stackoom
  简体   繁体   中英

C# DTLS Certificate Verify Message

 原文  2019-09-10 21:30:21       c#/ x509certificate/ private-key/ dtls

Question

I need to start using SNMPv3 over DTLS with certificates from the windows certificate store in c# and from what I've seen so far, this isn't used very often at all. Unfortunately, I have no choice in the matter.

I'm working on using DTLS.NET to do the handshake. One trick is that DTLS.NET seems to want a pem file instead of an X509 Certificate from the Windows Certificate Store. I believe I've figured out how to load the cert, except the private key. The private key is not exportable, and I don't believe I can change that. 

public void LoadX509Certificate(X509Certificate2 certificate)
{
    if (certificate == null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }

    this._PrivateKey = DotNetUtilities.GetKeyPair(certificate.PrivateKey).Private;

    this._Certificate = new Certificate
    {
        CertChain = new List<byte[]>() { certificate.RawData },
        CertificateType = TCertificateType.X509
    };
}

I believe I've figured out up to the certificate verify message and that's where it appears to need the private key. 

CertificateVerify certificateVerify = new CertificateVerify();
byte[] signatureHash = _HandshakeInfo.GetHash();
certificateVerify.SignatureHashAlgorithm = new SignatureHashAlgorithm() { Signature = TSignatureAlgorithm.ECDSA, Hash = THashAlgorithm.SHA256 };
certificateVerify.Signature = TLSUtils.Sign(_PrivateKey, true, _Version, _HandshakeInfo, certificateVerify.SignatureHashAlgorithm, signatureHash);
SendHandshakeMessage(certificateVerify, false);

I can't seem to find much information in the RFCs or elsewhere that describe exactly what needs to happen here. I do know that the server can handle RSA , DSS , or ECDSA , so I left it with ECDSA since that's what DTLS.NET is using.

Do I actually need the private key to create the CertificateVerify message?

Thanks in advance!

1 answers

solution1
 0 ACCPTED  2019-09-16 06:25:44

The handshake may authenticate the client by it's certificate. Though the certificate on it's own is "public", everyone would be able to send it and the authentication could not be granted. Therefore the client has to proof, that he has access to the private key as well. That's why the "Certificate Verify" message is used.

If you don't have access to the private key of your public key of your certificate, a client certificate handshake is not possible.

Maybe the keystore doesn't export that private key, but offer instead a "signing" function, where that privte key is applied.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question C# DTLS implementation that uses X509Certificate2 certificates Verify SSL certificate in C# C# verify file certificate Verify a CA Certificate with a public key in C# C# verify server certificate with .pem file c# verify certificate in CRL list How to verify a certificate chain using a CA certificate C# Decrypt and verify PKCS7 message in C# RabbitMQ C# verify message was sent C# - Verify client certificate signed by proper root
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM