IndySSL - using certificate authentication - …

2008-04-09 04:23:26 Source: Internet


This document explains how to use certificate authentication when connecting to a site that requires it. We are using Indy components on the client side and some server (MS IIS, Apache, …) on the server side. In the example we use the HTTP protocol, because such an environment is very easy to set up.
First of all we must get a certificate and private key for the client. Let's suppose that we got a private key/certificate pair from some Certificate Authority (like Verisign) and that it is listed in MS IE in the Personal Certificates store.

Task 1. Convert the certificate from MS format to PEM format used by OpenSSL

First we have to export the certificate to a PFX file (Personal Information Exchange format); it is assumed that the private key is exported along with it. We can protect this file with a password, but for the sake of the example let's not.
When we have this file (in our case test_b.pfx), we have to convert it to PEM format. Together with the IndySSL DLLs we also distribute a precompiled openssl.exe utility that can be used for the conversion.

The proper parameters are:
openssl.exe pkcs12 -in test_b.pfx -out test_b.pem

We will be asked for passwords: first to unlock the PFX file (we didn't specify one), and then for a password to protect the private key part in the PEM file. This is the password that will later be used to unlock the private key in the demo. Let's suppose we use aaaa (four letters a) as the password.
If we look at the PEM file we will notice that it has two parts: the private key and the certificate (public key), plus some informational statements. We have to split these two parts into separate files, because the Indy SSL client needs them separated.

So, let's create a first file called test_b_key.pem and copy/paste everything between
-----BEGIN RSA PRIVATE KEY----- and
-----END RSA PRIVATE KEY-----
including those two lines, into this new file and save it.
Create also the certificate file called test_b_crt.pem and copy/paste everything between
-----BEGIN CERTIFICATE----- and
-----END CERTIFICATE-----
including those two lines, into this new file and save it.

Now we also need the Certificate Authority certificate file. This can be obtained from MSIE under Trusted Root Certification Authorities. Select the authority that issued your certificate and export it in Base64 (.cer) format. This format is the same as PEM, so you can simply rename the file test_b_ca.crt to test_b_ca.pem and you have the proper file.

We have now all the files that we require so we can start coding in Delphi.

Let's create a new application.

Put an IdHTTP component and an IdSSLIOHandlerSocket on it and save the project.
Now we will specify those certificate files in the IdSSLIOHandlerSocket component.

Set the property:
- CertFile to test_b_crt.pem,
- KeyFile to test_b_key.pem,
- RootCertFile to test_b_ca.pem.

Set the property Method to sslvSSLv23 so that the SSL protocol version (SSL v2 or SSL v3) is negotiated automatically.
Set the property VerifyDepth to 2; this means that we accept the server certificate (of the server we connect to) up to 2 levels of certificate chain (CA1 -> CA2 -> server certificate). In our case we have only one level, so the value 2 will be fine.
Now we have to connect the IdHTTP component to the IdSSLIOHandlerSocket. This is done by choosing IdSSLIOHandlerSocket1 in the IOHandler property of the IdHTTP1 component.
Set the Port of IdHTTP1 to 443, the HTTPS port.

Create an OnGetPassword event handler; it will be fired when the client needs to access the private key. In this handler you supply the password for unlocking the key.

procedure TForm1.IdSSLIOHandlerSocket1GetPassword(var Password: String);
begin
  // Password that protects the private key part of test_b_key.pem
  Password := 'aaaa';
end;

Now add a button to the form that will trigger the fetch of the HTTP address, and a memo box that will show the result. We used something like this:

procedure TForm1.Button1Click(Sender: TObject);
begin
  Memo1.Clear;
  // The client certificate is presented during the SSL handshake of this request
  Memo1.Lines.Text := IdHTTP1.Get('https://rotel/test/');
end;

Now you can set the verify options:
- sslvrfPeer forces checking that the other side has a proper, valid certificate,
- sslvrfFailNoPeerCert checks that the other side presented a certificate at all (used mostly in server applications),
- sslvrfClientOnce checks the certificate only once per SSL session, so not every request is checked.

If you specify the OnVerifyPeer event, you can additionally check the properties of the other side's certificate, for example that a user certificate's properties match your user database, the role of the user, or something like this.
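As an added example (not code from the original article), here is the same setup done in code instead of the Object Inspector, with an OnVerifyPeer handler that only accepts the server when OpenSSL's own chain check passed and the certificate subjects match the ones we expect. It assumes the Indy version used in the article (properties under SSLOptions, OnGetPassword(var Password: String), OnVerifyPeer(Certificate: TIdX509; AOk: Boolean): Boolean, and TIdX509.Subject.OneLine); the expected subject strings and the unit layout (methods declared in TForm1) are assumptions.

```delphi
// Added example, not from the original article. Assumes the Indy version the
// article uses: properties under SSLOptions, OnGetPassword(var Password: String)
// and OnVerifyPeer(Certificate: TIdX509; AOk: Boolean): Boolean, with
// TIdX509.Subject.OneLine available. The two subject strings are placeholders.
uses
  SysUtils, IdHTTP, IdSSLOpenSSL;

const
  // Placeholders: the subjects of the server certificate and of the CA
  // that issued it, exactly as OpenSSL prints them (Subject.OneLine).
  EXPECTED_SERVER_SUBJECT = '/CN=rotel';
  EXPECTED_CA_SUBJECT     = '/CN=Example Test CA';

procedure TForm1.FormCreate(Sender: TObject);
begin
  with IdSSLIOHandlerSocket1.SSLOptions do
  begin
    CertFile     := 'test_b_crt.pem';  // client certificate
    KeyFile      := 'test_b_key.pem';  // client private key (password protected)
    RootCertFile := 'test_b_ca.pem';   // CA we trust for the server certificate
    Method       := sslvSSLv23;
    VerifyDepth  := 2;
    // Without sslvrfPeer OpenSSL does not verify the server chain at all
    // and OnVerifyPeer is never consulted.
    VerifyMode   := [sslvrfPeer];
  end;
  IdSSLIOHandlerSocket1.OnGetPassword := IdSSLIOHandlerSocket1GetPassword;
  IdSSLIOHandlerSocket1.OnVerifyPeer  := IdSSLIOHandlerSocket1VerifyPeer;
  IdHTTP1.IOHandler := IdSSLIOHandlerSocket1;
  IdHTTP1.Port := 443;
end;

procedure TForm1.IdSSLIOHandlerSocket1GetPassword(var Password: String);
begin
  Password := 'aaaa';  // unlocks test_b_key.pem, as in the article
end;

// Called once per certificate in the chain (CA first, then the server).
// AOk is OpenSSL's verdict for that certificate: never turn a False into
// True; only add restrictions on top of a passing verdict.
function TForm1.IdSSLIOHandlerSocket1VerifyPeer(Certificate: TIdX509;
  AOk: Boolean): Boolean;
var
  Subject: String;
begin
  Subject := Certificate.Subject.OneLine;
  Result := AOk and ((Subject = EXPECTED_SERVER_SUBJECT) or
                     (Subject = EXPECTED_CA_SUBJECT));
  if not Result then
    Memo1.Lines.Add('Rejected certificate: ' + Subject);
end;
```

Returning False from the handler aborts the handshake, so IdHTTP1.Get raises an exception instead of talking to a server whose certificate you did not expect.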
