数字证书及在WCF中的应用

一 概念

  1、内容

    证书的发布机构
    证书的有效期
    证书所有者(Subject)
    签名所使用的算法
    指纹以及指纹算法

    公钥
    私钥

  2、存储区

  3、有效性


二 作用

  1、增强传输的安全性与消息的完整性
    防止消息被查看与篡改
  2、保证发信的不可抵赖性


三 创建、查看、导入、导出

  1、运行命令“makecert -r -pe -n "CN=MyServer" -ss My -sky exchange”,创建并存储证书

  2、运行“mmc”命令,弹出“Microsoft管理控制台”窗体。在此进行证书的查看、导入、导出等工作。


四 在WCF中使用X.509证书

WCF服务端

1、需要一个包含私钥的数字证书

  makecert -r -pe -n "CN=MyServer" -ss My -sky exchange

2、Binding的Security模式设置为“Certificate”

代码方式

public class CustomX509CertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
    }
}


var binding = new NetTcpBinding
{
 Security =
 {
     Mode = SecurityMode.Message,
     Message = { ClientCredentialType = MessageCredentialType.Certificate },
 },
};
host.AddServiceEndpoint(contract, binding, contract.Name);

var serviceBehaviors = new List<IServiceBehavior>();
var serviceCredentials = new ServiceCredentials();
//设置数字证书
serviceCredentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "MyServer");
//设置数字证书的有效性验证模式
serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
serviceCredentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator();
serviceBehaviors.Add(serviceCredentials);
foreach (var serviceBehavior in _serviceBehaviors)
{
 if (host.Description.Behaviors.Contains(serviceBehavior.GetType()))
     host.Description.Behaviors.Remove(serviceBehavior);
 host.Description.Behaviors.Add(serviceBehavior);
}




WCF客户端

1、需要一个包含私钥的数字证书

  makecert -r -pe -n "CN=MyClient" -ss My -sky exchange

2、Binding的Security模式设置为“Certificate”

代码方式

static ChannelFactory<T> GetFactory<T>(object callbackObject)
    where T : IServiceContract
{
    //获取数字证书
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "MyClient", false);
    if (certs.Count == 0)
 throw new SecurityException("客户端未安装数字证书");
    var cert = certs[0];

    var binding = new NetTcpBinding(Properties.Settings.Default.BindingConfigurationName);
    var address = new EndpointAddress(
 new Uri(string.Format("{0}/{1}", Properties.Settings.Default.EndpointAddress, typeof(T).Name))
 //, EndpointIdentity.CreateDnsIdentity("MyServer")
 );

    var factory = (callbackObject == null)
        ? new ChannelFactory<T>(binding, address)
        : new DuplexChannelFactory<T>(callbackObject, binding, address);
    var cc=factory.Endpoint.Behaviors.Find<ClientCredentials>();
    cc.ClientCertificate.Certificate = cert;
    cc.ServiceCertificate.Authentication.CertificateValidationMode=X509CertificateValidationMode.None;
    return factory;
}



配置方式

<bindings>
    <netTcpBinding>
 <binding name="NetTcpBinding">
     <security mode="Message">
  <message clientCredentialType="Certificate" algorithmSuite="Default" />
     </security>
 </binding>
    </netTcpBinding>
</bindings>

五 参考





posted @ 2012-05-07 16:59  beta2013  阅读(190)  评论(0编辑  收藏  举报