我们正在开发许多WCF服务。请求将越过域边界;也就是说,客户端在一个域中运行,处理请求的服务器位于不同的(生产)域中。我知道如何使用SSL和证书保护此链接。我们将询问用户在生产域上的用户名和密码,并将其传递到SOAP头中。
我的问题是在开发和“beta”测试期间要做什么。我知道我可以获得临时证书并在开发期间使用它。我想知道我对这种方法的替代方案是什么。其他人在这种情况下做了什么?
更新:我不确定我的问题得到了“好”的回答。我是一个大型团队(50+)开发人员的一员。该组织相当敏捷。任何一个开发人员都可能最终处理使用WCF的项目。事实上,其他几个项目正在做类似的事情,但针对不同的网站和服务。我正在寻找的是一种方式,我可以让任何人进入这个特定的项目几天,而不必跳过一些箍。安装开发证书就是其中之一。我完全理解在开发过程中对WCF结构进行“dogfooding”是最佳实践。大多数答案都给出了答案。我想知道什么,如果有的话,除了“获得一个测试证书(或两个)并将其安装在所有开发人员盒子上之外。”
乔恩
答案 0 :(得分:5)
更新:我们现在实际使用更简单的Keith Brown solution而不是现在,请参阅他提供的源代码。优点:无需维护非托管代码。
如果您仍想查看如何使用C / C ++进行操作,请继续阅读...
仅推荐用于开发当然,而不是生产,但有一种低摩擦方式来生成X.509证书(不使用makecert.exe)。
如果您可以在Windows上访问CryptoAPI,那么您的想法是使用CryptoAPI调用生成RSA公钥和私钥,对新的X.509证书进行签名和编码,将其放入仅内存的证书库中,然后使用PFXExportCertStore()生成.pfx字节,然后将其传递给X509Certificate2构造函数。
一旦有了X509Certificate2实例,就可以将它设置为相应WCF对象的属性,然后开始工作。
我有一些我编写的示例代码,不保证任何类型的课程,并且你需要一些C经验才能编写必须不受管理的位(编写它会更加痛苦)所有CryptoAPI调用的P / Invoke,而不是该部分是在C / C ++中。)
使用非托管辅助函数的示例C#代码:
public X509Certificate2 GenerateSelfSignedCertificate(string issuerCommonName, string keyPassword)
{
int pfxSize = -1;
IntPtr pfxBufferPtr = IntPtr.Zero;
IntPtr errorMessagePtr = IntPtr.Zero;
try
{
if (!X509GenerateSelfSignedCertificate(KeyContainerName, issuerCommonName, keyPassword, ref pfxSize, ref pfxBufferPtr, ref errorMessagePtr))
{
string errorMessage = null;
if (errorMessagePtr != IntPtr.Zero)
{
errorMessage = Marshal.PtrToStringUni(errorMessagePtr);
}
throw new ApplicationException(string.Format("Failed to generate X.509 server certificate. {0}", errorMessage ?? "Unspecified error."));
}
if (pfxBufferPtr == IntPtr.Zero)
{
throw new ApplicationException("Failed to generate X.509 server certificate. PFX buffer not initialized.");
}
if (pfxSize <= 0)
{
throw new ApplicationException("Failed to generate X.509 server certificate. PFX buffer size invalid.");
}
byte[] pfxBuffer = new byte[pfxSize];
Marshal.Copy(pfxBufferPtr, pfxBuffer, 0, pfxSize);
return new X509Certificate2(pfxBuffer, keyPassword);
}
finally
{
if (pfxBufferPtr != IntPtr.Zero)
{
Marshal.FreeHGlobal(pfxBufferPtr);
}
if (errorMessagePtr != IntPtr.Zero)
{
Marshal.FreeHGlobal(errorMessagePtr);
}
}
}
X509GenerateSelfSignedCertificate函数实现可能是这样的(你需要WinCrypt.h):
BOOL X509GenerateSelfSignedCertificate(LPCTSTR keyContainerName, LPCTSTR issuerCommonName, LPCTSTR keyPassword, DWORD *pfxSize, BYTE **pfxBuffer, LPTSTR *errorMessage)
{
// Constants
#define CERT_DN_ATTR_COUNT 1
#define SIZE_SERIALNUMBER 8
#define EXPIRY_YEARS_FROM_NOW 2
#define MAX_COMMON_NAME 8192
#define MAX_PFX_SIZE 65535
// Declarations
HCRYPTPROV hProv = NULL;
BOOL result = FALSE;
