使用 PKCS#11 HSM 验证 SSL Web 请求 [英] Authenticate SSL Web Request Using PKCS#11 HSM
问题描述
我正在尝试向我编写的网站发出 Web 请求,该网站要求客户端提供证书以进行身份验证.
I'm trying to make a web request to a site I wrote which requires the client to provide certificates to authenticate.
具体来说,我正在尝试编写一个 C#(或 Visual C++)应用程序,它可以发出 Web 请求,但在我的 HSM 上使用证书和私钥.
Specifically, I'm trying to write a C# (or Visual C++) application that can make a web request, but use the certificate and private key on my HSM.
我知道这里有一个类似的问题,但它没有收到我需要的答案.
I realize there's one similar question here, but it hasn't received the answer I need.
我已经可以了:
- P/调用我的原生 pkcs#11 库(一个 DLL),登录,在 HSM 上查找/创建对象
- 使用 pkcs#11 界面,我可以在 HSM 上读取 X509 证书
我不能:
- 从 HSM 导出私钥.它不可导出.
所以我需要的是一种从我的应用程序发出 Web 请求并说对于握手,在我的 HSM 上使用 X509 和私钥对象"的方法.
So what I need is a way to make a Web Request from my application and say, "For the handshake, use the X509 and Private Key objects on my HSM."
请不要建议我检查"诸如 NCryptoki、Bouncy Castle 等之类的东西——我已经可以使用它们来制作我的 Windows 应用程序了.与 HSM 通信.我需要的是如何制作 Windows 应用程序.在 HSM 上的凭据上下文下发出 Web 请求.
Please don't suggest that I "check out" things like NCryptoki, Bouncy Castle, etc- I can already use them to make my Windows app. communicate with the HSM. What I need is how I can I make the Windows app. make a web request under the context of the credentials on the HSM.
推荐答案
当您通过 pkcs#11 本机调用获得证书时,您没有附加私钥.私钥进行解密,所以我们需要它.要解决这个问题,您有两个选择:
When you get a certificate through the pkcs#11 native calls you have no private key attached. The private key does the decrypting so we need it.To get around this you have two options:
几乎所有设备都在安装过程中注册了加密服务提供程序.例如,您可以将
RSACryptoServiceProvider包装在该提供程序上,并将其分配给证书的PrivateKey属性.
Almost all devices register a Cryptographic Service Provider during installation. You can wrap, for example, a
RSACryptoServiceProviderover that provider and assign it to thePrivateKeyproperty of your certificate.
某些设备驱动程序将来自您的 HSM 的证书与个人证书存储同步.如果您从 Windows 商店中选择证书,它将自动附加一个加密服务提供程序.所以丢失的私钥问题消失了.您需要做的就是将证书添加到 ClientCertificates 集合中.
Some device drivers sync the certificates from your HSM with the Personal Certificate Store. If you select the certificate from the Windows store it will automatically have a Cryptographic Service Provider attached. So the missing private key issue is gone. All you need to do is add the certificate to the ClientCertificates collection.
您可以想象我会推荐第二个选项(如果可用).
You can imagine I would recommend the second option if available.
这篇关于使用 PKCS#11 HSM 验证 SSL Web 请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
