Oläst 2016-03-03, 09:01 #30
RickardP RickardP är inte uppkopplad
Citat:
Ursprungligen postat av jackjson Visa inlägg
Digrad affärssystem bjuder på en lösning

Kod:
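/// <summary>
/// Builds a POST request (JSON body) for the Swish API that authenticates with the client
/// certificate loaded from <paramref name="clientCertPath"/> and accepts the server only when its
/// certificate chain ends in the same root CA as the client certificate.
/// </summary>
/// <param name="url">Absolute https:// endpoint to call.</param>
/// <param name="clientCertPath">Path to the client certificate file (presumably a PKCS#12 bundle that also carries the CA chain).</param>
/// <param name="clientCertPass">Password for the certificate file; <c>null</c> is treated as an empty password.</param>
/// <returns>A configured, not yet sent, <see cref="HttpWebRequest"/>.</returns>
/// <exception cref="ArgumentException"><paramref name="url"/> is not an absolute https:// URL.</exception>
private HttpWebRequest CreateSwishRequest(String url, String clientCertPath, String clientCertPass)
{
    // A client certificate and payment data must never travel over plain http, and a non-http(s)
    // URL used to surface as a NullReferenceException after the "as HttpWebRequest" cast.
    Uri endpoint;
    if (!Uri.TryCreate(url, UriKind.Absolute, out endpoint) || endpoint.Scheme != Uri.UriSchemeHttps)
        throw new ArgumentException("url must be an absolute https:// URL", nameof(url));

    //Basic set up
    // NOTE(review): both ServicePointManager settings are process-wide, so every other outgoing
    // HTTPS call in this process also loses revocation checking and is pinned to TLS 1.1.
    // TLS 1.1 is deprecated; re-test against the endpoint and move to Tls12 as soon as it connects.
    ServicePointManager.CheckCertificateRevocationList = false;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11; //Tls12 does not work

    //Load client certificates
    // NOTE(review): PersistKeySet leaves the private key in the key store after this call and
    // Exportable allows it to be exported again. Confirm both flags are really required; without
    // them the key stays tied to the lifetime of the certificate object.
    var clientCerts = new X509Certificate2Collection();
    clientCerts.Import(clientCertPath, clientCertPass ?? "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

    //Assert CA certs in cert store, and get root CA
    var rootCertificate = AssertCertsInStore(clientCerts);

    var req = (HttpWebRequest)WebRequest.Create(endpoint);
    req.ClientCertificates = clientCerts;
    req.Method = "POST";
    req.ContentType = "application/json; charset=UTF-8";
    req.AllowAutoRedirect = false;

    //Verify server root CA by comparing to client cert root CA
    req.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => {
        // Only chain errors may be tolerated (the private root is not a machine trust anchor).
        // A host name mismatch or a missing server certificate is always a failure.
        const System.Net.Security.SslPolicyErrors tolerated = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors;
        if ((sslPolicyErrors & ~tolerated) != System.Net.Security.SslPolicyErrors.None)
            return false;
        if (rootCertificate == null || chain == null)
            return false;

        // UntrustedRoot is the one expected chain status; expired certificates, bad signatures,
        // partial chains and so on must still fail the handshake.
        if (chain.ChainStatus.Any(s => (s.Status & ~X509ChainStatusFlags.UntrustedRoot) != X509ChainStatusFlags.NoError))
            return false;

        var chainRootCa = chain.ChainElements.OfType<X509ChainElement>().LastOrDefault()?.Certificate;
        if (chainRootCa == null)
            return false;

        // X509Certificate.Equals only compares issuer name and serial number, which is not enough
        // for a pin. Compare the full encoded certificates instead.
        return rootCertificate.RawData.SequenceEqual(chainRootCa.RawData); //Same root CA as client cert
    };

    return req;
}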

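/// <summary>
/// Builds the chain for the certificate in <paramref name="certs"/> that has a private key, makes
/// sure every CA certificate of that chain is present in the current user's intermediate CA store,
/// and returns the last CA certificate of the chain.
/// </summary>
/// <param name="certs">Certificates loaded from the client certificate file: one with a private key plus its CA certificates.</param>
/// <returns>
/// The last CA certificate in the built chain (the root CA when the chain is complete), or
/// <c>null</c> when no certificate has a private key or the chain contains no CA certificate.
/// </returns>
/// <remarks>
/// This writes to the certificate store as a persistent side effect: the contents of the
/// certificate file decide what is added, so load that file only from a trusted location.
/// The certificates go into the intermediate CA store, not the trusted root store.
/// </remarks>
private X509Certificate2 AssertCertsInStore(X509Certificate2Collection certs)
{
    //Create typed array
    var certArr = certs.OfType<X509Certificate2>().ToArray();
    //Build certificate chain
    var chain = new X509Chain();
    chain.ChainPolicy.ExtraStore.AddRange(certArr.Where(o => !o.HasPrivateKey).ToArray());
    var privateCert = certArr.FirstOrDefault(o => o.HasPrivateKey);
    if (privateCert == null)
        return null;
    // The result of Build is ignored on purpose: only the chain elements are needed here, and
    // the build presumably reports failure while the root CA is not a trusted root on this machine.
    chain.Build(privateCert);
    //Get CA certs (ToArray never returns null, so only the empty case needs handling)
    var caCerts = chain.ChainElements.OfType<X509ChainElement>().Where(o => !o.Certificate.HasPrivateKey).Select(o => o.Certificate).ToArray();
    if (caCerts.Length == 0)
        return null;
    //Assert CA certs in intermediate CA store
    var intermediateStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser);
    intermediateStore.Open(OpenFlags.ReadWrite);
    try
    {
        foreach (var ca in caCerts)
        {
            if (!intermediateStore.Certificates.Contains(ca))
                intermediateStore.Add(ca);
        }
    }
    finally
    {
        // Release the store handle even when Add throws (for example on access denied).
        intermediateStore.Close();
    }
    //Return last CA in chain (root CA)
    // NOTE(review): if the chain could not be completed, this is an intermediate CA, not the root.
    return caCerts[caCerts.Length - 1];
}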
Tackar, hade fått det att lira genom att installera root certifikatet på servern men detta kommer ju hjälpa så man slipper den biten.