WCF 服务中的自定义证书验证 [英] Custom certificate validation in WCF service

问题描述

我想在我的 WCF 服务中检查客户端证书.

I want to check client certificates in my WCF service.

我的目标是只允许拥有带有特定指纹的证书的客户端能够与我的服务进行通信.

My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service.

我的 WCF 服务托管在 IIS 中，我使用的是 basicHttpBinding 和 security mode="transport"，凭据类型为Certificate".IIS 需要客户端证书才能与服务通信.

My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". IIS requires client certificates for communication with the service.

预先感谢您的帮助.

更新:我的配置:

<basicHttpBinding>
<binding 
             name="testBinding"
         maxReceivedMessageSize="2147483647">
         <readerQuotas 
                    maxDepth="2147483647"
                maxStringContentLength="2147483647"
                maxArrayLength="2147483647"
                maxBytesPerRead="2147483647"
                maxNameTableCharCount="2147483647" />
 <security mode="Transport">
              <transport clientCredentialType="Certificate"/> 
             </security>

</binding>
</basicHttpBinding>

行为:

<serviceBehaviors>
    <behavior name="SomeServiceBehavior">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="SomeService.CustomCertificateValidator,SomeService"  />
        </clientCertificate>
      </serviceCredentials>         
     </behavior> 
   </serviceBehaviors>

服务配置:

<service 
               behaviorConfiguration="SomeServiceBehavior"
               name="SomeService">
        <endpoint 
                  address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="testBinding"
                  contract="ISomeService">
        </endpoint>
      </service>

为了测试目的，我以这种方式实现了验证器:

And for test purpose I implemented validator in this way:

public class CustomCertificateValidator : X509CertificateValidator
    {
        public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
        {                
            throw new SecurityTokenValidationException("TEST Certificate was not issued by a trusted issuer TEST");
        }
    }

这行不通.我可以使用任何有效证书连接到我的服务.

And this doesn't work. I can connect to my service with any valid certificate.

推荐答案

您可以创建一个派生自 X509CertificateValidator 的类，并使用它对传入的证书进行自定义验证.如果您出于某种原因希望验证失败，则抛出 SecurityTokenValidationException.

You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. Throw an SecurityTokenValidationException if you want to fail validation for some reason.

将 certificateValidationMode 设置为 Custom 并在配置文件的 clientCertificate 服务行为部分指定您的验证器.

Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file.

如何:创建使用自定义证书验证器的服务

这篇关于WCF 服务中的自定义证书验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！