一段时间以前,我使用 .Net Core 创建了 这个 POC 来进行客户端证书认证。它使用了现在已经 内置于 .Net Core 的 idunno.Authentication 包。我的 POC 可能有些过时,但可以成为你的好起点。
首先创建一个扩展方法将证书添加到 HttpClientHandler
:
public static class HttpClientHandlerExtensions
{
public static HttpClientHandler AddClientCertificate(this HttpClientHandler handler, X509Certificate2 certificate)
{
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.ClientCertificates.Add(certificate);
return handler;
}
}
接下来是另一种将证书添加到IHttpClientBuilder
的扩展方法。
public static IHttpClientBuilder AddClientCertificate(this IHttpClientBuilder httpClientBuilder, X509Certificate2 certificate)
{
httpClientBuilder.ConfigureHttpMessageHandlerBuilder(builder =>
{
if (builder.PrimaryHandler is HttpClientHandler handler)
{
handler.AddClientCertificate(certificate);
}
else
{
throw new InvalidOperationException($"Only {typeof(HttpClientHandler).FullName} handler type is supported. Actual type: {builder.PrimaryHandler.GetType().FullName}");
}
});
return httpClientBuilder;
}
var cert = CertificateFinder.FindBySubject("your-subject");
services
.AddHttpClient("ClientWithCertificate", client => { client.BaseAddress = new Uri(ServerUrl); })
.AddClientCertificate(cert);
public async Task SendRequest()
{
var client = _httpClientFactory.CreateClient("ClientWithCertificate");
....
}
这里有很多选择,所以我不确定根据问题的简洁性应该选择哪一种。我创建了一个基本的aspnet.core WebApi项目,它有一个“天气预报”控制器作为测试。这里没有展示很多错误检查,并且对于密钥和证书的存储方式以及用于什么操作系统(尽管操作系统并不那么重要,但是密钥库是不同的)存在许多假设。
另外请注意,使用OpenSsl创建的证书不包含Web服务器的私钥。您需要将证书和私钥合并到Pkcs12 / PFX格式中。
例如(适用于Web服务器,而不一定是客户端,但您确实可以在任何地方使用PFX...)。
openssl pkcs12 -export -out so-selfsigned-ca-root-x509.pfx -inkey so-root-ca-rsa-private-key.pem -in so-selfsigned-ca-root-x509.pem
The appSettings.json example file:
{
"HttpClientRsaArtifacts": {
"ClientCertificateFilename": "so-x509-client-cert.pem",
"ClientPrivateKeyFilename": "so-client-private-key.pem"
}
}
private static async Task Main(string[] args)
{
IConfiguration config = new ConfigurationBuilder().AddJsonFile("appSettings.json").Build();
const string mainAppSettingsKey = "HttpClientRsaArtifacts";
var clientCertificateFileName = config[$"{mainAppSettingsKey}:ClientCertificateFilename"];
var clientPrivKeyFileName = config[$"{mainAppSettingsKey}:ClientPrivateKeyFilename"];
var clientCertificate = new X509Certificate2(clientCertificateFileName);
var httpClientHandler = new HttpClientHandler();
httpClientHandler.ClientCertificates.Add(clientCertificate);
httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
httpClientHandler.ServerCertificateCustomValidationCallback = ByPassCertErrorsForTestPurposesDoNotDoThisInTheWild;
httpClientHandler.CheckCertificateRevocationList = false;
var httpClient = new HttpClient(httpClientHandler);
httpClient.BaseAddress = new Uri("https://localhost:5001/");
var httpRequestMessage = new HttpRequestMessage(
HttpMethod.Get,
"weatherforecast");
// This is "the connection" (and API call)
using var response = await httpClient.SendAsync(
httpRequestMessage,
HttpCompletionOption.ResponseHeadersRead);
var stream = await response.Content.ReadAsStreamAsync();
var jsonDocument = await JsonDocument.ParseAsync(stream);
var options = new JsonSerializerOptions
{
WriteIndented = true,
};
Console.WriteLine(
JsonSerializer.Serialize(
jsonDocument,
options));
}
private static bool ByPassCertErrorsForTestPurposesDoNotDoThisInTheWild(
HttpRequestMessage httpRequestMsg,
X509Certificate2 certificate,
X509Chain x509Chain,
SslPolicyErrors policyErrors)
{
var certificateIsTestCert = certificate.Subject.Equals("O=Internet Widgits Pty Ltd, S=Silicon Valley, C=US");
return certificateIsTestCert && x509Chain.ChainElements.Count == 1 &&
x509Chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot;
}
private static RSA LoadClientPrivateKeyFromPemFile(string clientPrivateKeyFileName)
{
if (!File.Exists(clientPrivateKeyFileName))
