How to create custom CertificateHandler, which uses the base handler inside itself?
Question
In general, some users get this kind of error: "Webrequest fails with Curl error 60", when a UnityWebRequest is created.
I would like to make my own CertificateHandler, which calls the base CertificateHandler inside itself (that is, the system first tries to resolve everything), and if it doesn't work out, then the additional logic of my handler comes into play.
I had an option to add my Handler after an error (that is, first we don't assign anything to the handler property), but I don't understand how to catch this particular error.
It seems to have no code, and there is only the text "SSL CA certificate error". And it's probably not good to navigate only by text, since it changes from system to system...
Answer 1
Score: 1
If you are implementing your custom certificate handler you can simply do e.g.

```csharp
using UnityEngine.Networking;

public class MyCertificateHandler : CertificateHandler
{
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        // Let the base implementation have the first say...
        if (base.ValidateCertificate(certificateData)) return true;
        // ...and fall back to your own logic (YourOwnCheck is a placeholder for it)
        return YourOwnCheck();
    }
}
```

depending on whether you want to do your own or the default checks first.
Not sure right now, but CertificateHandler actually seems to simply implement

```csharp
protected virtual bool ValidateCertificate(byte[] certificateData) => false;
```

... in that case you would actually need to use the normal system validation and e.g. go through X509Chain:
```csharp
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

public class MyCertificateHandler : CertificateHandler
{
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        // Create an X509Certificate2 object from the received certificate data
        using (var certificate = new X509Certificate2(certificateData))
        // Use the system default certificate validation
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (chain.Build(certificate))
            {
                return true;
            }
            // Placeholder for your own fallback logic
            return YourOwnCheck();
        }
    }
}
```
Note that those flags are basically a bit wider; you might of course want to use stricter ones to trigger your custom validation more often. It depends on your exact needs.
See:
- X509RevocationMode: This is mainly whether revocation (invalidation) of certs should be checked. The used X509RevocationMode.NoCheck is of course the less strict one. You would later rather use Online (use online cert lists) or Offline (use locally cached cert list).
- X509RevocationFlag: This specifies how the revocation should be checked, either only on this specific cert itself (EndCertificateOnly), the EntireChain, or the entire chain except the root (ExcludeRoot) to save some performance. The most strict would of course be EntireChain.
- X509VerificationFlags: This finally allows certain exceptions. For instance the used AllowUnknownCertificateAuthority allows custom signed certificates that are not signed by an officially known Root Cert Authority. The most strict here would be NoFlags, indicating we don't want to ignore any rules.
In general, usually you as a developer know which URLs you are using the UnityWebRequest on, so usually it is enough to have a CertificateHandler check that specific target certificate.