Cómo firmar un mensaje con varios firmantes
En este ejemplo se crea un mensaje CMS/PKCS #7 firmado con System.Security.Cryptography.Pkcs. Varios firmantes firman el mensaje. A continuación, se comprueban las firmas de dicho mensaje.
Ejemplo
En este ejemplo se utilizan las siguientes clases:
En el siguiente ejemplo se empieza utilizando un mensaje SignedCms codificado que se generó con anterioridad (con un firmante cuyo nombre de sujeto es "MessageSigner1") y, luego, lo firma una segunda vez un firmante cuyo nombre de sujeto es "MessageSigner2". En este ejemplo es necesario que haya un certificado de clave pública con el nombre de sujeto "MessageSigner2" en el almacén My certificate y que tenga una clave privada asociada.
.gif) Nota: |
|---|
Este ejemplo sólo tiene fines ilustrativos. En los entornos de producción se podría utilizar un modelo distinto, en el que el remitente y el destinatario del mensaje se ejecuten en procesos diferentes con sus credenciales de clave pública únicas. |
Configure este ejemplo mediante la utilidad Makecert.exe, que ofrece uno de los distintos métodos posibles de hacerlo. Certificate Creation Tool (Makecert.exe) es una práctica utilidad para generar certificados de prueba. En un entorno de producción, una entidad de certificación genera los certificados.
El siguiente comando de Makecert genera los certificados de clave pública y las claves privadas necesarias.
Makecert -n "CN=MessageSigner2" -ss My
// Copyright (c) Microsoft Corporation. All rights reserved.
#region Using directives
using System;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
#endregion
namespace SigningAMessageByMultipleSigners
{
class SignedCmsMultipleSigners
{
// Subject name of the second signer of the message.
const String signerName = "MessageSigner2";
static void Main(string[] args)
{
// An encoded SignedCms message that was generated
// previously. It is the message "The Board of Directors
// hereby adopts the resolution." signed by one signer
// with the subject name "MessageSigner1". This example
// adds a second signature to this encoded
// SignedCms message.
Byte[] signedMessage = {
0x30, 0x82, 0x03, 0x34, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x03, 0x25, 0x30,
0x82, 0x03, 0x21, 0x02, 0x01, 0x01, 0x31, 0x0b, 0x30, 0x09,
0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30,
0x77, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x07, 0x01, 0xa0, 0x6a, 0x04, 0x68, 0x54, 0x00, 0x68, 0x00,
0x65, 0x00, 0x20, 0x00, 0x42, 0x00, 0x6f, 0x00, 0x61, 0x00,
0x72, 0x00, 0x64, 0x00, 0x20, 0x00, 0x6f, 0x00, 0x66, 0x00,
0x20, 0x00, 0x44, 0x00, 0x69, 0x00, 0x72, 0x00, 0x65, 0x00,
0x63, 0x00, 0x74, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x73, 0x00,
0x20, 0x00, 0x68, 0x00, 0x65, 0x00, 0x72, 0x00, 0x65, 0x00,
0x62, 0x00, 0x79, 0x00, 0x20, 0x00, 0x61, 0x00, 0x64, 0x00,
0x6f, 0x00, 0x70, 0x00, 0x74, 0x00, 0x73, 0x00, 0x20, 0x00,
