1. 技术文章
  2. How can I convert the private key stored in HSM to SignedXml.SigningKey in C#

How can I convert the private key stored in HSM to SignedXml.SigningKey in C#

吃可爱长大的小学妹 提交于 2019-12-19 04:35:11

问题


I'm trying to implement some demo of XML signing with a certificate which stored in the HSM.

I found some interesting example from this link: Sign XML Document with X509Certificate2 and modified it to using certificate and key inside the HSM with PKCS11Interop wrapper.

But anyone could give me a suggestion or example to convert ObjectHandle privateKey from HSM to SignedXML.SigningKey

private static void SignXmlWithCertificate(XmlDocument xmlDoc, X509Certificate2 cert, Session session, String alias)
        {
            SignedXml signedXml = new SignedXml(xmlDoc);

            List<ObjectAttribute> template = new List<ObjectAttribute>();
            template.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
            template.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
            template.Add(new ObjectAttribute(CKA.CKA_LABEL, alias));
            List<ObjectHandle> foundObjects = session.FindAllObjects(template);
            ObjectHandle privateKey = foundObjects[0];

            signedXml.SigningKey = privateKey; //Here is where I stuck.

In the example from above external link. They using a certificate which combined private key. Then they can use like this.

signedXml.SigningKey = cert.PrivateKey;

But the certificate that I'm using haven't content of private key inside. Please give me some suggestion.


回答1:


You need to implement custom class inherited from System.Security.Cryptography.Xml.SignedXml like this

public class CustomSignedXml: SignedXml
    {
    public CustomSignedXml(XmlDocument xmlDoc):base(xmlDoc)
    {
    }
    internal void ComputeSignature(ISignerProvider signerProvider)
    {
        var methodInfo = typeof (SignedXml).GetMethod("BuildDigestedReferences",
            BindingFlags.Instance | BindingFlags.NonPublic);
        methodInfo.Invoke(this, null);
        SignedInfo.SignatureMethod = XmlDsigRSASHA1Url;
        // See if there is a signature description class defined in the Config file
        SignatureDescription signatureDescription =
            CryptoConfig.CreateFromName(SignedInfo.SignatureMethod) as SignatureDescription;
        if (signatureDescription == null)
            throw new CryptographicException("Cryptography_Xml_SignatureDescriptionNotCreated");

        var hashAlg = signatureDescription.CreateDigest();
        if (hashAlg == null)
            throw new CryptographicException("Cryptography_Xml_CreateHashAlgorithmFailed");
        var methodInfo2 = typeof (SignedXml).GetMethod("GetC14NDigest", BindingFlags.Instance | BindingFlags.NonPublic);
        var hashvalue = (byte[]) methodInfo2.Invoke(this, new object[] {hashAlg});

        m_signature.SignatureValue = signerProvider.Sign(hashvalue);
    }
}

and then you need to create interface like this

public interface ISignerProvider
{
    byte[] Sign(byte[] data);
}

then implement it by Pkcs11Interop like this

    public class Pkcs11SignerProvider : ISignerProvider
{
    private string _thumbprint;
    public string DllPath { get; set; }
    public string TokenSerial { get; set; }
    public string TokenPin { get; set; }
    public string PrivateKeyLabel { get; set; }

    public Pkcs11SignerProvider(string dllPath, string tokenSerial, string tokenPin, string privateKeyLabel)
    {
        DllPath = dllPath;
        TokenSerial = tokenSerial;
        TokenPin = tokenPin;
        PrivateKeyLabel = privateKeyLabel;
    }

    public byte[] Sign(byte[] data)
    {
        using (var pkcs11 = new Pkcs11(DllPath, AppType.SingleThreaded))
        {

            var slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
            var slot = slots.FirstOrDefault(slot1 => slot1.GetTokenInfo().SerialNumber == TokenSerial);
            if (slot == null)
                throw new Exception("there is no token with serial " + TokenSerial);
            using (var session = slot.OpenSession(SessionType.ReadOnly))
            {
                session.Login(CKU.CKU_USER, TokenPin);

                var searchTemplate = new List<ObjectAttribute>
                {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
                    new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA)
                };
                if (!string.IsNullOrEmpty(PrivateKeyLabel))
                    searchTemplate.Add(new ObjectAttribute(CKA.CKA_LABEL, PrivateKeyLabel));

                var foundObjects = session.FindAllObjects(searchTemplate);
                var privateKey = foundObjects.FirstOrDefault();

                using (var mechanism = new Mechanism(CKM.CKM_RSA_PKCS))
                {
                    return session.Sign(mechanism, privateKey, data);
                }

            }

        }
    }

}

then call this method to sign xml

public static void Sign(XmlDocument xmlDoc, ISignerProvider signerProvider)
    {
        if (xmlDoc == null)
            throw new ArgumentException("xmlDoc");
        if (xmlDoc.DocumentElement == null)
            throw new ArgumentException("xmlDoc.DocumentElement");
        var signedXml = new CustomSignedXml(xmlDoc);
        var reference = new Reference { Uri = "" };
        var env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);
        signedXml.AddReference(reference);
        signedXml.ComputeSignature(signerProvider);
        var xmlDigitalSignature = signedXml.GetXml();
        xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));
    }

and this code to verify

        public static bool Verify(XmlDocument document, X509Certificate2 certificate)
    {
        // Check arguments.
        if (document == null)
            throw new ArgumentException("Doc");
        if (certificate == null)
            throw new ArgumentException("Key");

        // Create a new SignedXml object and pass it
        // the XML document class.
        var signedXml = new SignedXml(document);

        // Find the "Signature" node and create a new
        // XmlNodeList object.
        var nodeList = document.GetElementsByTagName("Signature");

        // Throw an exception if no signature was found.
        if (nodeList.Count <= 0)
        {
            throw new CryptographicException("Verification failed: No Signature was found in the document.");
        }

        // This example only supports one signature for
        // the entire XML document.  Throw an exception 
        // if more than one signature was found.
        if (nodeList.Count >= 2)
        {
            throw new CryptographicException("Verification failed: More that one signature was found for the document.");
        }

        // Load the first <signature> node.  
        signedXml.LoadXml((XmlElement)nodeList[0]);

        return signedXml.CheckSignature(certificate, true);
    }



回答2:


You need to implement custom class inherited from System.Security.Cryptography.RSA class, use Pkcs11Interop in its implementation and then use instance of your custom class as a SigningKey.

You can implement it yourself or you can use Pkcs11Interop.X509Store library which provides easy to use PKCS#11 based X.509 certificate store and contains Pkcs11RsaProvider class inherited from System.Security.Cryptography.RSA class. There's also a code sample available which demonstrates its usage with SignedXml class.



来源:https://stackoverflow.com/questions/46440422/how-can-i-convert-the-private-key-stored-in-hsm-to-signedxml-signingkey-in-c-sha

标签
c#
private-key
pkcs#11
xml-signature
pkcs11interop
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!