C# and X.509 certificate for authentication on ASP.NET HttpHandler

  • Question

  • Greetings gentlemen!

    I'm a complete newbie in all this certification stuff, so correct me if I'm wrong.

    What I need to do is to implement authentication using an X.509 certificate in an ASP.NET HttpHandler, so that my server-side code can verify the client certificate.
    If the certificate is valid, then the client is considered authenticated and some positive HTTP response is returned.
    Otherwise, for example if the client makes a request without a certificate or with an invalid/expired certificate, I need to return some error in the response.

    On the internet there's so much theory and no practical example of how to do this common scenario (I'm not talking about WCF, I'm using an HTTPHandler).

    First I created certificates.

    Root authority self-signed certificate:
    makecert -n "CN=TestServerCA" -r -sv C:\temp\TestServerCA.pvk C:\temp\TestServerCA.cer

    And a new one for my client application, which is signed by the root authority certificate:
    makecert -sk TestClient -iv C:\temp\TestServerCA.pvk -n "CN=TestClient" -ic C:\temp\TestServerCA.cer C:\temp\TestClient.cer -sr currentuser -ss My

    Then I imported "TestServerCA.cer" to:
    Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates

    I have a console application:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using System.Threading.Tasks;
    
    namespace CertTest.Client {
        class Program {
            static void Main(string[] args) {
                HttpWebRequest request = WebRequest.CreateHttp("http://localhost:49187/HttpHandler.ashx");
                request.ClientCertificates.Add(X509Certificate.CreateFromCertFile(@"C:\temp\TestClient.cer"));
                request.GetResponse().GetResponseStream().CopyTo(Console.OpenStandardOutput());
                Console.ReadKey(true);
            }
        }
    }

    And here's my HTTPHandler:

    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using System.Web;
    
    namespace CertTest.Server {
        public class HttpHandler : IHttpHandler {
            public void ProcessRequest(HttpContext context) {
                HttpClientCertificate certificate = context.Request.ClientCertificate;
                byte[] certBytes = certificate.Certificate;
    
                context.Response.ContentType = "text/plain";
                context.Response.Write("Hello World");
            }
    
            public bool IsReusable { get { return false; } }
        }
    }

    "certBytes" is an empty array; there's no certificate.

    My machine is Win 2008 R2, VS 2013

    So how do I acquire the client certificate sent with the HTTP request and verify it against "C:\temp\TestServerCA.cer"?


    nya-nya!

    Wednesday, January 29, 2014 2:27 PM
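
One way to implement the server-side check the question asks about, added here as an example (it is not the poster's code and not part of any reply). It assumes the handler is served over HTTPS with IIS set to accept or require client certificates, and that the client presents a certificate it holds the private key for (for instance the one makecert placed in CurrentUser\My), because a client certificate is only transmitted during the TLS handshake. The class name `CertCheckingHandler` and the error messages are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

namespace CertTest.Server {
    // Added example (hypothetical class name): answers 403 unless the client
    // certificate is present, chains to a trusted root, and that root is TestServerCA.
    public class CertCheckingHandler : IHttpHandler {
        // CA file path from the question; its thumbprint is the pinned trust anchor.
        static readonly X509Certificate2 TrustedCa =
            new X509Certificate2(@"C:\temp\TestServerCA.cer");

        public void ProcessRequest(HttpContext context) {
            context.Response.ContentType = "text/plain";
            string error = Validate(context.Request.ClientCertificate);
            if (error != null) {
                context.Response.StatusCode = 403;
                context.Response.Write(error);
                return;
            }
            context.Response.Write("Hello World");
        }

        // Returns null when the certificate is acceptable, otherwise the rejection reason.
        static string Validate(HttpClientCertificate presented) {
            // False over plain HTTP, or when the client had no private key for the certificate.
            if (!presented.IsPresent) return "No client certificate was presented.";

            var cert = new X509Certificate2(presented.Certificate);
            var chain = new X509Chain();
            // Assumption: makecert test certificates publish no CRL, so revocation is not checked.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Build() verifies signatures, validity dates and trust in the Windows root store.
            if (!chain.Build(cert)) return "Certificate chain validation failed.";

            // Pin the root so that no other CA in the Windows store can vouch for clients.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, TrustedCa.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return "Certificate was not issued by the expected CA.";
            return null;
        }

        public bool IsReusable { get { return false; } }
    }
}
```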

Answers

  • Hi,

    As you said, you are not talking about WCF, but this forum is for discussing questions about WCF, so it would be better for you to post your question to the ASP.NET HttpHandlers forum. Then you will get a good reply from the ASP.NET experts.
    #HttpHandlers and HttpModules Forum:
    http://forums.asp.net/27.aspx/1?HttpHandlers+and+HttpModules

    Best Regards,
    Amy Peng



    Thursday, January 30, 2014 2:19 AM
    Moderator