如何禁用用于验证消息签名的x509证书的验证?
[英]How do I disable validation of the x509 certificate used to validate a message signature?
问题描述
I have a client that calls an API that signs its response messages. 
我有一个客户端,该客户端调用签名其响应消息的API。 The signature validation setup requires special binding that looks like this: 签名验证设置需要特殊的绑定,如下所示:
public class SignatureBinding : Binding
{
public override BindingElementCollection CreateBindingElements()
{
var signingElement = new AsymmetricSecurityBindingElement
{
AllowInsecureTransport = false,
RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never),
InitiatorTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient),
DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256,
SecurityHeaderLayout = SecurityHeaderLayout.Strict,
MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
AllowSerializedSigningTokenOnReply = true
};
signingElement.SetKeyDerivation(false);
return new BindingElementCollection
{
signingElement,
new HttpsTransportBindingElement()
};
}
}
And in the ClientCredentials behavior: 并且在ClientCredentials行为中:
public class CredentialsBehavior : ClientCredentials
{
public CredentialsBehavior()
{
base.ServiceCertificate.DefaultCertificate = store.FindBySerialNumber(signatureCertSN);
}
//Code omitted
}
I have confirmed that the above code works fine when run from an ordinary computer. 我已经确认,从普通计算机上运行上述代码可以正常工作。 The message is sent, the server crafts a response and signs it, it comes back, the client validates the signature, and all is well. 消息已发送,服务器制作了响应并对其进行签名,然后返回,客户端验证了签名,一切都很好。
However, there is a failure when running from the intended server, which cannot access CRL services due to firewalls. 但是,从目标服务器运行时会出现故障,由于防火墙,该服务器无法访问CRL服务 。 The ServiceModel call returns an error when I send the message over the channel. 通过通道发送消息时,ServiceModel调用返回错误。 The error pertains to the certificate that contains the public key for validating the signature. 该错误与包含用于验证签名的公钥的证书有关。 The error is: 错误是:
The X.509 certificate CN=somecert.somedomain.com, OU=CE_Operations, O="MyCompany, Inc.", L=City, S=State, C=US chain building failed.
The server exists in a domain that can't access CRLs so I disabled the check with help from this answer : 该服务器存在于无法访问CRL的域中,因此我在此答案的帮助下禁用了检查:
ServicePointManager.ServerCertificateValidationCallback += ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
ServicePointManager.CheckCertificateRevocationList = false;
However, the error persists. 但是,错误仍然存在。 I'm guessing that ServerCertificateValidationCallback only fires for server certificates, and this certificate is different. 我猜想ServerCertificateValidationCallback仅针对服务器证书触发,并且此证书是不同的。
How do I convince the service model to allow the use of this certificate without checking the CRL or performing other validation procedures? 如何说服服务模型允许使用此证书,而无需检查CRL或执行其他验证过程?
1 个解决方案
解决方案1
0 2018-09-19 01:47:54
Set certificateValidationMode to None to ignore certificate validation X509CertificateValidationMode 将certificateValidationMode设置为None以忽略证书验证X509CertificateValidationMode
This is a behavior, so if you want to do it programmatically you should bind it as new behavior to your service : 这是一种行为,因此,如果要以编程方式进行操作,则应将其作为新行为绑定到服务:
ServiceHost host = new ServiceHost(typeof(Service));
ServiceEndpoint endpoint = host.AddServiceEndpoint(typeof(IService), new WebHttpBinding(), "http://...");
var endpointClientbehavior = new ClientCredentials();
endpointClientbehavior.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
endpoint.Behaviors.Add(endpointClientbehavior);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.