Problem description
I'm trying to construct an X509Certificate2 from a PKCS#12 blob in a byte array and getting a rather puzzling error. This code is running in a desktop application with administrator rights on Windows XP.
The stack trace is as follows, but I got lost trying to troubleshoot because _LoadCertFromBlob is marked [MethodImpl(MethodImplOptions.InternalCall)].
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
The blob is a true PKCS#12 generated by BouncyCastle for C# containing an RSA private key and certificate (either self-signed or recently enrolled with a CA) -- what I'm trying to do is convert the private key and certificate from the BouncyCastle library to the System.Security.Cryptography library by exporting from one and importing to the other. This code works on the vast majority of systems it's been tried on; I've just never seen that particular error thrown from that constructor. It may be some sort of environmental weirdness on that one box.
EDIT 2: The error is occurring in a different environment in a different city, and I'm unable to reproduce it locally, so I may end up having to chalk it up to a broken XP installation.
Since you asked, though, here is the fragment in question. The code takes a private key and certificate in BouncyCastle representation, deletes any previous certificates for the same Distinguished Name from the personal key store, and imports the new private key and certificate into the personal key store via an intermediate PKCS#12 blob.
// open the personal keystore
var msMyStore = new X509Store(StoreName.My);
msMyStore.Open(OpenFlags.MaxAllowed);

// remove any certs previously issued for the same DN
var oldCerts =
    msMyStore.Certificates.Cast<X509Certificate2>()
        .Where(c => X509Name
            .GetInstance(Asn1Object.FromByteArray(c.SubjectName.RawData))
            .Equivalent(CurrentCertificate.SubjectDN))
        .ToArray();
if (oldCerts.Length > 0) msMyStore.RemoveRange(new X509Certificate2Collection(oldCerts));

// build a PKCS#12 blob from the private key and certificate
var pkcs12store = new Pkcs12StoreBuilder().Build();
pkcs12store.SetKeyEntry(_Pkcs12KeyName,
    new AsymmetricKeyEntry(KeyPair.Private),
    new[] {new X509CertificateEntry(CurrentCertificate)});
var pkcs12data = new MemoryStream();
pkcs12store.Save(pkcs12data, _Pkcs12Password.ToCharArray(), Random);

// and import it. this constructor call blows up
_MyCertificate2 = new X509Certificate2(pkcs12data.ToArray(),
    _Pkcs12Password,
    X509KeyStorageFlags.Exportable);
msMyStore.Add(_MyCertificate2);
msMyStore.Close();
Recommended answer
Do you have a PKCS#12 or just a PFX file? In the Microsoft world they are the same, but others think otherwise (see this archived page).
You can try the following:

X509Certificate2 cert = new X509Certificate2(rawData, "password");
X509Certificate2 cert2 = new X509Certificate2(rawData, "password",
    X509KeyStorageFlags.MachineKeySet |
    X509KeyStorageFlags.PersistKeySet |
    X509KeyStorageFlags.Exportable);

(X509Certificate2(Byte[])) or

X509Certificate2 cert = new X509Certificate2(@"C:\Path\my.pfx", "password");

(see X509Certificate2(String, String) and Import(String, String, X509KeyStorageFlags) on Microsoft Docs if you need to use some flags)
UPDATED: It would be helpful if you insert a code fragment and not only the exception stack trace.
Which X509KeyStorageFlags do you use? You can use Process Monitor to find out which file the X509Certificate2 constructor could not find. It can be, for example, that there is no default key container for the current user on the Windows XP machine having the problem. You can create it and retry the import.
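A diagnostic example of the answer's suggestion, added here and not part of the original question or answer: it imports the same PKCS#12 blob against the default, per-user and machine key sets and records which attempt fails with which message. The class name Pkcs12ImportProbe, the sample certificate and its password are constructed for the example; generating the sample blob assumes Windows with .NET Framework 4.7.2 or later (or .NET Core), while Probe itself uses only the constructor shown above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Pkcs12ImportProbe   // hypothetical helper, not from the original post
{
    // Key sets to try in order. PersistKeySet is left out on purpose so that
    // a successful probe does not leave a key container behind on the machine.
    static readonly X509KeyStorageFlags[] Candidates =
    {
        X509KeyStorageFlags.DefaultKeySet,   // what the question's code uses implicitly
        X509KeyStorageFlags.UserKeySet,
        X509KeyStorageFlags.MachineKeySet,   // the answer's alternative
    };

    // Returns the first key set that imports the blob with its private key; logs every failure.
    public static X509KeyStorageFlags? Probe(byte[] pkcs12, string password, List<string> log)
    {
        foreach (var flags in Candidates)
        {
            try
            {
                var cert = new X509Certificate2(pkcs12, password, flags);
                bool hasKey = cert.HasPrivateKey;
                cert.Reset();                // release the certificate handle
                if (hasKey) return flags;
                log.Add(flags + ": imported, but no private key attached");
            }
            catch (CryptographicException ex) { log.Add(flags + ": " + ex.Message); }
        }
        return null;
    }

    static void Main()
    {
        const string password = "constructed-password";   // constructed sample value
        byte[] pfx;
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-example", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
                pfx = selfSigned.Export(X509ContentType.Pfx, password);
        }
        var log = new List<string>();
        X509KeyStorageFlags? working = Probe(pfx, password, log);
        log.ForEach(Console.WriteLine);
        Console.WriteLine(working.HasValue ? "Import works with: " + working.Value : "No key set accepted the blob");
    }
}
```

If only MachineKeySet succeeds, the per-user key container is the part that is failing on that machine, which is the case the answer describes; the real import can then add PersistKeySet and Exportable as in the answer's second call.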