您需要實現從System.Security.Cryptography.Xml.SignedXml繼承這樣
public class CustomSignedXml: SignedXml
{
public CustomSignedXml(XmlDocument xmlDoc):base(xmlDoc)
{
}
internal void ComputeSignature(ISignerProvider signerProvider)
{
var methodInfo = typeof (SignedXml).GetMethod("BuildDigestedReferences",
BindingFlags.Instance | BindingFlags.NonPublic);
methodInfo.Invoke(this, null);
SignedInfo.SignatureMethod = XmlDsigRSASHA1Url;
// See if there is a signature description class defined in the Config file
SignatureDescription signatureDescription =
CryptoConfig.CreateFromName(SignedInfo.SignatureMethod) as SignatureDescription;
if (signatureDescription == null)
throw new CryptographicException("Cryptography_Xml_SignatureDescriptionNotCreated");
var hashAlg = signatureDescription.CreateDigest();
if (hashAlg == null)
throw new CryptographicException("Cryptography_Xml_CreateHashAlgorithmFailed");
var methodInfo2 = typeof (SignedXml).GetMethod("GetC14NDigest", BindingFlags.Instance | BindingFlags.NonPublic);
var hashvalue = (byte[]) methodInfo2.Invoke(this, new object[] {hashAlg});
m_signature.SignatureValue = signerProvider.Sign(hashvalue);
}
}
定製類,然後你需要這樣的
public interface ISignerProvider
{
byte[] Sign(byte[] data);
}
創建界面,然後通過Pkcs11Interop實現像這樣
public class Pkcs11SignerProvider : ISignerProvider
{
private string _thumbprint;
public string DllPath { get; set; }
public string TokenSerial { get; set; }
public string TokenPin { get; set; }
public string PrivateKeyLabel { get; set; }
public Pkcs11SignerProvider(string dllPath, string tokenSerial, string tokenPin, string privateKeyLabel)
{
DllPath = dllPath;
TokenSerial = tokenSerial;
TokenPin = tokenPin;
PrivateKeyLabel = privateKeyLabel;
}
public byte[] Sign(byte[] data)
{
using (var pkcs11 = new Pkcs11(DllPath, AppType.SingleThreaded))
{
var slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
var slot = slots.FirstOrDefault(slot1 => slot1.GetTokenInfo().SerialNumber == TokenSerial);
if (slot == null)
throw new Exception("there is no token with serial " + TokenSerial);
using (var session = slot.OpenSession(SessionType.ReadOnly))
{
session.Login(CKU.CKU_USER, TokenPin);
var searchTemplate = new List<ObjectAttribute>
{
new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA)
};
if (!string.IsNullOrEmpty(PrivateKeyLabel))
searchTemplate.Add(new ObjectAttribute(CKA.CKA_LABEL, PrivateKeyLabel));
var foundObjects = session.FindAllObjects(searchTemplate);
var privateKey = foundObjects.FirstOrDefault();
using (var mechanism = new Mechanism(CKM.CKM_RSA_PKCS))
{
return session.Sign(mechanism, privateKey, data);
}
}
}
}
}
然後調用這個方法來簽名xml
public static void Sign(XmlDocument xmlDoc, ISignerProvider signerProvider)
{
if (xmlDoc == null)
throw new ArgumentException("xmlDoc");
if (xmlDoc.DocumentElement == null)
throw new ArgumentException("xmlDoc.DocumentElement");
var signedXml = new CustomSignedXml(xmlDoc);
var reference = new Reference { Uri = "" };
var env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
signedXml.AddReference(reference);
signedXml.ComputeSignature(signerProvider);
var xmlDigitalSignature = signedXml.GetXml();
xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));
}
和驗證碼驗證
public static bool Verify(XmlDocument document, X509Certificate2 certificate)
{
// Check arguments.
if (document == null)
throw new ArgumentException("Doc");
if (certificate == null)
throw new ArgumentException("Key");
// Create a new SignedXml object and pass it
// the XML document class.
var signedXml = new SignedXml(document);
// Find the "Signature" node and create a new
// XmlNodeList object.
var nodeList = document.GetElementsByTagName("Signature");
// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// This example only supports one signature for
// the entire XML document. Throw an exception
// if more than one signature was found.
if (nodeList.Count >= 2)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// Load the first <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
return signedXml.CheckSignature(certificate, true);
}
嗨Jariq, 你的意思是我需要創建一個所有屬性和方法,如RSA類權的新的繼承類?我可以在哪裏放置私鑰?你能否引導我更多或給一些簡單的示例代碼。 – ktikar
@ktikar是的,您需要創建繼承類 - 最重要的部分是重寫'SignHash'方法並使用Pkcs11Interop實現它。我計劃發佈具有這種實現的獨立庫,但我目前正忙於其他付費項目。 – jariq
謝謝你的建議。我會試試看。 – ktikar