Should I dispose of X509Certificate2?

I'm using IdentityServer4 and I want to load a signing certificate from a file. For example,

var certificate = new X509Certificate2(
        path, 
        password, 
        X509KeyStorageFlags.EphemeralKeySet);

services.AddIdentityServer()
        .AddSigningCredential(certificate)
...
certificate.Dispose();

The code above won't work when I request the token from IdentityServer. But it will work if I remove certificate.Dispose();.

I also tried another option. I created an RsaSecurityKey from the certificate's private key and used it for adding the signing credential. And in this case disposing will not break anything.

var rsk = new RsaSecurityKey(certificate.GetRSAPrivateKey());

services.AddIdentityServer()
        .AddSigningCredential(rsk)
...
certificate.Dispose();

So my question is more general. Should I dispose of an X509Certificate2 object created from the existing certificate?


From Microsoft Docs:

Starting with the .NET Framework 4.6, this type implements the IDisposable interface. When you have finished using the type, you should dispose of it either directly or indirectly.

By looking at the .NET Core source code, X509Certificate2 and its base class X509Certificate use the class CertificatePal to deal with the certificate. The CertificatePal class supports creation of objects of the class from various sources: blob, file, certificate store. It calls Windows CryptoAPI to get a handle to the certificate when creating the object. So, after using the object, it would be necessary to free the resources pointed to by the handle. The good news is that the handle is stored in a SafeCertContextHandle object, which is guaranteed to close the handle after the garbage collector collects the X509Certificate2 object and finishes calling the finalizers of the objects. My understanding is that we don't need to call the Dispose method manually.

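No, you should not dispose of the certificate object while the application is running, because when it is requested, IdentityServer will try to use the disposed certificate object and will fail.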
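
An added example (not part of the original question or answers, and not IdentityServer's own code) of tying the certificate's lifetime to the host, so that it is disposed only once IdentityServer can no longer be asked to sign with it. It assumes ASP.NET Core 3.x with a Startup class; the configuration keys Signing:Path and Signing:Password and the empty in-memory stores are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _config;
    private X509Certificate2 _signingCertificate;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Hypothetical configuration keys; use the path and password of your deployment.
        _signingCertificate = new X509Certificate2(
            _config["Signing:Path"],
            _config["Signing:Password"],
            X509KeyStorageFlags.EphemeralKeySet);

        // Release the handle if the file turns out to be unusable for signing.
        if (!_signingCertificate.HasPrivateKey)
        {
            _signingCertificate.Dispose();
            throw new InvalidOperationException("Signing certificate has no private key.");
        }

        services.AddIdentityServer()
            .AddSigningCredential(_signingCertificate)
            // Empty placeholder stores so the sample is complete.
            .AddInMemoryIdentityResources(Array.Empty<IdentityResource>())
            .AddInMemoryApiResources(Array.Empty<ApiResource>())
            .AddInMemoryClients(Array.Empty<Client>());
    }

    public void Configure(IApplicationBuilder app, IHostApplicationLifetime lifetime)
    {
        // The certificate must outlive every token request, so release it
        // only once the host has fully stopped.
        lifetime.ApplicationStopped.Register(() => _signingCertificate.Dispose());

        app.UseIdentityServer();
    }
}
```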
