
I am trying to sign some data using the private key from a smart card. The key algorithm is ECDSA. When I try to get the private key object, it throws a "system not supported" exception.

Then, after some research, I got to know that X509Certificate2 does not support EC keys.

    sysSec.X509Certificate2 cert = CertHelper.GetSignCertificate(serialNumber); // Get certificate from store
    var key = cert.PrivateKey; // fails for the EC key with the "not supported" exception described above

Then I tried to use the Bouncy Castle library. But here I couldn't get ECPrivateKeyParameters after parsing the X509Certificate2. Here is the code:

    // Export the certificate (and, if exportable, its private key) as PKCS#12 with a temporary password
    byte[] pkcs12Bytes = cert.Export(sysSec.X509ContentType.Pkcs12, "test");

    // Load the PKCS#12 blob into a Bouncy Castle key store
    Pkcs12Store pkcs12 = new Pkcs12StoreBuilder().Build();
    pkcs12.Load(new MemoryStream(pkcs12Bytes, false), "test".ToCharArray());

    // Look for the first key entry and cast it to the EC private key parameters
    ECPrivateKeyParameters privKey = null;
    foreach (string alias in pkcs12.Aliases)
    {
        if (pkcs12.IsKeyEntry(alias))
        {
            privKey = (ECPrivateKeyParameters)pkcs12.GetKey(alias).Key;
            break;
        }
    }

It also does not work. But a strange thing happens when I create a CMS file: it works.

    public byte[] Sign(byte[] data, X509Certificate2 certificate, bool detached)
    {
        if (data == null)
            throw new ArgumentNullException("data");
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Set up the data to sign (content type defaults to id-data)
        // ContentInfo content = new ContentInfo(new Oid("1.3.14.3.2.26"), data);
        ContentInfo content = new ContentInfo(data);
        SignedCms signedCms = new SignedCms(content, detached);

        // The signer is identified by issuer and serial number; the key is resolved from the certificate
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, certificate);

        signer.SignedAttributes.Add(new Pkcs9DocumentName("testname"));
        signer.SignedAttributes.Add(new Pkcs9SigningTime());

        // Create the signature and encode the CMS structure
        signedCms.ComputeSignature(signer);
        byte[] res = signedCms.Encode();

        // Dump the signed and unsigned attributes of every signer for inspection
        foreach (SignerInfo info in signedCms.SignerInfos)
        {
            foreach (var item in info.SignedAttributes)
            {
                string frname = item.Oid.FriendlyName ?? "null";
                Console.WriteLine(string.Format(" OID {0}  : Value {1}", frname, item.Oid.Value));
            }

            foreach (var item in info.UnsignedAttributes)
            {
                string frname = item.Oid.FriendlyName ?? "null";
                Console.WriteLine(string.Format(" OID {0}  : Value {1}", frname, item.Oid.Value));
            }
        }
        Console.WriteLine("Signed !");
        return res;
    }

So does anyone know how to handle it? Also, how do I sign from a smart card using Bouncy Castle?

Freeedy
  • You want to use `cert.GetECDsaPrivateKey()`, which will use the built-in provider (which can talk to the smart card) – bartonjs Jul 13 '20 at 00:27
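Following bartonjs's comment, here is an added example (not code from the question or from any answer) of the provider-backed path for an EC key, both as a raw ECDSA signature and through SignedCms. It assumes `cert` was obtained from the certificate store as in the question and that the runtime is .NET Core or .NET Framework 4.6.1 or later, where `GetECDsaPrivateKey()` is available.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class EcdsaCardSigner
{
    // cert.PrivateKey only understands RSA/DSA and throws NotSupportedException for EC keys.
    // GetECDsaPrivateKey() returns an ECDsa backed by the key's own provider (CSP/KSP), so the
    // hash is handed to the smart card and the private key never leaves it.
    public static byte[] SignRaw(X509Certificate2 cert, byte[] data)
    {
        using ECDsa ecdsa = cert.GetECDsaPrivateKey()
            ?? throw new InvalidOperationException("no usable EC private key");
        return ecdsa.SignData(data, HashAlgorithmName.SHA256);
    }

    // Verification needs only the public key from the certificate.
    public static bool VerifyRaw(X509Certificate2 cert, byte[] data, byte[] signature)
    {
        using ECDsa ecdsa = cert.GetECDsaPublicKey()
            ?? throw new InvalidOperationException("certificate has no EC public key");
        return ecdsa.VerifyData(data, signature, HashAlgorithmName.SHA256);
    }

    // The same key through CMS: CmsSigner resolves the EC key itself, which is why the
    // SignedCms path in the question worked while cert.PrivateKey did not.
    public static byte[] SignCms(X509Certificate2 cert, byte[] data, bool detached)
    {
        var cms = new SignedCms(new ContentInfo(data), detached);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert);
        cms.ComputeSignature(signer);
        return cms.Encode();
    }

    // Check the CMS signature against the embedded certificate; chain building is skipped
    // (verifySignatureOnly: true), so trust in the certificate must be established separately.
    public static bool VerifyCms(byte[] encoded, byte[] data, bool detached)
    {
        var cms = detached ? new SignedCms(new ContentInfo(data), true) : new SignedCms();
        cms.Decode(encoded);
        try { cms.CheckSignature(verifySignatureOnly: true); return true; }
        catch (CryptographicException) { return false; }
    }
}
```

If the card's middleware is not installed, `GetECDsaPrivateKey()` returns null rather than a key, which the `?? throw` makes visible instead of failing later inside the provider.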

1 Answer


According to my understanding, BouncyCastle is a cryptographic library. It can sign something if you provide the key. Smart cards, however, don't typically export private keys (so I have some doubts whether your certificate contains the one from the smart card) but expect commands to sign something, e.g. by receiving the respective hash value and returning the signature (after ensuring appropriate user authentication).

This is typically accomplished using a PKCS#11 interface (assuming you have a driver for it matching the command set of your card) or by sending the appropriate command APDUs directly to the card (quite complicated) from your application. I found nothing on the Bouncy Castle website suggesting that there is some support for addressing smart cards. (It may be hidden in the OpenPGP functionality, if your card is compliant with that standard.)

So, without being acquainted with BouncyCastle, it seems to me that it won't match your expectations.

guidot