签署与用户证书的Web表单数据的最佳方式 [英] Best way to sign data in web form with user certificate
问题描述
我们有一个C#的web应用程序,用户将使用存储在其浏览器中的数字证书进行连接。
We have a C# web app where users will connect using a digital certificate stored in their browsers.
这是我们所看到的例子,核实他们的身份将是容易的,一旦我们启用SSL,因为我们可以访问该证书在田间地头,用Request.ClientCertificate,检查用户的姓名。
From the examples that we have seen, verifying their identity will be easy once we enable SSL, as we can access the fields in the certificate, using Request.ClientCertificate, to check the user's name.
我们也一直要求,但是,签署由用户(几个简单的字段和二进制文件)发送数据,这样我们可以证明,毫无疑问,这些用户输入的每一条记录在我们的数据库。
We have also been requested, however, to sign the data sent by the user (a few simple fields and a binary file) so that we can prove, without doubt, which user entered each record in our database.
我们的第一个想法是创建一个小的文本签名,包括域(如果可能的话,该文件的MD5),并与证书的私钥加密,但...
Our first thought was creating a small text signature including the fields (and, if possible, the md5 of the file) and encrypt it with the private key of the certificate, but...
据我知道我们不能访问证书的私钥对数据进行签名,我不知道是否有任何方式登录浏览器领域,或者我们没有其他选择比使用Java小应用程序。如果是后者,我们怎么会做到这一点(有没有我们可以使用任何开源的小程序吗?它会更好,如果我们创建一个自己?)
As far as I know we can't access the private key of the certificate to sign the data, and I don't know if there is any way to sign the fields in the browser, or we have no other option than using a Java applet. And if it's the latter, how we would do it (Is there any open source applet we can use? Would it be better if we create one ourselves?)
当然,这将是更好的,如果有任何的方式来登录,在服务器接收到的字段,使用我们可以从用户的证书访问数据。但如果不是,就最好的办法的任何信息来解决问题将是AP preciated。
Of course, it would be better if there was any way to "sign" the fields received in the server, using the data that we can access from the user's certificate. But if not, any info on the best way to solve the problem would be appreciated.
推荐答案
我建议你使用Java的小程序。这种方法统一为所有的浏览器。我们用它在我们的项目。要登录用户的数据,你需要使用JCA API(<一个href=\"http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#Signature\">http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#Signature).你还需要与从Java访问Windows证书存储来解决问题。
I suggest you to use java-applet. This approach is unified for all browsers. We use it in our projects. To sign the user-data you will need to use JCA API (http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#Signature). Also you will need to solve problem with accessing windows certificate store from java.
您可以解决它通过这种方式:
You can solve it in this way:
KeyStore keystore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keystore.load(null, null);
HashMap<String,String> userPublicKeys = new HashMap<String,String>();
Enumeration<String> aliasesEnum = keystore.aliases();
if (!aliasesEnum.hasMoreElements())
throw new Exception("No certificate!");
// list through windows personal store
while (aliasesEnum.hasMoreElements())
{
String alias = aliasesEnum.nextElement();
boolean isKey = keystore.isKeyEntry(alias);
if (isKey)
{
BASE64Encoder encoder = new BASE64Encoder();
encoder.encode(keystore.getCertificate(alias).getEncoded());
userPublicKeys.put(alias, encoder.encode(keystore.getCertificate(alias).getEncoded()));
System.out.println("Entry alias: " + alias);
}
// sign
PrivateKey privateKey = (PrivateKey) keystore.getKey(alias,null);
Provider provider = keystore.getProvider();
// data to signed
byte[] data ="test data".getBytes();
// Signing the data
Signature sig = Signature.getInstance("SHA1withRSA", provider);
sig.initSign(privateKey);
sig.update(data);
byte[] signature = sig.sign();
System.out.println(ByteArrayToFromHexDigits.bytesToHexString(signature).toUpperCase());
}
这篇关于签署与用户证书的Web表单数据的最佳方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
