PFX cert with ScHttpWebRequest

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
Post Reply
edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

PFX cert with ScHttpWebRequest

Post by edbored » Mon 25 Nov 2019 19:04

I'm trying to duplicate a SoapUI query with a TScHttpWebRequest, unfortunately I'm a little confused with respect to how to use the components...

(Using Delphi Rio)

I was provided a certificate in pfx format, which I converted it to pem with:
openssl pkcs12 -in certfile.pfx -out certfile.pem

I dropped a TScFileStorage on a form, set the Path, and double clicked to get to editor.

In "Certificates" I created a new "cert1" entry, and did an "Import Key From" certfile.pem.

I then Exported public key to certfile.pub.

I went to Keys tab and did an Import From certfile.pub to "key1".


I dropped a TScHttpWebRequest on the form, and set:
- SSLOptions.Storage to ScFileStorage1,
- SSLOptions.ClientCertificateName to key1.key
- RequestURI to https://some_long_domain:443/some_resource
- Method to rmPOST
- ReadWriteTimeout to 100
- ContentType to application/xml

Based on a few postings here, I tried:

Code: Select all

procedure TfrmTestQA.btn1Click(Sender: TObject);
var
 Response: TScHttpWebResponse;
 ResponseStr: string;
 buf: TBytes;
 s856xml: string;

begin
   s856xml :=Get856Info(se1.AsInteger); // returns xml packet
   buf := TEncoding.UTF8.GetBytes(s856xml);
   ScHttpWebRequest1.ContentLength := Length(buf);
   ScHttpWebRequest1.WriteBuffer(buf);
   Response:=ScHttpWebRequest1.GetResponse;
   ResponseStr:=Response.ReadAsString;
end;
With version 9.02, I was getting Error 40 returned.
With version 9.1 I'm getting "The CRL is not valid".

I'm not sure that the steps I've taken to populate the FileStorage are correct, and I'm ever more clueless on how to apply the cert/key data to the ScHttpWebRequest.

Can I please get clarification?

Thanks.

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Wed 27 Nov 2019 01:40

I went through all the help docs again, and realized I need to do the following:

Just Import the .pem file as certificate in ScFileStorage1 (with default "cert1" name).
Set ScHttpWebRequest.SSLOptions.Storage to ScFileStorage1
Set ScHttpWebRequest.SSLOptions.ClientCertificateName to 'cert1'

Clearly I was overthinking (or underthinking/under-reading) things.

I've tried a number of things, but always receive:

If a certificate is specified, it must have a private key.

At this point, I'm wondering if there's a way to use pfx directly, or some information on how to verify the conversion from pfx to pem worked (there's a "-----BEGIN ENCRYPTED PRIVATE KEY-----" segment in the pem file).

EdB

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Wed 27 Nov 2019 03:30

I just had what I thought was a flash of the blindingly obvious - I took the pfx file and converted to the three PEM files:

openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out <clientcert.key>
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out <clientcert.cer>
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain -out <cacerts.cer>

And imported the key (as cl_cert1_key), clientcert (as clCert1), and cacert into ScFileStorage.

I set SSLOptions.ClientCertificateName to clCert1;

Then modified the original code to load the key:

Code: Select all

 
   s856xml:=Get856Info(se1.AsInteger);
  buf := TEncoding.UTF8.GetBytes(s856xml);
  Cert:= ScFileStorage1.Certificates.FindCertificate('clCert1');
  if cert<>nil then
    cert.Key.ImportFrom('cl_cert1_key.key');

  ScHttpWebRequest1.ContentLength:=Length(buf);
  ScHttpWebRequest1.WriteBuffer(buf);
  try
    Response:=ScHttpWebRequest1.GetResponse;
I'm now getting The other side has sent a failure alert: [40].


I think I'm close - any suggestions?

ViktorV
Devart Team
Posts: 2803
Joined: Wed 30 Jul 2014 07:16

Re: PFX cert with ScHttpWebRequest

Post by ViktorV » Thu 28 Nov 2019 11:16

Your code that imports a certificate and a private key associated with the certificate is correct.
In order for us to be able to give you a detailed answer, we need a sample demonstrating the behavior you mentioned. Therefore, please, compose a small sample demonstrating the described behavior and send it to us using the contact form https://devart.com/company/contactform.html

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Thu 28 Nov 2019 22:47

Thanks Viktor.

I have to get permission from "the server end" to expose their cert info - it might be a couple of days.

Can you comment on the OpenSSL command lines I used to convert then pfx to pem - then extracted the ca,cl, clkey?

Thanks again.

EdB

ViktorV
Devart Team
Posts: 2803
Joined: Wed 30 Jul 2014 07:16

Re: PFX cert with ScHttpWebRequest

Post by ViktorV » Fri 29 Nov 2019 13:47

We think that those commands can be used to get the required files.

edbored
Posts: 5
Joined: Mon 25 Nov 2019 18:24

Re: PFX cert with ScHttpWebRequest

Post by edbored » Tue 03 Dec 2019 02:46

I finally got the right cert/key combination plugged in and working.

It POSTed and returned a response - once (every other time it complained about connection still open - that'll take some help-file reading to sort out).

I ended up having to convert the original pfx into cl_cert, ca_cert and key a couple of different ways.

I ended up using openssl s_client on command line to work out what worked and what failed:

Code: Select all

c:\openssl-win64\bin\openssl s_client -connect service-to-reach.com:443 -cert server.crt -showcerts -key server.key
I'll post the particular openssl pfx-to-pem and key commands I used (once I figure out which eventually worked!

Post Reply