[Mono-list] Can SignedCms be usable?

[Sebastien Pouliot]

Hello Mathias,

On Tue, 2008-06-03 at 15:27 +0200, Mathias Tausig wrote:
> > On Tue, 2008-06-03 at 10:34 +0200, Mathias Tausig wrote:
> >> >> unless you know the details of the private
> >> >> key?
> >> >
> >> > No sure if I understand your meaning. Windows tends to "hide" the
> >> > private keys (in it's stores) from the users. However there's nothing
> >> > you can do, with them, unless you know their "details" (i.e. at least
> >> > how to access or use, not necessarily read, it).
> >> >
> >>
> >> What I mean is, that it obviously only works with software keys but not
> >> with hardware tokens (which can be used via an overloaded
> >> AsymetricAlgorithm class in SignedXml).
> >
> > What is the basis of this "obvious" assertion ? The API is identical so
> > it should[1] work with either software or hardware[2] based crypto.
> > However your job may be a bit more complex if your hardware does not
> > provide the same level of functionality as the API requires.
> 
> I've looked through some code samples and the msdn articles on the Cms
> classes and that lead me to the assumption the code uses windows specific
> stuff (windows certificate store, installed CSPs) to get hold of the
> private key which makes it impossible for me to use it non non-windows
> systems with a smartcard.

MSDN samples only have to work on Windows so they often jump to the
easiest solutions ;-) However it should be possible to make Cms class,
once completed, work under Mono / non-Windows OS. 

note: since a lot of code copy from MSDN samples it's likely they won't
work without modification - but that should not influence your own code.

> > [1] it's a bit more complex under MS implementation since the [RSA|
> > DSA]CryptoServiceProvider are special cases that do not play well with
> > other, more general, classes. A possible solution is to supply a native
> > CSP and use the *CryptoServiceProvider to access it (but that won't work
> > on Mono).
> 
> I guess that writing my own CSP is not really an option, especially since
> I want a portable program.

I would not advise it. It's quite complex since you have to supply a lot
of extra logic (90%) beside what you want to add (10%).

> > [2] some hardware, like smartcards, have limitations that does not fit
> > well with (most) cryptographic API. E.g. some will do the padding
> > themselves and that, in the .NET framework case, will require you to
> > provider your own [Def|F]ormatter classes.
> >
> > Sebastien
> >
> > p.s. you jumped from SignedCms to SignedXml ;-)
> >
>  On Purpose. I just wanted to state, that what I want to worked for me for
> SignedXml (by deriving from RSA, and with your help, of course :-) ) but
> does not seem to work for PKCS#7 signatures, at least wast of windows ...

AFAIK it should work based on the design - but I could be wrong (it's
been known to happen ;-) and I did not try it myself...

Sebastien