Read SSL Certificate Details on WP8

Problem description

I want to read certificate details (e.g. expiration date or CN) for security reasons.

Usually there are some properties available in network classes that allow checking the certificate. This is missing in WP8 implementations.

Also, I tried to create an SslStream, but there is also no way to get any certificate detail like the RemoteCertificate on .NET 4.5.

var sslStream = new SslStream(new NetworkStream(e.ConnectSocket));

The SslStream is missing everything relating to security. So it looks like BouncyCastle and other libraries also cannot get the certificate, because the underlying framework doesn't support it.

So my questions are:

  1. Can I read the CN or other certificate details on WP8 using other approaches?
  2. If not, how can you then create seriously secure apps (like banking) on WP8 using techniques like SSL pinning or client-side certificate validation, and is there any reason why this is not supported in WP8?

Regards, Holger

Recommended answer

On Windows Phone 8.1 this can be done with HttpClient, as well as with StreamSocket (as Mike suggested).
An example of certificate validation with StreamSocket can be found here (Scenario5_Certificate in source code).

Certificate validation with HttpClient can be done by handling the ERROR_INTERNET_INVALID_CA exception, validating the server certificate using the HttpTransportInformation class, creating a new instance of the HttpBaseProtocolFilter class and specifying the errors to ignore.

Note that not all the errors are ignorable. You will receive an exception if you try to add the Success, Revoked, InvalidSignature, InvalidCertificateAuthorityPolicy, BasicConstraintsError, UnknownCriticalExtension or OtherErrors enum values.

I'm adding sample code that bypasses certificate errors using HttpClient:

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

namespace Example.App
{
    public class HttpsHandler
    {
        private const int ERROR_INTERNET_INVALID_CA = -2147012851; // 0x80072f0d

        public static async void HttpsWithCertificateValidation()
        {
            Uri resourceUri;
            if (!Uri.TryCreate("https://www.pcwebshop.co.uk/", UriKind.Absolute, out resourceUri))
                return;

            IReadOnlyList<ChainValidationResult> serverErrors = await DoGet(null, resourceUri);
            if (serverErrors != null)
            {
                HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
                foreach (ChainValidationResult value in serverErrors)
                {
                    try {
                        filter.IgnorableServerCertificateErrors.Add(value);
                    } catch (Exception ex) {
                        // Note: the following values can't be ignorable:
                        //       Success Revoked InvalidSignature InvalidCertificateAuthorityPolicy
                        //       BasicConstraintsError UnknownCriticalExtension OtherErrors
                        Debug.WriteLine(value + " can't be ignorable");
                    }
                }

                await DoGet(filter, resourceUri);
            }
        }

        private static async Task<IReadOnlyList<ChainValidationResult>> DoGet(HttpBaseProtocolFilter filter, Uri resourceUri)
        {
            HttpClient httpClient;
            if (filter != null)
                httpClient = new HttpClient(filter);
            else
                httpClient = new HttpClient();

            HttpRequestMessage requestMessage = new HttpRequestMessage(HttpMethod.Get, resourceUri);
            bool hadCertificateException = false;
            HttpResponseMessage response;
            String responseBody;

            try {
                response = await httpClient.SendRequestAsync(requestMessage);
                response.EnsureSuccessStatusCode();
                responseBody = await response.Content.ReadAsStringAsync();
            } catch (Exception ex) {
                hadCertificateException = ex.HResult == ERROR_INTERNET_INVALID_CA;
            }

            return hadCertificateException ? requestMessage.TransportInformation.ServerCertificateErrors : null;
        }
    }
}
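
For the pinning use case raised in the question, the same HttpTransportInformation object can be used to read the certificate details and fail closed instead of ignoring errors. The following is an added example, not part of the original answer; the class name PinnedHttps, the method GetPinnedAsync and the fingerprint placeholder are assumptions made for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;

namespace Example.App
{
    public static class PinnedHttps   // hypothetical helper, not from the answer
    {
        // Placeholder: hex SHA-256 fingerprint of the certificate you expect.
        private const string PinnedSha256Hex = "<EXPECTED-SHA256-FINGERPRINT-HEX>";

        // Sends a GET and returns the body only if the server certificate
        // passed platform validation AND matches the pinned fingerprint.
        public static async Task<string> GetPinnedAsync(Uri resourceUri)
        {
            using (var httpClient = new HttpClient())
            using (var request = new HttpRequestMessage(HttpMethod.Get, resourceUri))
            // Stop after the headers so the body is not read before the check.
            using (HttpResponseMessage response = await httpClient.SendRequestAsync(
                       request, HttpCompletionOption.ResponseHeadersRead))
            {
                // An untrusted chain makes SendRequestAsync throw; no filter with
                // IgnorableServerCertificateErrors is used, so this fails closed.
                HttpTransportInformation info = request.TransportInformation;
                Certificate cert = info.ServerCertificate;
                if (cert == null || info.ServerCertificateErrors.Count != 0)
                    throw new InvalidOperationException("Server certificate not validated.");

                // The details the question asks for: subject name and validity dates.
                string subject = cert.Subject;
                DateTimeOffset now = DateTimeOffset.Now;
                if (cert.ValidFrom > now || cert.ValidTo <= now)
                    throw new InvalidOperationException(
                        "Certificate for " + subject + " is outside its validity period.");

                // Compare the SHA-256 fingerprint with the pinned value.
                byte[] hash = cert.GetHashValue("SHA256");
                string actualHex = CryptographicBuffer.EncodeToHexString(
                    CryptographicBuffer.CreateFromByteArray(hash));
                if (!string.Equals(actualHex, PinnedSha256Hex, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException("Pin mismatch for " + subject + ".");

                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync();
            }
        }
    }
}
```

The check runs after the request has already been sent, so make the first call to a host a request that carries no credentials or other secrets.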
