堆栈内存溢出
  繁体   English   中英

设置 X509Certificate2 PrivateKey 时出错

[英]Error setting X509Certificate2 PrivateKey

 原文  2019-02-18 17:52:28       c#/ .net-core

问题描述

我正在将 .NetFramework 4.6.1 库迁移到 .NetCore 2.2。 但我无法设置 x509certificate.PrivateKey 如下所示。

我读过这可能是由于 RSAServiceProvider 但我不知道如何设置此属性。 甚至实例化:
x509certificate.PrivateKey = 新的 RSACryptoServiceProvider();
抛出 PlatformNotSupportedException。

// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = 
certificateGenerator.Generate(signatureFactory);

// correponding private key
PrivateKeyInfo info = 
PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);

// merge into X509Certificate2
var x509certificate = new X509Certificate2(certificate.GetEncoded());

Asn1Sequence seq = (Asn1Sequence)
Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded() 
);

RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
RsaPrivateCrtKeyParameters rsaParams = new 
RsaPrivateCrtKeyParameters(
rsa.Modulus,
rsa.PublicExponent,
rsa.PrivateExponent,
rsa.Prime1,
rsa.Prime2,
rsa.Exponent1,
rsa.Exponent2,
rsa.Coefficient);

x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);

在 .NetCore 库设置 x509certificate.PrivateKey 与来自 DotNetUtilities.ToRSA(rsaParams) 的 RSA 抛出 PlatformNotSupportedException。

System.PlatformNotSupportedException
  HResult=0x80131539
  Message=Operation is not supported on this platform.
  Source=System.Security.Cryptography.X509Certificates
  StackTrace:
   at System.Security.Cryptography.X509Certificates.X509Certificate2.set_PrivateKey(AsymmetricAlgorithm value)

2 个解决方案

解决方案1
 20 已采纳  2019-02-19 15:56:36

正如 LexLi 所说,.net core 中的设计不可能在现有证书上设置私钥。

按照此处描述的内容,您可以使用 RSACertificateExtensions.CopyWithPrivateKey 方法。

代替

x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);

你可以有

var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;

要访问“CopyWithPrivateKey”扩展方法,请使用以下命令添加:

using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */

“(CopyWithPrivateKey) 将私钥与 RSA 证书的公钥结合以生成新的 RSA 证书。”

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-3.0

解决方案2
 2  2019-02-25 13:32:36

提供的解决方案对我没有帮助,所以我将把这个解决方案留在这里,希望它能帮助下一个遇到这个问题的人。

使用 CertBuilder().ConvertBouncyCert 可以将 BouncyCastle X509Certificate 转换为嵌入了公钥/私钥的 X509Certificate2。

X509Certificate2 _x509certificate2 = new CertBuilder().ConvertBouncyCert(_bouncyCertificate, subjectKeyPair);

以及我正在使用它的完整示例(基于此处提供的答案: Bouncy Castle 的 X509V3CertificateGenerator.SetSignatureAlgorithm 标记为过时。我该怎么办? )。

        public static X509Certificate2 CreateSelfSignedCertificateBasedOnCertificateAuthorityPrivateKey(string ipAddress, string issuerName, AsymmetricKeyParameter issuerPrivKey)
    {
        const int keyStrength = 4096;

        // Generating Random Numbers            
        CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
        SecureRandom random = new SecureRandom(randomGenerator);
        ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
        // The Certificate Generator
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
        certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage((new List<DerObjectIdentifier>() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), new DerObjectIdentifier("1.3.6.1.5.5.7.3.2") })));

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        certificateGenerator.SetSerialNumber(serialNumber);

        // Issuer and Subject Name
        X509Name subjectDN = new X509Name("CN=" + ipAddress);
        X509Name issuerDN = new X509Name(issuerName);
        certificateGenerator.SetIssuerDN(issuerDN);
        certificateGenerator.SetSubjectDN(subjectDN);

        // Valid For
        DateTime notBefore = DateTime.UtcNow.Date;
        DateTime notAfter = notBefore.AddYears(2);

        certificateGenerator.SetNotBefore(notBefore);
        certificateGenerator.SetNotAfter(notAfter);

        // Subject Public Key
        AsymmetricCipherKeyPair subjectKeyPair;
        var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
        var keyPairGenerator = new RsaKeyPairGenerator();
        keyPairGenerator.Init(keyGenerationParameters);
        subjectKeyPair = keyPairGenerator.GenerateKeyPair();

        certificateGenerator.SetPublicKey(subjectKeyPair.Public);

        GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.IPAddress, ipAddress));
        certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);

        // self sign certificate
        Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

        X509Certificate2 certificate2 = new CertBuilder().ConvertBouncyCert(certificate, subjectKeyPair);
        return certificate2;
    }

使用过的 nuget 包:

  • Portable.BouncyCastle by Oren Novotny 1.8.5 版
  • CryptLink.CertBuilder 由 Jermy Peterson 版本 1.1.0

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 BouncyCastle PrivateKey 到 X509Certificate2 PrivateKey 在x509certificate2中清空PrivateKey BouncyCastle PrivateKey 到 X509Certificate2 PrivateKey (ECC) X509Certificate2:使用私钥解密时访问被拒绝 获取私钥 null X509Certificate2 c# X509Certificate2:内部错误 .NET Framework x509Certificate2类,HasPrivateKey == true &amp;&amp; PrivateKey == null? 如何在 .NET Standard 2.0/Core 2.1 中使用 PrivateKey 创建 X509Certificate2? 如何获取具有 oid 的 X509Certificate2 的 PrivateKey 与 1.2.840 不同...? X509Certificate2信息
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM