如何在.NET代码中使用X509证书进行操作
我有一些代码需要使用 X509 证书信息。我已经下载了一个执行此操作的示例:
const string CertWithoutPrivateKey = "MII....";
const string CertWithPrivateKey = "MII...";
public static SecurityToken GetSigningToken(bool includePrivateKey)
{
X509Certificate2 cert = null;
if (includePrivateKey)
{
cert = new X509Certificate2(
Convert.FromBase64String(CertWithPrivateKey),
"pw", X509KeyStorageFlags.PersistKeySet);
}
else
{
cert = new X509Certificate2(
Convert.FromBase64String(CertWithoutPrivateKey));
}
return cert;
}
代码需要能够使用私钥获取证书。 Saml2AuthenticationModule(来自 SAML 2.0 协议的 WIF 扩展)依赖此私钥来解密从 SAML 身份提供商发送的信息。
我对证书或加密不太了解,但在我看来,将证书硬编码到类中并不安全。
那么,我的代码应该如何使用私钥检索证书?据我所知,此代码仅在应用程序启动时运行一次(因此也可能在应用程序池回收之后运行)。
我可以:
- 将证书存储为配置文件中的 appSetting。只要appSettings配置加密,这安全吗?
- 将证书存储在数据库中。
- 将证书作为文件存储在 bin/App_Data 中。据我所知,这意味着它无法通过网络读取,但任何可以访问主机服务器的人都可以清楚地看到它。在我看来,如果有人可以进入我的服务器,让他们阅读此证书可能是我最不担心的事情。
还有其他选择吗?在这种情况下什么是最合适的?
I have some code that needs to work with X509 Certificate information. I have downloaded a sample that does this:
const string CertWithoutPrivateKey = "MII....";
const string CertWithPrivateKey = "MII...";
public static SecurityToken GetSigningToken(bool includePrivateKey)
{
X509Certificate2 cert = null;
if (includePrivateKey)
{
cert = new X509Certificate2(
Convert.FromBase64String(CertWithPrivateKey),
"pw", X509KeyStorageFlags.PersistKeySet);
}
else
{
cert = new X509Certificate2(
Convert.FromBase64String(CertWithoutPrivateKey));
}
return cert;
}
The code needs to be able to get the cert with the private key. The Saml2AuthenticationModule (from the WIF Extension for the SAML 2.0 Protocol) relies on this private key to decrypt information sent from a SAML Identity Provider.
I don't know much about certificates or encryption, but it seems to me that hard-coding the certificate into a class is not secure.
So, how should my code go about retrieving the cert with private key? Afaik, this code is only run one time at app startup (so probably also after an app pool recycle).
I could:
- Store the cert as an appSetting in config file. As long as appSettings are config encrypted, is this secure?
- Store the cert in a database.
- Store the cert as a file in bin/App_Data. Afaik this means it could not be read over the web, but would be in plain view to anyone who can access the host server. Imo if someone can get into my server, letting them read this cert is probably the least of my worries.
Are there any other options? What is most appropriate in this case?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
带或不带私钥的证书都可以保存到用户或计算机的 X509 存储中。这已经具有内置的 Windows 安全性,应该足够了。您可以将
mmc与证书管理单元结合使用,将证书添加到存储区并进行管理。对证书的引用(例如其名称或缩略图)可以保存到配置文件中并用于检索证书。检索可能如下所示:
在集合上使用
Find是另一种(也是更简洁的)搜索证书的方法。A certificate with or without private key can be save to X509 store of a user or the computer. This already has build-in Windows security that should be sufficient. You can use
mmcwith Certificates snap-in to add certificates to the store and manage them.A reference to the certificate, for example, its name or thumbnail, can saved to the config file and used to retrieve the certificate. The retrieval may look like the following:
Using
Findon the collection is another (and cleaner) way to search certificates.我不确定 WIF 是如何做到这一点的(您可能可以使用 Reflector 来查看它与证书存储交互的内部机制),但听起来您正在 IIS 托管的应用程序中使用 WIF。如果是这种情况,WIF 应该为您处理所有证书交互。您只需确保设置了以下内容:
I'm not sure how WIF does it (you could probably use Reflector to see the internals of how it interacts with the certificate store), but it sounds like you are using WIF in an application hosted in IIS. If that's the case, WIF should take care of all the certificate interactions for you. You'll just have to make sure you have the following things set up: