I'm building a multi-platform client app using FireMonkey which will communicate with a server that will also be developed in house, so we were looking at using a self-signed certificate in this scenario.
According to this article: SSL / HTTPS on different platforms with TIdHTTP and TRESTClient, it seems that TRestClient has support for SSL out of the box and there is no need to assign an IO handler like with TIdHTTP. The problem is that I can't find a way to assign a self-signed certificate to TRestClient the way you can do it with the IdSSLIOHandlerSocketOpenSSL component. Also, TRestClient.HTTPClient does not seem to have a published IOHandler property the way Indy's HTTP component has.
My question is this:
Is there a way to provide a self-signed certificate to the TRestClient component in Delphi XE7, and how?
I'm trying to access a certain API and I have been provided with a smart card which contains the certificate that I'm supposed to use to establish an SSL connection with the said API. I'm trying to do this through a Delphi application.
The following is the info of the certificate:
The certificate used to establish a secure connection is stored on a smart card and it can be accessed from the PKI Applet using the PKCS#11 API. The certificate is loaded in the slot / token structure on the PKI Applet. After the certificate is extracted from the smart card (in DER format) it can be used as a standard X.509 certificate for TLS/SSL and HTTPS protocols.
I'm able to extract the certificate (via the pkcs11CertificateStorage tool from SecureBlackbox) but I'm having trouble using it for an SSL connection with Delphi.
Here's a simplified version of what I'm doing to attach the certificate to the request (using the ipWorks REST component):
var
  CertStorage: TsbxCertificateStorage;   // SecureBlackbox PKCS#11 certificate storage
  ipwREST1: TipwREST;                    // ipWorks REST component
begin
  // ... (components created, Pin / StorageFilename / RO set elsewhere)
  // Open the token on slot 0 with the user PIN
  CertStorage.Open('pkcs11://user:' + Pin + '#/' + StorageFilename + '?slot=0' + RO);
  // Pass the DER-encoded certificate extracted from the card to the REST component
  ipwREST1.SSLCertEncodedB := CertStorage.Certificates[0].Bytes;
  ipwREST1.Get('https://...');
end;
The error that I get from the REST component:
273: Could not acquire security credentials: error 0x8009030E
Which led me to the error explanation by the component developer:
When using a certificate for client authentication, ensure the certificate's private keys are accessible. The certificate in the Windows certificate store must contain the corresponding private keys, and be marked as exportable.
and I'm not sure how to interpret this.
I've tried saving the certificate in a file, using OpenSSL to convert it to PEM and attaching it in other ways, but with no success.
I feel like I'm missing something in my approach. Any help would be appreciated, thanks.
My application is written using Delphi 2007 and Indy 10. It uses certificates in .p12 files. I set Indy's CertFile, KeyFile and RootCertFile properties and everything works great.
But soon, it will be used for certificates stored on cryptographic cards or tokens.
Can Indy load an SSL certificate from a cryptographic card or token?
If not, how can I improve the application to use a certificate stored on a cryptographic card or token?
I state that I am not an expert.
I'm trying to create an encrypted TCP server/client. I have implemented SSL, and I created a self-signed key and its certificate.
I realized, thanks to many posts also read on this site, that I do not need to use the certificate. I refer in particular to a response by the user Remy Lebeau: Delphi Indy - How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10
Now I was wondering if you can, somehow, prevent man-in-the-middle attacks.
Or rather, if I embed the signature and fingerprint of the certificate in the app's code and verify them during the OnVerifyPeer event, is that enough?
I want to do Client/Server communication with HTTP/HTTPS encapsulation.
The HTTPS mode is used just for encrypting data, I don't need authentication.
For the HTTPS connection, I created and installed a certificate on the server side. Is it possible to connect to the server even if the client has no certificate? (I think yes, but....)
PS: I developed client on Windows, Android and iOS
Thanks
Yes if the cert is signed by a recognized CA (Certificate Authority); no if self-signed.
If you look in the Keychain under System Roots you will find over 200 CAs.
I'm working on an iOS application without authentication. Now I would like to protect my server API from calls other than from my iOS application. A possible solution would be to have the application generate a unique key (based on the app name and the signing), which is not stored on the device, since this is the main problem. I could think of an application logic that does some protection combined with some file encryption, but the problem is that somewhere something is stored (e.g. a public key can be stored in the keychain, but that is still not safe from my API hackers).
Does anyone have any tips/advice on how I can handle this?
thanks in advance
In short, there is no 100% secure way to make sure that the request comes from your application. If the key is available to the iPhone, it's available to extract from the iPhone.
You can make it reasonably safe by calculating a key runtime from info in the application as you say and communicate it over SSL, but a determined attacker can always reverse engineer the key generation too.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy it on your web server. You can use freely available tools for this, like keytool, and I think (but don't know for sure) that Apple includes a tool for this with the iOS SDK. Then create a self-signed client certificate and deploy that within your application in a custom keystore included in your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and to only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
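The two ideas above, pinning a self-signed certificate by its fingerprint in OnVerifyPeer (the earlier Indy question) and the mutually-authenticated setup this answer describes, as one added Indy 10 example that is not from any of the posts. It assumes Indy 10.6 or later (TIdX509.Fingerprints.SHA256AsString, the four-argument OnVerifyPeer event) and that the certificate/key file names passed in are yours.

```delphi
uses
  System.SysUtils, IdSSLOpenSSL;

// Compare two fingerprints ignoring case and the ':' separators Indy/OpenSSL print.
function SameFingerprint(const A, B: string): Boolean;
  function Norm(const S: string): string;
  var
    C: Char;
  begin
    Result := '';
    for C in S do
      if CharInSet(C, ['0'..'9', 'a'..'f', 'A'..'F']) then
        Result := Result + UpCase(C);
  end;
begin
  Result := Norm(A) = Norm(B);
end;

type
  // Holds one pinned SHA-256 fingerprint and accepts only that exact leaf certificate.
  TCertPin = class
    Expected: string; // e.g. the output of: openssl x509 -noout -fingerprint -sha256
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
  end;

function TCertPin.VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // AOk is False for a self-signed peer (no trusted root); the pin, not the trust store, decides.
  Result := (ADepth = 0) and SameFingerprint(Certificate.Fingerprints.SHA256AsString, Expected);
end;

// Client side: present our own client certificate and accept only the pinned server certificate.
procedure ConfigureClient(IO: TIdSSLIOHandlerSocketOpenSSL; Pin: TCertPin; const ClientCert, ClientKey: string);
begin
  IO.SSLOptions.Method := sslvTLSv1_2;
  IO.SSLOptions.CertFile := ClientCert;
  IO.SSLOptions.KeyFile := ClientKey;
  IO.SSLOptions.VerifyMode := [sslvrfPeer]; // without sslvrfPeer OnVerifyPeer never fires
  IO.SSLOptions.VerifyDepth := 1;
  IO.OnVerifyPeer := Pin.VerifyPeer;
end;

// Server side: require a client certificate and accept only the pinned one.
procedure ConfigureServer(IO: TIdServerIOHandlerSSLOpenSSL; Pin: TCertPin; const ServerCert, ServerKey: string);
begin
  IO.SSLOptions.Method := sslvTLSv1_2;
  IO.SSLOptions.CertFile := ServerCert;
  IO.SSLOptions.KeyFile := ServerKey;
  IO.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert]; // handshake fails with no client cert
  IO.SSLOptions.VerifyDepth := 1;
  IO.OnVerifyPeer := Pin.VerifyPeer;
end;
```

Assign the configured IO handler to TIdHTTP.IOHandler on the client and to TIdHTTPServer.IOHandler on the server; a connection from anything that does not present the pinned client certificate is rejected during the handshake, before any request is read.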