验证分离的签名（* .p7s文件）和X509Certificate2 [英] Verify detached signature(*.p7s files) and X509Certificate2

问题描述

您好！

请帮我解决问题。我会告诉你这个问题。

简介：

我在我的方法中将xml文档作为字符串输入参数。

Xml文档是：

Hello!
Please help me with solution to my problem. I'll tell you about the problem.
Introduction:
I get the xml-document as a string input parameter in my method.
Xml-document is:

<Document>
    <ZipContainer> Zip_File_In_Base64 </ZipContainer>
    <X509Certificate> Certificate_In_Base64 </X509Certificate>
</Document>

来自此字符串（xml） -document）我提取BASE64格式的zip文件和BASE64格式的X509Certificate2证书。

Zip文件包含：

•描述zip文件内容的文件xml（文件packageDescription.xml）;

•包含已传输文档内容的文件（例如，* .doc文件）;

•包含分离数字签名内容的文件（* .p7s文件 - 即分离的数字签名）;



从归档应提取签名的签名文件（分离的数字签名可能不止一个）。

分离的数字签名存储在扩展名为* .p7s的文件中。

必须完成每个签名以检查其与数字签名的协议，用户登录门户网站。



验证必须包含两个步骤：

1）请参阅方法certificateValidator（） （请参阅下面的此方法）：这是验证分离的签名，包含在文件* .p7s及其相应的已签名文件中，这些* .p7s文件。

例如：一对相关文件和ZayavUL_3594c921f545406d9b8734bbe28bf894.doc_1.p7s和ZayavUL_3594c921f545406d9b8734bbe28bf894.doc



2）请参阅方法certificateValidator（）：这是来自文件* .p7s的验证证书从输入字符串中提取的证书（Xml-document as string）。





我的问题是：

1）方法signatureValidator（参见下面这个方法）目前没有使用文件的分离签名* .p7s

我试过，但没有成功。如何正确验证* .p7s文件的分离签名是否包含相应的文件？

我应该从.NET加密类中使用哪些类和方法？ 请使用具体示例帮助。



2）方法certificateValidator（请参阅下面的方法）如何验证符合性从文件* .p7s中提取的证书，从Base64格式的输入字符串中提取证书？

代码行foreach（X509Certificate2 x509 in signCms.Certificates）{}--->证书集合始终为空。为什么？

我应该从.NET加密类中使用哪些类和方法？ 请使用具体示例提供帮助。



//输入参数：

//字典<字符串，字节[] GT; dictP7SFiles（key - 文件的名称* .p7s，value - 字节数组，表示* .p7s文件）

// Dictionary< string，byte []> dictNotP7SFiles（key - 使用* .p7s文件中的分离签名签名的文件的名称，值 - 字节数组，表示文件）

// X509Certificate2 userCertX509 - 证书对象，从输入中提取xml-document（格式为Base64）



//以下是测试验证步骤的实现（参见上面的2个步骤）

From this string(xml-document) I extract zip-file in BASE64 format and X509Certificate2 certificate in BASE64 format.
Zip-file contains:
• file describing the contents of the zip-file as xml (file packageDescription.xml);
• files with the contents of transmitted documents (for example, *.doc files);
• files with content of detached digital signature (*.p7s files - that is detached digital signature);

From the archive should be extracted signature that signed documents (detached digital signature may be more than one).
Detached digital signature are stored in files with *.p7s extension.
Each signature must be done to check its agreement with digital signature, with which the user is logged in to the portal.

The verifying must consist of two steps:
1) See method certificateValidator () (see this method below): This is a verifying of detached signature, contained in the files *.p7s with their corresponding files that are signed, these *.p7s-files.
For example: a pair of related files and ZayavUL_3594c921f545406d9b8734bbe28bf894.doc_1.p7s and ZayavUL_3594c921f545406d9b8734bbe28bf894.doc

2) See method certificateValidator (): This is a verify certificate from a file *.p7s with a certificate that is extracted from the input string(Xml-document as string).


