
XML digitally sign with Smart Card


Carlos Silva1709160794


I'm responsible for a development team and we are facing problems with an XML digital signature component. We are not able to successfully sign any XML when the application is delivered/launched through the Citrix StoreFront store page, but it is fully operational when it's launched directly from the XenApp Session Host server.

 

With the main purpose of narrowing down the troubleshooting, we have developed a desktop client application, which eliminates any dependency on the policies of the browser and IIS and simplifies the communication with the smartcard reader/middleware and the certificate access (X509Store).

 

As mentioned before, it's important to highlight that this application and signature process are fully operational when launched from the user session on one of the XenApp Session Host servers. This test can be easily done by connecting to a session host server through a Remote Desktop Connection (RDP).

 

On the other hand, if it’s launched from the published apps on the “StoreFront store page” the signature operation fails:

 

The ComputeSignature function fails and raises a cryptographic exception (Invalid handler), instead of returning the signed XML document.

 

Although, we are able to:

  • Access to smartcard private information
  • Access to the Smartcard private certificates.
  • Sign PDF files
  • Read all the smartcard certificates needed for the signature process.

 

 

Before moving forward, the signature process used is very standard and doesn’t contain any middleware dependency.

Whether signing via an RDP connection or via the “StoreFront store page”, in both scenarios the full application execution steps can be observed in the Event Viewer, and they are as follows:

 

1. Starts with the preparation of the base XML (canonicalization process).

2. Creates the certificate chain collection (X509Certificate2Collection) according to the National Health Regulatory Agency requirements.

3. Certificate chain collection verification (adds the certificates to keyInfoData):

    var keyInfo = new KeyInfo();
    var keyInfoData = new KeyInfoX509Data();

    foreach (var certificate in certificates)
    {
        // Verify() returns false on a failed chain check; the result is not checked here
        certificate.Verify();
        keyInfoData.AddCertificate(certificate);
    }

    // Attach the X509Data clause so the certificates are emitted inside <KeyInfo>
    keyInfo.AddClause(keyInfoData);

4. Creates the SignedXml object:

    var signedXml = new SignedXml(objectToSign)
    {
        SigningKey = (RSACryptoServiceProvider)certificates[0].PrivateKey,
        KeyInfo = keyInfo,
        Signature =
        {
            SignedInfo =
            {
                CanonicalizationMethod = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
                SignatureMethod = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            }
        }
    };

5. Adds the reference to the signed XML (describes the digest method, digest value and “transformation” to be used for the creation of the XML digital signature):

    var reference = new Reference();
    var transform = new XmlDsigEnvelopedSignatureTransform();
    transform.LoadInput(objectToSign);
    reference.Uri = "";
    reference.AddTransform(transform);

6. Computes the XML digital signature:

    signedXml.AddReference(reference);
    signedXml.ComputeSignature();

  

Digital signatures using smart cards are generally designed such that we cannot get the private key off of them. Instead, we need to do the cryptographic operation directly on the card.

 

The ComputeSignature call (step 6) is the failure point. This method belongs to the SignedXml class, which is in the namespace System.Security.Cryptography.Xml from System.Security.dll (Microsoft .NET Framework).

 

Currently our target Microsoft .NET Framework version is 4.0.

 

I don't have a clue why it's not working when it's delivered on the StoreFront store page.

 

Thanks so much !!

 

 

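The six steps above, written out as one complete program so the failure can be located. This is an added example, not the poster's component or Citrix code. It assumes the card certificate is in CurrentUser\My and that the card middleware exposes the key through a CSP, so that cert.PrivateKey is an RSACryptoServiceProvider (the .NET 4.0 situation); the thumbprint argument, the element names in the sample document and the ProbeKey helper are constructed for the example. ProbeKey signs a few bytes with the raw key before SignedXml is involved, so a CryptographicException there points at the CSP, the middleware or the session's smart-card redirection rather than at the XML code; Verify checks the result against a pinned certificate instead of the key carried in KeyInfo.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the thread). Assumes a CSP-backed smart-card key in CurrentUser\My.
public static class SmartCardXmlSigner
{
    // Picks the certificate with the given thumbprint (or the first one with a private key).
    public static X509Certificate2 FindSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                bool match = thumbprint == null ||
                    string.Equals(cert.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase);
                if (match && cert.HasPrivateKey) return cert;
            }
            throw new InvalidOperationException("No certificate with a private key found in CurrentUser\\My");
        }
        finally { store.Close(); }
    }

    // Diagnostic step (hypothetical helper): confirm the key resolves to a hardware key container
    // and that the card signs at all, before SignedXml gets involved.
    public static void ProbeKey(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Private key is not a CSP key; SignedXml on .NET 4.0 needs RSACryptoServiceProvider");
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("Provider={0} Container={1} Hardware={2} Exportable={3}",
            info.ProviderName, info.KeyContainerName, info.HardwareDevice, info.Exportable);
        // SHA1 only because it matches the rsa-sha1 SignatureMethod used in the thread, so a
        // handle/session failure is not confused with an unsupported-algorithm one.
        byte[] sig = rsa.SignData(new byte[] { 1, 2, 3 }, "SHA1");
        Console.WriteLine("Raw on-card signature OK ({0} bytes)", sig.Length);
    }

    // Enveloped XMLDSIG signature over the whole document, with the chain embedded in <KeyInfo>.
    public static XmlDocument Sign(XmlDocument doc, X509Certificate2 signer, X509Certificate2Collection chain)
    {
        var keyInfoData = new KeyInfoX509Data();
        foreach (X509Certificate2 c in chain)
        {
            if (!c.Verify())  // chain and revocation check against the machine's trust store
                throw new CryptographicException("Chain certificate failed verification: " + c.Subject);
            keyInfoData.AddCertificate(c);
        }
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(keyInfoData);

        var signedXml = new SignedXml(doc) { SigningKey = signer.PrivateKey, KeyInfo = keyInfo };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigC14NTransformUrl;
        // SignatureMethod is left at the framework default (RSA-SHA1 on .NET 4.0); RSA-SHA256
        // on that version requires registering a SignatureDescription through CryptoConfig.

        var reference = new Reference { Uri = "" };  // "" = the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigC14NTransform());
        signedXml.AddReference(reference);

        signedXml.ComputeSignature();  // the card signs the SignedInfo digest here (the thread's step 6)
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verify against a pinned certificate, never against whatever key <KeyInfo> happens to carry.
    public static bool Verify(XmlDocument signed, X509Certificate2 expectedSigner)
    {
        XmlNodeList nodes = signed.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;
        var signedXml = new SignedXml(signed);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(expectedSigner, false);  // false = also validate the chain
    }

    public static void Main(string[] args)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Prescription><Patient>constructed sample</Patient></Prescription>");  // constructed input
        try
        {
            X509Certificate2 cert = FindSigningCertificate(args.Length > 0 ? args[0] : null);
            ProbeKey(cert);
            var chain = new X509Certificate2Collection { cert };  // add intermediates/root as the agency requires
            Sign(doc, cert, chain);
            Console.WriteLine(Verify(doc, cert) ? "Signature verified" : "Signature INVALID");
        }
        catch (CryptographicException ex)
        {
            // The HRESULT (NTE_* for CSP errors) and the failing frame separate a CSP/session
            // problem from a SignedXml one; Exception.HResult is not public on .NET 4.0.
            Console.Error.WriteLine("Crypto failure 0x{0:X8}: {1}\n{2}",
                Marshal.GetHRForException(ex), ex.Message, ex.StackTrace);
        }
    }
}
```

Run it once from an RDP session and once from the StoreFront-launched session and compare the ProbeKey output: if the provider name, container name or Hardware flag differ, or the raw SignData call already fails in the published session, the key handle is not reaching the card from that session and SignedXml is only reporting the consequence.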


Please check whether Client Certificate Authentication is working or not. You can check it from any Windows workstation with a smart card reader plugged in: open Internet Explorer and navigate to https://StoreFront-FQDN/Citrix/Authentication/Certificate/test.aspx.

 

If it works, then launch a smart card session from a web browser and run “Certutil /scinfo” command inside the session.

 

Here is a concise Smart Card Configuration document; please check it in case any configuration step is missing.

https://docs.citrix.com/en-us/storefront/downloads/smart-card-configuration-for-citrix-environments.pdf
