1. 首頁
  2. 問答
  3. 如何將存儲在HSM中的私鑰轉換爲C#中的SignedXml.SigningKey?

如何將存儲在HSM中的私鑰轉換爲C#中的SignedXml.SigningKey?

2017-09-27 94 views
2

我試圖通過存儲在HSM中的證書實現一些XML簽名演示。如何將存儲在HSM中的私鑰轉換爲C#中的SignedXml.SigningKey?

我發現了一些有趣的例子,從這個鏈接: Sign XML Document with X509Certificate2並修改爲使用與PKCS11Interop包裝的HSM內的證書和密鑰。

但任何人都可以給我一個建議或例子轉換對象句柄專用密鑰由HSM到SignedXML.SigningKey

private static void SignXmlWithCertificate(XmlDocument xmlDoc, X509Certificate2 cert, Session session, String alias) 
     { 
      SignedXml signedXml = new SignedXml(xmlDoc); 

      List<ObjectAttribute> template = new List<ObjectAttribute>(); 
      template.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY)); 
      template.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA)); 
      template.Add(new ObjectAttribute(CKA.CKA_LABEL, alias)); 
      List<ObjectHandle> foundObjects = session.FindAllObjects(template); 
      ObjectHandle privateKey = foundObjects[0]; 

      signedXml.SigningKey = privateKey; //Here is where I stuck.

在這個例子從上面的外部鏈接。他們使用結合了私鑰的證書。然後他們可以像這樣使用。

signedXml.SigningKey = cert.PrivateKey;

但是,我使用的證書都沒有的內容裏面私鑰。請給我一些建議。

來源

2017-09-27 ktikar

回答

0

您需要實現繼承自System.Security.Cryptography.RSA類的自定義類,在其實現中使用Pkcs11Interop,然後使用您的自定義類的實例作爲SigningKey

您可以自己實現它,或者你可以使用Pkcs11Interop.X509Store庫,它提供了易於使用的PKCS#11基於X.509證書存儲區,包含從System.Security.Cryptography.RSA類繼承Pkcs11RsaProvider類。還有一個code sample可用,它演示了SignedXml類的用法。

來源

2017-09-27 06:17:18 jariq

+0

嗨Jariq, 你的意思是我需要創建一個所有屬性和方法,如RSA類權的新的繼承類?我可以在哪裏放置私鑰?你能否引導我更多或給一些簡單的示例代碼。 – ktikar

+0

@ktikar是的,您需要創建繼承類 - 最重要的部分是重寫'SignHash'方法並使用Pkcs11Interop實現它。我計劃發佈具有這種實現的獨立庫,但我目前正忙於其他付費項目。 – jariq

+0

謝謝你的建議。我會試試看。 – ktikar

1

您需要實現從System.Security.Cryptography.Xml.SignedXml繼承這樣

public class CustomSignedXml: SignedXml 
    { 
    public CustomSignedXml(XmlDocument xmlDoc):base(xmlDoc) 
    { 
    } 
    internal void ComputeSignature(ISignerProvider signerProvider) 
    { 
     var methodInfo = typeof (SignedXml).GetMethod("BuildDigestedReferences", 
      BindingFlags.Instance | BindingFlags.NonPublic); 
     methodInfo.Invoke(this, null); 
     SignedInfo.SignatureMethod = XmlDsigRSASHA1Url; 
     // See if there is a signature description class defined in the Config file 
     SignatureDescription signatureDescription = 
      CryptoConfig.CreateFromName(SignedInfo.SignatureMethod) as SignatureDescription; 
     if (signatureDescription == null) 
      throw new CryptographicException("Cryptography_Xml_SignatureDescriptionNotCreated"); 

     var hashAlg = signatureDescription.CreateDigest(); 
     if (hashAlg == null) 
      throw new CryptographicException("Cryptography_Xml_CreateHashAlgorithmFailed"); 
     var methodInfo2 = typeof (SignedXml).GetMethod("GetC14NDigest", BindingFlags.Instance | BindingFlags.NonPublic); 
     var hashvalue = (byte[]) methodInfo2.Invoke(this, new object[] {hashAlg}); 

