Sign data using smart card's private key with

2020-07-27 06:14发布

问题:

I want to know if it is possible to sign data using a smart card's private key without resorting to a java applet or activex control.

I am tantalizingly close!

Our environment is:

  • AD Domain
  • PKI infrastructure/smart cards (PIV)

I knocked up a simple ASP.NET (.net 4.0) web forms app with:

  • Windows Authentication on, Anonymous off
  • Identity Impersonate on

With the smart card in the reader I can easily enumerate the certificates on the logged-in user's smart card (StoreLocation.CurrentUser). However, when I try to access the private key (via a CSP), I get an "Access Denied" error.

On my local machine in debug mode everything works fine. I know - it's a cliche.

        protected void Page_Load(object sender, EventArgs e)
        {

            //always populate the cert store
            store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.MaxAllowed);

            RSACryptoServiceProvider csp = new RSACryptoServiceProvider();

            //hardcoded to get the first cert in the store - it's legit and had a private key
            cert = store.Certificates[0];

            //throws error when not local
            csp = (RSACryptoServiceProvider)cert.PrivateKey;

        }

I've tried giving app pool identities access to the certificate store to no avail.

回答1:

It is not possible to use the user's private key on the Server. This would effectively nullify the benefits of using a Smart Card. In fact, security operations will be performed ON the Smart Card.

Strategy for Supporting Smart Cards

Microsoft views smart cards as a key component of its Public Key Infrastructure (PKI) support. Smart cards enhance software-only solutions, such as client authentication, interactive logon, and secure e-mail. Smart cards are a point of convergence for public-key certificates and associated keys because they:

  • Provide tamper-resistant storage for protecting private keys and other forms of personal information.
  • Isolate security-critical computations involving authentication, digital signatures, and key exchanges from other parts of the system.
  • Enable portability of credentials and other private information between computers at work, at home, or for mobile users.

Source: Smart Card Concepts

As you can see, one key aspect is to isolate security critical operations from the rest of the system. The only way to perform encryption with the user's private key is to use the Smart Card reader (the hardware itself). Since there's no way to access the client's hardware from a server side ASP.NET webpage what you try to do isn't possible.

The only way to achieve this is to use a client side component.



回答2:

You could try this first:

store.Open(OpenFlags.ReadOnly);
cert = store.Certificates[0];
store.Close();


回答3:

The reason you are getting access denied is because you are trying to access the private key and have not passed the PIN to the card. (I believe)

Private Key functions require the PIN. Also.. You need to Acquire the card context using the winscard.dll

You can check this out.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa379886(v=vs.85).aspx

You also need to use the Smart Card CSP.. Windows has a native one in 7 and above called the smart card mini driver.

I am attempting the same thing ... If I get further I will post back a sample...