Problem with certificates
by Daryn Kiely [Daryn dot Kiely at igt dot com] posted on 2003/10/22
Ok, I am sure my problem has to do with my own stupidity, but I have fought with this thing for a day and a half already and cannot resolve it. My code used to work until I got new certificates and downloaded the latest library. Now when I attempt to send a message I get an exception (stack trace to follow). Here is my code that opens the socket:
SecurityOptions options;
// load the client certificate (with private key) from the PFX file
CertificateStore cs = CertificateStore.CreateFromPfxFile(key_file, password);
Certificate cert = cs.FindCertificateBySubjectString("R&D Client");
options = new SecurityOptions(SecureProtocol.Ssl3, cert, ConnectionEnd.Client);
if (!check_cn)
{
    // skip the common-name check but still verify the peer certificate
    options.VerificationType = CredentialVerification.AutoWithoutCName;
}
m_client_port = new SecureSocket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp, options);
IPAddress ipa = IPAddress.Parse("10.207.101.40");
IPEndPoint ipe = new IPEndPoint(ipa, 16001);
m_client_port.Connect(ipe);
And my stack trace:
[INIT ] - 10/22/2003 11:31:25 AM: Initializing Mentalis Connection
[FAIL ] - 10/22/2003 11:31:25 AM: Exception initializing communication An error occurs while communicating with the remote host. - at Org.Mentalis.Security.Ssl.SecureSocket.EndSend(IAsyncResult asyncResult)
at Org.Mentalis.Security.Ssl.SecureSocket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at Arbiter.MentalisConnection.Write(Byte[] bytes) in c:\documents and settings\kielyd\my documents\visual studio projects\testhost\testhost\mentalisconnection.cs:line 151
at Arbiter.ArbiterConnection.InitializeCommunication() in c:\documents and settings\kielyd\my documents\visual studio projects\testhost\testhost\arbiterconnection.cs:line 119
[FAIL ] - 10/22/2003 11:31:25 AM: Connection failed, thread exiting...
Any help would be greatly appreciated.
Thanks
Daryn
by Pieter Philippaerts [Pieter at mentalis dot org] posted on 2003/10/22
The first thing you have to do when such a problem arises is to set the verification type to CredentialVerification.None and see if the code works again. You're using CredentialVerification.Auto and AutoWithoutCName, and both these options automatically close the connection if there's something wrong with the peer certificate.
If setting the verification type to None helps, you can be sure that the server or client certificate cannot be verified correctly. You can get a description of the error if you use CredentialVerification.Manual.
If setting the verification type to None doesn't help, then there's something else going on and we'll have to take a closer look. But can you first verify whether it's a certificate problem?
by Daryn Kiely [Daryn dot Kiely at igt dot com] posted on 2003/10/22
Ok, I set the verification to None and it did not help; I am getting the same errors. I also changed the code to do manual verification. The output follows:
[INIT ] - 10/22/2003 1:37:45 PM: Initializing Mentalis Connection
[FAIL ] - 10/22/2003 1:37:45 PM: Certificate - CERTIFICATE:
Format: X509
Name: R&D Server
Issuing CA: R and D
Key Algorithm: 1.2.840.113549.1.1.5
Serial Number: 06
Key Alogrithm Parameters: 0500
Public Key: 30818902818100D0CB8C4F0A04FBD9B81B6BFA512EFD5E787F6A434AFB139A3A090B93AA2A73D83FD80E913E2AD29E81D150D255B4ABAB7FAE16CBFFDBDCD921F495A509CE09EC9A29E8C023AB18D8BC428CCF14A69DA698E98BBF985B9294FB3A8E8816619CF4C77C208468A2C73EE576F76F304751043560612049F81C6E5A82181BEAFB4BB50203010001
[FAIL ] - 10/22/2003 1:37:45 PM: Certificate - CERTIFICATE:
Format: X509
Name: R and D
Issuing CA: R and D
Key Algorithm: 1.2.840.113549.1.1.5
Serial Number: 00
Key Alogrithm Parameters: 0500
Public Key: 30818902818100BF2450F218D2AAEC0A96BE3BA7430F50127F5E395B96DE41E887DB9075E5565FE7FB6F47C78588ED5A0FF91D954BD209F8120D1822DF3AC4A60F421F13732C4FAA2969886A5AF9F06D1BB81B802C1043322D2BA1CD0D3DA8FB23DE6F506106C09263037813750E343566B30442A5C4FA4A9A5C85321E2B9DA7C08B3006B7D8530203010001
[FAIL ] - 10/22/2003 1:37:45 PM: chain - ValidCertificate
[FAIL ] - 10/22/2003 1:37:45 PM: Exception initializing communication An error occurs while communicating with the remote host. - at Org.Mentalis.Security.Ssl.SecureSocket.EndSend(IAsyncResult asyncResult)
at Org.Mentalis.Security.Ssl.SecureSocket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at Arbiter.MentalisConnection.Write(Byte[] bytes) in c:\documents and settings\kielyd\my documents\visual studio projects\testhost\testhost\mentalisconnection.cs:line 178
at Arbiter.ArbiterConnection.InitializeCommunication() in c:\documents and settings\kielyd\my documents\visual studio projects\testhost\testhost\arbiterconnection.cs:line 119
[FAIL ] - 10/22/2003 1:37:45 PM: Connection failed, thread exiting...
[FAIL ] - 10/22/2003 1:37:45 PM: Arbiter Thread failed, restarting
by Daryn Kiely [Daryn dot Kiely at igt dot com] posted on 2003/10/22
Stepping through the libraries I see that ti.AsyncResult.m_AsyncException in SecureSocket.cs line 381 says "Could not acquire crypto context." As I dig deeper it looks like the error number from GetLastError is 8009000f, or Object Already Exists. Now I am really confused...
by Daryn Kiely [Daryn dot Kiely at igt dot com] posted on 2003/10/22
I am getting deeper into the bowels of certificate.cs, but no closer to my solution. The library calls CryptAcquireContext once with the standard flags; it then calls it again (if the first call fails) with the NEWKEYSET flag. The first failure is NTE_BAD_KEYSET, which is "key container could not be opened"; the second call fails with NTE_EXISTS, which is self-explanatory. I can print out the certificate for the key, so I know I read it, and the server key chain is valid, so now I am completely dazed and confused!!!!
by Pieter Philippaerts [Pieter at mentalis dot org] posted on 2003/10/23
Like you've already figured out, the problem appears to be in the PublicKey property of the Certificate class.
I searched the newsgroups for posts that were describing the same issues you're having, and it turns out that occasionally the CryptoAPI key containers get corrupted. Once a key container gets corrupted, you get the behavior you're seeing.
Here are some things you can do to solve it:
- the key containers are stored under the %userprofile%/application data/microsoft/crypto directory. Make sure all the files and directories under this crypto directory have the correct permissions set. The Owner, the Administrators and the System should all get full access to that directory.
- try deleting the files in the crypto directory. This will resolve your problem according to the posts I found online, but use this option with caution because you will delete any keys that are stored in the default container.
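The permission check in the reply above, written out as an added PowerShell example (it is not code from the thread or from the Mentalis library). It assumes a Windows machine where the CryptoAPI key containers live under %APPDATA%\Microsoft\Crypto, as the post describes, and reports every file or directory there on which the owner, BUILTIN\Administrators or NT AUTHORITY\SYSTEM lacks an Allow rule granting Full Control. It also copies the directory to a timestamped backup before anyone follows the second, destructive suggestion; it does not delete anything itself.

```powershell
# Added example, not part of the original thread.
# Assumption: key containers are under $env:APPDATA\Microsoft\Crypto (the
# "%userprofile%\application data\microsoft\crypto" directory from the post).
$cryptoDir = Join-Path $env:APPDATA 'Microsoft\Crypto'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-KeyContainerAcl {
    # Returns one object per path; Problems is empty when the ACL matches
    # the "Owner, Administrators and SYSTEM have full access" expectation.
    param([Parameter(Mandatory)][string]$Path)

    $acl      = Get-Acl -LiteralPath $Path
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $acl.Owner) | Select-Object -Unique
    $problems = @()

    foreach ($principal in $expected) {
        $grant = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $principal -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $FullControl) -eq $FullControl)
        }
        if (-not $grant) { $problems += "$principal lacks FullControl" }
    }

    # Explicit Deny entries override Allow entries, so flag them too.
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($d in $denies) { $problems += "Deny rule for $($d.IdentityReference.Value)" }

    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Problems = ($problems -join '; ')
    }
}

function Backup-KeyContainerDir {
    # Copy the whole crypto directory aside before any cleanup, so that keys
    # stored in the default container are not lost if deletion turns out to
    # be the fix. Returns the backup path.
    param([Parameter(Mandatory)][string]$Source)

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:USERPROFILE "crypto-backup-$stamp"
    Copy-Item -LiteralPath $Source -Destination $backup -Recurse -Force
    return $backup
}

if (-not (Test-Path -LiteralPath $cryptoDir)) {
    Write-Warning "Key container directory not found: $cryptoDir"
    return
}

# Audit the directory itself and everything beneath it (hidden files included).
$paths = @($cryptoDir) + (Get-ChildItem -LiteralPath $cryptoDir -Recurse -Force | ForEach-Object FullName)
$report = $paths | ForEach-Object { Test-KeyContainerAcl -Path $_ }

$bad = $report | Where-Object { $_.Problems }
if ($bad) {
    Write-Host "Entries with unexpected permissions:"
    $bad | Format-Table -AutoSize
} else {
    Write-Host "All entries under $cryptoDir grant Full Control to owner, Administrators and SYSTEM."
}

# Always take a backup before touching the container files by hand.
$backupPath = Backup-KeyContainerDir -Source $cryptoDir
Write-Host "Backup written to $backupPath"
```

Run it as the user whose key container is failing, since %APPDATA% and the owner check are per-user. A clean report plus a persisting NTE_EXISTS from CryptAcquireContext points at a corrupted container rather than an ACL problem, which is the case the second suggestion (deleting the files, with the backup in hand) addresses.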
by Pieter Philippaerts [Pieter at mentalis dot org] posted on 2003/10/23
The same problem was posted on the microsoft.public.platformsdk.security today. I'll keep my eye on the thread and if they find a solution for this problem I'll post it here.
by Daryn Kiely [Daryn dot Kiely at igt dot com] posted on 2003/10/23
Pieter,
Deleting everything in the crypto directory resolved the issue. Thanks!!!