如何解决以 .cer 格式发送客户端证书的问题
第三方将每天使用 .cer 格式的证书把一些 XML 文件发送到我的端点,我随后用 FromBody 从请求中读取数据,并把文件保存到服务器上的目录中。我准备了一个使用客户端证书身份验证的应用程序,并配置了 IIS 使用客户端证书映射到用户。
以下是我的设置。当我用 Postman 以 .pfx 格式的证书向端点发送请求时,一切正常(本地和生产环境都是),但当我尝试用 .cer 格式的证书发送请求时就会失败。我该如何准备使用 .cer 格式证书的请求?谁能帮帮我,或者为我指明正确的方向! :)
Startup.cs
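/// <summary>
/// Registers application services and sets up certificate authentication: every request must
/// present a client certificate, and the certificate is accepted only if
/// <see cref="MyCertificateValidationService"/> approves it.
/// </summary>
/// <param name="services">The host's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddSingleton<MyCertificateValidationService>();
    services.AddScoped<IDespatch, DespatchRepo>();

    services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
        .AddCertificate(options => // code from ASP.NET Core sample
        {
            // https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth
            // All certificate types (including self-signed) are accepted at this layer; trust is
            // decided by the thumbprint allow-list in MyCertificateValidationService, not by chain building.
            options.AllowedCertificateTypes = CertificateTypes.All;
            // Revocation is not checked: a revoked certificate whose thumbprint is still pinned
            // keeps being accepted until it is removed from the allow-list.
            options.RevocationMode = X509RevocationMode.NoCheck;
            options.Events = new CertificateAuthenticationEvents
            {
                OnCertificateValidated = context =>
                {
                    // GetRequiredService: a missing registration surfaces as a clear
                    // InvalidOperationException instead of the NullReferenceException that
                    // GetService() followed by a call would produce.
                    var validationService = context.HttpContext.RequestServices
                        .GetRequiredService<MyCertificateValidationService>();

                    if (!validationService.ValidateCertificate(context.ClientCertificate))
                    {
                        context.Fail("invalid cert");
                        return Task.CompletedTask;
                    }

                    var claims = new[]
                    {
                        new Claim(ClaimTypes.NameIdentifier, context.ClientCertificate.Subject, ClaimValueTypes.String, context.Options.ClaimsIssuer),
                        // The Name claim carries the certificate subject. The original passed
                        // context.Options.ClaimsIssuer as the claim *value*; that property is null
                        // unless configured, and the Claim constructor throws on a null value.
                        new Claim(ClaimTypes.Name, context.ClientCertificate.Subject, ClaimValueTypes.String, context.Options.ClaimsIssuer),
                    };
                    context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name));
                    context.Success();
                    return Task.CompletedTask;
                },
            };
        });

    services.AddAuthorization();
    services.AddControllers().AddXmlSerializerFormatters();
}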
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
/// <summary>
/// Builds the HTTP request pipeline. The middleware order is significant: routing must run
/// before authentication and authorization, and all three before the endpoints.
/// </summary>
/// <param name="app">Pipeline builder supplied by the host.</param>
/// <param name="env">Hosting environment; selects the development or production error handling.</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (!env.IsDevelopment())
    {
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }
    else
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();
    app.UseRouting();
    // NOTE(review): left disabled as in the original. If a proxy in front of this app
    // terminates TLS, the client certificate only arrives via a forwarded header and this
    // middleware (with its header options) becomes necessary — confirm against the deployment.
    //app.UseCertificateForwarding();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(endpoints => endpoints.MapControllers());
}
MyCertificateValidationService.cs —— 在 Startup 类的 OnCertificateValidated 中使用
在这里我有点困惑:我认为验证失败是因为我以 .cer 格式(Base-64)发送客户端证书,而我觉得应该先进行某种转换。如何提取证书并取得其指纹,然后再与服务器证书指纹相匹配?
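/// <summary>
/// Decides whether a presented client certificate is trusted by comparing its thumbprint
/// against a fixed allow-list (certificate pinning). Called from the certificate
/// authentication OnCertificateValidated event.
/// </summary>
public class MyCertificateValidationService
{
    // Pinned thumbprints as exposed by X509Certificate2.Thumbprint (SHA-1 of the DER encoding,
    // 40 upper-case hex digits). The set is case-insensitive so an entry typed in lower case
    // still matches; .NET always produces upper-case, so accepted certificates are unchanged.
    private static readonly HashSet<string> s_validThumbprints = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "CBF52D037D4CF0401F8EC8260C6382520D60EDD3",
        "BEE026E73A64D58943A66451D94389FA466169A4",
        "70D38240A71DD2882B4103E703F94D0B22285B0D", // valid but incorrect DNS
        "ABF302B616CDEED10C53EA2C0E07CA1616814C68",
    };

    /// <summary>Returns whether the certificate's thumbprint is on the allow-list.</summary>
    /// <param name="clientCertificate">The certificate presented in the TLS handshake; may be null.</param>
    /// <returns>true when the thumbprint is pinned; false for an unknown or null certificate. Never throws.</returns>
    public bool ValidateCertificate(X509Certificate2 clientCertificate)
    {
        return CheckIfThumbprintIsValid(clientCertificate);
    }

    /// <summary>Allow-list lookup; a null certificate is treated as not valid.</summary>
    private bool CheckIfThumbprintIsValid(X509Certificate2 clientCertificate)
    {
        // The original dereferenced a null certificate (NullReferenceException -> 500 response);
        // answering false lets the authentication event fail the request cleanly instead.
        if (clientCertificate is null)
        {
            return false;
        }

        return s_validThumbprints.Contains(clientCertificate.Thumbprint);
    }
}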
Program.cs
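/// <summary>Application entry point: builds the generic host and runs it until shutdown.</summary>
/// <param name="args">Command-line arguments forwarded to the host builder.</param>
/// <returns>The process exit code; 0 once the host has stopped.</returns>
public static int Main(string[] args)
{
    CreateHostBuilder(args).Build().Run();
    // The original declared a return type of int but returned nothing, which does not compile.
    return 0;
}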
/// <summary>
/// Creates the generic host with Kestrel serving TLS from the local cert.pfx and requiring a
/// client certificate on every connection.
/// </summary>
/// <param name="args">Command-line arguments forwarded to the default host builder.</param>
/// <returns>An <see cref="IHostBuilder"/> ready to be built and run.</returns>
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            // NOTE(review): the PFX password is a secret checked into source; reading it from
            // configuration (user secrets, environment) would keep it out of the repository.
            var serverCertificate = new X509Certificate2(Path.Combine("cert.pfx"), "pfxpassword");

            webBuilder
                .UseStartup<Startup>()
                .ConfigureKestrel(kestrel =>
                {
                    // Removes Kestrel's minimum request-body data rate, so a slow or stalled
                    // upload is never aborted and holds its connection open for as long as it likes.
                    kestrel.Limits.MinRequestBodyDataRate = null;
                    kestrel.ConfigureHttpsDefaults(https =>
                    {
                        https.ServerCertificate = serverCertificate;
                        // The handshake requires the client to prove possession of its private key.
                        // A .cer file carries only the public certificate, so a client holding
                        // nothing but the .cer cannot complete client authentication.
                        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
                    });
                });
        });
端点
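/// <summary>
/// Receives a despatch advice as XML and writes it to the file path chosen by the despatch repository.
/// </summary>
/// <param name="despatches">The deserialized request body; null when no body was bound.</param>
/// <returns>
/// 200 (with the literal body 200, kept from the original) on success; 400 when no body was bound;
/// 500 when serialization or the file write fails.
/// </returns>
[Consumes("application/xml")]
[Produces("application/xml")]
[ProducesResponseType(typeof(DespatchAdvice), (int)HttpStatusCode.OK)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[ProducesResponseType(StatusCodes.Status500InternalServerError)]
[ProducesDefaultResponseType]
[HttpPost("SendDespatch")]
public IActionResult SendDespatch([FromBody] DespatchAdvice despatches)
{
    // A missing body is a client error (400, as declared above), not a missing resource (404).
    if (despatches == null)
    {
        return BadRequest();
    }

    try
    {
        _despatch.Serializer(out XmlSerializer writer, out string path);

        // The using block disposes and therefore closes the stream; an explicit Close() is redundant.
        using (FileStream file = System.IO.File.Create(path))
        {
            writer.Serialize(file, despatches);
        }

        return Ok(200);
    }
    catch (Exception)
    {
        // Do not echo the exception message to the caller: it can carry the server-side file
        // path or serializer internals. A failure here is a server fault, so answer 500, not 400.
        // TODO: log the exception through the controller's logger once one is injected.
        return StatusCode(StatusCodes.Status500InternalServerError);
    }
}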