Client certificate validation in Windows 8

Upload: ashish-agrawal

Post on 29-Jun-2015
DESCRIPTION

Client certificate and token decryption in WinRT apps.
* Decoding the XML token
* Accessing local X509 certificates
* Certificate validation and decryption
* Certificate enrollment

TRANSCRIPT

Page 1: Client certificate validation in windows 8

Client Certificate validation in a Windows 8/8.1 WinRT app - Ashish Agrawal

Page 2

Problem Statement

• How to do certificate validation in a Windows RT (Metro-style) app.

Page 3

Binary security token based authentication

• <wsse:BinarySecurityToken Id="Compact0">ABCD</wsse:BinarySecurityToken>

• In a non-encrypted token response we get the binary security token directly; from it we can obtain the rtFa and FedAuth cookies and communicate with the server.

• https://login.partner.microsoftonline.cn should be hit to get the encrypted token.

Page 4

Encrypted token

<wst:RequestedSecurityToken>
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey>
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509SKI>ac4GbK23Iw/V29Ef4tJAaZwrR6I=</ds:X509SKI>
          </ds:X509Data>
          <ds:KeyName>sharepoint.cn</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>ABCD</CipherValue>
        </CipherData>
      </EncryptedKey>
    </ds:KeyInfo>

Page 5

Encrypted token cont..

    <CipherData>
      <CipherValue>XXX</CipherValue>
    </CipherData>
  </EncryptedData>
</wst:RequestedSecurityToken>
<wst:RequestedAttachedReference>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">uuid-e36c6939-c283-4c68-ad2e-8e5720b9c51a</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">uuid-e36c6939-c283-4c68-ad2e-8e5720b9c51a</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:RequestedProofToken>
  <wst:BinarySecret>8TM1ybkRA1Y4QURgKaIlzu7gywlQscqI</wst:BinarySecret>
</wst:RequestedProofToken>
</wst:RequestSecurityTokenResponse>
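The response above has two nested encryption layers: an RSA-OAEP EncryptedKey that wraps a 3DES key, and the EncryptedData that carries the assertion itself. Before any key material is touched, an app should pull those pieces apart and pin the algorithm URIs to the two it expects, so that a tampered response cannot steer it into a weaker method. The parser below is an added example written for this page, not code from the slides; it assumes the standard WS-Trust 2005/02 namespace for the wst: prefix (the slides do not show the declaration) and uses a constructed sample response whose cipher values are placeholders.

```csharp
// Added example, not from the slides: split the encrypted
// RequestSecurityTokenResponse into the pieces the app needs and refuse
// any algorithm other than the two the token service is expected to emit.
using System;
using System.Linq;
using System.Xml.Linq;

public sealed class EncryptedTokenParts
{
    public string KeyName;            // ds:KeyName (label of the issuing service)
    public byte[] SubjectKeyId;       // decoded ds:X509SKI
    public byte[] EncryptedKey;       // CipherValue inside EncryptedKey
    public byte[] EncryptedAssertion; // CipherValue of EncryptedData itself
    public string BinarySecret;       // wst:BinarySecret, if present
}

public static class EncryptedTokenParser
{
    static readonly XNamespace Xenc = "http://www.w3.org/2001/04/xmlenc#";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";
    // Assumed WS-Trust namespace for the wst: prefix; the slides do not show it.
    static readonly XNamespace Wst = "http://schemas.xmlsoap.org/ws/2005/02/trust";

    const string ExpectedDataAlg = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
    const string ExpectedKeyAlg = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    public static EncryptedTokenParts Parse(string responseXml)
    {
        XElement root = XElement.Parse(responseXml);
        XElement encData = root.Descendants(Xenc + "EncryptedData").FirstOrDefault();
        if (encData == null)
            throw new FormatException("no EncryptedData in token response");

        // Pin both algorithms before reading any key material.
        CheckAlgorithm(Required(encData, Xenc + "EncryptionMethod"), ExpectedDataAlg);
        XElement encKey = Required(Required(encData, Ds + "KeyInfo"), Xenc + "EncryptedKey");
        CheckAlgorithm(Required(encKey, Xenc + "EncryptionMethod"), ExpectedKeyAlg);

        XElement keyInfo = Required(encKey, Ds + "KeyInfo");
        var parts = new EncryptedTokenParts();
        parts.SubjectKeyId = Base64(Required(Required(keyInfo, Ds + "X509Data"), Ds + "X509SKI"));
        XElement keyName = keyInfo.Element(Ds + "KeyName");
        parts.KeyName = keyName == null ? null : keyName.Value.Trim();
        parts.EncryptedKey = Base64(Required(Required(encKey, Xenc + "CipherData"), Xenc + "CipherValue"));
        // Element() (direct child) rather than Descendants(), so the EncryptedKey's
        // own CipherData is not picked up by mistake.
        parts.EncryptedAssertion = Base64(Required(Required(encData, Xenc + "CipherData"), Xenc + "CipherValue"));
        XElement secret = root.Descendants(Wst + "BinarySecret").FirstOrDefault();
        parts.BinarySecret = secret == null ? null : secret.Value.Trim();
        return parts;
    }

    static XElement Required(XElement parent, XName name)
    {
        XElement child = parent.Element(name);
        if (child == null)
            throw new FormatException("missing element " + name.LocalName);
        return child;
    }

    static void CheckAlgorithm(XElement method, string expected)
    {
        string actual = (string)method.Attribute("Algorithm");
        if (actual != expected)
            throw new InvalidOperationException("unexpected algorithm '" + actual + "'");
    }

    static byte[] Base64(XElement e) { return Convert.FromBase64String(e.Value.Trim()); }

    // Constructed sample shaped like the slides' response; the cipher values are
    // placeholders (base64 of "ABCD" and "XXX"), not real ciphertext.
    public static readonly string SampleResponse = @"<wst:RequestSecurityTokenResponse xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust'>
  <wst:RequestedSecurityToken>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Id='Assertion0' Type='http://www.w3.org/2001/04/xmlenc#Element'>
      <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
      <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <EncryptedKey>
          <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'/>
          <ds:KeyInfo>
            <ds:X509Data><ds:X509SKI>ac4GbK23Iw/V29Ef4tJAaZwrR6I=</ds:X509SKI></ds:X509Data>
            <ds:KeyName>sharepoint.cn</ds:KeyName>
          </ds:KeyInfo>
          <CipherData><CipherValue>QUJDRA==</CipherValue></CipherData>
        </EncryptedKey>
      </ds:KeyInfo>
      <CipherData><CipherValue>WFhY</CipherValue></CipherData>
    </EncryptedData>
  </wst:RequestedSecurityToken>
  <wst:RequestedProofToken>
    <wst:BinarySecret>8TM1ybkRA1Y4QURgKaIlzu7gywlQscqI</wst:BinarySecret>
  </wst:RequestedProofToken>
</wst:RequestSecurityTokenResponse>";
}
```

Calling `EncryptedTokenParser.Parse(EncryptedTokenParser.SampleResponse)` returns a 20-byte `SubjectKeyId`, the 4-byte and 3-byte placeholder cipher values, and the BinarySecret; changing either Algorithm attribute in the sample makes `Parse` throw before any decoding happens.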

Page 6

The data encryption process is described at the link below:

• http://msdn.microsoft.com/en-us/library/vstudio/aa967562(v=vs.90).aspx

Page 7

How to get a locally installed certificate in a WinRT app

• In order to access locally installed X509 certificates, the capability below needs to be enabled in the app manifest:

<Capabilities>
  <Capability Name="internetClient" />
  <Capability Name="sharedUserCertificates" />
</Capabilities>

Page 8

Code to access a local certificate

• Use Windows.Security (the System.Security namespace is unavailable in WinRT apps).

• Create a certificate query using the identifier received from the encrypted token XML (ds:X509SKI):

using Windows.Security.Cryptography.Certificates;

CertificateQuery cq = new CertificateQuery();
cq.Thumbprint = data;   // byte[] identifier decoded from the token XML

• Using the certificate query we can access all the matching local certificates:

IEnumerable<Certificate> certificates = await CertificateStores.FindAllAsync(cq);
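A thumbprint match on its own does not make a certificate safe to use for decryption. The lookup below is an added example for this page, not the slides' code: it runs the same CertificateQuery and then keeps only a certificate that has its private key, is inside its validity window, and comes from the expected issuer (an assumed parameter). One caveat on the identifier: CertificateQuery.Thumbprint matches the SHA-1 hash of the whole certificate, while ds:X509SKI carries the Subject Key Identifier, which is a different value, so a deployment should confirm which identifier its token service actually emits before relying on this lookup.

```csharp
// Added example, not from the slides: select the locally installed certificate
// the token response points at and check it is usable before decrypting.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;

public static class ClientCertificateLocator
{
    // identifier: the bytes fed into CertificateQuery.Thumbprint (the slides use the
    // decoded ds:X509SKI value). expectedIssuer: assumed parameter, e.g. the DN of
    // the CA the token service is known to use; pass null to skip that check.
    public static async Task<Certificate> FindUsableAsync(byte[] identifier, string expectedIssuer)
    {
        if (identifier == null || identifier.Length != 20)
            throw new ArgumentException("expected a 20-byte SHA-1 identifier");

        var query = new CertificateQuery();
        query.Thumbprint = identifier;   // needs the sharedUserCertificates capability

        IReadOnlyList<Certificate> matches = await CertificateStores.FindAllAsync(query);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        foreach (Certificate cert in matches)
        {
            // The private key must be present (we decrypt with it), the certificate
            // must be within its validity period, and the issuer must be the one
            // we expect; a matching hash alone satisfies none of that.
            if (!cert.HasPrivateKey) continue;
            if (now < cert.ValidFrom || now > cert.ValidTo) continue;
            if (expectedIssuer != null &&
                !string.Equals(cert.Issuer, expectedIssuer, StringComparison.Ordinal)) continue;
            return cert;
        }
        return null; // nothing usable: the caller falls back to enrollment
    }

    // Convenience entry point taking the base64 text exactly as it appears in the token XML.
    public static Task<Certificate> FindFromTokenIdentifierAsync(string base64Identifier, string expectedIssuer)
    {
        return FindUsableAsync(Convert.FromBase64String(base64Identifier), expectedIssuer);
    }
}
```

A null result is the signal to go to the enrollment flow described on the later slides rather than to retry with a looser query.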

Page 9

How to get the rtFa and FedAuth cookies

• Once we have the desired certificate from the certificate query, we get its private key and use it to decrypt the cipher data of the EncryptedKey:

<CipherData>
  <CipherValue>ABCD</CipherValue>
</CipherData>

• The decrypted key is then used to decrypt the RequestedSecurityToken and get the actual cookies (rtFa and FedAuth).
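The two-step decryption on this slide, written out as an added example (not the slides' code): the certificate's private key unwraps the 3DES key with RSA-OAEP (the rsa-oaep-mgf1p URI means SHA-1 with MGF1), and that key then decrypts the assertion. Two XML Encryption details matter here and are easy to get wrong: for tripledes-cbc the first 8 bytes of the CipherValue are the IV, and the padding scheme only defines the final byte (the pad length), so the other pad bytes must not be checked. The example assumes the Windows 8.1 PersistedKeyProvider API for opening the certificate's key pair and takes the byte arrays produced by a parser of the token XML.

```csharp
// Added example, not from the slides: unwrap the 3DES key with the certificate's
// private key, then decrypt the EncryptedData body that holds the assertion.
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

public static class TokenDecryptor
{
    // encryptedKey: CipherValue inside EncryptedKey; encryptedAssertion: CipherValue
    // of the EncryptedData element (IV followed by ciphertext).
    public static async Task<byte[]> DecryptAssertionAsync(
        Certificate cert, byte[] encryptedKey, byte[] encryptedAssertion)
    {
        // Assumed API (Windows 8.1): open the certificate's key pair for RSA-OAEP
        // decryption; SHA-1 is what the rsa-oaep-mgf1p URI specifies.
        CryptographicKey rsaKey = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(
            cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaOaep);
        IBuffer keyMaterial = CryptographicEngine.Decrypt(
            rsaKey, CryptographicBuffer.CreateFromByteArray(encryptedKey), null);
        if (keyMaterial.Length != 24)
            throw new InvalidOperationException("unwrapped key is not a 3DES key");

        // xmlenc tripledes-cbc: IV is the first 8 bytes, the rest is ciphertext in
        // whole 8-byte blocks.
        if (encryptedAssertion.Length < 16 || encryptedAssertion.Length % 8 != 0)
            throw new FormatException("ciphertext is not IV plus whole blocks");
        byte[] iv = new byte[8];
        byte[] body = new byte[encryptedAssertion.Length - 8];
        Array.Copy(encryptedAssertion, 0, iv, 0, 8);
        Array.Copy(encryptedAssertion, 8, body, 0, body.Length);

        // Plain CBC without PKCS#7 handling, because xmlenc padding is checked below.
        var tdes = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.TripleDesCbc);
        CryptographicKey sessionKey = tdes.CreateSymmetricKey(keyMaterial);
        IBuffer plain = CryptographicEngine.Decrypt(
            sessionKey,
            CryptographicBuffer.CreateFromByteArray(body),
            CryptographicBuffer.CreateFromByteArray(iv));
        byte[] padded;
        CryptographicBuffer.CopyToByteArray(plain, out padded);
        return StripXmlEncPadding(padded);
    }

    // xmlenc padding: the last byte is the pad length (1..block size); the bytes
    // before it are arbitrary and must not be validated.
    static byte[] StripXmlEncPadding(byte[] padded)
    {
        int pad = padded[padded.Length - 1];
        if (pad < 1 || pad > 8 || pad > padded.Length)
            throw new FormatException("invalid xmlenc padding");
        byte[] result = new byte[padded.Length - pad];
        Array.Copy(padded, result, result.Length);
        return result;
    }
}
```

The returned bytes are the UTF-8 XML of the decrypted assertion; the cookie extraction that follows on this slide works on that text.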

Page 10

Certificate enrollment (in case the required certificate is not present locally)

• Secure servers, especially bank servers, provide a certificate enrollment API which provides the certificate to be used for validation.

• http://msdn.microsoft.com/en-US/library/windows/apps/hh464943

Page 11

Create Certificate Request

• Create certificate request properties with the required parameters:

CertificateRequestProperties reqProperties = new CertificateRequestProperties();
reqProperties.KeyUsages = EnrollKeyUsages.Signing;
reqProperties.FriendlyName = "Ashish";

• Make a request using the certificate properties:

// The result is a base64-encoded certificate request (PKCS#10), not yet a certificate
string request = await CertificateEnrollmentManager.CreateRequestAsync(reqProperties);

Page 12

Get certificate from server for decryption

// Credentials belong in user input or a secure store rather than in the app binary
string postJsonData = "{\"Username\":\"[email protected]\",\"Password\":\"password01!\"}";

var clientHandler = new HttpClientHandler();
byte[] responsecert = await SpCommon.SendHttpRequest(
    new Uri("SERVERURL"), HttpMethod.Post,
    new MemoryStream(Encoding.UTF8.GetBytes(postJsonData)),
    "application/json",   // the body is JSON, so the content type must say so
    clientHandler);

if (responsecert != null)
{
    // parse the required x509 certificate response
}
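Slides 11 and 12 together form one enrollment procedure: build the request, send it to the enrollment server, and install what comes back so the next CertificateQuery lookup finds it. The example below is added for this page and is not the slides' code (it does not use their SpCommon helper). It assumes an enrollment endpoint that takes a JSON body with a "csr" field and returns the issued certificate as base64 text, and that the caller already holds a bearer token for that endpoint; both the URL and the JSON shape are placeholders. The private key is generated on the device as non-exportable, so only the request ever leaves it.

```csharp
// Added example, not from the slides: end-to-end enrollment with a device-bound key.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;

public static class ClientCertificateEnrollment
{
    // enrollmentEndpoint and bearerToken are assumed inputs; the slides use a
    // username/password JSON body and their own SpCommon helper instead.
    public static async Task EnrollAsync(Uri enrollmentEndpoint, string bearerToken)
    {
        var props = new CertificateRequestProperties();
        props.Subject = "CN=winrt-client";          // assumed subject
        props.KeyAlgorithmName = KeyAlgorithmNames.Rsa;
        props.KeySize = 2048;
        // Decryption is required for the EncryptedKey unwrap; Signing for client auth.
        props.KeyUsages = EnrollKeyUsages.Decryption | EnrollKeyUsages.Signing;
        props.Exportable = ExportOption.NotExportable;  // key never leaves the device
        props.FriendlyName = "Token decryption certificate";

        // Base64-encoded PKCS#10 request; the private key is already stored locally.
        string csrBase64 = await CertificateEnrollmentManager.CreateRequestAsync(props);

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", bearerToken);
            // Placeholder body shape: {"csr": "<base64 request>"}
            var body = new StringContent(
                "{\"csr\":\"" + csrBase64 + "\"}", Encoding.UTF8, "application/json");
            HttpResponseMessage response = await http.PostAsync(enrollmentEndpoint, body);
            response.EnsureSuccessStatusCode();

            // Placeholder response shape: the issued certificate as base64 text.
            string issuedCertBase64 = (await response.Content.ReadAsStringAsync()).Trim();
            if (issuedCertBase64.Length == 0)
                throw new InvalidOperationException("enrollment server returned no certificate");

            // Pairs the issued certificate with the locally held private key.
            await CertificateEnrollmentManager.InstallCertificateAsync(
                issuedCertBase64, InstallOptions.None);
        }
    }
}
```

After `InstallCertificateAsync` completes, a CertificateQuery on the new certificate's thumbprint finds it with `HasPrivateKey` set, which is what the decryption step needs.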

Page 13

Thanks.

• For any queries, contact me: [email protected]