我正在尝试将此WCF服务设置为仅在客户端提供“Test 01”证书时接受请求。问题是它似乎接受来自同一机构的任何证书,例如“Test 04”。
如何拒绝使用“Test 01”证书未发送的所有请求?
<basicHttpBinding>
<binding
name="TestSecureBinding"
maxReceivedMessageSize="5242880">
<security mode="Transport">
<transport
clientCredentialType="Certificate"></transport>
</security>
</binding>
</basicHttpBinding>
<behavior name="TestCertificateBehavior">
<serviceCredentials>
<clientCertificate>
<certificate
storeLocation="LocalMachine"
x509FindType="FindBySubjectName"
findValue="Test 01"/>
<authentication
certificateValidationMode="PeerTrust"
trustedStoreLocation="LocalMachine"
revocationMode="NoCheck"/>
</clientCertificate>
</serviceCredentials>
</behavior>
<service
name="IService"
behaviorConfiguration="TestCertificateBehavior">
<endpoint
name="MyHttps"
address="https://localhost:443"
contract="IService"
binding="basicHttpBinding"
bindingConfiguration="TestSecureBinding">
</endpoint>
<host>
<baseAddresses>
<add baseAddress="https://localhost:443"/>
</baseAddresses>
</host>
</service>
答案 0 :(得分:0)
无法在普通的WCF配置中配置它 - 您必须自己动手。
public class CertificateValidator : X509CertificateValidator
{
private string _expectedSubjectName;
public CertificateValidator(string expectedSubjectName)
{
_expectedSubjectName = expectedSubjectName;
}
public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
if (certificate == null)
{
throw new ArgumentNullException("certificate");
}
if (certificate.SubjectName.Name != _expectedSubjectName)
{
throw new SecurityTokenValidationException("Invalid certificate");
}
}
}
然后将其附加到您的服务主机:
serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.Custom;
serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
new CertificateValidator(expectedCertificateName);
取自:Creating a service that employs a custom certificate validator。