security issue?

Any help would be appreciated.

Joe Kaplan

It doesn't work that way. SSL client certificate authentication involves
the client with the client certificate signing part of the request with the
private key for the certificate in question in order to assert ownership of
the private key for the certificate. You won't have that private key on the
server side of the request, so you can't "forward" or "delegate" the user's
client certificate authentication to another service.

If you want to do delegation, you probably need to look at an authentication
protocol that supports delegation like Kerberos.

Joe K.
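
The following C# helper is an added illustration of Joe's point, not code from the thread or from the TestCertService project. It assumes the standard ASP.NET HttpClientCertificate and X509Certificate2 types: the bytes in Request.ClientCertificate.Certificate are the DER-encoded public certificate only, so HasPrivateKey is never true for a cert built from them, and a certificate without its private key cannot complete TLS client authentication on the outbound call.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example, not from the thread. Shows that the certificate captured from
// the inbound TLS session is public material only and therefore cannot serve as
// the client certificate for an outbound call.
public static class CapturedClientCert
{
    // Returns the caller's certificate as presented to IIS, or null if none was
    // negotiated or IIS did not consider it valid.
    public static X509Certificate2 FromRequest(HttpRequest request)
    {
        HttpClientCertificate cc = request.ClientCertificate;
        if (!cc.IsPresent || !cc.IsValid)
            return null;

        // cc.Certificate is the DER-encoded certificate: subject, issuer, public
        // key and CA signature. The private key never leaves the browser's key store.
        return new X509Certificate2(cc.Certificate);
    }

    // TLS client authentication requires the private key to sign the handshake
    // (the CertificateVerify message). Without it the downstream server receives
    // a certificate the middle tier cannot prove it owns, hence the 403.
    public static bool CanActAsClientCert(X509Certificate2 cert)
    {
        return cert != null && cert.HasPrivateKey;
    }

    // The subject is already available locally; the service in the thread could
    // only ever echo back this same public data.
    public static string SubjectOf(X509Certificate2 cert)
    {
        return cert == null ? null : cert.Subject;
    }

    // Guard to call before attaching anything to an outbound proxy's ClientCertificates.
    public static string Describe(X509Certificate2 cert)
    {
        if (cert == null)
            return "No valid client certificate on this request.";
        return CanActAsClientCert(cert)
            ? "Certificate has a private key; usable for outbound client auth: " + cert.Subject
            : "Captured certificate is public-only (no private key); it cannot be forwarded: " + cert.Subject;
    }
}
```

In Page_Load, `CapturedClientCert.Describe(CapturedClientCert.FromRequest(Request))` will always report the public-only case for a cert taken from the inbound request, which is exactly why attaching it to `ts.ClientCertificates` fails.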

hepsubah

Thanks