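        /// <summary>
        /// Signs <paramref name="reqData"/> with the RSA private key of a PKCS#12 certificate
        /// (the "specify a certificate" variant used when several merchant certificates exist).
        /// Writes <c>reqData["certId"]</c> (certificate serial number as a decimal string) and
        /// <c>reqData["signature"]</c> (Base64 RSA PKCS#1 v1.5 / SHA-256 signature over the
        /// hex-encoded SHA-256 digest of the linked <c>key1=value1&amp;key2=value2</c> string).
        /// </summary>
        /// <param name="reqData">Request fields; "certId" and "signature" are written into it.</param>
        /// <param name="certRawData">PKCS#12 (.pfx) bytes holding the signing certificate and its private key.</param>
        /// <param name="certPwd">Password protecting the PKCS#12 bundle.</param>
        /// <param name="encoding">Encoding used to turn the linked string and the hex digest into bytes.</param>
        /// <exception cref="ArgumentNullException"><paramref name="reqData"/>, <paramref name="certRawData"/> or <paramref name="encoding"/> is null.</exception>
        /// <exception cref="CryptographicException">The bundle cannot be opened or carries no RSA private key.</exception>
        public static void SignByCertInfo(Dictionary <string, string> reqData, byte[] certRawData, string certPwd, Encoding encoding)
        {
            if (reqData == null)
            {
                throw new ArgumentNullException("reqData");
            }
            if (certRawData == null)
            {
                throw new ArgumentNullException("certRawData");
            }
            if (encoding == null)
            {
                throw new ArgumentNullException("encoding");
            }

            // Exportable is required because the private key is copied into a fresh provider below.
            using (var cert = new X509Certificate2(certRawData, certPwd, X509KeyStorageFlags.Exportable))
            {
                // GetSerialNumber() returns the serial little-endian, which is the byte order
                // BigInteger(byte[]) expects, so the decimal string matches the serial number.
                reqData["certId"] = new System.Numerics.BigInteger(cert.GetSerialNumber()).ToString();

                // Flatten the dictionary into key1=value1&key2=value2 form (sorted/filtered by SDKUtil).
                string stringData = SDKUtil.CreateLinkString(reqData, true, false, encoding);

                // The signed payload is the *hex string* of the SHA-256 digest, not the raw digest;
                // Validate() must mirror this exactly.
                string stringSignDigest;
                using (var sha256 = SHA256.Create())
                {
                    stringSignDigest = SDKUtil.ByteArray2HexString(sha256.ComputeHash(encoding.GetBytes(stringData)));
                }

                // GetRSAPrivateKey() returns the key regardless of whether it is CAPI- or CNG-backed;
                // the former `cert.PrivateKey as RSACryptoServiceProvider` cast yields null (and then a
                // NullReferenceException) whenever the key is not a CAPI key.
                using (var rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                    {
                        throw new CryptographicException("The certificate does not contain an RSA private key.");
                    }

                    // NOTE(review): copying the key into a fresh RSACryptoServiceProvider is kept from the
                    // original; presumably it works around legacy CAPI providers that cannot sign with
                    // SHA-256 -- confirm before removing. The copy is disposed as soon as the signature is made.
                    using (var rsaClear = new RSACryptoServiceProvider())
                    {
                        rsaClear.ImportParameters(rsa.ExportParameters(true));
                        byte[] byteSign = rsaClear.SignData(encoding.GetBytes(stringSignDigest),
                                                            HashAlgorithmName.SHA256,
                                                            RSASignaturePadding.Pkcs1);

                        // Set the signature field on the request.
                        reqData["signature"] = Convert.ToBase64String(byteSign);
                    }
                }
            }
        }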
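        /// <summary>
        /// Verifies the "signature" field of a response against the certificate carried in its
        /// "signPubKeyCert" field, and requires that certificate to chain to exactly the supplied
        /// intermediate and root certificates (pinned, not merely "any 3-element chain").
        /// Malformed input yields <c>false</c> rather than an exception.
        /// </summary>
        /// <param name="rspData">Response fields. Side effect: "signature" is removed from this dictionary.</param>
        /// <param name="encoding">Encoding used for the linked string and the hex digest (must match the signer).</param>
        /// <param name="rootCertRawData">Bytes of the trusted root certificate (DER or PEM).</param>
        /// <param name="middleCertRawData">Bytes of the trusted intermediate certificate (DER or PEM).</param>
        /// <returns>
        /// <c>true</c> only if the chain is exactly signCert -&gt; middleCert -&gt; rootCert, the chain
        /// builds without errors other than the root being untrusted by the machine store, and the
        /// RSA PKCS#1 v1.5 / SHA-256 signature over the hex SHA-256 digest verifies.
        /// </returns>
        public static bool Validate(Dictionary <string, string> rspData, Encoding encoding, byte[] rootCertRawData, byte[] middleCertRawData)
        {
            if (rspData == null || encoding == null || rootCertRawData == null || middleCertRawData == null)
            {
                return(false);
            }
            if (!ValidateBaseData(rspData))
            {
                return(false);
            }

            // Both fields must be present; the indexer would throw KeyNotFoundException instead.
            string signatureText;
            string signPubKeyCert;
            if (!rspData.TryGetValue("signature", out signatureText) || !rspData.TryGetValue("signPubKeyCert", out signPubKeyCert))
            {
                return(false);
            }

            // The signature is not part of the signed data; removed from the caller's dictionary as before.
            rspData.Remove("signature");

            string stringData = SDKUtil.CreateLinkString(rspData, true, false, encoding);

            // Mirror of the signer: the verified payload is the hex string of the SHA-256 digest.
            string stringSignDigest;
            using (var sha256 = SHA256.Create())
            {
                stringSignDigest = SDKUtil.ByteArray2HexString(sha256.ComputeHash(encoding.GetBytes(stringData)));
            }

            // Decode attacker-controlled Base64 fail-closed. FromBase64String ignores whitespace,
            // so PEM line breaks are fine once the armour lines are stripped.
            byte[] signByte;
            byte[] signCertRaw;
            try
            {
                signByte    = Convert.FromBase64String(signatureText);
                signCertRaw = Convert.FromBase64String(signPubKeyCert.Replace("-----END CERTIFICATE-----", "").Replace("-----BEGIN CERTIFICATE-----", ""));
            }
            catch (FormatException)
            {
                return(false);
            }

            // The pinned certificates are caller configuration; let a malformed one surface as an exception.
            using (var rootCert = new X509Certificate2(rootCertRawData))
            using (var middleCert = new X509Certificate2(middleCertRawData))
            {
                try
                {
                    using (var signCert = new X509Certificate2(signCertRaw))
                    using (var chain = new X509Chain())
                    {
                        chain.ChainPolicy.ExtraStore.Add(rootCert);
                        chain.ChainPolicy.ExtraStore.Add(middleCert);

                        // Offline verification (no CRL/OCSP). The root is pinned explicitly below instead
                        // of being required in the machine trust store, hence AllowUnknownCertificateAuthority.
                        chain.ChainPolicy.RevocationMode    = X509RevocationMode.NoCheck;
                        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

                        // Build() == false means a status other than the allowed untrusted root
                        // (e.g. NotTimeValid, NotSignatureValid). The original ignored this return value
                        // and only counted elements, so an expired signing certificate still passed.
                        if (!chain.Build(signCert))
                        {
                            return(false);
                        }

                        // Pin the chain: exactly leaf -> middle -> root, with both issuers byte-identical to
                        // the supplied certificates. Counting elements alone would accept any certificate
                        // with a 3-element chain from a CA the OS trusts or that is fetched via AIA.
                        if (chain.ChainElements.Count != 3 ||
                            !SameCertificate(chain.ChainElements[1].Certificate, middleCert) ||
                            !SameCertificate(chain.ChainElements[2].Certificate, rootCert))
                        {
                            return(false);
                        }

                        // NOTE(review): no subject/CN check is done on the signing certificate; if the
                        // protocol expects a particular subject, add that check here.
                        using (var rsa = signCert.GetRSAPublicKey())
                        {
                            if (rsa == null)
                            {
                                return(false);
                            }
                            return(rsa.VerifyData(encoding.GetBytes(stringSignDigest), signByte, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
                        }
                    }
                }
                catch (CryptographicException)
                {
                    // Unparseable certificate or signature material from the response: fail closed.
                    return(false);
                }
            }
        }

        /// <summary>Byte-for-byte comparison of two certificates' DER encodings (used for pinning).</summary>
        private static bool SameCertificate(X509Certificate2 a, X509Certificate2 b)
        {
            byte[] left  = a.RawData;
            byte[] right = b.RawData;
            if (left.Length != right.Length)
            {
                return(false);
            }
            for (int i = 0; i < left.Length; i++)
            {
                if (left[i] != right[i])
                {
                    return(false);
                }
            }
            return(true);
        }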