在WCF服务中的自定义证书验证 [英] Custom certificate validation in WCF service

问题描述

我想在我的WCF服务中检查客户端证书。

I want to check client certificates in my WCF service.

我的目标是只允许具有特定指纹的证书的客户端能够与我的服务通信。

My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service.

我的WCF服务托管在IIS中，我使用basicHttpBinding和安全模式=transport与凭据类型证书。 IIS需要客户端证书与服务通信。

My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". IIS requires client certificates for communication with the service.

提前感谢您的帮助。

更新：
我的配置：

UPDATE: My configuration:

<basicHttpBinding>
<binding 
             name="testBinding"
         maxReceivedMessageSize="2147483647">
         <readerQuotas 
                    maxDepth="2147483647"
                maxStringContentLength="2147483647"
                maxArrayLength="2147483647"
                maxBytesPerRead="2147483647"
                maxNameTableCharCount="2147483647" />
 <security mode="Transport">
              <transport clientCredentialType="Certificate"/> 
             </security>

</binding>
</basicHttpBinding>

行为：

<serviceBehaviors>
    <behavior name="SomeServiceBehavior">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="SomeService.CustomCertificateValidator,SomeService"  />
        </clientCertificate>
      </serviceCredentials>         
     </behavior> 
   </serviceBehaviors>

服务配置：

<service 
               behaviorConfiguration="SomeServiceBehavior"
               name="SomeService">
        <endpoint 
                  address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="testBinding"
                  contract="ISomeService">
        </endpoint>
      </service>

为了测试目的，我以这种方式实现了验证器：

And for test purpose I implemented validator in this way:

public class CustomCertificateValidator : X509CertificateValidator
    {
        public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
        {                
            throw new SecurityTokenValidationException("TEST Certificate was not issued by a trusted issuer TEST");
        }
    }

我可以使用任何有效的证书连接到我的服务。

And this doesn't work. I can connect to my service with any valid certificate.

推荐答案

您可以创建一个派生自X509CertificateValidator的类，验证传入证书。

You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. Throw an SecurityTokenValidationException if you want to fail validation for some reason.

将certificateValidationMode设置为Custom，并在配置文件的clientCertificate服务行为部分指定您的验证器。

Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file.

如何：创建使用自定义证书验证程序的服务

这篇关于在WCF服务中的自定义证书验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！