Microsoft JScript bypassing certificate error - jscript

I am trying to bypass the message "The certificate authority is invalid or incorrect" for a WinHTTP request. I read that this can be achieved by WINHTTP_OPTION_SECURITY_FLAGS function.
How do I set this?
More importantly, is this valid for Microsoft JScript?
I have an object handler that catches the certificate message but I want to bypass the certificate message and reprocess the request.

This helped resolve it:
// Assumed for completeness: the WinHttpRequest COM object the snippet configures
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// WinHttpRequestOption_* values are indexes into the Option property
WinHttpRequestOption_UserAgentString = 0;
WinHttpRequestOption_SslErrorIgnoreFlags = 4;
WinHttpRequestOption_EnableRedirects = 6;
WinHttpRequestOption_EnableHttpsToHttpRedirects = 12;
// 0x3300 combines the four SslErrorFlag_Ignore_* bits: unknown CA, wrong usage,
// certificate name mismatch and certificate date errors
SslErrorFlag_Ignore_All = 0x00003300;
WinHttpReq.Option(WinHttpRequestOption_UserAgentString) = "http_requester/0.1";
// With all four bits set the request succeeds against any certificate, so the
// TLS connection no longer authenticates the server
WinHttpReq.Option(WinHttpRequestOption_SslErrorIgnoreFlags) = SslErrorFlag_Ignore_All;
WinHttpReq.Option(WinHttpRequestOption_EnableRedirects) = "True";
WinHttpReq.Option(WinHttpRequestOption_EnableHttpsToHttpRedirects) = "True";

Related

(Node.js) Create Egypt ITIDA CAdES-BES Signature with Automatic JSON Canonicalization

I am using an example (Node.js Create Egypt ITIDA CAdES-BES Signature with Automatic JSON Canonicalization) but I always get this error ( 4043 4043:message-digest attribute value does not match calculated value[message-digest attribute value does not match calculated value] ).
Can you help me with the solution?
Code Used:
// This example assumes the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
var crypt = new chilkat.Crypt2();
crypt.VerboseLogging = true;
var cert = new chilkat.Cert();
cert.VerboseLogging = true;
// Set the smart card PIN, which will be needed for signing.
cert.SmartCardPin = "12345678";
// There are many ways to load the certificate.
// This example was created for a customer using an ePass2003 USB token.
// Assuming the USB token is the only source of a hardware-based private key..
var success = cert.LoadFromSmartcard("");
if (success !== true) {
console.log(cert.LastErrorText);
return;
}
// Tell the crypt class to use this cert.
success = crypt.SetSigningCert(cert);
if (success !== true) {
console.log(crypt.LastErrorText);
return;
}
var cmsOptions = new chilkat.JsonObject();
// Setting "DigestData" causes OID 1.2.840.113549.1.7.5 (digestData) to be used.
cmsOptions.UpdateBool("DigestData",true);
cmsOptions.UpdateBool("OmitAlgorithmIdNull",true);
// Indicate that we are passing normal JSON and we want Chilkat do automatically
// do the ITIDA JSON canonicalization:
cmsOptions.UpdateBool("CanonicalizeITIDA",true);
crypt.CmsOptions = cmsOptions.Emit();
// The CadesEnabled property applies to all methods that create CMS/PKCS7 signatures.
// To create a CAdES-BES signature, set this property equal to true.
crypt.CadesEnabled = true;
crypt.HashAlgorithm = "sha256";
var jsonSigningAttrs = new chilkat.JsonObject();
jsonSigningAttrs.UpdateInt("contentType",1);
jsonSigningAttrs.UpdateInt("signingTime",1);
jsonSigningAttrs.UpdateInt("messageDigest",1);
jsonSigningAttrs.UpdateInt("signingCertificateV2",1);
crypt.SigningAttributes = jsonSigningAttrs.Emit();
// By default, all the certs in the chain of authentication are included in the signature.
// If desired, we can choose to only include the signing certificate:
crypt.IncludeCertChain = false;
var jsonToSign = "{ ... }";
// Create the CAdES-BES signature.
crypt.EncodingMode = "base64";
// Make sure we sign the utf-8 byte representation of the JSON string
crypt.Charset = "utf-8";
var sigBase64 = crypt.SignStringENC(jsonToSign);
if (crypt.LastMethodSuccess == false) {
console.log(crypt.LastErrorText);
return;
}
console.log("Base64 signature:");
console.log(sigBase64);
Check to see if the information at this Chilkat blog post helps: https://cknotes.com/itida-4043message-digest-attribute-value-does-not-match-calculated-value/
See this example for details about debugging and what you can send to Chilkat: https://www.example-code.com/nodejs/itida_egypt_debug.asp
We were having this error, until we were advised of not using any null values in the json file. So, pls try to replace any null values in json file with "".

