尝试从现有公钥创建证书请求(以编程方式)

时间:2014-11-19 07:14:24

标签: c# pki certenroll

我正在尝试以编程方式从现有公钥创建证书请求。但我得到一个"请求的属性值为空。 (HRESULT异常:0x80094004)"例外。 这是我的代码:

    private static string CreateCertRequestMessage(string encodedPublicKeyInfo)
    {
        CObjectId objAlg = new CObjectId();
        objAlg.InitializeFromAlgorithmName(
            ObjectIdGroupId.XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID, 
            ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, 
            AlgorithmFlags.AlgorithmFlagsNone, 
            "RSA");

        CX509PublicKey objPublicKey = new CX509PublicKey();
        objPublicKey.Initialize(objAlg, encodedPublicKeyInfo, "", EncodingType.XCN_CRYPT_STRING_HEX);
        Console.WriteLine(objPublicKey.Algorithm.FriendlyName);
        Console.WriteLine(objPublicKey.Algorithm.Value);
        Console.WriteLine(objPublicKey.Length);
        Console.WriteLine(objPublicKey.EncodedKey);

        var objPkcs10 = new CX509CertificateRequestCertificate();

        objPkcs10.InitializeFromPublicKey(
            X509CertificateEnrollmentContext.ContextUser,
            objPublicKey,
            string.Empty);


        var objExtensionKeyUsage = new CX509ExtensionKeyUsage();
        objExtensionKeyUsage.InitializeEncode(
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_NON_REPUDIATION_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE |
            CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE);
        objPkcs10.X509Extensions.Add((CX509Extension)objExtensionKeyUsage);

        var objObjectId = new CObjectId();
        var objObjectIds = new CObjectIds();
        var objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
        objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
        objObjectIds.Add(objObjectId);
        objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
        objPkcs10.X509Extensions.Add((CX509Extension)objX509ExtensionEnhancedKeyUsage);

        string templateName = "MHM Template";
        CX509ExtensionTemplateName template = new CX509ExtensionTemplateName();
        template.InitializeEncode(templateName);
        objPkcs10.X509Extensions.Add((CX509Extension)template);

        var objDN = new CX500DistinguishedName();
        var subjectName = "CN = shaunxu.me, OU = ADCS, O = Blog, L = Beijng, S = Beijing, C = CN";
        objDN.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        objPkcs10.Subject = objDN;

        CObjectId objHash = new CObjectId();
        objHash.InitializeFromAlgorithmName(
            ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, 
            ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, 
            AlgorithmFlags.AlgorithmFlagsNone, 
            "SHA1");
        objPkcs10.HashAlgorithm = objHash;

        var objEnroll = new CX509Enrollment();
        objEnroll.InitializeFromRequest(objPkcs10);

        var strRequest = objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
        return strRequest;
    }

我成功地从私钥创建请求。 但我需要从公钥创建请求。 请帮我。我到底错过了什么。

提前致谢

1 个答案:

答案 0 :(得分:1)

公钥证书的目的是确认密钥对(私钥和公钥)的所有权。这意味着,当我向其他方出示带有我姓名的证书时,证书颁发机构确认(通过签署证书)密钥对实际上属于我。特别是,这意味着我“拥有”私有键。 (在这种情况下的所有权意味着我知道但其他人没有。)

为了确认这一点,证书颁发机构必须确保我拥有私钥。因此,任何认证过程在某些时候都必须涉及私钥。我不会泄露私钥,但至少我必须在挑战/响应交换中使用它。公钥用于验证我的响应的有效性,因此证书颁发机构知道我有私钥。

以不同的方式看待它。公钥是公开的。有证书确认我是公钥的“所有者”有什么用?每个人都知道,你不能“拥有”公钥。

相关问题
最新问题