
I read this post on how to sign a file with the BouncyCastle dll in C#, and I would like to know if it is possible to find some support for certificates stored in a smartcard.

What I'm trying to do is to create a P7M CAdES, but it seems impossible to find any documentation, .NET classes or free library.


3 Answers


You can also try this C# port of a European Commission initiative:

DSS .NET

It supports CAdES. Try using the MSCAPISignatureToken and the guide in the CookBook.


I used DSS.NET with this code:

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using EU.Europa.EC.Markt.Dss;
using EU.Europa.EC.Markt.Dss.Signature;
using EU.Europa.EC.Markt.Dss.Signature.Cades;
using EU.Europa.EC.Markt.Dss.Signature.Token;

private static void SignP7M(X509Certificate2 card, string sourcepath)
{
    var service = new CAdESService();

    // Creation of MS CAPI signature token: the signing operation itself is
    // delegated through CryptoAPI to the CSP of the smartcard that holds the key
    var token = new MSCAPISignatureToken { Cert = card };

    var parameters = new SignatureParameters
    {
        SignatureAlgorithm = SignatureAlgorithm.RSA,
        SignatureFormat = SignatureFormat.CAdES_BES,
        DigestAlgorithm = DigestAlgorithm.SHA256,
        // ENVELOPING: the signed file is embedded inside the resulting .p7m
        SignaturePackaging = SignaturePackaging.ENVELOPING,
        SigningCertificate = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(token.Cert),
        SigningDate = DateTime.UtcNow
    };

    var toBeSigned = new FileDocument(sourcepath);

    // Build the bytes to be signed (the CMS signed attributes), sign them on the
    // card, then let the service assemble the final CAdES/CMS structure
    var iStream = service.ToBeSigned(toBeSigned, parameters);
    var signatureValue = token.Sign(iStream, parameters.DigestAlgorithm, token.GetKeys()[0]);
    var signedDocument = service.SignDocument(toBeSigned, parameters, signatureValue);

    var dest = sourcepath + ".p7m";
    if (File.Exists(dest)) File.Delete(dest);
    using (var fin = signedDocument.OpenStream())
    using (var fout = File.OpenWrite(dest))
    {
        fin.CopyTo(fout);
    }
}

You can get the card in two ways:

  • from cert store
  • from cert serial number

Here are the samples:

using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Look the certificate up by serial number in the current user's personal store
// (where Windows exposes the certificates of a mapped smartcard)
public static X509Certificate2 GetCertificate(string _certSn)
{
    // selection of the signing token
    var st = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    st.Open(OpenFlags.ReadOnly);
    var col = st.Certificates;
    // SerialNumber is a hex string; the comparison is case-sensitive
    var card = col.Cast<X509Certificate2>().FirstOrDefault(t => t.SerialNumber == _certSn);

    st.Close();

    return card;
}

// Let the user pick the certificate through the standard Windows selection dialog
public static X509Certificate2 selectCert(StoreName store, StoreLocation location, string windowTitle, string windowMsg)
{
    X509Certificate2 certSelected = null;
    X509Store x509Store = new X509Store(store, location);
    x509Store.Open(OpenFlags.ReadOnly);

    X509Certificate2Collection col = x509Store.Certificates;
    X509Certificate2Collection sel = X509Certificate2UI.SelectFromCollection(col, windowTitle, windowMsg, X509SelectionFlag.SingleSelection);

    if (sel.Count > 0)
    {
        certSelected = sel[0];
    }

    x509Store.Close();

    return certSelected;
}
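To check what SignP7M actually produced, here is an added example that is not part of the answer above or of DSS.NET: it opens the .p7m with .NET's built-in SignedCms (System.Security.Cryptography.Pkcs), verifies the signature with and without chain building, confirms the content is embedded (enveloping packaging) and looks for the ESS signing-certificate attribute that a CAdES-BES signature carries but a bare PKCS#7/CMS signature normally does not. The class and field names are mine; the OIDs are the standard ESS ones.

```csharp
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;

// Added example, not code from the answer or from DSS.NET: inspects a .p7m
// produced by SignP7M with .NET's built-in SignedCms.
public static class P7MInspector
{
    // ESS signing-certificate attributes (RFC 2634 / RFC 5035). CAdES-BES requires
    // one of them among the signed attributes; bare PKCS#7/CMS normally has neither.
    const string EssSigningCertificate   = "1.2.840.113549.1.9.16.2.12";
    const string EssSigningCertificateV2 = "1.2.840.113549.1.9.16.2.47";

    public sealed class Report
    {
        public bool SignatureValid;   // signature value verifies against the embedded cert
        public bool ChainValid;       // ...and that cert chains to a trusted root
        public bool ContentEmbedded;  // enveloping CMS: the file travels inside the .p7m
        public int ContentLength;
        public string SignerSubject;
        public bool LooksLikeCades;   // ESS signing-certificate attribute present
    }

    public static Report Inspect(string p7mPath)
    {
        var cms = new SignedCms();
        cms.Decode(File.ReadAllBytes(p7mPath)); // CryptographicException on malformed input
        var report = new Report { ContentLength = cms.ContentInfo.Content.Length };
        report.ContentEmbedded = report.ContentLength > 0;
        // CheckSignature(true) verifies only the signature value; CheckSignature(false)
        // additionally builds and validates the signer's certificate chain.
        report.SignatureValid = TryCheck(cms, verifySignatureOnly: true);
        report.ChainValid = report.SignatureValid && TryCheck(cms, verifySignatureOnly: false);

        var signer = cms.SignerInfos.Cast<SignerInfo>().FirstOrDefault();
        if (signer != null)
        {
            report.SignerSubject = signer.Certificate?.Subject;
            report.LooksLikeCades = signer.SignedAttributes.Cast<CryptographicAttributeObject>()
                .Any(a => a.Oid.Value == EssSigningCertificate || a.Oid.Value == EssSigningCertificateV2);
        }
        return report;
    }

    static bool TryCheck(SignedCms cms, bool verifySignatureOnly)
    {
        try { cms.CheckSignature(verifySignatureOnly); return true; }
        catch (CryptographicException) { return false; }
    }
}
```

If LooksLikeCades comes back false, the file is a plain CMS signature rather than CAdES, which is the distinction the last comment on this page makes.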

If the smartcard is mapped to the Windows certificate store, then you can use the certificates available via CryptoAPI. If the smartcard is available via PKCS#11, you can use the PKIBlackbox package of our SecureBlackbox product. PKIBlackbox also supports the CAdES format, not just PKCS#7/CMS.

  • PKIBlackBox uses managed code. I'm using a PKCS#11 wrapper for my smartcard. For instance, when I must sign PDF files I use an IExternalSignature interface implementation that calls the Sign method of my wrapper. I would like to do something like this for p7m without using any other components. – bit Jul 17 '13 at 17:39
  • PKIBlackbox is available in native C++ and VCL editions as well. Still, you won't do CAdES with just .NET (unless of course you want to rewrite plenty of protocol implementations yourself). – Eugene Mayevski 'Callback Jul 17 '13 at 18:52
  • Ok, but it isn't free of cost. Is there something freeware? – bit Jul 17 '13 at 19:13
  • @bit everything costs something. Free software costs time spent on bugs and lack of documentation, as you have already discovered. – Eugene Mayevski 'Callback Jul 18 '13 at 05:36
  • Sure. But if I am already able to sign through my smartcard, get info about the CSP and other stuff, I would be happier to achieve a simple p7M without cost. – bit Jul 18 '13 at 06:46
  • @bit P7M is not CAdES and CAdES is not p7m. p7m stands for PKCS#7/CMS. CAdES is an advanced standard for signing that uses CMS but is much wider. You need to determine what exactly you need. – Eugene Mayevski 'Callback Jul 18 '13 at 09:44