HttpWebRequest with client certificate fails

I am using Visual Studio Mac (latest version) and need to fetch data from an IIS server (version 10) with a GET request while passing a client certificate.
Unfortunately the IIS answers with an RST packet and shows the error:
The I/O operation has been aborted because of either a thread exit or an application request.
I know Apple uses ATS (I am using iOS 10.3.3).
I guess this has something to do with the client certificate and IIS not accepting it.
Can someone point me to a different Mono API where I can append the client cert to a GET request?
My code so far is as follows (with request.GetResponse() waiting until timeout...):
using System.Net;
using System.Security.Cryptography.X509Certificates;
// `certificate` is the X509Certificate2 loaded earlier (not shown in the post)
X509Certificate2Collection certificates = new X509Certificate2Collection (certificate);
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(this.uriString);
request.ClientCertificates = certificates;
request.Method = "GET";
request.ContentType = "application/json";
request.Accept = "application/json";
request.UserAgent = UserAgentString;
request.KeepAlive = false;
request.ProtocolVersion = HttpVersion.Version11;
// Blocks until the server responds or the request times out
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse ())
{
this.webResponse = response;
stream = response.GetResponseStream ();
}

WIF SAML RequestSecurityToken STS Internal server error

I try to reach my STS to request a token. The code is based on a blog post by #leastprivilege : WCF and Identity in .NET 4.5: External Authentication with WS-Trust. I use the explicit approach (by code).
private static SecurityToken RequestSecurityToken()
{
// set up the ws-trust channel factory
var factory = new WSTrustChannelFactory(
new UserNameWSTrustBinding(
SecurityMode.TransportWithMessageCredential),
"https://federation.mydomain/adfs/services/trust/mex") { TrustVersion = TrustVersion.WSTrust13 };
//factory.Credentials.SupportInteractive = false;
factory.Credentials.UserName.UserName = "user-pcote";
factory.Credentials.UserName.Password = "123456";
// create token request
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Symmetric,
AppliesTo = new EndpointReference("https://myRP/")
};
var channel = factory.CreateChannel();
return channel.Issue(rst);
}
I can see the XML when copying the STS endpoint address into my browser, therefore the federation server is reachable. But I always get an internal server error (500) as soon as I issue the token request. Does anybody have an idea what could be my problem here?
Finally managed to get it working by changing the KeyType to KeyTypes.Bearer (since there's no certificate applied to the RP in AD FS). I based myself on this website, which gives a good explanation of how it all relates:
http://blog.skadefro.dk/2011/09/claimsbased-authentication-and-wcf.html

If we look in Microsoft.IdentityModel.SecurityTokenService.KeyTypes we see we can use Asymmetric, Symmetric or Bearer. Tons of posts out there about this.

If you use Asymmetric you as requestor need to supply a key to encrypt the claims with (set "UseKey").

If you use Symmetric the identity provider has already been told what certificate to use to encrypt the claims with.

If you choose Bearer, the token gets signed, but claims will not be encrypted. If a token signing certificate has been assigned on the Relying Party, claims will simply not be included at all.

