1
votes

I'm working on a research story involving web-based Smart Card authentication. We've managed to set up an environment that requires Smart Card PIN entry during the authentication process, but there's some disagreement about whether the resulting HttpClientCertificate includes any information representing a signature (i.e., some arbitrary data encrypted with the PIN/private key on the Smart Card).

Does anyone have experience dealing with signatures like this? I'm having real trouble finding examples describing any kind of web-based Smart Card/PIN authentication and then recording data from the HttpClientCertificate that would verify the signature.

1
No special experience with http certificates, but any certificate has a signature covering the [hash of the] public key (here: of the card), and signed either with the corresponding private key (self-signed cert.) or more likely with the private key from the CA, which verified the identity of the card holder. – guidot
Thanks - I think your comment answers my question - I was under the impression that the Certificate property on this class represented what you described. We're still waiting for our server admin to set up a test environment to confirm. – jwheron

1 Answer

1
votes

HttpClientCertificate, as the name suggests, contains the certificate (typically following X.509). So it does not contain "arbitrary" data encrypted with the PIN/private key on the smartcard (I assume you are actually trying to refer to session authentication data).

The certificate consists of only static data, which is

  • the public key that the certificate was issued for,
  • some metadata (such as identifying information for the key pair, parameters of the public-key cryptosystem, validity periods, usage constraints, etc.), and
  • a signature over that static data, which is either issued by a certificate authority (in case a certificate authority issued the certificate) or created with the private key that corresponds to the public key in the certificate (in case of a self-signed certificate / CA root certificate, though this should not be the case for TLS client certificates).

So HttpClientCertificate neither contains the private key associated with the certificate nor any dynamic data signed by the private key in order to authenticate the TLS session.
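The distinction the answer draws can be shown in code. The following is an added example, not code from the question or the answer, and it uses Go's standard crypto/x509 package in place of the .NET HttpClientCertificate class; the CA, the "card holder" subject, the nonce and the function names (Setup, VerifyStatic, SignSession, VerifySession, CertPublicKeyMatchesCard) are all constructed for the illustration. It builds a CA, issues a client certificate for a key that stands in for the card's PIN-protected key, re-parses the certificate from DER so that only the static structure survives, checks the one signature the certificate does carry (the CA's, over the public key and metadata), and then performs the dynamic step separately: a signature over a per-session nonce made with the private key and checked with the public key taken from the certificate, which is what a TLS handshake does in its CertificateVerify message rather than anything stored in the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds what each side needs: the CA cert (trust anchor on the server),
// the client cert (what HttpClientCertificate would expose), and the client
// private key, which in the real setup never leaves the smart card.
type Demo struct {
	CA, Client *x509.Certificate
	ClientKey  *ecdsa.PrivateKey // stands in for the card's PIN-protected key
}

// issueCert signs template for pub with parentKey. A nil parent makes the
// template sign itself (a CA root). The result is re-parsed from DER so we
// hold exactly the static structure a server receives in the handshake.
func issueCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Setup creates a constructed CA and a client certificate issued by it.
func Setup() (*Demo, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Smart Card CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issueCert(caTmpl, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "card holder"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, err := issueCert(clientTmpl, ca, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Demo{CA: ca, Client: client, ClientKey: clientKey}, nil
}

// VerifyStatic checks the only signature the certificate itself carries:
// the CA's signature over the TBSCertificate (public key plus metadata).
func VerifyStatic(d *Demo) error { return d.Client.CheckSignatureFrom(d.CA) }

// CertPublicKeyMatchesCard shows the certificate holds the public half only;
// the parsed structure has no field that could carry the private key.
func CertPublicKeyMatchesCard(d *Demo) bool {
	pub, ok := d.Client.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&d.ClientKey.PublicKey)
}

// SignSession is the card's part after PIN entry: sign session-specific data
// (a constructed nonce here; handshake transcript data in real TLS).
func SignSession(d *Demo, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.ClientKey, digest[:])
}

// VerifySession is the server's part: the public key from the presented
// certificate checks the signature over the session data. This signature is
// part of the handshake, never part of the certificate.
func VerifySession(d *Demo, nonce, sig []byte) error {
	return d.Client.CheckSignature(x509.ECDSAWithSHA256, nonce, sig)
}

func main() {
	d, err := Setup()
	if err != nil {
		panic(err)
	}
	c := d.Client
	fmt.Printf("subject=%s issuer=%s valid=%s..%s sigalg=%s\n",
		c.Subject.CommonName, c.Issuer.CommonName, c.NotBefore.Format(time.RFC3339),
		c.NotAfter.Format(time.RFC3339), c.SignatureAlgorithm)
	fmt.Println("CA signature over static data:", VerifyStatic(d) == nil)
	nonce := []byte("constructed session nonce") // constructed sample input
	sig, _ := SignSession(d, nonce)
	fmt.Println("session signature verifies:", VerifySession(d, nonce, sig) == nil)
	fmt.Println("session signature with altered nonce:", VerifySession(d, []byte("other"), sig) == nil)
}
```

Two checks matter for the original question: VerifyStatic succeeds against the CA alone, with no session data involved, and VerifySession fails the moment the nonce changes, which is what makes the handshake signature dynamic and the certificate's signature static. A server that wants evidence of the PIN-unlocked private key has to take it from the TLS layer (the handshake's CertificateVerify, or a separately signed challenge), not from the certificate object.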