// Sanity
if (pfxSize != NULL)
{
*pfxSize = -1;
}
if (pfxBuffer != NULL)
{
*pfxBuffer = NULL;
}
if (errorMessage != NULL)
{
*errorMessage = NULL;
}
if (keyContainerName == NULL || _tcslen(issuerCommonName) <= 0)
{
SetOutputErrorMessage(errorMessage, _T("Key container name must not be NULL or an empty string."));
return FALSE;
}
if (issuerCommonName == NULL || _tcslen(issuerCommonName) <= 0)
{
SetOutputErrorMessage(errorMessage, _T("Issuer common name must not be NULL or an empty string."));
return FALSE;
}
if (keyPassword == NULL || _tcslen(keyPassword) <= 0)
{
SetOutputErrorMessage(errorMessage, _T("Key password must not be NULL or an empty string."));
return FALSE;
}
// Start generating
USES_CONVERSION;
if (CryptAcquireContext(&hProv, keyContainerName, MS_DEF_RSA_SCHANNEL_PROV, PROV_RSA_SCHANNEL, CRYPT_MACHINE_KEYSET) ||
CryptAcquireContext(&hProv, keyContainerName, MS_DEF_RSA_SCHANNEL_PROV, PROV_RSA_SCHANNEL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET))
{
HCRYPTKEY hKey = NULL;
// Generate 1024-bit RSA keypair.
if (CryptGenKey(hProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE | RSA1024BIT_KEY, &hKey))
{
DWORD pkSize = 0;
PCERT_PUBLIC_KEY_INFO pkInfo = NULL;
// Export public key for use by certificate signing.
if (CryptExportPublicKeyInfo(hProv, AT_KEYEXCHANGE, X509_ASN_ENCODING, NULL, &pkSize) &&
(pkInfo = (PCERT_PUBLIC_KEY_INFO)LocalAlloc(0, pkSize)) &&
CryptExportPublicKeyInfo(hProv, AT_KEYEXCHANGE, X509_ASN_ENCODING, pkInfo, &pkSize))
{
CERT_RDN_ATTR certDNAttrs[CERT_DN_ATTR_COUNT];
CERT_RDN certDN[CERT_DN_ATTR_COUNT] = {{1, &certDNAttrs[0]}};
CERT_NAME_INFO certNameInfo = {CERT_DN_ATTR_COUNT, &certDN[0]};
DWORD certNameSize = -1;
BYTE *certNameData = NULL;
certDNAttrs[0].dwValueType = CERT_RDN_UNICODE_STRING;
certDNAttrs[0].pszObjId = szOID_COMMON_NAME;
certDNAttrs[0].Value.cbData = (DWORD)(_tcslen(issuerCommonName) * sizeof(WCHAR));
certDNAttrs[0].Value.pbData = (BYTE*)T2W((LPTSTR)issuerCommonName);
// Encode issuer name into certificate name blob.
if (CryptEncodeObject(X509_ASN_ENCODING, X509_NAME, &certNameInfo, NULL, &certNameSize) &&
(certNameData = (BYTE*)LocalAlloc(0, certNameSize)) &&
CryptEncodeObject(X509_ASN_ENCODING, X509_NAME, &certNameInfo, certNameData, &certNameSize))
{
CERT_NAME_BLOB issuerName;
CERT_INFO certInfo;
SYSTEMTIME systemTime;
FILETIME notBefore;
FILETIME notAfter;
BYTE serialNumber[SIZE_SERIALNUMBER];
DWORD certSize = -1;
BYTE *certData = NULL;
issuerName.cbData = certNameSize;
issuerName.pbData = certNameData;
// Certificate should be valid for a decent window of time.
