
Certificates Options
Tom Wynne
Posted: Thursday, April 5, 2018 7:30:05 PM
Rank: Member
Groups: Member

Joined: 1/29/2015
Posts: 26
Does the WebBrowser look at the certificate store for a client certificate? If it doesn't find one there, then does it fire the NeedCertificate event? It isn't clear from the documentation.
Also, if I provide a certificate with e.Continue, does it only use it for that session or does it install it into the certificate store? Would it be better for the user to install the certificate using the regular web browser first instead of being prompted or loading from a file each time?
eo_support
Posted: Friday, April 6, 2018 7:51:38 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,218
Hi,

Here is the flow for client certificate:

1. The server requests a client certificate;
2. The browser engine searches the "My" store for matching certificates and produces a list of such certificates. Note there can be multiple matching certificates, so at this point the browser engine still does not know which certificate to use;
3. WebView.NeedClientCertificate event is triggered. Inside this event you can:
3.a: Supply a certificate object from your My certificate store;
-- OR --
3.b: Supply a certificate object NOT from your My certificate store;

If you supply a certificate from your My certificate store, then:
1. The certificate does not have to contain a private key since the certificate is already in the certificate store;
2. It must match one of the pre-selected certificates from step 2;

If you supply a certificate not from your My certificate store, then:
1. The certificate MUST contain a private key. For example, if you call Continue with the raw byte data format, then that data should be from a PK12 file;
2. The browser engine will use this certificate, but will NOT add it to your system's certificate store;

The above process is repeated for every request.

The key difference between 3.a and 3.b is the private key. A private key is always needed for a client certificate because the private key is used for encryption. However, if the certificate is already in the certificate store, then you do not have to explicitly provide the private key because the system already has it. We do not modify the system's certificate store.

Hope this helps. Please feel free to let us know if you have any questions.

Thanks!
Tom Wynne
Posted: Monday, April 9, 2018 2:11:05 PM
Rank: Member
Groups: Member

Joined: 1/29/2015
Posts: 26
Is there a code example of how to retrieve the list of certificates the browser engine matched?
We have a client that accesses a financial web site that requires them to download and install a certificate. They provide instructions on their site to do this. I am unclear as to whether, if they install the certificate in Chrome, EO just uses it. I don't think there would be more than one to choose from.
Thanks
eo_support
Posted: Thursday, April 12, 2018 1:39:50 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,218
Hi,

Sorry about the delay. The search is implemented in Chromium's code. You can find the implementation in the GetClientCertsImpl function in the following link:

https://cs.chromium.org/chromium/src/net/ssl/client_cert_store_win.cc?q=GetClientCertsImpl&sq=package:chromium&l=110

Thanks!
Trivium
Posted: Friday, July 12, 2019 7:01:07 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi ,
We have upgraded EO from 17.2.92 to 19.1.95. After the upgrade, we observed that the NeedClientCertificate event doesn't send the client certificate to the server if the certificate is not found in the My certificate store.
If we add the certificate to the store then it works fine, but we don't want to store the certificates in the store.

Here is the code we used to send the client certificate:
Code: C#
using System.Security.Cryptography.X509Certificates;
using EO.WebBrowser;

private void M_WebView_NeedClientCertificate(object sender, NeedClientCertificateEventArgs e)
{
    // PersistKeySet writes the private key into the user's key container on disk,
    // so the key stays on the machine even though the certificate is not in the store.
    X509Certificate2 cert = new X509Certificate2(@"D:\usr_ST300User.pfx", "****", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
    // GetRawCertData() returns the DER certificate only; it carries no private key.
    e.Continue(cert.GetRawCertData(), "******");
}

private void M_WebView_CertificateError(object sender, CertificateErrorEventArgs e)
{
    // Continues unconditionally: every server certificate error is accepted.
    e.Continue();
}

It works perfectly when we use EO version 17.2.92.
Please check and let us know how to fix this issue so that we can upgrade to the latest version of EO.

eo_support
Posted: Monday, July 15, 2019 1:21:10 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,218
Hi,

We have confirmed this to be an issue in the current build. The current build does not properly load private key data. This will be resolved in our next build.

Additionally, you cannot use GetRawCertData to get the certificate data because the data returned by this function does not contain private key information. As a result, this function will only work when the certificate is already imported into the client system.

If you already have the pfx file, the easiest way for you to pass the certificate data is to use:

Code: C#
byte[] certData = File.ReadAllBytes(your_pfx_file_name);
e.Continue(certData, export_password);


If you have the X509Certificate2 object but do not have the original pfx file, you can do:

Code: C#
byte[] certData = cert.Export(X509ContentType.Pkcs12, export_password);
e.Continue(certData, export_password);


Note that while the above code will properly pass the private key data, due to the problem on our end that does not properly load it, it still won't work in the current build. Our next build will fix the issue with loading private key data. So the next build should work with the above code. We will reply here again when the new build is ready.

Thanks!
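Pulling the two support replies together (the 3.a/3.b flow, and the point that GetRawCertData carries no private key while File.ReadAllBytes on the .pfx or Export(X509ContentType.Pkcs12) does), here is an added C# example. It is not EO's code and not the poster's; it assumes only the e.Continue(byte[] pkcs12Data, string password) overload used in this thread and that NeedClientCertificateEventArgs lives in the EO.WebBrowser namespace. The file path, the environment-variable name and the class names are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using EO.WebBrowser; // assumed namespace for NeedClientCertificateEventArgs

// Added example, not EO's own code. Path 3.b from the thread: supply a
// certificate that is NOT in the My store, so the PKCS#12 data must carry the key.
public static class ClientCertHelper
{
    // A client certificate is only useful to the engine if it has a private key
    // and is inside its validity window; refusing it here keeps the failure visible.
    public static bool IsUsableClientCert(X509Certificate2 cert)
    {
        if (cert == null || !cert.HasPrivateKey)
            return false;
        DateTime now = DateTime.Now;
        return now >= cert.NotBefore && now <= cert.NotAfter;
    }

    // For the case where only an X509Certificate2 object is at hand (no .pfx):
    // Export(Pkcs12) includes the private key, unlike GetRawCertData().
    // Returns null if the certificate is unusable or its key is not exportable.
    public static byte[] ToPkcs12WithKey(X509Certificate2 cert, string exportPassword)
    {
        if (!IsUsableClientCert(cert) || string.IsNullOrEmpty(exportPassword))
            return null;
        try
        {
            return cert.Export(X509ContentType.Pkcs12, exportPassword);
        }
        catch (CryptographicException)
        {
            return null; // key was loaded without Exportable; fall back to the original .pfx
        }
    }

    // For the case where the original .pfx file is available: pass its bytes
    // unchanged, but load it once first to validate what we are about to send.
    // EphemeralKeySet keeps the key out of the user's key container, which the
    // poster's Exportable | PersistKeySet combination would leave behind.
    public static byte[] LoadAndCheckPfx(string path, string password)
    {
        if (string.IsNullOrEmpty(password) || !File.Exists(path))
            return null;
        byte[] data = File.ReadAllBytes(path);
        using (var cert = new X509Certificate2(data, password, X509KeyStorageFlags.EphemeralKeySet))
        {
            return IsUsableClientCert(cert) ? data : null;
        }
    }
}

public class ClientCertificateSupplier
{
    // Placeholders: the real path and password come from configuration or a
    // secret store, never from a literal checked into source control.
    private readonly string _pfxPath = @"D:\path\to\client.pfx";
    private readonly string _pfxPassword =
        Environment.GetEnvironmentVariable("CLIENT_CERT_PFX_PASSWORD");

    public void WebView_NeedClientCertificate(object sender, NeedClientCertificateEventArgs e)
    {
        byte[] pkcs12 = ClientCertHelper.LoadAndCheckPfx(_pfxPath, _pfxPassword);
        if (pkcs12 == null)
            return; // nothing trustworthy to supply; do not call Continue with guessed data
        e.Continue(pkcs12, _pfxPassword);
    }
}
```

X509KeyStorageFlags.EphemeralKeySet exists from .NET Framework 4.7.2 and .NET Core 2.0 onward; on older targets drop the flag and accept that the loaded key is written to the key container. ToPkcs12WithKey only succeeds for a certificate whose key was imported or loaded as exportable, which is why the .pfx-bytes path is the simpler one when the file is available.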
eo_support
Posted: Monday, July 22, 2019 4:56:10 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,218
Hi,

This is just to let you know that we have posted a new build that should resolve this issue. You can download the new build from our download page. Please take a look and let us know how it goes.

Thanks!
Trivium
Posted: Tuesday, July 23, 2019 3:12:23 AM
Rank: Member
Groups: Member

Joined: 8/5/2015
Posts: 12
Hi,
Thanks for the new build. It works with a client certificate that is not present in the cert store. After upgrading EO to 19.2.11.0, just opening a single EO browser instance throws the error below.

"One of the child processes used by EO components reported an out of memory error. If your system has sufficient memory, please consider setting EO.Base.Runtime.EnableEOWP to true."

Only after setting EO.Base.Runtime.EnableEOWP to true does it work. But why do we get this memory error though we have sufficient memory available (16 GB RAM)?
eo_support
Posted: Tuesday, July 23, 2019 8:46:29 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,218
Hi,

This does not have anything to do with how much physical memory you have on your system. It has to do with the maximum logical memory space available to a process. At runtime, EO.WebBrowser dynamically creates child processes and runs the native Chromium browser engine in those child processes. By default this child process is started by rundll32.exe, which is a Windows system file. Rundll32.exe will only allow a maximum of 2GB memory per process. When you set EnableEOWP to true, it switches to our own eowp.exe. eowp.exe allows up to 4GB memory per process.

Thanks!