在基于互联网的wcf服务中，安全是非常重要的一环，在wcf中有着很多的安全模式，本次考虑在一个极限的服务器环境（比如虚拟主机）中配置使用证书文件配置自定义X509证书验证的消息安全模式。由于一般在这样的极限环境下，很难实现基于SSL的传输安全，因此我们考虑部署消息安全，同时服务器和客户端相互认证均使用X509证书。

首先我们创建两个证书，Microsoft Visual Studio 2008-->Visual Studio Tools-->Visual Studio 2008 命令提示行，进入控制台，然后分别创建服务器证书和客户端证书，如下：

1	`makecert -r -pe -n` `"CN=TestServer"` `-e 08/10/2020 -sky exchange -ss mymakecert -r -pe -n` `"CN=TestClient"` `-e 08/10/2020 -sky exchange -ss my`

执行之后如图:

然后进入证书管理将两个证书分别导出，导出的时候每个证书导出两次，分别导出为包含私钥的pfx文件和不包含私钥的cer文件，这样我们得到4个证书文件，我们命名为:TestServer.pfx,TestServer.cer,TestClient.pfx,TestClient.cer。

这部分如下图:

下面创建wcf服务端程序，

由于使用自定义证书认证，我们需要提供服务器端和客户端的认证程序，服务器端认证程序如下：

public class ServiceX509CertificateValidator : X509CertificateValidator {
    public override void Validate(X509Certificate2 certificate) {
        string path = HostingEnvironment.MapPath(WebConfig.ClientCertificate);
        if (!File.Exists(path)) {
            throw new FileNotFoundException(Path.GetFileName(path));
        }
        X509Certificate2 clientCertificate = new X509Certificate2(path);
        //This is the Client  Certificate Thumbprint,In Production,We can validate the Certificate With CA
        if (!certificate.Thumbprint.Equals(clientCertificate.Thumbprint, StringComparison.CurrentCultureIgnoreCase)) {
            throw new SecurityTokenException("Unknown Certificate");
        }
    }
}

客户端认证程序如下:

public class ClientX509CertificateValidator : X509CertificateValidator {
    public override void Validate(X509Certificate2 certificate) {
        //throw new NotImplementedException();
        if (certificate == null) {
            throw new ArgumentNullException("certificate");
        }
        string path = Path.GetFullPath(WebConfig.ServiceCertificate);
        if (!File.Exists(path)) {
            throw new FileNotFoundException(Path.GetFileName(path));
        }
        X509Certificate2 clientCertificate = new X509Certificate2(path);
        //This is the Client  Certificate Thumbprint,In Production,We can validate the Certificate With CA
        if (!certificate.Thumbprint.Equals(clientCertificate.Thumbprint, StringComparison.CurrentCultureIgnoreCase)) {
            throw new SecurityTokenException("Unknown Certificate");
        }
    }
}

这两个程序都是对证书的指纹进行验证。

下面开始对服务器端进行配置，首先建立新的Binding配置：

<bindings>
  <wsHttpBinding>
    <binding name="TestHttpBinding">
      <security mode="Message">
        <transport clientCredentialType="None"/>
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

然后修改Behavior配置：

<serviceBehaviors>
  <behavior name="SecurityWcf.Service.TestServiceBehavior">
    <serviceMetadata httpGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="false" />
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="Custom" customCertificateValidatorType="SecurityWcf.Core.ServiceX509CertificateValidator, SecurityWcf.Core"/>
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

最后将在当前测试服务加入binding配置

1	`<endpoint address=""` `binding="wsHttpBinding"` `contract="SecurityWcf.Service.ITestService"` `bindingConfiguration="TestHttpBinding">`

按照正常情况，程序需要配置服务器端证书，然而本文中由于采用了文件方式配置，因此必须使用程度动态处理，因此，我们创建了自己的ServiceHost，程序如下：

public class WcfServiceHostFactory : ServiceHostFactory {
    public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses) {
        ServiceHostBase host;
        Uri baseUri;
        if (!String.IsNullOrEmpty(WebConfig.ServiceUri) &&
            Uri.TryCreate(WebConfig.ServiceUri, UriKind.RelativeOrAbsolute, out baseUri)) {
            host = base.CreateServiceHost(constructorString, new Uri[] { baseUri });
        } else {
            host = base.CreateServiceHost(constructorString, baseAddresses);
        }
        if (WebConfig.EnableServiceCertificate) {
            string path = System.Web.Hosting.HostingEnvironment.MapPath(WebConfig.ServiceCertificate);
            if (!File.Exists(path)) {
                throw new FileNotFoundException(WebConfig.ServiceCertificate);
            }
            host.Credentials.ServiceCertificate.Certificate =
                new X509Certificate2(path, WebConfig.ServiceCertificatePassword, X509KeyStorageFlags.MachineKeySet);
        }
        return host;
    }
}

这部分将根据配置文件自动在服务中加入证书支持，为了使用该部分，需要修改服务的svc文件，在头部配置上该ServiceHost，如下：

1	`<%@ ServiceHost Language="C#"` `Debug="true"` `Service="SecurityWcf.Service.TestService"` `Factory="SecurityWcf.Core.WcfServiceHostFactory, SecurityWcf.Core"` `CodeBehind="TestService.svc.cs"` `%>`

然后在web.config中配置好证书路径，在服务器端，需要用到TestServer.pfx和TestClient.cer。这部分配置文件如下：

<appSettings>
  <add key="ServiceCertificate" value="~/config/TestServer.pfx"/>
  <add key="ServiceCertificatePassword" value="123456"/>
  <add key="EnableServiceCertificate" value="true"/>
  <add key="ClientCertificate" value="~/config/TestClient.cer"/>
</appSettings>

运行服务，如果没有错误提示，说明服务端已经成功运行，如图：

下面开始创建客户端程序，按照页面提示，我们来到vs command，执行svcutil.exe http://localhost:2674/TestService.svc?wsdl

这样我们可以得到客户端源码，加入到客户端程序中，并将同时生成的output.config中的数据复制到项目中的app.config中。为了使用安全措施，必须在该文件中心在behavior部分，该部分如下：

<behaviors>
  <endpointBehaviors>
    <behavior name="TestClientBehavior">
      <clientCredentials>
        <serviceCertificate>
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="SecurityWcf.Core.ClientX509CertificateValidator, SecurityWcf.Core"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

然后在客户端配置该behavior。客户端就可以使用证书验证了，在客户端程序中，我们创建一个factory类，创建连接对象，代码如下：

public static class ServerClientFactory {
    public static TestServiceClient CreateServerClient(string password) {
        TestServiceClient client = new TestServiceClient();
        string path = System.IO.Path.GetFullPath("config/TestClient.pfx");
        client.ClientCredentials.ClientCertificate.Certificate
            = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet);
        return client;
    }
}

这样，我们就可以方便的使用连接对象了。测试主程序如下：

class Program {
    static void Main(string[] args) {
        using (var context = ServerClientFactory.CreateServerClient("123456")) {
            Console.WriteLine(context.GetSystemString());
        }
    }
}