【WCF】使用数字证书加密通讯
2012-02-01 10:39
417 查看
【WCF】使用数字证书加密通讯
WCF使用证书非常简便,很多事情WCF都帮做好了,例如证书的检查,证书链的检查,加密解密消息的过程等,甚至证书交换和分发也帮搞定了。配置使用证书大致就下面这几个步骤:1. 分别给服务端和客户端申请数字证书,安装在各自的私人证书库(Personal)中。客户端启动后,WCF会默认到该库查找WCF客户端的数字证书。
2. 将服务端的数字证书导出,安装到客户端系统的可信人员证书库(Trusted People)中。客户端启动后,WCF默认会到该库查找WCF服务的数字证书。
3. 服务宿主配置文件修改如下。
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation debug="true" />
</system.web>
<system.serviceModel>
<services>
<service name="CertificateTest.Service.CalService"
behaviorConfiguration="CalServiceBeConfig">
<host>
<baseAddresses>
<add baseAddress = "http://localhost:8888/" />
</baseAddresses>
</host>
<endpoint address ="CalService"
binding="wsHttpBinding"
contract="CertificateTest.Contract.ICalService">
<identity>
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="CalServiceBeConfig" >
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="False" />
<serviceCredentials>
<serviceCertificate findValue="d7a95083f6c5d13c20e6a962d338a2ebea055c9c"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindByThumbprint"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
4. 客户端配置文件如下。Behavior中加了个clientVia是为了进行消息跟踪。
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<!--Behaviors Configuration-->
<behaviors>
<endpointBehaviors>
<behavior name="clientBeh">
<clientVia viaUri="http://localhost:8080/CalService"></clientVia>
<clientCredentials>
<!--以证书指纹作为条件在私人证书库中搜索证书-->
<clientCertificate
findValue="ffd01fef0293e479a3d170a141522e8ce1fdded4"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindByThumbprint"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<!--Client Configuration-->
<client>
<endpoint address="http://192.168.1.167:8888/CalService"
binding="wsHttpBinding"
contract="CertificateTest.Contract.ICalService"
behaviorConfiguration="clientBeh"
name="defaultEP">
</endpoint>
</client>
</system.serviceModel>
</configuration>
关于客户端证书配置,不用显式指定证书的位置,甚至不用指定使用数字证书也是可以的,只要把客户端证书导入到私人证书库里就可以了。WCF会自动协商使用证书,并到上面提到证书库中去查找证书进行交换。配置如下所示:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<!--Behaviors Configuration-->
<behaviors>
<endpointBehaviors>
<behavior name="clientBeh">
<clientVia viaUri="http://localhost:8080/CalService"></clientVia>
</behavior>
</endpointBehaviors>
</behaviors>
<!--Client Configuration-->
<client>
<endpoint address="http://192.168.1.167:8888/CalService"
binding="wsHttpBinding"
contract="CertificateTest.Contract.ICalService"
behaviorConfiguration="clientBeh"
name="defaultEP">
</endpoint>
</client>
</system.serviceModel>
</configuration>
下面是源码,很简单的加法例子。
WCF契约部分代码:
using System;
using System.Runtime.Serialization;
using System.ServiceModel;
namespace CertificateTest.Contract
{
[ServiceContract]
public interface ICalService
{
[OperationContract]
int Add(int a, int b);
}
}
WCF服务器部分代码:
using System;
using System.Runtime.Serialization;
using System.ServiceModel;
using CertificateTest.Contract;
namespace CertificateTest.Service
{
public class CalService : ICalService
{
public int Add(int a, int b)
{
return a + b;
}
}
}
WCF宿主部分代码:
using System;
using System.ServiceModel;
