How to use certificate callback in SslStream.AuthenticateAsClient method?


Problem description


My C#.NET SSL connection works when I import the certificate manually in IE (Tools/Internet Options/Content/Certificates), but how can I load the certificate by code? Here is my code:

TcpClient client = new TcpClient(ConfigManager.SSLSwitchIP, Convert.ToInt32(ConfigManager.SSLSwitchPort));

SslStream sslStream = new SslStream(
    client.GetStream(),
    false,
    new RemoteCertificateValidationCallback(ValidateServerCertificate),
    null
    );
sslStream.AuthenticateAsClient("Test");


The above code works fine if I import my certificate file manually in Internet Explorer. But if I remove my certificate from IE and use the following code instead, I get an Authentication exception:

sslStream.AuthenticateAsClient("Test", GetX509CertificateCollection(), SslProtocols.Default, false);


and here is the 'GetX509CertificateCollection' method:

public static X509CertificateCollection GetX509CertificateCollection()
{
    X509Certificate2 certificate1 = new X509Certificate2("c:\\ssl.txt");
    X509CertificateCollection collection1 = new X509CertificateCollection();
    collection1.Add(certificate1);
    return collection1;
}


What should I do to load my certificate dynamically?

Recommended answer


To build upon owlstead's answer, here's how I use a single CA certificate and a custom chain in the verification callback to avoid Microsoft's store.


I have not figured out how to use this chain (chain2 below) by default such that there's no need for the callback. That is, install it on the SSL socket and the connection will "just work". And I have not figured out how to install it such that it's passed into the callback. That is, I have to build the chain for each invocation of the callback. I think these are architectural defects in .NET, but I might be missing something obvious.


The name of the function does not matter. Below, VerifyServerCertificate is the same callback as RemoteCertificateValidationCallback. You can also use it for the ServerCertificateValidationCallback in ServicePointManager.

using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static bool VerifyServerCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    try
    {
        String CA_FILE = "ca-cert.der";
        X509Certificate2 ca = new X509Certificate2(CA_FILE);

        // Make our CA available to the chain builder
        X509Chain chain2 = new X509Chain();
        chain2.ChainPolicy.ExtraStore.Add(ca);

        // Check all properties
        chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        // This setup does not have revocation information
        chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Build the chain from the certificate the server presented
        chain2.Build(new X509Certificate2(certificate));

        // Are there any failures from building the chain?
        if (chain2.ChainStatus.Length == 0)
            return true;

        // If there are statuses, every one of them must be NoError.
        // (Checking only ChainStatus[0] would let later errors through.)
        foreach (X509ChainStatus status in chain2.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError)
                return false;
        }

        return true;
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
    }

    return false;
}
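A complete client built on the answer's approach, as an added example and not the poster's code: the callback uses X509ChainTrustMode.CustomRootTrust (available on .NET 5 and later, not on .NET Framework) so the machine store is bypassed entirely, relies on Build's return value to reject any non-NoError chain status, and additionally pins the chain's root to the supplied CA. The CA file name, host, port and target name are constructed assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class PinnedCaClient
{
    // Hypothetical path: the single CA allowed to issue the server certificate.
    const string CaFile = "ca-cert.der";

    // Accept the server only if its certificate chains to our CA; machine roots are ignored.
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null) return false;
        // Chain errors are expected (our CA is not in the system store); name mismatch etc. are fatal.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;

        using var ca = new X509Certificate2(CaFile);
        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.Add(ca);
        custom.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CA: no CRL/OCSP

        // Intermediates the server sent are reachable through 'chain'; offer them to the builder.
        if (chain != null)
            foreach (X509ChainElement element in chain.ChainElements)
                custom.ChainPolicy.ExtraStore.Add(element.Certificate);

        using var leaf = new X509Certificate2(certificate);
        if (!custom.Build(leaf)) return false; // false whenever any ChainStatus is not NoError

        // Belt and braces: the built chain must end at exactly our CA, not just "some" trusted root.
        X509Certificate2 root = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == ca.Thumbprint;
    }

    static void Connect(string host, int port, string targetName)
    {
        using var client = new TcpClient(host, port);
        using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
        // targetName must match the server certificate's subject alternative name; TLS 1.2+ only.
        ssl.AuthenticateAsClient(targetName, null, SslProtocols.Tls12 | SslProtocols.Tls13, false);
        Console.WriteLine($"{ssl.SslProtocol} to {ssl.RemoteCertificate?.Subject}");
    }

    static void Main() => Connect("switch.example.internal", 8443, "switch.example.internal");
}
```

On .NET 7 and later the same X509ChainPolicy can be assigned to SslClientAuthenticationOptions.CertificateChainPolicy and passed to AuthenticateAsClient, so the chain no longer has to be rebuilt in every callback invocation, which is the limitation the answer describes.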
