[RickardP]

Citat:

Ursprungligen postat av jackjson

Digrad affärssystem bjuder på en lösning

Kod:

private HttpWebRequest CreateSwishRequest(String url, String clientCertPath, String clientCertPass)
{
    //Basic set up
    ServicePointManager.CheckCertificateRevocationList = false;
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11; //Tls12 does not work

    //Load client certificates
    var clientCerts = new X509Certificate2Collection();
    clientCerts.Import(clientCertPath, clientCertPass ?? "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

    //Assert CA certs in cert store, and get root CA
    var rootCertificate = AssertCertsInStore(clientCerts);

    var req = HttpWebRequest.Create(url) as HttpWebRequest;
    req.ClientCertificates = clientCerts;
    req.Method = "POST";
    req.ContentType = "application/json; charset=UTF-8";
    req.AllowAutoRedirect = false;
            
    //Verify server root CA by comparing to client cert root CA
    req.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => {
        var chainRootCa = chain?.ChainElements?.OfType<X509ChainElement>().LastOrDefault()?.Certificate;
        if (rootCertificate == null || chainRootCa == null)
            return false;
        return rootCertificate.Equals(chainRootCa); //Same root CA as client cert
    };

    return req;
}

private X509Certificate2 AssertCertsInStore(X509Certificate2Collection certs)
{
    //Create typed array
    var certArr = certs.OfType<X509Certificate2>().ToArray();
    //Build certificate chain
    var chain = new X509Chain();
    chain.ChainPolicy.ExtraStore.AddRange(certArr.Where(o => !o.HasPrivateKey).ToArray());
    var privateCert = certArr.FirstOrDefault(o => o.HasPrivateKey);
    if (privateCert == null)
        return null;
    var result = chain.Build(privateCert);
    //Get CA certs
    var caCerts = chain.ChainElements.OfType<X509ChainElement>().Where(o => !o.Certificate.HasPrivateKey).Select(o => o.Certificate).ToArray();
    if (caCerts == null || caCerts.Length == 0)
        return null;
    //Assert CA certs in intermediate CA store
    var intermediateStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser);
    intermediateStore.Open(OpenFlags.ReadWrite);
    foreach (var ca in caCerts)
    {
        if (!intermediateStore.Certificates.Contains(ca))
            intermediateStore.Add(ca);
    }
    intermediateStore.Close();
    //Return last CA in chain (root CA)
    return caCerts.LastOrDefault();
}

Tackar, hade fått det att lira genom att installera root certifikatet på servern men detta kommer ju hjälpa så man slipper den biten.