
X.509 Certificate Support In The .NET Framework


1 X.509 Certificate Support In The .NET Framework
Kelvin Yiu, Program Manager
Sebastian Lange, Program Manager
Microsoft Corporation

2 Agenda
- .NET Framework V1.0 - V1.1
- X.509 certificate related improvements
- CMS/PKCS #7 signing and enveloping support
- XML signature integrated with X.509 support
- When will it be available?
- Questions and Answers

3 .NET Framework V1.0 - V1.1
Limited X.509 support:
- Decoding basic X.509 V1 fields
- No path validation
- No certificate store management
- X.509 not integrated with XMLDSIG
- No CMS / PKCS7 support

4 New Features In "Whidbey"
System.Security.Cryptography.X509Certificates
- X.509 certificate decoding and validation
- Support for managing CAPI certificate stores
System.Security.Cryptography.Pkcs
- Encoding and decoding CMS/PKCS #7 messages
- Full support for signing and enveloping data
System.Security.Cryptography.Xml
- Full support for verifying X.509 based XMLDSIG signatures
- Support for encrypting to X.509 based recipients in EncryptedXml

5 X.509 Decoding
Decodes a single certificate and key from blobs or files:

    // Opens a binary (DER) or base64 .cer file
    X509CertificateEx x509 = new X509CertificateEx(fileName);

    // Opens a PKCS #12 (PFX) blob; the private key is placed in the user's key set
    X509CertificateEx x509Pfx = new X509CertificateEx(blob, password, X509KeyStorageFlags.UserKeySet);

Also exports to blobs:

    // Re-exports certificate and private key as a password-protected PFX
    byte[] pfxBlob = x509Pfx.Export(X509ContentType.Pfx, password);

6 X.509 Extensions
Access to information in extensions:
- Classes for Key Usage, Basic Constraints, Extended Key Usage, and Subject Key Identifier
- Or add your own!

    foreach (X509Extension extension in x509.Extensions)
    {
        Console.WriteLine(extension.Oid.Value);
        // The OID string compared here is missing from the transcript
        if (extension.Oid.Value == " ")
        {
            // The framework already decoded this extension into its typed class
            X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension) extension;
            Console.WriteLine(ext.SubjectKeyIdentifier);
        }
    }

7 Certificate Path Validation
Access to platform path validation, including revocation and AIA retrieval.

Simple path validation with default options:

    if (x509.Verify())
        Console.WriteLine("Path is valid.");

Use X509Chain and X509ChainPolicy to set advanced path validation options such as:
- Extended Key Usages
- Certificate Policies
- Revocation options
- Verification Time
- Network timeout
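The slide's Verify() call collapses the whole chain into one bool. The following added example (written for this page, not code from the deck or from Microsoft) drives X509Chain and X509ChainPolicy directly so that every option the slide lists is set explicitly and the per-certificate status flags are visible. It uses the class names that shipped (X509Certificate2 rather than the beta-era X509CertificateEx) and, as an assumption, .NET 6 or later, where CertificateRequest can mint a throwaway self-signed certificate as the test input; in practice the certificate under test would come from a file, a store or a peer.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo
{
    // Builds the chain with explicit policy options and returns true only when the
    // chain is clean; every problem found is written out with its status flag.
    static bool ValidateChain(X509Certificate2 cert, bool tolerateUnknownRoot)
    {
        using var chain = new X509Chain();
        X509ChainPolicy policy = chain.ChainPolicy;

        // Revocation options: offline demo, so no CRL/OCSP fetch. Production code
        // would use X509RevocationMode.Online (or Offline with a cached CRL).
        policy.RevocationMode = X509RevocationMode.NoCheck;
        policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

        // Extended key usage the leaf must assert: serverAuth (OID 1.3.6.1.5.5.7.3.1).
        policy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.1"));

        // Verification time: validate as of "now" (use the signing time instead
        // when checking a long-lived signature).
        policy.VerificationTime = DateTime.Now;

        // Network timeout for AIA / CRL retrieval.
        policy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

        // Optionally accept a root that is not in the trust store (e.g. a pinned
        // private CA); all other checks still apply.
        policy.VerificationFlags = tolerateUnknownRoot
            ? X509VerificationFlags.AllowUnknownCertificateAuthority
            : X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);

        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine($"  {element.Certificate.Subject}");
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine($"    {status.Status}: {status.StatusInformation.Trim()}");
        }
        return ok;
    }

    static void Main()
    {
        // Constructed test input: a self-signed certificate carrying the serverAuth EKU.
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=chain-demo", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));

        Console.WriteLine("Strict policy:");
        Console.WriteLine(ValidateChain(cert, tolerateUnknownRoot: false)
            ? "  valid"
            : "  NOT valid (expected: UntrustedRoot, the issuer is not in the trust store)");

        Console.WriteLine("Tolerating the unknown root:");
        Console.WriteLine(ValidateChain(cert, tolerateUnknownRoot: true) ? "  valid" : "  NOT valid");
    }
}
```

Reading ChainElementStatus rather than only the return value is what lets a caller distinguish "not yet valid" from "revoked" from "wrong EKU" and log the right thing; AllowUnknownCertificateAuthority is shown only to make the point that it suppresses exactly one status and leaves the rest of the policy in force.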

8 Certificate Path Validation

9 Certificate Stores
Provides access to common CryptoAPI store operations (add, remove, enumerate, etc.).

Open the "Personal" certificate store:

    X509Store myStore = new X509Store("My");
    myStore.Open(OpenFlags.ReadOnly);

Add or remove a certificate (this requires the store to have been opened with OpenFlags.ReadWrite):

    myStore.Add(x509);
    myStore.Remove(x509);

10 Certificates Collection
Access the content of the store via the X509CertificateExCollection class:

    X509CertificateExCollection myCertsCollection = myStore.Certificates;

The X509CertificateExCollection class can also be used for working with a PKCS7/CMS "bag of certificates":

    X509CertificateExCollection collection = new X509CertificateExCollection();
    collection.Import(p7FileName);

11 Certificates Collection
Find / filter certificates by subject name, issuer name, SHA1 hash, SKI, key usage, extended key usage, certificate policies and more...

    // Keep only certificates that assert the digitalSignature key usage;
    // the last argument (validOnly = true) also drops any whose chain does not validate
    collection = collection.Find(X509FindType.KeyUsage, X509KeyUsageFlags.DigitalSignature, true);

Use in a sequence for complex filtering.
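The following added example (not code from the deck) serves both slide 6 and slide 11: it decodes the four typed extension classes the deck names and then chains two Find calls on an in-memory collection, so it runs without any store contents. It uses the shipped names (X509Certificate2, X509Certificate2Collection, X509FindType.FindByKeyUsage and FindByApplicationPolicy rather than the beta-era names on the slides) and assumes .NET 6 or later, where CertificateRequest can build the constructed test certificates. The OIDs 2.5.29.14 (subjectKeyIdentifier), 1.3.6.1.5.5.7.3.1 (serverAuth) and 1.3.6.1.5.5.7.3.2 (clientAuth) are the standard values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ExtensionDemo
{
    // Constructed test input: a self-signed certificate that carries the four
    // extension types the slide names, so the decoding below has something to show.
    static X509Certificate2 MakeCert(string subject, X509KeyUsageFlags usage, string ekuOid, bool isCa)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, critical: true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(ekuOid) }, false));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));
    }

    // Walk the extensions, switching on the typed classes the framework decodes for us;
    // anything unrecognised arrives as a raw X509Extension whose RawData is still available.
    static void DumpExtensions(X509Certificate2 cert)
    {
        Console.WriteLine(cert.Subject);
        foreach (X509Extension ext in cert.Extensions)
        {
            switch (ext)
            {
                case X509KeyUsageExtension ku:
                    Console.WriteLine($"  keyUsage ({ext.Oid.Value}): {ku.KeyUsages}, critical={ku.Critical}");
                    break;
                case X509BasicConstraintsExtension bc:
                    Console.WriteLine($"  basicConstraints: CA={bc.CertificateAuthority}");
                    break;
                case X509EnhancedKeyUsageExtension eku:
                    foreach (Oid o in eku.EnhancedKeyUsages)
                        Console.WriteLine($"  extKeyUsage: {o.Value} ({o.FriendlyName})");
                    break;
                case X509SubjectKeyIdentifierExtension ski:
                    // ext.Oid.Value is 2.5.29.14 here, the subjectKeyIdentifier OID
                    Console.WriteLine($"  subjectKeyIdentifier ({ext.Oid.Value}): {ski.SubjectKeyIdentifier}");
                    break;
                default:
                    Console.WriteLine($"  {ext.Oid.Value}: {ext.RawData.Length} bytes (not decoded)");
                    break;
            }
        }
    }

    static void Main()
    {
        const string serverAuth = "1.3.6.1.5.5.7.3.1";
        const string clientAuth = "1.3.6.1.5.5.7.3.2";
        using X509Certificate2 signer = MakeCert("CN=signer", X509KeyUsageFlags.DigitalSignature, clientAuth, false);
        using X509Certificate2 tls = MakeCert("CN=tls",
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, serverAuth, false);
        using X509Certificate2 ca = MakeCert("CN=ca", X509KeyUsageFlags.KeyCertSign, serverAuth, true);

        DumpExtensions(signer);

        // Collection filtering in sequence: keep digitalSignature certs, then those with
        // the serverAuth EKU. validOnly is false because these throwaway certificates
        // chain to no trusted root and would otherwise all be dropped.
        var all = new X509Certificate2Collection { signer, tls, ca };
        X509Certificate2Collection filtered = all
            .Find(X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, validOnly: false)
            .Find(X509FindType.FindByApplicationPolicy, serverAuth, validOnly: false);
        foreach (X509Certificate2 c in filtered)
            Console.WriteLine($"matched: {c.Subject}");   // only CN=tls satisfies both filters
    }
}
```

The validOnly flag is the one to think about in production: with it set, Find silently removes every certificate whose chain fails, which is usually what you want when picking a signing certificate but hides the reason a candidate disappeared.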

12 Certificate Dialogs
Certificate viewer dialog:

    x509.Display();

Certificate selection dialog:

    x509Collection.Select("Title", "Descriptive message", X509SelectionFlag.SingleSelection);

13 CMS
- CMS support (RFC 3369) on Windows 2000 and better
- Pre-Windows 2000 clients support PKCS #7
- Supports SignedData and EnvelopedData content types

14 CMS Signed Data
Encode CMS Signed Data using SignedCms, CmsSigner, and ContentInfo. Supports multiple signers (co- and counter-signatures).

    X509CertificateEx signerCert = myGetSignerCert();    // helper that fetches the signing certificate
    ContentInfo contentInfo = new ContentInfo(msgBytes);  // the data to be signed
    CmsSigner cmsSigner = new CmsSigner(signerCert);
    SignedCms signedCms = new SignedCms(contentInfo);
    signedCms.ComputeSignature(cmsSigner);
    byte[] encodedCms = signedCms.Encode();               // DER-encoded SignedData

15 CMS Enveloped Data
Encode CMS Enveloped Data using ContentInfo, EnvelopedCms, and CmsRecipient. Supports key transport and key agreement.

    X509CertificateEx recipientCert = GetRecipientCert();  // helper that fetches the recipient's certificate
    ContentInfo contentInfo = new ContentInfo(msg);        // the data to be encrypted
    CmsRecipient recipient = new CmsRecipient(SubjectIdentifierType.IssuerAndSerialNumber, recipientCert);
    EnvelopedCms envelopedCms = new EnvelopedCms(contentInfo);
    envelopedCms.Encrypt(recipient);
    byte[] encodedCms = envelopedCms.Encode();             // DER-encoded EnvelopedData

16 Validating CMS Signed Data
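Slide 16 is a demo slide with no transcript. As an added example (written for this page, not code from the deck), here is the round trip that demo would cover: sign with a detached SignedData, decode it on the receiving side, and call CheckSignature both ways. The two overload arguments matter: verifySignatureOnly = true proves only that the bytes were signed by the key in the message; false additionally builds and validates the signer's chain. Assumptions: .NET 6 or later with the System.Security.Cryptography.Pkcs package, shipped class names (X509Certificate2), and a constructed self-signed signer certificate from CertificateRequest.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CmsDemo
{
    // Sign 'message' as a detached CMS SignedData (the content travels separately).
    static byte[] Sign(byte[] message, X509Certificate2 signerCert)
    {
        var contentInfo = new ContentInfo(message);
        var signedCms = new SignedCms(contentInfo, detached: true);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert);
        signedCms.ComputeSignature(signer);
        return signedCms.Encode();
    }

    // Decode and verify. verifySignatureOnly=true checks only the cryptographic
    // signature; false additionally builds and validates the signer's chain.
    static bool Verify(byte[] message, byte[] encodedCms, bool verifySignatureOnly)
    {
        // For detached signatures the verifier supplies the content it holds
        var signedCms = new SignedCms(new ContentInfo(message), detached: true);
        signedCms.Decode(encodedCms);
        try
        {
            signedCms.CheckSignature(verifySignatureOnly);
            foreach (SignerInfo si in signedCms.SignerInfos)
                Console.WriteLine($"  signer: {si.Certificate?.Subject}, digest {si.DigestAlgorithm.FriendlyName}");
            return true;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"  rejected: {ex.Message}");
            return false;
        }
    }

    static void Main()
    {
        // Constructed test signer: self-signed, so it chains to no trusted root
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=cms-demo-signer", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 signerCert = req.CreateSelfSigned(
            DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));

        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] cms = Sign(message, signerCert);

        Console.WriteLine("signature only:");
        Verify(message, cms, verifySignatureOnly: true);    // accepted
        Console.WriteLine("signature + chain:");
        Verify(message, cms, verifySignatureOnly: false);   // rejected: untrusted self-signed root

        byte[] tampered = (byte[])message.Clone();
        tampered[0] ^= 0x01;
        Console.WriteLine("tampered content:");
        Verify(tampered, cms, verifySignatureOnly: true);   // rejected: digest mismatch
    }
}
```

A verifier that passes true and then never looks at SignerInfo.Certificate has checked integrity but not origin: any key can produce a message that passes. Either pass false so the chain is validated, or pass true and then compare the signer certificate against the one you expect.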

17 PKI And XML Signatures: SignedXml
- SignedXml.CheckSignature updated to support validating X.509 based signatures and chains
- X509CertificateEx exposes all the information necessary to produce an X509 KeyInfo node without P/Invoke

    signedXml.SigningKey = (AsymmetricAlgorithm) certificate.PrivateKey;
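The slide gives only the SigningKey assignment. As an added example (not code from the deck), here is the full path it implies: an enveloped signature whose KeyInfo carries the X.509 certificate, then verification against a named certificate with and without chain validation, and a detection of a post-signing edit. Assumptions: .NET 6 or later with the System.Security.Cryptography.Xml package, shipped class names, GetRSAPrivateKey() in place of the PrivateKey property shown on the slide, and a constructed self-signed certificate from CertificateRequest.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlDsigDemo
{
    // Produce an enveloped signature whose KeyInfo carries the X.509 certificate,
    // so a verifier can identify (and chain-validate) the signer.
    static void SignDocument(XmlDocument doc, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };

        var reference = new Reference { Uri = "" };   // empty URI: the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));  // <X509Data> built from the certificate
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verify against an explicitly supplied certificate; with verifySignatureOnly=false
    // SignedXml also builds and validates that certificate's chain.
    static bool VerifyDocument(XmlDocument doc, X509Certificate2 expectedSigner, bool verifySignatureOnly)
    {
        var signedXml = new SignedXml(doc);
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;              // exactly one signature expected
        signedXml.LoadXml((XmlElement)sigs[0]);
        return signedXml.CheckSignature(expectedSigner, verifySignatureOnly);
    }

    static void Main()
    {
        // Constructed test signer
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=xmldsig-demo", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));

        // Constructed input modelled on the deck's purchase order
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<PurchaseOrder><Items><Item Quantity=\"1\">Inside C#</Item></Items></PurchaseOrder>");
        SignDocument(doc, cert);

        Console.WriteLine(VerifyDocument(doc, cert, verifySignatureOnly: true));   // True
        Console.WriteLine(VerifyDocument(doc, cert, verifySignatureOnly: false));  // False: self-signed, untrusted root

        doc.DocumentElement["Items"]["Item"].SetAttribute("Quantity", "100");
        Console.WriteLine(VerifyDocument(doc, cert, verifySignatureOnly: true));   // False: signed content changed
    }
}
```

The parameterless CheckSignature() overload takes the certificate out of the document's own KeyInfo and accepts it if its chain validates; that answers "was this signed by some trusted certificate?", not "was this signed by the party I expect?". Passing the expected certificate, as above, pins the signer and is the overload to prefer when the document names its own key.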

18 PKI Integration with XML Signature

19 PKI And XML Encryption: EncryptedXml
- New classes to support W3C compliant XML Encryption
- Fully interoperable with other XML Encryption implementations
- Easy to encrypt to a recipient based on their X.509 certificate
- Does not require XML input; can encrypt portions of an XML document (using different keys)

20 XML Encryption
Several types of encryption:
- Triple DES
- AES 128
- AES 192
- AES 256
- RSA
- X509CertificateEx
Driven through the System.Security.Cryptography.Xml.EncryptedXml class.
Integration with XML Digital Signature: XmlDecryptionTransform

21 Sample Input

    <PurchaseOrder>
      <Items>
        <Item Code=" " Quantity="1">Inside C#, Second Edition</Item>
      </Items>
      <ShippingAddress>One Redmond Way, Redmond, WA 98052</ShippingAddress>
      <PaymentInfo>
        <CreditCard type="Visa" expiration="09/15/05"></CreditCard>
      </PaymentInfo>
    </PurchaseOrder>

22 Encryption Code

    EncryptedXml exml = new EncryptedXml(xmlDoc);

    // Encrypt the credit card element using the AES-256 key object ccKey
    exml.AddKeyNameMapping("ccKey", ccKey);
    EncryptedData ccEncrypted = exml.Encrypt(ccElem, "ccKey");
    EncryptedXml.ReplaceElement(ccElem, ccEncrypted, true);

    // Encrypt the customer element using the AES-256 key object customerKey
    exml.AddKeyNameMapping("customerKey", customerKey);
    EncryptedData customerEncrypted = exml.Encrypt(customerElem, "customerKey");
    EncryptedXml.ReplaceElement(customerElem, customerEncrypted, true);

23 Resulting XML

    <PurchaseOrder>
      <Items>
        <Item Code=" " Quantity="1">Inside C#, Second Edition</Item>
      </Items>
      <EncryptedData Type="…" xmlns="…">
        <EncryptionMethod Algorithm="…" />
        <KeyInfo xmlns="…"><KeyName>customerKey</KeyName></KeyInfo>
        <CipherData><CipherValue>pdDtiyd7XQ.....</CipherValue></CipherData>
      </EncryptedData>
      <EncryptedData Type="…" xmlns="…">
        <EncryptionMethod Algorithm="…" />
        <KeyInfo xmlns="…"><KeyName>ccKey</KeyName></KeyInfo>
        <CipherData><CipherValue>bJlsW+q04...</CipherValue></CipherData>
      </EncryptedData>
    </PurchaseOrder>
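Slides 21 to 23 show the input, the encryption calls and the output but not the receiving side. As an added example (not code from the deck), here is the complete round trip over a constructed copy of the deck's purchase order: two elements encrypted under two named AES-256 keys, and then DecryptDocument resolving each <KeyName> back to its key. Assumptions: .NET 6 or later with the System.Security.Cryptography.Xml package; ReplaceElement is called with content = false so that the whole element is replaced, which matches the resulting XML on slide 23.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlEncDemo
{
    // Constructed input modelled on slide 21 (the elided Code attribute is omitted)
    const string Sample =
        "<PurchaseOrder>" +
        "<Items><Item Quantity=\"1\">Inside C#, Second Edition</Item></Items>" +
        "<ShippingAddress>One Redmond Way, Redmond, WA 98052</ShippingAddress>" +
        "<PaymentInfo><CreditCard type=\"Visa\" expiration=\"09/15/05\"></CreditCard></PaymentInfo>" +
        "</PurchaseOrder>";

    // Encrypt one element under a named AES key; the <EncryptedData> produced carries
    // <KeyName> in its KeyInfo and replaces the element in place.
    static void EncryptElement(XmlDocument doc, XmlElement element, string keyName, Aes key)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, key);
        EncryptedData encrypted = exml.Encrypt(element, keyName);
        EncryptedXml.ReplaceElement(element, encrypted, content: false);
    }

    // The receiver registers the same key names and lets EncryptedXml walk the
    // document, decrypting every <EncryptedData> whose <KeyName> it can resolve.
    static void DecryptAll(XmlDocument doc, (string name, Aes key)[] keys)
    {
        var exml = new EncryptedXml(doc);
        foreach (var (name, key) in keys)
            exml.AddKeyNameMapping(name, key);
        exml.DecryptDocument();
    }

    static void Main()
    {
        // Two independent AES-256 keys, one per protected element
        using Aes ccKey = Aes.Create();
        using Aes customerKey = Aes.Create();
        ccKey.KeySize = 256;
        customerKey.KeySize = 256;

        var doc = new XmlDocument();
        doc.LoadXml(Sample);

        EncryptElement(doc, (XmlElement)doc.SelectSingleNode("//CreditCard"), "ccKey", ccKey);
        EncryptElement(doc, (XmlElement)doc.SelectSingleNode("//ShippingAddress"), "customerKey", customerKey);
        Console.WriteLine(doc.OuterXml);   // <EncryptedData ...><KeyName>ccKey</KeyName>... in place of the elements

        DecryptAll(doc, new[] { ("ccKey", ccKey), ("customerKey", customerKey) });
        Console.WriteLine(doc.OuterXml);   // original plaintext restored
    }
}
```

Two things to keep in view when using this in anger: the AES-CBC ciphertext that XML Encryption produces is not authenticated, so a document that can be altered in transit should also be signed (the XmlDecryptionTransform on slide 20 exists precisely so a signature can cover the decrypted content); and a KeyName mapping is a trust decision, since whatever key you register under a name will be used for any <EncryptedData> that names it.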

24 FIPS 140-2
- FIPS 140-2: a federally mandated standard to ensure the reliability and security of crypto algorithms
- Most managed crypto classes in the .Net Framework call through to CAPI
- Most of CAPI is FIPS validated
- For FIPS enforcing clients, the .Net Framework will only allow instantiation of crypto algorithms that call through to FIPS validated CAPI providers

25 Summary
Better PKI integration: it is now possible to perform all PKI tasks in managed code
- X.509 validation
- Certificate store management
- CMS / PKCS7 support
- X.509 integration with XML Signature
- XML Encryption

26 When Will These Features Be Available?
- New X.509, CMS and XML encryption classes ship as part of the .Net Framework Whidbey release
- Whidbey beta released at TechEd 2004; you can try the new features now!
- Whidbey release will be approximately early 2005

27 Resources
- http://msdn.microsoft.com/security/
- http://www.gotdotnet.com
- microsoft.public.dotnet.security newsgroup
- microsoft.public.security.crypto newsgroup
- ".Net Framework Security" book

28 Questions?

29 © 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

