gpt4 book ai didi

WCF 在客户端和服务器上都有证书(消息安全和 wsHttpBinding)

转载 作者:行者123 更新时间:2023-12-04 12:55:36 30 4
gpt4 key购买 nike

我正在尝试在客户端和服务器上设置具有证书身份验证的 WCF 服务。我正在经历 hell ,遍历所有可能的错误消息。

这里的最终目标是使用证书对双方进行身份验证。我将为每个客户颁发一个特定的证书(希望)这将使我能够将它们区分开来。

到目前为止,我有以下配置文件:

服务器配置文件

<configuration>
<system.serviceModel>
<services>
<service name="ServiceApiImplementation" behaviorConfiguration="myBehaviour">
<host>
<baseAddresses><add baseAddress="http://localhost:9110/MyService"/></baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" contract="IServiceAPI" bindingName="SOAP12Binding">
<identity>
<certificateReference findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName"/>
</identity>
</endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="SOAP12Binding" receiveTimeout="00:02:00" closeTimeout="00:01:00" openTimeout="00:01:00" sendTimeout="00:01:00">
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="myBehaviour">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

客户端配置文件
<system.serviceModel>
<client>
<endpoint address="http://localhost:9110/MyService" binding="wsHttpBinding"
bindingConfiguration="SOAP12Binding_IServiceAPI" contract="IServiceAPI"
behaviorConfiguration="behaviour1" name="SOAP12Binding_IServiceAPI">
<identity>
<!-- Value obtained when "Adding a Service Reference in visual studio" -->
<certificate encodedValue="xxxxxxxxxxxxx" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="behaviour1">
<clientCredentials>
<clientCertificate findValue="ClientCertificate" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
<serviceCertificate>
<defaultCertificate findValue="ServerCertificate" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="SOAP12Binding_IServiceAPI">
<security mode="Message">
<message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>

我已经为客户端和服务器生成了一个 rootCA 和几个证书,给定了适当的权限并将它们放在商店中(LocalMachine 和 CurrentUSer 都绝望了)。据我所知,这一点是有效的。

调用服务时会出现问题。最新的错误是:

An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

The message could not be processed. This is most likely because the action 'http://tempuri.org/IServiceAPI/MyMethod' is incorrect or because the message contains an invalid or expired security context token or because there is a m ismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint' s binding.



甚至(上一个错误)

The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)' for the 'http://localhost:9110/MyService' target endpoint.



错误消息根据我在配置文件中的实验而有所不同。现在客户端和服务器都在同一台机器上运行,因此,至少,我希望每个应用程序都可以通过 rootCA 对另一个应用程序进行身份验证。

请注意,我正在使用 Message Security 和 wsHttpBinding,因为它们似乎是正确的选择。除了发布标准 JAVA 框架可以使用的服务外,我没有任何大的限制。

谁能帮我解决这个烂摊子?

任何帮助将不胜感激

问候,

最佳答案

我设法解决了我原来的问题。

关于双向证书认证,我发现下面的codeproject文章提供了一个工作演示:http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF#Step%201:-%20Create%20client%20and%20server%20certificates

诚然,这个例子使用了对等信任,但到目前为止,无论如何我都无法让一个工作原型(prototype)正常工作。从这一点开始,我预见到的唯一陷阱是将证书链存储在适当的位置,并为您的项目正在运行的用户提供对私钥的访问权限。有关如何授予证书私钥权限的说明,请参阅此文章:http://msdn.microsoft.com/en-us/library/ff647171.aspx#Step6

对于问题的第二部分:如何在 WCF 服务中区分客户端证书?,您可以使用以下代码获取客户端的证书指纹:

X509Certificate2 certificate = null;

if(ServiceSecurityContext.Current.AuthorizationContext.ClaimSets == null)
throw new Exception("No claim set");

foreach(var claim in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
if(claim is X509CertificateClaimSet)
{
X509CertificateClaimSet xcset = claim as X509CertificateClaimSet;
certificate = xcset.X509Certificate;
break;
}

if(certificate == null)
throw new Exception("No X509 certificate found");

string clientCertificateThumbprint = certificate.Thumbprint;

这将获得客户端的指纹,该指纹对于您向其颁发证书的每个客户端都是不同的。当然,所有其他证书数据都是可用的。

关于WCF 在客户端和服务器上都有证书(消息安全和 wsHttpBinding),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/12094113/

30 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com