-Vamsi sri Harsha Vidala - PowerPoint PPT Presentation

About This Presentation
Title:

-Vamsi sri Harsha Vidala

Description:

... uses to obtain X.509 certificates – PowerPoint PPT presentation

Number of Views:94
Avg rating:3.0/5.0
Slides: 27
Provided by: vvi1
Learn more at: https://www.cs.odu.edu
Category:
Tags: harsha | senthil | sri | vamsi | vidala

less

Transcript and Presenter's Notes

Title: -Vamsi sri Harsha Vidala


1
X.509 certificate management in .NET
  • -Vamsi sri Harsha Vidala

2
Introduction
  • A public key certificate is digitally signed
    document that is commonly used for authentication
    and secure exchange of information on open
    networks.
  • A certificate securely binds a public key to the
    entity that holds the corresponding private key.
  • Certificates are digitally signed by the issuing
    certification authority (CA). They create a trust
    relationship between two unknown entities.

3
Overview of X.509 certificates
  • Entities involved in X.509 certificate
    management.
  • Subjects and End Entities.
  • Certification Authority(CA).
  • Registration Authority(RA).

4
Certificate Management Operations
Certificate Repository
End Entity
Cert. publish
Out-of-Band loading
Initial Registration/ Certification. Key Pair
recovery. Key Pair Update. Certificate
Update. Revocation Request.
Cert. USERS
Cert. Mgmt Entities
RA
Cert. publish
Out-of-Band publication
CA
Cert. publish
Cross-certification. Cross- Certificate Update.
CA-2
5
Certificate Management Operations
  • CA establishment.
  • End entity initialization.
  • Certification
  • Initial registration/Certification.
  • Key pair Update.
  • Certificate Update.
  • CA Key pair update.
  • Cross-certification Request.
  • Cross-certificate Update.

6
Operations(contd.)
  • Certificate/CRL discovery operations.
  • Certificate Publication
  • CRL Publication
  • Recovery operations
  • Key-pair recovery
  • PSE operations

7
Implementation in ASP.NET
8
Formats for X.509 Certificate
Format Extension
DER Encoded Binary X.509 cer
Base64 Encoded X.509 cer
PKCS7 / Cryptographic Message Syntax Standard p7b
PKCS12 / Personal Information Exchange pfx
  • Note
  • The most widely accepted format for certificates
    is defined by the ITU-T X.509 version 3
    international standards.
  • The certificates are encoded using OSI ASN.1 DER.

9
Primary Fields in X.509 certificate
Field Meaning
Version Which version of X.509
Serial number This number plus the CAs name uniquely identifies the certificate
Signature algorithm The algorithm used to sign certificate
Issuer X.500 name of CA
Validity Period The starting and ending period
Subject name The entity whose key being certified
Public Key The subjects pubic key and ID of algorithm using it
10
.NET Certificate Management Tools
Application Usage
Makecert Generate a X.509 certificate
Certmgr Assembles certificates into CTL (certificate trust list) and can also be used for revoking lists (CRLs)
Chktrust Verifies the validity of a file signed with an X.509 certificate
Cert2spc Creates a Software Publisher's Certificate (SPC) from one or more X.509 certificates
pvk2pfx Convert the certificate .cer and .pvk to .pfx
WseCertificate2 X.509 Certificate tool to displays details about X.509 certificates.
11
Using X.509 Certificates in .NET application
  • Create and manage X.509 Certificate
  • Sign a SOAP Message Using an X.509 Certificate
  • Verify Digital Signatures of SOAP Messages Signed
    by an X.509 Certificate

12
  • STEP I
  • Create and manage
  • X.509 Certificate

13
Obtain X.509 Certificate
  • Purchase a certificate from a certificate
    authority, such as VeriSign, Inc
  • Set up our own certificate service and have a
    certificate authority sign the certificates
  • Set up our own certificate service and do not
    have the certificates signed
  • Note
  • Whichever approach we take, the recipient of the
    SOAP request containing the X.509 certificate
    must trust the X.509 certificate.

