如何在C#中重写ServicePointManager.ServerCertificateValidationCallback时调用默认的证书检查? [英] How to call the default certificate check when overriding ServicePointManager.ServerCertificateValidationCallback in C#?
问题描述
我要信任某些自签名证书的应用程序,所以我重写校验回调是这样的:
I need to trust some self-signed certificates in the application, so I override validation callback like this:
ServicePointManager.ServerCertificateValidationCallback = MyRemoteCertificateValidationCallback;
...
public static bool MyRemoteCertificateValidationCallback(
Object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
if (IsAprrovedByMyApplication(sender, certificate)) // <-- no matter what the check here is
return true;
else
return false; // <-- here I'd like to call the default Windwos handler rather than returning 'false'
}
不过,当有是一些政策失误,而我连接到非认可的应用程序的网站,抛出异常。 这里的问题是,它不同于标准的Windows行为
But when there're some policy errors, and the site I am connecting to is not approved by application, the Exception is thrown. The problem here is that it differs from standard Windows behavior.
考虑一下这个网站: https://www.dscoduc.com/
这是证书未知的发行人,因此不可信。我将它与MMC的地方Copmuter的受信任人(这是Windows 7中)。
It's certificate has an unknown issuer, and therefore untrusted. I have added it with MMC to the Local Copmuter's Trusted People (it's Windows 7).
如果我运行此code无覆盖证书验证回调:
If I run this code without overriding certificate validation callback:
HttpWebRequest http = (HttpWebRequest)HttpWebRequest.Create("https://www.dscoduc.com/");
using (WebResponse resp = http.GetResponse())
{
using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
{
string htmlpage = sr.ReadToEnd();
}
}
连接成功。 这意味着Windows默认验证器决定信任此证书。
但是,一旦我重写ServerCertificateValidationCallback,我的回调函数调用的 SslPolicyErrors.RemoteCertificateChainErrors 的 和链包含了状态一个元素的 X509ChainStatusFlags.PartialChain 的(其实我也想到会在这里收到任何错误,监守当前证书应该是可信的)
But once I override the ServerCertificateValidationCallback, my callback is called with SslPolicyErrors.RemoteCertificateChainErrors and the chain contains one element with status X509ChainStatusFlags.PartialChain (in fact I would expect to receive no errors here, becuase current cert is supposed to be trusted)
本网站不包含在我的信任列表中,并且不希望从我的回调返回真。 但我不希望返回'假'没有,否则我会得到一个异常:,这显然不是预期的 https://www.dscoduc.com/ ,监守它添加到信任的人商店,以及由Windows批准证书时,回调不覆盖。 所以,我希望Windows采取了默认的验证程序,这个网站。我不想寻找到可信的Windows商店自己去完成所有链元素,因为它已经(希望正确)在Windows中实现的。
This site is not included in my trusted list, and do not want to return 'true' from my callback. But I don't want to return 'false' neither, or I'll get an Exception: "The remote certificate is invalid according to the validation procedure", which is obviously not expected for https://www.dscoduc.com/, becuase it's added to Trusted People store, and is approved by Windows when certificate callback is not overriden. So I want Windows to take the default validation procedure for this site. I don't want to look into Windows Trusted stores myself and go through all the chain elements, because it's already (and hopefully correctly) implemented in Windows.
换句话说,我需要明确信任的网站用户(至极的地方保存在他的设置)approvied,并调用默认的认证检查所有其他人。
有关ServicePointManager.ServerCertificateValidationCallback的默认值为空,因此没有默认的回调让我再打。 我应该怎么称呼这种默认证书处理?
The default value for ServicePointManager.ServerCertificateValidationCallback is null, so there's no 'default' callback for me to call later. How should I call this 'default' certificate handler?
感谢
推荐答案
这是比你想从你的回调中走链不那么困难。
It's less difficult than you think to walk the chain from within your callback.
看一看的http:// MSDN .microsoft.com / EN-US /库/ dd633677(V = EXCHG.80)的.aspx
在code表示样品中检查证书链工作,如果该证书是自签名的,如果是这样,相信它。你可以适应,要接受 PartialChain
代替或为好。你会希望做这样的事情:
The code in that sample examines the certificate chain to work out if the certificate is self-signed and if so, trust it. You could adapt that to accept a PartialChain
instead or as well. You'd be looking to do something like this:
if (status.Status == X509ChainStatusFlags.PartialChain ||
(certificate.Subject == certificate.Issuer &&
status.Status == X509ChainStatusFlags.UntrustedRoot)
{
// Certificates with a broken chain and
// self-signed certificates with an untrusted root are valid.
continue;
}
else if (status.Status != X509ChainStatusFlags.NoError)
{
// If there are any other errors in the certificate chain,
// the certificate is invalid, so the method returns false.
return false;
}
另外,检查主题
属性:
private static bool CertificateValidationCallBack(
object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
return certificate.Subject.Contains(".dsoduc.com");
}
这篇关于如何在C#中重写ServicePointManager.ServerCertificateValidationCallback时调用默认的证书检查?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!