ssl - 无法在 ASP.NET Core 2.1 中使用带有客户端证书的 SOAP 服务

Question

我正在尝试从 4.6.1 移植到 ASP.NET Core 2.1.0-preview1。以下代码抛出异常“无法为具有权限的 SSL/TLS 安全通道建立信任关系 '[service url]:447'

我是否错误地应用了客户端证书？

X509Certificate cert = X509Certificate2.CreateFromCertFile("C:\\mycert.cer");
X509Certificate2 cert2 = new X509Certificate2(cert);


var binding = new BasicHttpsBinding();
binding.Security.Mode = BasicHttpsSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var endpoint = new EndpointAddress(new Uri("https://[service url]"));
var channelFactory = new ChannelFactory<APIWebService>(binding, endpoint);
channelFactory.Credentials.ClientCertificate.Certificate = cert2;
var serviceClient = channelFactory.CreateChannel();
var result = serviceClient.getBatchesSinceGUID(new getBatchesSinceGUIDRequest("-1"));
channelFactory.Close();

事实

1. 已知 X509Certificate 可与 4.6.1 代码一起使用；尽管如此，核心版本使用的是 X509Certificate2
2. 在4.6.1版本中，APIWebService代理是用wsdl.exe生成的
3. 在 ASP.NET Core 版本中，APIWebService 代理是用 svcutil.exe 生成的

异常堆栈跟踪

System.ServiceModel.Security.SecurityNegotiationException
  HResult=0x80131500
  Message=Could not establish trust relationship for the SSL/TLS secure channel with authority '[server url]:447'.
  Source=System.Private.ServiceModel
  StackTrace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(HttpRequestException requestException, HttpRequestMessage request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpClientRequestChannel.HttpClientChannelAsyncRequest.<SendRequestAsync>d__13.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.ServiceModel.Channels.RequestChannel.<RequestAsync>d__33.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.ServiceModel.Channels.RequestChannel.<RequestAsyncInternal>d__32.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.TaskHelpers.WaitForCompletionNoSpin[TResult](Task`1 task)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(MethodCall methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(MethodInfo targetMethod, Object[] args)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Reflection.DispatchProxyGenerator.Invoke(Object[] args)
   at generatedProxy_1.getDispatchBatchesSinceUID(getDispatchBatchesSinceUIDRequest )
   at NCPA.NADS.Test.UnitTest1.AdsDownload_Test() in UnitTest1.cs:line 26

Inner Exception 1:
HttpRequestException: An error occurred while sending the request.

Inner Exception 2:
WinHttpException: A security error occurred

Answer 1

看起来可能是因为没有为其提供私钥。在进行相互证书认证时，双方都需要他们的公钥/私钥对来建立一个安全的、正确的认证 channel 。

一般来说，.cer 文件通常只包含证书本身，即公钥加上一些元数据和 CA 签名。私钥保存在证书存储区(如果它是在本地生成/安装的)或 .pfx 文件(通常受密码保护或权限限制)。

如果您使用 .pfx 文件执行此操作，而不是从本地证书存储区加载，请务必执行以下操作:

• 将运行应用程序的帐户的文件权限限制为只读，并且只有可以信任私钥的管理员/开发人员才能读/写。
• 如果它是受密码保护的文件，请不要在您的代码中硬编码密码或将其 checkin 源代码管理。这完全违背了目的，您还不如不使用 HTTPS。任何可以查看您的代码和 key 文件的人都可以作为该帐户进行身份验证。
• 对 .pfx 文件本身的评论相同 - 不要将其放在源代码管理中。