IndySSL - using certificate authentication - Client side issues [zz]

王朝delphi · author unknown · 2006-01-09

This document explains how to use client certificate authentication when connecting to a site that requires it. We use Indy components on the client side and some web server (MS IIS, Apache, ...) on the server side. The example uses HTTP, because such an environment is very easy to set up.

First of all we need a certificate and private key for the client. Let's suppose that we obtained a private key/certificate pair from some Certificate Authority (such as Verisign) and that it is listed in MS IE in the Personal certificate store.

Task 1. Convert the certificate from MS format to PEM format used by OpenSSL

First we export the certificate, together with its private key (the export wizard must be told to include it), to a PFX file (Personal Information Exchange format). The file can be protected with a password; for the sake of the example we don't set one here, although an exported private key should normally always be password protected.

When we have this file, test_b.pfx in our case, we have to convert it to PEM format. The precompiled openssl.exe utility distributed together with the IndySSL DLLs can do the conversion.

The proper parameters are:

openssl.exe pkcs12 -in test_b.pfx -out test_b.pem

We will be asked for two passwords: first the import password that unlocks the PFX file (we didn't set one, so just press Enter), then a PEM pass phrase that encrypts the private key part of the PEM file. This second password is the one the demo will later use to unlock the private key. Let's suppose that we use 'aaaa' (four letters a).

If we look at the PEM file we will notice two parts in it: the private key and the certificate (public key) part, surrounded by some informational lines (Bag Attributes, subject=, issuer=). We have to put those two parts into separate files, because the Indy SSL client expects them separately.

So, let's create a first file called test_b_key.pem and copy/paste everything between

-----BEGIN RSA PRIVATE KEY----- and

-----END RSA PRIVATE KEY-----

with those two lines included, and save it. Make sure the Proc-Type: and DEK-Info: header lines that follow the BEGIN line go along with it: they describe how the key is encrypted, and the key cannot be loaded without them. Newer OpenSSL releases write the key in PKCS#8 form between -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY-----; copy whichever header/footer pair your file contains.

Create also the certificate file called test_b_crt.pem and copy/paste everything between

-----BEGIN CERTIFICATE----- and

-----END CERTIFICATE-----

with those two lines included, and save it. If the file contains more than one CERTIFICATE block (the PFX also held the CA chain), the client certificate is the block whose preceding subject= line names you.

Now we also need the Certificate Authority certificate file. This can be obtained from MSIE in the Trusted Root Certification Authorities store. Select the authority that issued your certificate and export it in Base-64 encoded X.509 (.CER) format. This format is the same as PEM, so you can simply rename the exported file (test_b_ca.crt here) to test_b_ca.pem and you have the proper file. If your certificate was issued by an intermediate CA, export the intermediate certificate as well and append it to the same file: RootCertFile may contain several certificates, one after the other.
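The copy/paste step above can be automated. The following Python script is an added example (it is not part of the original article): it splits the PEM that openssl pkcs12 wrote into the key file and the certificate file, keeps the Proc-Type/DEK-Info lines of an encrypted key together with it, accepts both the old RSA PRIVATE KEY and the newer PKCS#8 ENCRYPTED PRIVATE KEY labels, and refuses to guess when the PFX also contained CA certificates. In that case let openssl produce the two files directly with openssl pkcs12 -in test_b.pfx -nocerts -out test_b_key.pem and openssl pkcs12 -in test_b.pfx -clcerts -nokeys -out test_b_crt.pem. The embedded SAMPLE_PEM is constructed in the shape openssl prints; its base64 bodies are placeholders, not a real key or certificate.

```python
"""Split the PEM written by `openssl pkcs12 -in test_b.pfx -out test_b.pem`
into the two files Indy expects: the private key (KeyFile) and the client
certificate (CertFile). Added example, not code from the original article."""
import re
import sys
from pathlib import Path

# One armoured block: the BEGIN line and everything up to the matching END line.
# For an encrypted "traditional" key the Proc-Type/DEK-Info header lines sit
# between BEGIN and the base64 body; they belong to the block and are kept.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n.*?-----END (?P=label)-----",
    re.DOTALL,
)

# Labels OpenSSL uses for the key depending on version and options: older
# releases write "RSA PRIVATE KEY", OpenSSL 3 defaults to PKCS#8
# "ENCRYPTED PRIVATE KEY" (or plain "PRIVATE KEY" with -nodes / -noenc).
KEY_LABELS = ("RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "PRIVATE KEY")


def split_pem(text: str) -> dict:
    """Map each label to its armoured blocks, in file order. Lines outside the
    armour (Bag Attributes, subject=, issuer=, ...) are informational and dropped."""
    blocks = {}
    for m in PEM_BLOCK.finditer(text):
        blocks.setdefault(m.group("label"), []).append(m.group(0) + "\n")
    return blocks


def select_key_and_cert(text: str):
    """Return (key_block, cert_block). Refuses ambiguous input rather than
    guessing which of several certificates is the client's."""
    blocks = split_pem(text)
    keys = [b for label in KEY_LABELS for b in blocks.get(label, [])]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    certs = blocks.get("CERTIFICATE", [])
    if len(certs) != 1:
        # The PFX also held CA certificates: re-export the client certificate alone
        # with `openssl pkcs12 -in test_b.pfx -clcerts -nokeys -out test_b_crt.pem`.
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    return keys[0], certs[0]


def write_key_and_cert(pem_path, key_path, cert_path) -> None:
    """Write KeyFile and CertFile for the IdSSLIOHandlerSocket component."""
    key, cert = select_key_and_cert(Path(pem_path).read_text())
    Path(key_path).write_text(key)
    Path(cert_path).write_text(cert)


# Constructed sample in the shape `openssl pkcs12` prints; the base64 bodies
# are placeholders, not a real key or certificate.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

UExBQ0VIT0xERVIgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03 04
subject=/C=SI/O=INTELICOM/CN=test_b
issuer=/C=SI/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCBCT0RZ
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: split_pem.py test_b.pem test_b_key.pem test_b_crt.pem")
    write_key_and_cert(sys.argv[1], sys.argv[2], sys.argv[3])
```

Run it as split_pem.py test_b.pem test_b_key.pem test_b_crt.pem; the resulting files are exactly what the CertFile and KeyFile properties below point to.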

We have now all the files that we require so we can start coding in Delphi.

Let's create a new application.

Put an IdHTTP component and an IdSSLIOHandlerSocket component on the form (in Indy 10 the latter is called IdSSLIOHandlerSocketOpenSSL) and save the project.

Now we will specify those certificate files in the IdSSLIOHandlerSocket component.

Set the property:

- CertFile to test_b_crt.pem,

- KeyFile to test_b_key.pem,

- RootCertFile to test_b_ca.pem.

Set the property Method to sslvSSLv23 so the SSL library negotiates the highest protocol version both sides support automatically (at the time of writing, SSL 2 or SSL 3). Caveat: SSL 2 and SSL 3 are broken and current OpenSSL builds refuse them; with Indy 10 set SSLOptions.SSLVersions to TLS 1.2 or newer instead.

Set the property VerifyDepth to 2. This means that we accept the server certificate (of the server we connect to) with a certificate chain of up to 2 levels above it (CA1 -> CA2 -> server certificate). In our case there is only one level, so the value 2 is fine.

Now we have to connect the components IdHTTP to IdSSLIOHandlerSocket. This is done by choosing the IdSSLIOHandlerSocket1 in IOHandler property of IdHTTP1 component.

Set the Port of IdHTTP1 to 443, that is the HTTPS protocol port.

Create an OnGetPassword event handler. It is fired when the client needs to unlock the private key, and in it you supply the pass phrase chosen during the PEM conversion. In a real client the pass phrase should not be hard-coded in the source as it is in this demo.

procedure TForm1.IdSSLIOHandlerSocket1GetPassword(var Password: String);
begin
  // Demo only: the pass phrase that was chosen when the key was converted to PEM.
  Password := 'aaaa';
end;

Now add a button on the form that will trigger the read of the HTTPS address, and a memo box that will show the result. We used something like this:

procedure TForm1.Button1Click(Sender: TObject);
begin
  Memo1.Clear;
  // IdHTTP1.IOHandler is IdSSLIOHandlerSocket1, so this Get performs the SSL
  // handshake, presenting the client certificate, before the request is sent.
  Memo1.Lines.Text := IdHTTP1.Get('https://rotel/test/');
end;

Now you can set the verify options in VerifyMode: sslvrfPeer makes the client check that the other side presents a valid certificate chaining to RootCertFile; sslvrfFailNoPeerCert rejects a peer that presents no certificate at all (used mostly in server applications, since a server always sends one); sslvrfClientOnce verifies the client certificate only once per SSL session rather than on every renegotiation (also a server-side option). Caveat: with an empty VerifyMode the client does not verify the server certificate at all, so any certificate, including one forged by a man in the middle, is accepted; a client should always include sslvrfPeer. Note also that the Indy handler described here does not check that the host name in the URL matches the server certificate; if you need that, do it yourself in OnVerifyPeer.

If you assign the OnVerifyPeer event, you can additionally inspect the properties of the peer certificate, for example match a user certificate against your user database, derive the role of the user, or something similar.

Note that VerifyMode must include sslvrfPeer, otherwise the OnVerifyPeer event is never triggered.

Sample of verification code:

function TForm1.IdSSLIOHandlerSocket1VerifyPeer(Certificate: TIdX509): Boolean;
begin
  // Accept only certificates whose subject mentions INTELICOM (Indy 9 event signature).
  Result := Pos('INTELICOM', UpperCase(Certificate.Subject.OneLine)) > 0;
end;

If you return True the peer is accepted, otherwise the connection is refused. Either way the peer certificate must still validate against RootCertFile; the purpose of this event is to narrow the group of users with valid certificates down to those you want to admit. Two caveats. First, the Pos test above matches the string anywhere in the subject, so a certificate from the same CA whose CN merely contains INTELICOM would pass; compare the organisation attribute exactly, or better, look the CN or serial number up in your user database. Second, in Indy 10 the event has the signature function(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean, is called once for every certificate in the chain, and returning True when AOk is False overrides OpenSSL's failed validation; such a handler must return AOk combined with your own check, and should apply the subject test only at ADepth = 0.
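To show why a substring test is a weak authorization rule, here is the same policy in Python as an added example (it is not the article's Delphi code): it parses the one-line subject string that Indy exposes as Certificate.Subject.OneLine, compares the O attribute exactly, looks the CN up in a user table, and, following the Indy 10 event semantics, never overrides OpenSSL's own verdict and only applies the subject test to the leaf certificate. USERS, EXPECTED_ORG and the three sample subjects are constructed assumptions.

```python
"""OnVerifyPeer-style authorization policy on an OpenSSL one-line subject,
e.g. "/C=SI/O=INTELICOM/CN=test_b". Added example, not the article's code."""
from typing import List, Optional, Tuple

# Constructed user database: certificate CN -> role. A real client would
# consult its own user store here.
USERS = {"test_b": "operator", "alice": "admin"}
EXPECTED_ORG = "INTELICOM"

# Constructed subjects: a legitimate user, a certificate from another
# organisation whose CN happens to contain the magic word, and an unknown
# user from the right organisation.
LEGIT = "/C=SI/O=INTELICOM/CN=test_b"
IMPOSTOR = "/C=SI/O=Another Org/CN=intelicom-support"
UNKNOWN = "/C=SI/O=INTELICOM/CN=mallory"


def parse_oneline(subject: str) -> List[Tuple[str, str]]:
    """Parse X509_NAME_oneline output into ordered (attribute, value) pairs.
    Caveat: this format does not escape '/', so a value containing '/' is
    ambiguous; when that matters, read the attributes individually instead."""
    pairs = []
    for part in subject.split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((key, value))
    return pairs


def substring_check(subject: str) -> bool:
    """What the article's handler does: Pos('INTELICOM', UpperCase(OneLine)) > 0."""
    return EXPECTED_ORG in subject.upper()


def authorize(subject: str) -> Optional[str]:
    """Stricter policy: O must equal EXPECTED_ORG exactly and CN must be a known
    user. Returns the user's role, or None to reject."""
    attrs = dict(parse_oneline(subject))
    if attrs.get("O") != EXPECTED_ORG:
        return None
    return USERS.get(attrs.get("CN", ""))


def verify_peer(subject: str, openssl_ok: bool, depth: int) -> bool:
    """Mirror of an Indy 10 OnVerifyPeer handler: never accept a certificate
    OpenSSL rejected, leave CA certificates (depth > 0) to chain validation,
    and apply the authorization policy to the leaf (depth 0) only."""
    if not openssl_ok:
        return False
    if depth > 0:
        return True
    return authorize(subject) is not None
```

The substring rule accepts all three constructed subjects, while the attribute rule admits only test_b with role operator; and verify_peer rejects even test_b when OpenSSL's own validation of the chain failed.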

[ Reposted from http://www.intelicom.si/domcms.nsf/web/en.products001.html ]

 
 
 