TScSslClient: readbuffer, writebuffer and other unknown things

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
Post Reply
wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Mon 05 Mar 2018 22:42

How do TScSslClient.ReadBuffer and TScSslClient.WriteBuffer work? And how does THttpOptions work alongside these buffers?

We have a vendor who requires we use an SSL client certificate to connect to their site. After we successfully authenticate, we can retrieve an OAuth token for subsequent requests. They provide an example of doing this, using curl and assuming we're sending them a PEM file:

Code: Select all

curl Example:
'curl -k -d "grant_type=client_cert" --basic -u "proxyUser:proxyPwd" -H "Content-Type: application/x-www-form-urlencoded" --cert "our_cert.pem:ourPwd" "https://portal.myvendor.com/token"'

  //    This translates to:
  //    -k: Allow insecure server connections (Really?!...)
  //    -d: HTTP POST data ("grant_type=client_cert")
  //    --basic: Use HTTP Basic Authentication
  //    -u: Proxy user and password
  //    -H: Header
  //    --cert: Client certificate and password
  //            (presumably the PEM file is replaced by MyScSslClient.Storage.Certificates.FindCertificate(MyScSslClient.CertName),
  //            but where would we pass 'ourPwd'?
  //    --url ("https://portal.myvendor.com/token")
  //

I *think* I have been able to establish a connection, using TScSslClient. But, I'm confused as to what to do next: is the certificate value for the '--cert' argument passed when we called TScSslClient.Connect? (See other code sample, below.) What about the password portion of that same value?

If they *were* passed, do we then just need to focus on crafting the POST request and providing the HTTP header? What about providing the proxyuser and proxyPwd values?

I have a hunch that perhaps we need to use THttpOptions for some (all?) of these values. But, the documentation only gives SSH Tunneling examples for using THttpOptions -- nothing for an SSL Client certificate situation.

Let me know if I need to clarify anything. Thank you!

Code: Select all

procedure TForm1.Button1Click(Sender: TObject);
var
  sndbxKey, sndbxSecrt, vendorConn: string;
begin
  // For our dev sandbox (the '-u' argument in the curl example)
  sndbxKey   := 'ourProxyUsername';
  sndbxSecrt := 'ourProxyPwd';

  vendorConn := 'https://myvendor.com/token';

  MyScSslClient.Connect;

  // Now that we've connected, what do we do?

  // The API documentation for the SecureBridge TScSSLClient
  // (https://www.devart.com/sbridge/docs/tscsslclient.htm) says,
  // "To exchange data, you should use the ReadBuffer and WriteBuffer methods."
  // The documentation for ReadBuffer and WriteBuffer does not contain very much.

end;


ViktorV
Devart Team
Posts: 2299
Joined: Wed 30 Jul 2014 07:16

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by ViktorV » Wed 07 Mar 2018 12:30

1. If the server requires the user certificate verification for client authentication, you just need to specify it in the TScSSLClient.CertName property, pre-importing it into TScStorage. You can do this either in design time using the Certificates tab in the TScStorage descendant property editor, or in runtime using the TScCertificate.ImportFrom method (Stream: TStream; const Password: string = ''). For example:

Code: Select all

var
Cert: TScCertificate;
MyCert: String;
SStream: TStringStream;
...
Cert := TScCertificate.Create(ScFileStorage.Certificates);
Cert.Name := 'CertName';
SStream:=TStringStream.Create(MyCert);
Cert.ImportFrom(SStream, aPwd);
ScSSLClient.CertName := 'CertName';
ScSSLClient.Connect;
In this case, you only need to call the TScSSLClient.Connect method to connect to the server and no additional action are required for authentication.
2. SecureBridge allows you to connect to a non-HTTP server using an HTTP tunnel, and the THttpOptions property is used to configure this connection. If you are working with an HTTP server, then you cannot use the HTTP tunnel, and correspondingly, THttpOptions.
3. To work with the data via the HTTP protocol, you can use the TScHttpWebRequest component: https://devart.com/sbridge/docs/index.h ... equest.htm
You can find the samples of using the TScHttpWebRequest component at our forum: https://forums.devart.com/viewtopic.php?f=27&t=36270
Note, maybe we did not fully understand the essence of your question. If you have any questions after reading our answer - please contact us and we will try to give you a detailed answer in the shortest possible time.

wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Fri 09 Mar 2018 20:19

Thanks for the reply. There was a typo in your example: Cert.Name should actually be Cert.CertName.

More importantly, when I try the following code, I'm getting an exception:

Code: Select all

procedure TForm1.FormCreate(Sender: TObject);
var
  Cert:    TScCertificate;
  SStream: TStringStream;
begin
  Cert          := TScCertificate.Create(MyFileStorage.Certificates);
  Cert.CertName := 'MyCert';
  SStream       := TStringStream.Create('MyCert.PEM');
  Cert.ImportFrom(SStream, 'aPwd');

  MySslClient.CertName := Cert.CertName;

end;
When we try to run Cert.ImportFrom(SStream, 'aPwd'), the exception 'Wrong certificate context' is raised. Stepping into it, I see it's at line 9505 of TScCertificate.SetCertContext. But, I have no idea what it means. Can you shed some light?

Thanks.

wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Mon 12 Mar 2018 14:53

Further information:

TscASN1Compiler.Parse has this block

Code: Select all

  if Stream <> nil then
    Result := ParseData(FLexemInfo)
  else
    Result := True;
When we get into TscASN1Compiler.ParseData, we hit this section (lines 1634-1638), which exits with a Result of False:

Code: Select all

      PrevPos := ParentLexemInfo.FCurPos;
      Identifier := ReadByte(ParentLexemInfo);
      Len := ReadLength(ParentLexemInfo);
      if (ParentLexemInfo.FLexemData.FSize - ParentLexemInfo.FCurPos) < Len then
        Exit;
Hopefully this can help isolate the issue?...

