방법: 메시지 연대 서명
이 예제에서는 System.Security.Cryptography.Pkcs를 사용하여 CMS/PKCS #7 서명된 메시지를 만듭니다. 한 명의 서명자가 메시지에 서명한 다음 두 명의 다른 서명자가 이 서명에 연대 서명합니다. 그런 다음 이 메시지의 서명 및 연대 서명을 확인합니다.
예제
이 예제에서는 다음 클래스를 사용합니다.
다음 예제에서는 주체 이름이 "MessageSigner1", "CounterSigner1" 및 "CounterSigner2"인 세 개의 공개 키 인증서가 내 인증서 저장소에 포함되어야 하고 해당 공개 키 인증서에는 연관된 개인 키가 있어야 합니다.
.gif) 참고: |
|---|
이 예제는 예시 목적으로만 사용됩니다. 프로덕션 환경에서는 메시지를 보낸 사람 및 받는 사람이 고유한 공개 키 자격 증명을 사용하여 서로 다른 프로세스에서 실행하는 다른 모델을 사용할 수 있습니다. |
이를 위한 여러 방법 중 하나로서 Makecert.exe 유틸리티를 사용하여 이 예제를 설정합니다. Certificate Creation Tool (Makecert.exe)는 테스트 인증서를 생성하는 편리한 유틸리티입니다. 프로덕션 환경에서는 인증 기관에서 인증서를 생성합니다.
다음 Makecert 명령은 필요한 공개 키 인증서 및 개인 키를 생성합니다.
Makecert -n "CN=MessageSigner1" -ss My
Makecert -n "CN=CounterSigner1" -ss My
Makecert -n "CN=CounterSigner2" -ss My
// Copyright (c) Microsoft Corporation. All rights reserved.
#region Using directives
using System;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
#endregion
namespace CountersignAMessage
{
class SignedCmsCountersigned
{
const String signerName = "MessageSigner1";
const String countersignerName1 = "CounterSigner1";
const String countersignerName2 = "CounterSigner2";
static void Main(string[] args)
{
Console.WriteLine("System.Security.Cryptography.Pkcs " +
"Sample: Single-signer multiple " +
"countersigner signed and verified message.");
// The original message.
const String msg = "The following is the approved corporate" +
" reorganization plan.";
Console.WriteLine("\nOriginal message (len {0}): {1} ",
msg.Length, msg);
// Convert the message to an array of bytes for signing.
Encoding unicode = Encoding.Unicode;
byte[] msgBytes = unicode.GetBytes(msg);
Console.WriteLine("\n\n------------------------------");
Console.WriteLine(" SETUP OF CREDENTIALS ");
Console.WriteLine("------------------------------\n");
X509Certificate2Collection signerCerts = GetSignerCerts();
X509Certificate2Collection countersignerCerts =
GetCountersignerCerts();
Console.WriteLine("\n\n----------------------");
Console.WriteLine(" SENDER SIDE ");
Console.WriteLine("----------------------\n");
byte[] encodedSignedCms = null;
try
{
encodedSignedCms = SignMsg(msgBytes, signerCerts,
countersignerCerts);
}
catch (ArgumentOutOfRangeException e)
{
Console.WriteLine(e.Message);
Console.WriteLine("The proper sample certificates are " +
"not in the My store. Refer to the documentation " +
"about this sample for instructions to correct this.");
return;
}
Console.WriteLine("\n\n------------------------");
Console.WriteLine(" RECIPIENT SIDE ");
Console.WriteLine("------------------------\n");
if (VerifyMsg(encodedSignedCms))
{
Console.WriteLine("\nMessage verified");
}
else
{
Console.WriteLine("\nMessage failed to verify");
}
}
// Open the My (or Personal) certificate store and search for
// credentials with which to sign the message. There must be
// a certificate with subject name "MessageSigner1".
static public X509Certificate2Collection GetSignerCerts()
{
// Open the My certificate store.
