我正在尝试关注Microsoft文档和其他在ASP.NET Core中演示证书身份验证的博客。调用RequestServices.GetService((返回null。我在validationService变量上添加了null检查,以检查它是否为null引用。
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme).AddCertificate(options =>
{
options.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
options.Events = new CertificateAuthenticationEvents
{
OnCertificateValidated = context =>
{
var validationService = context.HttpContext.RequestServices.GetService<MyCertificateValidationService>();
if (validationService == null)
{
throw new NullReferenceException("Validation Service returned by GetService<MyCertificateValidationService>() is null");
}
if (validationService.ValidateCertificate(context?.ClientCertificate))
{
var claims = new[]
{
new Claim(
ClaimTypes.NameIdentifier,
context.ClientCertificate.Subject,
ClaimValueTypes.String,
context.Options.ClaimsIssuer),
new Claim(
ClaimTypes.Name,
context.ClientCertificate.Subject,
ClaimValueTypes.String,
context.Options.ClaimsIssuer)
};
context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name));
context.Success();
}
return Task.CompletedTask;
}
};
});
services.AddControllers();
services.AddMvc()
.AddXmlSerializerFormatters();
}
验证服务类别:
public class MyCertificateValidationService
{
public bool ValidateCertificate(X509Certificate2 clientCertificate)
{
bool valid = false;
var cert = new X509Certificate2(Path.Combine("Test.crt"), ")F@4R9df3s75(5g0");
if (clientCertificate.Thumbprint == cert.Thumbprint)
{
valid = true;
}
return valid;
}
}
以下是启动中的配置方法:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
{
app.UseCertificateForwarding();
app.UseAuthentication();
loggerFactory.AddSerilog();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/error");
}
app.UseMiddleware<SerilogMiddleware>();
app.UseMiddleware<AuthenticationMiddleware>();
app.UseRouting();
app.UseEndpoints(endPoints =>
{
endPoints.MapControllers();
});
}
正如king king所说,如果你想使用自定义证书处理程序服务,你应该先注册它,然后像下面这样使用:
注意:文档中提到您也可以使用ICertificateValidationService,如果您想从context.HttpContext.RequestServices.GetService方法获得它,还需要自己构建此服务并将其注册为服务。
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton<MyCertificateValidationService>();
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme).AddCertificate(options =>
{
options.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
options.Events = new CertificateAuthenticationEvents
{
OnCertificateValidated = context =>
{
var validationService = context.HttpContext.RequestServices.GetService<MyCertificateValidationService>();
if (validationService == null)
{
throw new NullReferenceException("Validation Service returned by GetService<MyCertificateValidationService>() is null");
}
if (validationService.ValidateCertificate(context?.ClientCertificate))
{
var claims = new[]
{
new Claim(
ClaimTypes.NameIdentifier,
context.ClientCertificate.Subject,
ClaimValueTypes.String,
context.Options.ClaimsIssuer),
new Claim(
ClaimTypes.Name,
context.ClientCertificate.Subject,
ClaimValueTypes.String,
context.Options.ClaimsIssuer)
};
context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name));
context.Success();
}
return Task.CompletedTask;
}
};
});
services.AddControllers();
services.AddMvc()
.AddXmlSerializerFormatters();
}
此外,我建议您可以参考这个github演示,了解它如何与客户端证书验证一起工作。