Sign Xml with digital certificate in format of PKCS#7 in DER (ITU-T Rec. X.690)

假装没事ソ submitted on 2021-01-28 18:22:16

Question


I have a .xml file that has to be signed with a digital certificate in the format of PKCS#7 version 1.5 (RFC 2315) and DER (ITU-T Recommendation X.690).

That .xml will be sent to a govt. WebService that only accepts the format I mentioned above.

What I'm able to do - thanks to this website - is digitally sign the .xml with the .pfx file that I generated with the Certificate Export Wizard explained below. The class that I'm using to sign is on the mentioned website or here.

From what I tried to understand so far I will need to sign the .xml with .pfx file according to X.690 standards but I'm only able to access this namespace:

using System.Security.Cryptography.X509Certificates;

which is obviously for X.509 format.

Note:

There are several things I'm confused about - to export the certificate into .pfx I'm using Internet Explorer - Certificate Export Wizard from there I'm able to:

Yes - export private keys - then it will be generated in PKCS#12 but .pfx

No - do not export private keys - Certificate according to standards Cryptographic Message Syntax Standard - PKCS#7 that I guess I need but I would receive .p7b file

I must say that I am a newbie in certificates and digital signatures, so I'm not even sure if I'm correctly exporting the certificate, and the second thing is how I can sign according to X.690 standards.

May I know how to sign according to X.690 format please?

Thank you everyone for your time and replies.

My code is following:

using System;
using System.Xml;
using System.Security.Cryptography.X509Certificates;

// XmlDsig is the helper class from the website linked above (not shown here);
// SignXml adds an XMLDSIG <Signature> element, HasSignatureElement checks for it.
static bool SignDocument(string pvkPath, string certPass, string xmlPath, string xmlSavePath)
{
    bool res = false;
    try
    {
        // load the PKCS#12 (.pfx) container with its password
        byte[] certBytes = System.IO.File.ReadAllBytes(pvkPath);
        X509Certificate2 cert = new X509Certificate2(certBytes, certPass);
        XmlDocument doc = new XmlDocument();

        doc.Load(xmlPath);

        // sign the document with the private key of the certificate
        XmlDsig.SignXml(doc, cert);

        // save the document
        doc.Save(xmlSavePath);

        // verify that the document has a signature and report that result
        bool hasSignature = XmlDsig.HasSignatureElement(doc);
        res = hasSignature;
        return res;
    }
    catch (Exception)
    { return res; }
}

Answer 1:


A digital signature in PKCS#7/CMS format is a blob that contains your XML data + the signer's X.509 public key certificate (.cer file) + the digital signature. The entire blob is encoded in ASN.1 format (X.690). There may be variations in the blob due to the absence of the original data or the signer certificate. This variation is called detached signatures.

The digital signature is generated when you sign your XML file with the signer's private key. This signature can be verified when you send your XML file + the signer's public key (as an X.509 .cer file) + the digital signature to the party who is interested in verifying it.

PFX/p12 is a container that contains both the signer's private key and public key. You get this key pair from either your government or your government approved key custodians. You will then use this PFX to perform digital signature.

PKCS#7 is supported by cryptoAPI.

The above are the basics. This should allow you to make your queries more clearly.
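The answer above describes the CMS/PKCS#7 SignedData blob in words; the following is an added example (not code from the question, the answer, or the linked website) that produces exactly that blob in C# with System.Security.Cryptography.Pkcs, in both attached and detached form, and verifies it. The class and method names, the command-line arguments, and the file paths are assumptions for the example; the .pfx is the PKCS#12 export the question mentions.

```csharp
// Added example: sign an XML file as PKCS#7/CMS SignedData and verify it.
// Assumed: a .pfx exported with its private key, its password, and the XML file,
// passed as command-line arguments. Requires System.Security.Cryptography.Pkcs
// (a NuGet package on .NET Core / .NET 5+, built in on .NET Framework).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public static class CmsXmlSigner
{
    // Signs the raw XML bytes. detached=false embeds the XML inside the blob
    // (XML + signer certificate + signature, as the answer describes);
    // detached=true leaves the XML out, so the verifier must supply it.
    public static byte[] Sign(byte[] xmlBytes, X509Certificate2 cert, bool detached)
    {
        var content = new ContentInfo(xmlBytes);           // id-data content type
        var cms = new SignedCms(content, detached);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert)
        {
            IncludeOption = X509IncludeOption.EndCertOnly,     // embed only the signer cert
            DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1") // SHA-256
        };
        cms.ComputeSignature(signer);
        return cms.Encode(); // ASN.1-encoded SignedData (DER on .NET Core / .NET 5+)
    }

    // Verifies the blob. For a detached blob the original XML bytes must be supplied.
    public static bool Verify(byte[] blob, byte[] detachedXml = null)
    {
        SignedCms cms = detachedXml == null
            ? new SignedCms()
            : new SignedCms(new ContentInfo(detachedXml), detached: true);
        cms.Decode(blob);
        try
        {
            // verifySignatureOnly=false also builds and checks the certificate chain;
            // pass true to check only the cryptographic signature (e.g. self-signed tests).
            cms.CheckSignature(verifySignatureOnly: false);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    public static void Main(string[] args)
    {
        // Assumed inputs: <pfx path> <pfx password> <xml path>
        string pfxPath = args[0], pfxPassword = args[1], xmlPath = args[2];
        var cert = new X509Certificate2(pfxPath, pfxPassword);
        byte[] xml = File.ReadAllBytes(xmlPath);

        byte[] attached = Sign(xml, cert, detached: false);
        File.WriteAllBytes(xmlPath + ".p7m", attached);
        Console.WriteLine("attached blob verifies: " + Verify(attached));

        byte[] detached = Sign(xml, cert, detached: true);
        File.WriteAllBytes(xmlPath + ".p7s", detached);
        Console.WriteLine("detached blob verifies: " + Verify(detached, xml));
    }
}
```

Two points worth checking against the receiving service: which of the two forms (attached or detached) it expects, and the exact encoding. On .NET Core / .NET 5+ SignedCms.Encode emits DER; on .NET Framework the CryptoAPI-backed implementation can emit BER with indefinite-length fields, which a strict X.690 DER parser may reject, so inspect the output (for example with openssl asn1parse -inform DER) before relying on it.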



Source: https://stackoverflow.com/questions/23906821/sign-xml-with-digital-certificate-in-format-of-pkcs7-in-der-itu-t-rec-x-690
