Writing ASP Code to Read Client-Side Certificates

As you might recall, Active Server Pages has six built-in objects: Request, Response, Application, Session, Server, and ObjectContext. The Request object has a collection named ClientCertificate. This collection can be accessed via ASP to read the values in a client certificate.

If the Web browser connects to your Web server over Secure Sockets Layer and the server requests a client certificate, the items in this collection will contain information about the client's certificate. You can tell when an SSL connection is being used because the address in the browser begins with https:// instead of http://.

The syntax for retrieving these certificates is

 Request.ClientCertificate( Key[SubField] ) 

Table 23-2 lists the possible key values, along with their uses.

Table 23-2. Key values in the ClientCertificate collection of the Request object.

Key           Use
Subject       A list of values that contain information about the subject of the certificate. Subfields are used with this key to extract the individual values from the list.
Issuer        A list of values that contain information about the issuer of the certificate. Subfields are used with this key to extract the individual values from the list.
ValidFrom     A valid date that indicates when the certificate becomes active.
ValidUntil    A valid date that indicates when the certificate expires.
SerialNumber  A string that represents the serial number. This string is a series of hexadecimal bytes separated by hyphens.
Certificate   The entire certificate (all the previous keys). It is represented in a binary format, so it's best to use the other keys to obtain the values.
Flags         A set of flags that provide additional client certificate information. The following flags can be set:
              ceCertPresent - a client certificate is present.
              ceUnrecognizedIssuer - the last certificate in this chain is from an unknown issuer.

A variety of subfield values are available to extract specific information from the Subject and Issuer keys. Table 23-3 shows some of the common subfield values for these keys.

Table 23-3. Subfield values for the Subject and Issuer keys.

Subfield  Use
C         Specifies the name of the country of origin
CN        Specifies the common name of the user; only used with the Subject key
GN        Specifies a given name
I         Specifies a set of initials
L         Specifies a locality
O         Specifies the company or organization name
OU        Specifies the name of the organizational unit
S         Specifies a state or province
T         Specifies the title of the person or organization

The code below is taken from a sample Web page named ClientCertificate.asp in the Certificate Web project included on the CD-ROM. This sample page shows how to read the values in a client certificate using the Request object and displays the values in the browser.

 <%@ Language=VBScript %>
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
 </HEAD>
 <BODY>
 <H2>Client Certificate Sample</H2>
 <HR>
 <%
 ' An empty Subject means the browser presented no certificate.
 If Len(Request.ClientCertificate("Subject")) = 0 Then
     Response.Write "No client certificate was presented"
 Else
     Response.Write "<TABLE BORDER=1 CELLSPACING=5 CELLPADDING=5>"
     ' Subject, Issuer, SerialNumber and Certificate are returned as strings.
     ' ValidFrom and ValidUntil are dates and Flags is a number, so they are
     ' wrapped in CStr before being concatenated with the HTML markup.
     Response.Write "<TR><TD>Subject</TD><TD>" & _
         Request.ClientCertificate("Subject") & "</TD></TR>"
     Response.Write "<TR><TD>Issuer</TD><TD>" & _
         Request.ClientCertificate("Issuer") & "</TD></TR>"
     Response.Write "<TR><TD>ValidFrom</TD><TD>" & _
         CStr(Request.ClientCertificate("ValidFrom")) & "</TD></TR>"
     Response.Write "<TR><TD>ValidUntil</TD><TD>" & _
         CStr(Request.ClientCertificate("ValidUntil")) & "</TD></TR>"
     Response.Write "<TR><TD>SerialNumber</TD><TD>" & _
         Request.ClientCertificate("SerialNumber") & "</TD></TR>"
     Response.Write "<TR><TD>Certificate</TD><TD>" & _
         Request.ClientCertificate("Certificate") & "</TD></TR>"
     Response.Write "<TR><TD>Flags</TD><TD>" & _
         CStr(Request.ClientCertificate("Flags")) & "</TD></TR>"
     Response.Write "</TABLE>"
 End If
 %>
 </BODY>
 </HTML>

Figure 23-10 shows an example of the resulting browser output from the ClientCertificate.asp page.


Figure 23-10. The Internet Explorer 4.0 browser showing the output from the ClientCertificate.asp page that lists the values of the keys within a client certificate that has been presented to the Web server.

Of course, in a real application you would read the values in the client certificate to determine whether the user is authorized to have access to your application instead of simply returning the values back to the browser. For example, you might use the common name (CN), organization name (O), or the organizational unit name (OU) subfield values of the Subject key to identify the user.

Once you have identified the user, you can take whatever next steps you need to within your particular application. This might include any of the following: redirecting to a page specific to the user's role; performing a database lookup on one of the certificate subfield values to gather more information and ensure that the user is a valid business partner, customer, or employee; displaying a personalized welcome message; or many others. You could even read the EMAIL subfield value to send personalized e-mail messages (using the CDONTS NewMail server-side component) for cross-selling and other purposes.

To read a subfield value within ASP, you simply add the subfield to the key name, as shown here:

 CommonName = Request.ClientCertificate("SubjectCN") 

In this example, the common name subfield value of the Subject key is stored in a variable named CommonName.

The following code reads the e-mail address of the end user from their client certificate:

 EMail = Request.ClientCertificate("SubjectEMAIL") 
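The authorization pattern described above, carried through as an added example that is not part of the book's Certificate Web project: the Flags key is checked before the Subject subfields are trusted, the validity window is compared against the server clock, and only then are the O, OU and CN subfields used to identify the user. The flag constants are the ones defined in cervbs.inc; EXPECTED_O and EXPECTED_OU are hypothetical values for the organization and unit your certificate authority issues certificates to.

```vbscript
<%@ Language=VBScript %>
<%
' Added example (not from the book's CD-ROM project): gate access on the
' presented client certificate instead of echoing its values back.
' Flag bit values as defined in cervbs.inc.
Const ceCertPresent = 1
Const ceUnrecognizedIssuer = 2

' Hypothetical values for this site: the organization and unit that the
' trusted CA issues partner certificates to. Adjust for your own naming scheme.
Const EXPECTED_O  = "Example Corp"
Const EXPECTED_OU = "Partners"

Function CertIsAcceptable()
    Dim flags
    CertIsAcceptable = False
    flags = Request.ClientCertificate("Flags")
    ' No certificate at all (also the case when the page is reached over http://).
    If (flags And ceCertPresent) = 0 Then Exit Function
    ' The chain ends at an issuer the server does not recognize, so the
    ' Subject fields cannot be trusted for identification.
    If (flags And ceUnrecognizedIssuer) <> 0 Then Exit Function
    ' Validity window, compared against the server's clock.
    If Now() < Request.ClientCertificate("ValidFrom") Then Exit Function
    If Now() > Request.ClientCertificate("ValidUntil") Then Exit Function
    ' Only now use the Subject subfields; the comparison is case-sensitive.
    If StrComp(Request.ClientCertificate("SubjectO"), EXPECTED_O, vbBinaryCompare) <> 0 Then Exit Function
    If StrComp(Request.ClientCertificate("SubjectOU"), EXPECTED_OU, vbBinaryCompare) <> 0 Then Exit Function
    CertIsAcceptable = True
End Function

If CertIsAcceptable() Then
    ' Identify the user by common name; look this value up in your own user
    ' store (the database lookup mentioned above) before granting any role.
    Session("UserCN") = Request.ClientCertificate("SubjectCN")
    Response.Write "Welcome, " & Server.HTMLEncode(Session("UserCN"))
Else
    Response.Status = "403 Forbidden"
    Response.Write "A valid client certificate from an approved issuer is required."
End If
%>
```

The CN is HTML-encoded before it is written back because it is text chosen by whoever requested the certificate, not by your application.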

Using the ServerVariables Collection

In addition to using the ClientCertificate collection of the Request object to read client certificates, you can get a lot of useful information from the ServerVariables collection.

The code below is taken from a sample Web page named ServerVariables.asp in the Certificate Web project included on the CD-ROM. This sample page shows how to read the values that relate to both the client certificate and the server certificate using the Request.ServerVariables syntax and displays the values in the browser.

 <%@ Language=VBScript %>
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
 </HEAD>
 <BODY>
 <H2>Client Certificate (ServerVariables) Sample</H2>
 <HR>
 <%
 ' Every ServerVariables value is a string, so no CStr conversion is needed.
 ' CERT_* variables describe the client certificate; CERT_SERVER_* variables
 ' describe the server's own certificate.
 Response.Write "<TABLE BORDER=1 CELLSPACING=5 CELLPADDING=5>"
 Response.Write "<TR><TD>CERT_COOKIE</TD><TD>" & _
     Request.ServerVariables("CERT_COOKIE") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_FLAGS</TD><TD>" & _
     Request.ServerVariables("CERT_FLAGS") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_ISSUER</TD><TD>" & _
     Request.ServerVariables("CERT_ISSUER") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_KEYSIZE</TD><TD>" & _
     Request.ServerVariables("CERT_KEYSIZE") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_SECRETKEYSIZE</TD><TD>" & _
     Request.ServerVariables("CERT_SECRETKEYSIZE") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_SERIALNUMBER</TD><TD>" & _
     Request.ServerVariables("CERT_SERIALNUMBER") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_SERVER_ISSUER</TD><TD>" & _
     Request.ServerVariables("CERT_SERVER_ISSUER") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_SERVER_SUBJECT</TD><TD>" & _
     Request.ServerVariables("CERT_SERVER_SUBJECT") & "</TD></TR>"
 Response.Write "<TR><TD>CERT_SUBJECT</TD><TD>" & _
     Request.ServerVariables("CERT_SUBJECT") & "</TD></TR>"
 Response.Write "</TABLE>"
 %>
 </BODY>
 </HTML>

Figure 23-11 shows an example of the resulting browser output from the ServerVariables.asp page.


Figure 23-11. The Internet Explorer 4.0 browser showing the output from the ServerVariables.asp page that lists several values of the keys from both a client certificate and server certificate.



Programming Microsoft Visual InterDev 6.0
ISBN: 1572318147
Year: 2005
Pages: 143