2

可能重复:
生成的签名 X.509 客户端证书无效(其 CA 没有证书链)

我按照以下示例进行操作:

http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation

但生成的签名客户端证书在 Windows 中打开时出现以下错误:

“此文件无法用作以下用途:安全证书”

如果我仍然安装它并使用 certmgr 查看它,则证书路径看起来不错 - 我看到我的自签名证书颁发机构(很好,没有问题),但客户端证书具有以下状态:

“此证书的数字签名无效。”

如果我调用 X509Certificate.Verify() 它会引发以下异常:

“提供的公钥不用于证书签名”

然而,我使用的是从 Pkcs10CertificationRequest 中提取的完全相同的公钥,当我调用 Verify() 时,这很好。

有任何想法吗?经过几天的努力,除了最后一个之外,我已经完成了所有工作 - 真正令人困惑的是我的自签名 CA 证书很好。客户端证书发生了一些事情。这是整个代码块:

        TextReader textReader = new StreamReader("certificaterequest.pkcs10");
        PemReader pemReader = new PemReader(textReader);

        Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject();
        CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo();
        SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo;

        RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey());

        RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);

        bool certIsOK = certificationRequest.Verify(publicKey);
        // public key is OK here...

        // get the server certificate
        Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer"));

        // get the server private key
        byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key");
        AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes);

        // generate the client certificate
        X509V3CertificateGenerator generator = new X509V3CertificateGenerator();

        generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
        generator.SetIssuerDN(serverCertificate.SubjectDN);
        generator.SetNotBefore(DateTime.Now);
        generator.SetNotAfter(DateTime.Now.AddYears(5));
        generator.SetSubjectDN(certificationRequestInfo.Subject);
        generator.SetPublicKey(publicKey);
        generator.SetSignatureAlgorithm("SHA512withRSA");
        generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
        generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));

        var newClientCert = generator.Generate(serverPrivateKey);

        newClientCert.Verify(publicKey); // <-- this blows up

        return DotNetUtilities.ToX509Certificate(newClientCert).Export(X509ContentType.Pkcs12, "user password");
4

1 回答 1

1

我想通了。如果您打电话X509Certificate.Verify(publicKey),您必须传递 CA 的公钥,而不是来自Pkcs10CertificationRequest.

于 2011-01-14T01:42:26.260 回答