Validation of server-side certificates on secure StreamSocket

  • Question

  • I'm having trouble with my Metro app connecting to a remote server using a secure StreamSocket.  The code I have is pretty straightforward:

            public async Task ConnectAsync(String serverName)
            {
                var client = new StreamSocket();
                await client.ConnectAsync(new HostName(serverName), "443", SocketProtectionLevel.Ssl);
            }
    

    Unfortunately, this is a private server not a regular web server, and the server certificate is not rooted at a well-known CA - so when I connect I get an exception:

       A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

    That's true, of course, but in my .NET 4.0 app on the desktop side (using SslStream) I can handle the RemoteCertificateValidationCallback to do my own server certificate checks.  I don't see that sort of functionality anywhere in StreamSocket.

    In this question, the answer is that client certificate handling is not supported in StreamSocket at this time.  So … is it the case that server certificate validation isn't included either (seems to be the case) and, if so, is that likely to be an RTM restriction or might we expect that in the final release bits?

    Presumably, if this is missing functionality, the only workaround (such as it is) would be to either switch to a public server certificate or somehow get users to install our root certificate in their trusted certificates store … if that's even possible on the Metro side of Windows 8.

    Adrian

    Friday, April 6, 2012 4:38 PM

Answers

  • I am confident that removal of the ability to side-step the invalidation of the trust chain is a feature of Metro-style applications.  Looking at the PKI information, however, shows these abilities:
    http://msdn.microsoft.com/en-us/library/windows/apps/hh464922.aspx


    PKI support

    A Metro style app can perform the following PKI tasks. For more information, see the Windows.Security.Cryptography.Certificates namespace.

    • Create a certificate
    • Create a self-signed certificate
    • Install a certificate response
    • Import a certificate in PFX format
    • Use smart card certificates and keys (sharedUserCertificates capabilities set)
    • Use certificates from the user MY store (sharedUserCertificates capabilities set)

    Additionally, you can use the manifest to perform the following actions:

    • Specify per application trusted root certificates
    • Specify per application peer trusted certificates
    • Explicitly disable inheritance from system trust
    • Specify the certificate selection criteria
      • Hardware certificates only
      • Certificates that chain through a specified set of issuers
      • Automatically select a certificate from the application store

    It seems like you might want to figure out how to import the root certificate as a prerequisite to using your application *or* force the cert chain through the specific set of issuers like it says above.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    • Marked as answer by Min Zhu (Member), Wednesday, April 18, 2012 7:21 AM
    Friday, April 6, 2012 8:59 PM
    Moderator

All replies

  • Thanks Matt

    Yes, as you mention, there is no way to intercept the certificate validation process in a Metro app.  That might come, I guess, but I can understand why that might not be supported.  I did get round this, however, by including the private root and CA certificates in the application.  Works as advertised!

    Adrian

    Wednesday, April 18, 2012 3:16 PM
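
The workaround described above (shipping the private root and CA certificates with the app) maps to the `windows.certificates` extension in Package.appxmanifest, which covers the "per application trusted root certificates" and "disable inheritance from system trust" items in the answer. The fragment below is an added example, not code posted in this thread; the two file paths are placeholders, and enabling `ExclusiveTrust` is an assumed policy choice.

```xml
<!-- Goes inside the manifest's <Extensions> element. -->
<Extension Category="windows.certificates">
  <Certificates>
    <!-- Private root: becomes a trust anchor for this app only,
         not for the user or the machine.
         Placeholder path; package the public certificate (.cer) only,
         never a PFX or anything containing a private key. -->
    <Certificate StoreName="Root" Content="Assets\private-root.cer" />

    <!-- Intermediate CA: lets chain building succeed when the server
         does not send the intermediate in its handshake.
         Placeholder path. -->
    <Certificate StoreName="CA" Content="Assets\private-issuing-ca.cer" />

    <!-- Assumed policy: trust only the roots declared above and stop
         inheriting the system trust list, so a certificate issued by
         any public CA is rejected for this app's connections. -->
    <TrustFlags ExclusiveTrust="true" />
  </Certificates>
</Extension>
```

With this in place the `ConnectAsync(..., SocketProtectionLevel.Ssl)` call from the question stays unchanged. Hostname and validity checks still apply, and replacing the private root means shipping an app update.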
  • I'm glad to hear it!

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Wednesday, April 18, 2012 3:41 PM
    Moderator