不能导出RSA私钥参数,请求的操作不支持

问题描述 投票:0回答:1

我有由另一方这我加载在我的应用程序,并不能导出其私钥参数提供的证书文件。它看起来像证书是使用CNG,而不是CryptoAPI的,所以我不能直接访问私钥,只能用GetRSAPrivateKey()方法。该方法返回RSACngKey而非RSACryptoServiceProvider这是一个不同的实施RSA的。问题是返回键,似乎在其出口政策失踪CngExportPolicies.AllowPlaintextExport,所以我不能从这个证书导出RSA参数。我可以生成必要错过出口政策的新证书重现该问题:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace TestRsaCngConsole
{
    class Program
    {
        static void Main(string[] args)
        {
            var oldCertificate = CreateCertificate();
            var oldCertificateBytes = oldCertificate.Export(X509ContentType.Pfx, "");
            var newCertificate = new X509Certificate2(oldCertificateBytes, "",
                X509KeyStorageFlags.Exportable | 
                X509KeyStorageFlags.MachineKeySet | 
                X509KeyStorageFlags.PersistKeySet);

            LogCertificate(oldCertificate, "old certificate"); // this fails
            LogCertificate(newCertificate, "new certificate"); // works only on Win10
            Console.ReadKey();
        }

        private static X509Certificate2 CreateCertificate()
        {
            var keyParams = new CngKeyCreationParameters();
            keyParams.KeyUsage = CngKeyUsages.Signing;
            keyParams.Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider;
            keyParams.ExportPolicy = CngExportPolicies.AllowExport; // here I don't have AllowPlaintextExport
            keyParams.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
            var cngKey = CngKey.Create(CngAlgorithm.Rsa, Guid.NewGuid().ToString(), keyParams);
            var rsaKey = new RSACng(cngKey);
            var req = new CertificateRequest("cn=mah_cert", rsaKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pss); // requires .net 4.7.2
            var cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(5));
            return cert;
        }

        private static void LogCertificate(X509Certificate2 certificate, string name)
        {
            Console.WriteLine("----- Testing " + name + " ------");

            try
            {
                var rsaPrivateKey = certificate.GetRSAPrivateKey();
                var parameters = rsaPrivateKey.ExportParameters(true);
                Console.WriteLine("Certificate private key RSA parameters were successfully exported.");

                var privateKey = certificate.PrivateKey;
                Console.WriteLine("Certificate private key is accessible.");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
        }
    }
}

该方案显示在Windows 10上运行时的输出如下:

----- Testing old certificate ------
System.Security.Cryptography.CryptographicException: The requested operation is not supported.

   at System.Security.Cryptography.NCryptNative.ExportKey(SafeNCryptKeyHandle key, String format)
   at System.Security.Cryptography.CngKey.Export(CngKeyBlobFormat format)
   at System.Security.Cryptography.RSACng.ExportParameters(Boolean includePrivateParameters)
   at TestRsaCngConsole.Program.LogCertificate(X509Certificate2 certificate, String name) in D:\Projects\TestRsaCngConsole\TestRsaCngConsole\Program.cs:line 44
----- Testing new certificate ------
Certificate private key RSA parameters were successfully exported.
Certificate private key is accessible.

所以第一个证书无法导出私钥,因为它缺少AllowPlaintextExport标志在其出口政策。但经过重新装载旧的证书与导出标志我可以导出新的证书参数就好了。然而,它没有在Windows Server 2012或Windows Server 2016上运行,并引发了这两个证书例外:

----- Testing old certificate ------
System.Security.Cryptography.CryptographicException: The requested operation is not supported.

   at System.Security.Cryptography.NCryptNative.ExportKey(SafeNCryptKeyHandle key, String format)
   at System.Security.Cryptography.CngKey.Export(CngKeyBlobFormat format)
   at System.Security.Cryptography.RSACng.ExportParameters(Boolean includePrivateParameters)
   at TestRsaCngConsole.Program.LogCertificate(X509Certificate2 certificate, String name) in D:\Projects\TestRsaCngConsole\TestRsaCngConsole\Program.cs:line 44
----- Testing new certificate ------
System.Security.Cryptography.CryptographicException: The requested operation is not supported.

   at System.Security.Cryptography.NCryptNative.ExportKey(SafeNCryptKeyHandle key, String format)
   at System.Security.Cryptography.CngKey.Export(CngKeyBlobFormat format)
   at System.Security.Cryptography.RSACng.ExportParameters(Boolean includePrivateParameters)
   at TestRsaCngConsole.Program.LogCertificate(X509Certificate2 certificate, String name) in D:\Projects\TestRsaCngConsole\TestRsaCngConsole\Program.cs:line 44

我需要能够修复的证书,并可以导出RSA参数,即使证书原本缺少AllowPlaintextExport。什么是Windows Server上如此不同,是有办法解决的证书?

c# certificate rsa cng
1个回答
1
投票

不幸的是,导出密钥在该状态下,唯一的办法就是P /调用到NCryptExportKey建立一个加密的出口;然后导入到通过NCryptImportKey一个新的密钥,然后将出口政策AllowPlaintextExport。

在.NET启动核心3.0这将是更容易:

using (RSA exportRewriter = RSA.Create())
{
    // Only one KDF iteration is being used here since it's immediately being
    // imported again.  Use more if you're actually exporting encrypted keys.
    exportRewriter.ImportEncryptedPkcs8(
        "password",
        rsa.ExportEncryptedPkcs8(
            "password",
            new PbeParameters(
                PbeEncryptionAlgorithm.Aes128Cbc,
                HashAlgorithmName.SHA256,
                1)),
        out _);

    return exportRewriter.ExportParameters(true);
}

导出加密的.NET的核心代码是在https://github.com/dotnet/corefx/blob/64477348da1ff57a43deb65a4b12d32986ed00bd/src/System.Security.Cryptography.Cng/src/System/Security/Cryptography/CngKey.Export.cs#L126-L237,这不是一个很好的API必须从C#调用。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.