Warning: file_get_contents(/data/phpspider/zhask/data//catemap/0/azure/12.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Asp.net Azure中rest api的证书身份验证(使用https)_Asp.net_Azure_Asp.net Web Api_X509certificate - Fatal编程技术网
Fatal编程技术网
  • asp.net/
  • Asp.net Azure中rest api的证书身份验证(使用https)

Asp.net Azure中rest api的证书身份验证(使用https)

asp.net azure asp.net-web-api

Asp.net Azure中rest api的证书身份验证(使用https),asp.net,azure,asp.net-web-api,x509certificate,Asp.net,Azure,Asp.net Web Api,X509certificate,我在配置asp.net web api服务以通过客户端证书验证请求时遇到问题 我执行Pro ASP.NET Web Api Security中描述的步骤: 我使用makecert.exe创建证书 makecert.exe-r-n“CN=MobileTradeDataGateway”-pe-sv MobileTradeDataGateway.pvk-a sha256-cy authority MobileTradeDataGateway.cer和makecert.exe-iv MobileTrad

我在配置asp.net web api服务以通过客户端证书验证请求时遇到问题

我执行Pro ASP.NET Web Api Security中描述的步骤:

  • 我使用makecert.exe创建证书 
    makecert.exe-r-n“CN=MobileTradeDataGateway”-pe-sv MobileTradeDataGateway.pvk-a sha256-cy authority MobileTradeDataGateway.cer和
    makecert.exe-iv MobileTradeDataGateway.pvk-ic MobileTradeDataGateway.cer-n“CN=DataGateway1”-pe-sv数据网关1.pvk-a sha256-sky exchange数据网关1.cer-eku 1.3.6.1.5.5.7.3.2
  • 我将MobileTradeDataGateway证书安装在服务器受信任的根证书颁发机构和客户端中。在客户端个人权限中安装DataGateway1
  • 将站点配置为接受证书并启用。启用匿名身份验证
  • 创建DelegatingHandler并将其添加到mvc中的messagehandlers集合以检查证书
  • 调用web api方法

    var certStore=new X509Store(StoreLocation.CurrentUser); 打开(OpenFlags.ReadOnly); var collection=certStore.Certificates.Find(X509FindType.FindByIssuerName,“MobileTradeDataGateway”,true); var cert=集合[0]; certStore.Close(); var messageHandler=new WebRequestHandler(); messageHandler.ClientCertificates.Add(cert); var client=newhttpclient(messageHandler){BaseAddress=newuri(“…”)}; var res=client.GetAsync(“/api/orderuploader?number=5”).Result

    • 在我的本地机器和网络中,我的机器是服务器,一切正常。 但当我将其部署到azure云服务时,我得到了空值 
    var cert=request.GetClientCertificate();//此处为空
    在我的自定义委托处理程序中

    当然,我允许IIS接受证书并正确地将证书放入受信任的根证书颁发机构

    有什么想法吗?

    您是否也尝试过通过“指纹”获取证书。 下面是尝试从证书存储读取证书的示例代码

    private X509Certificate2 FindCertificate()
{
    X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certificateStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificates = certificateStore.Certificates;
    X509Certificate2Collection matchingCertificates = certificates.Find(X509FindType.FindByThumbprint, "CertThumbprint", false);
    if (matchingCertificates != null && matchingCertificates.Count > 0)
    {
        return matchingCertificates[0];
    }
    throw new ArgumentException("Unable to find a matching certificate in the certificate store. Please modify the search criteria.");
}
    这有更多关于如何从web/worker角色读取证书的信息

    这是我的web api中的delegatinghandler代码

    public class X509ClientCertificateHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            WebApiEventSource.Log.InvalidHttpsScheme();
            return request.CreateResponse(HttpStatusCode.Forbidden);
        }
        var cert = request.GetClientCertificate(); // here is null!!!
        if (cert == null)
        {
            WebApiEventSource.Log.FailureAuthenticate("certificate is abcent", "", "");
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        var chain =new X509Chain {ChainPolicy = {RevocationMode = X509RevocationMode.NoCheck}};
        if (chain.Build(cert) && cert.Issuer.Equals("CN=MobileTradeDataGateway"))
        {
            var claims = new List<Claim>
                {
                    new Claim(ClaimTypes.Name, cert.Subject.Substring(3))
                };
            var principal = new ClaimsPrincipal(new[] {new ClaimsIdentity(claims, "X509")});
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
                HttpContext.Current.User = principal;
            WebApiEventSource.Log.SuccessAuthenticate(cert.SubjectName.Name);
            return await base.SendAsync(request, cancellationToken);
        }
        WebApiEventSource.Log.FailureAuthenticate("certificate is incorrect", cert.IssuerName.Name, cert.SubjectName.Name);
        return request.CreateResponse(HttpStatusCode.Unauthorized);
    }
}

    public类X509ClientCertificateHandler:DelegatingHandler
{
受保护的覆盖异步任务SendAsync(HttpRequestMessage请求,CancellationToken CancellationToken)
{
if(request.RequestUri.Scheme!=Uri.UriSchemeHttps)
{
WebApiEventSource.Log.InvalidHttpsScheme();
返回请求.CreateResponse(HttpStatusCode.Forbidden);
}
var cert=request.GetClientCertificate();//此处为空!!!
如果(证书==null)
{
WebApiEventSource.Log.FailureAuthenticate(“证书是abcent的,”“,”);
返回请求.CreateResponse(HttpStatusCode.Unauthorized);
}
var chain=new X509Chain{ChainPolicy={RevocationMode=X509RevocationMode.NoCheck};
if(chain.Build(cert)和&cert.Issuer.Equals(“CN=MobileTradeDataGateway”))
{
var索赔=新列表
{
新索赔(ClaimTypes.Name,cert.Subject.Substring(3))
};
var principal=新索赔(新[]{新索赔实体(索赔,“X509”)});
Thread.CurrentPrincipal=主体;
if(HttpContext.Current!=null)
HttpContext.Current.User=主体;
WebApiEventSource.Log.SuccessAuthenticate(cert.SubjectName.Name);
返回wait base.sendaync(请求、取消令牌);
}
WebApiEventSource.Log.FailureAuthenticate(“证书不正确”,cert.IssuerName.Name,cert.SubjectName.Name);
返回请求.CreateResponse(HttpStatusCode.Unauthorized);
}
}
    我认为您没有将证书上载到Azure门户。请确保将.cer或.pfx证书上载到Azure门户。如果您需要有关如何上传等方面的帮助,请告诉我。

    在delegatehandlerHi@АаСаааааа中读取HttpRequestMessage中的证书没有问题,您是否在最后解决了此问题?我面临着同样的问题