Implementing certificate authorization in asp.net

First of all I'm sorry for my bad english.

In past two days i read a lot, but didn't find out solution for my problem.

I need to implement such authorization: User openning web page, special form appears. On this form just one button "Choose certificate file". When user click it - he must choose certificate file, which will be used for authorization. This file must be stored on a flash drive and etc. Not on a computers hard drive.

I read about cer/开发者_开发知识库pfx files, but nothing about such model.

Maybe it's impossible to make this using this classes in .net

System.Security.Cryptography.X509Certificates.X509Certificate
System.Security.Cryptography.X509Certificates.X509Certificate2

At the same time forms authorization will be implemented on this site, so user can choose how to authorize.

Update: I think that these classes can't be used for this model. Can you advise me anything else?

First of all you will need a SSL enabled web page. You can't develop it with the included development web server (cassini). It is possible to develop such an authentication model using IIS Express or a local IIS instance. SSL authentication cannot be controlled from your code directly and depends on IIS web page folder settings. Take a look at this article.

As for the GUI experience, certificates are normally stored in certificate stores, which are secure, and cannot be controlled from within client-side pages/scripts. When the web browser gets a response with a client certificate negotiation request a browser/platform specific dialog is displayed showing all compatible client certificates. On the server-side you can control which certificates are viable for the client to select by installing the appropriate root certificates from the trusted certificate authorities. However you cannot control what certificates (weather they are stored on a supported smart-card or are stored locally on the hard drive) are available to the client for selection any further.

UPDATE

In your case, I think what you want is not possible within a web browser over a client authenticated HTTPS session since you cannot control how it manages it's certificate store.

However it would be possible if you developed a plug-in that would access a portable certificate store on the client's USB drive. I think I would go with a JAVA applet running in background, and creating a public API that could be accessed from the page's javascript, for the following reasons:

• Available on multiple platforms/browsers
• Can run in full trust mode in a SSL enabled web page
• Can threat PFX files as certificate stores (see)

You would need to implement the authentication/handshake part yourself, say by having the applet sign an XML document/fragment (could also an addition containt username and password hash) using XMLDSIG (which can contain the singer's public key and is supported in .net). Upon successful validation of the signed XML you could then return a normal authentication cookie to the client.