X.509 Certificate Support X.509 Certificate Support In The .NET FrameworkIn The .NET Framework

Kelvin Yiu – Program Manager Kelvin Yiu – Program Manager Sebastian Lange – Program ManagerSebastian Lange – Program ManagerMicrosoft CorporationMicrosoft Corporation

AgendaAgenda

.NET Framework V1.0 - V1.1.NET Framework V1.0 - V1.1 X.509 certificate related improvementsX.509 certificate related improvements CMS/PKCS #7 signing and enveloping CMS/PKCS #7 signing and enveloping

supportsupport XML signature integrated with X.509 XML signature integrated with X.509

supportsupport When will it be available?When will it be available? Questions and AnswersQuestions and Answers

.NET Framework V1.0 – V1.1.NET Framework V1.0 – V1.1

Limited X.509 supportLimited X.509 support Decoding basic X.509 V1 fieldsDecoding basic X.509 V1 fields No path validationNo path validation No certificate store managementNo certificate store management

X.509 not integrated with XMLDSIGX.509 not integrated with XMLDSIG No CMS / PKCS7 supportNo CMS / PKCS7 support

New Features In “Whidbey”New Features In “Whidbey”

System.Security.Cryptography.System.Security.Cryptography.X509CertificatesX509Certificates X.509 certificate decoding and validationX.509 certificate decoding and validation Support for managing CAPI certificate storesSupport for managing CAPI certificate stores

System.Security.Cryptography.PkcsSystem.Security.Cryptography.Pkcs Encoding and decoding CMS/PKCS #7 messagesEncoding and decoding CMS/PKCS #7 messages Full support for signing and enveloping dataFull support for signing and enveloping data

System.Security.Cryptography.XMLSystem.Security.Cryptography.XML Full support for verifying X.509 based Full support for verifying X.509 based

XMLDSIG signaturesXMLDSIG signatures Support for encrypting to X.509 based recipients Support for encrypting to X.509 based recipients

in EncryptedXmlin EncryptedXml

X.509 DecodingX.509 Decoding

Decodes single certificate and key from Decodes single certificate and key from blobs or filesblobs or files// Opens binary or base64 .cer file// Opens binary or base64 .cer fileX509CertificateEx x509 = X509CertificateEx x509 = n new X509CertificateEx(ew X509CertificateEx(fileNamefileName););

// Opens PKCS12 from blob// Opens PKCS12 from blobX509CertificateEx x509 = X509CertificateEx x509 = new X509CertificateExnew X509CertificateEx(blob, password, (blob, password, X509KeyStorageFlags.UserKeySet);X509KeyStorageFlags.UserKeySet);

Also export to blobsAlso export to blobsbyte[] pfxBlob = xbyte[] pfxBlob = x509509.Export(X509ContentType.Pfx, .Export(X509ContentType.Pfx, password password););

X.509 ExtensionsX.509 Extensions

Access to information in extensionsAccess to information in extensions Classes for Key Usage, Basic Constraints, Classes for Key Usage, Basic Constraints,

Extended Key Usage, and Subject Key Extended Key Usage, and Subject Key IdentifierIdentifier

Or add your own!Or add your own!

foreach(X509Extension extension in x509.Extensions) {foreach(X509Extension extension in x509.Extensions) { Console.WriteLine(extension.Oid.Value);Console.WriteLine(extension.Oid.Value); if (extension.Oid.Value == "2.5.29.14") {if (extension.Oid.Value == "2.5.29.14") { X509SubjectKeyIdentifierExtension ext = X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension) extension; (X509SubjectKeyIdentifierExtension) extension; Console.WriteLine(ext.SubjectKeyIdentifier);Console.WriteLine(ext.SubjectKeyIdentifier); }}}}

Certificate Path ValidationCertificate Path Validation Access to platform path validation, Access to platform path validation,

including revocation and AIA retrievalincluding revocation and AIA retrieval Simple path validation with default optionsSimple path validation with default options

if (xif (x509509.Verify()).Verify()) Console.WriteLine( Console.WriteLine("Path "Path is vis valid.");alid.");

Use X509Chain and X509ChainPolicy to set Use X509Chain and X509ChainPolicy to set advance path validation options such as:advance path validation options such as:• Extended Key UsagesExtended Key Usages• Certificate PoliciesCertificate Policies• Revocation optionsRevocation options• Verification TimeVerification Time• Network timeoutNetwork timeout

Certificate Path ValidationCertificate Path Validation

Certificate StoresCertificate Stores

Provides access to common CryptoAPI Provides access to common CryptoAPI store operations (add, remove, store operations (add, remove, enumerate, etc.)enumerate, etc.)

