开发者

Using client certificate not in certificate store

开发者 https://www.devze.com 2022-12-09 15:04 出处:网络
I\'m trying to authenticate myself against WebService using my client certificate, but, for some reasons (I explain), I don\'t want to load certificate from store, rather read it from disc.

I'm trying to authenticate myself against WebService using my client certificate, but, for some reasons (I explain), I don't want to load certificate from store, rather read it from disc.

The following:

// gw is teh WebService client
X509Certificate cert = new X509Certificate(PathToCertificate);
_gw.ClientCertificates.Add(ClientCertificate());
ServicePointManager.ServerCertificateValidationCallback = (a,b,c,d) => true;
_gw.DoSomeCall();

returns always 403 - the Service doesn't authorize me. But, when I save that certificate into CertStore, it works. (As stated in MSDN.)

Is it possibl开发者_高级运维e to use certificate not in store?

(the reason is, that I got windows service(client) sometimes calling webservice(server), and after unspecified amount of time the service 'forgets' my certificates and doesnt authorize against server, with no apparent reason)


What type of file is PathToCertificate? If it's just a .cer file, it will not contain the private key for the certificate and trying to use that certificate for SSL/TLS will fail.

However, if you have a PKCS7 or PKCS12 file that includes the public and private key for the certificate, your code will work (you might need to use the overload that takes a password if the private key has one).

To test this, I went to http://www.mono-project.com/UsingClientCertificatesWithXSP and created my client.p12 file following those instructions. I also created a simple HTTPS server using HttpListener for testing.

Then I compiled the following program into 'client.exe' and run like:

 client.exe https://<MYSSLSERVER>/ client.p12 password

where client.p12 is the PKCS12 file generated before and 'password' is the password I set for the private key of the certificate.

using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public class HttpWebRequestClientCertificateTest : ICertificatePolicy {

    public bool CheckValidationResult (ServicePoint sp, X509Certificate certificate,
            WebRequest request, int error)
    {
            return true; // server certificate's CA is not known to windows.
    }

    static void Main (string[] args)
    {
            string host = "https://localhost:1234/";
            if (args.Length > 0)
                    host = args[0];

            X509Certificate2 certificate = null;
            if (args.Length > 1) {
                    string password = null;
                    if (args.Length > 2)
                            password = args [2];
                    certificate = new X509Certificate2 (args[1], password);
            }

            ServicePointManager.CertificatePolicy = new HttpWebRequestClientCertificateTest ();

            HttpWebRequest req = (HttpWebRequest) WebRequest.Create (host);
            if (certificate != null)
                    req.ClientCertificates.Add (certificate);

            WebResponse resp = req.GetResponse ();
            Stream stream = resp.GetResponseStream ();
            StreamReader sr = new StreamReader (stream, Encoding.UTF8);
            Console.WriteLine (sr.ReadToEnd ());
    }
}

Let me know if you want me to upload the server code and the certificates used on both sides of the test.


The potential problem could be caching of SSL sessions (Schannel cache). Only first request negotiates the SSL handshake. Subsequent requests will use the same session ID and hope that the server accept it. If the server clears the SessionId, the requests will fail with 403 error. To disable local ssl session caching (and force SSL negotiation for each request) you have to open windows registry folder:

[HKEY_LOCAL_MACHINE][System][CurrentControlSet][Control][SecurityProviders][SCHANNEL]

and add the key named ClientCacheTime (DWORD) with value 0.

This issue is covered here:

http://support.microsoft.com/?id=247658


You have the potential for at least two problems...

First...

Your client certificate file cannot contain a private key unless it's accessed with a password. You should be using a PKCS #12 (*.pfx) certificate with a password so that your client has access to the private key. You client code will have to provide the password when opening the certificate as others have already posted. There are several ways to create this, the easiest is to use the following command-line to first generate the certificate, then use the MMC certificate manager to export the certificates private key:

Process p = Process.Start(
    "makecert.exe",
    String.Join(" ", new string[] {
        "-r",//                     Create a self signed certificate
        "-pe",//                    Mark generated private key as exportable
        "-n", "CN=" + myHostName,// Certificate subject X500 name (eg: CN=Fred Dews)
        "-b", "01/01/2000",//       Start of the validity period; default to now.
        "-e", "01/01/2036",//       End of validity period; defaults to 2039
        "-eku",//                   Comma separated enhanced key usage OIDs
        "1.3.6.1.5.5.7.3.1," +//    Server Authentication (1.3.6.1.5.5.7.3.1)
        "1.3.6.1.5.5.7.3.2", //     Client Authentication (1.3.6.1.5.5.7.3.2)
        "-ss", "my",//              Subject's certificate store name that stores the output certificate
        "-sr", "LocalMachine",//    Subject's certificate store location.
        "-sky", "exchange",//       Subject key type <signature|exchange|<integer>>.
        "-sp",//                    Subject's CryptoAPI provider's name
        "Microsoft RSA SChannel Cryptographic Provider",
        "-sy", "12",//              Subject's CryptoAPI provider's type
        myHostName + ".cer"//       [outputCertificateFile]
    })
);

Second...

Your next problem is going to be server-side. The server has to allow this certificate. You have the right logic, but on the wrong side of the wire, move this line to the web server handling the request. If you cannot, you must then take the '.cer' file saved above to the server and add it to the server computer's trust list:

ServicePointManager.ServerCertificateValidationCallback = (a,b,c,d) => true;


Do you need a password for the certificate? If so, there is a field for it in the constructor.

X509Certificate cert = new X509Certificate(PathToCertificate,YourPassword);
0

精彩评论

暂无评论...
验证码 换一张
取 消