我正在尝试在 C# 程序集(针对 .NET 4.0
)中动态(以编程方式)生成自签名证书,以用作生成其他证书的根 CA。证书不需要保存在 Windows 证书存储中,我会将其导出为文件。
通读this question (特别是 @dthorpe's answer ),我决定尝试 CLR Security .
CLR Security
库在 CngKey class 上放置了一个扩展方法生成自签名证书,但我无法成功创建 CngKey
的实例:
var key = CngKey.Create(CngAlgorithm.Sha1); //same with Sha256, Sha512 and MD5
//or
var key = CngKey.Create(CngAlgorithm.Sha1, null, new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.AllowExport,
KeyUsage = CngKeyUsages.AllUsages,
KeyCreationOptions = CngKeyCreationOptions.MachineKey,
});
任何这些行都会引发异常:
System.Security.Cryptography.CryptographicException was unhandled
HResult=-2146893783
Message=The requested operation is not supported.
Source=System.Core
StackTrace:
at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm, String keyName, CngKeyCreationParameters creationParameters)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm)
at Tests.Program.Main(String[] args) at Program.cs:line 51
通过 SO 和互联网搜索,我检查了以下内容:
- 我运行的是 Windows 7 机器(因此它支持 RPC,符合 MSDN )
- 在 Windows Server 2012 机器上试过,同样的错误
- 该进程以管理员身份运行(因此无论如何它都可以访问所有证书存储)
- 服务
CNG Key Isolation
和Remote Procedure Call (RPC)
正在运行
如有任何帮助,我们将不胜感激。
最佳答案
小题外话:在google搜索这个问题时发现a site with HRESULT
descriptions以及 SO 和 MSDN 上方便的搜索工具(我只是用谷歌搜索了你的 HRESULT
代码 -2146893783
)
我找到了一个 topic on MSDN其中包含因类似 HRESULT
而失败的代码,作者提供了一个 link to MSDN article about CNG :
NCRYPT_ALGORITHM_GROUP_PROPERTY
L"Algorithm Group"
A null-terminated Unicode string that contains the name of the object's algorithm group. This property only applies to keys. The following identifiers are returned by the Microsoft key storage provider:
- NCRYPT_RSA_ALGORITHM_GROUP
"RSA", TheRSA
algorithm group.- NCRYPT_DH_ALGORITHM_GROUP
"DH", TheDiffie-Hellman
algorithm group.- NCRYPT_DSA_ALGORITHM_GROUP
"DSA", TheDSA
algorithm group.- NCRYPT_ECDSA_ALGORITHM_GROUP
"ECDSA", Theelliptic curve DSA
algorithm group.- NCRYPT_ECDH_ALGORITHM_GROUP
"ECDH", Theelliptic curve Diffie-Hellman
algorithm group.
我还在 MSDN 上找到了一篇关于 CNG Key Storage Providers 的文章,其中包含类似的算法列表:
- Diffie-Hellman (DH)
Secret agreement and key exchange,512 to 4096 in 64-bit increments
- Digital Signature Algorithm (DSA) Signatures,
512 to 1024 in 64-bit increments
- Elliptic Curve Diffie-Hellman (ECDH) Secret agreement and key exchange,
P256, P384, P521
- Elliptic Curve Digital Signature Algorithm (ECDSA) Signatures,
P256, P384, P521
- RSA Asymmetric encryption and signing,
512 to 16384 in 64-bit increments
所以,正如您所说,您只尝试了 Sha1
、Sha256
、Sha512
和 MD5
,也许你只是使用另一个 algorithm from list available ?你可以找到上面提到的:
Here other developers successfully created其中之一,并且能够将其导出:
var cngKey = CngKey.Create(CngAlgorithm.ECDiffieHellmanP256, null,
new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport });
关于c# - CngKey.Create 不支持请求的操作,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40912625/