SignedCms.CheckSignature() with a renewed certificate -> new serial?
I am using
SignedCms.CheckSignature(certColl, true)
(with only one cert in certColl) to verify the signature of a PKCS #7 message. My problem is that I don't want to change the (public part of the) signer's certificate on my server after the signer has renewed his certificate :-( The public key, issuer and subject remain unchanged after the signer has renewed his certificate! So this has to work - at least in my opinion, even if I'm not a crypto geek :-)
...but, unfortunately, the .NET Framework throws a CryptographicException "Cannot find the original signer", and as the stack trace says, exactly at:
SignerInfo.CheckSignature(X509Certificate2Collection extraStore, Boolean verifySignatureOnly)
This must be because the serial number of the signer's certificate has changed and the SignerIdentifier property is read-only and set to IssuerAndSerialNumber.
Does anyone know how to work around this?
Or do I have to implement a "handmade" signature verification with something like: signedMessage.ComputeSignature(signer, false)?
Thanks in advance and happy programming,
Krile
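An added example (not part of the original post) that reproduces the failure described above with .NET's SignedCms API: the same RSA key is put into two self-signed certificates, the message is signed with the first, and verification is attempted with each. It assumes .NET 5+ (CertificateRequest and RSA.Create are not available in the .NET Framework the post uses); the certificates, subject name and message content are constructed for the demo.

```csharp
// Added example, not from the original post: reproduce the question's failure with
// .NET's SignedCms. Assumes .NET 5+ (CertificateRequest, RSA.Create, using declarations).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
static class RenewedSignerDemo
{
    // Constructed test certificates: the same RSA key certified twice. Each call picks a
    // fresh random serial, so the second certificate stands in for the signer's renewed one.
    static X509Certificate2 Issue(RSA key, DateTimeOffset from) =>
        new CertificateRequest("CN=Signer (constructed)", key, HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1).CreateSelfSigned(from, from.AddYears(1));
    static byte[] Sign(X509Certificate2 cert, byte[] content)
    {
        var cms = new SignedCms(new ContentInfo(content), detached: false);
        // IssuerAndSerialNumber is the identifier the question describes; carry no
        // certificates inside the message so verification relies solely on certColl.
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert)
            { IncludeOption = X509IncludeOption.None };
        cms.ComputeSignature(signer, silent: true);
        return cms.Encode();
    }
    // The same call as in the question, plus a diagnostic of what is actually matched:
    // the identifier is the issuer DN plus serial number, not the public key.
    static bool Verify(byte[] encoded, X509Certificate2 trusted)
    {
        var cms = new SignedCms();
        cms.Decode(encoded);
        var id = cms.SignerInfos[0].SignerIdentifier;
        if (id.Type == SubjectIdentifierType.IssuerAndSerialNumber)
            Console.WriteLine($"message serial {((X509IssuerSerial)id.Value).SerialNumber}, " +
                              $"stored serial {trusted.SerialNumber}");
        try { cms.CheckSignature(new X509Certificate2Collection(trusted), verifySignatureOnly: true); return true; }
        catch (CryptographicException e) { Console.WriteLine(e.Message); return false; }
    }
    static void Main()
    {
        using RSA key = RSA.Create(2048);
        var original = Issue(key, DateTimeOffset.UtcNow);
        var renewed = Issue(key, DateTimeOffset.UtcNow.AddMonths(11));
        byte[] msg = Sign(original, Encoding.UTF8.GetBytes("constructed sample content"));
        Console.WriteLine(Verify(msg, original)); // identifier matches the stored certificate
        Console.WriteLine(Verify(msg, renewed));  // same key and issuer, but a new serial number
    }
}
```

The second Verify call shows why the server-side copy must be refreshed whenever the signer renews: the lookup is keyed on issuer and serial, so an unchanged public key is never consulted.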
Comments (1)
For all interested in this issue:
Someone told me that this is due to the PKCS #7 specification, which states that the SubjectKeyIdentifier is always set to IssuerAndSerialNumber.