0

你好,

我正在尝试使用 WCF 进行一些身份验证:

  • 使用用户名/密码验证用户
  • 使用客户端证书对客户端进行身份验证
  • 自定义接受哪些根证书

经过反复试验,我设法使第 1 点和第 2 点工作,但我被困在第 3 点。这是我的服务配置

<system.serviceModel>
    <behaviors>
        <endpointBehaviors />
        <serviceBehaviors>
            <behavior name="MyBehavior">
                <serviceCredentials>
                    <userNameAuthentication userNamePasswordValidationMode="Custom"
                                            customUserNamePasswordValidatorType="WcfService1.CustomValidator, WcfService1" />
                </serviceCredentials>                    
                <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <bindings>
        <customBinding>
            <binding name="certificate">
                <security authenticationMode="UserNameOverTransport" />
                <textMessageEncoding messageVersion="Soap12WSAddressing10" />
                <httpsTransport requireClientCertificate="true" />
            </binding>
        </customBinding>
    </bindings>
    <services>
        <service behaviorConfiguration="MyBehavior" name="WcfService1.Service1">
            <endpoint address="" binding="customBinding" bindingConfiguration="certificate"
                      contract="WcfService1.IService1" />
        </service>
    </services>
</system.serviceModel>

这是我的客户端配置

    <client>
        <endpoint name="service1" address="https://localhost:443/WcfService1/Service1.svc" binding="customBinding"
                  bindingConfiguration="certificate" behaviorConfiguration="certificate" contract="WcfService1.IService1" />
    </client>
    <behaviors>
        <endpointBehaviors>
            <behavior name="certificate">
                <clientCredentials>
                    <clientCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName"
                                       findValue="SignedByCA" />
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
        <serviceBehaviors />
    </behaviors>
    <bindings>
        <customBinding>
            <binding name="certificate">
                <security authenticationMode="UserNameOverTransport" />
                <textMessageEncoding messageVersion="Soap12WSAddressing10" />
                <httpsTransport requireClientCertificate="true" />
            </binding>
        </customBinding>
    </bindings>

使用客户端并附加用户名凭据效果很好

var channelFactory = new ChannelFactory<IService1>("service1");
var user = channelFactory.Credentials.UserName;
user.UserName = username;
user.Password = password;

使用 OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets 可以让我访问用户名以及证书的名称和指纹。可悲的是,我找不到证书的颁发者名称。我还能如何禁止没有某个根证书颁发的证书的客户端?

非常欢迎任何提示我正确方向或任何替代方案的提示;)

谢谢

4

1 回答 1

0

实际上,这很容易,但是 hack。授权上下文中有一个身份列表。

OperationContext.Current.ServiceSecurityContext
.AuthorizationContext.Properties["Identities"]

其中之一是 X509Identity 类型。那个是 System.IdentityModel 内部的,你不能直接得到它。

identity.GetType().Name == "X509Identity"

这并不重要,因为包含证书的字段是私有的,无论如何:)

var field = identity.GetType().GetField(
    "certificate", 
    BindingFlags.GetField | BindingFlags.Instance | BindingFlags.NonPublic);
var certificate = (X509Certificate2) field.GetValue(identity);
string issuer = certificate.Issuer;
于 2012-08-15T14:59:34.217 回答