c# - 无法让 C# SslStream 与我的 X509 证书一起使用

问题描述

我是做安全和加密的新手，所以如果我犯了一个非常愚蠢的错误，请提前道歉。我需要一个服务器和一个客户端通过使用 SslStream 的安全连接进行通信。但是我的证书不起作用。我收到以下错误：System.NotSupportedException: 'The server mode SSL must use a certificate with the associated private key.' 我的代码是文档中给出的微软示例：https ://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=netframework-4.8ss

我试过了：

• 使用 makecert 的自签名证书（就像在这篇文章中一样：SSLStream 示例 - 我如何获得有效的证书？）
• 使用 OpenSSL 的证书
• 本网站上的程序：http ://www.reliablesoftware.com/DasBlog/PermaLink,guid,6507b2c6-473e-4ddc-9e66-8a161e5df6e9.aspx
• 使用 .pfx 文件而不是 .cer 文件（如在这篇文章中：X509Certificate2 服务器模式 SSL 必须使用具有关联私钥的证书），但出现以下异常：Win32Exception: The certificate chain was issued by an authority that is not trusted.

除了最后一个之外，所有的都给出了System.NotSupportedException: 'The server mode SSL must use a certificate with the associated private key.'例外。这是否意味着自签名证书不起作用？我需要购买证书吗？

编辑：这是我使用的代码。它是修改后的示例（对不起，如果我的代码很糟糕）并且是可执行的，模拟服务器和客户端并引发异常：

class Program
{

    static void Main(string[] args)
    {
        //Temporarily added the arguments here for you to see
        args = new string[2] { @"C:\Users\jacke\Documents\CA\TempCert.cer", "FakeServerName" };
        Console.WriteLine("Starting server in seperate thread...");
        Task t = Task.Run(() => { Server.Initialize(args[0]); });
        Task.Delay(500).Wait();
        Client.RunClient(args[1]);
    }
}

public static class Server
{
    private static X509Certificate cert;
    private static TcpListener server;

    public static void Initialize(string certificate)
    {
        cert = X509Certificate.CreateFromCertFile(certificate);
        server = new TcpListener(IPAddress.Any, 12321);
        server.Start();
        while (true)
        {
            Console.WriteLine("Waiting for a client to connect...");

            TcpClient client = server.AcceptTcpClient();
            ProcessClient(client);
        }
    }


    private static void ProcessClient(TcpClient client)
    {

        SslStream sslStream = new SslStream(client.GetStream(), false);
        try
        {
            sslStream.AuthenticateAsServer(cert, clientCertificateRequired: false, checkCertificateRevocation: true);
            sslStream.ReadTimeout = 5000;
            sslStream.WriteTimeout = 5000;   
            Console.WriteLine("Waiting for client message...");
            string messageData = Helpers.ReadMessage(sslStream);
            byte[] message = Encoding.UTF8.GetBytes("Hello from the server.<EOF>");
            Console.WriteLine("Sending hello message.");
            sslStream.Write(message);
        }
        catch (AuthenticationException e)
        {
            Console.WriteLine("Exception: {0}", e.Message);
            if (e.InnerException != null)
            {
                Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
            }
            Console.WriteLine("Authentication failed - closing the connection.");
            sslStream.Close();
            client.Close();
            return;
        }
        finally
        {                
            sslStream.Close();
            client.Close();
        }
    }



}

public static class Client
{
    private static Hashtable certificateErrors = new Hashtable();
    public static bool ValidateServerCertificate(
          object sender,
          X509Certificate certificate,
          X509Chain chain,
          SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
        return false;
    }


    public static void RunClient(string serverName)
    {
        TcpClient client = new TcpClient("localhost", 12321);
        Console.WriteLine("Client connected.");
        SslStream sslStream = new SslStream(
            client.GetStream(),
            false,
            new RemoteCertificateValidationCallback(ValidateServerCertificate),
            null
            );
        try
        {
            sslStream.AuthenticateAsClient(serverName);
        }
        catch (AuthenticationException e)
        {
            Console.WriteLine("Exception: {0}", e.Message);
            if (e.InnerException != null)
            {
                Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
            }
            Console.WriteLine("Authentication failed - closing the connection.");
            client.Close();
            return;
        }
        byte[] messsage = Encoding.UTF8.GetBytes("Hello from the client.<EOF>");
        sslStream.Write(messsage);
        string serverMessage = Helpers.ReadMessage(sslStream);
        Console.WriteLine("Server says: {0}", serverMessage);

        client.Close();
        Console.WriteLine("Client closed.");
    }


}

public static class Helpers
{
    public static string ReadMessage(SslStream sslStream)
    {
        // Read the  message sent by the server.
        // The end of the message is signaled using the
        // "<EOF>" marker.
        byte[] buffer = new byte[2048];
        StringBuilder messageData = new StringBuilder();
        int bytes = -1;
        do
        {
            bytes = sslStream.Read(buffer, 0, buffer.Length);
            Decoder decoder = Encoding.UTF8.GetDecoder();
            char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];
            decoder.GetChars(buffer, 0, bytes, chars, 0);
            messageData.Append(chars);
            // Check for EOF.
            if (messageData.ToString().IndexOf("<EOF>") != -1)
            {
                break;
            }
        } while (bytes != 0);

        return messageData.ToString();
    }
}

这是我创建证书的方式（如我上面链接的帖子中所述）：

makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv
TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk

我使用上述命令输入的其他信息：

• 当前 2 个命令要求输入密码时，我将其留空
• 我检查了导出私钥并将“A”设置为最后一个命令的密码

然后我在本地证书存储中导入了 .pfx 文件（我之前也尝试过机器范围）并让程序选择正确的存储。它警告我 CA 的所有证书都是可信的，我应该联系 CA 以检查这确实是他们的证书，但我继续了。然后我运行代码（使用我刚刚创建的“TempCert.cer”文件）并得到了错误。任何建议都非常感谢！

标签： c#sslx509