在基于互联网的wcf服务中,安全是非常重要的一环,在wcf中有着很多的安全模式,本次考虑在一个极限的服务器环境(比如虚拟主机)中配置使用证书文件配置自定义X509证书验证的消息安全模式。由于一般在这样的极限环境下,很难实现基于SSL的传输安全,因此我们考虑部署消息安全,同时服务器和客户端相互认证均使用X509证书。

    首先我们创建两个证书,Microsoft Visual Studio 2008-->Visual Studio Tools-->Visual Studio 2008 命令提示行,进入控制台,然后分别创建服务器证书和客户端证书,如下:

makecert -r -pe -n "CN=TestServer" -e 08/10/2020 -sky exchange -ss mymakecert -r -pe -n "CN=TestClient" -e 08/10/2020 -sky exchange -ss my

执行之后如图:

    然后进入证书管理将两个证书分别导出,导出的时候每个证书导出两次,分别导出为包含私钥的pfx文件和不包含私钥的cer文件,这样我们得到4个证书文件,我们命名为:TestServer.pfx,TestServer.cer,TestClient.pfx,TestClient.cer。

   这部分如下图:

    下面创建wcf服务端程序,

    由于使用自定义证书认证,我们需要提供服务器端和客户端的认证程序,服务器端认证程序如下:

    public class ServiceX509CertificateValidator : X509CertificateValidator {
        public override void Validate(X509Certificate2 certificate) {
            string path = HostingEnvironment.MapPath(WebConfig.ClientCertificate);
            if (!File.Exists(path)) {
                throw new FileNotFoundException(Path.GetFileName(path));
            }
            X509Certificate2 clientCertificate = new X509Certificate2(path);
            //This is the Client  Certificate Thumbprint,In Production,We can validate the Certificate With CA
            if (!certificate.Thumbprint.Equals(clientCertificate.Thumbprint, StringComparison.CurrentCultureIgnoreCase)) {
                throw new SecurityTokenException("Unknown Certificate");
            }
        }
    }

客户端认证程序如下:

    public class ClientX509CertificateValidator : X509CertificateValidator {
        public override void Validate(X509Certificate2 certificate) {
            //throw new NotImplementedException();
            if (certificate == null) {
                throw new ArgumentNullException("certificate");
            }
            string path = Path.GetFullPath(WebConfig.ServiceCertificate);
            if (!File.Exists(path)) {
                throw new FileNotFoundException(Path.GetFileName(path));
            }
            X509Certificate2 clientCertificate = new X509Certificate2(path);
            //This is the Client  Certificate Thumbprint,In Production,We can validate the Certificate With CA
            if (!certificate.Thumbprint.Equals(clientCertificate.Thumbprint, StringComparison.CurrentCultureIgnoreCase)) {
                throw new SecurityTokenException("Unknown Certificate");
            }
        }
    }

  这两个程序都是对证书的指纹进行验证。

  下面开始对服务器端进行配置,首先建立新的Binding配置:

    <bindings>
      <wsHttpBinding>
        <binding name="TestHttpBinding">
          <security mode="Message">
            <transport clientCredentialType="None"/>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

  然后修改Behavior配置:

      <serviceBehaviors>
        <behavior name="SecurityWcf.Service.TestServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="Custom" customCertificateValidatorType="SecurityWcf.Core.ServiceX509CertificateValidator, SecurityWcf.Core"/>
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>

  最后将在当前测试服务加入binding配置

<endpoint address="" binding="wsHttpBinding" contract="SecurityWcf.Service.ITestService" bindingConfiguration="TestHttpBinding">

   按照正常情况,程序需要配置服务器端证书,然而本文中由于采用了文件方式配置,因此必须使用程度动态处理,因此,我们创建了自己的ServiceHost,程序如下:

    public class WcfServiceHostFactory : ServiceHostFactory {
        public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses) {
            ServiceHostBase host;
            Uri baseUri;
            if (!String.IsNullOrEmpty(WebConfig.ServiceUri) &&
                Uri.TryCreate(WebConfig.ServiceUri, UriKind.RelativeOrAbsolute, out baseUri)) {
                host = base.CreateServiceHost(constructorString, new Uri[] { baseUri });
            } else {
                host = base.CreateServiceHost(constructorString, baseAddresses);
            }
            if (WebConfig.EnableServiceCertificate) {
                string path = System.Web.Hosting.HostingEnvironment.MapPath(WebConfig.ServiceCertificate);
                if (!File.Exists(path)) {
                    throw new FileNotFoundException(WebConfig.ServiceCertificate);
                }
                host.Credentials.ServiceCertificate.Certificate =
                    new X509Certificate2(path, WebConfig.ServiceCertificatePassword, X509KeyStorageFlags.MachineKeySet);
            }
            return host;
        }
    }

    这部分将根据配置文件自动在服务中加入证书支持,为了使用该部分,需要修改服务的svc文件,在头部配置上该ServiceHost,如下:

<%@ ServiceHost Language="C#" Debug="true" Service="SecurityWcf.Service.TestService" Factory="SecurityWcf.Core.WcfServiceHostFactory, SecurityWcf.Core" CodeBehind="TestService.svc.cs" %>

    然后在web.config中配置好证书路径,在服务器端,需要用到TestServer.pfx和TestClient.cer。这部分配置文件如下:

  <appSettings>
    <add key="ServiceCertificate" value="~/config/TestServer.pfx"/>
    <add key="ServiceCertificatePassword" value="123456"/>
    <add key="EnableServiceCertificate" value="true"/>
    <add key="ClientCertificate" value="~/config/TestClient.cer"/>
  </appSettings>

    运行服务,如果没有错误提示,说明服务端已经成功运行,如图:

    下面开始创建客户端程序,按照页面提示,我们来到vs command,执行svcutil.exe http://localhost:2674/TestService.svc?wsdl

   这样我们可以得到客户端源码,加入到客户端程序中,并将同时生成的output.config中的数据复制到项目中的app.config中。为了使用安全措施,必须在该文件中心在behavior部分,该部分如下:

    <behaviors>
      <endpointBehaviors>
        <behavior name="TestClientBehavior">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="Custom" customCertificateValidatorType="SecurityWcf.Core.ClientX509CertificateValidator, SecurityWcf.Core"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

    然后在客户端配置该behavior。客户端就可以使用证书验证了,在客户端程序中,我们创建一个factory类,创建连接对象,代码如下:

    public static class ServerClientFactory {
        public static TestServiceClient CreateServerClient(string password) {
            TestServiceClient client = new TestServiceClient();
            string path = System.IO.Path.GetFullPath("config/TestClient.pfx");
            client.ClientCredentials.ClientCertificate.Certificate
                = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet);
            return client;
        }
    }

    这样,我们就可以方便的使用连接对象了。测试主程序如下:

    class Program {
        static void Main(string[] args) {
            using (var context = ServerClientFactory.CreateServerClient("123456")) {
                Console.WriteLine(context.GetSystemString());
            }
        }
    }

    执行,得到测试结果,如图所示:

    这样,我们成功配置了使用证书文件的基于X509消息安全的wcf,最后给出整个测试项目下载:
下载文件点击下载此文件

posted on 2010-10-24 15:34  Leven  阅读(3150)  评论(5编辑  收藏  举报
CopyRight 2008, Leven's Blog xhtml | css
Leven的个人Blog