{
throw new FileNotFoundException(
"The client private key PEM file could not be found",
clientPrivateKeyFileName);
}
var clientPrivateKeyPemText = File.ReadAllText(clientPrivateKeyFileName);
using var reader = new StringReader(clientPrivateKeyPemText);
var pemReader = new PemReader(reader);
var keyParam = pemReader.ReadObject();
// GET THE PRIVATE KEY PARAMETERS
RsaPrivateCrtKeyParameters privateKeyParams = null;
// This is the case if the PEM file has is a "traditional" RSA PKCS#1 content
// The private key file with begin and end with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
if (keyParam is AsymmetricCipherKeyPair asymmetricCipherKeyPair)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricCipherKeyPair.Private;
}
// This is to check if it is a Pkcs#8 PRIVATE KEY ONLY or a public key (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
if (keyParam is AsymmetricKeyParameter asymmetricKeyParameter)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricKeyParameter;
}
var rsaPrivateKeyParameters = DotNetUtilities.ToRSAParameters(privateKeyParams);
// CREATE A NEW RSA INSTANCE WITH THE PRIVATE KEY PARAMETERS (THIS IS THE PRIVATE KEY)
return RSA.Create(rsaPrivateKeyParameters);
}
最后,如果您想使用私钥(从 PEM 文件中使用上面的示例获得)对数据进行签名,可以使用 System.Security.Cryptography.RSA 类的标准加密和签名方法。例如:
var signedData = rsaInstanceWithPrivateKey.SignData(
data,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
...并将其作为ByteArrayContent添加到HttpRequestMessage中,然后再通过调用SendAsync与HttpRequestMessage一起使用。
var byteArrayContent = new ByteArrayContent(signedData);
var httpRequestMessage = new HttpRequestMessage(
HttpMethod.Post,
"/myapiuri");
httpRequestMessage.Content = byteArrayContent;
您提到您使用相同的私钥创建所有内容,因此如果在Web服务器端是这种情况,您将能够验证签名并解密您在此示例中从客户端发送的内容。
再次强调,这里有很多选项和细微差别。
使用Bouncy Castle PEM阅读器,您可以注入一个包含密码的IPasswordFinder实现。
例如:
/// <summary>
/// Required when using the Bouncy Castle PEM reader for PEM artifacts with passwords.
/// </summary>
class BcPemPasswordFinder : IPasswordFinder
{
private readonly string m_password;
public BcPemPasswordFinder(string password)
{
m_password = password;
}
/// <summary>
/// Required by the IPasswordFinder interface
/// </summary>
/// <returns>System.Char[].</returns>
public char[] GetPassword()
{
return m_password.ToCharArray();
}
}
private static RSA LoadClientPrivateKeyFromPemFile(string clientPrivateKeyFileName)
{
if (!File.Exists(clientPrivateKeyFileName))
{
throw new FileNotFoundException(
"The client private key PEM file could not be found",
clientPrivateKeyFileName);
}
var clientPrivateKeyPemText = File.ReadAllText(clientPrivateKeyFileName);
using var reader = new StringReader(clientPrivateKeyPemText);
// Instantiate password finder here
var passwordFinder = new BcPemPasswordFinder("P@ssword");
// Pass the IPasswordFinder instance into the PEM PemReader...
var pemReader = new PemReader(reader, passwordFinder);
var keyParam = pemReader.ReadObject();
// GET THE PRIVATE KEY PARAMETERS
RsaPrivateCrtKeyParameters privateKeyParams = null;
// This is the case if the PEM file has is a "traditional" RSA PKCS#1 content
// The private key file with begin and end with -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
if (keyParam is AsymmetricCipherKeyPair asymmetricCipherKeyPair)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricCipherKeyPair.Private;
}
// This is to check if it is a Pkcs#8 PRIVATE KEY ONLY or a public key (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
if (keyParam is AsymmetricKeyParameter asymmetricKeyParameter)
{
privateKeyParams = (RsaPrivateCrtKeyParameters)asymmetricKeyParameter;
}
var rsaPrivateKeyParameters = DotNetUtilities.ToRSAParameters(privateKeyParams);
// CREATE A NEW RSA INSTANCE WITH THE PRIVATE KEY PARAMETERS (THIS IS THE PRIVATE KEY)
return RSA.Create(rsaPrivateKeyParameters);
}