#1
Very active poster
I have gotten as far as it seeming to find the certificate and the private key, but then the server objects for some reason.
I found something that enables the .NET trace log, and this is what it says:
System.Net Information: 0 : [11852] SecureChannel#14193427 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [11852] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [11852] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = ae84607320:579f591360, targetName = mss.swicpc.bankgirot.se, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [11852] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=1788, returned code=ContinueNeeded).
System.Net Information: 0 : [11852] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = ae84607320:579f591360, targetName = mss.swicpc.bankgirot.se, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [11852] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=IllegalMessage).
System.Net Error: 0 : [11852] Exception in HttpWebRequest#4095822:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Error: 0 : [11852] Exception in HttpWebRequest#4095822::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

#2
Has WN as a pastime
Add this before the call:
Code:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

#3
Very active poster

#4
Newcomer
Digrad affärssystem offers a solution
Code:
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

private HttpWebRequest CreateSwishRequest(String url, String clientCertPath, String clientCertPass)
{
    //Basic set up
    //ServicePointManager is static, so these two settings affect every request in the application
    ServicePointManager.CheckCertificateRevocationList = false; //Revocation checking is turned off
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11; //Tls12 does not work

    //Load client certificates
    var clientCerts = new X509Certificate2Collection();
    clientCerts.Import(clientCertPath, clientCertPass ?? "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

    //Assert CA certs in cert store, and get root CA
    var rootCertificate = AssertCertsInStore(clientCerts);

    var req = HttpWebRequest.Create(url) as HttpWebRequest;
    req.ClientCertificates = clientCerts;
    req.Method = "POST";
    req.ContentType = "application/json; charset=UTF-8";
    req.AllowAutoRedirect = false;

    //Verify server root CA by comparing to client cert root CA
    //sslPolicyErrors is not consulted here: only the root of the chain is compared
    req.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => {
        var chainRootCa = chain?.ChainElements?.OfType<X509ChainElement>().LastOrDefault()?.Certificate;
        if (rootCertificate == null || chainRootCa == null)
            return false;
        return rootCertificate.Equals(chainRootCa); //Same root CA as client cert
    };
    return req;
}

private X509Certificate2 AssertCertsInStore(X509Certificate2Collection certs)
{
    //Create typed array
    var certArr = certs.OfType<X509Certificate2>().ToArray();

    //Build certificate chain
    var chain = new X509Chain();
    chain.ChainPolicy.ExtraStore.AddRange(certArr.Where(o => !o.HasPrivateKey).ToArray());
    var privateCert = certArr.FirstOrDefault(o => o.HasPrivateKey);
    if (privateCert == null)
        return null;
    var result = chain.Build(privateCert); //The result is not checked; the chain elements are used either way

    //Get CA certs
    var caCerts = chain.ChainElements.OfType<X509ChainElement>().Where(o => !o.Certificate.HasPrivateKey).Select(o => o.Certificate).ToArray();
    if (caCerts == null || caCerts.Length == 0)
        return null;

    //Assert CA certs in intermediate CA store
    var intermediateStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser);
    intermediateStore.Open(OpenFlags.ReadWrite);
    foreach (var ca in caCerts)
    {
        if (!intermediateStore.Certificates.Contains(ca))
            intermediateStore.Add(ca);
    }
    intermediateStore.Close();

    //Return last CA in chain (root CA)
    return caCerts.LastOrDefault();
}
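
A stricter variant of the server validation callback in post #4, as an added example that is not part of the original thread or of the poster's code: it keeps the same-root comparison but also rejects a host name mismatch and any chain error other than an untrusted root. The class name `PinnedRootValidation` and its methods are hypothetical.

```csharp
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedRootValidation
{
    // Hypothetical helper: builds a callback that accepts the server only if
    // the host name matched, the chain ends in the pinned root, and the only
    // chain problem (if any) is that this private root is not machine-trusted.
    public static RemoteCertificateValidationCallback For(X509Certificate2 pinnedRoot)
    {
        return (sender, certificate, chain, errors) =>
        {
            if (pinnedRoot == null || certificate == null || chain == null)
                return false;
            // A wrong host name or a missing server certificate is always fatal.
            if ((errors & (SslPolicyErrors.RemoteCertificateNameMismatch |
                           SslPolicyErrors.RemoteCertificateNotAvailable)) != 0)
                return false;
            return IsAcceptable(chain, pinnedRoot);
        };
    }

    public static bool IsAcceptable(X509Chain chain, X509Certificate2 pinnedRoot)
    {
        var elements = chain.ChainElements.OfType<X509ChainElement>().ToArray();
        if (elements.Length == 0)
            return false;
        // Tolerate only UntrustedRoot; expired, partial-chain, revoked or
        // bad-signature statuses stay fatal.
        var fatal = chain.ChainStatus.Any(s =>
            s.Status != X509ChainStatusFlags.NoError &&
            s.Status != X509ChainStatusFlags.UntrustedRoot);
        if (fatal)
            return false;
        // Compare the raw DER bytes of the last chain element with the pinned root.
        var last = elements[elements.Length - 1].Certificate;
        return last.RawData.SequenceEqual(pinnedRoot.RawData);
    }
}
```

It would be assigned as `req.ServerCertificateValidationCallback = PinnedRootValidation.For(rootCertificate);` in place of the lambda in `CreateSwishRequest`.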

#5
Very active poster
Quote:

#6
Newcomer
Yes, the nice thing about this solution is that all CA certs are placed in the store for "intermediate certificates" for the current user, so no special permissions are required, and no warning dialogs are shown.

#7
Newcomer
Beautiful, thanks for that!