14
Creating and configuring X.509 Certificate
  • Create certificate using makecert.exe
  • cmdgtmakecert -n "CNTempCA" -r -sv TempCA.pvk
    TempCA.cer
  • Import the created certificate using MMC in to
    the certificate store
  • Import the certificate TempCA.cer using MMC in
    to "Trusted Root Certificate Authorities" folder
  • Export the created certificate to outside world
    by creating and distributing pfx file using
    pvk2pfx tool
  • cmdgtpvk2pfx -pvk TempCA.pvk -spc TempCA.cer
  • Define access permission for X.509 certificate
  • cmdgtwinhttpcertcfg -g -c LOCAL_MACHINE\MY -s
    TempCA -a ASPNET

15
Make certificates accessible to application
  • Specify the certificate store that application
    uses to obtain X.509 certificates
  • ltconfigurationgt
  • ltmicrosoft.web.services2gt
  • ltsecuritygt
  • ltx509 storeLocation"CurrentUser" /gt
  • lt/securitygt
  • lt/microsoft.web.services2gt
  • lt/configurationgt
  • Specify the account under which application is
    running read access to the file containing the
    private key associated with the X.509
    certificate.
  • ltprocessModel enable"truefalse"  userName"use
    rname"  password"password" /gt

16
Default accessibility for certificates
Default Locations of certificate store
X.509 certificate use Client Application Web service (.ASMX)
Signing or encrypting an outgoing SOAP message. Local Computer's Personal Store Local Computer's Personal Store
Verifying the signature of an incoming SOAP message SOAP message SOAP message
Decrypting an inbound SOAP message Local Computer's Personal Store Local Computer's Personal Store
Usage of private key
X.509 certificate use Private key
Digitally signing an outbound SOAP Yes
Verifying the signature of an inbound SOAP No
Encrypting an outbound SOAP message No
Decrypting an inbound SOAP message Yes
17
  • STEP II
  • Sign a SOAP Message
  • Using an X.509 Certificate

18
Config file settings for using X.509 certificates
ltpolicyDocument xmlns"http//schemas.microsof
t.com/wse/2003/06/Policy"gt ltmappings
xmlnswse"http//schemas.microsoft.com/wse/2003/0
6/Policy"gt ltendpoint uri"http//www.cohowiner
y.com/SaleWidgets.asmx"gt ltdefaultOperationgt
ltrequest policy"policy-c0a22319-6b89-49f
f-9b82-bdbac5f04618" /gt ltresponse
policy"policy-c0a22319-6b89-49ff-9b82-bdbac5f046
18" /gt ltfault policy"policy-c0a22319-6b8
9-49ff-9b82-bdbac5f04618" /gt
lt/defaultOperationgt lt/endpointgt
lt/mappingsgt ltpolicies
lt/policiesgt lt/policyDocumentgt
19
Config file settings for using X.509 certificates
ltpolicies xmlnswsu"http//docs.oasis-open.org/ws
s/2004/01/oasis-200401-wss-wssecurity-utility-1.0.
xsd"gt ltwspPolicy wsuId"policy-c0a22319-6b89
-49ff-9b82-bdbac5f04618" xmlnswsp"http//s
chemas.xmlsoap.org/ws/2002/12/policy"
xmlnswsa"http//schemas.xmlsoap.org/ws/2004/03/a
ddressing" gt ltwsspIntegrity
wspUsage"wspRequired" xmlnswssp"http//schema
s.xmlsoap.org/ws/2002/12/secext"gt
ltwsspTokenInfogt ltSecurityToken
xmlns"http//schemas.xmlsoap.org/ws/2002/12/secex
t"gt ltwsspTokenTypegt
http//schemas.xmlsoap.org/ws/2003/12/kerberos/Ker
berosv5ST lt/wsspTokenTypegt
ltwsspTokenIssuergtCOHOWINERYlt/wsspTokenIssuergt
ltwsspClaimsgt
ltwsspServiceNamegthost/computer1_at_cohowinery.comlt/w
sspServiceNamegt lt/wsspClaimsgt
lt/SecurityTokengt lt/wsspTokenInfogt
ltwsspMessageParts Dialect"http//schemas.xm
lsoap.org/2002/12/wssepart"gt
wspBody() wspHeader(wsaTo) wspHeader(wsaActio
n) wspHeader(wsaMessageID) wspHeader(wsaFrom)
lt/wsspMessagePartsgt
lt/wsspIntegritygt lt/policiesgt
20
Retrieve certificate from store
public X509SecurityToken GetSecurityToken()
X509SecurityToken securityToken null
X509CertificateStore store X509CertificateStore
.CurrentUserStore( X509CertificateStore.MyStore)
bool open store.OpenRead() try
byte certHash 0x98, 0xec, 0x08,
0x4b, 0xa5, 0x7a, 0x6c, 0x2f, 0x39, 0x26, 0xb3,
0x0a, 0x58, 0xbf, 0x65, 0x25, 0x61, 0xc5,
0x64, 0x59 X509CertificateCollection
certs store.FindCertificateByHash(certHash)
Microsoft.Web.Services2.Security.X509.X509Cer
tificate cert ((Microsoft.Web.Service
s2.Security.X509.X509Certificate) certs0)
if (cert null) else if
(!cert.SupportsDigitalSignature (cert.Key
null)) else
securityToken new X509SecurityToken(cert)
finally if
(store ! null) store.Close()
return securityToken
21
Code for signing SOAP messages
  • Call GetSecurityToken() to retrieve certificate
  • X509SecurityToken signatureToken
    GetSecurityToken()
  • Get the SoapContext method for the SOAP request
    made to the Web service.
  • Service1 svc new Service1()
  • SoapContext requestContext
    svc.RequestSoapContext
  • Add the client's X.509 certificate to the SOAP
    header. requestContext.Security.Tokens.Add(sig
    natureToken)
  • Create a new instance of the MessageSignature
    class by using the X.509
  • certificate just added to the SOAP header.
  • MessageSignature sig new MessageSignature(si
    gnatureToken)
  • Add the digital signature to the SOAP header.
  • RequestContext.Security.Elements.Add(sig)
  • Specify the TTL for the SOAP message
  • requestContext.Security.Timestamp.TtlInSeconds
    60

