证书链X509

编程问答 2022-06-12

问题描述

嗨,我想使用c#生成证书链。 像这样:

certificate chain

我创建此代码用于生成:

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace CC.CertificateCore
{
    public class CertBuilder
    {
        public static CertResult BuildChain()
        {
            CertResult result = new CertResult();

            using ECDsa rootKey = ECDsa.Create(ECCurve.NamedCurves.brainpoolP256t1);

            result.Root = CreateCert(rootKey,"CN=Root CA","Root");

            using ECDsa aKey = result.Root.GetECDsaPublicKey();

            result.A = CreateCert(aKey,"A");

            using ECDsa bKey = result.A.GetECDsaPublicKey();

            result.B = CreateCert(bKey,"CN=A CA","B",selfSigned: true);

            return result;
        }

        private static X509Certificate2 CreateCert(ECDsa key,string issuer,string friendlyName,bool selfSigned = false)
        {
            var distinguishedName = new X500DistinguishedName(issuer);

            var request = new CertificateRequest(distinguishedName,key,HashAlgorithmName.MD5);
            request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature,false));

            var certificate = selfSigned 
                ? request.CreateSelfSigned(NotBefore(),NotAfter()) 
                : request.Create(distinguishedName,X509SignatureGenerator.CreateForECDsa(key),NotBefore(),NotAfter(),Serial());
            
            certificate.FriendlyName = friendlyName;
            
            return certificate;
        }

        public static byte[] Serial()
        {
            byte[] serial = new byte[12];

            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(serial);
            }

            return serial;
        }

        public static DateTimeOffset NotBefore()
        {
            return new DateTimeOffset(DateTime.UtcNow.AddDays(-1));
        }

        public static DateTimeOffset NotAfter()
        {
            return new DateTimeOffset(DateTime.UtcNow.AddDays(3650));
        }
    }

    public class CertResult
    {
        public X509Certificate2 Root { get; set; }
        public X509Certificate2 A { get; set; }
        public X509Certificate2 B { get; set; }
    }
}

我收到此错误(WindowsCryptographicException:'密钥不存在。):

error

我做错了什么?这条链甚至可能吗?链条是必需的,我正在实施一个概念探查,以验证是否可以完成。 该项目是一个控制台项目netcore 3.1

预先感谢

致谢

解决方法

using ECDsa aKey = result.Root.GetECDsaPublicKey();

result.A = CreateCert(aKey,"CN=Root CA","A");

...

 : request.Create(distinguishedName,X509SignatureGenerator.CreateForECDsa(key),NotBefore(),NotAfter(),Serial());

您正在尝试使用公共密钥签名。公钥无法签名。例外是说密钥的私有部分丢失了。

由于您的代码最终将使用与主题公用密钥和签名密钥相同的密钥,因此您试图将所有证书创建为自签名。您可以在每个证书中使用相同的可分辨名称来发行人和主题来加强这一点。因此根本没有链接发生。

.net-corec#c#cryptographyecdsax509certificate2

相关问答

导入项目后报错问题
依赖报错 idea导入项目后依赖报错,解决方案:https://blog....
idea不能识别yaml文件
使用mybatis plus常见错误
错误1:代码生成器依赖和mybatis依赖冲突 启动项目时报错如下...
gradle常见问题与错误
错误1:gradle项目控制台输出为乱码 # 解决方案:https://bl...
Mybatis Plus传入参数0不起作用
错误还原:在查询的过程中,传入的workType为0时,该条件不起...
linux中make编译源码包失败
报错如下,gcc版本太低 ^ server.c:5346:31: 错误:‘struct...