RemoteCertificateValidationCallback 委托

定义

命名空间:

System.Net.Security

程序集:

System.Net.Security.dll

程序集:

System.dll

程序集:

netstandard.dll

验证用于身份验证的远程安全套接字层 (SSL) 证书。

public delegate bool RemoteCertificateValidationCallback(System::Object ^ sender, X509Certificate ^ certificate, X509Chain ^ chain, SslPolicyErrors sslPolicyErrors);

public delegate bool RemoteCertificateValidationCallback(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors);

public delegate bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors);

type RemoteCertificateValidationCallback = delegate of obj * X509Certificate * X509Chain * SslPolicyErrors -> bool

Public Delegate Function RemoteCertificateValidationCallback(sender As Object, certificate As X509Certificate, chain As X509Chain, sslPolicyErrors As SslPolicyErrors) As Boolean 

参数

sender

Object

一个对象，它包含此验证的状态信息。

certificate

X509Certificate

用于对远程方进行身份验证的证书。

chain

X509Chain

与远程证书关联的证书颁发机构链。

sslPolicyErrors

SslPolicyErrors

与远程证书关联的一个或多个错误。

返回值

Boolean

Boolean 值，它确定是否接受指定证书进行身份验证。

示例

下面的代码示例实现由类实例 RemoteCertificateValidationCallback 调用的方法。 如果存在验证错误，此方法将显示并返回 false，这可以防止与未经身份验证的服务器通信。

    // Load a table of errors that might cause 
    // the certificate authentication to fail.
    static void InitializeCertificateErrors()
    {
        certificateErrors->Add(0x800B0101,
            "The certification has expired.");
        certificateErrors->Add(0x800B0104,
            "A path length constraint "
            "in the certification chain has been violated.");
        certificateErrors->Add(0x800B0105,
            "A certificate contains an unknown extension "
            "that is marked critical.");
        certificateErrors->Add(0x800B0107,
            "A parent of a given certificate in fact "
            "did not issue that child certificate.");
        certificateErrors->Add(0x800B0108,
            "A certificate is missing or has an empty value "
            "for a necessary field.");
        certificateErrors->Add(0x800B0109,
            "The certificate root is not trusted.");
        certificateErrors->Add(0x800B010C,
            "The certificate has been revoked.");
        certificateErrors->Add(0x800B010F,
            "The name in the certificate does not not match "
            "the host name requested by the client.");
        certificateErrors->Add(0x800B0111,
            "The certificate was explicitly marked "
            "as untrusted by the user.");
        certificateErrors->Add(0x800B0112,
            "A certification chain processed correctly, "
            "but one of the CA certificates is not trusted.");
        certificateErrors->Add(0x800B0113,
            "The certificate has an invalid policy.");
        certificateErrors->Add(0x800B0114,
            "The certificate name is either not "
            "in the permitted list or is explicitly excluded.");
        certificateErrors->Add(0x80092012,
            "The revocation function was unable to check "
            "revocation for the certificate.");
        certificateErrors->Add(0x80090327,
            "An unknown error occurred while "
            "processing the certificate.");
        certificateErrors->Add(0x80096001,
            "A system-level error occurred "
            "while verifying trust.");
        certificateErrors->Add(0x80096002,
            "The certificate for the signer of the message "
            "is invalid or not found.");
        certificateErrors->Add(0x80096003,
            "One of the counter signatures was invalid.");
        certificateErrors->Add(0x80096004,
            "The signature of the certificate "
            "cannot be verified.");
        certificateErrors->Add(0x80096005,
            "The time stamp signature or certificate "
            "could not be verified or is malformed.");
        certificateErrors->Add(0x80096010,
            "The digital signature of the object "
            "was not verified.");
        certificateErrors->Add(0x80096019,
            "The basic constraint extension of a certificate "
            "has not been observed.");
    }

    static String^ CertificateErrorDescription(UInt32 problem)
    {
        // Initialize the error message dictionary 
        // if it is not yet available.
        if (certificateErrors->Count == 0)
        {
            InitializeCertificateErrors();
        }

        String^ description = safe_cast<String^>(
            certificateErrors[problem]);
        if (description == nullptr)
        {
            description = String::Format(
                CultureInfo::CurrentCulture,
                "Unknown certificate error - 0x{0:x8}",
                problem);
        }

        return description;
    }

public:
    // The following method is invoked 
    // by the CertificateValidationDelegate.
static bool ValidateServerCertificate(
        Object^ sender,
        X509Certificate^ certificate,
        X509Chain^ chain,
        SslPolicyErrors sslPolicyErrors)
    {
    
        Console::WriteLine("Validating the server certificate.");
        if (sslPolicyErrors == SslPolicyErrors::None)
            return true;

        Console::WriteLine("Certificate error: {0}", sslPolicyErrors);

        // Do not allow this client to communicate with unauthenticated servers.
        return false;
    }

// The following method is invoked by the RemoteCertificateValidationDelegate.
public static bool ValidateServerCertificate(
      object sender,
      X509Certificate certificate,
      X509Chain chain,
      SslPolicyErrors sslPolicyErrors)
{
   if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    Console.WriteLine("Certificate error: {0}", sslPolicyErrors);

    // Do not allow this client to communicate with unauthenticated servers.
    return false;
}

下面的代码示例使用前面的代码示例中定义的方法创建委托。

// Create a TCP/IP client socket.
// machineName is the host running the server application.
TcpClient^ client = gcnew TcpClient(machineName, 8080);
Console::WriteLine("Client connected.");
  
// Create an SSL stream that will close 
// the client's stream.
SslStream^ sslStream = gcnew SslStream(
    client->GetStream(), false,
    gcnew RemoteCertificateValidationCallback(ValidateServerCertificate),
    nullptr);
  
// The server name must match the name
// on the server certificate.
try
{
    sslStream->AuthenticateAsClient(serverName);
}
catch (AuthenticationException^ ex) 
{
    Console::WriteLine("Exception: {0}", ex->Message);
    if (ex->InnerException != nullptr)
    {
        Console::WriteLine("Inner exception: {0}", 
            ex->InnerException->Message);
    }

    Console::WriteLine("Authentication failed - "
        "closing the connection.");
    sslStream->Close();
    client->Close();
    return;
}

// Create a TCP/IP client socket.
// machineName is the host running the server application.
TcpClient client = new TcpClient(machineName,443);
Console.WriteLine("Client connected.");
// Create an SSL stream that will close the client's stream.
SslStream sslStream = new SslStream(
    client.GetStream(),
    false,
    new RemoteCertificateValidationCallback (ValidateServerCertificate),
    null
    );
// The server name must match the name on the server certificate.
try
{
    sslStream.AuthenticateAsClient(serverName);
}
catch (AuthenticationException e)
{
    Console.WriteLine("Exception: {0}", e.Message);
    if (e.InnerException != null)
    {
        Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
    }
    Console.WriteLine ("Authentication failed - closing the connection.");
    client.Close();
    return;
}

注解

委托的参数 sslPolicyErrors 包含 SSPI 在对客户端或服务器进行身份验证时返回的任何证书错误。 Boolean此委托调用的方法返回的值确定是否允许身份验证成功。

此委托与类一起使用 SslStream 。

扩展方法

GetMethodInfo(Delegate)

获取指示指定委托表示的方法的对象。

另请参阅

• LocalCertificateSelectionCallback