数字证书及在WCF中的应用
一 概念
1、内容
证书的发布机构
证书的有效期
证书所有者(Subject)
签名所使用的算法
指纹以及指纹算法
公钥
私钥
2、存储区
3、有效性
二 作用
1、增强传输的安全性与消息的完整性
防止消息被查看与篡改
2、保证发信的不可抵赖性
三 创建、查看、导入、导出
1、运行命令“makecert -r -pe -n "CN=MyServer" -ss My -sky exchange”,创建并存储证书
2、运行“mmc”命令,弹出“Microsoft管理控制台”窗体。在此进行证书的查看、导入、导出等工作。
四 在WCF中使用X.509证书
WCF服务端
1、需要一个包含私钥的数字证书
makecert -r -pe -n "CN=MyServer" -ss My -sky exchange
2、Binding的Security模式设置为“Certificate”
代码方式
public class CustomX509CertificateValidator : X509CertificateValidator { public override void Validate(X509Certificate2 certificate) { } } var binding = new NetTcpBinding { Security = { Mode = SecurityMode.Message, Message = { ClientCredentialType = MessageCredentialType.Certificate }, }, }; host.AddServiceEndpoint(contract, binding, contract.Name); var serviceBehaviors = new List<IServiceBehavior>(); var serviceCredentials = new ServiceCredentials(); //设置数字证书 serviceCredentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "MyServer"); //设置数字证书的有效性验证模式 serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom; serviceCredentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator(); serviceBehaviors.Add(serviceCredentials); foreach (var serviceBehavior in _serviceBehaviors) { if (host.Description.Behaviors.Contains(serviceBehavior.GetType())) host.Description.Behaviors.Remove(serviceBehavior); host.Description.Behaviors.Add(serviceBehavior); }
WCF客户端
1、需要一个包含私钥的数字证书
makecert -r -pe -n "CN=MyClient" -ss My -sky exchange
2、Binding的Security模式设置为“Certificate”
代码方式
static ChannelFactory<T> GetFactory<T>(object callbackObject) where T : IServiceContract { //获取数字证书 var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "MyClient", false); if (certs.Count == 0) throw new SecurityException("客户端未安装数字证书"); var cert = certs[0]; var binding = new NetTcpBinding(Properties.Settings.Default.BindingConfigurationName); var address = new EndpointAddress( new Uri(string.Format("{0}/{1}", Properties.Settings.Default.EndpointAddress, typeof(T).Name)) //, EndpointIdentity.CreateDnsIdentity("MyServer") ); var factory = (callbackObject == null) ? new ChannelFactory<T>(binding, address) : new DuplexChannelFactory<T>(callbackObject, binding, address); var cc=factory.Endpoint.Behaviors.Find<ClientCredentials>(); cc.ClientCertificate.Certificate = cert; cc.ServiceCertificate.Authentication.CertificateValidationMode=X509CertificateValidationMode.None; return factory; }
配置方式
<bindings> <netTcpBinding> <binding name="NetTcpBinding"> <security mode="Message"> <message clientCredentialType="Certificate" algorithmSuite="Default" /> </security> </binding> </netTcpBinding> </bindings>
五 参考
勉強心を持てば、生活は虚しくない!