1 vote

I'm trying to develop a simple C# signature API to be used by a web intranet procedure. This signature API must allow a subject connected to the web application to use his certificate (on a smart card or on a USB stick) to sign a document (a PDF file).

When I try to initialize an RSACryptoServiceProvider as suggested here: http://msdn.microsoft.com/en-us/library/ms229931.aspx:

using System.Security.Cryptography;

// Create a new CspParameters object that identifies a
// Smart Card Cryptographic Provider.
// The 1st parameter (provider type) comes from
// HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider Types.
// The 2nd parameter (provider name) comes from
// HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider.
CspParameters csp = new CspParameters(1, "Schlumberger Cryptographic Service Provider");
csp.Flags = CspProviderFlags.UseDefaultKeyContainer;
// Initialize an RSACryptoServiceProvider object using
// the CspParameters object (this is the call that throws).
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);

I get a CryptographicException:

keyset does not exist

I looked at the windows registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider and did not find any smart card provider.
I'm using a Dell Latitude with a card reader and installed all the drivers (I think so...).
So my questions are:

  • Is the provider specified in the parameters for using the reader or for reading the card, or both?
  • Is there a generic smart card CSP publicly available, or should it typically be delivered with the smart card?
  • May I use other types of certificates (e.g. a CA-signed or self-signed certificate stored on disk or on a USB stick)? How?
1
If somebody is still looking for help with signing PDFs from a web application using modern browsers, please refer to SO answer stackoverflow.com/a/55676351/9659885 - Bharat Vasant

1 Answer

3 votes
  • Is the provider specified in the parameters for using the reader or for reading the card, or both?

It's for using a CSP. A CSP can handle a hardware device, but it can also handle crypto operations with private keys stored in a software store, as e.g. the Microsoft Enhanced Cryptographic Provider does.

  • Is there a generic smart card CSP publicly available, or should it typically be delivered with the smart card?

It is typically delivered with the smart card's middleware. These days you will very often find that the middleware installs a Smart Card Minidriver. These minidrivers are used by the Microsoft Base Smart Card Crypto Provider. The other option is that the middleware installs a whole new CSP.

  • May I use other types of certificates (e.g. a CA-signed or self-signed certificate stored on disk or on a USB stick)? How?

You can load e.g. a PKCS#12 file using the X509Certificate2 class. Then cast its PrivateKey property to RSACryptoServiceProvider.

OK, now to the code that you referenced. This code will find the first private key in the default container using the given CSP. You don't know what key has been found. You don't know what certificate this key belongs to. Look at this SO answer.

I would suggest implementing basic certificate selection using the X509Certificate2UI.SelectFromCollection method. If the user does not want to use a certificate available in the store but instead wants to use a certificate on a USB stick, then give him the option to select a file and use the X509Certificate2 class. Now that you have an X509Certificate2 selected (in both cases you end up with an X509Certificate2), cast its PrivateKey property to RSACryptoServiceProvider.
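The two selection paths the answer describes (pick from the Windows certificate store, or load a PKCS#12 file from disk or a USB stick), followed by an RSA signature, as an added example that is not code from the question or the answer. The class name Signer, the filter and the sample input are my own. It assumes .NET Framework 4.6 or later (for GetRSAPrivateKey) on Windows, and it uses GetRSAPrivateKey() instead of the answer's cast to RSACryptoServiceProvider, because a certificate whose key lives in a CNG key storage provider yields an RSACng and the cast throws an InvalidCastException; GetRSAPrivateKey returns a usable RSA object for both. Note that X509Certificate2UI shows its dialog on the machine executing the code, so this must run on the user's desktop, not inside a server-side web application.

```csharp
// Added example, not from the original question or answer.
// Select a signing certificate (store picker or PKCS#12 file), check it is
// usable for signing, and produce/verify an RSA-SHA256 signature over a buffer.
// Assumes .NET Framework 4.6+ (or .NET on Windows) in an interactive session.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class Signer // hypothetical class name
{
    // Show the Windows certificate picker, limited to certificates that carry a
    // private key and whose KeyUsage allows digital signature / non-repudiation.
    public static X509Certificate2 SelectFromStore()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            var candidates = new X509Certificate2Collection();
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (cert.HasPrivateKey && AllowsDigitalSignature(cert))
                    candidates.Add(cert);
            }

            X509Certificate2Collection picked = X509Certificate2UI.SelectFromCollection(
                candidates,
                "Select signing certificate",
                "Choose the certificate (smart card or software key) to sign the document with.",
                X509SelectionFlag.SingleSelection);

            return picked.Count == 1 ? picked[0] : null; // null: user cancelled
        }
    }

    // Load certificate + private key from a PKCS#12 (.pfx/.p12) file on disk or a USB stick.
    // EphemeralKeySet keeps the key out of the persistent Windows key store; it needs
    // .NET Framework 4.7.2 / .NET Core 2.0 or later, otherwise use DefaultKeySet.
    public static X509Certificate2 LoadFromPfx(string path, string password)
    {
        return new X509Certificate2(File.ReadAllBytes(path), password,
            X509KeyStorageFlags.EphemeralKeySet);
    }

    // True if the certificate has no KeyUsage extension (unrestricted) or its
    // KeyUsage includes DigitalSignature or NonRepudiation.
    static bool AllowsDigitalSignature(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            var ku = ext as X509KeyUsageExtension;
            if (ku != null)
                return (ku.KeyUsages & (X509KeyUsageFlags.DigitalSignature |
                                        X509KeyUsageFlags.NonRepudiation)) != 0;
        }
        return true;
    }

    // Sign with the certificate's RSA private key. For a smart card the call below
    // triggers the PIN prompt of the card's CSP/minidriver. Old provider types
    // (e.g. the plain Enhanced CSP) lack SHA-256; the Base Smart Card CSP has it.
    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        if (!cert.HasPrivateKey)
            throw new CryptographicException("Certificate has no private key.");

        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new CryptographicException("Private key is not an RSA key.");
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static bool Verify(X509Certificate2 cert, byte[] data, byte[] signature)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Usage: Signer.exe [path-to.pfx [password]]; with no arguments the store picker is shown.
    static void Main(string[] args)
    {
        X509Certificate2 cert = args.Length > 0
            ? LoadFromPfx(args[0], args.Length > 1 ? args[1] : "")
            : SelectFromStore();
        if (cert == null) { Console.WriteLine("No certificate selected."); return; }

        // Constructed sample input; a real caller passes the PDF bytes (or its hash).
        byte[] document = Encoding.UTF8.GetBytes("sample document contents");
        byte[] sig = Sign(cert, document);
        Console.WriteLine("Signed with {0}: {1}-byte signature, verifies: {2}",
            cert.Subject, sig.Length, Verify(cert, document, sig));
    }
}
```

Filtering on HasPrivateKey and KeyUsage before showing the picker avoids the problem the answer points out with the default-container approach: the user chooses a specific certificate, and only one that can actually sign. The RSA object returned by GetRSAPrivateKey is a separate instance that the caller owns, so disposing it after signing does not invalidate the certificate.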