HOW TO:封套單一收件者的訊息
此範例會使用 System.Security.Cryptography.Pkcs 建立 CMS/PKCS #7 封套訊息。此訊息只為單一收件者加密。接著,系統會使用該收件者的私密金鑰將訊息解密。範例中使用了 EnvelopedCms 物件,它可以讓訊息為一或多個收件者加密 (或稱*「封套」*)。
範例
本範例使用下列類別:
若要在單一電腦上執行,下列範例的「通訊錄」憑證存放區和「我的」憑證存放區中都必須具有主體名稱為 "Recipient1" 的公開金鑰憑證。該電腦上也必須存放關聯的私密金鑰。這個範例首先做為訊息傳送者,然後做為訊息收件者,兩個角色中都使用相同的公開金鑰認證。做為傳送者時,它會在「通訊錄」憑證存放區中搜尋收件者的憑證,並使用該憑證來加密訊息。做為收件者時,它會在「我的」憑證存放區中搜尋憑證,並使用關聯的私密金鑰將訊息解密。
.gif) 注意: |
|---|
此範例僅用於示範。實際執行環境中可能使用不同的模型,其中訊息的傳送者和收件者會使用其唯一公開金鑰認證,在不同的處理序中執行。 |
使用 Makecert.exe 公用程式設定此範例,這是完成此工作的方法之一。Certificate Creation Tool (Makecert.exe) 是測試憑證的方便公用程式。在實際執行環境中,憑證是由憑證授權單位所產生。
下面的 Makecert 命令會產生必要的公開金鑰憑證和私密金鑰。
Makecert -n "CN=Recipient1" -ss My
這個命令會將適當的公開金鑰憑證置於「我的」憑證存放區中,並產生私密金鑰。此時,您必須取得一份公開金鑰憑證的複本,並將它放入「通訊錄」憑證存放區。若要這麼做,請匯出公開金鑰憑證,然後依照HOW TO:匯出和匯入公開金鑰憑證中的程序,將其匯入 「通訊錄」憑證存放區。
// Copyright (c) Microsoft Corporation. All rights reserved.
#region Using directives
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
#endregion
namespace EnvelopAMessageForOneRecipient
{
class EnvelopedCmsSingleRecipient
{
const String recipientName = "Recipient1";
static void Main(string[] args)
{
Console.WriteLine("System.Security.Cryptography.Pkcs " +
"Sample: Single-recipient encrypted and decrypted message");
// Original message.
const String msg = "Here is your personal identification number:";
Console.WriteLine("\nOriginal message (len {0}): {1} ",
msg.Length, msg);
// Convert message to an array of Unicode bytes for signing.
UnicodeEncoding unicode = new UnicodeEncoding();
byte[] msgBytes = unicode.GetBytes(msg);
Console.WriteLine("\n\n------------------------------");
Console.WriteLine(" SETUP OF CREDENTIALS ");
Console.WriteLine("------------------------------\n");
// The recipient's certificate is necessary to encrypt
// the message for that recipient.
X509Certificate2 recipientCert = GetRecipientCert();
Console.WriteLine("\n\n----------------------");
Console.WriteLine(" SENDER SIDE ");
Console.WriteLine("----------------------\n");
byte[] encodedEnvelopedCms = EncryptMsg(msgBytes,
recipientCert);
Console.Write("\nMessage after encryption (len {0}): ",
encodedEnvelopedCms.Length);
foreach (byte b in encodedEnvelopedCms)
{
Console.Write("{0:x}", b);
}
Console.WriteLine();
Console.WriteLine("\n\n------------------------");
Console.WriteLine(" RECIPIENT SIDE ");
Console.WriteLine("------------------------\n");
Byte[] decryptedMsg = DecryptMsg(encodedEnvelopedCms);
// Convert Unicode bytes to the original message string.
Console.WriteLine("\nDecrypted Message: {0}",
unicode.GetString(decryptedMsg));
}
// Open the AddressBook (also known as Other in
// Internet Explorer) certificate store and search for
// a recipient certificate with which to encrypt the
// message. The certificate must have a subject name
// of "Recipient1".
static public X509Certificate2 GetRecipientCert()
{
// Open the AddressBook local user X509 certificate store.
X509Store storeAddressBook = new X509Store(StoreName.
AddressBook, StoreLocation.CurrentUser);
storeAddressBook.Open(OpenFlags.ReadOnly);
// Display certificates to help troubleshoot
// the example's setup.
