C#.NET-固定證書頒發機構-我做得正確嗎?
[英]C# .NET - Pinning Certificates Authorities - I am doing it correctly?
問題描述
我的軟件使用HTTPS連接連接到Dropbox,以檢索一些敏感數據。
我想固定證書頒發機構,以防止中間人攻擊。
到目前為止,我有以下代碼:
static bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
try
{
var currentCaPublicKey = chain.ChainElements.Cast<X509ChainElement>().Last().Certificate.GetPublicKeyString();
var caPublicKeys = new List<string>(){"00ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f"};
return caPublicKeys.Any(s => currentCaPublicKey.Equals(s));
}
catch (Exception ex)
{
Console.WriteLine(ex);
return false;
}
}
它工作正常,但我不知道我是否檢查了正確的事情。 一些加密專家的任何建議將不勝感激。
1 個解決方案
解決方案1
3 已采納 2017-10-21 23:26:47
您的代碼對於固定到根CA公共密鑰來說看起來是正確的。
HPKP要求您至少提供一個備用引腳,但是,我建議您遵循該指南。 假設您要固定到根CA,則最好提供另一個根CA的公鑰作為備份,以減輕第一個CA發生故障(例如停業)時發生DoS的風險。
當然,您的代碼可以容納多個公共密鑰以供使用,因此只需在字符串列表中添加其他密鑰即可。
干杯
編輯2017.10.23
這是我認為合理的根CA公鑰固定和證書驗證應具有的示例。 這個快速樣本是在WebApi項目中完成的,因此是樣板值控制器。
請注意,在我的示例中僅使用了一(1)個根CA公共密鑰,並且如上所述,應提供一個備用引腳(至少2個數組元素)。
這是一個示例 ,不用作生產代碼-我建議對以下內容進行同行/安全性審查:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http;
namespace CertPinPocClient.Controllers
{
public class ValuesController : ApiController
{
// GET api/values
public IEnumerable<string> Get()
{
ServicePointManager.ServerCertificateValidationCallback = new PinnedRootCaCertificate(new[]
{
"MIICCgKCAgEAzHYh7u+V5haaRSoGSVGm/gC4EYvZHkBR3/c/kQvTJeh1L9Bn/b7U1s7onw85SjvpZ28ohoT7p4vJRoNUBemR6hf3TM1mZmSE0tqnLGzBV9H4Nfrxx1+cubxYyYaOJ8iJfp1XslGGyZqQmUFFjWOUuU9cvOAbz4DqBIUn344JhG0xEHCf5IOF0gfuWE8yQC9vIjlveUQQ7dq/rDNZcQjqDhEb6DcF7za+1ZxjZdmtKewoYgDBPqzf66Gwi85BZsEcYFQTbjzvAhYaq4xPhJF6iPS4ihf+zjnMPxmy2oH1bm8n2fVuyxqV5JgIDU0ualx728UhfJUjcoBl57OLVsiJIdHFHpcDhN8Fn5QUGkNPgQqX27R1aw/+t2HfYTEsg6urH3aam8e7qRKUEXJs8qMKnXZ15aY0zlO7DLtfnK5tq2Cnu+HBBo4FlDhRO4kTBZOisFkvkEWI/Nj6jioOyMWsTsUvOdDK5KUpWZazpc3rwCvQy3KwBz6EyPU7ihrTm+nqqK5wiI9YwRcMjsPRBZfAur1cB0hNi+g98+2zzj+hwyR49KkOzFowp5MvXEWhnYDrY4cHSJ7zSdgMdO9HWPMke1HuKOUuUUUIpQMvPmFDAh4WQpAKqGvI/cOZeubnSwVMQra13QviYdlUeT56tFDTjgdbUNyBy0gxcFPVgTjzTj8CAwEAAQ==",
}).Valid;
var httpClient = new HttpClient
{
BaseAddress = new Uri("https://local.monitor.iontech.org")
};
var httpResponseMessage = httpClient.GetAsync(new Uri("https://local.monitor.iontech.org/api/status/")).Result;
var result = httpResponseMessage.Content.ReadAsStringAsync().Result;
return new[] {result};
}
}
public class PinnedRootCaCertificate
{
private readonly string[] _rootCaPublicKeys;
public PinnedRootCaCertificate(string[] rootCaPublicKeys)
{
_rootCaPublicKeys = rootCaPublicKeys;
}
public bool Valid(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
if (sslpolicyerrors != SslPolicyErrors.None) return false;
var rootCertificate = SelfSignedCertificate(chain);
var publicKey = Convert.ToBase64String(rootCertificate.PublicKey.EncodedKeyValue.RawData);
return rootCertificate.Verify() && _rootCaPublicKeys.Contains(publicKey);
}
private X509Certificate2 SelfSignedCertificate(X509Chain chain)
{
foreach (var x509ChainElement in chain.ChainElements)
{
if (x509ChainElement.Certificate.SubjectName.Name != x509ChainElement.Certificate.IssuerName.Name) continue;
return x509ChainElement.Certificate;
}
throw new Exception("Self-signed certificate not found.");
}
}
}
信任存儲在c#中“受信任的根證書頒發機構”中的SSL證書
[英]Trusting SSL certificates stored in “Trusted Root Certification Authorities” in c#
將css樣式應用於Asp.net標簽(c#)。 我究竟做錯了什么?
[英]Applying a css style to Asp.net label (c#) . What am i doing Wrong?
C#、. net,委托,異步回調。 我在這里做錯了什么?
[英]c#, .net, delegate, asynchronous callback. What am I doing wrong here?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.