User login with Smart Card for Windows UWP app


Question

This seems like such a simple thing but I have been trying to figure this out for over a week now and cannot seem to figure it out. We are creating a Windows UWP app using WinJS and would like the user to login to the app with a PIV (smart card)/PIN combination. Essentially, when the app starts it will verify that there is a smart card inserted into the device and then prompt the user for the PIN. If the PIN is validated against the smart card the app will log the user in.

We do have Windows 7 applications that currently do this and I attempted to convert that code however it appears the APIs we used are not valid for Windows UWP apps. I did post the question about those APIs but did not receive any responses (https://stackoverflow.com/questions/43344679/x509certificate2ui-class-equivalent-with-windows-uwp-and-winjs). With Windows 7 we used the X509Certificate2UI (https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2ui(v=vs.110).aspx ) class to select a certificate which prompted the user for the PIN.

After a lot of research, I believe (and could be wrong) with Windows UWP I need to use the smart card APIs (https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards ). I have been reading the past couple of days and went through several Microsoft documents on smart cards like this one: https://docs.microsoft.com/en-us/windows/uwp/security/smart-cards but have not been able to find a way to validate a user entered PIN against the PIN on the smart card.

From the SmartCardProvisioning class (https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardprovisioning ) we are able to call the requestPinChangeAsync() method which prompts the user for the current PIN and the new PIN. I am looking for similar functionality except that it only asks for the current PIN and then returns a value that will let the app know if the PIN was correct.

I have also read through Microsoft’s Hello (https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport ) API but did not see a way to use it with smart cards.

Can anyone point me in the right direction on how to use two-factor authentication in my app using a smart card/PIN combination. It seems like I have been in a Google bubble for the past several days going round and round and need help to get out.

Thanks

edit to explain why it is not a duplicate: Not really a duplicate, both questions were asked by me and I mention the other post in the body of the question. In the other post I was looking for an equivalent to the X509Certificate2UI class for Windows UWP with WinJS. With further research, I am thinking that might not be the correct way to go therefore with this post I am looking to see if anyone can point me in the right direction to doing two-factor authentication using a PIV (smart card) and the PIN associated with the card.

Share code that works: Here is the WinJS code that seems to work. Not sure if there is a better way or not:

  if (certToUse != null) {
    // Open the key pair that belongs to the selected certificate.
    Windows.Security.Cryptography.Core.PersistedKeyProvider.openKeyPairFromCertificateAsync(certToUse, Windows.Security.Cryptography.Core.HashAlgorithmNames.sha256, Windows.Security.Cryptography.Core.CryptographicPadding.rsaPkcs1V15).then(function (keyPair) {
      var buffer = 'data to sign'
      var data = Windows.Security.Cryptography.CryptographicBuffer.convertStringToBinary(buffer, Windows.Security.Cryptography.BinaryStringEncoding.utf16BE)
      // Sign with the certificate's private key, then check the signature.
      Windows.Security.Cryptography.Core.CryptographicEngine.signAsync(keyPair, data).then(function (signed) {
        var results = Windows.Security.Cryptography.Core.CryptographicEngine.verifySignature(keyPair, data, signed)
        completeValidatePin = true
        // Report success only when the signature actually verifies.
        if (results) {
          successCallback(true)
        } else {
          errorCallback('Signature verification failed')
        }
      }, function (reason) {
        // Signing did not complete; reported as a cancelled login.
        completeValidatePin = true
        errorCallback('User cancelled login')
      })
    }, function (reason) {
      completeValidatePin = true
      errorCallback('Error using certificate')
    })
  } else {
    errorCallback('Certificate not found')
  }
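
The snippet above signs a fixed string and verifies it on the device with the same key pair. As an added example (not part of the original post, and going beyond it), the same signing step can be bound to a fresh, single-use challenge that a relying party verifies against the certificate's public key. It runs in Node.js; the software RSA key stands in for the card's key, certificate chain validation is assumed to happen elsewhere, and all names and the one-minute lifetime are assumptions.

```javascript
// Added example: challenge-response around the "sign to prove the PIN" step.
// Constructed stand-in: a software RSA key plays the role of the PIV card key.
const crypto = require('crypto');

const CHALLENGE_TTL_MS = 60 * 1000;  // assumption: challenges live one minute
const pending = new Map();           // challenge id -> { nonce, expires }

// Relying party: issue a fresh random challenge for every login attempt.
function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const nonce = crypto.randomBytes(32);
  pending.set(id, { nonce, expires: now + CHALLENGE_TTL_MS });
  return { id, nonce };
}

// Client: sign the challenge with the private key (RSA PKCS#1 v1.5, SHA-256,
// the same algorithm choice as the WinJS snippet).
function signChallenge(privateKey, nonce) {
  return crypto.sign('sha256', nonce, privateKey);
}

// Relying party: verify with the public key from the user's certificate.
function verifyLogin(publicKey, id, signature, now = Date.now()) {
  const entry = pending.get(id);
  pending.delete(id);                        // a challenge is single use
  if (!entry) return 'unknown-or-replayed';
  if (now > entry.expires) return 'expired';
  const ok = crypto.verify('sha256', entry.nonce, publicKey, signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed walk-through: valid login, replay, wrong key, stale challenge.
function demo() {
  const card = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const c1 = issueChallenge();
  const sig = signChallenge(card.privateKey, c1.nonce);
  const first = verifyLogin(card.publicKey, c1.id, sig);
  const replay = verifyLogin(card.publicKey, c1.id, sig);
  const c2 = issueChallenge();
  const wrongKey = verifyLogin(card.publicKey, c2.id,
    signChallenge(other.privateKey, c2.nonce));
  const c3 = issueChallenge(0);
  const stale = verifyLogin(card.publicKey, c3.id,
    signChallenge(card.privateKey, c3.nonce), CHALLENGE_TTL_MS + 1);
  return { first, replay, wrongKey, stale };
}
```
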

Recommended answer

I'm currently investigating your question and trying to determine if there is a good solution.

I did write the following code which I thought should work:

IReadOnlyList<Certificate> Certs;
CertificateQuery CertQuery = new CertificateQuery();
CertQuery.HardwareOnly = true;

Certs = await CertificateStores.FindAllAsync(CertQuery);
string strEncrypt = "test";
IBuffer BufferToEncrypt = CryptographicBuffer.ConvertStringToBinary(strEncrypt, BinaryStringEncoding.Utf8);

foreach (Certificate Cert in Certs)
{
    if (Cert.HasPrivateKey && ((Cert.KeyStorageProviderName == "Microsoft Base Smart Card Crypto Provider") || Cert.KeyStorageProviderName == "Microsoft Smart Card Key Storage Provider"))
    {
        CryptographicKey Key = null;

        try
        {                        
            Key = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(Cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaPkcs1V15);                        

        }
        catch (Exception ex)
        {
            // Could not open Smart Card Key Pair
        }

        if (Key != null)
        {
            try
            {                           
                // Try to Sign with Cert Private key 
                IBuffer EncryptedBuffer = CryptographicEngine.Sign(Key, BufferToEncrypt);
            }
            catch (Exception ex)
            {
                // Could not sign                            
            }
        }
    }
}

Unfortunately, OpenKeyPairFromCertificateAsync creates a provider with a silent context so CryptographicEngine.Sign is unable to display a PIN dialog. I will have to look into it a bit more.
