覆盖ServicePointManager.ServerCertificateValidationCallback时执行默认证书验证

时间:2014-07-11 13:30:47

标签: c# vb.net multithreading ssl smtpclient

我使用SmtpClient使用SSL通过SMTP服务器发送电子邮件。此SMTP服务器配置为使用自签名证书。

由于我在所有客户端计算机上安装证书超出了范围,因此我添加了ServicePointManager.ServerCertificateValidationCallback来为我们的自签名证书实施自定义验证。

但是,我希望仅在我使用SmtpClient时执行自定义验证,并在其他地方执行证书验证时恢复为默认行为。

由于回调是一个静态属性,我还应该确保回调不会被我用来发送电子邮件的其他线程调用。

我想出了以下代码:

Private Shared _defaultServerCertificateValidationCallback As System.Net.Security.RemoteCertificateValidationCallback
Private Shared _overrideSmtpCertificateValidation As Boolean = False
Private Shared _callbackLocker As New Object()

Private Shared Function OurCertificateValidation(s As Object, certificate As Security.Cryptography.X509Certificates.X509Certificate, chain As Security.Cryptography.X509Certificates.X509Chain, sslPolicyErrors As Net.Security.SslPolicyErrors) As Boolean

    SyncLock _callbackLocker

        If _overrideSmtpCertificateValidation Then
            _overrideSmtpCertificateValidation = False
            Dim actualCertificate = Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("selfSignedSmtp.cert")
            Return certificate.Equals(actualCertificate)
        Else
            'Should execute the default certificate validation.
            Return _defaultServerCertificateValidationCallback(s, certificate, chain, sslPolicyErrors)
        End If

    End SyncLock

End Function

Public Sub SendMail()
    _defaultServerCertificateValidationCallback = System.Net.ServicePointManager.ServerCertificateValidationCallback
    System.Net.ServicePointManager.ServerCertificateValidationCallback = New System.Net.Security.RemoteCertificateValidationCallback(AddressOf OurCertificateValidation)
    _overrideSmtpCertificateValidation = True
    'Send mail using SMTP client here...
End Sub

发送电子邮件时此代码应执行的操作是将默认ServerCertificateValidationCallback保留在变量中,标记要执行的自定义验证,在与SmtpClient相同的线程上执行自定义验证,阻止其他线程使用SyncLock执行自定义验证,然后恢复为默认行为并允许其他线程继续使用默认证书验证。

但是,默认情况下ServerCertificateValidationCallback设置为Nothing,因此我无法显式调用默认验证回调。

有什么我可以调用而不是Return _defaultServerCertificateValidationCallback(s, certificate, chain, sslPolicyErrors)可以在需要时执行默认证书验证吗?

1 个答案:

答案 0 :(得分:7)

我发现默认证书验证是在ServerCertificateValidationCallback之前完成的。如果sslPolicyErrors设置为None,则表示验证成功。

我认为这段代码满足了我的需求,对我的情况似乎足够安全:

Private Shared _customCertificateLocker As New Object()
Private Shared _customCertificateThreadId As Integer
Private Shared _customCertificatePath As String

'Returns True if the certificate is valid according to the default certificate validation algorithm,
'or else if the certificate is the same as the specified custom certificate.
Private Shared Function CustomCertificateValidation(s As Object, certificate As Security.Cryptography.X509Certificates.X509Certificate, chain As Security.Cryptography.X509Certificates.X509Chain, sslPolicyErrors As Net.Security.SslPolicyErrors) As Boolean

    If sslPolicyErrors = System.Net.Security.SslPolicyErrors.None Then
        'The certificate is valid according to the default certificate validation algorithm
        Return True
    Else

        'Validates only for the thread that called UseCustomCertificate.
        If System.Threading.Thread.CurrentThread.ManagedThreadId = _customCertificateThreadId Then

            If Not File.Exists(_customCertificatePath) Then
                Throw New FileNotFoundException("Certificate not found at path : '" & _customCertificatePath & "'.")
            End If

            Try
                'Validates the specified custom certificate against the server certificate.
                Dim actualCertificate = Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(_customCertificatePath)
                Return certificate.Equals(actualCertificate)
            Catch
                Return False
            End Try

        End If

    End If

    Return False

End Function

'Performs an Action that needs the custom certificate validation, on one thread at a time.
Public Shared Sub UseCustomCertificate(customCertificatePath As String, action As Action)

    'Used to make sure that the ServerCertificateValidationCallback stays the same during the Action, even if multiple threads call this method.
    SyncLock _customCertificateLocker

        _customCertificateThreadId = System.Threading.Thread.CurrentThread.ManagedThreadId
        _customCertificatePath = customCertificatePath
        System.Net.ServicePointManager.ServerCertificateValidationCallback = New System.Net.Security.RemoteCertificateValidationCallback(AddressOf CustomCertificateValidation)

        Try
            action()

        Finally
            _customCertificateThreadId = 0
            _customCertificatePath = String.Empty
            System.Net.ServicePointManager.ServerCertificateValidationCallback = Nothing
        End Try

    End SyncLock

End Sub

使用示例:

UseCustomCertificate("C:\example.cert",
                     Sub()
                        'Send email with SmtpClient...
                     End Sub)

只有在几天内我没有得到更安全/更好的答案时,我才接受这个答案。

相关问题
最新问题