Pkcs11Interop / Pkcs11Interop.X509Store

Easy to use PKCS#11 based X.509 certificate store
Apache License 2.0

Pkcs11X509Store certificate throw unauthorized (Anonymous) with client WCF authentication #7

Closed cibermon closed 4 years ago

cibermon commented 5 years ago

Hello,

I'm trying to assign an X509Certificate which was returned by Pkcs11X509Store:

Dim pinProvider As IPinProvider = New PinProvider()
Try
    Using store As New Pkcs11X509Store(libraryPath, pinProvider)
        ' Only slots that currently have a token inserted
        Dim slots As IEnumerable(Of Pkcs11Slot) = store.Slots.Where(Function(s) s?.Token IsNot Nothing)
        If slots?.Count > 0 Then
            For Each slot As Pkcs11Slot In slots
                If slot?.Token?.Certificates.Count > 0 Then
                    For Each cert As Pkcs11X509Certificate In slot?.Token?.Certificates
                        If cert?.Info IsNot Nothing Then
                            ' X509Certificate2 instance backed by the PKCS#11 token
                            result.Add(cert.Info.ParsedCertificate)
                        End If
                    Next
                End If
            Next
        End If
    End Using
Catch ex As Exception

End Try

The user chooses the certificate they want to use and the system tries to assign it in ClientCredential:

Dim b As New BasicHttpBinding()
b.Security.Mode = SecurityMode.Transport
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate
b.MessageEncoding = WSMessageEncoding.Mtom
b.MaxReceivedMessageSize = 2147483647

' Create an EndPointAddress.
Dim ea As New EndpointAddress(New Uri(Servidor & "/ServiciosWCF/OVCWcfCDYG/OVCCertifDYG.svc"))

' Create the client.
Dim proxy As New OVCCertificacionDescriptivaGrafica.OVCCertifDYGClient(b, ea)

' Certificate chosen by the user from the Pkcs11X509Store list above
proxy.ClientCredentials.ClientCertificate.Certificate = Me.certificado

This is my IPinProvider:

Public Class PinProvider
    Implements IPinProvider

    Public Function GetTokenPin(storeInfo As Pkcs11X509StoreInfo, slotInfo As Pkcs11SlotInfo, tokenInfo As Pkcs11TokenInfo) As GetPinResult Implements IPinProvider.GetTokenPin
        Return New GetPinResult(True, False, Nothing)
    End Function

    Public Function GetKeyPin(storeInfo As Pkcs11X509StoreInfo, slotInfo As Pkcs11SlotInfo, tokenInfo As Pkcs11TokenInfo, certificateInfo As Pkcs11X509CertificateInfo) As GetPinResult Implements IPinProvider.GetKeyPin
        Return New GetPinResult(True, False, Nothing)
    End Function

End Class

And finally the proxy throws Exception 403 (Anonymous).

Can you help me, please?

jariq commented 5 years ago

Instances of X509Certificate2 classes returned by Pkcs11Interop.Store cannot be used in SSL connections. That's a known limitation (at least to me) and will be documented soonTM.

cibermon commented 5 years ago

Is there any workaround to solve this problem?

jariq commented 5 years ago

None that I know of (see https://github.com/dotnet/corefx/issues/22437 for more details). If you want to use X509Certificate2 object with SSL connections then you need to get it from X509Store.
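The workaround described above, as an added VB.NET example (not code from the original issue or from the Pkcs11Interop.X509Store project): Pkcs11X509Store is used only to list the token's certificates so the user can pick one, and the same certificate is then fetched from the Windows X509Store, whose private key is backed by the vendor's CSP/minidriver and therefore usable by WCF/SSL. It assumes the vendor's minidriver has registered the token certificate in CurrentUser\My; libraryPath, pinProvider and the proxy variable are placeholders.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel.Description
Imports Net.Pkcs11Interop.X509Store

' Added example, not part of the original issue or of Pkcs11Interop.X509Store.
' Assumption: the token's CSP/minidriver has propagated its certificates to CurrentUser\My.
Module WcfClientCertWorkaround

    ' Step 1: enumerate token certificates through PKCS#11 and return their thumbprints,
    ' so the user can choose one. These X509Certificate2 instances are NOT handed to WCF.
    Public Function ListTokenThumbprints(libraryPath As String, pinProvider As IPinProvider) As List(Of String)
        Dim thumbprints As New List(Of String)
        Using store As New Pkcs11X509Store(libraryPath, pinProvider)
            For Each slot As Pkcs11Slot In store.Slots
                If slot.Token Is Nothing Then Continue For
                For Each cert As Pkcs11X509Certificate In slot.Token.Certificates
                    thumbprints.Add(cert.Info.ParsedCertificate.Thumbprint)
                Next
            Next
        End Using
        Return thumbprints
    End Function

    ' Step 2: look the chosen certificate up in the Windows store by thumbprint.
    ' validOnly:=True rejects expired, revoked or untrusted certificates up front, and
    ' HasPrivateKey confirms a CSP/KSP-backed key that the SSL stack can actually use.
    Public Function FindUsableClientCert(thumbprint As String) As X509Certificate2
        Using store As New X509Store(StoreName.My, StoreLocation.CurrentUser)
            store.Open(OpenFlags.ReadOnly)
            Dim found As X509Certificate2Collection =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly:=True)
            Dim cert As X509Certificate2 =
                found.Cast(Of X509Certificate2)().FirstOrDefault(Function(c) c.HasPrivateKey)
            If cert Is Nothing Then
                Throw New InvalidOperationException(
                    "Certificate " & thumbprint & " is not usable for TLS client auth from CurrentUser\My")
            End If
            Return cert
        End Using
    End Function

    ' Step 3: hand the X509Store-backed instance to WCF, e.g.
    ' ConfigureClient(proxy.ClientCredentials, chosenThumbprint)
    Public Sub ConfigureClient(credentials As ClientCredentials, thumbprint As String)
        credentials.ClientCertificate.Certificate = FindUsableClientCert(thumbprint)
    End Sub
End Module
```

If FindUsableClientCert throws, the certificate is present on the token but not registered in the Windows store, which is exactly the case the 403 (Anonymous) response hides.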