How to trigger and check the password for a certificate?

  • Question

  • I have the following :

    • Card reader (USB)
    • ID Card (with a couple of certificates)
    • Correct root certificate installed
    • Installed NETID (software that acts as a simple interface between the reader and my code, for example reacting to card insertion and installing the certificates into my personal store)

    This is the code I use after a card is inserted :

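    /// <summary>
    /// Lets the user pick a client certificate from the current user's "My" store that was
    /// issued by <paramref name="truestedIssuerNames"/> and carries the DigitalSignature key usage.
    /// </summary>
    /// <param name="truestedIssuerNames">Issuer name to match (FindByIssuerName matches a substring of the issuer).</param>
    /// <returns>The selected certificate, or null when the store is empty, no certificate
    /// matches, or the user cancels the selection dialog.</returns>
    private X509Certificate2 GetClientCertificate(string truestedIssuerNames)
    {
        X509Store store = new X509Store(StoreName.My);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            if (store.Certificates.Count == 0)
            {
                return null;
            }

            // validOnly = true on both Find calls drops certificates whose chain does not build
            // to a trusted root, so a certificate from an unknown issuer is never offered.
            X509Certificate2Collection candidates = store.Certificates
                .Find(X509FindType.FindByIssuerName, truestedIssuerNames, true)
                .Find(X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, true);

            // Nothing to choose from: skip the (empty) picker dialog instead of showing it.
            if (candidates.Count == 0)
            {
                return null;
            }

            X509Certificate2Collection selected = X509Certificate2UI.SelectFromCollection(
                candidates,
                "Identify Certificate",
                "Select a certificate to identity yourself with",
                X509SelectionFlag.SingleSelection);

            if (selected.Count > 0)
            {
                txtInfo.Text = "Use certificate " + selected[0].ToString();
                return selected[0];
            }

            return null;
        }
        finally
        {
            // The store wraps a native handle; the original never released it.
            store.Close();
        }
    }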

    The code will show a dialog that let me choose the correct certificate.

    To use this in a WCF communication I would use a code like this :

    ClientService clientService = new ClientService();
                    // Callback instance handed to the duplex channel; the factory is built around it.
                    InstanceContext context = new InstanceContext(clientService);
    
                    DuplexChannelFactory<MyApp.ServiceContracts.IMyAppClientService> factory = new DuplexChannelFactory<MyApp.ServiceContracts.IMyAppClientService>(context, connectionName);
    
                    // Attach the client certificate only when one was selected (see GetClientCertificate).
                    // NOTE(review): presumably the PIN prompt the author sees is raised when the card's
                    // private key is first used by the channel — confirm.
                    if (personalCertificate != null)
                        factory.Credentials.ClientCertificate.Certificate = personalCertificate;
    
                    // NOTE(review): both a client certificate and a username/password are configured;
                    // which credential the service actually authenticates depends on the binding — confirm.
                    factory.Credentials.UserName.UserName = anvandarNamn;
                    factory.Credentials.UserName.Password = password;
                    // The factory is retained (presumably for a later Close/Abort); it is not disposed here.
                    serviceInstance = factory;
    
                    return factory.CreateChannel();

    This will bring up a dialog where a password is required. I need to perform this check without the WCF connection. Is this possible, and if so, how?


    Friday, December 6, 2013 7:39 AM

All replies

  • Hi,

    If you disconnect from WCF, how would you get the username and password information?

    Regards.

    Friday, December 6, 2013 10:15 AM
  • Hi,

    I was hoping that I could verify the user (card + PIN code) without using WCF/SSL.

    In this case I only have a simple WinForms client where I need to verify the user who uses the inserted card.

    Friday, December 6, 2013 10:39 AM
  • Hello,

    >>This will bring up a dialog where a password is required. I need to make this check without the WCF connection, is this possible, and if so, how?

    I am afraid that it is impossible; we can see that the ‘context’ object is initialized with the service instance or ServiceHost instance — see here and search for the constructor section.

    If we disconnect the service, we cannot initialize the service or ServiceHost. We need a Windows Service or a WCF service.

    For using a card certificate with .NET Security in C#, you can refer to link below:

    http://www.codeproject.com/Articles/240655/Using-a-Smart-Card-Certificate-with-NET-Security-i

    If I have misunderstood, please let me know.

    Regards.



    Monday, December 9, 2013 6:36 AM
    Moderator
  • Hi,

    I still do not understand. Is it possible to verify a user based on smart card and PIN without triggering some kind of communication like WCF (SSL)? All I need is to make sure it is the correct user for the inserted card. If it is possible to assure a service of the user's identity, it should also be possible to assure the client of it?

    I have looked at the CodeProject sample before, and according to that it seems possible to validate a user without some kind of communication (for example WCF (SSL)). But I can't get it to work.

    This is the code so far : 

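    /// <summary>
    /// Proves possession of the card's private key: the card signs a random challenge and the
    /// signature is verified against the expected public key in <c>xmlPubKey</c>.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        // Expected public key (RSAKeyValue XML) of the card's signature key. In a real client
        // take this from the card's certificate (X509Certificate2.PublicKey) after checking
        // that the certificate chains to the trusted issuer, rather than from a constant.
        const string xmlPubKey =
            @"<RSAKeyValue><Modulus>jyDy7cVpXHpMHG3odjcUmIZaQvCAT+dPQTfuoba0fUX/M9Nii609oxEswPk4D11MnZmv7f5mG456/I+Bf4r8KgQPBKMGTRaNd0wuMQOKvG9gwolEhL+jBIkmpodUK1+99qj7e1k4i4sB/k9TdecyJF4skYiMxR95bQu9PyjpUfc=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";

        try
        {
            // PIN that unlocks the card's private key. A constant is tolerable only in this
            // sample; a client must prompt for it. The SecureString is disposed when done, which
            // the original never did (it also built and discarded a second one from "0000").
            using (SecureString pwd = new SecureString())
            {
                foreach (char digit in "272850")
                {
                    pwd.AppendChar(digit);
                }
                pwd.MakeReadOnly();

                // Provider type 1 (PROV_RSA_FULL) and the container name are kept from the original sample.
                CspParameters csp = new CspParameters(
                    1,
                    "Net iD - CSP", // or "Microsoft Base Smart Card Crypto Provider"
                    "Codeproject_1",
                    new System.Security.AccessControl.CryptoKeySecurity(),
                    pwd);
                // Bind to the key that already exists on the card. Without this flag the provider
                // creates a new key pair when the container is not found, and a signature made
                // with that fresh key can never verify against xmlPubKey — the "always false" symptom.
                csp.Flags = CspProviderFlags.UseExistingKey;

                // Random 20-byte challenge. CreateSignature takes a hash value, and 20 bytes is the
                // SHA-1 digest length the formatter is configured for below. A CSPRNG is used so the
                // challenge cannot be predicted (and a recorded signature replayed).
                byte[] toSign = new byte[20];
                using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
                {
                    rng.GetBytes(toSign);
                }

                Console.WriteLine("Data to sign : " + BitConverter.ToString(toSign));

                byte[] signature;
                using (RSACryptoServiceProvider rsaCsp = new RSACryptoServiceProvider(csp))
                {
                    RSAPKCS1SignatureFormatter rsaSign = new RSAPKCS1SignatureFormatter(rsaCsp);
                    // SHA-1 is kept from the original; a PROV_RSA_FULL provider may not offer SHA-2.
                    rsaSign.SetHashAlgorithm("SHA1");
                    signature = rsaSign.CreateSignature(toSign);

                    // Print the public half of the key the card actually used, so a mismatch
                    // with xmlPubKey is visible instead of silently yielding "false".
                    Console.WriteLine("Card public key: " + rsaCsp.ToXmlString(false));
                }

                Console.WriteLine();
                Console.WriteLine("Signature: " + BitConverter.ToString(signature));

                bool verified;
                using (RSACryptoServiceProvider rsaCsp2 = new RSACryptoServiceProvider())
                {
                    rsaCsp2.FromXmlString(xmlPubKey);

                    RSAPKCS1SignatureDeformatter rsaVerify = new RSAPKCS1SignatureDeformatter(rsaCsp2);
                    rsaVerify.SetHashAlgorithm("SHA1");
                    verified = rsaVerify.VerifySignature(toSign, signature);
                }

                Console.WriteLine();
                Console.WriteLine("Signature verified [{0}]", verified);
            }
        }
        catch (Exception ex)
        {
            // Top-level sample entry point: report and exit rather than crash.
            Console.WriteLine("Crypto error: " + ex.Message);
        }
    }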

    The problem is that `verified` is always false, even when I know the PIN is correct. Why?

    Monday, December 9, 2013 8:17 AM
  • >>Is it possible to verify a user based on smartcard and pin without trigger some kind of communication like WCF(SLL)?

    As far as I know, it is impossible; we have to connect to a service.

    Tuesday, December 10, 2013 7:06 AM