Console.WriteLine(
"Found certs with the following subject names in the " +
"{0} store:", storeAddressBook.Name);
foreach (X509Certificate2 cert in storeAddressBook.Certificates)
{
Console.WriteLine("\t{0}", cert.SubjectName.Name);
}
// Get recipient certificate.
// For purposes of this sample, do not validate the
// certificate. Note that in a production environment,
// validating the certificate will probably be necessary.
X509Certificate2Collection certColl = storeAddressBook.
Certificates.Find(X509FindType.FindBySubjectName,
recipientName, false);
Console.WriteLine(
"Found {0} certificates in the {1} store with name {2}",
certColl.Count, storeAddressBook.Name, recipientName);
// Check to see if the certificate suggested by the example
// requirements is not present.
if (certColl.Count == 0)
{
Console.WriteLine(
"A suggested certificate to use for this example " +
"is not in the certificate store. Select " +
"an alternate certificate to use for " +
"signing the message.");
}
storeAddressBook.Close();
return certColl[0];
}
// Encrypt the message with the public key of
// the recipient. This is done by enveloping the message by
// using an EnvelopedCms object.
static public byte[] EncryptMsg(
Byte[] msg,
X509Certificate2 recipientCert)
{
// Place the message in a ContentInfo object.
// This is required to build an EnvelopedCms object.
ContentInfo contentInfo = new ContentInfo(msg);
// Instantiate an EnvelopedCms object with the ContentInfo
// above.
// Has default SubjectIdentifierType IssuerAndSerialNumber.
// Has default ContentEncryptionAlgorithm property value
// RSA_DES_EDE3_CBC.
EnvelopedCms envelopedCms = new EnvelopedCms(contentInfo);
// Formulate a CmsRecipient object that
// represents information about the recipient
// to encrypt the message for.
CmsRecipient recip1 = new CmsRecipient(
SubjectIdentifierType.IssuerAndSerialNumber,
recipientCert);
Console.Write(
"Encrypting data for a single recipient of " +
"subject name {0} ... ",
recip1.Certificate.SubjectName.Name);
// Encrypt the message for the recipient.
envelopedCms.Encrypt(recip1);
Console.WriteLine("Done.");
// The encoded EnvelopedCms message contains the message
// ciphertext and the information about each recipient
// that the message was enveloped for.
return envelopedCms.Encode();
}
// Decrypt the encoded EnvelopedCms message.
static public Byte[] DecryptMsg(byte[] encodedEnvelopedCms)
{
// Prepare object in which to decode and decrypt.
EnvelopedCms envelopedCms = new EnvelopedCms();
// Decode the message.
envelopedCms.Decode(encodedEnvelopedCms);
// Display the number of recipients the message is
// enveloped for; it should be 1 for this example.
DisplayEnvelopedCms(envelopedCms, false);
// Decrypt the message for the single recipient.
Console.Write("Decrypting Data ... ");
envelopedCms.Decrypt(envelopedCms.RecipientInfos[0]);
Console.WriteLine("Done.");
// The decrypted message occupies the ContentInfo property
// after the Decrypt method is invoked.
return envelopedCms.ContentInfo.Content;
}
// Display the ContentInfo property of an EnvelopedCms object.
static private void DisplayEnvelopedCmsContent(String desc,
EnvelopedCms envelopedCms)
{
Console.WriteLine(desc + " (length {0}): ",
envelopedCms.ContentInfo.Content.Length);
foreach (byte b in envelopedCms.ContentInfo.Content)
{
Console.Write(b.ToString() + " ");
}
Console.WriteLine();
}
// Display some properties of an EnvelopedCms object.
static private void DisplayEnvelopedCms(EnvelopedCms e,
Boolean displayContent)
{
Console.WriteLine("\nEnveloped CMS/PKCS #7 Message " +
"Information:");
Console.WriteLine(
"\tThe number of recipients for the Enveloped CMS/PKCS " +
"#7 is: {0}", e.RecipientInfos.Count);
for (int i = 0; i < e.RecipientInfos.Count; i++)
{
Console.WriteLine(
"\tRecipient #{0} has type {1}.",
i + 1,
e.RecipientInfos[i].RecipientIdentifier.Type);
}
if (displayContent)
{
DisplayEnvelopedCmsContent("Enveloped CMS/PKCS " +
"#7 Content", e);
}
Console.WriteLine();
}
}
}
請參閱
工作
HOW TO:由一位簽署者簽署訊息
HOW TO:由多位簽署者簽署一個訊息
HOW TO:副署訊息
HOW TO:封套多位收件者的訊息
概念
.gif)
Copyright © 2007 by Microsoft Corporation. All rights reserved.