使用软件分发RSA公钥的最简单方法是什么?
[英]What's the simplest way to distribute an RSA public key with software?
问题描述
I'm working on some software that exchanges XML documents with a server. 
我正在研究一些与服务器交换XML文档的软件。 The server signs the XML using XMLDSIG and the client should verify the signature before trusting the XML. 服务器使用XMLDSIG对XML进行签名,客户端应在信任XML之前验证签名。 I'm using RSACryptoServiceProvider to do this. 我正在使用RSACryptoServiceProvider来执行此操作。 The XML is signed, but not encrypted. XML已签名,但未加密。
I'm following the basic procedure explained in: 我正在遵循以下基本程序:
How to Sign XML Documents with Digital Signatures 如何使用数字签名签署XML文档
How to Verify the Digital Signatures of XML Documents 如何验证XML文档的数字签名
This requires that the client software has the public key available. 这要求客户端软件具有可用的公钥。 I want the distribution of the client software to be as simple as possible and I don't want the client to have to deal with certificates. 我希望客户端软件的分发尽可能简单,我不希望客户端必须处理证书。 The pair of documents referenced above conveniently skirt around the subject of distributing the public key, simply stating that the user "needs to have the same key". 上面引用的这对文档方便地围绕分发公钥的主题,简单地说明用户“需要具有相同的密钥”。 I don't particularly want the end user to even be aware that they have a public key, so asking them to mess around with certificates is out of the question. 我并不特别希望最终用户甚至意识到他们有公钥,所以要求他们搞乱证书是不可能的。 Since the public key is public, what I would like to do is somehow embed it within the client software. 由于公钥是公开的,我想要做的是以某种方式将其嵌入客户端软件中。 As I see it, my options are: 在我看来,我的选择是:
- Install the public key during the setup process 在安装过程中安装公钥
- Somehow embed the public key into the software itself, possibly within the App.config file 以某种方式将公钥嵌入到软件本身中,可能在App.config文件中
Is this feasible in practice? 这在实践中是否可行? What is the simplest way of achieving this that doesn't require any user interaction or awareness? 实现这一目标的最简单方法是什么,不需要任何用户交互或意识?
2 个解决方案
解决方案1
4 已采纳 2014-07-21 16:22:36
You don't have to distribute the certificate. 您不必分发证书。 One of common approaches is to include the certificate in the signed document, in the KeyInfo/X509Data node. 常见方法之一是将证书包含在KeyInfo/X509Data节点中的签名文档中。
The validation can use the embedded certificate easily and the only required infrastructure element at the client side is the certificate thumbprint and subject name. 验证可以轻松使用嵌入式证书,客户端唯一需要的基础架构元素是证书指纹和主题名称。 In other words, client validates the document using included certificate and then easily checks the certificate agaist the subject name and thumbprint. 换句话说,客户端使用包含的证书验证文档,然后轻松检查证书,主题名称和指纹。 In case of a match, there is the assumption that a correct certificate has been provided. 如果匹配,则假设已提供正确的证书。
Read more about technical details in one of my blog entries (this is a 3 part tutorial so you can also take a look at all other entries). 在我的一个博客条目中阅读有关技术细节的更多信息(这是一个3部分的教程,因此您还可以查看所有其他条目)。 Anyway, no importing certificates and no including certificates with your software, rather you have two string configuration parameters. 无论如何,没有导入证书,也没有包含软件的证书,而是有两个字符串配置参数。
The embedded certificate inside the XmlDsigned document has a const size and usually the overhead is neglectable. XmlDsigned文档中的嵌入式证书具有const大小,通常开销可忽略不计。
http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c.html http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c.html
http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c_20.html http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c_20.html
解决方案2
3 2014-07-21 16:22:11
Am not sure what problem you're facing without seeing your code but, could this answer from Ji Zhou help? 如果没有看到你的代码,我不确定你面临的问题但是, 周济的这个回答是否有帮助?
public static void Main()
{
try
{ //initialze the byte arrays to the public key information.
byte[] PublicKey = {214,46,220,83,160,73,40,39,201,155,19,202,3,11,191,178,56,
74,90,36,248,103,18,144,170,163,145,87,54,61,34,220,222,
207,137,149,173,14,92,120,206,222,158,28,40,24,30,16,175,
108,128,35,230,118,40,121,113,125,216,130,11,24,90,48,194,
240,105,44,76,34,57,249,228,125,80,38,9,136,29,117,207,139,
168,181,85,137,126,10,126,242,120,247,121,8,100,12,201,171,
38,226,193,180,190,117,177,87,143,242,213,11,44,180,113,93,
106,99,179,68,175,211,164,116,64,148,226,254,172,147};
//Values to store encrypted symmetric keys.
byte[] EncryptedSymmetricKey;
byte[] EncryptedSymmetricIV;
//Create a new instance of RSACryptoServiceProvider.
RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
//Get an instance of RSAParameters from ExportParameters function.
RSAParameters RSAKeyInfo = RSA.ExportParameters(false);
//Set RSAKeyInfo to the public key values.
RSAKeyInfo.Modulus = PublicKey;
//Import key parameters into RSA.
RSA.ImportParameters(RSAKeyInfo);
//Create a new instance of the RijndaelManaged class.
RijndaelManaged RM = new RijndaelManaged();
//Encrypt the symmetric key and IV.
EncryptedSymmetricKey = RSA.Encrypt(RM.Key, false);
EncryptedSymmetricIV = RSA.Encrypt(RM.IV, false);
Console.WriteLine("RijndaelManaged Key and IV have been encrypted with RSACryptoServiceProvider.");
}
catch (CryptographicException e)
{
Console.WriteLine(e.Message);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.