22
  • STEP III
  • Verify Digital Signatures of SOAP Messages
  • Signed by an X.509 Certificate

23
Configure application to validate digital
signatures for incoming SOAP messages
  • Export and Import the CA certificate chain
  • Add a reference to the Microsoft.Web.Services2
    assembly
  • When the SOAP message recipient is a Web service
    client, this configuration entry is not required.
    Else configure web.config as below

ltconfigurationgt ltsystem.webgt
ltwebServicesgt ltsoapExtensionTypesgt
ltadd type"Microsoft.Web.Services2.WebServic
esExtension, Microsoft.Web.Service
s2,Version2.0.0.0, Cultureneutral,
PublicKeyToken31bf3856ad364e35"
priority"1" group"0"/gt
lt/soapExtensionTypesgt lt/webServicesgt
lt/system.webgt lt/configurationgt
24
Code to verify if SOAP Body is signed
public string CheckSOAPBody() SoapContext
requestContext RequestSoapContext.Current
// Verify that a SOAP request was received.
if (requestContext null)
throw new ApplicationException("Either a non-SOAP
" "request was received or WSE is not
properly " "installed for the Web
application hosting the " "Web
service.") // Check if the Soap
Message is Signed. if (!IsMessageSigned(reques
tContext)) throw new
ApplicationException("The request is not
signed.") return "sucess"
25
Code to verify digital signature of SOAP request
private bool IsMessageSigned(SoapContext
context) foreach (ISecurityElement element
in context.Security.Elements) if
(element is MessageSignature)
// The given context contains a Signature
element. MessageSignature sig
element as MessageSignature if
((sig.SignatureOptions
SignatureOptions.IncludeSoapBody) ! 0)
// The SOAP Body is signed.
return true
return false
26
References
http//www.ietf.org/rfc/rfc2510.txt http//msdn.m
icrosoft.com/en-us/library/system.security.cryptog
raphy.x509certificates.x509certificate(VS.71).aspx
http//msdn.microsoft.com/en-us/library/ms820022
.aspx http//support.microsoft.com/kb/315588 htt
p//msdn.microsoft.com/en-us/library/ms819944.aspx
http//www.codeproject.com/KB/cpp/X509Certificat
e.aspx http//www.codeproject.com/KB/WCF/Senthil.
aspx
Write a Comment
User Comments (0)
About PowerShow.com