I have a client that calls an API which signs its response messages. The signature verification setup needs a special binding, shown below:
```csharp
public class SignatureBinding : Binding
{
    public override BindingElementCollection CreateBindingElements()
    {
        var signingElement = new AsymmetricSecurityBindingElement
        {
            AllowInsecureTransport = false,
            RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never),
            InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient),
            DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256,
            SecurityHeaderLayout = SecurityHeaderLayout.Strict,
            MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
            MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
            AllowSerializedSigningTokenOnReply = true
        };
        signingElement.SetKeyDerivation(false);
        return new BindingElementCollection
        {
            signingElement,
            new HttpsTransportBindingElement()
        };
    }
}
```
And in the ClientCredentials behavior:
```csharp
public class CredentialsBehavior : ClientCredentials
{
    public CredentialsBehavior()
    {
        // store and signatureCertSN are defined in the omitted code; the service
        // certificate set here is the one whose public key verifies the response signature.
        base.ServiceCertificate.DefaultCertificate = store.FindBySerialNumber(signatureCertSN);
    }
    //Code omitted
}
```
I have verified that the code above works fine when run from an ordinary machine. The message is sent, the server builds the response and signs it, it comes back, the client verifies the signature, and all is well.
However, it fails when run from the intended server, which cannot reach the CRL services because of a firewall. When the message is sent through the channel, the ServiceModel call returns an error. The error concerns the certificate that holds the public key used to verify the signature. The error is:
The X.509 certificate CN=somecert.somedomain.com, OU=CE_Operations, O="MyCompany, Inc.", L=City, S=State, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.
The server sits in a domain that cannot reach the CRL, so with the help of this answer I disabled the check:
```csharp
// Accept any TLS server certificate and skip CRL checks for outgoing HTTPS connections.
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
ServicePointManager.CheckCertificateRevocationList = false;
```
However, the error persists. My guess is that ServerCertificateValidationCallback only applies to the server certificate, and this is a different certificate.
How do I persuade the service model to allow this certificate without checking the CRL or performing other validation steps?
Answer 0: (score: 0)
Set certificateValidationMode to None to ignore certificate validation (see X509CertificateValidationMode).
This is a behavior, so if you want to do it programmatically you should add it to the service as a new behavior:
```csharp
ServiceHost host = new ServiceHost(typeof(Service));
ServiceEndpoint endpoint = host.AddServiceEndpoint(typeof(IService), new WebHttpBinding(), "http://...");
// Build a ClientCredentials behavior that turns off validation of the service certificate.
var endpointClientbehavior = new ClientCredentials();
endpointClientbehavior.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
// On a client, the same behavior goes on ChannelFactory<T>.Endpoint.Behaviors after
// removing the default ClientCredentials entry.
endpoint.Behaviors.Add(endpointClientbehavior);
```
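Added example, not code from the question or the answer: the question's credentials behavior rewritten so that the answer's None setting sits next to a narrower alternative that keeps chain validation and only disables the revocation lookup, which is the step the firewall blocks. The class name, the serial-number parameter and the LocalMachine/My store are assumptions.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical replacement for the question's CredentialsBehavior; the certificate
// serial number and the LocalMachine/My store location are assumptions.
public class SigningCredentialsBehavior : ClientCredentials
{
    private readonly string _signatureCertSN;

    public SigningCredentialsBehavior(string signatureCertSN)
    {
        _signatureCertSN = signatureCertSN;

        // Pin the certificate whose public key must verify the response signature.
        ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySerialNumber, signatureCertSN);

        X509ServiceCertificateAuthentication auth = ServiceCertificate.Authentication;

        // Weak setting from the answer: skips chain building entirely, so any certificate
        // presented as the signer (including a self-issued one) passes validation.
        // auth.CertificateValidationMode = X509CertificateValidationMode.None;

        // Narrower setting: still require a chain to a trusted root in the machine store,
        // but do not contact CRL/OCSP endpoints, which is the only step the firewall blocks.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.NoCheck;
        auth.TrustedStoreLocation = StoreLocation.LocalMachine;
    }

    // WCF clones ClientCredentials when the behavior is applied to an endpoint;
    // carry the serial number across so the clone pins the same certificate.
    protected SigningCredentialsBehavior(SigningCredentialsBehavior other) : base(other)
    {
        _signatureCertSN = other._signatureCertSN;
    }

    protected override ClientCredentials CloneCore() => new SigningCredentialsBehavior(this);
}
```

With ChainTrust plus NoCheck the client still rejects an expired or untrusted issuer chain; only the revocation status goes unchecked, so a revoked signing certificate would not be caught until connectivity to the CRL is restored.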