ViktorV
Devart Team
Posts: 2299
Joined: Wed 30 Jul 2014 07:16

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by ViktorV » Mon 12 Mar 2018 15:14

To solve the issue, try replacing in your sample the string:

Code: Select all

  SStream: = TStringStream.Create ('MyCert.PEM');
with

Code: Select all

  SStream       := TStringStream.Create;
  SStream.LoadFromFile('MyCert.PEM');

wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Tue 13 Mar 2018 19:39

Thank you -- separating Create and LoadFromFile got around the issue.

Attempting to send data with the HTTP Request object, I'm getting an error (from THandshakeLayer.ProcessAlert(Message: TRecordMessage)):
First chance exception at $75B308C2. Exception class EScError with message 'The other side has sent a failure alert: [40]'. Is the description '40' from the SecureBridge library, or is it from "the other side"?...

wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Tue 13 Mar 2018 20:42

Further details:

We're trying to use the SecureBridge SslClient and TCRHttpWebRequest objects to replace the curl example shown in the commented portion of the code below. What remains tricky at this point is the --cert parameter of the curl command. You see in the example that the --cert parameter will expect the certificate PEM file *and* the password.

I am wondering:
1. Would the PEM file be represented by assigning Buf: TBytes := SslCiient.Storage.Certificates.FindCertificate(SslClient.CertName).GetRawData and passing that to WriteBuffer?

2. How to include the password as shown in the curl example? Would I need to append ':certPwd' to Buf, before passing Buf to WriteBuffer? Or is that the wrong approach for matching the curl syntax?

Thank you!

Code: Select all

procedure TForm1.SslClientAfterConnect(Sender: TObject);
var
  myKey, mySecrt, TokenURL: string;
  Request: TCRHttpWebRequest;
  Resp:    TCRHttpWebResponse;
  Buf:     TBytes;
  Base64AuthStr: string;
begin
  myKey   := 'myKey';
  mySecrt := 'mySecrt';

  TokenURL := 'https://securesite.com/token';

  // Example curl request:
  //
  //    'curl -k -d "grant_type=client_cert" --basic -u "myKey:mySecrt" -H "Content-Type: application/x-www-form-urlencoded" --cert "MyCert.pem:certPwd" "https://securesite.com/token"'
  // 
  //    --cert: Client certificate and password
  //            (presumably SslClient.Storage.Certificates.FindCertificate(SslClient.CertName),
  //            but how to provide the password ('certPwd')?...

  Base64AuthStr := Base64Encode(myKey + ':' + mySecrt);
  Buf := SslClient.Storage.Certificates.FindCertificate(SslClient.CertName).GetRawData;

  Request := TCRHttpWebRequest.Create(TokenURL);
  Request.Method := rmPost;
  Request.ContentType := 'application/x-www-form-urlencoded';
  Request.ContentLength := Length(Buf);
  Request.Headers.Add('grant_type', 'client_cert');
  Request.Headers.Add('Authorization',  'Basic ' + Base64AuthStr );
  Request.WriteBuffer(Buf);

  SslClient.IsSecure := True;

  try
    Resp :=  Request.GetResponse;
  finally
    Request.Free;
    SslClient.Disconnect;
  end;

end;


ViktorV
Devart Team
Posts: 2299
Joined: Wed 30 Jul 2014 07:16

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by ViktorV » Wed 14 Mar 2018 08:40

Please provide more information about your task. Do you use a certificate to authenticate a client to a server? Then, why are you trying to pass it using TCRHttpWebRequest? How do you bind a client certificate with the certificate that you pass using the TCRHttpWebRequest component, because these are different connections?

wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Wed 14 Mar 2018 18:43

Okay, let's start over.

I'm connecting to a server that requires a certificate from me. So, I'm using your SslClient component to connect. (I hit the AfterConnect event, so I'm assuming (correctly?...) that we authenticated. At least, the 'Connected' property is True.

Now that we're connected, what should we do to send and receive data? You pointed me to the ReadBuffer and WriteBuffer methods, but the documentation on those methods is sparse (to put it mildly). Are those all that we need to use?

For example: now that we're connected, let's say we want to send the following:
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded

say=Hi&to=Mom
Using the SslClient connection, how would you send that and how would you read the server response?


Thank you.

wheathoff
Posts: 12
Joined: Thu 08 Feb 2018 18:39

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by wheathoff » Mon 19 Mar 2018 15:40

*Bump*

Anyone?....

ViktorV
Devart Team
Posts: 2299
Joined: Wed 30 Jul 2014 07:16

Re: TScSslClient: readbuffer, writebuffer and other unknown things

Post by ViktorV » Mon 19 Mar 2018 16:21

To solve the task, you can use the following code:

Code: Select all

var
  WriteBuf, ReadBuf: TBytes;
begin
  WriteBuf := TEncoding.UTF8.GetBytes('POST / HTTP/1.1' + #13#10 +
    'Content-Type: application/x-www-form-urlencoded' + #13#10 + 'say=Hi&to=Mom');
  ScSSLClient.WriteBuffer(WriteBuf, Length(WriteBuf));
  SetLength(ReadBuf, ReadBufSize);
  ScSSLClient.ReadBuffer(ReadBuf, Length(ReadBuf));
end;

Post Reply