在基于互联网的wcf服务中,安全是非常重要的一环,在wcf中有着很多的安全模式,本次考虑在一个极限的服务器环境(比如虚拟主机)中配置使用证书文件配置自定义X509证书验证的消息安全模式。由于一般在这样的极限环境下,很难实现基于SSL的传输安全,因此我们考虑部署消息安全,同时服务器和客户端相互认证均使用X509证书。
首先我们创建两个证书,Microsoft Visual Studio 2008-->Visual Studio Tools-->Visual Studio 2008 命令提示行,进入控制台,然后分别创建服务器证书和客户端证书,如下:
makecert -r -pe -n "CN=TestServer" -e 08/10/2020 -sky exchange -ss mymakecert -r -pe -n "CN=TestClient" -e 08/10/2020 -sky exchange -ss my
执行之后如图:
然后进入证书管理将两个证书分别导出,导出的时候每个证书导出两次,分别导出为包含私钥的pfx文件和不包含私钥的cer文件,这样我们得到4个证书文件,我们命名为:TestServer.pfx,TestServer.cer,TestClient.pfx,TestClient.cer。
这部分如下图:
下面创建wcf服务端程序,
由于使用自定义证书认证,我们需要提供服务器端和客户端的认证程序,服务器端认证程序如下:
public class ServiceX509CertificateValidator : X509CertificateValidator {
public override void Validate(X509Certificate2 certificate) {
string path = HostingEnvironment.MapPath(WebConfig.ClientCertificate);
if (!File.Exists(path)) {
throw new FileNotFoundException(Path.GetFileName(path));
}
X509Certificate2 clientCertificate = new X509Certificate2(path);
//This is the Client Certificate Thumbprint,In Production,We can validate the Certificate With CA
if (!certificate.Thumbprint.Equals(clientCertificate.Thumbprint, StringComparison.CurrentCultureIgnoreCase)) {
throw new SecurityTokenException("Unknown Certificate");
}
}
}
客户端认证程序如下:
public class ClientX509CertificateValidator : X509CertificateValidator {
public override void Validate(X509Certificate2 certificate) {
//throw new NotImplementedException();
if (certificate == null) {
throw new ArgumentNullException("certificate");
}
string path = Path.GetFullPath(WebConfig.ServiceCertificate);
if (!File.Exists(path)) {
throw new FileNotFoundException(Path.GetFileName(path));
}
X509Certificate2 clientCertificate = new X509Certificate2(path);
//This is the Client Certificate Thumbprint,In Production,We can validate the Certificate With CA
if (!certificate.Thumbprint.Equals(clientCertificate.Thumbprint, StringComparison.CurrentCultureIgnoreCase)) {
throw new SecurityTokenException("Unknown Certificate");
}
}
}
这两个程序都是对证书的指纹进行验证。
下面开始对服务器端进行配置,首先建立新的Binding配置:
<bindings>
<wsHttpBinding>
<binding name="TestHttpBinding">
<security mode="Message">
<transport clientCredentialType="None"/>
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
然后修改Behavior配置:
<serviceBehaviors>
<behavior name="SecurityWcf.Service.TestServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="Custom" customCertificateValidatorType="SecurityWcf.Core.ServiceX509CertificateValidator, SecurityWcf.Core"/>
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
最后将在当前测试服务加入binding配置
<endpoint address="" binding="wsHttpBinding" contract="SecurityWcf.Service.ITestService" bindingConfiguration="TestHttpBinding">
按照正常情况,程序需要配置服务器端证书,然而本文中由于采用了文件方式配置,因此必须使用程度动态处理,因此,我们创建了自己的ServiceHost,程序如下:
public class WcfServiceHostFactory : ServiceHostFactory {
public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses) {
ServiceHostBase host;
Uri baseUri;
if (!String.IsNullOrEmpty(WebConfig.ServiceUri) &&
Uri.TryCreate(WebConfig.ServiceUri, UriKind.RelativeOrAbsolute, out baseUri)) {
host = base.CreateServiceHost(constructorString, new Uri[] { baseUri });
} else {
host = base.CreateServiceHost(constructorString, baseAddresses);
}
if (WebConfig.EnableServiceCertificate) {
string path = System.Web.Hosting.HostingEnvironment.MapPath(WebConfig.ServiceCertificate);
if (!File.Exists(path)) {
throw new FileNotFoundException(WebConfig.ServiceCertificate);
}
host.Credentials.ServiceCertificate.Certificate =
new X509Certificate2(path, WebConfig.ServiceCertificatePassword, X509KeyStorageFlags.MachineKeySet);
}
return host;
}
}
这部分将根据配置文件自动在服务中加入证书支持,为了使用该部分,需要修改服务的svc文件,在头部配置上该ServiceHost,如下:
<%@ ServiceHost Language="C#" Debug="true" Service="SecurityWcf.Service.TestService" Factory="SecurityWcf.Core.WcfServiceHostFactory, SecurityWcf.Core" CodeBehind="TestService.svc.cs" %>
然后在web.config中配置好证书路径,在服务器端,需要用到TestServer.pfx和TestClient.cer。这部分配置文件如下:
<appSettings>
<add key="ServiceCertificate" value="~/config/TestServer.pfx"/>
<add key="ServiceCertificatePassword" value="123456"/>
<add key="EnableServiceCertificate" value="true"/>
<add key="ClientCertificate" value="~/config/TestClient.cer"/>
</appSettings>
运行服务,如果没有错误提示,说明服务端已经成功运行,如图:
下面开始创建客户端程序,按照页面提示,我们来到vs command,执行svcutil.exe http://localhost:2674/TestService.svc?wsdl
这样我们可以得到客户端源码,加入到客户端程序中,并将同时生成的output.config中的数据复制到项目中的app.config中。为了使用安全措施,必须在该文件中心在behavior部分,该部分如下:
<behaviors>
<endpointBehaviors>
<behavior name="TestClientBehavior">
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="Custom" customCertificateValidatorType="SecurityWcf.Core.ClientX509CertificateValidator, SecurityWcf.Core"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
然后在客户端配置该behavior。客户端就可以使用证书验证了,在客户端程序中,我们创建一个factory类,创建连接对象,代码如下:
public static class ServerClientFactory {
public static TestServiceClient CreateServerClient(string password) {
TestServiceClient client = new TestServiceClient();
string path = System.IO.Path.GetFullPath("config/TestClient.pfx");
client.ClientCredentials.ClientCertificate.Certificate
= new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet);
return client;
}
}
这样,我们就可以方便的使用连接对象了。测试主程序如下:
class Program {
static void Main(string[] args) {
using (var context = ServerClientFactory.CreateServerClient("123456")) {
Console.WriteLine(context.GetSystemString());
}
}
}
执行,得到测试结果,如图所示:
这样,我们成功配置了使用证书文件的基于X509消息安全的wcf,最后给出整个测试项目下载:
点击下载此文件
