Problem description
I want to read certificate details (e.g. expiration date or CN) for security reasons.
Usually there are some properties available in network classes that allow checking the certificate. This is missing in the WP8 implementation.
I also tried to create an SslStream, but there is also no way to get any certificate detail like the RemoteCertificate on .NET 4.5.
var sslStream = new SslStream(new NetworkStream(e.ConnectSocket));
The SslStream is missing everything relating to security. So it looks like BouncyCastle and other libraries also cannot get the certificate, because the underlying framework doesn't support it.
So my questions are:
- Can I read the CN or other certificate details on WP8 using other approaches?
- If not, how can you then create seriously secure apps (like banking) on WP8 using techniques like SSL pinning or client-side certificate validation, and is there any reason why this is not supported in WP8?
Regards, Holger
Recommended answer
On Windows Phone 8.1 this can be done with HttpClient, as well as with StreamSocket (as Mike suggested).
An example of certificate validation with StreamSocket can be found here (Scenario5_Certificate in the source code).
Certificate validation with HttpClient can be done by handling the ERROR_INTERNET_INVALID_CA exception, validating the server certificate using the HttpTransportInformation class, creating a new instance of the HttpBaseProtocolFilter class and specifying the errors to ignore.
Note that not all the errors are ignorable. You will receive an exception if you try to add the Success, Revoked, InvalidSignature, InvalidCertificateAuthorityPolicy, BasicConstraintsError, UnknownCriticalExtension or OtherErrors enum values.
I'm adding sample code that bypasses certificate errors using HttpClient:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

namespace Example.App
{
    public class HttpsHandler
    {
        // HRESULT raised by Windows.Web.Http when the server certificate chain fails validation.
        private const int ERROR_INTERNET_INVALID_CA = -2147012851; // 0x80072f0d

        // Returns Task instead of void so callers can await it and observe exceptions.
        public static async Task HttpsWithCertificateValidation()
        {
            Uri resourceUri;
            if (!Uri.TryCreate("https://www.pcwebshop.co.uk/", UriKind.Absolute, out resourceUri))
                return;

            // First attempt with the default filter: collect the chain errors the server produced.
            IReadOnlyList<ChainValidationResult> serverErrors = await DoGet(null, resourceUri);
            if (serverErrors != null)
            {
                HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
                foreach (ChainValidationResult value in serverErrors)
                {
                    try
                    {
                        filter.IgnorableServerCertificateErrors.Add(value);
                    }
                    catch (Exception)
                    {
                        // Note: the following values can't be ignorable:
                        // Success Revoked InvalidSignature InvalidCertificateAuthorityPolicy
                        // BasicConstraintsError UnknownCriticalExtension OtherErrors
                        Debug.WriteLine(value + " can't be ignorable");
                    }
                }
                // Second attempt with the ignorable errors configured on the filter.
                await DoGet(filter, resourceUri);
            }
        }

        // Performs the GET; returns the server certificate errors when the request failed
        // with ERROR_INTERNET_INVALID_CA, otherwise null.
        private static async Task<IReadOnlyList<ChainValidationResult>> DoGet(HttpBaseProtocolFilter filter, Uri resourceUri)
        {
            HttpClient httpClient = filter != null ? new HttpClient(filter) : new HttpClient();
            HttpRequestMessage requestMessage = new HttpRequestMessage(HttpMethod.Get, resourceUri);
            bool hadCertificateException = false;
            try
            {
                HttpResponseMessage response = await httpClient.SendRequestAsync(requestMessage);
                response.EnsureSuccessStatusCode();
                string responseBody = await response.Content.ReadAsStringAsync();
                Debug.WriteLine("Received " + responseBody.Length + " characters");
            }
            catch (Exception ex)
            {
                hadCertificateException = ex.HResult == ERROR_INTERNET_INVALID_CA;
            }
            // TransportInformation is populated once the connection was attempted, even if the request failed.
            return hadCertificateException ? requestMessage.TransportInformation.ServerCertificateErrors : null;
        }
    }
}
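The same HttpTransportInformation path also covers what the question actually asked for. As an added example that is not part of the original answer, the following reads the subject (CN), issuer and validity window of the certificate the TLS handshake used and compares its thumbprint against a value compiled into the app, i.e. a simple pin. CertificateInspector and PinnedThumbprintHex are hypothetical names, the thumbprint value is a placeholder, and GetHashValue() is assumed to return the certificate's default thumbprint.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;

namespace Example.App
{
    public static class CertificateInspector
    {
        // Placeholder: replace with the thumbprint of the certificate you expect from your server.
        private const string PinnedThumbprintHex = "0000000000000000000000000000000000000000";

        // Sends a request that carries no sensitive data, then inspects the certificate
        // the connection actually negotiated. Returns true only if the chain validated,
        // the validity window is current and the thumbprint matches the pinned value.
        public static async Task<bool> IsServerCertificateTrustedAsync(Uri resourceUri)
        {
            var httpClient = new HttpClient();
            var request = new HttpRequestMessage(HttpMethod.Head, resourceUri);
            try
            {
                await httpClient.SendRequestAsync(request);
            }
            catch (Exception)
            {
                // Chain errors the platform refuses to ignore end up here: treat as untrusted.
                return false;
            }

            HttpTransportInformation info = request.TransportInformation;
            Certificate cert = info.ServerCertificate;
            if (cert == null)
                return false;
            if (info.ServerCertificateErrors != null &&
                info.ServerCertificateErrors.Any(e => e != ChainValidationResult.Success))
                return false;

            // Details the question asked for: subject (contains the CN), issuer, validity window.
            string subject = cert.Subject;
            string issuer = cert.Issuer;
            DateTimeOffset now = DateTimeOffset.UtcNow;
            if (cert.ValidFrom > now || cert.ValidTo < now)
                return false;

            // Pin: compare the certificate thumbprint with the value compiled into the app.
            string thumbprint = CryptographicBuffer.EncodeToHexString(
                CryptographicBuffer.CreateFromByteArray(cert.GetHashValue()));
            return string.Equals(thumbprint, PinnedThumbprintHex, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Run this check before any request that carries credentials: TransportInformation describes the connection used for that request, so the pin has to be verified on a request whose failure costs nothing.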