How to verify a certificate has a CA certificate in the certificate chain when using WCF

I have a requirement to make sure that the x509 certificate that the client presents during the WCF session has a specific certificate service in its chain.

I know that I can verify the certificate chain programmatically using ChainElements[index].

But I'm not sure how to do this while still integrating with WCF using configuration files.

WCF is currently configured in the configuration file, see below:

 <services>
   <service name="SampleService" behaviorConfiguration="wsHttpBehavior">
     <endpoint name="SampleEndPoint"
               address="http://localhost:70000/SampleService.svc"
               binding="wsHttpBinding"
               bindingConfiguration="wsHttpBinding"
               contract="SampleApp.ISampleService">
     </endpoint>
   </service>
 </services>
 <bindings>
   <wsHttpBinding>
     <binding name="wsHttpBinding">
       <reliableSession enabled="true" ordered="true" />
       <security>
         <message clientCredentialType="Certificate" />
       </security>
     </binding>
   </wsHttpBinding>
 </bindings>
 <behaviors>
   <serviceBehaviors>
     <behavior name="wsHttpBehavior">
       <serviceMetadata httpGetEnabled="true" />
       <serviceDebug includeExceptionDetailInFaults="false" />
       <serviceCredentials>
         <serviceCertificate findValue="aa aa aa" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySerialNumber" />
       </serviceCredentials>
     </behavior>
   </serviceBehaviors>
 </behaviors>

Is there anything I can do in the configuration file to tell it to make sure that the client certificate provided contains a specific certificate authority? Or do I need to bind a WCF channel to do this? Is it possible?

+4
1 answer

This can be achieved by extending WCF (Introduction to Extensibility).

For a specific example, see How to Create a Service Using a Custom Certificate Validator.

Using this information and the information that I collected from fooobar.com/questions/1039047 / ... , I created a service that verified the validity of the certificate and also verified that it came from a specialized certification authority.

code:

 using System;
 using System.IdentityModel.Selectors;
 using System.IdentityModel.Tokens;
 using System.Security.Cryptography.X509Certificates;

 public class CustomX509CertificateValidator : X509CertificateValidator
 {
     public override void Validate(X509Certificate2 certificate)
     {
         var ch = new X509Chain();

         //RevocationMode Enumeration
         //http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509revocationmode.aspx
         ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;

         //RevocationFlag Enumeration
         //http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509revocationflag.aspx
         ch.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;

         //Maximum time allowed for online revocation verification or downloading the
         //certificate revocation list (CRL). new TimeSpan(1000) meant 1000 ticks (0.1 ms),
         //which would time out every online check; an explicit duration is used instead.
         ch.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1000);

         //VerificationFlags Enumeration
         //http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509verificationflags.aspx
         ch.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

         //The time that the certificate was verified, expressed in local time
         ch.ChainPolicy.VerificationTime = DateTime.Now;

         //Build returns false for an untrusted, expired, revoked or incomplete chain;
         //log the status flags and reject before trusting any chain element
         bool chainIsValid = ch.Build(certificate);
         foreach (X509ChainStatus s in ch.ChainStatus)
         {
             string str = s.Status.ToString();
             Console.WriteLine("str: " + str);
         }
         if (!chainIsValid)
         {
             throw new SecurityTokenValidationException("Certificate chain could not be validated");
         }

         //Check to see if the CA is a specific one (the last chain element is the root)
         if (ch.ChainElements[ch.ChainElements.Count - 1].Certificate.IssuerName.Name != "CN=Something, OU=PKI...,")
         {
             throw new SecurityTokenValidationException("Certificate was not issued by a trusted issuer");
         }

         //Check to see if the current certificate is revoked in the current system
         //(does this not happen in the above?)
         X509Store store = new X509Store(StoreName.Disallowed, StoreLocation.LocalMachine);
         store.Open(OpenFlags.ReadOnly);
         bool isRevoked = store.Certificates.Contains(certificate);
         store.Close();
         if (isRevoked)
         {
             throw new SecurityTokenValidationException("Certificate is revoked");
         }

         if (!certificate.Verify())
         {
             throw new SecurityTokenValidationException("Certificate cannot be verified");
         }
     }
 }

web.config

 <behaviors>
   <serviceBehaviors>
     <behavior name="secureHttpBehavior">
       <serviceMetadata httpGetEnabled="true"/>
       <serviceDebug includeExceptionDetailInFaults="false"/>
       <serviceCredentials>
         <serviceCertificate findValue="00 b7 70" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySerialNumber"/>
         <clientCertificate>
           <authentication certificateValidationMode="Custom"
                           customCertificateValidatorType="WcfWebServer.CustomX509CertificateValidator, WcfWebServer"/>
         </clientCertificate>
       </serviceCredentials>
     </behavior>
   </serviceBehaviors>
 </behaviors>
+1
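A hardened variant of the validator in the answer above, added here as an example (not code from the original answer): it pins the required CA by thumbprint instead of comparing the root's issuer DN as a string, accepts the CA anywhere in the built chain (root or intermediate, which is what the question asks for), and fails closed when X509Chain.Build returns false. The class name is hypothetical and the thumbprint value is a placeholder.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example: pins the required CA by thumbprint and fails closed
// when the chain does not build, instead of comparing the root's issuer DN.
public class PinnedIssuerCertificateValidator : X509CertificateValidator
{
    // Placeholder: replace with the SHA-1 thumbprint of your CA certificate
    // (as shown by the certificate MMC snap-in or certutil; spaces optional).
    private const string RequiredCaThumbprint = "REPLACE_WITH_CA_THUMBPRINT";

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        // Reject before any issuer check if the chain is untrusted, expired,
        // revoked or incomplete; the status flags go into the fault reason.
        if (!chain.Build(certificate))
        {
            string reasons = string.Join(", ",
                chain.ChainStatus.Select(s => s.Status.ToString()));
            throw new SecurityTokenValidationException(
                "Client certificate chain is invalid: " + reasons);
        }

        if (!ChainContainsThumbprint(chain, RequiredCaThumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate was not issued under the required CA");
    }

    // True if any element above the leaf (root or intermediate) has the
    // pinned thumbprint; element 0 is the client certificate itself.
    internal static bool ChainContainsThumbprint(X509Chain chain, string thumbprint)
    {
        string wanted = thumbprint.Replace(" ", "");
        return chain.ChainElements.Cast<X509ChainElement>().Skip(1)
            .Any(e => string.Equals(e.Certificate.Thumbprint, wanted,
                                    StringComparison.OrdinalIgnoreCase));
    }
}
```

It is wired in through the same web.config clientCertificate/authentication element as the answer's validator, with customCertificateValidatorType pointing at this class.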
