
microsoft.public.dotnet.framework.sdk

HTTPWebRequest - security

Jan Nitecki

12/8/2002 8:44:00 AM

Hello,
I am just trying to port one of my old client components
from Win32 to .NET. In my scenario the client component is
connecting to an HTTP server with client authentication and
also validating whether the server certificate is issued by
a specific Certification Authority.

For client authentication I found that I can use the
ClientCertificates property, but it doesn't allow me to
specify a certificate which is already in the trusted store.
X509Certificate has no such constructor - the only solution I
found is to use unmanaged code to get a handle to the certificate
from the store and pass it to the constructor of X509Certificate.
Is there any smarter way which doesn't require the use of
unmanaged code, but allows keeping the certificate in the Windows
Certificate Store?

The problem of validating the server certificate is even worse - I
cannot set the list of trusted CAs (probably they are taken
from the Trusted CA store) or even get information about the
server certificate after the connection is established. How
can I do that?

It is very important for me to have a fully managed
solution - otherwise I can simply use the old ActiveX component.

Best regards,
Janek
1 Answer

Jan Nitecki

12/9/2002 8:44:00 PM

0

Hi,

After some time spent on experiments I have even realised
that using the ClientCertificates property of HttpWebRequest
is not obvious, since I can add there only X509Certificate
objects, which I think can be loaded from a file
(CreateFromFile) from DER certificate files. But DER doesn't
contain the private key, it's a pure certificate, and for client
authentication access is required to both the public and
private keys - so how does it work? Maybe I can give the
certificate in some other format? Pfx doesn't seem to work.

So I have a few questions:
1) How to do client authentication using HttpWebRequest?
(Which file formats should I use? How should I give the
private key? Should I give the full chain of the user certificate?)
2) How to obtain the server certificate in this case (actually
I mean the whole server certificate chain, not only the actual
server certificate)?
3) Is there any way to replace ServicePoint with my own - so
I can use the HTTP parser/builder functionality built
into the .NET Framework, but do the connectivity part myself
(this is important only in case there is no solution
for point 1 or 2)?

Best regards,
Janek
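
Added example, not part of the thread or written by its author: with APIs that arrived in later .NET Framework releases (X509Store and X509Certificate2 in 2.0, HttpWebRequest.ServerCertificateValidationCallback in 4.5), the client certificate can stay in the Windows Certificate Store and the server chain can be checked against one specific CA, all in managed code. The thumbprints and the URL are placeholders, and the class and method names are chosen for this illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedCaClient
{
    // Placeholders (assumptions): substitute your own certificate thumbprints.
    const string ClientCertThumbprint = "<CLIENT-CERT-THUMBPRINT>";
    const string TrustedCaThumbprint  = "<TRUSTED-CA-ROOT-THUMBPRINT>";

    // Load the client certificate from CurrentUser\My. The private key stays
    // in the store; nothing is exported to a DER or PFX file.
    static X509Certificate2 LoadClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientCertThumbprint, false);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new InvalidOperationException("No client certificate with a private key.");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Accept the server only if the platform built a valid chain AND the chain
    // ends in the expected CA. chain.ChainElements holds the whole server chain.
    static bool ValidateServer(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || chain == null || chain.ChainElements.Count == 0)
            return false;
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, TrustedCaThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        var request = (HttpWebRequest)WebRequest.Create("https://server.example/"); // hypothetical URL
        request.ClientCertificates.Add(LoadClientCertificate());
        request.ServerCertificateValidationCallback = ValidateServer;
        using (var response = (HttpWebResponse)request.GetResponse())
            Console.WriteLine(response.StatusCode);
    }
}
```

The callback rejects any chain the platform did not validate before it compares the root, so the CA check narrows the default trust decision rather than replacing it.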