在asp.net中实现证书授权
首先,我很抱歉我的英语不好。
在过去的两天里,我读了很多书,但没有找到解决我的问题的方法。
我需要实施这样的授权: 用户打开网页,出现特殊表单。在此表单上只需一个按钮“选择证书文件”。 当用户单击它时 - 他必须选择证书文件,该文件将用于授权。该文件必须是 存储在闪存驱动器等上。而不是存储在计算机硬盘驱动器上。
我读到了有关 cer/pfx 文件的信息,但没有了解有关此类模型的信息。
也许在.net中使用此类来实现这一点是不可能的,
System.Security.Cryptography.X509Certificates.X509Certificate
System.Security.Cryptography.X509Certificates.X509Certificate2
同时该站点将实现表单授权, 这样用户就可以选择如何授权。
更新: 我认为这些类不能用于该模型。你还能给我建议吗?
First of all I'm sorry for my bad english.
In past two days i read a lot, but didn't find out solution for my problem.
I need to implement such authorization:
User openning web page, special form appears. On this form just one button "Choose certificate file".
When user click it - he must choose certificate file, which will be used for authorization. This file must be
stored on a flash drive and etc. Not on a computers hard drive.
I read about cer/pfx files, but nothing about such model.
Maybe it's impossible to make this using this classes in .net
System.Security.Cryptography.X509Certificates.X509Certificate
System.Security.Cryptography.X509Certificates.X509Certificate2
At the same time forms authorization will be implemented on this site,
so user can choose how to authorize.
Update:
I think that these classes can't be used for this model. Can you advise me anything else?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
首先,您需要一个启用 SSL 的网页。您无法使用附带的开发 Web 服务器 (cassini) 来开发它。可以使用 IIS Express 或本地 IIS 实例来开发此类身份验证模型。 SSL 身份验证无法直接通过代码进行控制,而是取决于 IIS 网页文件夹设置。请查看本文。
至于 GUI 体验,证书通常存储在安全的证书存储中,并且无法从客户端页面/脚本内进行控制。当 Web 浏览器收到客户端证书协商请求的响应时,将显示浏览器/平台特定的对话框,其中显示所有兼容的客户端证书。在服务器端,您可以通过安装来自受信任证书颁发机构的适当根证书来控制客户端可以选择哪些证书。但是,您无法控制客户端可以进一步选择哪些证书(它们是存储在支持的智能卡上还是本地存储在硬盘驱动器上)。
更新
就您而言,我认为您想要的内容在网络浏览器中通过客户端验证的 HTTPS 会话是不可能的,因为您无法控制它管理其证书存储的方式。
但是,如果您开发了一个可以访问客户端 USB 驱动器上的便携式证书存储的插件,则这是可能的。 一个可以从页面的 javascript 访问的公共 API,原因如下:
平台/浏览器
启用 SSL 的网页中的信任模式
商店(参见)
您需要自己实现身份验证/握手部分,例如让小程序使用 XMLDSIG(可以包含歌手的公钥并在 .net 中受支持)签署 XML 文档/片段(也可以包含用户名和密码哈希)。成功验证签名的 XML 后,您可以将正常的身份验证 cookie 返回给客户端。
First of all you will need a SSL enabled web page. You can't develop it with the included development web server (cassini). It is possible to develop such an authentication model using IIS Express or a local IIS instance. SSL authentication cannot be controlled from your code directly and depends on IIS web page folder settings. Take a look at this article.
As for the GUI experience, certificates are normally stored in certificate stores, which are secure, and cannot be controlled from within client-side pages/scripts. When the web browser gets a response with a client certificate negotiation request a browser/platform specific dialog is displayed showing all compatible client certificates. On the server-side you can control which certificates are viable for the client to select by installing the appropriate root certificates from the trusted certificate authorities. However you cannot control what certificates (weather they are stored on a supported smart-card or are stored locally on the hard drive) are available to the client for selection any further.
UPDATE
In your case, I think what you want is not possible within a web browser over a client authenticated HTTPS session since you cannot control how it manages it's certificate store.
However it would be possible if you developed a plug-in that would access a portable certificate store on the client's USB drive. I think I would go with a JAVA applet running in background, and creating a public API that could be accessed from the page's javascript, for the following reasons:
platforms/browsers
trust mode in a SSL enabled web page
stores (see)
You would need to implement the authentication/handshake part yourself, say by having the applet sign an XML document/fragment (could also an addition containt username and password hash) using XMLDSIG (which can contain the singer's public key and is supported in .net). Upon successful validation of the signed XML you could then return a normal authentication cookie to the client.