9
显然我在前面的帖子中提出了错误的问题。我有一个以X.509证书作为安全网站(https://..)运行的Web服务。我想使用公司的根CA颁发的客户机证书(也是X.509)来验证服务器客户机是否有权使用该服务。为了做到这一点,我需要检查证书并寻找一些识别功能,并将其与存储在数据库中的值(可能是指纹?)进行匹配。如何从Web服务中的客户端发送X509Certificate?
下面是我用它来获得从本地证书库中的代码(从http://msdn.microsoft.com/en-us/magazine/cc163454.aspx直举):
public static class SecurityCertificate
{
private static X509Certificate2 _certificate = null;
public static X509Certificate2 Certificate
{
get { return _certificate; }
}
public static bool LoadCertificate()
{
// get thumbprint from app.config
string thumbPrint = Properties.Settings.Default.Thumbprint;
if (string.IsNullOrEmpty(thumbPrint))
{
// if no thumbprint on file, user must select certificate to use
_certificate = PickCertificate(StoreLocation.LocalMachine, StoreName.My);
if (null != _certificate)
{
// show certificate details dialog
X509Certificate2UI.DisplayCertificate(_certificate);
Properties.Settings.Default.Thumbprint = _certificate.Thumbprint;
Properties.Settings.Default.Save();
}
}
else
{
_certificate = FindCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, thumbPrint);
}
if (null == _certificate)
{
MessageBox.Show("You must have a valid machine certificate to use STS.");
return false;
}
return true;
}
private static X509Certificate2 PickCertificate(StoreLocation location, StoreName name)
{
X509Store store = new X509Store(name, location);
try
{
// create and open store for read-only access
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection coll = store.Certificates.Find(X509FindType.FindByIssuerName, STSClientConstants.NBCCA, true);
if (0 == coll.Count)
{
MessageBox.Show("No valid machine certificate found - please contact tech support.");
return null;
}
// pick a certificate from the store
coll = null;
while (null == coll || 0 == coll.Count)
{
coll = X509Certificate2UI.SelectFromCollection(
store.Certificates, "Local Machine Certificates",
"Select one", X509SelectionFlag.SingleSelection);
}
// return first certificate found
return coll[ 0 ];
}
// always close the store
finally { store.Close(); }
}
private static X509Certificate2 FindCertificate(StoreLocation location, StoreName name, X509FindType findType, string findValue)
{
X509Store store = new X509Store(name, location);
try
{
// create and open store for read-only access
store.Open(OpenFlags.ReadOnly);
// search store
X509Certificate2Collection col = store.Certificates.Find(findType, findValue, true);
// return first certificate found
return col[ 0 ];
}
// always close the store
finally { store.Close(); }
}
然后,我将证书安装到正是如此出站流:
public static class ServiceDataAccess
{
private static STSWebService _stsWebService = new STSWebService();
public static DataSet GetData(Dictionary<string,string> DictParam, string action)
{
// add the machine certificate here, the first web service call made by the program (only called once)
_stsWebService.ClientCertificates.Add(SecurityCertificate.Certificate);
// rest of web service call here...
}
}
我的问题是 - 我怎么“搞定”在Web服务代码证书?我遇到过的大多数示例代码片断都涉及如何进行自定义验证,在那里有一个GetCertificate()调用,显然假设该部分非常简单,每个人都应该知道如何去做?
我的主类继承自WebService,所以我可以使用Context.Request.ClientCertificate获取证书,但这是一个HttpClientCertificate,而不是X509Certificate2。 HttpContext给了我相同的结果。其他方法都使用Web配置代码来调用预定义的验证代码,而不知道如何调用自定义C#方法来执行验证。
我敢肯定,这是另一种“愚蠢的问题”,有人会回来,并说:“看,只是做这个和它的作品,”不过没关系。我花了很多时间试图让这个工作,而我的骄傲几乎不存在在这一点上。有人能告诉我我的方式错误吗?
谢谢, 戴夫
如果您没有HttpContext,请参阅http:// stackoverflow的答案。com/questions/7528455/how-to-get-the-x509certificate-from-a-client-request?lq = 1 – 2013-06-20 21:51:30