client certificate validation in windows 8
DESCRIPTION
Client certificate and token decryption in WinRT apps.
• Decoding the XML token
• Accessing local X509 certificates
• Certificate validation and decryption
• Certificate enrollment
TRANSCRIPT
Client Certificate validation in Windows 8/8.1 WinRT app - Ashish Agrawal
Problem Statement
• How to do certificate validation in a Windows RT Metro app.
Binary Security Token based authentication
• <wsse:BinarySecurityToken Id="Compact0">ABCD</wsse:BinarySecurityToken>
• In a non-encrypted token response, we directly get the binary security token, from which we can get the RTFA and FedAuth cookies and communicate with the server.
• https://login.partner.microsoftonline.cn should be hit to get the encrypted token.
Encrypted token
• The relevant part of the RequestSecurityTokenResponse:
    <wst:RequestedSecurityToken>
      <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey>
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509SKI>ac4GbK23Iw/V29Ef4tJAaZwrR6I=</ds:X509SKI>
              </ds:X509Data>
              <ds:KeyName>sharepoint.cn</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
              <CipherValue>ABCD</CipherValue>
            </CipherData>
          </EncryptedKey>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>XXX</CipherValue>
        </CipherData>
      </EncryptedData>
    </wst:RequestedSecurityToken>
    <wst:RequestedAttachedReference>
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">uuid-e36c6939-c283-4c68-ad2e-8e5720b9c51a</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </wst:RequestedAttachedReference>
    <wst:RequestedUnattachedReference>
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">uuid-e36c6939-c283-4c68-ad2e-8e5720b9c51a</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </wst:RequestedUnattachedReference>
    <wst:RequestedProofToken>
      <wst:BinarySecret>8TM1ybkRA1Y4QURgKaIlzu7gywlQscqI</wst:BinarySecret>
    </wst:RequestedProofToken>
  </wst:RequestSecurityTokenResponse>
Encrypted token cont..
The data encryption process can be understood from the link below:
• http://msdn.microsoft.com/en-us/library/vstudio/aa967562(v=vs.90).aspx
How to get a locally installed certificate in a WinRT app
• In order to access locally installed X509 certificates, the below capabilities need to be enabled in the app manifest:
    <Capabilities>
      <Capability Name="internetClient" />
      <Capability Name="sharedUserCertificates" />
    </Capabilities>
Code to access local certificate
• Use Windows.Security (the System.Security namespace is unavailable in WinRT apps).
• Create a certificate query using the thumbprint received from the encrypted token XML (ds:X509SKI), then use the query to access the matching local certificates:
    using System.Collections.Generic;
    using Windows.Security.Cryptography.Certificates;

    // Build the query from the value taken out of the token's ds:X509SKI element.
    CertificateQuery cq = new CertificateQuery();
    cq.Thumbprint = data;   // byte[] identifying the wanted certificate
    // Search the local certificate stores; every certificate matching the query is returned.
    IEnumerable<Certificate> certificates = await CertificateStores.FindAllAsync(cq);
How to get the rtfa and FedAuth cookies
• Once we have the desired certificate from the certificate query, we get its private key and use it to decrypt the cipher data of the EncryptedKey element:
    <CipherData>
      <CipherValue>ABCD</CipherValue>
    </CipherData>
• The decrypted key is then used to decrypt the RequestedSecurityToken and obtain the actual cookies (rtfa and FedAuth).
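The two decryption steps above, as an added example that is not code from the deck: the EncryptedKey is unwrapped with the certificate's private key (rsa-oaep-mgf1p, i.e. RSA-OAEP with SHA-1), and the session key then decrypts the EncryptedData with 3DES-CBC following the XML Encryption layout (IV in the first block, pad length in the last byte). It assumes the Windows 8.1 PersistedKeyProvider and CryptographicEngine.DecryptAsync APIs, and that the two base64 CipherValue strings (named encryptedKeyB64 / keyB64 and cipherValueB64 / dataB64 here) were already read out of the response XML.

```csharp
using System;
using System.Runtime.InteropServices.WindowsRuntime; // AsBuffer() / ToArray() on IBuffer
using System.Text;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

// Added example (not the deck's code); assumes Windows 8.1 APIs and the base64 strings already read from the response XML.
static class TokenDecryptor
{
    // Step 1: unwrap the 3DES session key with the certificate's private key; xmlenc rsa-oaep-mgf1p = RSA-OAEP with SHA-1.
    static async Task<IBuffer> UnwrapSessionKeyAsync(Certificate cert, string encryptedKeyB64)
    {
        CryptographicKey privateKey = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(
            cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaOaep);
        IBuffer wrapped = CryptographicBuffer.DecodeFromBase64String(encryptedKeyB64);
        IBuffer sessionKey = await CryptographicEngine.DecryptAsync(privateKey, wrapped, null);
        if (sessionKey.Length != 24) throw new InvalidOperationException("expected a 24-byte 3DES key");
        return sessionKey;
    }
    // Step 2: decrypt EncryptedData/CipherValue. XML Encryption CBC layout: the first
    // 8-byte block is the IV, the rest is ciphertext, and the plaintext ends with padding
    // whose LAST byte is the pad length (not PKCS#7), so it is stripped by hand here.
    static byte[] DecryptXmlEncTripleDes(IBuffer sessionKey, string cipherValueB64)
    {
        const int block = 8;
        byte[] raw = CryptographicBuffer.DecodeFromBase64String(cipherValueB64).ToArray();
        if (raw.Length < 2 * block || raw.Length % block != 0)
            throw new InvalidOperationException("CipherValue is not a whole number of 3DES blocks");
        byte[] iv = new byte[block], ciphertext = new byte[raw.Length - block];
        Array.Copy(raw, 0, iv, 0, block);
        Array.Copy(raw, block, ciphertext, 0, ciphertext.Length);
        var tdes = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.TripleDesCbc);
        byte[] padded = CryptographicEngine.Decrypt(tdes.CreateSymmetricKey(sessionKey),
            ciphertext.AsBuffer(), iv.AsBuffer()).ToArray();
        int pad = padded[padded.Length - 1];
        if (pad < 1 || pad > block) throw new InvalidOperationException("bad xmlenc padding byte " + pad);
        byte[] plain = new byte[padded.Length - pad];
        Array.Copy(padded, 0, plain, 0, plain.Length);
        return plain;
    }
    // Returns the decrypted RequestedSecurityToken XML; the rtfa/FedAuth values are read from it.
    public static async Task<string> DecryptTokenAsync(Certificate cert, string keyB64, string dataB64)
    {
        byte[] plain = DecryptXmlEncTripleDes(await UnwrapSessionKeyAsync(cert, keyB64), dataB64);
        return Encoding.UTF8.GetString(plain, 0, plain.Length);
    }
}
```

ds:X509SKI carries the certificate's Subject Key Identifier, which is a different value from the thumbprint that CertificateQuery.Thumbprint matches on, so the app has to resolve the SKI to the right installed certificate before calling this. The private key must also permit decryption; a key enrolled for signing only fails at step 1.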
In case the required certificate is not present locally: certificate enrollment
• Secure servers, especially bank servers, provide a certificate enrollment API that issues the certificate to be used for validation.
• http://msdn.microsoft.com/en-US/library/windows/apps/hh464943
Create Certificate Request
• Create the certificate request properties with the required parameters:
    CertificateRequestProperties reqProperties = new CertificateRequestProperties();
    reqProperties.KeyUsages = EnrollKeyUsages.Signing;   // add EnrollKeyUsages.Decryption if the key must also decrypt tokens
    reqProperties.FriendlyName = "Ashish";
• Make a request using the certificate properties (the result is the base64-encoded PKCS#10 request that is sent to the enrollment server, not yet a certificate):
    string certRequest = await CertificateEnrollmentManager.CreateRequestAsync(reqProperties);
Get certificate from server for decryption
    // Credentials for the enrollment server, posted as a JSON body through the author's SpCommon.SendHttpRequest helper.
    string postJsonData = "{\"Username\":\"[email protected]\",\"Password\":\"password01!\"}";
    var clientHandler = new HttpClientHandler();
    // The content type passed here must match what SERVERURL expects for this body.
    byte[] responsecert = await SpCommon.SendHttpRequest(new Uri("SERVERURL"), HttpMethod.Post,
        new MemoryStream(Encoding.UTF8.GetBytes(postJsonData)), "application/x-www-form-urlencoded", clientHandler);
    if (responsecert != null)
    {
        // parse the required x509 certificate response
    }
Thanks.
• For any queries, contact me: [email protected]