Digitally signing

  • Question

  • Hi,

     

    I am encountering an error while trying to digitally sign an item I'm writing into HV.  Here is a snippet of the code I am testing with:

     

    OfflineWebApplicationConnection owac = new OfflineWebApplicationConnection(new Guid(appid), healthserviceurl + "wildcat.ashx", new Guid("... PersonID GUID here ..."));
    owac.Authenticate();

    HealthRecordAccessor hra = new HealthRecordAccessor(owac, new Guid("... RecordID guid here ..."));
    HealthRecordSearcher searcher = hra.CreateSearcher();
    HealthRecordFilter filter = new HealthRecordFilter(LabTestResults.TypeId);
    searcher.Filters.Add(filter);
    HealthRecordItemCollection items1 = searcher.GetMatchingItems()[0];

    LabTestResults ltr = new LabTestResults();
    //... filling out the ltr here ...

    // Look up the application certificate in the LocalMachine\My store by subject name.
    string certname = "WildcatApp-" + appid;
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    X509Certificate2 cert2 = null;
    store.Open(OpenFlags.ReadWrite);
    if (certname.Length > 0)
    {
        foreach (X509Certificate2 cert in store.Certificates)
        {
            if (cert.SubjectName.Name.Contains(certname))
            {
                cert2 = cert;
                break;
            }
        }
    }
    store.Close();

    // Sign the item with that certificate, then add it to the record.
    ltr.Sign(cert2);
    hra.NewItem(ltr);

     

    I get a Microsoft.Health.HealthServiceException exception on the last line when trying to add the LabTestResults item with message:

     

    The certificate in the signature of the thing cannot be validated.

     

    Any idea what I am doing wrong?

     

    Thanks,

    Jad Startin

    Medicity, Inc.

     

    Wednesday, December 10, 2008 6:57 PM

Answers

  • Hmm.. looking at your code, it appears that you're trying to sign your item with your application's private key, which I'm guessing you generated with the tools that ship with the SDK (makecert). The HealthVault Platform will only accept signed Things where the certificate has been issued by a trusted Certificate Authority (currently VeriSign, Comodo and GeoTrust). We do this so that we can verify the validity of the certificate at the time when the data is added to the record (as described in the document library: “As evidence of its authenticity, this item has a digital signature that was valid at the time it was added to this HealthVault record.”).

     

    Hope that helps.

     

    Thanks,

     _jim

     

    • Marked as answer by Jad Startin Friday, December 12, 2008 12:36 AM
    Wednesday, December 10, 2008 8:06 PM

All replies

  •  Jim, is it possible to work out with Microsoft on having my custom certificate, apart from the ones that are currently supported?
    Thursday, December 11, 2008 9:45 AM
  •  Hi Jim,

    OK, so I am a little perplexed by the readily available certificates from Verisign, Digicert (GeoTrust) and InstantSSL (Comodo).  All of these public CAs sell a "code signing certificate" that is capable of signing PE executables, but none offer a "data signing certificate".  I talked to support at all three groups and was informed "they don't offer a certificate that is capable of signing XML".  Verisign pointed me to a partner that offers XMLDSIG at http://www.infomosaic.net/, but according to their website, the company is defunct and no longer accepting new customers.  I've read up on XML signing at http://msdn.microsoft.com/en-us/library/system.security.cryptography.xml.signedxml.aspx, so I have a good idea of what I'm trying to do.  I just don't know where to get a certificate that can support XMLDSIG.  I would have guessed any PKI cert could be used, but this doesn't seem to be the case?

    Thanks,
    Jad

    Friday, December 12, 2008 12:35 AM
  •  

    @indmav:

    In order for the HealthVault platform to accept a signed item today, the certificate needs to link back to a trusted root authority. You can get your own certificate from one of the providers listed in the previous post, but we currently don’t accept self-generated certificates for items placed into HealthVault. That’s the story right now, although we are looking to do more work in this space in the future (pardon the vagueness).

     

    @Jad:

    Your being perplexed is testament to the fact that we need more documentation around DigSigs in HealthVault. We’ve got this early blog post, which focuses more on methods and classes, but don’t have any real public-facing info on how one goes about getting a cert that’ll work with HV. You don’t really need a special kind of cert for signing the XML you send up to HealthVault (your example is signing the XML alright, it’s just that the HV Platform can’t verify the certificate, so the server returns an error) --it all comes down to the platform trusting the chain of issuers in your cert (see “for now”, above). If you’d like to get your hands on a working cert, the [free Comodo certificates available here] have worked for me. We’ll try to get some better docs out soon..

     

    Thanks,

     -Jim

    Saturday, December 13, 2008 12:10 AM
  • It should be noted that when using the Free Comodo Certificate, Comodo will install the certificate to your CurrentUser certificate store. In a live environment, you will want to load the certificate from the LocalMachine. Because of this, you will not be able to simply copy the certificate over from the CurrentUser store as the private key will be tied to the user. The solution is that you will need to obtain a real public CA-issued certificate from Comodo, GeoTrust or Verisign. Expensive... yes :/
    Thomas
    Friday, April 10, 2009 5:08 PM
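
A pre-flight check for the two points raised in this thread (the certificate must chain to a trusted root, and the private key must be reachable from the store the application loads it from), added here as an example and not code from any poster or from the HealthVault SDK. It builds the chain with .NET's X509Chain against the local machine's trust list, which is an assumption standing in for HealthVault's own list of accepted CAs; the class name and the default subject fragment are illustrative.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class SigningCertPreflight
{
    // Finds a certificate whose subject contains subjectFragment in the given
    // store location, builds its chain, and reports what a verifier would see.
    static bool Check(StoreLocation location, string subjectFragment)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);   // read access is enough for a lookup
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectFragment, false);
            if (found.Count == 0)
            {
                Console.WriteLine("{0}: no matching certificate", location);
                return false;
            }
            X509Certificate2 cert = found[0];
            Console.WriteLine("{0}: {1}", location, cert.Subject);
            // False means the store entry has no associated key and cannot sign.
            Console.WriteLine("  private key associated: {0}", cert.HasPrivateKey);

            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            bool trusted = chain.Build(cert);
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  chain problem: {0}", status.Status);
            if (chain.ChainElements.Count > 0)
            {
                X509Certificate2 root =
                    chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                Console.WriteLine("  chain ends at: {0}", root.Subject);
            }
            return trusted && cert.HasPrivateKey;
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        // Assumed default: the subject prefix used in the question's snippet.
        string fragment = args.Length > 0 ? args[0] : "WildcatApp-";
        bool machine = Check(StoreLocation.LocalMachine, fragment);
        bool user = Check(StoreLocation.CurrentUser, fragment);
        Console.WriteLine(machine || user ? "candidate found" : "no usable certificate");
    }
}
```

A self-signed certificate that is not in the local Trusted Root store reports UntrustedRoot here; a passing result still needs the "chain ends at" subject compared with the CAs the platform accepts.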