Open the “Personal” certificate storeOpen the “Personal” certificate storeX509Store myStore = new X509Store(“My”);X509Store myStore = new X509Store(“My”);myStore.Open(OpenFlags.ReadOnly);myStore.Open(OpenFlags.ReadOnly);

Add or remove a certificateAdd or remove a certificate

myStore.Add(x509);myStore.Add(x509);myStore.Remove(x509);myStore.Remove(x509);

Certificates CollectionCertificates Collection

Access content of the store via the Access content of the store via the X509CertificateExCollection classX509CertificateExCollection class

X509CertificateExCollection myCertsCollection = X509CertificateExCollection myCertsCollection = myStore.certificates;myStore.certificates;

X509CertificateExCollection class can X509CertificateExCollection class can also be used for working with also be used for working with PKCS7/CMS “bag of certificates”PKCS7/CMS “bag of certificates”

X509CertificateExCollection collection = X509CertificateExCollection collection = new X509CertificateExCollection();new X509CertificateExCollection();collection.Import(collection.Import(p7FileName);p7FileName);

Certificates CollectionCertificates Collection

Find / filter certificates by Find / filter certificates by subject name, issuer name, SHA1 hash, subject name, issuer name, SHA1 hash,

SKI, key usage, extended key usage, SKI, key usage, extended key usage, certificate policies and more…certificate policies and more…

// Filter certificates without key usage of // Filter certificates without key usage of // digitialSignature or has valid chain // digitialSignature or has valid chain collection = collection.Find(collection = collection.Find(X509FindTypeX509FindType.KeyUsage, .KeyUsage, X509KeyUsageFlags.DigitalSignature, true); X509KeyUsageFlags.DigitalSignature, true);

Use in a sequence for complex filteringUse in a sequence for complex filtering

Certificate DialogsCertificate Dialogs

Certificate viewer dialogCertificate viewer dialog

x509.Display();x509.Display();

Certificate selection dialogCertificate selection dialog

x509Collection.Select(“Title”, x509Collection.Select(“Title”, “ “Descriptive message”, Descriptive message”, X509SelectionFlag.SingleSelection); X509SelectionFlag.SingleSelection);

CMSCMS

CMS support (RFC 3369) on CMS support (RFC 3369) on Windows 2000 and betterWindows 2000 and better

Pre-Windows 2000 clients support Pre-Windows 2000 clients support PKCS #7PKCS #7

Supports SignedData and Supports SignedData and EvelopedData content typesEvelopedData content types

CMS Signed DataCMS Signed Data

Encode CMS Signed data using SignedCms, Encode CMS Signed data using SignedCms, CmsSigner, and ContentInfoCmsSigner, and ContentInfo

Supports multiple signers (co- and Supports multiple signers (co- and counter-signatures)counter-signatures)

X509CertificateEx signerCert = myGetSignerCert();X509CertificateEx signerCert = myGetSignerCert();ContentInfo contentInfo = new ContentInfo(msgBytes);ContentInfo contentInfo = new ContentInfo(msgBytes);

CmsSigner cmsSigner = new CmsSigner(signerCert);CmsSigner cmsSigner = new CmsSigner(signerCert);

SignedCms signedCms = new SignedCms(contentInfo);SignedCms signedCms = new SignedCms(contentInfo);signedCms.ComputeSignature(cmsSigner);signedCms.ComputeSignature(cmsSigner);byte[] encodedCms = signedCms.Encode();byte[] encodedCms = signedCms.Encode();

CMS Enveloped DataCMS Enveloped Data

Encode CMS Enveloped Data using Encode CMS Enveloped Data using ContentInfo, EnvelopedCMS, and ContentInfo, EnvelopedCMS, and CmsRecipientCmsRecipient

