智能卡CMS解密 [英] Smartcard CMS Decrypt
问题描述
我正在使用 Bouncycastle 来管理我的项目的加密功能。
我设法使用 CMS 进行加密和解密,这两个密钥都存储在文件系统中(一个 .cert 和一个 .p12 )。
I'm using Bouncycastle to manage the Encrypt function of my project.
I managed out to use CMS for encrypt and decrypt where both key are stored in my file system (a .cert and a .p12).
这些是我实际使用的两个函数:
These are the two function I'm actually using:
private static byte[] CmsEncrypt(byte[] message)
{
var envelopGenerator = new CmsEnvelopedDataGenerator();
var certificateStream = new FileStream("Test.cer", FileMode.Open, FileAccess.Read);
var cert = new X509CertificateParser().ReadCertificate(certificateStream);
envelopGenerator.AddKeyTransRecipient(cert);
return
envelopGenerator.Generate(new CmsProcessableByteArray(message), CmsEnvelopedGenerator.DesEde3Cbc)
.GetEncoded();
}
private static byte[] CmsDecrypt(byte[] encrypted, AsymmetricKeyParameter key, X509Certificate cert)
{
return new CmsEnvelopedData(encrypted).GetRecipientInfos().GetFirstRecipient(new RecipientID()
{
SerialNumber = cert.SerialNumber,
Issuer = cert.IssuerDN
}).GetContent(key);
}
现在我必须向前走一步,私钥必须位于智能卡,但在这种情况下我真的不知道要使用 CMS 。
Now I have to do a step forward, The private key must be on a smartcard but I can't really figure out to use the CMS in this scenario.
我可以初始化卡并解密一条简单消息(使用标准的 pkcs11 ,我发现了一个很好的c#包装器),但我无法
I can initialize the card and decrypt a simple message (using standard pkcs11, I found a good wrapper for c#) but I can't find any clue how to do CMS decryption with smartcard.
推荐答案
AFAIK BouncyCastleSharp可以不起作用,找到任何线索来使用智能卡解密。
AFAIK BouncyCastleSharp works out-of-the-box only with the cryptographic keys that can be exposed into the host memory. However one must not forget that Bouncy Castle C# is a general purpose cryptographic library and if you are willing to do a little extra work on lower level APIs you can use it also with the keys that cannot be exposed in the host memory. Such keys are usually stored in specialized cryptographic hardware i.e. smartcards, HSMs, TPMs and usually can be accessed and used only via a specialized cryptographic API such as MS CryptoAPI (Windows only) and/or PKCS#11 API (multiplatform).
我创建了一个示例应用程序- Pkcs7SignatureGenerator -用于CMS使用 Pkcs11Interop (我是作者)和 Bouncy Castle 库。在此应用程序中,Pkcs11Interop库使用存储在硬件设备中的私钥通过PKCS#11 API执行签名操作,而Bouncy Castle库负责构建CMS(PKCS#7)签名结构。
I have created an example application - Pkcs7SignatureGenerator - for CMS signature creation with Pkcs11Interop (which I am author of) and Bouncy Castle libraries. In this application Pkcs11Interop library performs signing operation via PKCS#11 API with the private key stored in the hardware device and Bouncy Castle library is responsible for construction of a CMS (PKCS#7) signature structure.
在您的情况下,您将需要使用BouncyCastle库(低级API)来解析CMS结构,然后使用PKCS#11库进行低级解密。这种方法需要您做更多的编码,并且对CMS有更深入的了解,但是它确实可以做到。
In your case you would need to use BouncyCastle library (low level APIs) to parse CMS structure and then use PKCS#11 library for low level decryption. This approach requires you to do more coding and to have much deeper understanding of CMS but it certainly can be done.
BTW几个月前,我在评估可用的选项,以寻求更接近的结果。 Pkcs11Interop和BouncyCastle库的集成,但是我发现BouncyCastle关键材料处理API不能提供所需的抽象级别,因此这种集成将需要对库进行大量重写。这将破坏其向后兼容性,并且IMO将不容易被上游开发人员接受。因此,我决定不再进行任何操作。
BTW few months ago I was evaluating available options for a closer integration of Pkcs11Interop and BouncyCastle libraries but I have found out that BouncyCastle key material handling APIs do not provide required level of abstraction and therefore such integration would require major rewrite of the library. That would break its backwards compatibility and IMO would not get accepted easily by the upstream developers. So I have decided not to proceed any further.
希望这会有所帮助。
这篇关于智能卡CMS解密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