0x74, 0x00, 0x68, 0x00, 0x65, 0x00, 0x20, 0x00, 0x72, 0x00,
0x65, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x75, 0x00,
0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 0x2e, 0x00,
0xa0, 0x82, 0x01, 0xc2, 0x30, 0x82, 0x01, 0xbe, 0x30, 0x82,
0x01, 0x68, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x04,
0xd3, 0xc9, 0xdd, 0xb4, 0x38, 0x2a, 0xb5, 0x4d, 0x43, 0x4b,
0x99, 0x65, 0x19, 0xab, 0xeb, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00,
0x30, 0x16, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04,
0x03, 0x13, 0x0b, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x41, 0x67,
0x65, 0x6e, 0x63, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x33,
0x31, 0x32, 0x32, 0x36, 0x32, 0x32, 0x34, 0x35, 0x33, 0x37,
0x5a, 0x17, 0x0d, 0x33, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32,
0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x19, 0x31, 0x17,
0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0e, 0x4d,
0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e,
0x65, 0x72, 0x31, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
0x81, 0x00, 0x9b, 0xb4, 0x92, 0x23, 0x35, 0x3f, 0x23, 0xec,
0x4b, 0xcf, 0x4d, 0x5b, 0xed, 0x81, 0x22, 0x45, 0x62, 0x97,
0xea, 0x38, 0xff, 0x32, 0xc6, 0xa0, 0xdd, 0xeb, 0xd1, 0x18,
0x6a, 0x30, 0xec, 0x6e, 0x4b, 0x4f, 0xab, 0x2a, 0x41, 0xc7,
0x0d, 0xbb, 0xcd, 0x80, 0xdc, 0xef, 0xf2, 0xd0, 0x00, 0xd6,
0x82, 0x81, 0x7f, 0x9a, 0x9c, 0xc9, 0x41, 0xf3, 0xa8, 0x0b,
0xa3, 0x9d, 0xed, 0x9a, 0xee, 0x23, 0xb8, 0xf0, 0xe6, 0x27,
0x65, 0x30, 0x10, 0x13, 0x65, 0x75, 0x33, 0x64, 0x0b, 0x0b,
0xea, 0x7f, 0xf8, 0x3b, 0x49, 0xa7, 0xea, 0xd0, 0x2d, 0xc1,
0xf8, 0xa1, 0x66, 0xb9, 0x6d, 0xa2, 0x8d, 0x36, 0x43, 0x2e,
0xe1, 0x91, 0xe2, 0x41, 0xa1, 0xe6, 0x80, 0xc4, 0xa5, 0xf6,
0x1a, 0xa4, 0x1e, 0x1a, 0x47, 0x3e, 0x5e, 0xf1, 0x97, 0xc9,
0x26, 0x6a, 0x0c, 0xf1, 0x0f, 0xcb, 0x55, 0x03, 0xb2, 0xb7,
0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x4b, 0x30, 0x49, 0x30,
0x47, 0x06, 0x03, 0x55, 0x1d, 0x01, 0x04, 0x40, 0x30, 0x3e,
0x80, 0x10, 0x12, 0xe4, 0x09, 0x2d, 0x06, 0x1d, 0x1d, 0x4f,
0x00, 0x8d, 0x61, 0x21, 0xdc, 0x16, 0x64, 0x63, 0xa1, 0x18,
0x30, 0x16, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04,
0x03, 0x13, 0x0b, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x41, 0x67,
0x65, 0x6e, 0x63, 0x79, 0x82, 0x10, 0x06, 0x37, 0x6c, 0x00,
0xaa, 0x00, 0x64, 0x8a, 0x11, 0xcf, 0xb8, 0xd4, 0xaa, 0x5c,
0x35, 0xf4, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x41, 0x00,
0x1c, 0x97, 0xe5, 0x69, 0xac, 0x34, 0xa5, 0xa0, 0xbb, 0xc5,
0x65, 0x2e, 0xdf, 0x14, 0xa8, 0x8d, 0x4e, 0xf1, 0x86, 0x6c,
0x05, 0x5f, 0x51, 0xf3, 0xcc, 0x09, 0x8e, 0xaa, 0xa9, 0x43,
0x85, 0x11, 0x3b, 0xa9, 0xc3, 0x7d, 0x46, 0x58, 0x6b, 0xae,
0xf5, 0x6b, 0xd4, 0xef, 0xdf, 0xa5, 0x0f, 0xdb, 0x37, 0x78,
0xfd, 0x79, 0xf3, 0x31, 0x61, 0x26, 0x44, 0x98, 0x8b, 0xa4,
0xab, 0x3a, 0x89, 0x6e, 0x31, 0x81, 0xcf, 0x30, 0x81, 0xcc,
