
Digital Certificates and Their Use in WCF

2012-05-07 16:59, 204 views

I. Concepts

1. Contents of a certificate

Issuing authority of the certificate

Validity period of the certificate

Certificate owner (Subject)

Algorithm used for the signature

Thumbprint and thumbprint algorithm

Public key

Private key

2. Certificate stores

3. Validity



II. Purpose

1. Strengthen transport security and message integrity

Prevents messages from being read or tampered with

2. Guarantee non-repudiation of the sender



III. Creating, viewing, importing and exporting certificates

1. Run the command “makecert -r -pe -n "CN=MyServer" -ss My -sky exchange” to create the certificate and save it to the certificate store.

2. Run the “mmc” command to open the Microsoft Management Console; certificates are viewed, imported and exported there.

IV. Using X.509 certificates in WCF

WCF service side

1. A digital certificate that includes the private key is required

makecert -r -pe -n "CN=MyServer" -ss My -sky exchange

2. Configure the binding's Security with the credential type “Certificate”

In code

using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public class CustomX509CertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        // Left empty here: a Validate that never throws accepts every client certificate.
        // A real validator must throw SecurityTokenValidationException for any certificate it does not trust.
    }
}

var binding = new NetTcpBinding
{
    Security =
    {
        Mode = SecurityMode.Message,
        Message = { ClientCredentialType = MessageCredentialType.Certificate },
    },
};
host.AddServiceEndpoint(contract, binding, contract.Name);

var serviceBehaviors = new List<IServiceBehavior>();
var serviceCredentials = new ServiceCredentials();
// Set the service's digital certificate (FindBySubjectName is a substring match; the first match is used)
serviceCredentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "MyServer");
// Set the validation mode for client certificates
serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
serviceCredentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator();
serviceBehaviors.Add(serviceCredentials);
foreach (var serviceBehavior in serviceBehaviors)
{
    // Replace any behavior of the same type that is already present (ServiceHost adds a default ServiceCredentials)
    if (host.Description.Behaviors.Contains(serviceBehavior.GetType()))
        host.Description.Behaviors.Remove(serviceBehavior.GetType());
    host.Description.Behaviors.Add(serviceBehavior);
}


WCF client side

1. A digital certificate that includes the private key is required

makecert -r -pe -n "CN=MyClient" -ss My -sky exchange

2. Configure the binding's Security with the credential type “Certificate”

In code

using System;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

static ChannelFactory<T> GetFactory<T>(object callbackObject)
    where T : IServiceContract
{
    // Fetch the client's digital certificate from the current user's Personal store
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    X509Certificate2 cert;
    try
    {
        store.Open(OpenFlags.ReadOnly);
        // validOnly = false also returns expired or untrusted certificates
        var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "MyClient", false);
        if (certs.Count == 0)
            throw new SecurityException("客户端未安装数字证书");
        cert = certs[0];
    }
    finally
    {
        store.Close();
    }

    var binding = new NetTcpBinding(Properties.Settings.Default.BindingConfigurationName);
    var address = new EndpointAddress(
        new Uri(string.Format("{0}/{1}", Properties.Settings.Default.EndpointAddress, typeof(T).Name))
        // Uncomment to require the service certificate's subject to match "MyServer"
        //, EndpointIdentity.CreateDnsIdentity("MyServer")
    );

    var factory = (callbackObject == null)
        ? new ChannelFactory<T>(binding, address)
        : new DuplexChannelFactory<T>(callbackObject, binding, address);
    var cc = factory.Endpoint.Behaviors.Find<ClientCredentials>();
    cc.ClientCertificate.Certificate = cert;
    // None disables validation of the service certificate entirely (any certificate is accepted, self-signed included);
    // use ChainTrust, PeerTrust or a custom validator outside of development
    cc.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    return factory;
}
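Two places above leave certificates unchecked: the service's CustomX509CertificateValidator has an empty Validate, and the client sets CertificateValidationMode to None. The following is an added example, not code from the original post, of one validator that pins trusted SHA-1 thumbprints and rejects expired certificates, wired into both sides through ServiceHost.Credentials and ChannelFactory.Credentials; the class names and the thumbprint parameters are assumptions, and the methods must be called before the host or factory is opened.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not the post's code): accepts only certificates whose thumbprint is on an
// explicit allow list and which are currently within their validity period.
public sealed class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly HashSet<string> _trusted;
    public PinnedThumbprintValidator(IEnumerable<string> trustedThumbprints)
    {
        _trusted = new HashSet<string>(trustedThumbprints, StringComparer.OrdinalIgnoreCase);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        var now = DateTime.Now;   // NotBefore/NotAfter are exposed in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Certificate is outside its validity period.");
        // The thumbprint hashes the whole certificate, so a match pins that exact certificate
        if (!_trusted.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Untrusted certificate: " + certificate.Thumbprint);
        // Returning without throwing means the certificate is accepted
    }
}

public static class PinnedCertificateSetup
{
    // Service side: select the service certificate by exact thumbprint (FindBySubjectName is only a
    // substring match) and validate client certificates with the pinned validator.
    public static void ConfigureServer(ServiceHost host, string serviceThumbprint, string clientThumbprint)
    {
        var creds = host.Credentials;
        creds.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, serviceThumbprint);
        creds.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
        creds.ClientCertificate.Authentication.CustomCertificateValidator = new PinnedThumbprintValidator(new[] { clientThumbprint });
    }

    // Client side: replaces CertificateValidationMode.None with pinning of the service certificate.
    public static void ConfigureClient<T>(ChannelFactory<T> factory, string serviceThumbprint)
    {
        var cc = factory.Credentials;
        cc.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
        cc.ServiceCertificate.Authentication.CustomCertificateValidator = new PinnedThumbprintValidator(new[] { serviceThumbprint });
    }
}
```

The thumbprint strings are the hex values shown in the certificate's Details tab in mmc, without spaces.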


In configuration

<bindings>
  <netTcpBinding>
    <binding name="NetTcpBinding">
      <security mode="Message">
        <message clientCredentialType="Certificate" algorithmSuite="Default" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>




                                            
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: