
I'm trying to understand how client authentication works in an HTTPS scenario and how it can be used to provide basic authentication/authorization functionality.

Suppose I want to create a mapping between certificates and users (e.g. IPrincipal). My server issues certificates and distributes them to clients. When a client connects, I request a certificate, and if a valid one is presented, I authenticate the user according to the previously defined mapping.

What should I use to create the mapping? Is the certificate thumbprint a good candidate? Is it sufficient to establish the client's identity?

Or maybe I don't need a mapping at all and can simply accept every certificate issued by my server?

Edit: let me rephrase - assuming I can issue client certificates, how do I verify the client's identity during an HTTPS session?


3 Answers


A lot of what you're asking depends greatly on what your existing cert infrastructure looks like. For security reasons I would highly suggest identifying the specific user via a mapping. If you've gone as far as to distribute certs for user auth, there's probably something worth securing. Any authorization or auditing you need should be per user. The best way is to use the cert CN (common name). The thumbprint will identify a specific cert, but what happens when the cert expires? This of course means that when you issue certs the CN is controlled and will relate to a specific person. I've found using the email address to be very reliable, because you can create a validation routine by sending them confirmation emails. You can also enforce some uniqueness with the email address.

The hard part is distributing certs and getting IIS to ask the client for certs so your ASP.NET app can gain access to its information. Once you have that, all your requests will have something in Request.ClientCertificate which has all the details of their cert you'd need to authenticate them.

answered 2012-10-23T15:21:50.777

I'm assuming you are using the .NET Framework. You may try to use the HttpRequest.ClientCertificate property. Certificate validation is already done by ASP.NET; you just need to check the IsValid property. The rest of the validation is mapping certificates to users.

If all certificates are issued by the same CA you can use the certificate serial number. If not, include the HttpClientCertificate.Issuer property together with the serial number.

The thumbprint is hard to use later if you need to do some debugging.

answered 2012-10-23T15:22:23.853

Your question has 2 different parts:

1) How do I verify that a client certificate was issued by me and is in good standing?

The very general answer is that you validate its chain against a trusted root certificate. For example, you can read about it here:

http://msdn.microsoft.com/en-us/library/windows/desktop/dd407310(v=vs.85).aspx

http://www.openssl.org/docs/apps/verify.html

http://www.cryptosys.net/pki/x509_validatechain.html

In most cases you don't have to write any code to do this. You just need to install (for example) Apache in front of your web server. Apache can be configured to request client certificates and validate them against trusted certificates.

2) How do I map a certificate to a user?

If you're looking for the common way this is done, you should use the Subject Alternative Name attribute in the certificate to store the principal name. That is the most common way, used by multiple providers.

Here are some interesting Windows-related links:

http://technet.microsoft.com/en-us/library/cc736706(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc736781(WS.10).aspx

But in general you can use any unique thing in the certificate for the mapping.

answered 2012-10-23T15:26:58.267
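The three answers above describe the same pipeline from different angles: verify the presented certificate chains to your own root (answer 3), then map it to a user by a field the CA controlled at issuance, whether CN/e-mail (answer 1), issuer plus serial (answer 2) or a SAN (answer 3). The following is a worked example written for this page, not code from any of the answers or from .NET; it uses Go's standard x509 package because it can issue, verify and inspect certificates offline. The CA names, the e-mail address alice@example.com and the serial numbers are made up for the demo. It issues a client certificate, "renews" it (new key, new serial, same person), and shows that the thumbprint and the issuer+serial pair change on renewal while the SAN e-mail does not, and that a certificate with the identical subject from an untrusted CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Identity is the mapping result: Principal names the person (stable across
// renewals); Issuer+Serial name this particular certificate (per-cert key).
type Identity struct {
	Principal, Issuer, Serial string
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA standing in for the server's real PKI (demo assumption).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueClientCert issues a client-auth cert carrying the user's e-mail as both
// subject CN and SAN rfc822Name. A fresh key and serial per call is what a renewal does.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// thumbprint hashes the DER bytes (.NET's Thumbprint is SHA-1 of the same bytes).
func thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// authenticate is the step Apache/IIS do for you (chain to a trusted root, validity
// period, client-auth EKU) plus the mapping the application still has to do.
// Caveat: x509 Verify does not check revocation; CRL/OCSP must be layered on separately.
func authenticate(roots *x509.CertPool, presented *x509.Certificate) (Identity, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return Identity{}, fmt.Errorf("client cert rejected: %w", err)
	}
	// Exactly one SAN e-mail: the CA set it, and a cert must not claim two principals.
	if len(presented.EmailAddresses) != 1 {
		return Identity{}, fmt.Errorf("client cert must carry exactly one SAN e-mail")
	}
	return Identity{
		Principal: presented.EmailAddresses[0],
		Issuer:    presented.Issuer.CommonName,
		Serial:    presented.SerialNumber.String(),
	}, nil
}

func main() {
	ca, caKey := newCA("Example Internal CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range []*x509.Certificate{
		issueClientCert(ca, caKey, "alice@example.com", 1001),
		issueClientCert(ca, caKey, "alice@example.com", 1002), // renewal: same person, new cert
	} {
		id, err := authenticate(roots, c)
		fmt.Printf("thumbprint=%s.. principal=%s serial=%s err=%v\n", thumbprint(c)[:12], id.Principal, id.Serial, err)
	}
	rogue, rogueKey := newCA("Rogue CA")
	_, err := authenticate(roots, issueClientCert(rogue, rogueKey, "alice@example.com", 1001))
	fmt.Println("same subject from untrusted CA:", err)
}
```

Two things the output makes concrete. First, every identifier bound to the certificate bytes (thumbprint, serial, issuer+serial) is a per-certificate key: fine for audit logs and revocation lists, but a user-to-cert table keyed on it has to be updated at every renewal, which is the expiry problem answer 1 raises. The SAN (or CN) survives renewal because the CA writes it, so key the user mapping on that and store the serial only as an attribute. Second, the chain check is what stops a forged certificate with a matching subject; in Apache that check is `SSLVerifyClient require` with `SSLCACertificateFile` pointing at your root, and in ASP.NET the same verified certificate then arrives in `Request.ClientCertificate` as the answers describe.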