iPhone web service calls to WCF Service with Certificate Authentication


Question

We are a .Net shop that has standardized on WCF Services. We are in the process of developing an iPhone application that needs to make secure web services calls to obtain data for the app. To ensure secure communications we have enabled SSL on our web servers. But this does not ensure the service can only be consumed by authorized apps. We have configured our services to support x509 certificate authentication. Is it even possible to call a secure WCF service with certificate authentication from an iPhone app?

I have spent many hours searching the internet for examples but to no avail. I HAVE been able to successfully call an un-secure WCF service with no issues. I have also done a lot of research on the WS-Security and WS-Trust communications standards. I believe I understand how this should work. I am just having trouble piecing together the steps/objects within the iPhone frameworks I need to make this work.

Any thoughts and ideas on the subject would be greatly appreciated.

Also, any thoughts on any of the following:

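  1. How best to deploy the P12 certificate file with the iPhone app
  2. How best to protect the password for the P12 file within the app
  3. Is deploying the P12 file with the app a best practice
  4. Are there facilities within the iPhone frameworks to support this kind of secure communication? If not, what are alternative suggestions.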

Recommended answer

For starters, I'd say if you are really serious about security please dedicate the proper time and resources to it and treat it like a first class citizen in your feature list. Don't just "turn on SSL" and pretend things are secure. I'm not suggesting you are doing this or not doing this, but I just feel like I have to say it before proceeding.

That said, you probably already know that WS-* is all built on top of http requests, and any time you are doing loads of http requests, you'll probably find ASIHTTPRequest very helpful on the iPhone. However, that will not get you 100% of the way there.

From the iPhone's perspective you have:

  1. The URL loading system, which is a high level API for dealing with network resources of any kind
  2. The CFNetwork C API which is lower-level and allows you a great deal more control of encrypting streams and network traffic any way you see fit
  3. The Certificate, Key, and Trust Services that do the heavy lifting, and more specifically the X509 trust policies

On Macs you get to use Secure Transport, but as far as I know they haven't ported that to the device so I wouldn't get too distracted reading up on that unless you are planning on bringing this to the desktop or are just in the mood to learn everything :)

If you are doing any security with WCF, the first thing you probably realized is that there are many options available to you, but it all boils down to this short list:

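  1. Transport layer security (https) with clear-text messages (xml/json/...)
  2. Message layer security (encrypted message body) over an open transport (http)
  3. Secured messages over a secure transport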

The last time I was doing WCF (about a year ago) the general recommendation from Microsoft seemed to be Message layer security over an open transport because of firewall / accessibility issues introduced when trying to secure the transport. However, this approach assumed that all parties involved were .NET / WCF capable. I believe it would be easier to consume on the device if it were an HTTPS transport level security, with clear XML or JSON message bodies. That way you can take advantage of all the stuff baked into CFNetwork and NSHTTPRequest that Apple has done.

Once you get something working, you'll want to refer to the Enterprise Deployment Guide, and specifically the documentation on Over-the-Air Enrollment so that you can install the certificates on the devices. Remember, anything is possible, and don't be afraid to use one of those Apple support tickets that come with the program :)

I completely forgot to mention the GenericKeychain and CryptoExercise examples

Edit 2:

After I got downvoted for no apparent reason I re-read my response and realized I rambled a bit too much without actually answering your question about how to open a p12 file on the device. You ought to be able to simply [[UIApplication sharedApplication] openURL:urlToP12FileEitherLocalOrRemote] and have it kick out to the OS for the installation procedure.