ZeroMemory(&certInfo, sizeof(certInfo));
GetSystemTime(&systemTime);
systemTime.wYear -= 1;
SystemTimeToFileTime(&systemTime, ¬Before);
systemTime.wYear += EXPIRY_YEARS_FROM_NOW;
SystemTimeToFileTime(&systemTime, ¬After);
// Generate a throwaway serial number.
if (CryptGenRandom(hProv, SIZE_SERIALNUMBER, serialNumber))
{
certInfo.dwVersion = CERT_V3;
certInfo.SerialNumber.cbData = SIZE_SERIALNUMBER;
certInfo.SerialNumber.pbData = serialNumber;
certInfo.SignatureAlgorithm.pszObjId = szOID_RSA_MD5RSA;
certInfo.Issuer = issuerName;
certInfo.NotBefore = notBefore;
certInfo.NotAfter = notAfter;
certInfo.Subject = issuerName;
certInfo.SubjectPublicKeyInfo = *pkInfo;
// Now sign and encode it.
if (CryptSignAndEncodeCertificate(hProv, AT_KEYEXCHANGE, X509_ASN_ENCODING, X509_CERT_TO_BE_SIGNED, (LPVOID)&certInfo, &(certInfo.SignatureAlgorithm), NULL, NULL, &certSize) &&
(certData = (BYTE*)LocalAlloc(0, certSize)) &&
CryptSignAndEncodeCertificate(hProv, AT_KEYEXCHANGE, X509_ASN_ENCODING, X509_CERT_TO_BE_SIGNED, (LPVOID)&certInfo, &(certInfo.SignatureAlgorithm), NULL, certData, &certSize))
{
HCERTSTORE hCertStore = NULL;
// Open a new temporary store.
if ((hCertStore = CertOpenStore(CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, CERT_STORE_CREATE_NEW_FLAG, NULL)))
{
PCCERT_CONTEXT certContext = NULL;
// Add to temporary store so we can use the PFX functions to export a store + private keys in PFX format.
if (CertAddEncodedCertificateToStore(hCertStore, X509_ASN_ENCODING, certData, certSize, CERT_STORE_ADD_NEW, &certContext))
{
CRYPT_KEY_PROV_INFO keyProviderInfo;
// Link keypair to certificate (without this the keypair gets "lost" on export).
ZeroMemory(&keyProviderInfo, sizeof(keyProviderInfo));
keyProviderInfo.pwszContainerName = T2W((LPTSTR)keyContainerName);
keyProviderInfo.pwszProvName = MS_DEF_RSA_SCHANNEL_PROV_W; /* _W used intentionally. struct hardcodes LPWSTR. */
keyProviderInfo.dwProvType = PROV_RSA_SCHANNEL;
keyProviderInfo.dwFlags = CRYPT_MACHINE_KEYSET;
keyProviderInfo.dwKeySpec = AT_KEYEXCHANGE;
// Finally, export to PFX and provide to caller.
if (CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, (LPVOID)&keyProviderInfo))
{
CRYPT_DATA_BLOB pfxBlob;
DWORD pfxExportFlags = EXPORT_PRIVATE_KEYS | REPORT_NO_PRIVATE_KEY | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY;
// Calculate size required.
ZeroMemory(&pfxBlob, sizeof(pfxBlob));
if (PFXExportCertStore(hCertStore, &pfxBlob, T2CW(keyPassword), pfxExportFlags))
{
pfxBlob.pbData = (BYTE *)LocalAlloc(0, pfxBlob.cbData);
if (pfxBlob.pbData != NULL)
{
// Now export.
if (PFXExportCertStore(hCertStore, &pfxBlob, T2CW(keyPassword), pfxExportFlags))
{
if (pfxSize != NULL)
{
*pfxSize = pfxBlob.cbData;
}
if (pfxBuffer != NULL)
{
// Caller must free this.
*pfxBuffer = pfxBlob.pbData;
}
else
{
// Caller did not provide target pointer to receive buffer, free ourselves.