Supports key transport and key agreementSupports key transport and key agreement

X509CertificateEx recipientCert = GetRecipientCert();X509CertificateEx recipientCert = GetRecipientCert();ContentInfo contentInfo = new ContentInfo(msg);ContentInfo contentInfo = new ContentInfo(msg);

CmsRecipient recipient = CmsRecipient recipient = new CmsRecipient(SubjectIdentifierType.new CmsRecipient(SubjectIdentifierType. IssuerAndSerialNumber, recipientCert);IssuerAndSerialNumber, recipientCert);

EnvelopedCms envelopedCms = new EnvelopedCms(contentInfo);EnvelopedCms envelopedCms = new EnvelopedCms(contentInfo);envelopedCms.Encrypt(recipient);envelopedCms.Encrypt(recipient);envelopedCms.Encode();envelopedCms.Encode();

Validating CMS Signed DataValidating CMS Signed Data

PKI And XML SignaturesPKI And XML Signatures

SignedXMLSignedXML SignedXML.CheckSignature updated to SignedXML.CheckSignature updated to

support validating X.509 based signatures support validating X.509 based signatures and chainsand chains

X509CertificateEx exposes all the X509CertificateEx exposes all the information necessary to produce a X509 information necessary to produce a X509 KeyInfo node without P/InvokeKeyInfo node without P/Invoke

signedXml.SigningKey = (AsymmetricAlgorithm) signedXml.SigningKey = (AsymmetricAlgorithm) certificate.PrivateKey; certificate.PrivateKey;

PKI Integration with PKI Integration with XML SignatureXML Signature

PKI And XML EncryptionPKI And XML Encryption

EncryptedXMLEncryptedXML New Classes to support W3C compliant New Classes to support W3C compliant

XML EncryptionXML Encryption Fully interoperable with other Fully interoperable with other

XML EncryptionXML Encryption implementations implementations Easy to encrypt to a recipient based on Easy to encrypt to a recipient based on

their X.509 certificatetheir X.509 certificate Does not require XML input, can encrypt Does not require XML input, can encrypt

portions of a XML document (using portions of a XML document (using different keys)different keys)

XML EncryptionXML Encryption

Several types of encryptionSeveral types of encryption Triple DESTriple DES AES 128AES 128 AES 192AES 192 AES 256AES 256 RSARSA X509CertificateExX509CertificateEx

Driven throughDriven through System.Security.Cryptography.Xml.EncryptedXml ClassSystem.Security.Cryptography.Xml.EncryptedXml Class

Integration with XML Digital SignatureIntegration with XML Digital Signature XmlDecryptionTransformXmlDecryptionTransform

Sample InputSample Input<PurchaseOrder><PurchaseOrder>

<Items><Items>

<Item Code="001-001-001" Quantity="1“><Item Code="001-001-001" Quantity="1“>

Inside C#, Second EditionInside C#, Second Edition

</Item></Item>

</Items></Items>

<ShippingAddress><ShippingAddress>

One Redmond Way, Redmond, WA 98052One Redmond Way, Redmond, WA 98052

</ShippingAddress></ShippingAddress>

<PaymentInfo><PaymentInfo>

<CreditCard type="Visa" expiration="09/15/05"><CreditCard type="Visa" expiration="09/15/05">

1234-5678-9123-45671234-5678-9123-4567

</CreditCard></CreditCard>

</PaymentInfo></PaymentInfo>

</PurchaseOrder></PurchaseOrder>

Encryption CodeEncryption Code

EncryptedXml exml = new EncryptedXml(xmlDoc);EncryptedXml exml = new EncryptedXml(xmlDoc);

// encrypt the credit card element using AES-256 // encrypt the credit card element using AES-256 // object ccKey// object ccKeyexml.AddKeyNameMapping(“ccKey”, ccKey);exml.AddKeyNameMapping(“ccKey”, ccKey);EncryptedData ccEncrypted = exml.Encrypt(ccElem, EncryptedData ccEncrypted = exml.Encrypt(ccElem, “ “ccKey”);ccKey”);EncryptedXml.ReplaceElement(ccElem, ccEncrypted, true);EncryptedXml.ReplaceElement(ccElem, ccEncrypted, true);

