[英]Can I use an X509Certificate2 within ASP.NET without using a certificate store?
[英]How to use windows store certificate (X509Certificate2) in GRPC server using .Net framework 4.7?
我從 Windows 10 證書商店獲得證書。 我從 windows 證書存儲區獲得了 X509Certificate2。 現在,我如何在 SslServerCredentials 中使用這個X509Certificate2
。 我知道我可以使用 SSL 如下:
var serverKey = File.ReadAllText("C:/repos/TestCert/server-key.pem");
var keyPair = new KeyCertificatePair(serverCert, serverKey);
var caCert = File.ReadAllText("C:/repos/TestCert/client-cert.pem");
var servCred = new SslServerCredentials(new List<KeyCertificatePair>() { keyPair }, caCert, true);
但我沒有在單獨的位置擁有上述所有證書。 我只想使用 windows 證書存儲中已有的證書。 我從 windows 商店獲得了X509Certificate2
class object。 如何將此X509Certificate2
與SslServerCredentials
class 一起使用。
為了使它起作用,您的證書在添加到存儲時必須將其私鑰標記為可導出,否則將出現錯誤。 幾年前我一起破解了這個可能針對 .NET 框架 4.7(但可能是 4.8) - 證書導出代碼完全來自其他 Stack Overflow 答案(可能包括評論中鏈接的答案)
public static class CertificateExporter
{
public static string ExportX509CertificateAsPEM(this X509Certificate2 certificate)
{
StringBuilder builder = new StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
AppendByteArrayAsPEM(builder, certificate.Export(X509ContentType.Cert));
builder.AppendLine("-----END CERTIFICATE-----");
return builder.ToString();
}
private static void AppendByteArrayAsPEM(StringBuilder builder, byte[] input)
{
var base64 = Convert.ToBase64String(input);
for (int i = 0; i < base64.Length; i += 64)
{
var line = base64.Substring(i, Math.Min(64, base64.Length - i));
builder.AppendLine(line);
}
}
public static string ExportX509PrivateRSAKey(this X509Certificate2 cert)
{
var csp = (RSACryptoServiceProvider)cert.PrivateKey;
if (csp.PublicOnly)
throw new ArgumentException("CSP does not contain a private key", "csp");
var parameters = csp.ExportParameters(true);
using (var stream = new MemoryStream())
{
var writer = new BinaryWriter(stream);
writer.Write((byte)0x30); // SEQUENCE
using (var innerStream = new MemoryStream())
{
var innerWriter = new BinaryWriter(innerStream);
EncodeIntegerBigEndian(innerWriter, new byte[] { 0x00 }); // Version
EncodeIntegerBigEndian(innerWriter, parameters.Modulus);
EncodeIntegerBigEndian(innerWriter, parameters.Exponent);
EncodeIntegerBigEndian(innerWriter, parameters.D);
EncodeIntegerBigEndian(innerWriter, parameters.P);
EncodeIntegerBigEndian(innerWriter, parameters.Q);
EncodeIntegerBigEndian(innerWriter, parameters.DP);
EncodeIntegerBigEndian(innerWriter, parameters.DQ);
EncodeIntegerBigEndian(innerWriter, parameters.InverseQ);
var length = (int)innerStream.Length;
EncodeLength(writer, length);
writer.Write(innerStream.GetBuffer(), 0, length);
}
var outputStream = new StringWriter();
var base64 = Convert.ToBase64String(stream.GetBuffer(), 0, (int)stream.Length).ToCharArray();
outputStream.WriteLine("-----BEGIN RSA PRIVATE KEY-----");
// Output as Base64 with lines chopped at 64 characters
for (var i = 0; i < base64.Length; i += 64)
{
outputStream.WriteLine(base64, i, Math.Min(64, base64.Length - i));
}
outputStream.WriteLine("-----END RSA PRIVATE KEY-----");
return outputStream.ToString();
}
}
private static void EncodeLength(BinaryWriter stream, int length)
{
if (length < 0) throw new ArgumentOutOfRangeException("length", "Length must be non-negative");
if (length < 0x80)
{
// Short form
stream.Write((byte)length);
}
else
{
// Long form
var temp = length;
var bytesRequired = 0;
while (temp > 0)
{
temp >>= 8;
bytesRequired++;
}
stream.Write((byte)(bytesRequired | 0x80));
for (var i = bytesRequired - 1; i >= 0; i--)
{
stream.Write((byte)(length >> (8 * i) & 0xff));
}
}
}
private static void EncodeIntegerBigEndian(BinaryWriter stream, byte[] value, bool forceUnsigned = true)
{
stream.Write((byte)0x02); // INTEGER
var prefixZeros = 0;
for (var i = 0; i < value.Length; i++)
{
if (value[i] != 0) break;
prefixZeros++;
}
if (value.Length - prefixZeros == 0)
{
EncodeLength(stream, 1);
stream.Write((byte)0);
}
else
{
if (forceUnsigned && value[prefixZeros] > 0x7f)
{
// Add a prefix zero to force unsigned if the MSB is 1
EncodeLength(stream, value.Length - prefixZeros + 1);
stream.Write((byte)0);
}
else
{
EncodeLength(stream, value.Length - prefixZeros);
}
for (var i = prefixZeros; i < value.Length; i++)
{
stream.Write(value[i]);
}
}
}
}
然后創建憑據:
public class SslCredentialReader
{
public SslServerCredentials CreateSslServerCredentials(string subject)
{
var certificate = GetServerCertificate(subject);
var keyPair = new KeyCertificatePair(certificate.ExportX509CertificateAsPEM(),
certificate.ExportX509PrivateRSAKey());
return new SslServerCredentials(new[] {keyPair});
}
public X509Certificate2 GetServerCertificate(string subject)
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subject, true);
store.Close();
if (certificates.Count == 0)
throw new ArgumentException($"No certificate matching the subject name {subject} could be found");
return certificates[0];
}
}
我有這個代碼工作,但它在一個舊分支上並且未經測試,希望它足以讓你到達那里。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.