X509Certificate2 - Access Denied exception when using an ECC certificate

Time: 2018-03-02 15:00:14

Tags: c# public-key-encryption x509certificate2 elliptic-curve pkcs#7

I am trying to use System.Security.Cryptography.Pkcs to encrypt and decrypt data, but it only works with RSA certificates. If I use an ECC certificate (curve ECDH_brainpoolP512r1), the X509Certificate2 constructor crashes with an Access Denied exception.

Creating the self-signed certificate in PowerShell

New-SelfSignedCertificate `
 -Subject "CN=Test Code Signing RSA" `
 -Type DocumentEncryptionCert `
 -KeyUsage "DigitalSignature" `
 -FriendlyName "Test Code Signing" `
 -NotAfter (get-date).AddYears(5) `
 -KeyExportPolicy Exportable `
 -SmimeCapabilities `
 -KeyAlgorithm ECDH_brainpoolP512r1

Reading the self-signed certificate in code
var base64cert = "…";
new System.Security.Cryptography.X509Certificates.X509Certificate2(Convert.FromBase64String(base64cert), "qwert");

Exception

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access Denied
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
   at PkcsEncryption.Program.Certificate(Boolean rsa) in c:\git\PkcsEncryption\PkcsEncryption\Program.cs:line 88
   at PkcsEncryption.Program.Encrypt(Byte[] dataPlain, Boolean useRsa) in c:\git\PkcsEncryption\PkcsEncryption\Program.cs:line 56
   at PkcsEncryption.Program.Main(String[] args) in c:\git\PkcsEncryption\PkcsEncryption\Program.cs:line 22

1 answer:

Answer 0 (score: 3)

The PFX you base64-encoded carries an internal flag indicating that it was exported from the machine key store. Your Access Denied means you are not running as administrator (and therefore are not allowed to add keys to the machine's key store).

To make sure the key from the PFX is added to the current user's key store instead, set the X509KeyStorageFlags.UserKeySet flag. Alternatively, if you have an early-access build of .NET Framework v4.7.2 installed (or, in the future, a released build), you can use EphemeralKeySet to keep the private key in memory and avoid the key store entirely.

new System.Security.Cryptography.X509Certificates.X509Certificate2(
    Convert.FromBase64String(base64cert),
    "qwert",
    X509KeyStorageFlags.UserKeySet);
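The following program is an added example (not code from the question or the answer) that shows the effect of the key-storage flag end to end. It builds a self-signed ECC certificate in memory with CertificateRequest, exports it as a password-protected PFX, and then imports that PFX with DefaultKeySet, UserKeySet and EphemeralKeySet in turn, proving on each successful import that the private key is usable. It assumes .NET Core 2.0+ or .NET Framework 4.7.2+ (needed for CertificateRequest and EphemeralKeySet) and a crypto provider that supports brainpoolP512r1; it uses an ECDSA key because CertificateRequest does not accept ECDH keys, but the flag behaviour on import is the same. The names BuildEccPfx, Load and Sign are this example's own. Note that an in-process PFX does not carry the machine-store attribute, so DefaultKeySet succeeds here; it is only the asker's machine-store-exported PFX that needs UserKeySet or EphemeralKeySet when run without admin rights.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: demonstrates how X509KeyStorageFlags decides where a PFX's
// private key is placed on import. Not part of the original question/answer.
static class KeyStorageFlagsDemo
{
    // Same throwaway password as in the question; constructed for this sample.
    const string PfxPassword = "qwert";

    // Builds a self-signed ECC certificate (brainpoolP512r1, as in the question)
    // and returns it as PFX bytes. Assumes the platform supports that curve.
    static byte[] BuildEccPfx()
    {
        using (var key = ECDsa.Create(ECCurve.NamedCurves.brainpoolP512r1))
        {
            var req = new CertificateRequest("CN=Test Code Signing ECC", key, HashAlgorithmName.SHA512);
            req.CertificateExtensions.Add(
                new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: false));
            using (var cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5)))
            {
                return cert.Export(X509ContentType.Pfx, PfxPassword);
            }
        }
    }

    // Imports the PFX with the given flags; returns null and reports the error
    // (e.g. "Access Denied" when the key store is not writable) instead of throwing.
    static X509Certificate2 Load(byte[] pfx, X509KeyStorageFlags flags)
    {
        try
        {
            var cert = new X509Certificate2(pfx, PfxPassword, flags);
            Console.WriteLine($"{flags,-18} -> loaded, HasPrivateKey={cert.HasPrivateKey}");
            return cert;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"{flags,-18} -> {ex.Message}");
            return null;
        }
    }

    // Signs and verifies a constructed message to prove the private key is usable.
    static void Sign(X509Certificate2 cert)
    {
        if (cert == null) return;
        byte[] data = { 1, 2, 3 }; // constructed sample input
        using (ECDsa priv = cert.GetECDsaPrivateKey())
        using (ECDsa pub = cert.GetECDsaPublicKey())
        {
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA512);
            Console.WriteLine("  signature verifies: " + pub.VerifyData(data, sig, HashAlgorithmName.SHA512));
        }
    }

    static void Main()
    {
        byte[] pfx = BuildEccPfx();

        // DefaultKeySet: the key goes wherever the PFX's internal attribute says.
        // For a PFX exported from the machine store this needs admin rights.
        Load(pfx, X509KeyStorageFlags.DefaultKeySet)?.Dispose();

        // UserKeySet: the key is written to the current user's key store; no admin needed.
        // Without PersistKeySet the key container is removed again when the cert is disposed.
        using (var userCert = Load(pfx, X509KeyStorageFlags.UserKeySet))
        {
            Sign(userCert);
        }

        // EphemeralKeySet: the key stays in memory and no key store is touched at all.
        using (var ephemeralCert = Load(pfx, X509KeyStorageFlags.EphemeralKeySet))
        {
            Sign(ephemeralCert);
        }
    }
}
```

Run it as a normal (non-elevated) user. UserKeySet is the safe default when the application must not depend on elevation; EphemeralKeySet goes one step further by never persisting the key, which also means nothing is left behind in a key container if the process crashes before Dispose.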