Original URL: http://stackoverflow.com/questions/867171/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
read client certificate from httprequest C#
Asked by Sean
I am trying to read an X509 certificate using Request.ClientCertificate but nothing is returned. The certificate is definitely being attached to the request because I can get the certificate information from the page sending the request.
I have tried reading the certificate from several different places but cannot seem to get it to work.
I started with code from this KB Article. In the requested page I tried to print out some information about the certificate but nothing was returned in the response.
This is running on IIS 5.1 and the communication is over SSL. This must be done using version 2 of the .Net framework.
Why does the certificate seem to disappear?
Answered by albertjan
Ok, it isn't completely clear, but you have a website which requires the clients to authenticate themselves using certificates? Because that's what the Request.ClientCertificate property is for.
I say this because there's something odd about your question.
"I can get the certificate information from the page sending the request."
Pages in general do not really send requests; the clients do.
To get the server cert you could open the X509Store and sift through the certs to find the one with the CN you need.
Answered by Jacob
I'm not sure what you need the client certificate for, but if you're using it for your own custom authentication or authorization, you may want to consider using the web server's security infrastructure instead of implementing your own. For example, you can configure IIS to require client certificates, map the certs to user accounts, and use Windows-based authentication. Of course, this doesn't necessarily work for your problem domain.
Answered by Dscoduc
I wrote an identification web page a while back that looked for a client certificate and if found would display the certificate information. I believe that is what you are looking for... Here is the page:
<%@ Page Language="C#" Trace="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
    //protected void Page_Load(object sender, EventArgs e)
    //{ }

    // Writes the details of the client certificate into the response, if one was presented.
    void LoadCertInfo()
    {
        string para = "<div style='margin: 10px 0 0 0; font-weight: bold'>{0}</div>";
        string subpara = "<div style='margin-left: 15px; font-size: 90%'>{0}</div>";

        // IsPresent is false when the client sent no certificate (or IIS did not ask for one).
        if (Page.Request.ClientCertificate.IsPresent)
        {
            Response.Write("<hr /><div style='width: 500px; margin: 20px auto'>");
            Response.Write("<h3 style='width: 500px; margin: 20px auto'>Client Certificate Information</h3>");
            try
            {
                // Wrap the raw certificate bytes to get at the extensions.
                X509Certificate2 x509Cert2 = new X509Certificate2(Page.Request.ClientCertificate.Certificate);

                // Certificate fields are supplied by the client, so HTML-encode them before writing.
                Response.Write(string.Format(para, "Issued To:"));
                Response.Write(string.Format(subpara, Server.HtmlEncode(x509Cert2.Subject)));
                Response.Write(string.Format(para, "Issued By:"));
                Response.Write(string.Format(subpara, Server.HtmlEncode(x509Cert2.Issuer)));
                Response.Write(string.Format(para, "Friendly Name:"));
                Response.Write(string.Format(subpara, string.IsNullOrEmpty(x509Cert2.FriendlyName) ? "(None Specified)" : Server.HtmlEncode(x509Cert2.FriendlyName)));
                Response.Write(string.Format(para, "Valid Dates:"));
                Response.Write(string.Format(subpara, "From: " + x509Cert2.GetEffectiveDateString()));
                Response.Write(string.Format(subpara, "To: " + x509Cert2.GetExpirationDateString()));
                Response.Write(string.Format(para, "Thumbprint:"));
                Response.Write(string.Format(subpara, x509Cert2.Thumbprint));
                //Response.Write(string.Format(para, "Public Key:"));
                //Response.Write(string.Format(subpara, x509Cert2.GetPublicKeyString()));

                #region EKU Section - Retrieve EKU info and write out each OID
                X509EnhancedKeyUsageExtension ekuExtension = (X509EnhancedKeyUsageExtension)x509Cert2.Extensions["Enhanced Key Usage"];
                if (ekuExtension != null)
                {
                    Response.Write(string.Format(para, "Enhanced Key Usages (" + ekuExtension.EnhancedKeyUsages.Count.ToString() + " found)"));
                    OidCollection ekuOids = ekuExtension.EnhancedKeyUsages;
                    foreach (Oid ekuOid in ekuOids)
                        Response.Write(string.Format(subpara, Server.HtmlEncode(ekuOid.FriendlyName + " (OID: " + ekuOid.Value + ")")));
                }
                else
                {
                    Response.Write(string.Format(para, "No EKU Section Data"));
                }
                #endregion // EKU Section

                #region Subject Alternative Name Section
                X509Extension sanExtension = (X509Extension)x509Cert2.Extensions["Subject Alternative Name"];
                if (sanExtension != null)
                {
                    Response.Write(string.Format(para, "Subject Alternative Name:"));
                    Response.Write(string.Format(subpara, Server.HtmlEncode(sanExtension.Format(true))));
                }
                else
                {
                    Response.Write(string.Format(para, "No Subject Alternative Name Data"));
                }
                #endregion // Subject Alternative Name Section

                #region Certificate Policies Section
                X509Extension policyExtension = (X509Extension)x509Cert2.Extensions["Certificate Policies"];
                if (policyExtension != null)
                {
                    Response.Write(string.Format(para, "Certificate Policies:"));
                    Response.Write(string.Format(subpara, Server.HtmlEncode(policyExtension.Format(true))));
                }
                else
                {
                    Response.Write(string.Format(para, "No Certificate Policies Data"));
                }
                #endregion //Certificate Policies Section

                // Example on how to enumerate all extensions
                //foreach (X509Extension extension in x509Cert2.Extensions)
                //    Response.Write(string.Format(para, extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")"));
            }
            catch (Exception ex)
            {
                Response.Write(string.Format(para, "An error occurred:"));
                Response.Write(string.Format(subpara, Server.HtmlEncode(ex.Message)));
                Response.Write(string.Format(subpara, Server.HtmlEncode(ex.StackTrace)));
            }
            finally
            {
                Response.Write("</div>");
            }
        }
    }
</script>
<html>
<head runat="server">
    <title><% Page.Response.Write(System.Environment.MachineName); %></title>
</head>
<body>
    <% LoadCertInfo(); %>
</body>
</html>
Answered by Dscoduc
You have to configure your local IIS to accept (or require) client certificates.
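The following is an added example, not code from the original question or answers: it turns the fields that the display page above reads into an accept/refuse decision, looking up the EKU by type rather than by the locale-dependent friendly name. It assumes .NET Core 2.0+ or .NET Framework 4.7.2+ (needed only to build the constructed test certificates); `ClientCertCheck`, `Refuse` and `MakeConstructed` are hypothetical names, and chain trust is assumed to be left to IIS.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    // Returns null when the certificate is acceptable, otherwise the reason for refusal.
    // In a page this would be fed from Request.ClientCertificate: pass null when
    // IsPresent is false, else new X509Certificate2(Request.ClientCertificate.Certificate).
    // Refusing a certificate without an EKU extension is a policy choice of this example.
    public static string Refuse(X509Certificate2 cert, DateTime nowUtc)
    {
        if (cert == null) return "no certificate presented (is IIS set to accept or require one?)";
        if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
            return "outside validity period";
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) return null;
            return "EKU present but does not allow client authentication";
        }
        return "no EKU extension";
    }

    // Builds a self-signed certificate as constructed sample input (not a real client cert).
    static X509Certificate2 MakeConstructed(string ekuOid)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            CertificateRequest req = new CertificateRequest("CN=constructed-client", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            OidCollection usages = new OidCollection { new Oid(ekuOid) };
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(usages, false));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    static void Main()
    {
        Console.WriteLine(Refuse(null, DateTime.UtcNow) ?? "accepted");
        Console.WriteLine(Refuse(MakeConstructed(ClientAuthOid), DateTime.UtcNow) ?? "accepted");
        Console.WriteLine(Refuse(MakeConstructed(ServerAuthOid), DateTime.UtcNow) ?? "accepted");
    }
}
```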