English 中文(简体)
X509 Certificates, DigitalSignature vs NonRepudiation (C#)
原标题:

We have been handed a set of test sertificates on smart cards for developing a solution that requires XML messages to be signed using PKI. Each (physical) smart card seems to have two certificates stored on it. I import them into the Windows certificate store using software supplied by the smart card provider, and then use code resembling the following to iterate over the installed certificates:

foreach (X509Certificate2 x509 in CertStore.Certificates) {
  foreach (X509Extension extension in x509.Extensions) {
     if (extension.Oid.Value == "one we are interested in") {
        X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
        if ((ext.KeyUsages & X509KeyUsageFlags.DigitalSignature) != X509KeyUsageFlags.None) {
            // process certs here

We have been told to use the certificates that have the NonRepudiation key usage flag set to sign the XMLs. However, the certificate that has the NonRepudiation flag has this flag only, and not for instance the DigitalSignature flag which I check for above. Does this strike anyone but me as slightly odd? I am in other words told to sign with a certificate that does not (appear to) have the DigitalSignature usage flag set. Is this normal procedure? Any comments?

Thanks.

最佳回答

What key use does it have? You re right, this is a little odd, however if, for example, the key was used to provide AD logins then it may not have the flags set for DigitalSignature use. That s not to say you can t use it for that, it just indicates that the certificate issuer provides no guarantee when you go outside the key s indicated usage.

时间:2009-12-21 09:51:41
问题回答

If you want to provide a non-repudiation service, i.e. you want signatures have a LEGAL value, then you are supposed to use nonRepudiation only. Indeed, this is RECOMMENDED by standards (see ETSI TS 102 280) since the usage of other keyUsage bits together with nonRepudation may have security issues.

时间:2010-06-10 14:19:25

As I read RFC 5280 (4.2.1.3), nonRepudiation is a superset of digitalSignature. In other words it grants all the abilities of digitalSignature and then some. So technically, what they are asking for is valid, though perhaps unusual.

时间:2010-01-10 16:49:02


上一篇:
下一篇:


相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

时间:2009-11-13 04:17:47 回答:6 展示:1
NSArray s, Primitive types and Boxing Oh My!

I m pretty new to the Objective-C world and I have a long history with .net/C# so naturally I m inclined to use my C# wits. Now here s the question: I feel really inclined to create some type of ...

时间:2009-11-13 04:15:39 回答:4 展示:1
C# Marshal / Pinvoke CBitmap?

I cannot figure out how to marshal a C++ CBitmap to a C# Bitmap or Image class. My import looks like this: [DllImport(@"test.dll", CharSet = CharSet.Unicode)] public static extern IntPtr ...

时间:2009-11-13 03:47:30 回答:1 展示:1
How to Use Ghostscript DLL to convert PDF to PDF/A

How to user GhostScript DLL to convert PDF to PDF/A. I know I kind of have to call the exported function of gsdll32.dll whose name is gsapi_init_with_args, but how do i pass the right arguments? BTW, ...

时间:2009-11-13 03:33:19 回答:3 展示:1
Linqy no matchy

Maybe it s something I m doing wrong. I m just learning Linq because I m bored. And so far so good. I made a little program and it basically just outputs all matches (foreach) into a label control. ...

时间:2009-11-13 03:12:54 回答:2 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全