对 pdf 进行数字签名
我的公司有一个网络文档管理应用程序,我被指派寻找一种使用用户数字证书签署 pdf 文件的方法。
pdf 的大小可以从几 kb 到超过 100 Mb,这是通过互联网进行的,因此签名必须在网络服务器上进行。
为了做到这一点,我构建了一个 activeX 控件,要求用户选择证书,然后使用 WebClient.UploadData 将证书上传到网页,将证书作为字节数组发送。
在网页上,当我尝试签署 pdf 文档时,出现错误“密钥不存在”。 这对我来说并不奇怪,因为当我在选择正确的证书后直接通过 https 连接使用证书时,系统会提示我输入密钥。 activeX 不会发生这种情况。
这就是我从用户那里获取证书的方式:
private static X509Certificate2 PickCertificate()
{
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
store.Open(OpenFlags.ReadOnly);
// pick a certificate from the store
X509Certificate2 cert = X509Certificate2UI.SelectFromCollection(store.Certificates, "Title", "Message", X509SelectionFlag.SingleSelection)[0];
// show certificate details dialog
X509Certificate2UI.DisplayCertificate(cert);
store.Close();
return cert;
}
finally { store.Close(); }
}
我如何要求用户提供我丢失的密钥?
My company has a web document management application and I have been assigned to find a way to sign pdf files with the user digital certificate.
The pdfs can go from a few kb to over 100Mb, this is over the internet so the signature must take place at the web server.
In order to do this i have built an activeX control that asks the user to choose the certificate, then uploads it to a webpage using WebClient.UploadData sending the certificate as a byte array.
On the web page when i'm trying to sign the pdf document i am getting an error "Key does not exist". This comes to no surprise to me because when i was using the certificate directly over an https connection after i choose the proper certificate i would be prompt for the key. This is not happening with the activeX.
This is how i'm getting the certificate from the user:
private static X509Certificate2 PickCertificate()
{
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
store.Open(OpenFlags.ReadOnly);
// pick a certificate from the store
X509Certificate2 cert = X509Certificate2UI.SelectFromCollection(store.Certificates, "Title", "Message", X509SelectionFlag.SingleSelection)[0];
// show certificate details dialog
X509Certificate2UI.DisplayCertificate(cert);
store.Close();
return cert;
}
finally { store.Close(); }
}
How can I ask the user to provide the key i am missing?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您希望用户将其证书的私钥上传到网络服务器,以便它可以签署 PDF? 如果是这样,从安全角度来看,这从根本上被破坏了。
我认为您可能忽略了公共证书!=私钥这一点。 (我们大多数人都很草率,使用“证书”这个词来指代其中一个(或两者),所以这并不完全令人惊讶)。 根据记忆,CryptoAPI 仅具有一组允许您访问密钥的精选方法。 其中必须有一个“导出为 PFX”方法,这样如果您真的非常愿意,就可以使您的设计发挥作用,但我不建议这样做。 (将私钥发送到网络服务器、破坏不可否认性等的风险)。
如果您确实必须在服务器上进行签名[我不太明白您的论点,签名不应在上传中添加太多数据],那么您可能应该考虑多层架构和密钥托管机制。 这样您至少可以最大限度地减少一些安全问题(但您仍然会失去不可否认性......并引入其他风险。这里没有免费的午餐)。
所以...您可能需要考虑重新构建您的应用程序,以便在上传 PDF 文件之前在客户端(在您的 ActiveX 控件中)上进行 PDF 签名。 我想您将需要一个第三方库来执行签名步骤,如 this SO thread 中讨论的那样。
You want the user to upload their certificate's private key to the webserver so that it may sign PDFs? If so, that's fundamentally broken from a security perspective.
I think you may have missed the point that public certificate != private key. (Most of us are sloppy and use the word "certificate" to refer to either (or both) of those things, so that's not entirely suprising). Going from memory, the CryptoAPI only has a select set of methods that will allow you to access the key. There must be an "export as PFX" method amongst those, so you could make your design work if you really, really wanted to, but there's no way I'd recommend this. (Risk of sending private keys to webserver, broken non-repudiation, etc etc).
If you really must do the signing on the server [I don't really understand your argument, signature should not add much data to the upload], then you should probably consider a multi-tiered architecture, and a key escrow mechanism. This way you can at least minimize some of the security concerns (but you'll still lose non-repudiation... and introduce other risks. No free lunch here).
So... you probably need to consider re-architecting your application so that PDF signature occurs on the client (in your ActiveX control), before the PDF file is uploaded. I imagine you will need a 3rd-party library for the signature step as discussed in this SO thread.