
Does the EOBrowser take X509Certificate2 as parameter for mutual authentication
DP
Posted: Tuesday, May 26, 2015 3:39:57 AM
Rank: Newbie
Groups: Member

Joined: 5/26/2015
Posts: 1
Hi,

We are evaluating the EO Browser control and it looks good.

We are facing certain challenges using the EO Browser control, especially with mutual authentication.

We have a client certificate that is of type (.pfx) which needs to be passed to the EO Browser control in the NeedClientCertificate. This is of type X509Certificate2 in .NET.

Currently, when we pass the certificate, it looks like it is converting it to X509Certificate and hence loses the private key when assigned with the Continue method.

With this approach, it looks like the certificate needs to be added to the Windows store for the client authentication to work.

How to solve this issue where I can use the certificate with private key directly with the EO browser without adding the certificate to the Windows store?
eo_support
Posted: Tuesday, May 26, 2015 4:52:38 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229
Hi,

Currently there is no way for you to do that. We can add a new method that would allow you to pass the raw certificate data directly to the browser engine. We will let you know as soon as we have a test build for you.

Thanks!
Trivium
Posted: Wednesday, August 5, 2015 10:26:35 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi,

We are evaluating the EO Browser control.
We have used the newly added method "Continue(byte[] rawcertData)" to pass the raw certificate in order to avoid the certificate store.

When we convert the X509Certificate2 to a byte array with the private key and pass it to the Continue method, it gives a bad client cert data error with the code -135.

How to solve this issue where I can use the certificate array with private key directly with the EO browser "Continue(byte[] rawcertData)" method?

Please provide some sample code.

Here is the code which we tried:

Code: C#
X509Certificate2 cert = new X509Certificate2(fileDG.FileName, "xawwew", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
var PFXByteArray = cert.Export(X509ContentType.Pfx);
e.Continue(PFXByteArray);

eo_support
Posted: Wednesday, August 5, 2015 9:53:50 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229
Hi,

Error code -135 is ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY. You can try the code in this link and see if it works for you:

http://stackoverflow.com/questions/9810887/export-x509certificate2-to-byte-array-with-the-private-key

Thanks!
Trivium
Posted: Thursday, August 6, 2015 2:12:01 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi,

We tried the same, and passing the certificate byte array with the private key to the Continue method gives a -117 error (ERR_BAD_SSL_CLIENT_AUTH_CERT).

How to solve this issue where I can use the certificate array with private key directly with the EO browser "Continue(byte[] rawcertData)" method?

Here is the code which we tried:

Code: C#
X509Certificate2 cert = new X509Certificate2(certificateFileName, "Pass", X509KeyStorageFlags.Exportable|X509KeyStorageFlags.PersistKeySet);
var pfxCertBytes = cert.Export(X509ContentType.Pkcs12);
e.Continue(pfxCertBytes);


The above code gives a -117 error (ERR_BAD_SSL_CLIENT_AUTH_CERT).

We also tried the method below, which gives the same -117 error (ERR_BAD_SSL_CLIENT_AUTH_CERT):

Code: C#
pfxCertBytes = cert.Export(X509ContentType.Pfx);
eo_support
Posted: Thursday, August 6, 2015 10:24:48 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229
Hi,

Can you send us a test certificate as well as the server URL that you use to test the certificate so that we can debug it here? See here for our email address:

http://www.essentialobjects.com/forum/test_project.aspx

Thanks!
Trivium
Posted: Thursday, August 6, 2015 11:10:16 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi,

We have sent the test certificate via email with the subject "Test Certificate for the thread 37951".
We used the localhost Apache Tomcat server with client certificate authentication enabled for testing, so we don't have any server URL.

Thanks!
Trivium
Posted: Tuesday, August 11, 2015 9:04:01 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi,

Is there any update on this? Please let us know if you need anything.
eo_support
Posted: Tuesday, August 11, 2015 9:42:40 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229
Hi,

I apologize for the delay. This is just to let you know that we are still working on it. The code in the browser engine calls Windows API CertAddEncodedCertificateToStore to load the certificate data, however this function does not take PKCS#12 format (which contains private key). So I am not sure how this works. We will continue researching and reply again if we find anything.

Thanks
Trivium
Posted: Wednesday, August 26, 2015 9:22:27 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi,
Is there any update on this?
Trivium
Posted: Thursday, September 3, 2015 8:38:29 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Please check the below link for some information about storing the certificate with private key.

http://stackoverflow.com/questions/7273231/creating-a-temporary-client-certificate-including-a-private-key

Let us know if there is any update on this. This is a blocker issue for us to proceed further.

Thanks!
eo_support
Posted: Saturday, September 5, 2015 4:42:14 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229
Trivium wrote:
Please check the below link for some information about storing the certificate with private key.

http://stackoverflow.com/questions/7273231/creating-a-temporary-client-certificate-including-a-private-key

Let us know if there is any update on this. This is a blocker issue for us to proceed further.

Thanks!


Thanks for the additional information. We have revisited this issue thoroughly and should have an update build soon (possibly next week) that would support this. We would add an overloaded version of the Continue method that would take two parameters: both the binary certificate data and the password. That version will allow you to use your own custom PKCS#12 certificate file. We will post here again when the new build is available.
eo_support
Posted: Wednesday, September 9, 2015 8:52:38 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229
Hi,

This is just to let you know that we have posted a new build that supports PKCS#12. In your NeedClientCertificate event handler you will need to call e.Continue(certificate_data, certificate_password) in order to supply the PKCS#12 certificate. This version of Continue with a password is new in this build. Note that in order to use a client certificate, the CA that is used to sign the certificate must be trusted by the server so that the server can verify the certificate.

Please see your private message for the download location of the new build.

Thanks!
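Added example, not part of the original thread and not Essential Objects' code: a pre-flight check for the PKCS#12 data before it is handed to the two-argument e.Continue(certificate_data, certificate_password) described above, so that a missing private key or an unusable certificate is caught before the TLS handshake reports -135 or -117. The class and method names are hypothetical, and the code assumes .NET Framework 4.6 or later, where X509Certificate2 is disposable.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; only e.Continue(data, password) comes from the thread.
static class ClientCertLoader
{
    const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Returns the original PKCS#12 bytes once they are confirmed usable for
    // TLS client authentication; throws otherwise.
    public static byte[] LoadValidatedPfx(string pfxPath, string password)
    {
        byte[] raw = File.ReadAllBytes(pfxPath);

        // DefaultKeySet without PersistKeySet: the imported key is only needed
        // for this check and is not kept in the key store after disposal.
        // Exportable is not needed because the file bytes are passed on as-is.
        using (var cert = new X509Certificate2(raw, password, X509KeyStorageFlags.DefaultKeySet))
        {
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("PKCS#12 data contains no private key.");

            DateTime now = DateTime.Now; // NotBefore/NotAfter are local time
            if (now < cert.NotBefore || now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is outside its validity period.");

            // If an EKU extension is present, it must allow client authentication.
            var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
            if (eku != null &&
                !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEku))
                throw new InvalidOperationException("EKU does not permit client authentication.");
        }
        return raw;
    }
}

// Inside the NeedClientCertificate handler named in the thread:
//   byte[] pfx = ClientCertLoader.LoadValidatedPfx(path, password);
//   e.Continue(pfx, password);
```

Passing the file bytes unchanged avoids the Export round trip used in the earlier posts, which required Exportable and PersistKeySet and left the key persisted on the machine.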

