Problem description
I'm trying to construct an X509Certificate2 from a PKCS#12 blob in a byte array and getting a rather puzzling error. This code is running in a desktop application with administrator rights on Windows XP.
The stack trace is as follows, but I got lost trying to troubleshoot because _LoadCertFromBlob is marked [MethodImpl(MethodImplOptions.InternalCall)].
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
The blob is a true PKCS#12 generated by BouncyCastle for C# containing an RSA private key and certificate (either self-signed or recently enrolled with a CA) -- what I'm trying to do is convert the private key and certificate from the BouncyCastle library to the System.Security.Cryptography library by exporting from one and importing to the other. This code works on the vast majority of systems it's been tried on; I've just never seen that particular error thrown from that constructor. It may be some sort of environmental weirdness on that one box.
EDIT 2: The error is occurring in a different environment in a different city, and I'm unable to reproduce it locally, so I may end up having to chalk it up to a broken XP installation.
Since you asked, though, here is the fragment in question. The code takes a private key and certificate in BouncyCastle representation, deletes any previous certificates for the same Distinguished Name from the personal key store, and imports the new private key and certificate into the personal key store via an intermediate PKCS#12 blob.
    // open the personal keystore
    var msMyStore = new X509Store(StoreName.My);
    msMyStore.Open(OpenFlags.MaxAllowed);

    // remove any certs previously issued for the same DN
    var oldCerts =
        msMyStore.Certificates.Cast<X509Certificate2>()
            .Where(c => X509Name
                .GetInstance(Asn1Object.FromByteArray(c.SubjectName.RawData))
                .Equivalent(CurrentCertificate.SubjectDN))
            .ToArray();
    if (oldCerts.Length > 0) msMyStore.RemoveRange(new X509Certificate2Collection(oldCerts));

    // build a PKCS#12 blob from the private key and certificate
    var pkcs12store = new Pkcs12StoreBuilder().Build();
    pkcs12store.SetKeyEntry(_Pkcs12KeyName,
        new AsymmetricKeyEntry(KeyPair.Private),
        new[] {new X509CertificateEntry(CurrentCertificate)});
    var pkcs12data = new MemoryStream();
    pkcs12store.Save(pkcs12data, _Pkcs12Password.ToCharArray(), Random);

    // and import it. this constructor call blows up
    _MyCertificate2 = new X509Certificate2(pkcs12data.ToArray(),
        _Pkcs12Password,
        X509KeyStorageFlags.Exportable);
    msMyStore.Add(_MyCertificate2);
    msMyStore.Close();
Recommended answer
Do you have a PKCS#12 or just a PFX file? In the Microsoft world they are the same, but others think otherwise (see this archived page).
You can try the following:
    // rawData is the byte[] holding the PKCS#12 blob
    X509Certificate2 cert = new X509Certificate2(rawData, "password");
    X509Certificate2 cert2 = new X509Certificate2(rawData, "password",
        X509KeyStorageFlags.MachineKeySet |
        X509KeyStorageFlags.PersistKeySet |
        X509KeyStorageFlags.Exportable);
(X509Certificate2(Byte[])) or
    X509Certificate2 cert = new X509Certificate2(@"C:\Path\my.pfx", "password");
(see X509Certificate2(String, String) and Import(String, String, X509KeyStorageFlags) on Microsoft Docs if you need to use some flags)
UPDATED: It would be helpful if you insert a code fragment and not only the exception stack trace.
Which X509KeyStorageFlags do you use? You can use Process Monitor to find out which file the X509Certificate2 constructor could not find. It may be, for example, that there is no default key container for the current user on the Windows XP machine having the problem. You can create it and retry the import.
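Added example (not part of the original question or answer, and not code from BouncyCastle or Microsoft): a small C# probe for the two things the answer suggests checking, namely whether the key container directories exist and which X509KeyStorageFlags combination the import fails with. Pkcs12ImportProbe and TryImport are hypothetical names, the directory layout is assumed to be the default CryptoAPI one, and the sample blob is built with CertificateRequest, which assumes .NET Framework 4.7.2 or later on Windows.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Pkcs12ImportProbe   // hypothetical name, added example
{
    // Attempt one import and describe the outcome instead of throwing.
    static string TryImport(byte[] pfx, string password, X509KeyStorageFlags flags)
    {
        try
        {
            using (var cert = new X509Certificate2(pfx, password, flags))
                return "ok, HasPrivateKey=" + cert.HasPrivateKey;
        }
        catch (CryptographicException ex)
        {   // 0x80070002 is ERROR_FILE_NOT_FOUND, the error in the question
            return "failed, HRESULT=0x" + ex.HResult.ToString("X8") + ": " + ex.Message;
        }
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate as PKCS#12.
        const string password = "example-password";
        byte[] pfx;
        var now = DateTimeOffset.UtcNow;
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=pkcs12-probe", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var self = req.CreateSelfSigned(now, now.AddDays(1)))
                pfx = self.Export(X509ContentType.Pfx, password);
        }
        // Where CryptoAPI keeps RSA key container files (assumed default layout).
        string userDir = Path.Combine(Environment.GetFolderPath(
            Environment.SpecialFolder.ApplicationData), @"Microsoft\Crypto\RSA");
        string machineDir = Path.Combine(Environment.GetFolderPath(
            Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys");
        foreach (var dir in new[] { userDir, machineDir })
            Console.WriteLine("{0} exists: {1}", dir, Directory.Exists(dir));
        // PersistKeySet is left out so the probe does not persist keys on the machine.
        foreach (var flags in new[] {
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable })
            Console.WriteLine("{0}: {1}", flags, TryImport(pfx, password, flags));
    }
}
```

To probe a machine with an older framework, drop the CertificateRequest part and pass your own PKCS#12 bytes to TryImport.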