证书固定在.NET上

时间:2013-01-29 18:44:27

标签: .net ssl application-security

我想限制我的.NET应用程序只接受已知的证书。那么如何在.NET上强制执行证书固定?什么是最佳做法?只是验证拇指印刷是否可以?

2 个答案:

答案 0 :(得分:3)

Per OWASP,您可以使用.NET的ServicePointManager

实现证书和公钥固定

答案 1 :(得分:1)

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#.Net

这个网址已经有了一个很好的例子。

// Encoded RSAPublicKey
private static String PUB_KEY = "30818902818100C4A06B7B52F8D17DC1CCB47362" +
    "C64AB799AAE19E245A7559E9CEEC7D8AA4DF07CB0B21FDFD763C63A313A668FE9D764E" +
    "D913C51A676788DB62AF624F422C2F112C1316922AA5D37823CD9F43D1FC54513D14B2" +
    "9E36991F08A042C42EAAEEE5FE8E2CB10167174A359CEBF6FACC2C9CA933AD403137EE" +
    "2C3F4CBED9460129C72B0203010001";

public static void Main(string[] args)
{
  ServicePointManager.ServerCertificateValidationCallback = PinPublicKey;
  WebRequest wr = WebRequest.Create("https://encrypted.google.com/");
  wr.GetResponse();
}

public static bool PinPublicKey(object sender, X509Certificate certificate, X509Chain chain,
                                SslPolicyErrors sslPolicyErrors)
{
  if (null == certificate)
    return false;

  String pk = certificate.GetPublicKeyString();
  if (pk.Equals(PUB_KEY))
    return true;

  // Bad dog
  return false;
}
相关问题
最新问题