在Azure API管理中,我试图能够验证从调用应用程序传入的证书,并将证书发送到后端。我也在尝试使用Azure Keyvault证书来做到这一点。我可以独立执行其中任一操作,但很难使它们一起工作。
[基本上,我想从Keyvault中获取证书,确保传入的证书匹配,然后还将相同的证书发送到后端以进行端到端证书验证。通过使用下面的入站策略,我可以从keyvault中获取证书并将其发送到我的后端。我也能够获得传入证书的缩图。
我遇到问题的地方是从密钥库获取的证书的base64字符串获取指纹。无论如何,我可以将证书字符串转换为证书对象吗?
<inbound>
<base />
<send-request mode="new" response-variable-name="keyVaultCertResponse" timeout="20" ignore-error="false">
<set-url>https://MYKEYVAULTNAME.vault.azure.net/secrets/CLIENTCERTTEST/?api-version=2016-10-01</set-url>
<set-method>GET</set-method>
<authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
<set-variable name="keyVaultCertBase64" value="@(((IResponse)context.Variables["keyVaultCertResponse"]).Body.As<JObject>()["value"].ToString())" />
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="No Client Certificate Provided to APIM" />
</return-response>
</when>
<when condition="@(context.Variables["keyVaultCertResponse"] != context.Request.Certificate.Thumbprint)">
<return-response>
<set-status code="403" reason="Client Certificate Presented to APIM is incorrect" />
</return-response>
</when>
</choose>
<authentication-certificate body="@(Convert.FromBase64String((string)context.Variables["keyVaultCertBase64"]))" />
</inbound>
在您的第二个when中,您正在比较keyVaultCertResponse(它是IResponse对象)与客户端证书的指纹。如果可以通过指纹比较它们,请尝试实例化X509Certificate2对象并从中获取指纹。像这样:
new X509Certificate2(Convert.FromBase64String((string)context.Variables["keyVaultBase64"])). Thumbprint == context.Request.Certiricate.Thumbprint