XMLSign verify from the cert inside the xml file - xml-signature

My code receives the SAML response in XML format. I need to verify the signature to confirm that the response has not been tampered with, and I also need to confirm that it is coming from a trusted source (in a settings file I have the cert thumbprint and issuer name for the trusted certs).
I am using ComponentSpace tools, where I can call GetCertificate() to get the X509Certificate2 from the XML file.
To verify the signed XML, do I need to install this cert in the cert store? Is it possible to verify an XML signed doc with the cert you construct from the XML itself?

I certainly would not trust the veracity of a signed message based solely upon the cert included in the signed message. In theory, someone could intercept the message and create a new message with a new signing cert and your SP would never know. It is considered best practice to have the IDP send you their signing cert out-of-band and you should securely store it locally. That way, when you receive the signed message, you can check that the signing cert included in the message matches the locally stored version your IDP gave you as well as validate that the message signature is valid using the same certificate.
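
The two checks this answer describes, as an added C# example (not code from the original post or from ComponentSpace), using the framework's own SignedXml class. The class and method names are hypothetical, and it assumes the Response root element carries both the Signature and an ID attribute.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class PinnedSamlSignature   // hypothetical helper, not a ComponentSpace API
{
    // doc must have been loaded with PreserveWhitespace = true, or digests will not match.
    // trustedThumbprint is the value from the local settings file, received out-of-band.
    public static bool IsTrustedAndValid(XmlDocument doc, string trustedThumbprint)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        // Assumption: the Response itself is signed (Signature is a child of the root).
        XmlElement root = doc.DocumentElement;
        var sigNode = root?.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sigNode == null) return false;                      // unsigned message

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigNode);

        // The single reference must point at the element we are going to consume.
        string id = root.GetAttribute("ID");
        var refs = signedXml.SignedInfo.References;
        if (id.Length == 0 || refs.Count != 1 || ((Reference)refs[0]).Uri != "#" + id)
            return false;

        // Certificate carried in the message: a candidate only, never the trust decision.
        X509Certificate2 embedded = signedXml.KeyInfo.OfType<KeyInfoX509Data>()
            .Where(d => d.Certificates != null)
            .SelectMany(d => d.Certificates.OfType<X509Certificate2>())
            .FirstOrDefault();
        if (embedded == null) return false;

        // Step 1 (trust): compare with the locally stored thumbprint. Normalizing drops
        // spaces and invisible characters that copy/paste from the certificate dialog adds.
        string Hex(string s) => new string((s ?? "").Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        if (Hex(embedded.Thumbprint) != Hex(trustedThumbprint)) return false;

        // Step 2 (integrity): verify with that same certificate. 'true' skips chain
        // building, so nothing has to be installed in the Windows certificate store.
        return signedXml.CheckSignature(embedded, true);
    }
}
```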

Related

Difference between x509_store_add_cert & ssl_ctx_use_certificate?

I'm trying to load multiple certificates into an SSL_CTX.
Looking at the documentation, I was able to establish SSL connection using these 2 ways:
1. Create an X509_STORE, add certificates to the store, and then load the cert store into the SSL_CTX using SSL_CTX_set_cert_store.
2. Call SSL_CTX_use_certificate(ctx, cert) multiple times.
Is there a difference between these two? I saw on StackOverflow somewhere that SSL_CTX_use_certificate does not work with self-signed certs? (Loading CA certificate from memory) Why? I don't see this in the documentation anywhere. (What does it mean to be self-signed?)
Also, for #2, does calling SSL_CTX_use_certificate multiple times replace the existing certificate? Would I need to call SSL_CTX_add_extra_chain_cert?
The X509_STORE is used for building the certificate trust chain during certificate validation. Thus, any certificates added by X509_STORE_add_cert are used when validating the peer certificate.
SSL_CTX_use_certificate instead is used to set the local certificate used for authentication against the peer, i.e. this is to set the server certificate at the server and the client certificate at the client. It must be accompanied by a function to set the private key, like SSL_CTX_use_PrivateKey. SSL_CTX_use_certificate can be called multiple times and will either replace the existing certificate or add another one: i.e. one might have both an RSA and an ECDSA certificate at the same time with newer versions of OpenSSL.
"SSL_CTX_use_certificate does not work with self signed certs?"
OpenSSL does not care if the certificate is self-signed or not when using SSL_CTX_use_certificate. The communication peer which receives the certificate as authentication will hopefully care though and might complain since no local trust anchor is found to validate the certificate.

Where to get a x.509 Certificate to Encrypt a SOAP message

I'm calling a web service hosted by a 3rd party and they require that I encrypt the actual SOAP message with an X.509 certificate (they are using asymmetric encryption).
The certificate I use needs to be signed by a root Certificate Authority. In searching online, I am finding mostly references to SSL certificates, but from what I've read, this is different from what I need. If that is correct, can someone provide a link to a page on a Certificate Authority's website where I would be able to purchase the certificate I need? I haven't had any luck and it's driving me crazy.
Thanks in advance for any help you can provide. Let me know if you need further details.
-Chris

How to establish a bi directional connection with ssl certificate?

I'm trying to connect with one of my clients to call API methods from their server. The client wants to have bi-directional communication; they shared their security certificate, which contains CACert.crt and another file with .crt, .key, .p7b, .pfx files. Now they want us to share our certificate. I have the following questions:
How do I install their certificate?
How can I generate my certificate? Do I need to purchase a certificate for this or do I need to generate something based on their certificate?
They mentioned a DataPower public certificate. After Googling, I found DataPower is from IBM; can I create a free certificate from it?
I'm absolutely new to this, tried to google a lot, but couldn't make much sense.
It sounds like your client wants you to use a client certificate. They've provided you with a CA for you to use; just use that to fulfill the signing request for the certificate you generate.

How message digest is considered digital signature

In the HTTPS protocol a per-secret key is generated by the client and is sent to the server, and from there on symmetric encryption takes place. My question is: if this is the case, how is a message digest considered as signed by the server?
Or does the digital signature come into play only in establishing the HTTPS connection?
Does it apply only to public keys?
You skipped the most important part (in terms of trust) of the protocol. The client (browser) needs to confirm that the server is who it claims to be. The server provides to the client its certificate for this proof. The client then does a number of checks on the certificate such as:
Does it have a valid chain of trust?
Is the root signature authority a trusted authority by the client?
Is the certificate within its period of validity?
Has the certificate been revoked? (this check is not always possible)
And a few other checks. Once the client trusts the certificate, it can then use it to establish a session with the server using its public key. The creation of the session involves sharing symmetric keys (note the plural) for the remaining communications.
During the session, two types of security are enforced: privacy via encryption and message integrity via MAC (typically HMAC). The MAC is a symmetric method for computing signatures on every message using a shared secret key (one of the keys that was shared during the creation of the session). This prevents a 3rd party from altering the messages in transit.
You ask how "message digest is considered digital signature?" I think you are referring to the MAC part of the protocol in your question. For more information, see Wikipedia.

THTTPRIO SSL using Client Certificate doesn't work as it should

I have a SOAP webserver developed in Delphi XE2 that exposes some methods and it uses SSL. I built my client also in Delphi XE2, and I use THTTPRIO to connect to the webserver. My question is related to the use of SSL certificates with THTTPRIO. If I call my webservice it works without having a certificate installed, but I think that it shouldn't.
Second scenario: I have a self-signed certificate which I installed, and after that, when I made a call to my webservice, it also works.
When I inspected my events, HTTPRIOAfterExecute and HTTPRIOBeforeExecute, I converted SoapRequest and SOAPResponse to string from TStream and it seems that it isn't encrypted in both cases. I also found the same question on another forum but with no response.
I searched for info about SOAP SSL clients with Delphi but couldn't find any new info. Could any of you guys give me some advice regarding this issue?
"If I call my webservice it works without having a certificate installed, but I think that it shouldn't."
Not many web services require client certificates (with exceptions like banking and other high risk environments). It is more common that clients want to verify the server identity, and this is done with server certificates.
So I would say this web service does work in a normal, expected way.
"HTTPRIOAfterExecute and HTTPRIOBeforeExecute, I converted SoapRequest and SOAPResponse to string from TStream and seems that it isn't encrypted in both cases"
This is correct, the message payload will appear unencrypted because SSL / TLS does encryption on the transport layer. Your application will not see the encrypted data, which actually makes things easier.
You can add encryption for the message payload; there are generic libraries for this (however, I have no experience with using encryption with HTTPRio).