Security in .NET 2.0


Pierre Nallet
01.04.2005


The new security components in .NET 2.0 can greatly reduce the amount of code you need to write to make your applications secure. Security is difficult to get right, and it is a good strategy to leverage the code provided by Microsoft and other security vendors. To that end, .NET 2.0 provides numerous additional types that encapsulate functionality already provided in the base Windows OS, as well as new functionality only available in .NET 2.0. The improvements affect public key cryptography, Windows security, remoting, ASP.NET and Code Access Security. Even if you plan to stick with .NET 1.1 for a while and implement your own security classes, you might want to take inspiration from the .NET 2.0 beta.

This article will concentrate on changes to the way certificates and public keys are handled.

Certificates and certificate stores
While it is possible to store certificates in files, it is more convenient and more manageable to have them in a certificate store. Put simply, a certificate store is a database containing certificates. With the new X509Store class, you can open a store and query its certificates using several criteria including subject name and thumbprint. The new X509CertificateEx class is much richer and provides support for checking the certificate revocation list.

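The following snippet finds a certificate, builds its chain, and writes the status of each chain element to the debug output:

// Requires: using System.Diagnostics; using System.Security.Cryptography.X509Certificates;
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
// The store must be opened before its Certificates collection is read.
store.Open(OpenFlags.ReadOnly);
// X509CertificateEx is the beta name; the released .NET 2.0 calls this class X509Certificate2.
// Find returns a collection; [0] throws if no certificate has this serial number.
X509CertificateEx certificate =
    store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false)[0];
store.Close();
X509Chain chain = new X509Chain();
// ...
// Build returns false when the chain cannot be validated.
chain.Build(certificate);
foreach (X509ChainElement e in chain.ChainElements)
{
    // Each element of the chain carries its own list of status entries.
    foreach (X509ChainStatus s in e.ChainElementStatus)
    {
        Debug.WriteLine(s.Status);
        Debug.WriteLine(s.StatusInformation);
    }
    Debug.WriteLine(e.Information);
}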
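The snippet above logs the chain status without acting on it. As an added example (not code from the original article), the following makes the trust decision explicit: it sets a revocation policy, checks the return value of Build, and rejects the certificate on any error. It assumes a current .NET runtime, where the beta's X509CertificateEx is named X509Certificate2; the class and method names ChainCheck and IsTrusted are hypothetical, and the certificate is a throwaway self-signed one constructed inline.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Hypothetical helper: returns true only when the chain builds without errors.
    // 'reason' collects every chain status so a rejection can be logged.
    public static bool IsTrusted(X509Certificate2 cert, X509RevocationMode mode, out string reason)
    {
        using (X509Chain chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;                        // Online consults CRLs
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // ignore no errors
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

            bool ok = chain.Build(cert); // false when any check fails
            reason = "";
            foreach (X509ChainStatus s in chain.ChainStatus)
                reason += s.Status + " (" + s.StatusInformation + ") ";
            return ok;
        }
    }

    static void Main()
    {
        // Constructed sample input: a self-signed certificate that no trust store knows.
        RSA key = RSA.Create(2048);
        CertificateRequest req = new CertificateRequest(
            "CN=constructed-example", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

        // NoCheck keeps this demo offline; use X509RevocationMode.Online for real certificates.
        string reason;
        bool trusted = IsTrusted(cert, X509RevocationMode.NoCheck, out reason);
        Console.WriteLine(trusted ? "trusted" : "rejected: " + reason);
    }
}
```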

Public Key Cryptography Standard
In the Pkcs namespace, the new EnvelopedCms and SignedCms classes define ways to create encrypted or signed messages that contain a reference to the certificate used. As a result, processing this message is much easier because you don't have to locate the key yourself.

For example, to encrypt a message, you simply specify the content to protect and the certificate to use.

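// Requires: using System.Security.Cryptography.Pkcs;
// stuffToEncrypt is the byte[] to protect.
ContentInfo contentInfo = new ContentInfo(stuffToEncrypt);
EnvelopedCms envelopedMessage = new EnvelopedCms(contentInfo);
// The recipient is identified inside the message by certificate issuer and serial number.
CmsRecipient recipient =
    new CmsRecipient(SubjectIdentifierType.IssuerAndSerialNumber,
                     recipientCertificate);
envelopedMessage.Encrypt(recipient);
byte[] encryptedBytes = envelopedMessage.Encode();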

Decrypting the message is effortless because you don't have to specify a key; the framework finds it automatically in the appropriate store based on the embedded serial number.

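envelopedMessage = new EnvelopedCms();
envelopedMessage.Decode(encryptedBytes);
// Decode only parses the message; Decrypt() locates the recipient's private key
// in the certificate stores and decrypts the content.
envelopedMessage.Decrypt();
byte[] decryptedBytes = envelopedMessage.ContentInfo.Content;
foreach (RecipientInfo r in envelopedMessage.RecipientInfos)
{
    Debug.WriteLine("The message was sent for " +
        r.RecipientIdentifier.Value + " (" + r.RecipientIdentifier.Type + ")");
}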
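The article names SignedCms but shows only EnvelopedCms. As an added example (not code from the original article), the following signs a message and verifies it on receipt. Because a signed message carries its own signer certificate, the receiver here also pins the expected signer by thumbprint before accepting the content. It assumes a current .NET runtime with the System.Security.Cryptography.Pkcs package; SignedCmsDemo, Sign, VerifyPinned and MakeCert are hypothetical names, and the certificates and payload are constructed inline.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignedCmsDemo
{
    public static byte[] Sign(byte[] content, X509Certificate2 signerCert)
    {
        SignedCms cms = new SignedCms(new ContentInfo(content), false); // content travels inside
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert);
        signer.IncludeOption = X509IncludeOption.EndCertOnly;           // embed only the signer cert
        cms.ComputeSignature(signer);
        return cms.Encode();
    }

    // Returns the content only if the signature verifies AND the signer is the pinned certificate.
    public static byte[] VerifyPinned(byte[] encoded, string pinnedThumbprint)
    {
        SignedCms cms = new SignedCms();
        cms.Decode(encoded);
        cms.CheckSignature(true); // true = signature only; the trust decision is made below
        if (cms.SignerInfos.Count == 0)
            throw new CryptographicException("Message has no signer.");
        foreach (SignerInfo si in cms.SignerInfos)
        {
            X509Certificate2 c = si.Certificate;
            if (c == null || !string.Equals(c.Thumbprint, pinnedThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new CryptographicException("Signer is not the pinned certificate.");
        }
        return cms.ContentInfo.Content;
    }

    static X509Certificate2 MakeCert(string cn) // constructed throwaway self-signed certificate
    {
        RSA key = RSA.Create(2048); // kept alive for the lifetime of the demo
        return new CertificateRequest("CN=" + cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }

    static void Main()
    {
        X509Certificate2 sender = MakeCert("constructed-sender");
        X509Certificate2 other = MakeCert("constructed-other");
        byte[] payload = Encoding.UTF8.GetBytes("constructed sample payload");
        Console.WriteLine(Encoding.UTF8.GetString(VerifyPinned(Sign(payload, sender), sender.Thumbprint)));
        try { VerifyPinned(Sign(payload, other), sender.Thumbprint); } // validly signed, wrong signer
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```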

In addition, the Xml cryptography namespace has been improved to the level provided by the web services enhancements.

The rest of this article discusses .NET 2.0 enhancements to support for accounts, security identifiers, object level security, data protection API, and secure communication. Read it at The ServerSide.NET.

Pierre Nallet is a software consultant in the San Francisco area. He specializes in all areas of the .NET platform. He has experience in data access, object-oriented programming, component architecture, and compiler technology. He is the author of OLE DB Consumer Templates: A Programmer's Guide published by Addison-Wesley. He is also the creator of XC#, an extensible C# compiler.

