date: 20 Jan 2006 03:43:28 -0800,    group: microsoft.public.platformsdk.internet.server.isapi-dev


Unable to access the client SSL certificate   
Hello,
I am writing an ISAPI filter (running it on IIS 6.0 Windows 2003) and
in the filter I need to access the "Client Certificate".
I have registered for the following notifications:
    SF_NOTIFY_AUTHENTICATION
    SF_NOTIFY_AUTH_COMPLETE

I have written functions OnAuthComplete & OnAuthentication.
In both the functions I am trying to access the Client Certificate
using the following code: (I think I should be doing it only in
"OnAuthComplete" but just to be sure I tried it in both the
places.)

[Function signatures are
DWORD CAuthFilter::OnAuthentication(CHttpFilterContext* pCtxt,
HTTP_FILTER_AUTHENT pAuthent)
DWORD CAuthFilter::OnAuthComplete(CHttpFilterContext* pfc,
PHTTP_FILTER_AUTH_COMPLETE_INFO pAuthComplInfo)
]
===============================================================
        char CertificateBuf[8192];                  // receives the DER-encoded client certificate
        CERT_CONTEXT_EX ccex = {0};                 // zeroed so members IIS does not fill are not garbage
        ccex.cbAllocated = sizeof(CertificateBuf);
        ccex.CertContext.pbCertEncoded = (BYTE*)CertificateBuf;
        DWORD dwSize = sizeof(ccex);
        bool error = false;

        // Ask IIS for the client certificate of the current request.
        if(pCtxt->m_pFC->ServerSupportFunction(pCtxt->m_pFC,
                (enum SF_REQ_TYPE)HSE_REQ_GET_CERT_INFO_EX,
                (LPVOID)&ccex, dwSize, NULL) == FALSE)
        {
                // Handle Error Here
        }
===================================================================

When the above code is executed the "ServerSupportFunction" returns
TRUE which means that the function was executed successfully and also
ccex.dwCertificateFlags is 1, which implies that the client certificate
was present because bit0 is 1 and it is valid because bit1 is 0.

After this when I try to access ccex.CertContext.pCertInfo I get a null
pointer.

So can someone tell me why I am unable to access the certificate? Is
this not the right way to access the client certificate, or am I calling
it in an incorrect context?

Thanks,
Suyog
date: 20 Jan 2006 03:43:28 -0800   author:   Suyog
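The post above sets up CERT_CONTEXT_EX so that IIS writes the encoded client certificate into CertificateBuf through pbCertEncoded, and then finds ccex.CertContext.pCertInfo NULL. Whatever the reason for that NULL, the DER bytes the call does return are enough to read the subject. The following is an added example, not code from the post or from the IIS SDK: a bounds-checked DER walk that extracts the subject commonName from an X.509 certificate buffer. The certificate bytes are constructed for the example (issuer "Example CA", subject "suyog-client"; key and signature fields are placeholders), and it uses no Windows headers so it builds with any C compiler. In a filter, the inputs would be ccex.CertContext.pbCertEncoded and ccex.CertContext.cbCertEncoded after a successful call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a structurally valid DER X.509 v3 certificate with issuer
   CN=Example CA and subject O=Example Corp, CN=suyog-client (key/signature are placeholders). */
static const uint8_t SAMPLE_CERT_DER[] = {
    0x30, 0x81, 0xA9, 0x30, 0x81, 0x93,              /* Certificate { tbsCertificate { */
    0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,  /* version v3, serialNumber 1 */
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
    0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03,  /* issuer: CN= */
    0x0C, 0x0A, 'E','x','a','m','p','l','e',' ','C','A',
    0x30, 0x1E, 0x17, 0x0D, '0','6','0','1','2','0','0','0','0','0','0','0','Z',  /* validity */
    0x17, 0x0D, '0','7','0','1','2','0','0','0','0','0','0','0','Z',
    0x30, 0x2E, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,  /* subject: O= */
    0x0C, 0x0C, 'E','x','a','m','p','l','e',' ','C','o','r','p',
    0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x03,              /* CN= */
    0x0C, 0x0C, 's','u','y','o','g','-','c','l','i','e','n','t',
    0x30, 0x13, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
    0x05, 0x00, 0x03, 0x02, 0x00, 0x00,              /* subjectPublicKeyInfo placeholder } */
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
    0x03, 0x02, 0x00, 0x00,                          /* signatureAlgorithm, signatureValue } */
};

/* Reads one DER TLV header; returns 0 for truncated or malformed input. The
   certificate comes from the remote client, so every length is checked before use. */
static int der_tlv(const uint8_t *b, size_t len, uint8_t *tag, size_t *hdr, size_t *clen)
{
    if (len < 2) return 0;
    size_t h = 2, l = b[1];
    if (l & 0x80) {                       /* long form: next n bytes hold the length */
        size_t n = l & 0x7F;
        if (n == 0 || n > 4 || len < 2 + n) return 0;
        for (l = 0; h < 2 + n; h++) l = (l << 8) | b[h];
    }
    if (l > len - h) return 0;            /* content must fit inside the buffer */
    *tag = b[0]; *hdr = h; *clen = l;
    return 1;
}

/* Consumes the next element: reports its tag and payload, advances *p and *rem past it. */
static int der_next(const uint8_t **p, size_t *rem, uint8_t *tag,
                    const uint8_t **content, size_t *clen)
{
    size_t hdr;
    if (!der_tlv(*p, *rem, tag, &hdr, clen)) return 0;
    *content = *p + hdr;
    *p += hdr + *clen; *rem -= hdr + *clen;
    return 1;
}

/* Walks Certificate -> tbsCertificate -> subject; returns the subject Name content or NULL. */
static const uint8_t *x509_subject(const uint8_t *der, size_t len, size_t *subj_len)
{
    const uint8_t *c; size_t clen, hdr; uint8_t tag;
    if (!der_next(&der, &len, &tag, &c, &clen) || tag != 0x30) return NULL; /* Certificate */
    der = c; len = clen;
    if (!der_next(&der, &len, &tag, &c, &clen) || tag != 0x30) return NULL; /* tbsCertificate */
    der = c; len = clen;
    if (!der_tlv(der, len, &tag, &hdr, &clen)) return NULL;
    if (tag == 0xA0) { der += hdr + clen; len -= hdr + clen; }            /* optional version */
    static const uint8_t skip[] = { 0x02, 0x30, 0x30, 0x30 }; /* serial, sigAlg, issuer, validity */
    for (size_t i = 0; i < sizeof skip; i++)
        if (!der_next(&der, &len, &tag, &c, &clen) || tag != skip[i]) return NULL;
    if (!der_next(&der, &len, &tag, &c, &clen) || tag != 0x30) return NULL; /* subject */
    *subj_len = clen;
    return c;
}

/* Copies the subject commonName (OID 2.5.4.3) into out, NUL-terminated, and returns its
   length; -1 if absent, malformed, or too long for out (refuse rather than truncate an identity). */
static int x509_subject_cn(const uint8_t *der, size_t len, char *out, size_t out_len)
{
    static const uint8_t OID_CN[] = { 0x55, 0x04, 0x03 };
    size_t slen; const uint8_t *p = x509_subject(der, len, &slen);
    if (!p) return -1;
    while (slen) {                                   /* RelativeDistinguishedName ::= SET OF */
        const uint8_t *rdn; size_t rlen; uint8_t tag;
        if (!der_next(&p, &slen, &tag, &rdn, &rlen) || tag != 0x31) return -1;
        while (rlen) {                               /* AttributeTypeAndValue ::= SEQUENCE */
            const uint8_t *atv, *oid, *val; size_t alen, olen, vlen;
            if (!der_next(&rdn, &rlen, &tag, &atv, &alen) || tag != 0x30) return -1;
            if (!der_next(&atv, &alen, &tag, &oid, &olen) || tag != 0x06) return -1;
            if (!der_next(&atv, &alen, &tag, &val, &vlen)) return -1;
            if (olen == sizeof OID_CN && memcmp(oid, OID_CN, olen) == 0 &&
                (tag == 0x0C || tag == 0x13)) {      /* UTF8String or PrintableString */
                if (vlen >= out_len) return -1;
                memcpy(out, val, vlen); out[vlen] = '\0';
                return (int)vlen;
            }
        }
    }
    return -1;
}

int main(void)
{
    char cn[128];
    int n = x509_subject_cn(SAMPLE_CERT_DER, sizeof SAMPLE_CERT_DER, cn, sizeof cn);
    printf("subject CN: %s (%d bytes)\n", n < 0 ? "<none>" : cn, n);
    return 0;
}
```

On Windows the same decoding is normally delegated to CryptoAPI: CertCreateCertificateContext(X509_ASN_ENCODING, pbCertEncoded, cbCertEncoded) returns a PCCERT_CONTEXT whose pCertInfo is populated, and CertGetNameStringA can then render the subject. The hand-written walk above shows what that decoding has to guard against: every length field is attacker-supplied, so a truncated or oversized element is rejected instead of being read past the buffer, and a commonName that does not fit the output is refused rather than silently cut short.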

Re: Unable to access the client SSL certificate   
A little more clarification:

I am interested only in the "Subject" of the certificate.

Is this a good way to do the same?

[Function signature:
DWORD CAuthFilter::OnAuthComplete(CHttpFilterContext* pfc,
PHTTP_FILTER_AUTH_COMPLETE_INFO pAuthComplInfo)
]

      char SubjectBuf[1024];                 // receives the subject as a NUL-terminated string
      LPSTR szVariableName = "CERT_SUBJECT";
      DWORD dwSubjectBufSize = sizeof (SubjectBuf);

      // FALSE means the variable is unavailable for this request or the buffer is too small.
      if (!pfc->GetServerVariable(szVariableName, SubjectBuf, &dwSubjectBufSize))
      {
            // Handle Error Here
      }

I am using the "GetServerVariable" but I am not sure if this will
work in all cases so I wanted to confirm.

Thanks,
Suyog
date: 20 Jan 2006 04:46:32 -0800   author:   Suyog

Re: Unable to access the client SSL certificate   
What about:
    GetServerVariable( "CERT_SUBJECT" )

I have no idea what you mean by "if this will work in all cases" because by 
definition, server variables cannot work in all cases, especially before 
they become valid throughout the request execution process.

For example, AUTH_USER cannot possibly be populated correctly prior to 
completing authentication, but nothing stops you from calling 
GetServerVariable( AUTH_USER ) in SF_NOTIFY_PREPROC_HEADERS. You decide 
whether the value retrieved is valid or not...

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

date: Sat, 21 Jan 2006 01:16:56 -0800   author:   David Wang [Msft]

Re: Unable to access the client SSL certificate   
I am using the variable "CERT_SUBJECT" in the function
OnAuthComplete. Is the information available at that time?
To elaborate my problem: I want to extract the information from the
subject in CERT and then, using this info, modify one of the headers (the BITS
header). This header is also used by one of the built-in ISAPI extensions
(the BITS extension).
The behaviour as I observed was as follows: (This is for the OnAuthComplete
function)
1) The OnAuthComplete was called 2 times
2) First time the BITS header was available but the "CERT_SUBJECT"
contained null
3) Second time the "CERT_SUBJECT" was appropriate but the BITS header
was not present in the request.

So I am a little confused as to how IIS behaves in this scenario.
I expected that the request processing would not happen before a valid
SSL connection was established. Also I assumed that if a valid SSL
connection has been established then certificate information must be
available.
Then why did I not get it in the 1st request? Should I be using some
other method to access the certificate?
And last but not least, as I had mentioned in my 1st mail, why is
pCertInfo not containing valid data?
date: 21 Jan 2006 10:47:51 -0800   author:   Suyog

Re: Unable to access the client SSL certificate   
Please clarify how many actual requests and under what authentication 
protocol were the requests made. Just saying that you see it called twice 
with different server variable values is not useful.

ISAPI Filter fires during HTTP request processing, which may/not directly 
correspond to any logical concept you are trying to manipulate. So, you 
*must* understand the underlying request/response sequence being negotiated 
and then use ISAPI Filter to modify it -- you cannot expect ISAPI Filter to 
provide you perfect constructs to manipulate your arbitrary logical 
concepts.

For example, during negotiation of NTLM Authentication, you will see 
multiple requests as an ISAPI Filter, the first requests contain 
Authorization: header while the final ones over the same connection do 
NOT -- but the request sequence is still considered authenticated. The 
behavior is by-design -- the first time Authorization: header was available 
but AUTH_USER is empty; the second time Authorization: header is not 
available but AUTH_USER is populated. You just have to know what you are 
doing.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

date: Sat, 21 Jan 2006 19:48:53 -0800   author:   David Wang [Msft]