0x02, 0x01, 0x01, 0x30, 0x2a, 0x30, 0x16, 0x31, 0x14, 0x30,
0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0b, 0x52, 0x6f,
0x6f, 0x74, 0x20, 0x41, 0x67, 0x65, 0x6e, 0x63, 0x79, 0x02,
0x10, 0x04, 0xd3, 0xc9, 0xdd, 0xb4, 0x38, 0x2a, 0xb5, 0x4d,
0x43, 0x4b, 0x99, 0x65, 0x19, 0xab, 0xeb, 0x30, 0x09, 0x06,
0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x01, 0x05, 0x00, 0x04, 0x81, 0x80, 0x4f, 0x71, 0x32, 0xc8,
0x5f, 0x2f, 0xe3, 0x8e, 0xc7, 0x8d, 0x85, 0x96, 0x28, 0x1d,
0x6e, 0xa6, 0x6e, 0x76, 0x63, 0x64, 0xae, 0x8d, 0xdc, 0x06,
0x64, 0x14, 0xeb, 0xcf, 0xcb, 0x2a, 0xd2, 0x17, 0xaa, 0xa5,
0x24, 0xd9, 0x17, 0x05, 0x07, 0x35, 0x8e, 0xa0, 0xce, 0x48,
0xed, 0x4b, 0x9d, 0xe4, 0x6c, 0xfa, 0xdc, 0x00, 0x82, 0x15,
0x6b, 0xde, 0x29, 0x90, 0x28, 0xe9, 0x53, 0xcb, 0x6b, 0xb7,
0xac, 0xa0, 0xf5, 0xd7, 0x75, 0x92, 0x89, 0x5e, 0x3d, 0x71,
0x46, 0x0c, 0x38, 0xee, 0xfb, 0x51, 0xfc, 0x4b, 0x7e, 0x70,
0x87, 0xde, 0x09, 0x8f, 0x0d, 0x63, 0x27, 0x26, 0x81, 0x43,
0xce, 0xcb, 0x03, 0x44, 0xe9, 0x70, 0xf5, 0xf0, 0x80, 0xcd,
0xe1, 0x89, 0x2b, 0xd8, 0x84, 0xd2, 0xc4, 0x90, 0xef, 0xbc,
0xad, 0x31, 0x2a, 0x3a, 0x29, 0xa0, 0xb0, 0x84, 0x9f, 0x65,
0x5b, 0x0d, 0x6f, 0x61};
Console.WriteLine("System.Security.Cryptography.Pkcs " +
"Sample: Multiple-signer signed " +
"and verified message");
Console.WriteLine("\n\n------------------------------");
Console.WriteLine(" SETUP OF CREDENTIALS ");
Console.WriteLine("------------------------------\n");
// Get the certificate of the additional message signer.
X509Certificate2Collection signerCerts = GetSignerCerts();
Console.WriteLine("\n\n----------------------");
Console.WriteLine(" SENDER SIDE ");
Console.WriteLine("----------------------\n");
// Decode the existing SignedCms message and add a signature
// to it.
byte[] encodedSignedCms = SignMsg(signedMessage, signerCerts);
Console.WriteLine("\n\n------------------------");
Console.WriteLine(" RECIPIENT SIDE ");
Console.WriteLine("------------------------\n");
// Verify all signatures in the message.
if (VerifyMsg(encodedSignedCms))
{
Console.WriteLine("\nMessage verified");
}
else
{
Console.WriteLine("\nMessage failed to verify");
}
}
// Open the My (or Personal) certificate store and search for
// credentials to sign the message with. There must be
// a certificate with subject name "MessageSigner2" in that
// certificate store.
static public X509Certificate2Collection GetSignerCerts()
{
// Open the My certificate store.
X509Store storeMy = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
storeMy.Open(OpenFlags.ReadOnly);
// Display certificates to help troubleshoot
// the example's setup.
Console.WriteLine("Found certs with the following subject " +
"names in the {0} store:", storeMy.Name.ToString());
foreach (X509Certificate2 cert in storeMy.Certificates)
{
Console.WriteLine("\t{0}", cert.SubjectName.Name);
}
// Find the signer's certificate.
// Add to the signers' certificate collection.
