如何使用 .Net Core 创建 PKCS#7 分离签名?
How to create a PKCS#7 detached signature with .Net Core?
我想使用 .Net Core (2.0) 创建 PKCS#7 分离签名。
我阅读了此处与我的问题或多或少相关的所有答案,并找到了 this and 个答案。其他人都束手无策。第一个示例完全符合我的需要,但它依赖于 .NetFramework。
第二个使用 Bouncy Castle 库,做一些不同但相似的事情。我发现 Portable.BouncyCastle 项目在 .Net Core 上运行。据我所知,这是我唯一的选择。
这是第一个示例中的代码,经过一些修改:
string s = "data string";
byte[] data = Encoding.UTF8.GetBytes(s);
X509Certificate2 certificate = null;
X509Store my = new X509Store(StoreName.My,StoreLocation.CurrentUser);
my.Open(OpenFlags.ReadOnly);
certificate = my.Certificates.Find(X509FindType.FindByThumbprint, "my thumbprint", false)[0];
if (certificate == null) throw new Exception("No certificates found.");
ContentInfo content = new ContentInfo(new Oid("1.2.840.113549.1.7.1"),data);
SignedCms signedCms = new SignedCms(content, true);
CmsSigner signer = new CmsSigner(certificate);
signer.DigestAlgorithm = new Oid("SHA256");
// create the signature
signedCms.ComputeSignature(signer);
return signedCms.Encode();
在我的情况下效果很好。 signedCms.Encode() returns 1835 字节并且此值通过验证。
但如果我使用 BounceCastle,我会得到另一个结果。这是代码:
X509Certificate2 certificate = null;
X509Store my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
my.Open(OpenFlags.ReadOnly);
certificate = my.Certificates.Find(X509FindType.FindByThumbprint, "my thumbprint", false)[0];
var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = DotNetUtilities.FromX509Certificate(certificate);
var content = new CmsProcessableByteArray(data);
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privKey, cert, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256);
var signedContent = generator.Generate(content, false);
return signedContent.GetEncoded();
signedContent.GetEncoded() returns 502 字节,无法验证此结果。我知道我做错了什么,但我不知道是什么。
我应该如何修改带有 Bouncy Castle 的示例才能得到与上述代码相同的结果?
我找到了另一个 that gave me a clue. There is a link to a GitHub repo 示例应用程序。我稍微修改了一下,现在它按预期工作了。这是代码:
X509Certificate2 certificate = null;
X509Store my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
my.Open(OpenFlags.ReadOnly);
certificate = my.Certificates.Find(X509FindType.FindByThumbprint, "thumbprint", false)[0];
var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = DotNetUtilities.FromX509Certificate(certificate);
var content = new CmsProcessableByteArray(data);
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privKey, cert, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256);
var signedContent = generator.Generate(content, false);
string hashOid = OID.SHA256;
var si = signedContent.GetSignerInfos();
var signer = si.GetSigners().Cast<SignerInformation>().First();
SignerInfo signerInfo = signer.ToSignerInfo();
Asn1EncodableVector digestAlgorithmsVector = new Asn1EncodableVector();
digestAlgorithmsVector.Add(
new AlgorithmIdentifier(
algorithm: new DerObjectIdentifier(hashOid),
parameters: DerNull.Instance));
// Construct SignedData.encapContentInfo
ContentInfo encapContentInfo = new ContentInfo(
contentType: new DerObjectIdentifier(OID.PKCS7IdData),
content: null);
Asn1EncodableVector certificatesVector = new Asn1EncodableVector();
certificatesVector.Add(X509CertificateStructure.GetInstance(Asn1Object.FromByteArray(cert.GetEncoded())));
// Construct SignedData.signerInfos
Asn1EncodableVector signerInfosVector = new Asn1EncodableVector();
signerInfosVector.Add(signerInfo.ToAsn1Object());
// Construct SignedData
SignedData signedData = new SignedData(
digestAlgorithms: new DerSet(digestAlgorithmsVector),
contentInfo: encapContentInfo,
certificates: new BerSet(certificatesVector),
crls: null,
signerInfos: new DerSet(signerInfosVector));
ContentInfo contentInfo = new ContentInfo(
