自定义X509CertificateValidator与BasicHttpSecurityMode.Transport?

时间:2009-04-10 17:56:49

标签: wcf wcf-security

是否有一种简单的方法可以将自定义X509证书验证与BasicHttpBinding(或者相同的CustomHttpBinding)相结合,这将实现仅传输安全性?

EDIT1:我在代码中添加了ServerCertificateValidationCallback,以表明它不会启动

这是我正在尝试做的事情:

1)编写了自定义X509CertificateValidator:

public class MyX509Validator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        Console.WriteLine("Incoming validation: subj={0}, thumb={1}",
                certificate.Subject, certificate.Thumbprint);
    }
}

2)创建主持人:

var soapBinding = new BasicHttpBinding() { Namespace = "http://test.com" };
soapBinding.Security.Mode = BasicHttpSecurityMode.Transport;
soapBinding.Security.Transport.ClientCredentialType =
            HttpClientCredentialType.Certificate;

var sh = new ServiceHost(typeof(Service1), uri);
sh.AddServiceEndpoint(typeof(IService1), soapBinding, "");
sh.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
           StoreName.My, X509FindType.FindBySubjectName, "localhost");
sh.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
           System.ServiceModel.Security.X509CertificateValidationMode.Custom;
sh.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = 
           new MyX509Validator();
System.Net.ServicePointManager.ServerCertificateValidationCallback += 
           delegate(object sender, X509Certificate certificate, 
                    X509Chain chain, SslPolicyErrors sslPolicyErrors)
           {
                Console.WriteLine("Incoming validation: subj={0}, thumb={1}",
                    certificate.Subject, certificate.GetIssuerName());
                return true;
           };
sh.Open();

3)创建了WCF客户端:

var binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var cli = new ServiceReference2.Service1Client(binding, 
           new EndpointAddress("https://localhost:801/Service1"));
cli.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, 
           StoreName.My, X509FindType.FindBySubjectName, "localhost");
cli.HelloWorld();

身份验证工作正常,但永远不会调用MyX509Validator.Validate()。我怀疑X509CertificateValidator仅适用于邮件安全,而不适用于传输。是对的吗?我可以做些什么来覆盖传输级证书验证吗?

2 个答案:

答案 0 :(得分:1)

我假设您正在谈论与HTTPS绑定的证书...

如果是这样,答案如下:X509CertificateValidationMode用于您要交换的文档的标头中以提供身份验证。它对底层传输本身没有任何作用,在本例中是HTTPS及其关联的x.509证书。所以,你的假设很明显。

如果要提供传输的自定义证书验证,请改用System.Net.ServicePointManager.ServerCertificateValidationCallback。但要小心,这是一个应用程序范围设置。如果您在多个端点上循环并且未将其设置为null,则它将保持活动状态。

答案 1 :(得分:0)

我使用以下设置执行此操作,我的自定义验证程序肯定会被点击:

serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
    X509CertificateValidationMode.Custom;

serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
    new CertificateValidator(ConfigurationManager.AppSettings["Cerficate"]);

我的行为是:

    <behavior name="CustomCertificateBehavior">
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="Custom" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>

我的约束力:

  <basicHttpBinding>
    <binding name="SecureBinding" maxReceivedMessageSize="5242880">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"></transport>
      </security>
    </binding>
  </basicHttpBinding>
相关问题
最新问题