LocalFree(pfxBlob.pbData);
}
result = TRUE;
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to export certificate in PFX format (0x%08x)."), GetLastError());
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to export certificate in PFX format, buffer allocation failure (0x%08x)."), GetLastError());
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to export certificate in PFX format, failed to calculate buffer size (0x%08x)."), GetLastError());
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to set certificate key context property (0x%08x)."), GetLastError());
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to add certificate to temporary certificate store (0x%08x)."), GetLastError());
}
CertCloseStore(hCertStore, 0);
hCertStore = NULL;
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to create temporary certificate store (0x%08x)."), GetLastError());
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to sign/encode certificate or out of memory (0x%08x)."), GetLastError());
}
if (certData != NULL)
{
LocalFree(certData);
certData = NULL;
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to generate certificate serial number (0x%08x)."), GetLastError());
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to encode X.509 certificate name into ASN.1 or out of memory (0x%08x)."), GetLastError());
}
if (certNameData != NULL)
{
LocalFree(certNameData);
certNameData = NULL;
}
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to export public key blob or out of memory (0x%08x)."), GetLastError());
}
if (pkInfo != NULL)
{
LocalFree(pkInfo);
pkInfo = NULL;
}
CryptDestroyKey(hKey);
hKey = NULL;
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to generate public/private keypair for certificate (0x%08x)."), GetLastError());
}
CryptReleaseContext(hProv, 0);
hProv = NULL;
}
else
{
SetOutputErrorMessage(errorMessage, _T("Failed to acquire cryptographic context (0x%08x)."), GetLastError());
}
return result;
}
void
SetOutputErrorMessage(LPTSTR *errorMessage, LPCTSTR formatString, ...)
{
#define MAX_ERROR_MESSAGE 1024
va_list va;
if (errorMessage != NULL)
{
size_t sizeInBytes = (MAX_ERROR_MESSAGE * sizeof(TCHAR)) + 1;
LPTSTR message = (LPTSTR)LocalAlloc(0, sizeInBytes);
va_start(va, formatString);
ZeroMemory(message, sizeInBytes);
if (_vstprintf_s(message, MAX_ERROR_MESSAGE, formatString, va) == -1)
{
ZeroMemory(message, sizeInBytes);
_tcscpy_s(message, MAX_ERROR_MESSAGE, _T("Failed to build error message"));
}
*errorMessage = message;
va_end(va);
}
}
我们已经使用它来在启动时生成SSL证书,当您只想测试加密而不验证信任/身份时,这很好,并且生成只需要大约2-3秒。
答案 1 :(得分:2)
您真的希望您的开发环境尽可能地匹配生产。 WCF将在传输协商或签名检查和自签名证书期间检查撤销列表,或使用makecert的伪造证书不支持CRL。
如果您有备用计算机,则可以使用Windows证书服务(Server 2003和2008免费)。这提供了一个CA,您可以从中请求证书(SSL或客户端)。它需要是一个备用机器,因为它在默认网站下设置自己,并且如果你已经调整了它就完全搞砸了。它还出版CRL。您需要做的就是在开发盒上安装CA的根证书,然后离开。
答案 2 :(得分:1)
您可以选择生成要在开发中使用的证书,也可以通过配置文件禁用证书的使用。我建议在开发过程中实际使用证书。
答案 3 :(得分:1)
扩展Leon Breedt的答案,要生成内存中的x509证书,您可以使用Keith Elder's SelfCert中的源代码。
using (CryptContext ctx = new CryptContext())
{
ctx.Open();
var cert = ctx.CreateSelfSignedCertificate(
new SelfSignedCertProperties
{
IsPrivateKeyExportable = true,
KeyBitLength = 4096,
Name = new X500DistinguishedName("cn=InMemoryTestCert"),
ValidFrom = DateTime.Today.AddDays(-1),
ValidTo = DateTime.Today.AddYears(5),
});
var creds = new ServiceCredentials();
creds.UserNameAuthentication.CustomUserNamePasswordValidator = new MyUserNamePasswordValidator();
creds.ServiceCertificate.Certificate = cert;
serviceHost.Description.Behaviors.Add(creds);
}
答案 4 :(得分:0)
如何在开发和生产之间更改配置?
答案 5 :(得分:0)
我的建议是考虑几种不同的方法:
用于开发 - &gt;有一些方法可以在本地生成SSL证书,以便可以在您完全控制的环境中完成https测试。
对于“beta”测试 - &gt;考虑为此获得第二个证书,因为可能需要在版本之间进行一些beta测试,因此可能会反复使用。