5 Replies Latest reply on May 21, 2008 9:47 AM by Jeesmon

    Send Client Certificate to WebService

    checoder
      I'm deploying a project that needs to communicate with a secure webservice over https. The server only accepts connections with x509 client certificates and it is the CA.
      Is there a way to authenticate an AIR application using client certificates?
      I have already downloaded hurlant's library, but I don't know if it's the solution, and I don't know how to use it.
        • 1. Re: Send Client Certificate to WebService
          Level 1
          I didn't understand the entire picture of your problem and how the x509 authentication works for WS. But it's worth looking at the TLSEngine and TLSTest classes in hurlant's library, especially the connectLoginYahooCom() method in TLSTest for establishing a secure connection by sending a client certificate.
          • 2. Re: Send Client Certificate to WebService
            checoder Level 1
            The question is, can I use the certificates installed in Internet Explorer? Has anybody used hurlant's library in production? What is the best way to communicate through SSL using client certificates? I can't believe that anybody has already deployed an AIR application with a PKI.
            • 3. Re: Send Client Certificate to WebService
              Level 1
              AFAIK, there is no API available for accessing the Windows cert store from an AIR app, but it seems like the AIR runtime is using the Windows cert store (not 100% sure) and pops up the warning dialogs that IE shows (confirmed) when we try to connect to an https URL with test certs. I think that's the reason why hurlant's library has a Perl script to download CA root certs from Mozilla. What we do in our app is go through a native component layer for all SSL cert related stuff and communicate with the native component from AIR through socket communication. We decided to go that route until AIR exposes Windows CAPI.
              • 4. Re: Send Client Certificate to WebService
                checoder Level 1
                Thanks for the information. I'm a newbie with certificates. Do you know if I can send the certificate before sending a webservice request?

                For example:
                var test:com.hurlant.crypto.tls.TLSTest;
                test = new TLSTest();
                test.connectURL("https://www4.aeat.es/es13/h/ie71000f.html");
                servicio.url="https://www4.aeat.es/es13/h/ie71000f.html";
                servicio.send();
                • 5. Re: Send Client Certificate to WebService
                  Level 1
                  Looks like we need to wait for hurlant to complete the TLS support in his library to get the x509 auth working:

                  ==============
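                  import flash.events.Event;
                  import com.hurlant.crypto.tls.TLSSocket;

                  var host:String = "www4.aeat.es";
                  var t:TLSSocket = new TLSSocket;
                  t.connect(host, 443);
                  // The path belongs in the request line; the Host header carries only the host name.
                  t.writeUTFBytes("GET /es13/h/ie71000f.html HTTP/1.0\r\nHost: " + host + "\r\n\r\n");
                  // Dump whatever was received once the TLS layer closes the connection.
                  t.addEventListener(Event.CLOSE, function(e:*):void {
                      var s:String = t.readUTFBytes(t.bytesAvailable);
                      trace("Response from "+host+": "+s.length+" characters");
                      trace(s);
                  });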
                  ===========

                  Trace output:
                  TLSEngine shutdown triggered by Error: Certificate Request Not Implemented
                  Response from www4.aeat.es: 0 characters
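
What the trace above means at the protocol level, as an added example that is not part of the original thread or of hurlant's library: the server sent a TLS CertificateRequest handshake message (msg_type 13), which the client could not process. The Python sketch below parses that message in its TLS 1.0/1.1 layout (an assumption; TLS 1.2 adds a signature-algorithms field) from a constructed sample, showing the certificate types and CA names a client must match before it can answer.

```python
HANDSHAKE_CERTIFICATE_REQUEST = 13  # TLS handshake msg_type for CertificateRequest
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}

# Constructed sample: DER-encoded X.501 Name holding only CN=Example CA.
SAMPLE_DN = bytes.fromhex("3015311330110603550403130a") + b"Example CA"


def _take(buf: bytes, off: int, n: int):
    """Return (n bytes at off, new offset), refusing to read past the buffer."""
    if off + n > len(buf):
        raise ValueError("truncated CertificateRequest")
    return buf[off:off + n], off + n


def parse_certificate_request(msg: bytes) -> dict:
    """Parse one handshake message; return the server's client-cert demands."""
    header, _ = _take(msg, 0, 4)
    if header[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError(f"not a CertificateRequest (msg_type={header[0]})")
    length = int.from_bytes(header[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    # certificate_types: 1-byte count, then one byte per acceptable type
    raw, off = _take(body, 0, 1)
    types, off = _take(body, off, raw[0])
    # certificate_authorities: 2-byte total length, then length-prefixed DER names
    raw, off = _take(body, off, 2)
    ca_block, off = _take(body, off, int.from_bytes(raw, "big"))
    if off != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    cas, pos = [], 0
    while pos < len(ca_block):
        raw, pos = _take(ca_block, pos, 2)
        dn, pos = _take(ca_block, pos, int.from_bytes(raw, "big"))
        cas.append(dn)
    return {"certificate_types": [CERT_TYPES.get(t, f"unknown({t})") for t in types],
            "certificate_authorities": cas}


def build_sample() -> bytes:
    """Constructed message: server accepts rsa_sign or dss_sign, names one CA."""
    cas = len(SAMPLE_DN).to_bytes(2, "big") + SAMPLE_DN
    body = bytes([2, 1, 2]) + len(cas).to_bytes(2, "big") + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    print(parse_certificate_request(build_sample()))
```

A client that supports X.509 authentication answers this message with its own Certificate and CertificateVerify handshake messages, choosing a certificate whose issuer appears in the returned CA list.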