contentType: new DerObjectIdentifier(OID.PKCS7IdSignedData),
content: signedData);
return contentInfo.GetDerEncoded();
我想使用 .Net Core (2.0) 创建 PKCS#7 分离签名。
我阅读了此处与我的问题或多或少相关的所有答案,并找到了 this and
第二个使用 Bouncy Castle 库,做一些不同但相似的事情。我发现 Portable.BouncyCastle 项目在 .Net Core 上运行。据我所知,这是我唯一的选择。
这是第一个示例中的代码,经过一些修改:
string s = "data string";
byte[] data = Encoding.UTF8.GetBytes(s);
X509Certificate2 certificate = null;
X509Store my = new X509Store(StoreName.My,StoreLocation.CurrentUser);
my.Open(OpenFlags.ReadOnly);
certificate = my.Certificates.Find(X509FindType.FindByThumbprint, "my thumbprint", false)[0];
if (certificate == null) throw new Exception("No certificates found.");
ContentInfo content = new ContentInfo(new Oid("1.2.840.113549.1.7.1"),data);
SignedCms signedCms = new SignedCms(content, true);
CmsSigner signer = new CmsSigner(certificate);
signer.DigestAlgorithm = new Oid("SHA256");
// create the signature
signedCms.ComputeSignature(signer);
return signedCms.Encode();
在我的情况下效果很好。 signedCms.Encode() returns 1835 字节并且此值通过验证。
但如果我使用 BounceCastle,我会得到另一个结果。这是代码:
X509Certificate2 certificate = null;
X509Store my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
my.Open(OpenFlags.ReadOnly);
certificate = my.Certificates.Find(X509FindType.FindByThumbprint, "my thumbprint", false)[0];
var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = DotNetUtilities.FromX509Certificate(certificate);
var content = new CmsProcessableByteArray(data);
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privKey, cert, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256);
var signedContent = generator.Generate(content, false);
return signedContent.GetEncoded();
signedContent.GetEncoded() returns 502 字节,无法验证此结果。我知道我做错了什么,但我不知道是什么。
我应该如何修改带有 Bouncy Castle 的示例才能得到与上述代码相同的结果?
我找到了另一个
X509Certificate2 certificate = null;
X509Store my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
my.Open(OpenFlags.ReadOnly);
certificate = my.Certificates.Find(X509FindType.FindByThumbprint, "thumbprint", false)[0];
var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = DotNetUtilities.FromX509Certificate(certificate);
var content = new CmsProcessableByteArray(data);
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privKey, cert, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256);
var signedContent = generator.Generate(content, false);
string hashOid = OID.SHA256;
var si = signedContent.GetSignerInfos();
var signer = si.GetSigners().Cast<SignerInformation>().First();
SignerInfo signerInfo = signer.ToSignerInfo();
Asn1EncodableVector digestAlgorithmsVector = new Asn1EncodableVector();
digestAlgorithmsVector.Add(
new AlgorithmIdentifier(
algorithm: new DerObjectIdentifier(hashOid),
parameters: DerNull.Instance));
// Construct SignedData.encapContentInfo
ContentInfo encapContentInfo = new ContentInfo(
contentType: new DerObjectIdentifier(OID.PKCS7IdData),
content: null);
Asn1EncodableVector certificatesVector = new Asn1EncodableVector();
certificatesVector.Add(X509CertificateStructure.GetInstance(Asn1Object.FromByteArray(cert.GetEncoded())));
// Construct SignedData.signerInfos
Asn1EncodableVector signerInfosVector = new Asn1EncodableVector();
signerInfosVector.Add(signerInfo.ToAsn1Object());
// Construct SignedData
SignedData signedData = new SignedData(
digestAlgorithms: new DerSet(digestAlgorithmsVector),
contentInfo: encapContentInfo,
certificates: new BerSet(certificatesVector),
crls: null,
signerInfos: new DerSet(signerInfosVector));
ContentInfo contentInfo = new ContentInfo(
contentType: new DerObjectIdentifier(OID.PKCS7IdSignedData),
content: signedData);
return contentInfo.GetDerEncoded();