UWP上的证书固定 [英] Certificate Pinning on UWP

问题描述

我们有一个Xamarin.Forms项目，当前使用.NET Standard 2.0为共享项目为Android，iOS和UWP进行编译.

We have a Xamarin.Forms project that is currently compiled for Android, iOS and UWP using .NET Standard 2.0 for the shared project.

通信是通过WCF服务合同进行的.

The communications is performed through a WCF Service Contract.

为了固定证书，我们根据示例实现了以下代码.确保在项目属性下使用必需的HttpClient实现后，此方法在Android和iOS上可以正常使用.

In order to pin the certificate we implemented the following code as per examples. This works correctly on Android and iOS after making sure that are using the necessary HttpClient implementations under their project properties.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

private bool ValidateServerCertificate(object sender,
                                       X509Certificate certificate,
                                       X509Chain chain,
                                       SslPolicyErrors sslPolicyErrors)
{
    // Make sure we have a certificate to check.
    if (certificate == null)
    {
        return false;
    }

    if (sslPolicyErrors != SslPolicyErrors.None)
    {
        return false;
    }

    return this.KnownKeys.Contains(certificate.GetCertHashString(), 
                                   StringComparer.Ordinal);
}

UWP但是事实证明它很顽固.我无法在通讯的任何阶段触发回调.

UWP however is proving to be rather stubborn. I am unable to get the callback to fire at any stage of the communications.

我还研究了实现我们自己的X509CertificateValidator并将其提供给WCF配置，但这也无济于事.

I have also looked in to implementing our own X509CertificateValidator and supplying it to the WCF config however that also does nothing.

问题

1. 我是否需要/可以在UWP下指定HttpClient实现，就像可以解决Android和iOS那样?
2. 我目前还缺少另一种方法吗?

1. Do I need to/Am I able to specify a HttpClient implementation under UWP much like you can for Android and iOS that will fix this?
2. Is there another approach that I am currently missing?

推荐答案

我建议您使用 HttpBaseProtocolFilter 实例，可以订阅 HttpBaseProtocolFilter.ServerCustomValidationRequested 事件.在此事件处理程序中，您可以执行服务器SSL证书的额外验证(除操作系统默认设置外).

I would suggest you to use the HttpBaseProtocolFilter Class in the Windows.Web.Http Namespace in you UWP app. With the HttpBaseProtocolFilter instance, you can subscribe HttpBaseProtocolFilter.ServerCustomValidationRequested event. In this event handler, you can perform extra validation (in addition to the OS default) of the server SSL certificate.

这篇关于UWP上的证书固定的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！