I want to know if it is possible to sign data using a smart card's private key without resorting to a java applet or activex control.
I am tantalizingly close!
Our environment is:
- AD Domain
- PKI infrastructure/smart cards (PIV)
I knocked up a simple ASP.NET (.net 4.0) web forms app with:
- Windows Authentication on, Anonymous off
- Identity Impersonate on
With the smart card in the reader I can easily enumerate the certificates on the logged-in user's smart card (StoreLocation.CurrentUser). However, when I try to access the private key (via a CSP), I get an "Access Denied" error.
On my local machine in debug mode everything works fine. I know - it's a cliche.
protected void Page_Load(object sender, EventArgs e)
{
//always populate the cert store
store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.MaxAllowed);
RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
//hardcoded to get the first cert in the store - it's legit and had a private key
cert = store.Certificates[0];
//throws error when not local
csp = (RSACryptoServiceProvider)cert.PrivateKey;
}
I've tried giving app pool identities access to the certificate store to no avail.
It is not possible to use the user's private key on the Server. This would effectively nullify the benefits of using a Smart Card. In fact, security operations will be performed ON the Smart Card.
Strategy for Supporting Smart Cards
Microsoft views smart cards as a key component of its Public Key Infrastructure (PKI) support. Smart cards enhance software-only solutions, such as client authentication, interactive logon, and secure e-mail. Smart cards are a point of convergence for public-key certificates and associated keys because they:
- Provide tamper-resistant storage for protecting private keys and
other forms of personal information.
- Isolate security-critical computations involving authentication,
digital signatures, and key exchanges from other parts of the system.
- Enable portability of credentials and other private information
between computers at work, at home, or for mobile users.
Source: Smart Card Concepts
As you can see, one key aspect is to isolate security critical operations from the rest of the system. The only way to perform encryption with the user's private key is to use the Smart Card reader (the hardware itself). Since there's no way to access the client's hardware from a server side ASP.NET webpage what you try to do isn't possible.
The only way to achieve this is to use a client side component.
You could try this first:
store.Open(OpenFlags.ReadOnly);
cert = store.Certificates[0];
store.Close();
The reason you are getting access denied is because you are trying to access the private key and have not passed the PIN to the card. (I believe)
Private Key functions require the PIN. Also.. You need to Acquire the card context using the winscard.dll
You can check this out.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379886(v=vs.85).aspx
You also need to use the Smart Card CSP.. Windows has a native one in 7 and above called the smart card mini driver.
I am attempting the same thing ... If I get further I will post back a sample...