stackoom
  简体   繁体   中英

How to tell if X.509 Certificate is Exportable?

 原文  2016-11-07 14:09:57       c#/ windows/ ssl/ certificate/ x509certificate

Question

I have a simple C# DotNet console app that enumerates the certificates in a location/store. It displays things like the following:

  • x509.SerialNumber
  • x509.Issuer
  • x509.Subject
  • x509.HasPrivateKey

Is there any property that will tell whether the Certificate is exportable? I could not find one, but I am fairly new to this.

2 answers

solution1
 1  2016-11-07 14:27:40

If it's an RSA certificate you could do something like this: 

RSACryptoServiceProvider rsa = cert.PrivateKey;
var isExportable = rsa.CspKeyContainerInfo.Exportable;

solution2
 1 ACCPTED  2016-11-08 17:34:02

There's not a reliable way of doing it, because you have to cross the boundary from "implementation independent" to "implementation dependent" -- exportability isn't inherent to certificates or keys, but a function of how the key was stored.

If you're only on Windows, and you're on Windows XP or older, this will work fairly reliably: 

try
{
    ICspAsymmetricAlgorithm key = cert.PrivateKey;

    if (key != null)
    {
        return key.CspKeyContainerInfo.Exportable;
    }
}
catch (CryptographicException) {}

return whateverYouWantUnknownToBe;

Once you're on Vista or newer then it's possible to get certificates where HasPrivateKey is true, but PrivateKey throws an "invalid provider specified" exception, to work around that you need to jump up to .NET 4.6. 

// AllowExport says whether it can be exported in a PFX (encrypted key)
// AllowPlainTextExport says whether it can be exported as (e.g.) an RSAParameters structure
const CngExportPolicies RequiredPolicies = CngExportPolicies.AllowExport;

RSACng rsaCng = cert.GetRSAPrivateKey() as RSACng;

if (rsaCng != null)
{
    return (rsaCng.Key.ExportPolicy & RequiredPolicies) == RequiredPolicies;
}

// Requires 4.6.1
ECDsaCng ecdsaCng = cert.GetECDsaPrivateKey() as ECDsaCng;

if (ecdsaCng != null)
{
    return (ecdsaCng.Key.ExportPolicy & RequiredPolicies) == RequiredPolicies;
}

// Requires 4.6.2
DSACng dsaCng = cert.GetDSAPrivateKey() as DSACng;

if (dsaCng != null)
{
    return (dsaCng.Key.ExportPolicy & RequiredPolicies) == RequiredPolicies;
}

// previous code goes here.

But, ultimately, the only foolproof way is to actually try it.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to check is X509Certificate2 exportable or not How to encrypt/decrypt XMl wiith X.509 certificate correctly? c# X509Certificate2 add certificate how mark as exportable Converting a byte array to a X.509 certificate Decrypt with PrivateKey X.509 Certificate Reading an X.509 Certificate2 PrivateKey Why is this X.509 certificate considered invalid? How do you retrieve the X.509 certificate that was used to construct a X509AsymmetricSecurityKey? X509Certificate2 has private key not exportable? How to use WCF service reference client with X.509 client certificate, which is only available as .pfx file?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM