我需要创建一个必须使用SSL向服务器发送API请求的c#应用程序。我需要创建客户端身份验证。我已经有服务器CA证书,客户端证书(cer),客户端私钥(pem)和密码。我找不到有关如何创建客户端连接的示例。有人可以建议我从哪里开始做一个很好的解释?我手上有客户证书(PEM),客户提供密钥和客户密钥的密码。我不知道从哪里开始编写代码以将请求发送到服务器
答案 0 :(得分:3)
前段时间,我创建了this POC以便通过.Net Core中的证书进行客户端身份验证。它使用的是idunno.Authentication的build-in in .Net Core软件包。我的POC现在可能有点过时了,但这对您来说可能是一个很好的起点。
首先创建一个扩展方法以将证书添加到HttpClientHandler:
public static class HttpClientHandlerExtensions
{
public static HttpClientHandler AddClientCertificate(this HttpClientHandler handler, X509Certificate2 certificate)
{
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.ClientCertificates.Add(certificate);
return handler;
}
}
然后是将证书添加到IHttpClientBuilder
public static IHttpClientBuilder AddClientCertificate(this IHttpClientBuilder httpClientBuilder, X509Certificate2 certificate)
{
httpClientBuilder.ConfigureHttpMessageHandlerBuilder(builder =>
{
if (builder.PrimaryHandler is HttpClientHandler handler)
{
handler.AddClientCertificate(certificate);
}
else
{
throw new InvalidOperationException($"Only {typeof(HttpClientHandler).FullName} handler type is supported. Actual type: {builder.PrimaryHandler.GetType().FullName}");
}
});
return httpClientBuilder;
}
然后加载证书并在HttpClient中注册HttpClientFactory
var cert = CertificateFinder.FindBySubject("your-subject");
services
.AddHttpClient("ClientWithCertificate", client => { client.BaseAddress = new Uri(ServerUrl); })
.AddClientCertificate(cert);
现在,当您使用由工厂创建的客户端时,它将自动发送带有请求的证书;
public async Task SendRequest()
{
var client = _httpClientFactory.CreateClient("ClientWithCertificate");
....
}
答案 1 :(得分:1)
这里有很多选择,因此我不确定100%基于问题的简洁性走哪条路。我创建了一个基本的aspnet.core WebApi项目,该项目具有“天气预报”控制器作为测试。这里没有显示很多错误检查,并且有很多关于如何存储或不存储密钥和证书,甚至用于什么操作系统的假设(不是操作系统的重要性,而是密钥)。商店是不同的。)
还请注意,使用OpenSsl创建的证书在Web服务器的证书中不包含私钥。为此,您必须将证书和私钥合并为Pkcs12 / PFX格式。
例如(对于Web服务器,不一定是客户端,但是您可以在任何实际位置使用PFX ...)。
openssl pkcs12 -export -out so-selfsigned-ca-root-x509.pfx -inkey so-root-ca-rsa-private-key.pem -in so-selfsigned-ca-root-x509.pem
在控制台应用程序中考虑此Main方法。我添加到此的唯一非BCL软件包(用于PEM专用密钥)是Portable.BouncyCastle。如果您使用的是.NET Core 5.0(几天前发布),则那里有PEM选项。假设您还没有,此示例使用的是NetCoreApp 3.1。
The appSettings.json example file:
{
"HttpClientRsaArtifacts": {
"ClientCertificateFilename": "so-x509-client-cert.pem",
"ClientPrivateKeyFilename": "so-client-private-key.pem"
}
}
private static async Task Main(string[] args)
{
IConfiguration config = new ConfigurationBuilder().AddJsonFile("appSettings.json").Build();
const string mainAppSettingsKey = "HttpClientRsaArtifacts";
var clientCertificateFileName = config[$"{mainAppSettingsKey}:ClientCertificateFilename"];
var clientPrivKeyFileName = config[$"{mainAppSettingsKey}:ClientPrivateKeyFilename"];
var clientCertificate = new X509Certificate2(clientCertificateFileName);
var httpClientHandler = new HttpClientHandler();
httpClientHandler.ClientCertificates.Add(clientCertificate);
httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
httpClientHandler.ServerCertificateCustomValidationCallback = ByPassCertErrorsForTestPurposesDoNotDoThisInTheWild;
httpClientHandler.CheckCertificateRevocationList = false;
var httpClient = new HttpClient(httpClientHandler);
httpClient.BaseAddress = new Uri("https://localhost:5001/");
var httpRequestMessage = new HttpRequestMessage(
HttpMethod.Get,
"weatherforecast");
// This is "the connection" (and API call)
using var response = await httpClient.SendAsync(
httpRequestMessage,
HttpCompletionOption.ResponseHeadersRead);
var stream = await response.Content.ReadAsStreamAsync();
var jsonDocument = await JsonDocument.ParseAsync(stream);
var options = new JsonSerializerOptions
{
WriteIndented = true,
};
Console.WriteLine(
JsonSerializer.Serialize(
jsonDocument,
options));
}
private static bool ByPassCertErrorsForTestPurposesDoNotDoThisInTheWild(
HttpRequestMessage httpRequestMsg,
X509Certificate2 certificate,
X509Chain x509Chain,
SslPolicyErrors policyErrors)
{
var certificateIsTestCert = certificate.Subject.Equals("O=Internet Widgits Pty Ltd, S=Silicon Valley, C=US");
return certificateIsTestCert && x509Chain.ChainElements.Count == 1 &&
x509Chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot;
}
