如何从安全令牌获取信息与C#
问题描述:
我需要使我的应用程序的用户可以用他们的个人USB安全令牌来签署他们的批准。如何从安全令牌获取信息与C#
我已经设法签署数据,但我还没有能够获得已使用过的谁的令牌信息。
这里是我到目前为止的代码:
CspParameters csp = new CspParameters(1, "SafeNet RSA CSP");
csp.Flags = CspProviderFlags.UseDefaultKeyContainer;
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);
// Create some data to sign.
byte[] data = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 };
Console.WriteLine("Data : " + BitConverter.ToString(data));
// Sign the data using the Smart Card CryptoGraphic Provider.
byte[] sig = rsa.SignData(data, "SHA1");
Console.WriteLine("Signature : " + BitConverter.ToString(sig));
有一个名为“令牌名称”令牌信息的字段。我如何访问该字段以验证该令牌是否已用于签署批准?
aditional的信息和更新:
- “令牌名”总是符合主人的姓名(谁拥有USB 令牌用户)
- 现在看来似乎不能做,也许有一个网络服务或 我需要调用才能从cert authority直接获取 的信息。
答
当我问这个问题时,我对数字证书的理解是非常基本的,所以这个问题没有得到妥善的解答。现在我明白我需要从智能卡设备访问证书,查询其属性并测试用户是否可以输入适当的PIN码。
这里是我用来做这样的代码:
//Prompt the user with the list of certificates on the local store.
//The user have to select the certificate he wants to use for signing.
//Note: All certificates form the USB device are automatically copied to the local store as soon the device is plugged in.
X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509CertificateCollection certificates = X509Certificate2UI.SelectFromCollection(store.Certificates,
"Certificados conocidos",
"Por favor seleccione el certificado con el cual desea firmar",
X509SelectionFlag.SingleSelection
);
store.Close();
X509Certificate2 certificate = null;
if (certificates.Count != 0)
{
//The selected certificate
certificate = (X509Certificate2)certificates[0];
}
else
{
//The user didn't select a certificate
return "El usuario canceló la selección de un certificado";
}
//Check certificate's atributes to identify the type of certificate (censored)
if (certificate.Issuer != "CN=............................., OU=................., O=..., C=US")
{
//The selected certificate is not of the needed type
return "El certificado seleccionado no corresponde a un token ...";
}
//Check if the certificate is issued to the current user
if (!certificate.Subject.ToUpper().Contains(("E=" + pUserADLogin + "@censoreddomain.com").ToUpper()))
{
return "El certificado seleccionado no corresponde al usuario actual";
}
//Check if the token is currently plugged in
XmlDocument xmlDoc = new XmlDocument();
XmlElement element = xmlDoc.CreateElement("Content", SignedXml.XmlDsigNamespaceUrl.ToString());
element.InnerText = "comodin";
xmlDoc.AppendChild(element);
SignedXml signedXml = new SignedXml();
try
{
signedXml.SigningKey = certificate.PrivateKey;
}
catch
{
//USB Token is not plugged in
return "El token no se encuentra conectado al equipo";
}
DataObject dataObject = new DataObject();
dataObject.Data = xmlDoc.ChildNodes;
dataObject.Id = "CONTENT";
signedXml.AddObject(dataObject);
Reference reference = new Reference();
reference.Uri = "#CONTENT";
signedXml.AddReference(reference);
//Attempt to sign the data. The user will be prompted to enter his PIN
try
{
signedXml.ComputeSignature();
}
catch
{
//User didn't enter the correct PIN
return "Hubo un error confirmando la identidad del usuario";
}
//The user has signed with the correct token
return String.Format("El usuario {0} ha firmado exitosamente usando el token con serial {1}", pUserADLogin, certificate.SerialNumber);
来源:
http://stormimon.developpez.com/dotnet/signature-electronique/(EN法语) https://www.simple-talk.com/content/print.aspx?article=1713(英文)
+0
有一个替代方法来获取令牌名称。您将不得不使用PKCS#11或CryptoAPI接口来检测哪个tokane已被插入。这与根据证书主题名称删除令牌名称的方法不同。 – Raj 2014-05-13 16:15:50
这也许是更多的安全问题.stachexchange.com? – MiMo 2013-02-28 14:37:06
看起来您需要提取[Modulus](http://msdn.microsoft.com/zh-cn/library/system.security.cryptography.rsaparameters.modulus.aspx)作为证书指纹,然后与所有可用证书的指纹数据库。可能类似['byte [] modulus = rsa.ExportParameters(false).Modulus;'](http://attercop.googlecode.com/svn-history/r8/trunk/AttercopClient/SettingsWindow.cs) – oleksii 2013-02-28 14:55:37
@oleksii I没有模数据库。我需要获取“令牌名称”并将其与当前AD用户名进行比较。谢谢你的评论。 – daniloquio 2013-02-28 15:02:42