
In a web application (aspx/C#) that will sign documents, how can I list the certificates located on the user's USB key (authentication / signing key)?

Here is my code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Signature1
{
    public partial class signature : System.Web.UI.Page
    {
        string strTxt = "Certificates : ";

        protected void Page_Load(object sender, EventArgs e)
        {
            // Personal ("My") store of the Windows account this page runs as:
            // the logged-on developer in debug mode, the application pool
            // identity once the site is hosted on IIS.
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                strTxt += "\nDelivered to " + cert.SubjectName.Name + " by " + cert.IssuerName.Name;
            }
            store.Close();
            myTextbox.Text = strTxt;
        }
    }
}

This code works fine on the local machine (debug mode) but returns an empty list when published on an application server.
Thank you for your help.

Mister B.

1 Answer


If you need to read certificates from the device located on the server:

On an application server your code works under a service account (most likely). In this case the CurrentUser store (which you are referencing with the StoreLocation.CurrentUser parameter) will be empty.

Now it depends on the driver of your hardware how it maps the certificates from the USB token. If it can map certificates to the LocalMachine store, then you can modify your code to enumerate certificates from LocalMachine. If the driver only maps them to the current user, then most likely you will need to run your code under that user account. It's possible to impersonate a user (or see this SO question) in Windows so you can switch to a specific user account for just one thread.

One more alternative is to access the device via the PKCS#11 interface (if the corresponding driver DLL is provided by the hardware vendor and if you have the rights to put it on the server system). In this case you log in to the hardware in code and it doesn't care about the user. The PKCS#11 interface is very different from X509Store though and requires third-party libraries (such as our SecureBlackbox) to work with. But this can turn out to be the only option in some cases.

If you need to read certificates from the device located on the remote client:

The only option is to have a client-side module (most often it's a Java applet) which will have access to the device. Java applets can work with PKCS#11 and with the Windows Certificate Store on Windows.

The downside is that Java applets don't work on mobile platforms, where your only option would be a client application of some kind (so far this problem has no good general solution).

Eugene Mayevski 'Callback
  • Do you mean that using the PKCS#11 interface, a **web application** can access the LocalMachine store on a **client machine** ? – Mister B. Oct 28 '14 at 22:27
  • @MisterB. seems that I've misread your question (it was easy to misread cause you have not specified that you want to read the certificates on the connected remote client system). I'll update my answer. – Eugene Mayevski 'Callback Oct 29 '14 at 05:31
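As an added example (not code from the question or the answer above): a C# helper that puts both halves of the server-side answer in one place. It reports the Windows account the page runs as (on IIS that is the application pool identity unless impersonation is configured), enumerates the My store at both CurrentUser and LocalMachine, keeps only certificates that carry a private key (the ones that can actually sign), and flags keys whose CSP reports a hardware device such as a USB token. The class and member names are my own; it assumes .NET Framework 4 on Windows and that the token's CSP exposes the key through RSACryptoServiceProvider (CNG/KSP-only tokens are reported as software keys by this check).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;

namespace Signature1
{
    // Added diagnostic helper (not from the original post).
    public static class CertificateInventory
    {
        public sealed class Entry
        {
            public string Store;
            public string Subject;
            public string Issuer;
            public string Thumbprint;
            public bool HasPrivateKey;
            public bool HardwareBacked;
        }

        // Enumerate one store location. A store that does not exist for this
        // account, or that the account may not open, yields an empty list
        // instead of an unhandled exception on the page.
        public static List<Entry> ListStore(StoreLocation location, bool requirePrivateKey)
        {
            var entries = new List<Entry>();
            var store = new X509Store(StoreName.My, location);
            try
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                foreach (X509Certificate2 cert in store.Certificates)
                {
                    // No private key means no signing; skip unless a full inventory was asked for.
                    if (requirePrivateKey && !cert.HasPrivateKey)
                        continue;

                    entries.Add(new Entry
                    {
                        Store = location.ToString(),
                        Subject = cert.Subject,
                        Issuer = cert.Issuer,
                        Thumbprint = cert.Thumbprint,
                        HasPrivateKey = cert.HasPrivateKey,
                        HardwareBacked = IsHardwareBacked(cert)
                    });
                }
            }
            catch (CryptographicException)
            {
                // Store missing or access denied for the current account.
            }
            finally
            {
                store.Close();
            }
            return entries;
        }

        // True when the private key lives in a CSP that reports a hardware device
        // (smart card / USB token). CNG-only keys are not exposed as
        // RSACryptoServiceProvider and are reported as not hardware-backed here.
        private static bool IsHardwareBacked(X509Certificate2 cert)
        {
            if (!cert.HasPrivateKey)
                return false;
            try
            {
                var csp = cert.PrivateKey as RSACryptoServiceProvider;
                return csp != null && csp.CspKeyContainerInfo.HardwareDevice;
            }
            catch (CryptographicException)
            {
                // Key container not accessible to this account.
                return false;
            }
        }

        // Text report for the page's multi-line TextBox, e.g. in Page_Load:
        //   myTextbox.Text = CertificateInventory.Report();
        public static string Report()
        {
            var sb = new StringBuilder();
            sb.AppendLine("Running as: " + WindowsIdentity.GetCurrent().Name);
            foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
            {
                var entries = ListStore(location, requirePrivateKey: true);
                sb.AppendLine(location + " store: " + entries.Count + " signing certificate(s)");
                foreach (var entry in entries)
                {
                    sb.AppendLine("  " + entry.Thumbprint + "  " + entry.Subject
                        + "  issued by " + entry.Issuer
                        + (entry.HardwareBacked ? "  [hardware key]" : "  [software key]"));
                }
            }
            return sb.ToString();
        }
    }
}
```

Reading the "Running as" line on the published site is the quickest way to confirm the diagnosis in the answer: if it names the application pool identity rather than the user whose token is plugged in, the CurrentUser store being searched is that service account's, not the user's. An empty LocalMachine list alongside it means the token driver only publishes certificates into the logged-on user's profile, so impersonation or PKCS#11 is needed. Two cautions: touching cert.PrivateKey on some token drivers triggers a PIN prompt that a non-interactive service account can never answer (the catch above turns that into "not hardware-backed" rather than a hung request), and any impersonation you add must not end up with a user's password stored in web.config.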