提问人:Alberto De Caro 提问时间:6/22/2012 最后编辑:Alberto De Caro 更新时间:6/27/2012 访问量:19208
使用证书身份验证访问 Web 服务和 HTTP 接口
Accessing a web service and a HTTP interface using certificate authentication
问:
这是我第一次使用证书身份验证。 商业合作伙伴公开两个服务,一个 XML Web services 和一个 HTTP 服务。我必须使用 .NET 客户端访问它们。
我尝试过什么
0. 设置环境
我已经使用 certmgr.exe 在我的本地计算机(win 7 专业版)中安装了 SSLCACertificates(在根和两个中间)和客户端证书。
1. 对于 Web 服务
- 我有客户端证书 (der)。
- 该服务将通过 .NET 代理使用。
代码如下:
OrderWSService proxy = new OrderWSService();
string CertFile = "ClientCert_DER.cer";
proxy.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(CertFile));
orderTrackingTO ot = new orderTrackingTO() { order_id = "80", tracking_id = "82", status = stateOrderType.IN_PREPARATION };
resultResponseTO res = proxy.insertOrderTracking(ot);
最后一条语句中报告的异常:。The request failed with an empty response
2. 对于HTTP接口
- 这是一个HTTPS接口,我必须通过POST方法调用。
- HTTPS 请求将使用 HTTPWebRequest 从 .NET 客户端发送。
代码如下:
string PostData = "MyPostData";
//setting the request
HttpWebRequest req;
req = (HttpWebRequest)HttpWebRequest.Create(url);
req.UserAgent = "MyUserAgent";
req.Method = "POST";
req.ContentType = "application/x-www-form-urlencoded";
req.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(CertFile, "MyPassword"));
//setting the request content
byte[] byteArray = Encoding.UTF8.GetBytes(PostData);
Stream dataStream = req.GetRequestStream();
dataStream.Write(byteArray, 0, byteArray.Length);
dataStream.Close();
//obtaining the response
WebResponse res = req.GetResponse();
r = new StreamReader(res.GetResponseStream());
最后一条语句中报告的异常:。The request was aborted: Could not create SSL/TLS secure channel
3.最后一次尝试:使用浏览器
在 Chrome 中,安装证书后,如果我尝试访问这两个 URL,我会收到 107 错误:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR)
我被困住了。
答:
7赞
David Martin
6/27/2012
#1
以下内容应该可以帮助您确定问题,以下是测试SSL连接的两种方法:一种是测试站点,另一种是回调方法,用于确定SSL失败的原因。如果不出意外,它应该让你更好地了解它失败的原因。
调用该方法时,它将弹出“选择证书”对话框,显然,当您真正执行此操作时,您将希望自动从证书存储中读取。我之所以放这个,是因为如果没有找到有效的证书,那么你就会知道你的问题出在证书的安装方式上。
最好的办法是将此代码放在一个简单的控制台应用中:
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
using System.Net;
private static void CheckSite(string url, string method)
{
X509Certificate2 cert = null;
ServicePointManager.ServerCertificateValidationCallback += ValidateRemoteCertificate;
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection certcollection = (X509Certificate2Collection)store.Certificates;
// pick a certificate from the store
cert = X509Certificate2UI.SelectFromCollection(certcollection,
"Caption",
"Message", X509SelectionFlag.SingleSelection)[0];
store.Close();
HttpWebRequest ws = (HttpWebRequest)WebRequest.Create(url);
ws.Credentials = CredentialCache.DefaultCredentials;
ws.Method = method;
if (cert != null)
ws.ClientCertificates.Add(cert);
using (HttpWebResponse webResponse = (HttpWebResponse)ws.GetResponse())
{
using (Stream responseStream = webResponse.GetResponseStream())
{
using (StreamReader responseStreamReader = new StreamReader(responseStream, true))
{
string response = responseStreamReader.ReadToEnd();
Console.WriteLine(response);
responseStreamReader.Close();
}
responseStream.Close();
}
webResponse.Close();
}
}
/// <summary>
/// Certificate validation callback.
/// </summary>
private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
{
// If the certificate is a valid, signed certificate, return true.
if (error == System.Net.Security.SslPolicyErrors.None)
{
return true;
}
Console.WriteLine("X509Certificate [{0}] Policy Error: '{1}'",
cert.Subject,
error.ToString());
return false;
}
评论