问题描述
我需要在字节数组中导出和导入带有私钥的生成证书,除非我使用 .NET 框架 4.0 和 4.5,否则我没有任何问题.我正在使用 BouncyCastle 库生成自签名证书,然后将它们转换为 .NET 格式(X509Certificate2目的).不幸的是,升级到最新框架后,我无法导出私钥.代码如下:
I need to export and import generated certificates with private keys to and from byte arrays, and I don't have any problems unless I use .NET framework 4.0 and 4.5. I'm generating self-signed certificates with BouncyCastle library and then converting them to .NET format (X509Certificate2 object). Unfortunately with the upgrade to a newest framework I cannot export private keys. Here is the code:
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
namespace X509CertificateExport
{
class Program
{
static void Main(string[] args)
{
var certificate = Generate();
var exported = certificate.Export(X509ContentType.Pfx);
var imported = new X509Certificate2(exported, (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
Console.WriteLine("Certificate has private key: " + imported.HasPrivateKey);
Console.ReadKey();
}
public static X509Certificate2 Generate()
{
var keyPairGenerator = new RsaKeyPairGenerator();
var secureRandom = new SecureRandom(new CryptoApiRandomGenerator());
keyPairGenerator.Init(new KeyGenerationParameters(secureRandom, 1024));
var keyPair = keyPairGenerator.GenerateKeyPair();
var publicKey = keyPair.Public;
var privateKey = (RsaPrivateCrtKeyParameters)keyPair.Private;
var generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
generator.SetSubjectDN(new X509Name("CN=Test"));
generator.SetIssuerDN(new X509Name("CN=Test"));
generator.SetNotAfter(DateTime.Now + new TimeSpan(10, 10, 10, 10));
generator.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
generator.SetSignatureAlgorithm("MD5WithRSA");
generator.SetPublicKey(publicKey);
var newCert = generator.Generate(privateKey);
var dotNetPrivateKey = ToDotNetKey(privateKey);
var dotNetCert = new X509Certificate2(DotNetUtilities.ToX509Certificate(newCert));
dotNetCert.PrivateKey = dotNetPrivateKey;
return dotNetCert;
}
public static AsymmetricAlgorithm ToDotNetKey(RsaPrivateCrtKeyParameters privateKey)
{
var rsaProvider = new RSACryptoServiceProvider();
var parameters = new RSAParameters
{
Modulus = privateKey.Modulus.ToByteArrayUnsigned(),
P = privateKey.P.ToByteArrayUnsigned(),
Q = privateKey.Q.ToByteArrayUnsigned(),
DP = privateKey.DP.ToByteArrayUnsigned(),
DQ = privateKey.DQ.ToByteArrayUnsigned(),
InverseQ = privateKey.QInv.ToByteArrayUnsigned(),
D = privateKey.Exponent.ToByteArrayUnsigned(),
Exponent = privateKey.PublicExponent.ToByteArrayUnsigned()
};
rsaProvider.ImportParameters(parameters);
return rsaProvider;
}
}
}
仔细查看生成的证书后,我注意到 PrivateKey.CspKeyContainerInfo.Exportable 标志对于 .NET 框架 3.5 是正确的,但对于更高版本,它会抛出:
After a closer look to the generated certificate I've noticed that PrivateKey.CspKeyContainerInfo.Exportable flag is true for .NET framework 3.5, but for later versions it throws:
'Exportable' threw an exception of type
'System.Security.Cryptography.CryptographicException' / Key does not exist
我看到的唯一区别是 PrivateKey.CspKeyContainerInfo.m_parameters.Flags:.NET 3.5 - 'NoFlags';.NET 4.5 - 'CreateEphemeralKey'.文档指出,CreateEphemeralKey"创建了一个临时密钥,该密钥在关联的 RSA 对象关闭时释放.它是在 4.0 框架中引入的,之前并不存在.我试图通过显式创建 CspParameters 来摆脱这个标志:
The only difference I see is in PrivateKey.CspKeyContainerInfo.m_parameters.Flags: .NET 3.5 - 'NoFlags'; .NET 4.5 - 'CreateEphemeralKey'. Documentation states that 'CreateEphemeralKey' creates a temporary key that is released when the associated RSA object is closed. It was introduced with 4.0 framework and didn't exist before. I've tried to get rid off this flag by creating CspParameters explicitly:
public static AsymmetricAlgorithm ToDotNetKey(RsaPrivateCrtKeyParameters privateKey)
{
var cspParams = new CspParameters
{
Flags = CspProviderFlags.UseMachineKeyStore
};
var rsaProvider = new RSACryptoServiceProvider(cspParams);
// ...
但没有运气.无论如何都添加了CreateEphemeralKey",所以我得到了结果 UseMachineKeyStore |CreateEphemeralKey
标志,我不知道如何删除它.有没有办法可以忽略此标志并正常导出带有私钥的证书?
but with no luck. 'CreateEphemeralKey' is added anyway, so I'm getting as a result UseMachineKeyStore | CreateEphemeralKey
flags and I don't see how I can remove it. Is there a way I can ignore this flag and export the certificate with private key normally?
推荐答案
我没有注意到在.NET 4.0 和.NET 4.5 中创建密钥后 CspKeyContainerInfo.CspParameters.KeyContainerName
为空,但是它是在 .NET 3.5 中自动生成的.我已经为容器设置了一个唯一的名称,现在我可以导出私钥了.
I haven't noticed that CspKeyContainerInfo.CspParameters.KeyContainerName
is empty after key creation in .NET 4.0 and .NET 4.5, but it was autogenerated in .NET 3.5. I've set a unique name for container and now I'm able to export the private key.
public static AsymmetricAlgorithm ToDotNetKey(RsaPrivateCrtKeyParameters privateKey)
{
var cspParams = new CspParameters
{
KeyContainerName = Guid.NewGuid().ToString(),
KeyNumber = (int)KeyNumber.Exchange,
Flags = CspProviderFlags.UseMachineKeyStore
};
var rsaProvider = new RSACryptoServiceProvider(cspParams);
// ...
这篇关于无法使用私钥将生成的证书导出到 .NET 4.0/4.5 中的字节数组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!