【问题描述】:
我目前有一个需要用户 x509 证书的 DotNet Core 应用程序。目前我能够获取该证书,并通过以下方式对其进行验证:
在我的 Program.cs 中
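// Host bootstrap (fragment of Program.cs). Kestrel's HTTPS defaults are set to
// require a TLS client certificate on every connection, so a client that presents
// no certificate is rejected at the TLS layer before any middleware runs.
// Nothing on this page builds or runs the host; the surrounding code is expected
// to chain .Build().Run() (not shown here).
Host.CreateDefaultBuilder(args)
    .ConfigureWebHostDefaults(webBuilder =>
    {
        webBuilder.UseStartup<Startup>();
        webBuilder.ConfigureKestrel(kestrel =>
        {
            // The original reused the name `o` for the inner lambda's parameter,
            // which shadows the enclosing lambda's `o` and does not compile in C#
            // (CS0136). Distinct names make the two option objects explicit.
            kestrel.ConfigureHttpsDefaults(https =>
                https.ClientCertificateMode = ClientCertificateMode.RequireCertificate);
        });
    });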
在我的 Startup.cs 中
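// Service registration (fragment of Startup.ConfigureServices).
// Kestrel already demands a client certificate at the TLS layer; this scheme turns
// that certificate into a ClaimsPrincipal, with CertificateValidationService acting
// as the application-level allow-list. AddAuthentication(scheme) also makes the
// certificate scheme the default for [Authorize].
services.AddScoped<CertificateValidationService>();
services.AddControllers();
services.AddAuthentication(
        CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // CertificateTypes.All admits self-signed as well as chained certificates,
        // so the check in OnCertificateValidated is what really decides who gets in.
        options.AllowedCertificateTypes = CertificateTypes.All;
        options.Events = new CertificateAuthenticationEvents
        {
            OnAuthenticationFailed = context =>
            {
                context.NoResult();
                // NOTE(review): "Token-Expired" reads like a leftover from a JWT
                // sample; a certificate failure is not an expiry. The header name is
                // kept because clients may already depend on it. The indexer is used
                // instead of Headers.Add so a repeated set cannot throw on a
                // duplicate key.
                context.Response.Headers["Token-Expired"] = "true";
                context.Response.ContentType = "text/plain";
                context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                return Task.CompletedTask;
            },
            OnCertificateValidated = context =>
            {
                // The handler has already applied the chain/type rules from the options
                // above; this is the application's own decision on the presented cert.
                var validationService =
                    context.HttpContext.RequestServices
                        .GetRequiredService<CertificateValidationService>();
                if (validationService.ValidateCertificate(
                    context.ClientCertificate))
                {
                    // NOTE(review): the certificate Subject is used as the identity.
                    // Subjects are not guaranteed unique across issuers; the Thumbprint
                    // is a more precise key unless the validation service pins the issuer.
                    var claims = new[]
                    {
                        new Claim(
                            ClaimTypes.NameIdentifier,
                            context.ClientCertificate.Subject,
                            ClaimValueTypes.String,
                            context.Options.ClaimsIssuer),
                        new Claim(
                            ClaimTypes.Name,
                            context.ClientCertificate.Subject,
                            ClaimValueTypes.String,
                            context.Options.ClaimsIssuer)
                    };
                    // Keep the validated certificate on the ticket so later code can read
                    // it back from the authentication result's Properties (GetParameter);
                    // the raw TLS certificate is also exposed as
                    // HttpContext.Connection.ClientCertificate.
                    context.Properties.SetParameter("x509", context.ClientCertificate);
                    context.Principal = new ClaimsPrincipal(
                        new ClaimsIdentity(claims, context.Scheme.Name));
                    context.Success();
                }
                else
                {
                    // The reason is handed to the handler via Fail(); nothing here
                    // writes it into the HTTP response.
                    context.Fail($"Unrecognized client certificate: " +
                        $"{context.ClientCertificate.GetNameInfo(X509NameType.SimpleName, false)}");
                }
                return Task.CompletedTask;
            }
        };
    });
// The original registered AddControllers() a second time here; one registration
// (above) is sufficient, so the duplicate is dropped.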
我也有用于验证证书的实现,并且工作正常。但是,稍后在应用程序中我想执行以下操作
/// <summary>
/// Signs C:\test\Document.pdf with a time stamp from freetsa.org, adds the first
/// signature field's validation data (CRL/OCSP) to the document's DSS using
/// certificates from the current user's store, and writes C:\test\signedLTV.pdf.
/// </summary>
/// <returns>A fixed confirmation string; the signed file is written as a side effect.</returns>
/// <remarks>
/// Review notes: this action changes the file system on a GET, and it signs with
/// whatever is in the local CurrentUser store rather than with the certificate the
/// caller authenticated with. If this class derives from ControllerBase, the caller's
/// TLS certificate is available as HttpContext.Connection.ClientCertificate, and the
/// CertificateStoreProvider overload taking an X509Certificate2Collection (see the
/// comment below) is the natural way to hand it over; not done here so behaviour is
/// unchanged. Indexing [0] throws when the document has no signature fields.
/// </remarks>
[Route("/signature")]
[HttpGet]
public string Signature()
{
    string inputPath = @"C:\test\Document.pdf";
    string outputPath = @"C:\test\signedLTV.pdf";

    using (PdfDocumentSigner signer = new PdfDocumentSigner(inputPath))
    {
        // Time stamp authority used for the signature's time stamp token.
        Uri tsaUri = new Uri(@"https://freetsa.org/tsr");
        ITsaClient tsaClient = new TsaClient(tsaUri,
            DevExpress.Office.DigitalSignatures.HashAlgorithmType.SHA256);

        // The first signature field is the one whose validation data goes into the DSS.
        string fieldName = signer.GetSignatureFieldNames(false)[0];

        // Create a provider that retrieves certificates from a store:
        // public CertificateStoreProvider(X509Certificate2Collection collection);
        X509Store userStore = new X509Store(StoreLocation.CurrentUser);
        using (CertificateStoreProvider storeProvider = new CertificateStoreProvider(userStore, true))
        {
            // Add the signature to the security store and specify the CrlClient and
            // OcspClient objects used to check the certificates' revocation status.
            signer.AddToDss(fieldName, new CrlClient(), new OcspClient(), storeProvider);
        }

        PdfSignatureBuilder[] builders = { new PdfSignatureBuilder(new PdfTimeStamp(tsaClient)) };
        signer.SaveDocument(outputPath, builders);
    }

    return "The file was signed";
}
现在显然问题在于,这里使用的是我本地主机上的 X509 证书。而我想做的是使用用户在 Program/Startup 中经过验证后传入的那张证书。
有没有办法以编程方式获取它,或者安全地将它传递过去?