[英]No error encrypting / decrypting data with an expired certificate using RSACryptoServiceProvider
I currently doing a proof of concept to encrypt data using a certificate. 我目前正在做一个概念证明,以使用证书对数据进行加密。 It works well but now, I want to try a scenario when the certificate is expired. 它运作良好,但现在,我想尝试证书过期的情况。 I created an expired certificate and I was surprise to notice that everthing works property even with the expired certificate. 我创建了一个过期的证书,但令我惊讶的是,即使使用了过期的证书,一切正常。 I was expecting an error. 我期待一个错误。
Do you know if it's because it's a self signed certificate ? 您是否知道这是因为它是自签名证书?
Here's the code I using to test my case 这是我用来测试案例的代码
[TestMethod]
public void Encrypt_decrypt_with_expired_certificate()
{
//Arrange
var baseString = "This is an encryption test";
X509Certificate2 newX509Certificate2 = new X509Certificate2("d:\\testx509certExpired.pfx", "apassword");
Console.WriteLine(newX509Certificate2.NotAfter); //Show the expiration date which is in the past
var encryptor = new CertificateEncryptor(newX509Certificate2); //This class is a simple wrapper around RSACryptoServiceProvider
//Act
string encryptedResult = encryptor.Encrypt(baseString); //Exception expected because of the expired certificate but not thrown
//Assert
Console.WriteLine("Base string : {0}", baseString);
Console.WriteLine("Encrypted string : {0}", encryptedResult);
Assert.IsNotNull(encryptedResult);
//revert back
string decryptedString = encryptor.Decrypt(encryptedResult);
Console.WriteLine("Decrypted string : {0}", decryptedString);
Assert.AreEqual(baseString, decryptedString);
}
Thanks 谢谢
As GregS said, RSACryptoServiceProvider
class (not X509Certificate2) provides an ability to perform cryptographic operations. 正如GregS所说, RSACryptoServiceProvider
类(不是X509Certificate2)提供了执行加密操作的能力。 RSACryptoServiceProvider
knows nothing about certificate, it knows only keys and their parameters. RSACryptoServiceProvider
对证书一无所知,只知道密钥及其参数。 This is why you don't see any errors. 这就是为什么您看不到任何错误的原因。
This means that certificate validation -- is your app responsibility. 这意味着证书验证-是您的应用程序责任。 You should check certificate when encrypting data and skip all certificate checks to decrypt data. 加密数据时应检查证书,并跳过所有证书检查以解密数据。
When attempting to access the X509Certificate2.PublicKey.Key attribute of the certificate, a CryptographicException should be thrown if the certificate is not within its validity period. 尝试访问证书的X509Certificate2.PublicKey.Key属性时,如果证书不在其有效期内,则应引发CryptographicException。
Here is how I load the public & private keys from a certificate to perform cryptographic operations: 这是我从证书加载公钥和私钥以执行加密操作的方式:
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
class Example
{
private RSACryptoServiceProvider publicKey,
privateKey;
private bool getRSAKeys(X509Certificate2 cert, StoreLocation location)
{
try
{
//This will throw a CryptographicException if the certificate is expired
publicKey = (RSACryptoServiceProvider)cert.PublicKey.Key;
privateKey = (RSACryptoServiceProvider)cert.PrivateKey;
return true;
}
catch (CryptographicException e)
{
Console.WriteLine("The certificate is expired or otherwise unusable\r\n" + e.ToString());
return false;
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.