Welcome Guest Search | Active Topics | Sign In | Register

Essential Objects Product Support Forum » All Products » Support » Implementing NeedClientCertificate Event

Implementing NeedClientCertificate Event Options
Previous Topic · Next Topic
Brendan
Posted: Thursday, October 29, 2020 11:28:57 AM
Rank: Newbie
Groups: Member

Joined: 10/29/2020
Posts: 2
Hi

I need to implement the NeedClientCertificate Event Handler for a use case where the client machine can have multiple client certificates installed to access a server page that requests them.

Normally in a Desktop browser you get a dialog that pops up allowing the user to select from a list when there's more than one matching valid certificate.

I was reading another thread here on the forum that discussed how the event works, whereby the engine will check to see if a single certificate is found and valid, but if multiple certificates are found then the event is raised, whereby you need to implement your own process to handle it.

https://www.essentialobjects.com/forum/postst10863_Certificates.aspx


My question is how can I access the list of certificate names that the engine uses to find by Issuer, either by name, serial number, thumbprint for the requesting page?
I see there's a Host property for the event args but I can't use this to find matching certificates in the MY cert store.

There's also a List (array) of byte arrays for the TrustedAuthorities that I can load into a X500DistinguishedName class but I'm unsure how to use this to find the certs by Issuer.

I'm looking for a way to identify what certs the requested URL is looking for. It seems the engine already does this but they're not accessible from the Event args. Is there any way to go about this?

Thanks.
Back to top
 
eo_support
Posted: Thursday, October 29, 2020 12:46:17 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,080
Hi,

Unfortunately this list is not exposed. Here is the relative Chromium source code that populates the certificate list based on trusted authorities:

https://source.chromium.org/chromium/chromium/src/+/master:net/ssl/client_cert_store_win.cc

The code is inside GetClientCertsImpl function, it should give you some basic idea on how it looks for certificate, you can then maybe duplicate the same logic on the .NET side.

Thanks!
Back to top
 
Brendan
Posted: Friday, October 30, 2020 12:10:48 PM
Rank: Newbie
Groups: Member

Joined: 10/29/2020
Posts: 2
Thanks. By looking at the code I was able to figure out most of what it is doing.

For reference if anyone stumbles on this in the future:

1. Loop the TrustedAuthorities byte array and construct an X500DistinguishedName class with the byte data.
2. Search the X509Store for CurrentUser using the X500DistinguishedName.Name and a "Find Type" of X509FindType.FindByIssuerDistinguishedName
3. Validate the certificate has not expired by comparing the NotAfter DateTime property
4. Validate the certificate has an Enhanced Key Usage Extension for "Client Authentication" or an Oid.Value of [szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";]
5. You can check the Extensions by looping them on the Certificate Extensions property and casting to X509EnhancedKeyUsageExtension
Back to top
 
eo_support
Posted: Friday, October 30, 2020 4:22:08 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,080
That's very helpful for other users. Thank you very much for sharing!
Back to top
 


You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.