When you request a token, the token gets signed (not encrypted) with a certificate installed on the Identity Provider (ADFS). If you add a certificate on a Relying Party Trust (RP) on the ADFS server, the claims inside the token get encrypted with that certificate. Only hosts/applications that have access to the private key of that certificate can now decrypt the token and read the claims. You don't need to read the claims in order to authenticate yourself. For instance, if you have a WCF Service you want to call from within an application, you can from within that application still request a token from the ADFS server and then access the WCF service with that token. As long as the WCF service has access to the private key and can read the claims, your application doesn't need it.
private static SecurityToken RequestSecurityToken()
{
var binding = new UserNameWSTrustBinding(
SecurityMode.TransportWithMessageCredential);
var factory = new WSTrustChannelFactory(
binding,
new EndpointAddress(new Uri("<your_adfs_uri>/adfs/services/trust/13/usernamemixed"), EndpointIdentity.CreateSpnIdentity("host/your.spn.com"))) { TrustVersion = TrustVersion.WSTrust13 };
factory.Credentials.UserName.UserName = "username";
factory.Credentials.UserName.Password = "password";
// create token request
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
AppliesTo = new EndpointReference(<uri_of_your_relying_party>)
};
var channel = factory.CreateChannel();
try
{
var response = channel.Issue(rst);
return response;
}
catch (Exception e)
{
var message = e.Message;
return null;
}
}
I managed to find the right endpoint (which was /adfs/services/trust/13/usernamemixed) but now I get the following error :
ID4007: The symmetric key inside the requested security token must be encrypted

Sharepoint 2010 ClientContext with kerberos & a 401 unauthorised

I can get a remote console app talking to an NTLM SharePoint site with ClientContext, and I can get it talking to a remote Kerberos SharePoint box with HttpWebRequest.GetResponse();
But I cannot get it talking to the Kerberos SharePoint box with ClientContext. Any additional pointers would be gratefully received.
string siteURL = "http://my.remote.sharepoint";
ClientContext ctx = new ClientContext(siteURL);
CredentialCache cc = new CredentialCache();
cc.Add(new Uri(siteURL), "Kerberos", CredentialCache.DefaultNetworkCredentials);
ctx.AuthenticationMode = ClientAuthenticationMode.Default;
ctx.Credentials =cc;
/////////////////////////////////////////////////////////////////////////////////
// This code confirms that I can access "my.remote.sharepoint" with KRB
// HttpWebRequest myRequest = (HttpWebRequest)WebRequest.Create(siteURL);
// myRequest.Credentials = cc;
// myRequest.UseDefaultCredentials = true;
// HttpWebResponse myResponse = (HttpWebResponse)myRequest.GetResponse();
/////////////////////////////////////////////////////////////////////////////////
Web remoteWeb = ctx.Web;
ctx.Load(remoteWeb);
ctx.ExecuteQuery();
//401 unauthorised returned from here
Wireshark suggests that it returns the initial 401 and then gives up! Any ideas?
Please check if a SPN is registered for that host and a reverse DNS entry exists.

Continuously getting kSecTrustResultRecoverableTrustFailure while trust evaluation - iphone

I want to securely communicate with my server and here is what I am doing...
NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];
SecPolicyRef myPolicy = SecPolicyCreateBasicX509();
NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];
SecTrustSetAnchorCertificates(trust,
(CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);
// Note: this replaces the server trust taken from the challenge with a new trust
// object built only from `certs`
OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);
SecTrustResultType trustResult = 0;
if (status == noErr) {
status = SecTrustEvaluate(trust, &trustResult);
}
NSLog(@"Trust I get: %d", trustResult);
[certs release];
if (trustResult == kSecTrustResultRecoverableTrustFailure) {
NSLog(@"Recoverable Failure");
CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
CFDateRef newDate;
trustTime = SecTrustGetVerifyTime(trust);
timeIncrement = 31536000; // one year in seconds
currentTime = CFAbsoluteTimeGetCurrent();
newTime = currentTime - timeIncrement;
if (trustTime - newTime){
newDate = CFDateCreate(NULL, newTime);
SecTrustSetVerifyDate(trust, newDate);
status = SecTrustEvaluate(trust, &trustResult);
}
NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here
}
Does anybody have an idea why this is happening?
It seems it is not about the expiration of the certificate (which is not expired in reality either), though that could be the reason.
thank you
al
kSecTrustResultRecoverableTrustFailure happens if:
the certificate is MD5 hashed (iOS 5)
the server does not present the root and intermediate certificates
SecTrustSetAnchorCertificatesOnly(trust, YES) is set and the anchor certificate is only in the built-in anchor certificates
the certificate is expired
?
I solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate.
By configuring my apache mod_ssl:
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
