我正在尝试将OpenSSL.net设置为1)创建用于CA签名的密钥对,以及2)使用此CA创建和签署证书。我已经设法创建了一个RSA / SHA1 X509CertificateAuthority,并创建了一个X509Request和密钥,但我遇到了实际签署请求的问题。
'create the request and request key
Dim rsa As OpenSSL.Crypto.RSA = New OpenSSL.Crypto.RSA()
rsa.GenerateKeys(1024, 65569, Nothing, Nothing)
Dim req_key As OpenSSL.Crypto.CryptoKey = New OpenSSL.Crypto.CryptoKey(rsa)
Dim req_key_b As OpenSSL.Core.BIO = OpenSSL.Core.BIO.MemoryBuffer
req_key_b.Write(req_key.GetRSA.PrivateKeyAsPEM)
WriteBio(req_key_b, IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "req.key"))
'make the request
Dim req As OpenSSL.X509.X509Request = New OpenSSL.X509.X509Request(3, "CN=newcert", req_key)
Dim req_cert As OpenSSL.X509.X509Certificate = ca.ProcessRequest(req, Now, Now.AddDays(365))
'** ^^^ Exception on this line ^^^ ***
Dim req_cert_b As OpenSSL.Core.BIO = OpenSSL.Core.BIO.MemoryBuffer
req_cert.Write(req_cert_b)
WriteBio(req_cert_b, IO.Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "req.crt"))
我在上面提到的行上收到了一个OpenSslException,并带有消息
错误:0606B06E:数字信封例程:EVP_SignFinal:错误公开 密钥类型错误:0D0C3006:asn1编码例程:ASN1_item_sign:EVP lib
有什么想法吗?
答案 0 :(得分:1)
我有同样的错误。经过一些研究后,当我手动指定MessageDigest时,它似乎有效:
var certificate = ca.ProcessRequest(req, Now, Now.AddDays(365), MessageDigest.SHA1)
您还可以在openssl.conf中指定默认消息摘要:default_md
。但你可能没有配置就初始化了CA,就像我一样:)
var ca = new X509CertificateAuthority(pkcs12.Certificate, pkcs12.PrivateKey, new SimpleSerialNumber(42), null);
我知道你放弃了并使用了BouncyCastle,但希望这对其他人有用:)
答案 1 :(得分:0)
实际上问题是默认摘要方法DSS1在用于签名时会出错。因此,指定其他签名方法将解决问题。