WCF wsHttpBinding 客户端证书身份验证,无需在客户端中使用存储
WCF wsHttpBinding Client Certificate Authentication without using store in client
我使用 wsHttpBinding 注册了一个 WCF 服务,它托管在 IIS 中,并通过 HTTPS 绑定到有效的活动证书:
<?xml version="1.0"?>
<configuration>
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>
<authorization>
<add users="*" accessType="Allow" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.serviceModel>
<protocolMapping>
<add scheme="https" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="MyNameSpace.WebService_TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="MyNameSpace.WebService_Behaviour">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="MyNameSpace.WebService" behaviorConfiguration="MyNameSpace.WebService_Behaviour">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="MyNameSpace.WebService_TransportSecurity"
contract="MyNameSpace.IMyServiceContract">
</endpoint>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
</configuration>
据我所知,我使用的是 .NET 4,这是唯一适用于 SSL 和客户端证书身份验证的绑定。
我已经使用 svcutil 生成了标准代理并尝试使用它的 base64 表示法设置证书(自签名的,也在服务器中):
X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(System.Convert.FromBase64String("thebase64ofthecertificate"));
if (certificate == null)
{
return null;
}
IMyServiceContractClient client = new IMyServiceContractClient(new System.ServiceModel.WSHttpBinding
{
Security = new System.ServiceModel.WSHttpSecurity
{
Mode = System.ServiceModel.SecurityMode.Transport,
Transport = new System.ServiceModel.HttpTransportSecurity
{
ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Certificate
}
}
},
new System.ServiceModel.EndpointAddress(new System.Uri("https://myserviceendpoint/webservice.svc")));
client.ClientCredentials.ClientCertificate.Certificate = certificate;
但如果我在本地计算机商店中没有证书,它就不起作用,我收到此错误:
我不是安全、SSL 或证书方面的专家,但这可行吗?
我想要实现的是确保我的服务只被这段代码调用,并且认为使用在服务器中验证的自签名客户端证书就可以了,但如果他们需要在商店给整个事情增加了不必要的复杂性!
更新 1:
根据 Yacoub Massad 的建议,使用 X509ContentType.Pkcs12 导出证书的 Base64 会产生异常:
An unhandled exception of type 'System.Security.Cryptography.CryptographicException' occurred in mscorlib.dll
Additional information: Key not valid for use in specified state.
我正在从商店加载证书:
X509Certificate2 certificate = null;
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadWrite);
var r = store.Certificates.Find(X509FindType.FindBySubjectName, "LicensingCert", false);
if (r.Count > 0)
certificate = r[0];
}
catch
{
certificate = null;
}
finally
{
if (store != null)
store.Close();
}
if (certificate == null)
{
return null;
}
File.WriteAllText(@"C:\tmp\certs\ExportLicensingCert.txt", Convert.ToBase64String(certificate.Export(X509ContentType.Pkcs12)));
更新 2:
确保已导入证书并将其标记为可导出并且成功了,我一定是在第一次导入证书时跳过了这一点。现在在另一台电脑上测试编译好的代码已经停止报错了。非常感谢 Yacoub Massad 为我指明了正确的方向:)
要使证书身份验证起作用,客户端需要私钥向服务器证明其身份。证书本身是行不通的。
确保您设置要使用的 WCF 客户端的 X509Certificate2 具有相应的私钥。
您需要一个包含证书和私钥的 PFX 文件,并且需要通过 Import 方法将它们导入到 X509Certificate2 对象中。
我使用 wsHttpBinding 注册了一个 WCF 服务,它托管在 IIS 中,并通过 HTTPS 绑定到有效的活动证书:
<?xml version="1.0"?>
<configuration>
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>
<authorization>
<add users="*" accessType="Allow" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.serviceModel>
<protocolMapping>
<add scheme="https" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="MyNameSpace.WebService_TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="MyNameSpace.WebService_Behaviour">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="MyNameSpace.WebService" behaviorConfiguration="MyNameSpace.WebService_Behaviour">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="MyNameSpace.WebService_TransportSecurity"
contract="MyNameSpace.IMyServiceContract">
</endpoint>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
</configuration>
据我所知,我使用的是 .NET 4,这是唯一适用于 SSL 和客户端证书身份验证的绑定。
我已经使用 svcutil 生成了标准代理并尝试使用它的 base64 表示法设置证书(自签名的,也在服务器中):
X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(System.Convert.FromBase64String("thebase64ofthecertificate"));
if (certificate == null)
{
return null;
}
IMyServiceContractClient client = new IMyServiceContractClient(new System.ServiceModel.WSHttpBinding
{
Security = new System.ServiceModel.WSHttpSecurity
{
Mode = System.ServiceModel.SecurityMode.Transport,
Transport = new System.ServiceModel.HttpTransportSecurity
{
ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Certificate
}
}
},
new System.ServiceModel.EndpointAddress(new System.Uri("https://myserviceendpoint/webservice.svc")));
client.ClientCredentials.ClientCertificate.Certificate = certificate;
但如果我在本地计算机商店中没有证书,它就不起作用,我收到此错误:
我不是安全、SSL 或证书方面的专家,但这可行吗?
我想要实现的是确保我的服务只被这段代码调用,并且认为使用在服务器中验证的自签名客户端证书就可以了,但如果他们需要在商店给整个事情增加了不必要的复杂性!
更新 1:
根据 Yacoub Massad 的建议,使用 X509ContentType.Pkcs12 导出证书的 Base64 会产生异常:
An unhandled exception of type 'System.Security.Cryptography.CryptographicException' occurred in mscorlib.dll
Additional information: Key not valid for use in specified state.
我正在从商店加载证书:
X509Certificate2 certificate = null;
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try
{
store.Open(OpenFlags.ReadWrite);
var r = store.Certificates.Find(X509FindType.FindBySubjectName, "LicensingCert", false);
if (r.Count > 0)
certificate = r[0];
}
catch
{
certificate = null;
}
finally
{
if (store != null)
store.Close();
}
if (certificate == null)
{
return null;
}
File.WriteAllText(@"C:\tmp\certs\ExportLicensingCert.txt", Convert.ToBase64String(certificate.Export(X509ContentType.Pkcs12)));
更新 2:
确保已导入证书并将其标记为可导出并且成功了,我一定是在第一次导入证书时跳过了这一点。现在在另一台电脑上测试编译好的代码已经停止报错了。非常感谢 Yacoub Massad 为我指明了正确的方向:)
要使证书身份验证起作用,客户端需要私钥向服务器证明其身份。证书本身是行不通的。
确保您设置要使用的 WCF 客户端的 X509Certificate2 具有相应的私钥。
您需要一个包含证书和私钥的 PFX 文件,并且需要通过 Import 方法将它们导入到 X509Certificate2 对象中。