WCF Certificates without Certificate Store


Problem description

My team is developing a number of WPF plug-ins for a 3rd party thick client application. The WPF plug-ins use WCF to consume web services published by a number of TIBCO services. The thick client application maintains a separate central data store and uses a proprietary API to access the data store. The thick client and WPF plug-ins are due to be deployed onto 10,000 workstations. Our customer wants to keep the certificate used by the thick client in the central data store so that they don't need to worry about re-issuing the certificate (current re-issue cycle takes about 3 months) and also have the opportunity to authorise the use of the certificate. The proposed architecture offers a form of shared secret / authentication between the central data store and the TIBCO services.

Whilst I don't necessarily agree with the proposed architecture, our team is not able to change it and must work with what's been provided.

Basically, our client wants us to build into our WPF plug-ins a mechanism which retrieves the certificate from the central data store (which will be allowed or denied based on roles in that data store) into memory, then uses the certificate for creating the SSL connection to the TIBCO services. No use of the local machine's certificate store is allowed, and the in-memory version is to be discarded at the end of each session.

So the question is: does anyone know if it is possible to pass an in-memory certificate to a WCF (.NET 3.5) service for SSL transport-level encryption?

Note: I had asked a similar question (here) but have since deleted it and re-asked it with more information.

Recommended answer

It is possible. We do something similar with Mutual Certificate Auth - the service certificate and in some cases the client certificate are picked up from a central authority as part of an auto-discovery/single-sign-on mechanism.

It's not entirely clear in what context the certificate will be used, but in all cases what you need to do is define your own behavior and behavior element deriving from the particular behavior/element in the System.ServiceModel.Description namespace that takes the certificate. I'll assume for the time being that it's a client credential. First you have to write the behaviour, which goes something like this:

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public class MyCredentials : ClientCredentials
{
    public MyCredentials() { }
    // Copy constructor used by CloneCore; base(other) copies the standard credential settings
    protected MyCredentials(MyCredentials other) : base(other) { }

    public override void ApplyClientBehavior(ServiceEndpoint endpoint,
        ClientRuntime behavior)
    {
        // Assuming GetCertificateFromNetwork retrieves from CDS
        ClientCertificate.Certificate = GetCertificateFromNetwork();
        base.ApplyClientBehavior(endpoint, behavior);
    }

    // WCF clones the credentials when it builds the channel factory; the clone must keep this type
    protected override ClientCredentials CloneCore()
    {
        return new MyCredentials(this);
    }

    // Site-specific retrieval from the central data store; not shown in the answer
    private X509Certificate2 GetCertificateFromNetwork() { throw new NotImplementedException(); }
}

Now you need to create an element that can go in the XML configuration:

using System;
using System.ServiceModel.Configuration;

public class MyCredentialsExtensionElement : ClientCredentialsElement
{
    protected override object CreateBehavior()
    {
        MyCredentials credentials = new MyCredentials();
        // Apply any standard <clientCredentials> settings from the config section (e.g. serviceCertificate)
        ApplyConfiguration(credentials);
        return credentials;
    }

    public override Type BehaviorType
    {
        get { return typeof(MyCredentials); }
    }

    // Snip other overrides like Properties
}

After this you can add the policy to your WCF config:

<behaviors>
    <endpointBehaviors>
        <behavior name="MyEndpointBehavior">
            <myCredentials/>
        </behavior>
    </endpointBehaviors>
</behaviors>

Edit: Almost forgot to mention, you need to register the extension:

<system.serviceModel>
    <extensions>
        <behaviorExtensions>
            <add name="myCredentials"
                 type="MyAssembly.MyCredentialsExtensionElement, MyAssembly,
                       Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </behaviorExtensions>
    </extensions>
</system.serviceModel>

Hope that helps. If you need more details on the arrangement of all of these classes and what's going on behind the scenes, try reading Extending WCF with Custom Behaviors.
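As an added example (not code from the answer above, nor from any WCF or TIBCO project), the same idea wired up programmatically for transport-level SSL with a client certificate, with the certificate handed in by a loader delegate and released at the end of the session. ITibcoService, InMemoryCredentials, FetchFromCentralStore, the password and the endpoint URL are assumptions; the comment in LoadFromBytes records where the private key actually lives on .NET Framework, which matters for the "no local store" requirement.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical stand-in for the TIBCO web service contract.
[ServiceContract] public interface ITibcoService { [OperationContract] string Ping(string message); }

// Client credentials that take the certificate from a caller-supplied loader instead of a store.
public class InMemoryCredentials : ClientCredentials
{
    private readonly Func<X509Certificate2> loader;
    public InMemoryCredentials(Func<X509Certificate2> loader) { this.loader = loader; }
    protected InMemoryCredentials(InMemoryCredentials other) : base(other) { loader = other.loader; }

    public override void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime behavior)
    {
        ClientCertificate.Certificate = loader();
        base.ApplyClientBehavior(endpoint, behavior);
    }
    // WCF clones credentials while building the factory; the clone must carry the loader too.
    protected override ClientCredentials CloneCore() { return new InMemoryCredentials(this); }
}

public static class Program
{
    // Hypothetical hook for the proprietary central-data-store API; returns PFX bytes.
    static byte[] FetchFromCentralStore() { throw new NotImplementedException("site-specific"); }

    public static X509Certificate2 LoadFromBytes(byte[] pfx, string password)
    {
        // Nothing is written to the Windows certificate store, but on .NET Framework the private
        // key still passes through a temporary CSP key container in the user profile (deleted when
        // the certificate is released). Truly in-memory keys need EphemeralKeySet (.NET 4.7.2+).
        return new X509Certificate2(pfx, password, X509KeyStorageFlags.DefaultKeySet);
    }

    public static void Main()
    {
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        ChannelFactory<ITibcoService> factory = new ChannelFactory<ITibcoService>(
            binding, new EndpointAddress("https://tibco.example.invalid/svc")); // placeholder URL

        X509Certificate2 cert = LoadFromBytes(FetchFromCentralStore(), "pfx-password"); // placeholder
        factory.Endpoint.Behaviors.Remove<ClientCredentials>();   // replace the default credentials
        factory.Endpoint.Behaviors.Add(new InMemoryCredentials(() => cert));
        ITibcoService client = factory.CreateChannel();
        try { Console.WriteLine(client.Ping("hello")); ((IClientChannel)client).Close(); }
        finally { factory.Close(); cert.Reset(); } // end of session: release the key material
    }
}
```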