X509Store storeMy = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
storeMy.Open(OpenFlags.ReadOnly);
// Display certificates to help troubleshoot
// the example's setup.
Console.WriteLine("Found certs with the following subject " +
"names in the {0} store:",
storeMy.Name);
foreach (X509Certificate2 cert in storeMy.Certificates)
Console.WriteLine("\t{0}", cert.SubjectName.Name);
// Start the collection of signer certificates to be returned.
X509Certificate2Collection signerCertsColl = new
X509Certificate2Collection();
// Find the signer's certificate.
// Add it to the signers' certificates collection.
X509Certificate2Collection foundCertColl = storeMy.
Certificates.Find(X509FindType.FindBySubjectName,
signerName, false);
Console.WriteLine(
"Found {0} certificates in the {1} store with name {2}",
foundCertColl.Count, storeMy.Name, signerName);
// Check to see if the certificate suggested by the example
// requirements is not present.
if (foundCertColl.Count == 0)
{
Console.WriteLine(
"A suggested certificate to use for this example " +
"is not in the certificate store. Select " +
"an alternate certificate to use for " +
"signing the message.");
}
signerCertsColl.Add(foundCertColl[0]);
storeMy.Close();
return signerCertsColl;
}
// Open the My (or Personal) certificate store and search for
// credentials with which to countersign the message. There must
// be two certificates: one with the subject name
// "Countersigner1", and the other with the subject name
// "Countersigner2".
static public X509Certificate2Collection GetCountersignerCerts()
{
// Open the My certificate store.
X509Store storeMy = new X509Store(StoreName.My,
StoreLocation.CurrentUser);
storeMy.Open(OpenFlags.ReadOnly);
// Start the collection of signer certificates to be returned.
X509Certificate2Collection countersignerCertsColl = new
X509Certificate2Collection();
// Find the first countersigner's certificate.
// Add it to the countersigners' certificates collection.
X509Certificate2Collection foundCertColl = storeMy.
Certificates.Find(X509FindType.FindBySubjectName,
countersignerName1, false);
Console.WriteLine(
"Found {0} certificates in the {1} store with name {2}",
foundCertColl.Count, storeMy.Name, countersignerName1);
// Check to see if the certificate suggested by the example
// requirements is not present.
if (foundCertColl.Count == 0)
{
Console.WriteLine(
"A suggested certificate to use for this example " +
"is not in the certificate store. Select " +
"an alternate certificate to use for " +
"signing the message.");
}
countersignerCertsColl.Add(foundCertColl[0]);
// Find the second countersigner's certificate.
// Add it to the countersigners' certificates collection.
foundCertColl = storeMy.
Certificates.Find(X509FindType.FindBySubjectName,
countersignerName2, false);
Console.WriteLine(
"Found {0} certificates in the {1} store with name {2}",
foundCertColl.Count, storeMy.Name, countersignerName2);
// Check to see if the certificate suggested by the example
// requirements is not present.
if (foundCertColl.Count == 0)
{
Console.WriteLine(
"A suggested certificate to use for this example " +
"is not in the certificate store. Select " +
"an alternate certificate to use for " +
"signing the message.");
}
countersignerCertsColl.Add(foundCertColl[0]);
storeMy.Close();
return countersignerCertsColl;
}
// Sign the message with the private key of the signer,
// and countersign that signature with the private key
// of each of the countersigners.
static public byte[] SignMsg(
Byte[] msg,
X509Certificate2Collection signerCerts,
X509Certificate2Collection countersignerCerts)
{
// There must be at least one certificate in the collection.
if (signerCerts.Count == 0 || countersignerCerts.Count == 0)
{
throw new ArgumentOutOfRangeException("Empty certificate" +
" collection passed to SignMsg.");
}
// Place the message in a ContentInfo object.
// This is required to build a SignedCms object.
