如何从 C# 中的智能卡读取凭据

问题描述

在我的组织中，用户必须使用智能卡以交互方式登录到 Windows 站点(95、Vista 和 7).几乎每天，我们都需要读取存储在 SmartCard 中的凭据并将它们与 ActiveDirectory 进行比较，而无需实现自定义凭据管理器.我们比较的字段是:userPrincialName 和 sAMAccountName.

In my organization, users must use SmartCard for interactive login to a Windows stations (95,Vista and 7). almost daily, we need to read the credentials stored in the SmartCard and compaire them with the ActiveDirectory, without implementing a custom credentials manager. The fields we compare are: userPrincialName and sAMAccountName.

能否给我看一段代码，演示如何从 SmartCard 读取凭据或引导我阅读 Internet 上的文章/代码?

Can you please show me a code that demonstrates how to read the credentials from the SmartCard or guide me to an article / code on the internet?

在 Internet 上的搜索建议实施凭证管理器或使用其他语言(如 C、C++).另外，我看到了这篇文章:http://www.51sjk.com/Upload/Articles/1/0/335/335135_20221028143452263.jpg 由 orouit 编写，这是一个使用智能卡的框架 - 但我认为这对于我的简单任务来说太过分了.你怎么看?

A search over internet suggeted implementing credentials manager or using other languages (like C, C++). Also, I came across this article : http://www.51sjk.com/Upload/Articles/1/0/335/335135_20221028143452263.jpg written by orouit, which is a framework for working with SmartCards - but I think this too much for my simple task. What do you think?

推荐答案

好吧，如果在 windows 下开发，一旦你插入智能卡 windows 会从智能卡中获取所有证书并将它们放到我的证书存储中.

Well if developing under windows, once you insert smart card windows will fetch all certificates from the smart card place them to the My certificate store.

var smartCardCerts = new List<X509Certificate2>();
var myStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
myStore.Open(OpenFlags.ReadOnly);
foreach(X509Certificate2 cert in myStore.Certificates)
{
  if( !cert.HasPrivateKey ) continue; // not smartcard for sure
  var rsa = cert.PrivateKey as RSACryptoServiceProvider;
  if( rsa==null ) continue; // not smart card cert again
  if( rsa.CspKeyContainerInfo.HardwareDevice ) // sure - smartcard
  {
     // inspect rsa.CspKeyContainerInfo.KeyContainerName Property
     // or rsa.CspKeyContainerInfo.ProviderName (your smartcard provider, such as 
     // "Schlumberger Cryptographic Service Provider" for Schlumberger Cryptoflex 4K
     // card, etc
     var name = cert.Name;
     rsa.SignData(); // to confirm presence of private key - to finally authenticate
  }
}

现在基本上可以通过 .NET 获得很多加密 API.但是你也可以直接使用 API Crypto API

basically a lot of crypto API is available via .NET nowdays. But you could also use API directly Crypto API

例如您可以通过

CryptAcquireContext(&hProv,"\.<Reader Name><Container Name>",...)

其中读卡器名称是读卡器名称，容器名称是上面代码片段中的任何 rsa.KeyContainerName.有多种方法可以访问这样的信息，而 Crypto API 不是很一致或直接.作为提示，.NET 版本的 CryptAcquireContext 是带有 CspParameters 的 RSACryptoServiceProvider，如果需要，您可以在其中指定容器名称.

where reader name is card reader name and container name is whatever rsa.KeyContainerName in code snippet above. There are multiple ways to access information like that and Crypto API is not very consistent or straightforward. as a hint .NET version of CryptAcquireContext is RSACryptoServiceProvider with CspParameters where you can specify container name if needed.

在 ActiveDirectory 中找到用户可以通过 System.DirectoryServices.DirectoyEntry 和 System.DirectoryServices.DirectorySearcher 来完成，但不要忘记 System.DirectoryServices.ActiveDirectory.Forest 和相关的 API，它使某些事情更容易弄清楚.

Well finding user in ActiveDirectory may be done via System.DirectoryServices.DirectoyEntry and System.DirectoryServices.DirectorySearcher, but do not forget System.DirectoryServices.ActiveDirectory.Forest and related API which makes some things a lot easier to figure out.

你可以得到