
How to check whether an X509Certificate2 is exportable or not

using System.Security.Cryptography.X509Certificates;

// thumbprint: hex thumbprint string of the certificate to look up
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

var certificates = store.Certificates.Find(
    X509FindType.FindByThumbprint, thumbprint, false);

// Throws if no certificate matched the thumbprint
X509Certificate2 cert = certificates[0];
store.Close();

Now we have an X509Certificate2 instance. How to check whether the private key is exportable or not? (preferably without trying to export explicitly)

Another approach I found here: How to determine whether an X509Certificate2 is exportable

X509Certificate2.PrivateKey gets the AsymmetricAlgorithm object that represents the private key associated with a certificate.

The RSACryptoServiceProvider class is an AsymmetricAlgorithm.

Then get the RSACryptoServiceProvider.CspKeyContainerInfo, which is a CspKeyContainerInfo object that has an Exportable property that: Gets a value indicating whether a key can be exported from a key container.

Update: works. So, if you use RSA certificates, it is an acceptable approach.

Looking at the reference source, the implementation of the Export method makes the following checks:

  • That the X509ContentType parameter is Cert, SerializedCert or Pfx.
  • When the content type is Pfx it makes a key container permission demand for both Export and Open permissions.

Beyond this, everything else happens via internal calls to the CLR, so it's much harder to say what demands are made of the caller. I can't observe a check in the source which tests for the exportable flag.

This is a scenario where I would suggest you attempt to perform the export and handle any exceptions as feedback; you cannot reasonably predict the outcome of the call with the information exposed by the certificate.

Use this method:

using System.Security.Cryptography.X509Certificates;

// Attempts the export and reports success; any exception (not only
// CryptographicException) is treated as "not exportable".
public static bool CheckCertificateIsExportable(X509Certificate2 certForCheck, X509ContentType certType)
{
    try
    {
        certForCheck.Export(certType);
        return true;
    }
    catch
    {
        return false;
    }
}

How to use:

if (CheckCertificateIsExportable(certForCheck, X509ContentType.Pkcs12))
{
    // Do...
}
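As an added example (not code from any of the answers above) that combines the two approaches: inspect the key provider's export policy where one is exposed, and fall back to the trial export only when it is not. It assumes Windows with .NET Framework 4.6+ or .NET on Windows, an RSA private key, and a certificate already loaded as in the question.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ExportabilityCheck
{
    // Returns true/false when the key provider exposes an export policy,
    // null when it does not, so the caller can decide whether to fall back
    // to attempting the export.
    public static bool? PrivateKeyExportableByPolicy(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return false;

        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                return null; // not an RSA key; nothing to inspect here

            // Legacy CAPI provider: the CspKeyContainerInfo.Exportable flag
            // is what the "another approach" post above relies on.
            if (rsa is RSACryptoServiceProvider csp)
                return csp.CspKeyContainerInfo.Exportable;

            // CNG provider: the key's export policy carries the same information.
            if (rsa is RSACng cng)
                return (cng.Key.ExportPolicy & CngExportPolicies.AllowExport) != CngExportPolicies.None;
        }
        return null; // unknown provider; no policy flag to inspect
    }

    // Fallback from the trial-export answer: only CryptographicException is
    // treated as "not exportable", so unrelated failures still surface.
    public static bool PrivateKeyExportableByTrial(X509Certificate2 cert)
    {
        try
        {
            cert.Export(X509ContentType.Pfx); // X509ContentType.Pkcs12 is an alias of Pfx
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    public static bool IsExportable(X509Certificate2 cert)
    {
        return PrivateKeyExportableByPolicy(cert) ?? PrivateKeyExportableByTrial(cert);
    }
}
```

The policy check avoids materialising PFX bytes in memory for keys whose provider already says no, which is the reason the original question preferred not to export explicitly.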
