Windows 2003，ASP，使用Request.ClientCertificate("Certificate")取得的证书全文不正确

如果你在Windows Server 2003 + SP1（IIS版本6.0）里面部署ASP，该ASP使用Request.ClientCertificate("Certificate")的方式来取得客户端证明书全文（并转换为BASE64字符串），那么很不幸的，你可能尽是取得一堆诸如下述的东西。

Pz8/Pz9BP34/Pz8/Pz9hPyA/uz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz+vPz8/Pz8/
Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/P7s/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/
Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz9jYQU/jT8/Pz8/
Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/OT8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/BT8/
Pz8/Pz8/Pz8/Pz8/Pz8/YUE/Pz8/Pz8/Pz8gPz8/Pz8/Pz8/Pz8/Pz+7Pz8/TGE/
Pz8/QT8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/P2E/rz8/Pz8/Pz8/Pz8/Pz8/Pz8/
Pz8/Pz8/Pz8/Pz8/Pz8/Kz8/Pz8/Pz8/Pz8/Pz8/Pys/Pz8/Pz8/Pz8/Pz8/Pz8/
Pz8/Pz8/Pz8/Pz8/Pz8/Yz8FP4E/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/
Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz/FPz8/Pz8/Pz8/Pz8/Pz8/

 

关于这个杯具可以参考这篇文章：

Dump client certificates from SSL to file?

http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-08/0147.html

 

该文章里面提到的使用方法来自：

How to Write a Client Authentication Certificate to a File in IIS 4.0

http://support.microsoft.com/default.aspx?scid=kb;en-us;216829

 

注意msdn里面的这篇文章是基于IIS4.0的！

 

经验证，在Windows 2000 Server + SP4（IIS版本5.0）上没有这样的问题，可以正常取得证明书全文，在Windows XP + SP2（IIS5.1）上则存在同样问题。简言之，猜测理解为，以IIS5.1为界，大于或等于5.1，有问题，小于则没问题。

 

后来的调查发现，很有可能，这是微软的BUG。。。

 

参考以下文章：

FIX: The contents of the Request.ClientCertificate("Certificate") field are incorrect when an .asp Web page is hosted on IIS 6.0

http://support.microsoft.com/kb/916833/en-us/

 

文章里面提到：

Consider the following scenario. You browse an .asp Web page that is hosted on Microsoft Internet Information Services (IIS) 5.0. You then use the same client and keyset to browse the same .asp Web page, but the Web page is hosted on IIS 6.0.

In this scenario, the contents of the Request.ClientCertificate("Certificate") field are incorrect when the page is hosted on IIS 6.0. For example, the last byte of the content is incorrect when you use a COM component to write the content to a certificate in ASN.1 format.

 

解决办法：

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge

 

详细请参考原文。。。

 

------------------------------------------------------------

后记（2010/10/14）：

实践表明，在Windows Server 2003上安装了SP2之后并不能解决这个问题。

现象依旧，如有兄弟姐妹遇到了，解决了的路过，还请不吝赐教，多谢。

 

------------------------------------------------------------

后后记（2010/12/08）：

实际上，我们可发现问题的根源在于从IIS6.0开始，Request.ClientCertificate所返回的内容已经统一使用Unicode编码，也就是说，尽管“Certificate”这个项是二进制内容（非文本），MS还是将之转换到Unicode了。真不知道MS怎么想的。

 

MSDN原文是这样说的：

http://msdn.microsoft.com/en-us/library/ms524668%28VS.90%29.aspx

Note:

Beginning with IIS 6.0, IIS is built in unicode in order to provide improved support for international applications. This can affect features like Request.ClientCertificate Collection . If you are porting code from an older version of IIS, use custom COM object to convert the public key to ANSI in a return parameter that ASP can then display. For more information about creating COM objects for ASP pages, see Creating COM Components for ASP .

 

※不过这段内容不能说明为什么IIS5.1上也存在同样故障现象。

 

★要解决这个问题有两种方法，一是在安装了SP2的基础上，修改注册表：

以下为摘要内容，详情请参考：http://support.microsoft.com/kb/886810

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start , click Run , type regedit in the Open box, and then click OK .
2. Locate and then right-click the following registry key:
   HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/ASP/Parameters
   Note If the Parameters key is not found, you must create it.
3. Click New , and then click DWORD Value .
4. Type DisableCertificateBlobAsArray , and then press ENTER.
5. Right-click DisableCertificateBlobAsArray, and then click Modify .
6. Type 1 in the Value data box, and then click OK .
   
   Note If you assign a value of 1 to the DisableCertificateBlobAsArray registry entry, the same behavior occurs in IIS 6.0 and in IIS 5.0. If you assign a null value (0) to the DisableCertificateBlobAsArray registry entry, IIS 6.0 works as if the hotfix is not applied, and the problem may occur again.
7. Close Registry Editor.
8. Restart the World Wide Publishing service. To do this, follow these steps:
   1. Click Start , point to Programs , point to Administrative Tools , and then click Services .
   2. Right-click World Wide Web Publishing Service , and then click Restart .

 

二是逆向操作，把已经被转换到Unicode的Certificate内容转回ANSI，这个可以利用ADODB.Stream的功能，写一个小函数自行转换即可。至于到底选择方法一还是方法二，嗯，见仁见智各取所需吧。