
I have been researching this topic for the last 2 weeks and I have found so much information that I am overwhelmed. I am going to start from scratch. I am a newbie at this, like never done anything with certificates before. I have created a RESTful web API that catches requests from Postman. In the request, I am sending a CERT (my-cert.cer). I would like to use the API controller to capture the CERT from the request and validate it against what is on the server. Is it even possible to capture CERTs the way I am doing it? I have not found a good working example anywhere. Please help!

Here is my GET method

using System.Net.Http;                                  // Request.GetClientCertificate() extension method
using System.Security.Cryptography.X509Certificates;    // X509Certificate2
using System.Web.Http;                                  // ApiController, RequestContext

public class clientController : ApiController
{
    // logger, LogLineType and GetClient are the poster's own helper types (not shown in the question)
    public string Get(int id)
    {
        // Both accessors return the certificate negotiated during the TLS handshake,
        // or null when the client did not send one
        X509Certificate2 cert = Request.GetClientCertificate();
        X509Certificate2 cert2 = RequestContext.ClientCertificate;

        logger.addLine(LogLineType.Message, "CERT " + cert + "\n", "page", null);
        logger.addLine(LogLineType.Message, "CERT 2 " + cert2 + "\n", "page", null);
        System.Console.WriteLine("cert : " + cert);
        System.Console.WriteLine("cert2 : " + cert2);

        GetClient getClient = new GetClient();
        string response = getClient.RetrieveClientRequest(id).ToString();
        return response;
    }
}
Dheeraj Dixit
  • This question should be more specific to be answerable. What did you expect to happen, and what happened instead? – Tom W Feb 19 '19 at 16:26
  • Furthermore, what does "validate against certificate on the server" mean? Do you mean checking that for example the client certificate thumbprint matches a certificate in the server's own certificate store? – Tom W Feb 19 '19 at 16:28
  • Once again, I am a newbie. I am passing in the cert from Postman as part of the HTTPS request. I was expecting to see the cert getting initialized into the cert or cert2 variables that I have declared above. I will say yes to matching the thumbprint, if that is how you match a cert from the server's own certificate store. – Dheeraj Dixit Feb 19 '19 at 16:34
  • It’s very likely there’s absolutely nothing wrong with your code, and it’s some configuration that is incorrect. – Dave M Feb 19 '19 at 23:37
  • I have tried this and surprisingly, I can't get it to work either. [This issue](https://github.com/postmanlabs/postman-app-support/issues/3434) suggests that PostMan is actually quite strict about pattern-matching the client certificate to the requested URL, so the issue might be that PostMan is ignoring your client certificate. Are you certain it's being used? – Tom W Feb 20 '19 at 09:04

1 Answer

According to MSDN

var cert = Request.GetClientCertificate();

will get you the certificate sent with the request.
In order to validate it, you now have two options.

1) validate using OCSP
2) call

cert.Verify(); 

to validate its chain locally, using the certificates in the certificate store. This means it looks for the certificate in the local certificate store, or for other certificates that were used to build the chain of trust for the certificate.

The whole topic is very broad. If your certificate was signed by some authority, then there is a chain: a signs b, b signs c and c signs your certificate (d). Usually you have a certificate authority (CA) that signs the certificate requests for users/machines. This CA's certificate (in the example above this will usually be a or b) is deployed to all machines that are in the same company.

With Verify() you look for the certificate itself, whether the machine knows it. If not, you go up the chain and, as soon as you have one that was used for signing, you trust the whole tree.

d was signed by c => d is not known, but there is the signature of c. c is not known either, but the signature tells us that it was signed by b. b then is installed in the Trusted Certificates of your machine, and therefore known. So you trust b, which lets you trust c and therefore trust d.

Of course, this tells you nothing about revocation. I am not sure if .Verify() will check the revocation list. Better to use OCSP, if you have it available.

Andreas
  • Thanks Andreas. Do you know of any examples that I could use to understand this better? MSDN explanation is very vague – Dheeraj Dixit Feb 19 '19 at 16:45
  • I edited my answer. It is a bit boiled down, but should help you a bit in understanding. If you understand German, there is a formidable podcast about it called "Request for comments" where a guy called Clemens Schrimpe explains this in a bit more detail over hours. – Andreas Feb 19 '19 at 16:57
  • Thanks for your response. I don't speak German and your response just went over my head. Just to reiterate, I am a beginner at certs. CERTs are pretty complex. – Dheeraj Dixit Feb 20 '19 at 17:11
  • Yes, they are! And if you just start getting into the topic, it will really be a lot to consume. But once you understand the basics, it starts to click. Which doesn't mean it gets easier, but you start to understand what is happening and why something happens the way it happens. – Andreas Feb 21 '19 at 19:45
  • I figured it out and answer it here --> https://stackoverflow.com/questions/54948695/no-certificate-in-onauthorizationhttpactioncontext-actioncontext – Dheeraj Dixit Jun 04 '19 at 16:23
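The answer above describes two checks: building the chain of trust (what cert.Verify() does) and checking revocation (CRL/OCSP), while the comments mention matching the client thumbprint against certificates the server already knows. The following is an added example, not code from the asker or the answerer, that puts both together in an ASP.NET Web API 2 controller: it reads the certificate with Request.GetClientCertificate(), builds the chain with an explicit X509Chain so the revocation mode is visible in code (on .NET Framework the policy default is already Online, which is what Verify() uses), requires the Client Authentication extended key usage, and then pins the result to an allow-list of thumbprints so that any otherwise-valid certificate from some other CA in the machine store is not accepted by accident. The ClientCertificateValidator class, the TrustedThumbprints array and its placeholder value are assumptions for the example; IIS must have client certificates enabled (SSL Settings: Accept or Require) or both accessors return null.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http;

// Hypothetical helper class (not part of the original question or answer).
public static class ClientCertificateValidator
{
    // Constructed placeholder: replace with the SHA-1 thumbprints of the
    // client certificates you actually issued (hex, no separators).
    private static readonly string[] TrustedThumbprints =
    {
        "0000000000000000000000000000000000000000"
    };

    // Returns true when the certificate chains to a trusted root, is not revoked,
    // is allowed for client authentication and is on the thumbprint allow-list.
    public static bool IsTrusted(X509Certificate2 cert, out string reason)
    {
        if (cert == null)
        {
            reason = "no client certificate presented";
            return false;
        }

        // 1) Chain validation, the same thing cert.Verify() does, but with the
        //    revocation settings spelled out: query CRL/OCSP online for every
        //    certificate in the chain except the self-signed root.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Client Authentication EKU (id-kp-clientAuth); a server or code-signing
            // certificate must not be accepted as a client identity.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

            if (!chain.Build(cert))
            {
                // ChainStatus lists every problem found (untrusted root, expired,
                // revoked, revocation status unknown, wrong EKU, ...).
                reason = string.Join("; ",
                    chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation.Trim()));
                return false;
            }
        }

        // 2) Pin to the certificates this server actually expects. Thumbprint is
        //    the SHA-1 hash of the DER encoding, so this identifies one exact certificate.
        string thumbprint = cert.Thumbprint;
        if (!TrustedThumbprints.Any(t => string.Equals(t, thumbprint, StringComparison.OrdinalIgnoreCase)))
        {
            reason = "thumbprint not in allow-list: " + thumbprint;
            return false;
        }

        reason = "ok";
        return true;
    }
}

public class ClientController : ApiController
{
    public IHttpActionResult Get(int id)
    {
        // Certificate negotiated by IIS during the TLS handshake; null when none was sent.
        X509Certificate2 cert = Request.GetClientCertificate();

        string reason;
        if (!ClientCertificateValidator.IsTrusted(cert, out reason))
        {
            // Log 'reason' server-side; do not echo chain details to the caller.
            return StatusCode(HttpStatusCode.Forbidden);
        }

        return Ok(new { id = id, subject = cert.Subject, thumbprint = cert.Thumbprint });
    }
}
```

A 403 with the reason logged, rather than returned, keeps chain-building details (which CA is trusted, why a certificate was rejected) out of the response. If the client certificates are issued by a private CA, that CA's certificate must be in the machine's Trusted Root or Intermediate store on the server, exactly as the answer describes, or chain.Build() fails with UntrustedRoot.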