How to create custom CertificateHandler, which uses the base handler inside itself?

Question


In general, some users get this kind of error:

Webrequest fails with Curl error 60, when UnityWebRequest is created.

I would like to make my own CertificateHandler, which calls the base CertificateHandler inside itself (that is, the system first tries to resolve everything) and if it doesn't work out, then the additional logic of my handler comes into play.

I had an option to add my Handler after an error (that is, first we don't assign anything to the handler property), but I don't understand how to catch this particular error.

It seems to have no code, and there is only the text SSL CA certificate error. And it's probably not good to navigate only by text, since it changes from system to system ...

Answer 1

Score: 1


If you are implementing your custom certificate handler you can simply do e.g.

using UnityEngine.Networking;

public class MyCertificateHandler : CertificateHandler
{
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        // Let the base handler decide first; only fall back to our own logic if it rejects
        if (base.ValidateCertificate(certificateData)) return true;

        return YourOwnCheck();
    }

    // Placeholder for your own additional validation logic
    private bool YourOwnCheck() => false;
}

depending on whether you want to do your own or the default checks first.


Not sure right now but the CertificateHandler actually seems to simply implement

protected virtual bool ValidateCertificate(byte[] certificateData) => false;

... in that case you would actually need to use the normal system validation and e.g. go through X509Chain

using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

public class MyCertificateHandler : CertificateHandler
{
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        // Create an X509Certificate2 object from the received certificate data
        var certificate = new X509Certificate2(certificateData);

        // Use the system default certificate validation
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (chain.Build(certificate))
        {
            return true;
        }

        return YourOwnCheck();
    }

    // Placeholder for your own additional validation logic
    private bool YourOwnCheck() => false;
}

Note that those flags are basically a bit wider; you might of course want to use stricter ones to trigger your custom validation more often - depends on your exact needs.

See

  • X509RevocationMode

    This is mainly whether revocation (invalidation) of certs should be checked.

    The used X509RevocationMode.NoCheck is of course the less strict one. You would later rather use Online (use online cert lists) or Offline (use locally cached cert list).

  • X509RevocationFlag

    This specifies how the revocation should be checked, either only on this specific cert itself (EndCertificateOnly), the EntireChain or the entire chain except the root (ExceptRoot) to save some performance.

    The most strict would of course be EntireChain.

  • X509VerificationFlags

    This finally allows certain exceptions. For instance the used AllowUnknownCertificateAuthority allows custom signed certificates that are not signed by an officially known Root Cert Authority.

    The most strict here would be NoFlags indicating we don't want to ignore any rules.

In general, you as a developer usually know which URLs you are using the UnityWebRequest on, so usually it is enough to have a CertificateHandler check that specific target certificate.
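The following is an added example (not code from the answer above) that combines the two ideas in the answer: strict system chain validation first, then a fallback that accepts only the one pinned server certificate rather than any unknown CA. The class name `PinnedCertificateHandler`, the helper `IsPinnedCertificate` and the thumbprint constant are assumptions; the thumbprint is a placeholder to be replaced with the real server certificate's SHA-256 fingerprint.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example: strict chain validation, then a pin on the expected leaf certificate.
// Usage: request.certificateHandler = new PinnedCertificateHandler();
public sealed class PinnedCertificateHandler : CertificateHandler
{
    // PLACEHOLDER: replace with the SHA-256 fingerprint (hex, no separators) of your
    // server's leaf certificate, e.g. from: openssl x509 -in server.crt -noout -fingerprint -sha256
    private const string PinnedSha256Thumbprint = "REPLACE_WITH_64_HEX_CHARS";

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        X509Certificate2 certificate;
        try { certificate = new X509Certificate2(certificateData); }
        catch (CryptographicException) { return false; } // unparsable data is rejected outright

        // 1. Strict system validation: only officially trusted CAs, revocation checked on the whole chain.
        //    Online revocation needs network access and may be slow; use Offline if that is a problem.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlags;
            if (chain.Build(certificate)) return true;
        }

        // 2. Fallback for exactly one expected certificate (pinning), never "accept anything".
        return IsPinnedCertificate(certificate);
    }

    private static bool IsPinnedCertificate(X509Certificate2 certificate)
    {
        // Even a pinned certificate must be inside its validity period.
        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
            return false;

        // Compare the SHA-256 hash of the DER encoding against the pinned value.
        byte[] hash;
        using (var sha256 = SHA256.Create())
            hash = sha256.ComputeHash(certificate.RawData);
        string thumbprint = BitConverter.ToString(hash).Replace("-", string.Empty);
        return string.Equals(thumbprint, PinnedSha256Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Pinning the leaf certificate means the pin must be updated whenever the server certificate is renewed; pinning the public key or an intermediate CA instead trades some strictness for easier rotation.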

huangapple
  • Posted on 2023-07-13 19:43:56
  • Original link: https://go.coder-hub.com/76679010.html