WCF wsHttpBinding客户端证书身份验证,而不在客户端中使用存储

时间:2016-02-05 18:34:13

标签: c# wcf ssl client-certificates wshttpbinding

我有一个使用wsHttpBinding注册的WCF服务,它在IIS中托管,HTTPS绑定到有效的活动证书:

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert"/>
      <authorization>
        <add users="*" accessType="Allow" />
      </authorization>
    </security>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <system.serviceModel>
    <protocolMapping>
      <add scheme="https" binding="wsHttpBinding" />
    </protocolMapping>
    <bindings>
      <wsHttpBinding>
        <binding name="MyNameSpace.WebService_TransportSecurity">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyNameSpace.WebService_Behaviour">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="MyNameSpace.WebService" behaviorConfiguration="MyNameSpace.WebService_Behaviour">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="MyNameSpace.WebService_TransportSecurity"
                  contract="MyNameSpace.IMyServiceContract">
        </endpoint>

        <endpoint address="mex"
                             binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>

我正在使用.NET 4,据我所知,这是唯一适用于SSL和客户端证书身份验证的绑定。

我使用svcutil生成标准代理并尝试使用它的base64表示设置证书(也在服务器中的自签名):

X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(System.Convert.FromBase64String("thebase64ofthecertificate"));
if (certificate == null)
{
    return null;
}
IMyServiceContractClient client = new IMyServiceContractClient(new System.ServiceModel.WSHttpBinding
{
    Security = new System.ServiceModel.WSHttpSecurity
    {
        Mode = System.ServiceModel.SecurityMode.Transport,
        Transport = new System.ServiceModel.HttpTransportSecurity
        {

            ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Certificate
        }
    }
},
new System.ServiceModel.EndpointAddress(new System.Uri("https://myserviceendpoint/webservice.svc")));
client.ClientCredentials.ClientCertificate.Certificate = certificate;

但如果我在本地计算机商店没有证书,它就无效了,我收到了这个错误:

enter image description here

我不是安全,证书或证书方面的专家,但这是否可行?

我想要实现的只是确保我的服务仅由此代码调用,并认为使用在服务器中验证的自签名客户端证书可以,但如果他们需要在商店中它为整个事情增加了不必要的复杂性!

更新1:

根据Yacoub Massad的建议,使用X509ContentType.Pkcs12导出证书的Base64会产生异常:

An unhandled exception of type 'System.Security.Cryptography.CryptographicException' occurred in mscorlib.dll

Additional information: Key not valid for use in specified state.

我正在从商店加载证书:

    X509Certificate2 certificate = null;
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadWrite);
        var r = store.Certificates.Find(X509FindType.FindBySubjectName, "LicensingCert", false);
        if (r.Count > 0)
            certificate = r[0];
    }
    catch
    {
        certificate = null;
    }
    finally
    {
        if (store != null)
            store.Close();
    }

    if (certificate == null)
    {
        return null;
    }
    File.WriteAllText(@"C:\tmp\certs\ExportLicensingCert.txt", Convert.ToBase64String(certificate.Export(X509ContentType.Pkcs12)));

更新2:

确保证书已经导入,Mark可以导出并且它可以解决问题,我必须在第一次导入证书时跳过它。现在在另一台计算机上测试已编译的代码已停止执行该错误。非常感谢Yacoub Massad指出我正确的方向:)

1 个答案:

答案 0 :(得分:2)

要使证书身份验证起作用,客户端需要私钥来向服务器证明其身份。仅凭证书不起作用。

确保您设置WCF客户端的X509Certificate2具有相应的私钥。

您需要一个包含证书和私钥的PFX文件,您需要通过Import方法将它们导入X509Certificate2对象。

相关问题
最新问题