My questions are:
1) The method signatureValidator(see this method below) is not currently used detached signature of the files *.p7s
I did try, but without success. How do I properly verify the detached signature of *.p7s file for its corresponding file?
Which classes and methods should I use from .NET Cryptography Classes? Please help by using a specific example.

2) In the method certificateValidator(see this method below) how to verify the conformity of the certificate extracted from the file *.p7s, with a certificate extracted from input string in Base64 format?
the line of code " foreach (X509Certificate2 x509 in signCms.Certificates) { } " ---> Certificates Collection always is empty. Why?
Which classes and methods should I use from .NET Cryptography Classes? Please help by using a specific example.

// Input parameters:
// Dictionary <string,byte[]> dictP7SFiles (key - the name of the file *.p7s, value - array of bytes, representing *.p7s file)
// Dictionary <string,byte[]> dictNotP7SFiles (key - the name of the file that is signed using detached signature from *.p7s file, value - array of bytes, representing file)
// X509Certificate2 userCertX509 - certificate object, extracted from the input xml-document (where it has the format Base64)

// Here below are testing implementation of verification steps(see above this 2 steps)

private bool certificateValidator(
    Dictionary<string,byte[]> dictP7SFiles,
    Dictionary<string,byte[]> dictNotP7SFiles,
    X509Certificate2 userCertX509
)
{
    bool isValid = false;
    
    try
    {               
        foreach (KeyValuePair<string,byte[]> pair in dictP7SFiles)
        {
            ContentInfo contentInfo = new ContentInfo(pair.Value);
            SignedCms signCms = new SignedCms(contentInfo, true);                   

             if (signCms.Certificates.Count != 0)
             {
                //Certificates Collection always is empty. Why?
	        foreach (X509Certificate2 x509 in signCms.Certificates)
                {
                    if (
                        (x509.SerialNumber != userCertX509.SerialNumber)
                        || (x509.Thumbprint != userCertX509.Thumbprint)
                    )
                    {
                        isValid = false;
                        return isValid;
                    }
                }

                isValid = true;
                return isValid;
             }
        }
    }
    catch (Exception ex)  
    {
        //here process exception code
    }           

    return isValid;
}


private bool signatureValidator(
    Dictionary<string,byte[]> dictP7SFiles,
    Dictionary<string,byte[]> dictNotP7SFiles,
    X509Certificate2 userCertX509
)
{
    bool isValid = false;

    try
    {              
        byte[] data = dictP7SFiles["ZayavUL_3594c921f545406d9b8734bbe28bf894.doc"];
        byte[] publicKey;
        byte[] signature;
        object hasher = SHA1.Create(); // Our chosen hashing algorithm.
        // Generate a new key pair, then sign the data with it:
        using (var publicPrivate = new RSACryptoServiceProvider())
        {
            signature = publicPrivate.SignData(data, hasher);
            publicKey = publicPrivate.ExportCspBlob(false); // get public key
        }
        // Create a fresh RSA using just the public key, then test the signature.
        using (var publicOnly = new RSACryptoServiceProvider())
        {
            publicOnly.ImportCspBlob(publicKey);

            isValid = publicOnly.VerifyData(data, hasher, signature); // Return True

            //isValid = ByteArrayCompare(dictP7SStreams["ZayavUL_3594c921f545406d9b8734bbe28bf894.doc_1.p7s"], signature);

            byte[] p7sDetachedSignature = File.ReadAllBytes(@"D:\ZayavUL_3594c921f545406d9b8734bbe28bf894.doc_1.p7s");
            isValid = ByteArrayCompare(p7sDetachedSignature, signature);
        }                
    }
    catch (Exception)
    {
        //here process exception code
    }

    return isValid;    
}

推荐答案

解决方案1：

Solution 1:

byte[] fileData = File.ReadAllBytes(fileFullName);
ContentInfo contentInfo = new ContentInfo(fileData);
SignedCms signedCms = new SignedCms(contentInfo, true);
signedCms.Decode(fileData);

解决方案2：

Solution 2:

byte[] fileData = File.ReadAllBytes(fileFullName);
SignedCms signedCms = new SignedCms();
signedCms.Decode(fileData);

这篇关于验证分离的签名（* .p7s文件）和X509Certificate2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！