ContentInfo contentInfo = new ContentInfo(msg);
// Instantiate a SignedCms object with the ContentInfo above.
// Use the default SubjectIdentifierType
// IssuerAndSerialNumber.
// Use the default Detached property value FALSE so that the
// message is included in the encoded SignedCms.
SignedCms signedCms = new SignedCms(contentInfo);
// Sign the CMS/PKCS #7 message once for each
// signer certificate.
foreach (X509Certificate2 cert in signerCerts)
{
Console.Write("Computing signature with signer subject " +
"name {0} ... ", cert.SubjectName.Name);
signedCms.ComputeSignature(new CmsSigner(cert));
Console.WriteLine("Done.");
}
// Countersign the first signature in the CMS/PKCS #7 message
// once for each countersigner certificate.
foreach (X509Certificate2 cert in countersignerCerts)
{
Console.Write("Computing countersignature with signer " +
"subject name {0} ... ",
cert.SubjectName.Name);
signedCms.SignerInfos[0].ComputeCounterSignature(new
CmsSigner(cert));
Console.WriteLine("Done.");
}
// Encode the CMS/PKCS #7 message.
return signedCms.Encode();
}
// Verify the encoded SignedCms message and return a Boolean
// value that specifies whether the verification was successful.
static public bool VerifyMsg(byte[] encodedSignedCms)
{
// Prepare an object in which to decode and verify.
SignedCms signedCms = new SignedCms();
signedCms.Decode(encodedSignedCms);
// Check the number of signers and countersigners.
DisplaySignedCmsProperties("In VerifyMsg method", signedCms);
// Catch a verification exception if you want to
// advise the message recipient that security actions
// might be appropriate.
try
{
// Verify signature. Do not validate the signer
// certificate chain for the purposes of this example.
// Note that in a production environment, validating
// the signer certificate chain will probably
// be necessary.
Console.Write("Checking signature and countersignatures" +
" on message ... ");
signedCms.CheckSignature(true);
Console.WriteLine("Done.");
}
catch (System.Security.Cryptography.CryptographicException e)
{
Console.WriteLine("VerifyMsg caught exception: {0}",
e.Message);
Console.WriteLine("Verification of the signed " +
"CMS/PKCS #7 failed. The message, signatures, or " +
"countersignatures might have been modified " +
"in transit or storage. The message signers or " +
"countersigners might not be who they claim to be. " +
"The message's authenticity or integrity, or both, " +
"are not guaranteed.");
return false;
}
return true;
}
// This method displays some properties of a signed
// CMS/PKCS #7 message. These properties include the number of
// signers and countersigners for each signer, whether the
// message is detached, and the version of the message.
static void DisplaySignedCmsProperties(String info, SignedCms s)
{
Console.WriteLine();
Console.WriteLine("\n>>>>> SignedCms Signer Info: {0}", info);
Console.WriteLine("\tNumber of signers:\t\t\t{0}",
s.SignerInfos.Count);
for (int i = 0; i < s.SignerInfos.Count; i++)
{
Console.WriteLine("\tSubject name of signer #{0}:\t\t{1}",
i + 1, s.SignerInfos[i].Certificate.SubjectName.Name);
Console.WriteLine("\tNumber of countersigners for " +
"signer #{0}:\t{1}",
i + 1, s.SignerInfos[i].CounterSignerInfos.Count);
}
Console.WriteLine("\tMessage detached state:\t\t\t{0}",
s.Detached);
Console.WriteLine("\tMessage version:\t\t\t{0}", s.Version);
Console.WriteLine();
}
}
}
참고 항목
작업
방법: 한 명의 서명자가 메시지 서명
방법: 여러 명의 서명자가 메시지 서명
방법: 한 명의 받는 사람의 메시지 포함
방법: 여러 명의 받는 사람의 메시지 포함
개념
.gif)
Copyright © 2007 by Microsoft Corporation. All rights reserved.