Home/ Questions/Q 3222260
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T15:58:14+00:00

We have a C# web app where users will connect using a digital certificate

  • 0

We have a C# web app where users will connect using a digital certificate stored in their browsers.

From the examples that we have seen, verifying their identity will be easy once we enable SSL, as we can access the fields in the certificate, using Request.ClientCertificate, to check the user’s name.

We have also been requested, however, to sign the data sent by the user (a few simple fields and a binary file) so that we can prove, without doubt, which user entered each record in our database.

Our first thought was creating a small text signature including the fields (and, if possible, the md5 of the file) and encrypt it with the private key of the certificate, but…

As far as I know we can’t access the private key of the certificate to sign the data, and I don’t know if there is any way to sign the fields in the browser, or we have no other option than using a Java applet. And if it’s the latter, how we would do it (Is there any open source applet we can use? Would it be better if we create one ourselves?)

Of course, it would be better if there was any way to “sign” the fields received in the server, using the data that we can access from the user’s certificate. But if not, any info on the best way to solve the problem would be appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I suggest you to use java-applet. This approach is unified for all browsers. We use it in our projects. To sign the user-data you will need to use JCA API (http://download.oracle.com/javase/1.4.2/docs/guide/security/CryptoSpec.html#Signature). Also you will need to solve problem with accessing windows certificate store from java.

    You can solve it in this way:

    KeyStore keystore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");

keystore.load(null, null);

HashMap<String,String> userPublicKeys = new HashMap<String,String>();

Enumeration<String> aliasesEnum = keystore.aliases();

if (!aliasesEnum.hasMoreElements())
    throw new Exception("No certificate!");

// list through windows personal store
while (aliasesEnum.hasMoreElements()) 
{
   String alias = aliasesEnum.nextElement();

   boolean isKey = keystore.isKeyEntry(alias);

   if (isKey)
   {
       BASE64Encoder encoder = new BASE64Encoder();
       encoder.encode(keystore.getCertificate(alias).getEncoded());

       userPublicKeys.put(alias, encoder.encode(keystore.getCertificate(alias).getEncoded()));
       System.out.println("Entry alias: " + alias); 
   }

   // sign
   PrivateKey privateKey = (PrivateKey) keystore.getKey(alias,null);           

   Provider provider = keystore.getProvider();
   // data to signed
   byte[] data ="test data".getBytes();
   // Signing the data
   Signature sig = Signature.getInstance("SHA1withRSA", provider);
   sig.initSign(privateKey);

   sig.update(data);
   byte[] signature = sig.sign();

   System.out.println(ByteArrayToFromHexDigits.bytesToHexString(signature).toUpperCase());
}
    • 0