X509Certificate2Collection signerCertsColl =
storeMy.Certificates.Find(X509FindType.FindBySubjectName,
signerName, false);
Console.WriteLine(
"Found {0} certificates in the {1} store with name {2}",
signerCertsColl.Count, storeMy.Name, signerName);
// Check to see if the certificate suggested by the example
// requirements is not present.
if (signerCertsColl.Count == 0)
{
Console.WriteLine(
"A suggested certificate to use for this example " +
"is not in the certificate store. Select " +
"an alternate certificate to use for " +
"signing the message.");
}
storeMy.Close();
return signerCertsColl;
}
// Sign the message with the private key of the signer.
static public byte[] SignMsg(
Byte[] signedCmsMsg,
X509Certificate2Collection signerCerts)
{
// Instantiate a SignedCms object, and then decode the
// input encoded SignedCms message.
// Has default SubjectIdentifierType IssuerAndSerialNumber.
// Has default Detached property value false, so message is
// included in the encoded SignedCms.
SignedCms signedCms = new SignedCms();
signedCms.Decode(signedCmsMsg);
DisplaySignedCmsProperties("Original message", signedCms);
// Sign the PKCS #7/CMS message once for each
// signer certificate. In this example, one additional
// signer is added to the SignedCms object.
foreach (X509Certificate2 cert in signerCerts)
{
Console.Write("Computing signature with signer subject "
+ "name {0} ... ", cert.SubjectName.Name);
signedCms.ComputeSignature(new CmsSigner(cert));
Console.WriteLine("Done.");
}
DisplaySignedCmsProperties("Message with additional " +
"signer", signedCms);
// Encode the PKCS #7/CMS message.
return signedCms.Encode();
}
// Verify the encoded SignedCms message and return a Boolean
// value that specifies whether the verification was successful.
static public bool VerifyMsg(byte[] encodedSignedCms)
{
// Prepare an object in which to decode and verify.
SignedCms signedCms = new SignedCms();
signedCms.Decode(encodedSignedCms);
// Catch a verification exception if you want to
// advise the message recipient that security actions might
// be appropriate.
try
{
// Verify signature. Do not validate signer
// certificate chain for the purposes of this example.
// Note that in a production environment, validating
// the signer certificate chain will probably
// be necessary.
Console.Write("Checking signatures on message ... ");
signedCms.CheckSignature(true);
Console.WriteLine("Done.");
}
catch (System.Security.Cryptography.CryptographicException e)
{
Console.WriteLine("VerifyMsg caught exception: {0}",
e.Message);
Console.WriteLine("Verification of the signed PKCS #7 " +
"failed. The message, signatures, or " +
"countersignatures might have been modified " +
"in transit or storage. The message signers or " +
"countersigners might not be who they claim to be. " +
"The message's authenticity or integrity, or both, " +
"are not guaranteed.");
return false;
}
return true;
}
// This method displays some properties of a signed
// CMS/PKCS #7 message. These properties include the number of
// signers and countersigners for each signer, whether the
// message is detached, and the version of the message.
static void DisplaySignedCmsProperties(String info, SignedCms s)
{
Console.WriteLine();
Console.WriteLine("\n>>>>> SignedCms Signer Info: {0}", info);
Console.WriteLine("\tNumber of signers:\t\t\t{0}",
s.SignerInfos.Count);
for (int i = 0; i < s.SignerInfos.Count; i++)
{
Console.WriteLine("\tSubject name of signer #{0}:\t\t{1}",
i + 1, s.SignerInfos[i].Certificate.SubjectName.Name);
Console.WriteLine("\tNumber of countersigners for " +
"signer #{0}:\t{1}",
i + 1, s.SignerInfos[i].CounterSignerInfos.Count);
}
Console.WriteLine("\tMessage detached state:\t\t\t{0}",
s.Detached);
Console.WriteLine("\tMessage version:\t\t\t{0}", s.Version);
Console.WriteLine();
}
}
}
Consulte también
Tareas
Cómo firmar mensajes con un firmante
Cómo contrafirmar un mensaje
Cómo envolver un mensaje para un destinatario
Cómo envolver un mensaje para varios destinatarios
Conceptos
Cómo firmar y envolver mensajes
.gif)
Copyright © 2007 Microsoft Corporation. Reservados todos los derechos.