stackoom
  简体   繁体   中英

X509 Certificates, DigitalSignature vs NonRepudiation (C#)

 原文  2009-12-21 09:21:12       c#/ x509certificate/ pki

Question

We have been handed a set of test sertificates on smart cards for developing a solution that requires XML messages to be signed using PKI. Each (physical) smart card seems to have two certificates stored on it. I import them into the Windows certificate store using software supplied by the smart card provider, and then use code resembling the following to iterate over the installed certificates: 

foreach (X509Certificate2 x509 in CertStore.Certificates) {
  foreach (X509Extension extension in x509.Extensions) {
     if (extension.Oid.Value == "one we are interested in") {
        X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
        if ((ext.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.None) {
            // process certs here

We have been told to use the certificates that have the NonRepudiation key usage flag set to sign the XMLs. However, the certificate that has the NonRepudiation flag has this flag only , and not for instance the DigitalSignature flag which I check for above. Does this strike anyone but me as slightly odd? I am in other words told to sign with a certificate that does not (appear to) have the DigitalSignature usage flag set. Is this normal procedure? Any comments?

Thanks.

3 answers

solution1
 1 ACCPTED  2009-12-21 09:51:41

What key use does it have? You're right, this is a little odd, however if, for example, the key was used to provide AD logins then it may not have the flags set for DigitalSignature use. That's not to say you can't use it for that, it just indicates that the certificate issuer provides no guarantee when you go outside the key's indicated usage.

solution2
 1  2010-01-10 16:49:02

As I read RFC 5280 (4.2.1.3), nonRepudiation is a superset of digitalSignature. In other words it grants all the abilities of digitalSignature and then some. So technically, what they are asking for is valid, though perhaps unusual.

solution3
 1  2010-06-10 14:19:25

If you want to provide a non-repudiation service, ie you want signatures have a LEGAL value, then you are supposed to use nonRepudiation only. Indeed, this is RECOMMENDED by standards (see ETSI TS 102 280) since the usage of other keyUsage bits together with nonRepudation may have security issues.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to do asymmetric encryption with X509 certificates and C#? Open X509 Certificates Selection Using USB Token in C# Hosted on IIS X509 guide/tutorial in C# C# x509 certificate decoder Create and verify x509 certificates in .Net AccessDeniedException X509Certificates C# C# convert certificate string into X509 certificate Hash X509 certificate with SHA 256 in c# Where do I get my WCF service to handle X509 certificates? C#.NET OpenSSL .NET c# wrapper X509 certification
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM