[英]How can I convert the private key stored in HSM to SignedXml.SigningKey in C#
我正在嘗試使用存儲在HSM中的證書來實現XML簽名的一些演示。
我從此鏈接中找到了一些有趣的示例: 使用X509Certificate2對XML文檔進行簽名,並將其修改為在帶有PKCS11Interop包裝器的HSM中使用證書和密鑰。
但是任何人都可以給我一個建議或示例,以將ObjectHandle私鑰從HSM轉換為SignedXML.SigningKey
private static void SignXmlWithCertificate(XmlDocument xmlDoc, X509Certificate2 cert, Session session, String alias)
{
SignedXml signedXml = new SignedXml(xmlDoc);
List<ObjectAttribute> template = new List<ObjectAttribute>();
template.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
template.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
template.Add(new ObjectAttribute(CKA.CKA_LABEL, alias));
List<ObjectHandle> foundObjects = session.FindAllObjects(template);
ObjectHandle privateKey = foundObjects[0];
signedXml.SigningKey = privateKey; //Here is where I stuck.
在上面的示例中,外部鏈接。 他們使用結合了私鑰的證書。 然后他們可以像這樣使用。
signedXml.SigningKey = cert.PrivateKey;
但是我正在使用的證書里面沒有私鑰的內容。 請給我一些建議。
您需要像這樣實現從System.Security.Cryptography.Xml.SignedXml繼承的自定義類
public class CustomSignedXml: SignedXml
{
public CustomSignedXml(XmlDocument xmlDoc):base(xmlDoc)
{
}
internal void ComputeSignature(ISignerProvider signerProvider)
{
var methodInfo = typeof (SignedXml).GetMethod("BuildDigestedReferences",
BindingFlags.Instance | BindingFlags.NonPublic);
methodInfo.Invoke(this, null);
SignedInfo.SignatureMethod = XmlDsigRSASHA1Url;
// See if there is a signature description class defined in the Config file
SignatureDescription signatureDescription =
CryptoConfig.CreateFromName(SignedInfo.SignatureMethod) as SignatureDescription;
if (signatureDescription == null)
throw new CryptographicException("Cryptography_Xml_SignatureDescriptionNotCreated");
var hashAlg = signatureDescription.CreateDigest();
if (hashAlg == null)
throw new CryptographicException("Cryptography_Xml_CreateHashAlgorithmFailed");
var methodInfo2 = typeof (SignedXml).GetMethod("GetC14NDigest", BindingFlags.Instance | BindingFlags.NonPublic);
var hashvalue = (byte[]) methodInfo2.Invoke(this, new object[] {hashAlg});
m_signature.SignatureValue = signerProvider.Sign(hashvalue);
}
}
然后您需要創建這樣的界面
public interface ISignerProvider
{
byte[] Sign(byte[] data);
}
然后像這樣通過Pkcs11Interop實現它
public class Pkcs11SignerProvider : ISignerProvider
{
private string _thumbprint;
public string DllPath { get; set; }
public string TokenSerial { get; set; }
public string TokenPin { get; set; }
public string PrivateKeyLabel { get; set; }
public Pkcs11SignerProvider(string dllPath, string tokenSerial, string tokenPin, string privateKeyLabel)
{
DllPath = dllPath;
TokenSerial = tokenSerial;
TokenPin = tokenPin;
PrivateKeyLabel = privateKeyLabel;
}
public byte[] Sign(byte[] data)
{
using (var pkcs11 = new Pkcs11(DllPath, AppType.SingleThreaded))
{
var slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
var slot = slots.FirstOrDefault(slot1 => slot1.GetTokenInfo().SerialNumber == TokenSerial);
if (slot == null)
throw new Exception("there is no token with serial " + TokenSerial);
using (var session = slot.OpenSession(SessionType.ReadOnly))
{
session.Login(CKU.CKU_USER, TokenPin);
var searchTemplate = new List<ObjectAttribute>
{
new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA)
};
if (!string.IsNullOrEmpty(PrivateKeyLabel))
searchTemplate.Add(new ObjectAttribute(CKA.CKA_LABEL, PrivateKeyLabel));
var foundObjects = session.FindAllObjects(searchTemplate);
var privateKey = foundObjects.FirstOrDefault();
using (var mechanism = new Mechanism(CKM.CKM_RSA_PKCS))
{
return session.Sign(mechanism, privateKey, data);
}
}
}
}
}
然后調用此方法對xml進行簽名
public static void Sign(XmlDocument xmlDoc, ISignerProvider signerProvider)
{
if (xmlDoc == null)
throw new ArgumentException("xmlDoc");
if (xmlDoc.DocumentElement == null)
throw new ArgumentException("xmlDoc.DocumentElement");
var signedXml = new CustomSignedXml(xmlDoc);
var reference = new Reference { Uri = "" };
var env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
signedXml.AddReference(reference);
signedXml.ComputeSignature(signerProvider);
var xmlDigitalSignature = signedXml.GetXml();
xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));
}
和此代碼進行驗證
public static bool Verify(XmlDocument document, X509Certificate2 certificate)
{
// Check arguments.
if (document == null)
throw new ArgumentException("Doc");
if (certificate == null)
throw new ArgumentException("Key");
// Create a new SignedXml object and pass it
// the XML document class.
var signedXml = new SignedXml(document);
// Find the "Signature" node and create a new
// XmlNodeList object.
var nodeList = document.GetElementsByTagName("Signature");
// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// This example only supports one signature for
// the entire XML document. Throw an exception
// if more than one signature was found.
if (nodeList.Count >= 2)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// Load the first <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
return signedXml.CheckSignature(certificate, true);
}
您需要實現從System.Security.Cryptography.RSA
類繼承的自定義類,在其實現中使用Pkcs11Interop,然后將自定義類的實例用作SigningKey
。
您可以自己實現它,也可以使用Pkcs11Interop.X509Store庫,該庫提供了易於使用的基於PKCS#11的X.509證書存儲,並且包含從System.Security.Cryptography.RSA
類繼承的Pkcs11RsaProvider
類。 還有一個可用的代碼示例 ,演示了SignedXml
類的用法。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.