如果要从PEM文件加载私钥,则可以使用Bouncy Castle轻松做到这一点。例如,要从PEM文件导入私钥,然后使用它创建用于签名数据或哈希的RSA实例,则可以这样获得RSA实例:
private static RSA LoadClientPrivateKeyFromPemFile(string clientPrivateKeyFileName)
{
if (!File.Exists(clientPrivateKeyFileName))
{
throw new FileNotFoundException(
"The client private key PEM file could not be found",
clientPrivateKeyFileName);
}
var clientPrivateKeyPemText = File.ReadAllText(clientPrivateKeyFileName);
using var reader = new StringReader(clientPrivateKeyPemText);
var pemReader = new PemReader(reader);
var keyParam = pemReader.ReadObject();
// GET THE PRIVATE KEY PARAMETERS
RsaPrivateCrtKeyParameters privateKeyParams = null;
// This is the case if the PEM file has is a "traditional" RSA PKCS#1 content
// The private key file with begin and end with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
if (keyParam is AsymmetricCipherKeyPair asymmetricCipherKeyPair)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricCipherKeyPair.Private;
}
// This is to check if it is a Pkcs#8 PRIVATE KEY ONLY or a public key (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
if (keyParam is AsymmetricKeyParameter asymmetricKeyParameter)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricKeyParameter;
}
var rsaPrivateKeyParameters = DotNetUtilities.ToRSAParameters(privateKeyParams);
// CREATE A NEW RSA INSTANCE WITH THE PRIVATE KEY PARAMETERS (THIS IS THE PRIVATE KEY)
return RSA.Create(rsaPrivateKeyParameters);
}
最后,如果要使用私钥对数据签名(使用上面的示例从PEM文件获得),则可以在System.Security.Cryptography.RSA类上使用标准的加密和签名方法。例如
var signedData = rsaInstanceWithPrivateKey.SignData(
data,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
...然后在使用HttpRequestMessage调用SendAsync之前,将其作为ByteArrayContent添加到HttpRequestMessage中。
var byteArrayContent = new ByteArrayContent(signedData);
var httpRequestMessage = new HttpRequestMessage(
HttpMethod.Post,
"/myapiuri");
httpRequestMessage.Content = byteArrayContent;
您已经提到过,您使用相同的私钥来创建所有内容,因此,在网络服务器端,如果是这种情况,您将能够验证签名并解密在此示例中从客户端发送的内容。 / p>
同样,这里有很多选择和细微差别。
使用Bouncy Castle PEM阅读器,您可以使用密码注入IPasswordFinder实现。
例如:
/// <summary>
/// Required when using the Bouncy Castle PEM reader for PEM artifacts with passwords.
/// </summary>
class BcPemPasswordFinder : IPasswordFinder
{
private readonly string m_password;
public BcPemPasswordFinder(string password)
{
m_password = password;
}
/// <summary>
/// Required by the IPasswordFinder interface
/// </summary>
/// <returns>System.Char[].</returns>
public char[] GetPassword()
{
return m_password.ToCharArray();
}
}
这是我最初发布的LoadClientPrivateKeyFromPemFile的修改版本(在此示例中,为了简洁起见,密码进行了硬编码),您可以在其中将IPasswordFinder注入实例。
private static RSA LoadClientPrivateKeyFromPemFile(string clientPrivateKeyFileName)
{
if (!File.Exists(clientPrivateKeyFileName))
{
throw new FileNotFoundException(
"The client private key PEM file could not be found",
clientPrivateKeyFileName);
}
var clientPrivateKeyPemText = File.ReadAllText(clientPrivateKeyFileName);
using var reader = new StringReader(clientPrivateKeyPemText);
// Instantiate password finder here
var passwordFinder = new BcPemPasswordFinder("P@ssword");
// Pass the IPasswordFinder instance into the PEM PemReader...
var pemReader = new PemReader(reader, passwordFinder);
var keyParam = pemReader.ReadObject();
// GET THE PRIVATE KEY PARAMETERS
RsaPrivateCrtKeyParameters privateKeyParams = null;
// This is the case if the PEM file has is a "traditional" RSA PKCS#1 content
// The private key file with begin and end with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
if (keyParam is AsymmetricCipherKeyPair asymmetricCipherKeyPair)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricCipherKeyPair.Private;
}
// This is to check if it is a Pkcs#8 PRIVATE KEY ONLY or a public key (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
if (keyParam is AsymmetricKeyParameter asymmetricKeyParameter)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricKeyParameter;
}
var rsaPrivateKeyParameters = DotNetUtilities.ToRSAParameters(privateKeyParams);
// CREATE A NEW RSA INSTANCE WITH THE PRIVATE KEY PARAMETERS (THIS IS THE PRIVATE KEY)
return RSA.Create(rsaPrivateKeyParameters);
}