通过X509证书携带的信息验证身份 #812

887c1116 · 麦壳饼 · f343eeef · 887c1116 · 887c1116 · 887c1116
4 changed file
--- a/IoTSharp/Extensions/MqttExtension.cs
+++ b/IoTSharp/Extensions/MqttExtension.cs
@@ -19,6 +19,8 @@ using MQTTnet.AspNetCore.Routing;
 using IoTSharp.Data;
 using Newtonsoft.Json.Linq;
 using IoTSharp.Contracts;
+using System.Net.Security;
+using System.Runtime.ConstrainedExecution;

 namespace IoTSharp
 {
@@ -40,13 +42,45 @@ namespace IoTSharp
                    if (broker.CACertificate!=null)
                    {
                        broker.CACertificate.LoadCAToRoot();
+                   
                    }
                    options.WithEncryptedEndpoint();
                    options.WithEncryptedEndpointPort(broker.TlsPort);
                    if (broker.BrokerCertificate!=null)
                    {
-                        options.WithEncryptionCertificate(broker.BrokerCertificate.Export(X509ContentType.Pfx)).WithEncryptionSslProtocol(broker.SslProtocol);
+                        options.WithEncryptionCertificate(broker.CACertificate.Export(X509ContentType.Pfx)).WithEncryptionSslProtocol(broker.SslProtocol);
                    }
+                    options.WithClientCertificate((object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors) =>
+                    {
+                        bool result = false;
+                        try
+                        {
+                       //如果CA跟证书是受信任， 这里就是None。
+                            if (sslPolicyErrors == SslPolicyErrors.None)
+                            {
+                                result= true;
+                            }
+                            else if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors 
+                                && chain.ChainStatus.Count()==1 &&  chain.ChainStatus.First().Status==X509ChainStatusFlags.UntrustedRoot)
+                            {
+                                //如果有是远程证书链有问题， 并且只有 UntrustedRoot 时，内部开始验证客户端是不是由本机CA证书颁发的
+                                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+                                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
+                                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                                chain.ChainPolicy.CustomTrustStore.Add(broker.CACertificate);
+                                if (chain.Build((X509Certificate2)certificate))//如果是本CA办法， 则能构建成功， 如果是其他CA办法，则失败。 
+                                {
+                                    //确认跟证书在当前
+                                    result = chain.ChainElements.Cast<X509ChainElement>().Any(a => a.Certificate.Thumbprint == broker.CACertificate.Thumbprint);
+                                }
+                            }
+                        }
+                        catch { }
+
+                        return result;
+                    });
+
+
                }
                else
                {

--- a/IoTSharp/IoTSharp.csproj
+++ b/IoTSharp/IoTSharp.csproj
@@ -236,6 +236,7 @@
 		<ProjectReference Include="..\IoTSharp.EventBus\IoTSharp.EventBus.csproj" />
 		<ProjectReference Include="..\IoTSharp.Extensions.AspNetCore\IoTSharp.Extensions.AspNetCore.csproj" />
 		<ProjectReference Include="..\IoTSharp.Extensions.EFCore\IoTSharp.Extensions.EFCore.csproj" />
+		<ProjectReference Include="..\IoTSharp.Extensions.X509\IoTSharp.Extensions.X509.csproj" />
 		<ProjectReference Include="..\IoTSharp.Extensions\IoTSharp.Extensions.csproj" />
 		<ProjectReference Include="..\IoTSharp.Interpreter\IoTSharp.Interpreter.csproj" />
 		<ProjectReference Include="..\IoTSharp.TaskActions\IoTSharp.TaskActions.csproj" />

--- a/IoTSharp/Services/MQTTService.cs
+++ b/IoTSharp/Services/MQTTService.cs
@@ -167,10 +167,17 @@ namespace IoTSharp.Services
                    }
                    else
                    {
-                        _logger.LogInformation($"ClientId={obj.ClientId},Endpoint={obj.Endpoint},Username={obj.UserName}，Password={obj.Password}");
+                        string _thumbprint = string.Empty ;
+                        if (_settings.MqttBroker.EnableTls)
+                        {
+                            _thumbprint = e.ClientCertificate?.Thumbprint;
+                        }
+                            _logger.LogInformation($"ClientId={obj.ClientId},Endpoint={obj.Endpoint},Username={obj.UserName}，Password={obj.Password}");
                        var mcr = _dbContextcv.DeviceIdentities.Include(d => d.Device).AsSplitQuery().FirstOrDefault(mc =>
-                                              mc.IdentityType == IdentityType.AccessToken && mc.IdentityId == obj.UserName ||
-                                              mc.IdentityType == IdentityType.DevicePassword && mc.IdentityId == obj.UserName && mc.IdentityValue == obj.Password);
+                                              (mc.IdentityType == IdentityType.AccessToken && mc.IdentityId == obj.UserName) ||
+                                             ( mc.IdentityType == IdentityType.X509Certificate &&  mc.IdentityId == _thumbprint ) ||
+                                             ( mc.IdentityType == IdentityType.DevicePassword && mc.IdentityId == obj.UserName && mc.IdentityValue == obj.Password)
+                                             );
                        if (mcr != null)
                        {
                            try

--- a/IoTSharp/appsettings.PostgreSql.json
+++ b/IoTSharp/appsettings.PostgreSql.json
@@ -12,8 +12,8 @@
    "TelemetryStorage": "Server=localhost;Database=IoTSharp20222;Username=postgres;Password=future;"
  },
  "MqttBroker": {
-    "EnableTls": true,
-    "SslProtocol": 12288
+    "EnableTls": true
+ 
  },
  "JwtKey": "iotsharpiotsharpiotsharpiotsharpiotsharp",
  "JwtExpireHours": 3,