using CertificateTest.Service;
using CertificateTest.Contract;
namespace CertificateTest.Host
{
class Program
{
static void Main(string[] args)
{
using (ServiceHost host
= new ServiceHost(typeof(CertificateTest.Service.CalService)))
{
host.Opened+=delegate
{
Console.WriteLine("The service is openning.");
};
host.Open();
Console.Read();
}
}
}
}
WCF客户端部分代码:
using System;
using System.ServiceModel;
using CertificateTest.Contract;
namespace CertificateTest.Client
{
class Program
{
static void Main(string[] args)
{
using (CalClient client = new CalClient())
{
Console.WriteLine("100+200={0}", client.Add(100, 200));
}
}
}
class CalClient : ClientBase<ICalService>, ICalService
{
public CalClient()
: base()
{ }
public int Add(int a, int b)
{
return this.Channel.Add(a, b);
}
}
}
下面是用星际强度密钥加密后的SOAP消息密文,用tcpTrace抓的。
HTTP/1.1 200 OK
Content-Length: 2858
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-HTTPAPI/1.0
Date: Thu, 29 Jan 2009 15:55:03 GMT
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel</a:Action>
<a:RelatesTo u:Id="_2">urn:uuid:58e87213-f5cc-4541-9d45-0a880db9ed24</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-3393524a-cd23-4a9b-8dde-01bf7d124715-72">
<u:Created>2009-01-29T15:55:03.390Z</u:Created>
<u:Expires>2009-01-29T16:00:03.390Z</u:Expires>
</u:Timestamp>
<c:DerivedKeyToken u:Id="uuid-3393524a-cd23-4a9b-8dde-01bf7d124715-67" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference URI="urn:uuid:74031c45-64e6-4dd2-afaf-d351503f8557" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>RhG3GrRz7LzSyQG2J6y4QQ==</c:Nonce>
</c:DerivedKeyToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>BXF6YVgC7GaFcATWlFL6EsPDNMk=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>Co+CdLM6yrXJYKmiLC3jm2Mbk1E=</DigestValue>
</Reference>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>lP2tDfmzac97N49n0kAJ/q55Qd0=</DigestValue>
</Reference>
<Reference URI="#uuid-3393524a-cd23-4a9b-8dde-01bf7d124715-72">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>zSNOO+zcFHJ+By95A6rYCASaODE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>p6WT2z73qpigpEoCd56LHCmC+OY=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-3393524a-cd23-4a9b-8dde-01bf7d124715-67"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_0">
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestedTokenCancelled></t:RequestedTokenCancelled>
</t:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
相关文章推荐
- 【WCF】使用数字证书加密通讯
- 使用数字证书技术来保证WCF传输中的数据加密
- WCF使用证书与加密
- .NET中RSA使用数字证书加密解密
- 使用X.509数字证书加密解密实务(一)-- 证书的获得和管理
- 使用X.509数字证书加密解密实务(三)-- 使用RSA证书结合对称加密技术加密长数据
- 使用X.509数字证书加密解密实务(二)-- 使用RSA证书加密敏感数据
- 使用X.509数字证书加密解密实务(三)-- 使用RSA证书结合对称加密技术加密长数据
- 使用X.509数字证书加密解密实务(一)-- 证书的获得和管理(转)
- 使用X.509数字证书加密解密实务(一)-- 证书的获得和管理
- .NET中使用数字证书用RSA算法对数据进行加密和签名
- WCF开发框架之证书加密使用说明书
- 使用X.509数字证书加密解密实务(一)-- 证书的获得和管理(转)
- 使用X.509数字证书加密解密实务(二)-- 使用RSA证书加密敏感数据
- 使用X.509数字证书加密解密实务(二)-- 使用RSA证书
- 使用X.509数字证书加密解密实务(一)-- 证书的获得和管理 (转)
- WCF使用安全证书验证消息加密
- 使用X.509数字证书加密解密实务(二)-- 使用RSA证书加密敏感数据(转)
- WCF 使用证书加密
- 使用X.509数字证书加密解密实务(二)-- 使用RSA证书加密敏感数据