     m_signature.SignatureValue = signerProvider.Sign(hashvalue); 
    } 
}

定製類,然後你需要這樣的

public interface ISignerProvider 
{ 
    byte[] Sign(byte[] data); 
}

創建界面,然後通過Pkcs11Interop實現像這樣

public class Pkcs11SignerProvider : ISignerProvider 
{ 
    private string _thumbprint; 
    public string DllPath { get; set; } 
    public string TokenSerial { get; set; } 
    public string TokenPin { get; set; } 
    public string PrivateKeyLabel { get; set; } 

    public Pkcs11SignerProvider(string dllPath, string tokenSerial, string tokenPin, string privateKeyLabel) 
    { 
     DllPath = dllPath; 
     TokenSerial = tokenSerial; 
     TokenPin = tokenPin; 
     PrivateKeyLabel = privateKeyLabel; 
    } 

    public byte[] Sign(byte[] data) 
    { 
     using (var pkcs11 = new Pkcs11(DllPath, AppType.SingleThreaded)) 
     { 

      var slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent); 
      var slot = slots.FirstOrDefault(slot1 => slot1.GetTokenInfo().SerialNumber == TokenSerial); 
      if (slot == null) 
       throw new Exception("there is no token with serial " + TokenSerial); 
      using (var session = slot.OpenSession(SessionType.ReadOnly)) 
      { 
       session.Login(CKU.CKU_USER, TokenPin); 

       var searchTemplate = new List<ObjectAttribute> 
       { 
        new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY), 
        new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA) 
       }; 
       if (!string.IsNullOrEmpty(PrivateKeyLabel)) 
        searchTemplate.Add(new ObjectAttribute(CKA.CKA_LABEL, PrivateKeyLabel)); 

       var foundObjects = session.FindAllObjects(searchTemplate); 
       var privateKey = foundObjects.FirstOrDefault(); 

       using (var mechanism = new Mechanism(CKM.CKM_RSA_PKCS)) 
       { 
        return session.Sign(mechanism, privateKey, data); 
       } 

      } 

     } 
    } 

}

然後調用這個方法來簽名xml

public static void Sign(XmlDocument xmlDoc, ISignerProvider signerProvider) 
    { 
     if (xmlDoc == null) 
      throw new ArgumentException("xmlDoc"); 
     if (xmlDoc.DocumentElement == null) 
      throw new ArgumentException("xmlDoc.DocumentElement"); 
     var signedXml = new CustomSignedXml(xmlDoc); 
     var reference = new Reference { Uri = "" }; 
     var env = new XmlDsigEnvelopedSignatureTransform(); 
     reference.AddTransform(env); 
     signedXml.AddReference(reference); 
     signedXml.ComputeSignature(signerProvider); 
     var xmlDigitalSignature = signedXml.GetXml(); 
     xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true)); 
    }

和驗證碼驗證

 public static bool Verify(XmlDocument document, X509Certificate2 certificate) 
    { 
     // Check arguments. 
     if (document == null) 
      throw new ArgumentException("Doc"); 
     if (certificate == null) 
      throw new ArgumentException("Key"); 

     // Create a new SignedXml object and pass it 
     // the XML document class. 
     var signedXml = new SignedXml(document); 

     // Find the "Signature" node and create a new 
     // XmlNodeList object. 
     var nodeList = document.GetElementsByTagName("Signature"); 

     // Throw an exception if no signature was found. 
     if (nodeList.Count <= 0) 
     { 
      throw new CryptographicException("Verification failed: No Signature was found in the document."); 
     } 

     // This example only supports one signature for 
     // the entire XML document. Throw an exception 
     // if more than one signature was found. 
     if (nodeList.Count >= 2) 
     { 
      throw new CryptographicException("Verification failed: More that one signature was found for the document."); 
     } 

     // Load the first <signature> node. 
     signedXml.LoadXml((XmlElement)nodeList[0]); 

     return signedXml.CheckSignature(certificate, true); 
    }

來源

2017-10-17 11:57:40 Gholamreza

+0

嗨Gholamreza, 我真的很感激你的幫助。我會試試看。 – ktikar

相關問題

 相關問題