2
可能重複:
Generated signed X.509 client certificate is invalid (no certificate chain to its CA)簽名X509數碼證書W/BouncyCastle的 - 數字簽名無效
我跟着這個例子:
但由此產生的簽署客戶端證書在Windows中打開時出現以下錯誤:
「此文件是用作以下無效:安全證書」
如果我反正安裝它,並與certmgr查看,證書路徑看起來不錯 - 我看到我的自簽名的證書頒發機構(這是沒問題)但客戶端證書有以下狀態:
「此證書具有無效的數字簽名。」
如果我叫X509Certificate.Verify()它拋出以下異常:
「公鑰呈現不證書籤名」
但是我使用從Pkcs10CertificationRequest提取完全相同的公鑰當我調用Verify()時就沒有問題。
任何想法?在經歷了幾天的苦苦掙扎之後,除了最後一部分之外,我已經完成了所有部分的工作 - 而令人困惑的是我的自簽名CA證書沒有問題。客戶端證書正在發生一些變化。這是整個代碼塊:
TextReader textReader = new StreamReader("certificaterequest.pkcs10");
PemReader pemReader = new PemReader(textReader);
Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject();
CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo;
RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey());
RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
bool certIsOK = certificationRequest.Verify(publicKey);
// public key is OK here...
// get the server certificate
Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer"));
// get the server private key
byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key");
AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes);
// generate the client certificate
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
generator.SetIssuerDN(serverCertificate.SubjectDN);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddYears(5));
generator.SetSubjectDN(certificationRequestInfo.Subject);
generator.SetPublicKey(publicKey);
generator.SetSignatureAlgorithm("SHA512withRSA");
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
var newClientCert = generator.Generate(serverPrivateKey);
newClientCert.Verify(publicKey); // <-- this blows up
return DotNetUtilities.ToX509Certificate(newClientCert).Export(X509ContentType.Pkcs12, "user password");
至少你還沒有設置關鍵用法。 – 2011-01-13 06:19:17