1

我在配置我的 asp.net Web api 服务以通过客户端证书对请求进行身份验证时遇到问题

我执行 Pro ASP.NET Web Api Security 中描述的步骤:

  1. 我使用 makecert.exe 创建证书 makecert.exe -r -n "CN=MobileTradeDataGateway" -pe -sv MobileTradeDataGateway.pvk -a sha256 -cy authority MobileTradeDataGateway.cermakecert.exe -iv MobileTradeDataGateway.pvk -ic MobileTradeDataGateway.cer -n "CN=DataGateway1" -pe -sv DataGateway1.pvk -a sha256 -sky exchange DataGateway1.cer -eku 1.3.6.1.5.5.7.3.2
  2. 我在服务器受信任的根证书颁发机构和客户端中安装了 MobileTradeDataGateway 证书。在客户端个人权限中安装 DataGateway1。
  3. 将站点配置为接受证书并启用。启用匿名身份验证。
  4. 创建 DelegatingHandler 并将其添加到 mvc 中的 messagehandlers 集合以检查证书。

  5. 调用web api方法

    var certStore = new X509Store(StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); var collection = certStore.Certificates.Find(X509FindType.FindByIssuerName, "MobileTradeDataGateway", true); var cert = 集合[0]; certStore.Close(); var messageHandler = new WebRequestHandler(); messageHandler.ClientCertificates.Add(cert); var client = new HttpClient(messageHandler) { BaseAddress = new Uri("...") }; var res = client.GetAsync("/api/orderuploader?number=5").Result;

.

在我的机器是服务器的本地机器和网络中一切正常。但是当我将它部署到天蓝色云服务 var cert = request.GetClientCertificate(); // here is null 时,我的自定义委托处理程序中会出现 null

当然,我使 IIS 能够接受证书并正确地将证书放入受信任的根证书颁发机构

有任何想法吗?

4

3 回答 3

0

这是我的 web api 委托处理程序的代码

public class X509ClientCertificateHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            WebApiEventSource.Log.InvalidHttpsScheme();
            return request.CreateResponse(HttpStatusCode.Forbidden);
        }
        var cert = request.GetClientCertificate(); // here is null!!!
        if (cert == null)
        {
            WebApiEventSource.Log.FailureAuthenticate("certificate is abcent", "", "");
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        var chain =new X509Chain {ChainPolicy = {RevocationMode = X509RevocationMode.NoCheck}};
        if (chain.Build(cert) && cert.Issuer.Equals("CN=MobileTradeDataGateway"))
        {
            var claims = new List<Claim>
                {
                    new Claim(ClaimTypes.Name, cert.Subject.Substring(3))
                };
            var principal = new ClaimsPrincipal(new[] {new ClaimsIdentity(claims, "X509")});
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
                HttpContext.Current.User = principal;
            WebApiEventSource.Log.SuccessAuthenticate(cert.SubjectName.Name);
            return await base.SendAsync(request, cancellationToken);
        }
        WebApiEventSource.Log.FailureAuthenticate("certificate is incorrect", cert.IssuerName.Name, cert.SubjectName.Name);
        return request.CreateResponse(HttpStatusCode.Unauthorized);
    }
}
于 2013-08-09T05:21:57.357 回答
0

您是否也尝试过通过“指纹”获取您的证书。这是一个尝试从证书存储中读取证书的示例代码。

private X509Certificate2 FindCertificate()
{
    X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certificateStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificates = certificateStore.Certificates;
    X509Certificate2Collection matchingCertificates = certificates.Find(X509FindType.FindByThumbprint, "CertThumbprint", false);
    if (matchingCertificates != null && matchingCertificates.Count > 0)
    {
        return matchingCertificates[0];
    }
    throw new ArgumentException("Unable to find a matching certificate in the certificate store. Please modify the search criteria.");
}

链接包含有关如何从 web /worker 角色读取证书的更多信息

于 2013-08-05T19:31:10.687 回答
0

我认为您错过了将证书上传到 Azure 门户。请确保将 .cer 或 .pfx 证书上传到 Azure 门户。如果您需要有关如何上传等方面的帮助,请告诉我。

于 2014-05-22T12:35:11.520 回答