iPhone web service calls to WCF Service with Certificate Authentication

Question

We are a .Net shop that has standardized on WCF Services. We are in the process of developing an iPhone application that needs to make secure web services calls to obtain data for the app. To ensure secure communications we have enabled SSL on our web servers. But this does not ensure the service can only be consumed by authorized apps. We have configured our services to support x509 certificate authentication. Is it even possible to call a secure WCF service with certificate authentication from an iPhone app?

I have spent many hours searching the internet for examples but to no avail. I HAVE been able to successfully call an un-secure WCF service with no issues. I have also done a lot of research on the WS-Security and WS-Trust communications standards. I believe I understand how this should work. I am just having trouble piecing together the steps/objects within the iPhone frameworks I need to make this work.

Any thoughts and ideas on the subject would be greatly appreciated.

Also, any thoughts on any of the following:

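  1. How best to deploy the P12 certificate file with the iPhone app
  2. How best to secure the password for the P12 file within the app
  3. Whether deploying the P12 file with the app is a best practice
  4. Is there any functionality in the iPhone frameworks that supports this kind of secure communication? If not, what would be the alternative suggestions.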

Recommended answer

For starters, I'd say if you are really serious about security please dedicate the proper time and resources to it and treat it like a first class citizen in your feature list. Don't just "turn on SSL" and pretend things are secure. I'm not suggesting you are doing this or not doing this, but I just feel like I have to say it before proceeding.

That said, you probably already know that WS-* is all built on top of http requests, and any time you are doing loads of http requests, you'll probably find ASIHTTPRequest very helpful on the iPhone. However, that will not get you 100% of the way there.

From the iPhone's perspective you have:

  1. The URL loading system, which is a high level API for dealing with network resources of any kind
  2. The CFNetwork C API which is lower-level and allows you a great deal more control of encrypting streams and network traffic any way you see fit
  3. The Certificate, Key, and Trust Services that do the heavy lifting, and more specifically the X509 trust policies

On Macs you get to use Secure Transport, but as far as I know they haven't ported that to the device so I wouldn't get too distracted reading up on that unless you are planning on bringing this to the desktop or are just in the mood to learn everything :)

If you are doing any security with WCF, the first thing you probably realized is that there are many options available to you, but it all boils down to this short list:

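  1. Transport layer security (https) with clear-text messages (xml/json/...)
  2. Message layer security (encrypted message body) over an open transport (http)
  3. Secure messages over a secure transport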

The last time I was doing WCF (about a year ago) the general recommendation from Microsoft seemed to be Message layer security over an open transport because of firewall / accessibility issues introduced when trying to secure the transport. However, this approach assumed that all parties involved were .NET / WCF capable. I believe it would be easier to consume on the device if it were an HTTPS transport level security, with clear XML or JSON message bodies. That way you can take advantage of all the stuff baked into CFNetwork and NSHTTPRequest that Apple has done.

Once you get something working, you'll want to refer to the Enterprise Deployment Guide, and specifically the documentation on Over-the-Air Enrollment so that you can install the certificates on the devices. Remember, anything is possible, and don't be afraid to use one of those Apple support tickets that come with the program :)

I completely forgot to mention the GenericKeychain and CryptoExercise examples

After I got downvoted for no apparent reason I re-read my response and realized I rambled a bit too much without actually answering your question about how to open a p12 file on the device. You ought to be able to simply [[UIApplication sharedApplication] openURL:urlToP12FileEitherLocalOrRemote] and have it kick out to the OS for the installation procedure.
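
Added example (not part of the original answer or of any project's code): presenting an X.509 client identity from a P12 file during an HTTPS handshake, using the URL loading system (here `NSURLSession`) together with the Certificate, Key, and Trust Services named in the answer. The class name `ClientCertSessionDelegate` and its initializer are hypothetical; the P12 data and passphrase are assumed to be supplied by the caller (for example read from the Keychain) rather than hardcoded in the app.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate: answers TLS client-certificate challenges with an
// identity imported from PKCS#12 data. Compile with ARC.
@interface ClientCertSessionDelegate : NSObject <NSURLSessionDelegate>
- (instancetype)initWithPKCS12Data:(NSData *)p12 passphrase:(NSString *)passphrase;
@end

@implementation ClientCertSessionDelegate {
    NSURLCredential *_credential; // stays nil if the import fails
}

- (instancetype)initWithPKCS12Data:(NSData *)p12 passphrase:(NSString *)passphrase {
    if ((self = [super init])) {
        NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
        CFArrayRef items = NULL;
        OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12,
                                          (__bridge CFDictionaryRef)options, &items);
        if (status == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
            NSDictionary *first = ((__bridge NSArray *)items)[0];
            // The identity pairs the client certificate with its private key.
            SecIdentityRef identity =
                (__bridge SecIdentityRef)first[(__bridge id)kSecImportItemIdentity];
            _credential = [NSURLCredential credentialWithIdentity:identity
                                                     certificates:nil
                                                      persistence:NSURLCredentialPersistenceForSession];
        }
        if (items != NULL) CFRelease(items);
    }
    return self;
}

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *))completionHandler {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        if (_credential != nil) {
            completionHandler(NSURLSessionAuthChallengeUseCredential, _credential);
        } else {
            // No usable identity: cancel instead of proceeding unauthenticated.
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        }
        return;
    }
    // Server trust and all other challenges keep the system's default validation.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
@end
```

Pass an instance as the delegate when creating the `NSURLSession`; the server certificate is still validated by the system because only the client-certificate challenge is overridden.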
