我正在使用syncfusion pdf对pdf文件进行数字签名。在他们的网站上,他们有一个外部签名PDF的示例。我稍微更改了示例,以便可以从Windows证书存储区选择证书。所选证书需要PIN码,以便弹出对话框。函数Signature_ComputeHast是纯C#代码。如何在下面的代码中以编程方式输入PIN?
private static X509Certificate2 SelectCertificate()
{
// Selecte certificate from store
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
X509Certificate2Collection selectedCertificate = (X509Certificate2Collection)collection.Find(X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, false);// (X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, true);
selectedCertificate = X509Certificate2UI.SelectFromCollection(
store.Certificates,
"Certficates",
"Select a certificate for signing the document",
X509SelectionFlag.SingleSelection);
return selectedCertificate[0];
}
void Signature_ComputeHash(object sender, PdfSignatureEventArgs arguments)
{
//Get the document bytes
byte[] documentBytes = arguments.Data;
SignedCms signedCms = new SignedCms(new ContentInfo(documentBytes), detached: true);
//Compute the signature using the specified digital ID file and the password
X509Certificate2 certificate = SelectCertificate();
var cmsSigner = new CmsSigner(certificate);
//Set the digest algorithm SHA256
cmsSigner.DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1");
signedCms.ComputeSignature(cmsSigner);
//Embed the encoded digital signature to the PDF document
arguments.SignedData = signedCms.Encode();
}
答案 0 :(得分:1)
您将需要使用RSACryptoServiceProvider或RSACng cng(在.NET核心中)类,这些类在Windows上以更高的粒度支持硬件安全模块。您可以创建带有参数的适当类的新实例,以包含如下密码:
if(certificate.PrivateKey is RSACryptoServiceProvider rsa) {
if(rsa.CspKeyContainerInfo.HardwareDevice) {
CspParameters cspParams = new CspParameters(1, rsa.CspKeyContainerInfo.ProviderName,
rsa.CspKeyContainerInfo.UniqueKeyContainerName) {
KeyPassword = certPassword,
Flags = CspProviderFlags.NoPrompt
};
byte[] signedCMSBytes = new RSACryptoServiceProvider(cspParams).SignData(documentBytesDigest);
}
}
据我所知,在签名之前,您需要自己创建documentBytes摘要的哈希摘要,并将其与所需的经过身份验证的属性一起放入PKCS#7中。之后,您需要将所有未经身份验证的属性添加到CMS。我个人使用Bouncy Castle进行所有操作。但是我们必须使用MS SSC与OS交互才能访问HSM。对于SSC类,可能有一种方法可以做到这一切。顺便说一下,certPassword是SecureString。