// encrypt the customer element using AES-256 // encrypt the customer element using AES-256 // object customerKey// object customerKeyexml.AddKeyNameMapping(“customerKey”, customerKey);exml.AddKeyNameMapping(“customerKey”, customerKey);EncrypteData customerEncrypted = EncrypteData customerEncrypted = exml.Encrypt(customerElem, “customerKey”);exml.Encrypt(customerElem, “customerKey”);EncryptedXml.ReplaceElement(customerElem, EncryptedXml.ReplaceElement(customerElem, stomerEncrypted, true);stomerEncrypted, true);

Resulting XMLResulting XML<PurchaseOrder><PurchaseOrder> <Items><Items> <Item Code="001-001-001" Quantity="1“>Inside C#, Second <Item Code="001-001-001" Quantity="1“>Inside C#, Second

Edition</Item>Edition</Item> </Items></Items> <EncryptedData Type=“http://www.w3.org/2001/04/xmlenc#Element” <EncryptedData Type=“http://www.w3.org/2001/04/xmlenc#Element”

xmlns=…>xmlns=…> <EncryptionMethod <EncryptionMethod

lgorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />lgorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <KeyInfo xmlns=…><KeyName>customerKey</KeyName></KeyInfo><KeyInfo xmlns=…><KeyName>customerKey</KeyName></KeyInfo> CipherData><CipherValue>pdDtiyd7XQ.....</CipherValue></CipherData>CipherData><CipherValue>pdDtiyd7XQ.....</CipherValue></CipherData> </EncryptedData></EncryptedData> <EncryptedData Type=“http://www.w3.org/2001/04/xmlenc#Element” <EncryptedData Type=“http://www.w3.org/2001/04/xmlenc#Element”

xmlns=….>xmlns=….> <EncryptionMethod <EncryptionMethod

Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <KeyInfo xmlns=…..><KeyName>ccKey</KeyName></KeyInfo><KeyInfo xmlns=…..><KeyName>ccKey</KeyName></KeyInfo> <CipherData><CipherValue>bJlsW+q04...</CipherValue></CipherData><CipherData><CipherValue>bJlsW+q04...</CipherValue></CipherData> </EncryptedData></EncryptedData></PurchaseOrder></PurchaseOrder>

FIPS 140-2 FIPS 140-2

FIPS 140-2: a federally mandated standard FIPS 140-2: a federally mandated standard to ensure the reliability and security of to ensure the reliability and security of crypto algorithmscrypto algorithms

Most Managed Crypto Classes in the .Net Most Managed Crypto Classes in the .Net Framework call through to CAPIFramework call through to CAPI

Most of CAPI is a FIPS 140-2 validatorMost of CAPI is a FIPS 140-2 validator For FIPS 140-2 enforcing clients, .Net For FIPS 140-2 enforcing clients, .Net

Framework will only allow instantiation of Framework will only allow instantiation of crypto algorithms that call through to CAPI crypto algorithms that call through to CAPI FIPS validators FIPS validators

SummarySummary

Better PKI IntegrationBetter PKI Integration Now possible to perform all PKI tasks in Now possible to perform all PKI tasks in

managed codemanaged code X.509 validationX.509 validation Certificate store managementCertificate store management CMS / PKCS7 supportCMS / PKCS7 support X.509 Integration with XML SignatureX.509 Integration with XML Signature XML EncryptionXML Encryption

When Will These Feature When Will These Feature Be Available?Be Available? New X.509, CMS and XML encryption New X.509, CMS and XML encryption

classes ship as part of the .Net classes ship as part of the .Net Framework Whidbey releaseFramework Whidbey release

Whidbey beta released at TechEd 2004Whidbey beta released at TechEd 2004 You can try the new features now!You can try the new features now!

Whidbey release will approximately be Whidbey release will approximately be early 2005early 2005

ResourcesResources

http://msdn.microsoft.com/security/http://msdn.microsoft.com/security/ http://http://www.gotdotnet.comwww.gotdotnet.com microsoft.public.dotnet.securitymicrosoft.public.dotnet.security

newsgroupnewsgroup microsoft.public.securitymicrosoft.public.security.crypto .crypto

newsgroupnewsgroup ““.Net Framework Security” book.Net Framework Security” book

Questions?Questions?

© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.