Client certificate validation in windows 8
Download as PPTX, PDF0 likes640 views
The document outlines the process of client certificate validation within Windows 8/8.1 WinRT applications, focusing on binary security token authentication and encryption methods for token retrieval. It details the necessary capabilities for accessing locally installed X.509 certificates, as well as the steps to query and utilize these certificates for decrypting secure tokens to obtain cookies. Additionally, it covers certificate enrollment and the process for creating certificate requests and obtaining certificates from servers.
![Get certificate from server for decryption
• string postJsonData = "{"Username":"zhao@saifdemo.partner.onmschina.cn","&Password":"password01!"}";
• var clientHandler = new HttpClientHandler();
• byte[] responsecert = await SpCommon.SendHttpRequest(
new Uri(“SERVERURL"),
HttpMethod.Post,
new MemoryStream(Encoding.UTF8.GetBytes(postJsonData)),
"application/x-www-form-urlencoded",
clientHandler);
• if (responsecert != null)
• {
• // parse the required x509 certificate response
• }](https://image.slidesharecdn.com/clientcertificatevalidationinwindows8-141116020154-conversion-gate02/85/Client-certificate-validation-in-windows-8-12-320.jpg)
Client certificate validation in windows 8
- 1. Client Certificate validation in Windows 8/8.1 winRT app -Ashish Agrawal
- 2. Problem Statement • How to do certificate validation in windows RT metro app.
- 3. Binary Security Based token authentication • <wsse:BinarySecurityToken Id="Compact0">ABCD</wsse:BinarySecurityToken> • In non encrypted token response, we directly get the binary Security token from where we can get the RTFA and FEDAuth cookies and communicate with the server. • https://login.partner.microsoftonline.cn should be hit to get the encrypted token
- 4. Encrypted token • <wst:RequestedSecurityToken> • <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element"> • <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod> • <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> • <EncryptedKey> • <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod> • <ds:KeyInfo> • <ds:X509Data> • <ds:X509SKI>ac4GbK23Iw/V29Ef4tJAaZwrR6I=</ds:X509SKI> • </ds:X509Data> • <ds:KeyName>sharepoint.cn</ds:KeyName> • </ds:KeyInfo> • <CipherData> • <CipherValue>ABCD</CipherValue> • </CipherData> • </EncryptedKey> • </ds:KeyInfo> •
- 5. • <CipherData> • <CipherValue>XXX/CipherData> • </EncryptedData> • </wst:RequestedSecurityToken> • <wst:RequestedAttachedReference> • <wsse:SecurityTokenReference> • <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">uuid- e36c6939-c283-4c68-ad2e-8e5720b9c51a</wsse:KeyIdentifier> • </wsse:SecurityTokenReference> • </wst:RequestedAttachedReference> • <wst:RequestedUnattachedReference> • <wsse:SecurityTokenReference> • <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">uuid- e36c6939-c283-4c68-ad2e-8e5720b9c51a</wsse:KeyIdentifier> • </wsse:SecurityTokenReference> • </wst:RequestedUnattachedReference> • <wst:RequestedProofToken> • <wst:BinarySecret>8TM1ybkRA1Y4QURgKaIlzu7gywlQscqI</wst:BinarySecret> • </wst:RequestedProofToken> • </wst:RequestSecurityTokenResponse> Encrypted token cont..
- 6. The data encryption process can be understood from below link: • http://msdn.microsoft.com/en- us/library/vstudio/aa967562(v=vs.90).aspx
- 7. How to get locally installed certificate in WinRTapp • In-order to access locally installed X509 certificated, the below capability need to be enabled in app manifest • <Capabilities> • <Capability Name="internetClient" /> • <Capability Name="sharedUserCertificates" /> • </Capabilities>
- 8. Code to access local certificate • use Windows.Security (System.Security namespace is unavailable in winRT apps) • Windows.Security.Cryptography.Certificates.CertificateQuery cq = new Windows.Security.Cryptography.Certificates.CertificateQuery(); cq.Thumbprint = data; (Create certificate query using the thumbprint received from encrypted token xml. ds:X509SKI) • IEnumerable<Certificate> certificates = await CertificateStores.FindAllAsync(cq); (Using the certificate query we can access all the local certificates)
- 9. How to get Rtfa and FedAuth cookie • Once we get the desired certificate based on the certificate query, we should get its private key and use it to decrypt the cipher data: • <CipherData> • <CipherValue>ABCD</CipherValue> • </CipherData> • This decrypted key should be used to further decrypt the RequestedSecurityToken and get the actual cookie (rtfa and fedauth)
- 10. Incase required certificate is not present locally. Certificate enrollment • Security server specially bank servers provide certificate enrollment API which provide certificate to be used to validation. • http://msdn.microsoft.com/en-US/library/windows/apps/hh464943
- 11. Create Certificate Request • Create certificate request properties with the required parameters: • CertificateRequestProperties reqProperties = new CertificateRequestProperties(); • reqProperties.KeyUsages = EnrollKeyUsages.Signing; • reqProperties.FriendlyName = "Ashish"; • Make a request using the certificate properties • String cert = await CertificateEnrollmentManager.CreateRequestAsync(reqProperties);
- 12. Get certificate from server for decryption • string postJsonData = "{"Username":"zhao@saifdemo.partner.onmschina.cn","&Password":"password01!"}"; • var clientHandler = new HttpClientHandler(); • byte[] responsecert = await SpCommon.SendHttpRequest( new Uri(“SERVERURL"), HttpMethod.Post, new MemoryStream(Encoding.UTF8.GetBytes(postJsonData)), "application/x-www-form-urlencoded", clientHandler); • if (responsecert != null) • { • // parse the required x509 certificate response • }
- 13. Thanks. • For any queries Contact me : meetashish@gmail.com