c# - 无法让 C# SslStream 与我的 X509 证书一起使用
问题描述
我是做安全和加密的新手,所以如果我犯了一个非常愚蠢的错误,请提前道歉。我需要一个服务器和一个客户端通过使用 SslStream 的安全连接进行通信。但是我的证书不起作用。我收到以下错误:System.NotSupportedException: 'The server mode SSL must use a certificate with the associated private key.'
我的代码是文档中给出的微软示例:https ://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=netframework-4.8ss
我试过了:
- 使用 makecert 的自签名证书(就像在这篇文章中一样:SSLStream 示例 - 我如何获得有效的证书?)
- 使用 OpenSSL 的证书
- 本网站上的程序:http ://www.reliablesoftware.com/DasBlog/PermaLink,guid,6507b2c6-473e-4ddc-9e66-8a161e5df6e9.aspx
- 使用 .pfx 文件而不是 .cer 文件(如在这篇文章中:X509Certificate2 服务器模式 SSL 必须使用具有关联私钥的证书),但出现以下异常:
Win32Exception: The certificate chain was issued by an authority that is not trusted.
除了最后一个之外,所有的都给出了System.NotSupportedException: 'The server mode SSL must use a certificate with the associated private key.'
例外。这是否意味着自签名证书不起作用?我需要购买证书吗?
编辑:这是我使用的代码。它是修改后的示例(对不起,如果我的代码很糟糕)并且是可执行的,模拟服务器和客户端并引发异常:
class Program
{
static void Main(string[] args)
{
//Temporarily added the arguments here for you to see
args = new string[2] { @"C:\Users\jacke\Documents\CA\TempCert.cer", "FakeServerName" };
Console.WriteLine("Starting server in seperate thread...");
Task t = Task.Run(() => { Server.Initialize(args[0]); });
Task.Delay(500).Wait();
Client.RunClient(args[1]);
}
}
public static class Server
{
private static X509Certificate cert;
private static TcpListener server;
public static void Initialize(string certificate)
{
cert = X509Certificate.CreateFromCertFile(certificate);
server = new TcpListener(IPAddress.Any, 12321);
server.Start();
while (true)
{
Console.WriteLine("Waiting for a client to connect...");
TcpClient client = server.AcceptTcpClient();
ProcessClient(client);
}
}
private static void ProcessClient(TcpClient client)
{
SslStream sslStream = new SslStream(client.GetStream(), false);
try
{
sslStream.AuthenticateAsServer(cert, clientCertificateRequired: false, checkCertificateRevocation: true);
sslStream.ReadTimeout = 5000;
sslStream.WriteTimeout = 5000;
Console.WriteLine("Waiting for client message...");
string messageData = Helpers.ReadMessage(sslStream);
byte[] message = Encoding.UTF8.GetBytes("Hello from the server.<EOF>");
Console.WriteLine("Sending hello message.");
sslStream.Write(message);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
sslStream.Close();
client.Close();
return;
}
finally
{
sslStream.Close();
client.Close();
}
}
}
public static class Client
{
private static Hashtable certificateErrors = new Hashtable();
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
return false;
}
public static void RunClient(string serverName)
{
TcpClient client = new TcpClient("localhost", 12321);
Console.WriteLine("Client connected.");
SslStream sslStream = new SslStream(
client.GetStream(),
false,
new RemoteCertificateValidationCallback(ValidateServerCertificate),
null
);
try
{
sslStream.AuthenticateAsClient(serverName);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
client.Close();
return;
}
byte[] messsage = Encoding.UTF8.GetBytes("Hello from the client.<EOF>");
sslStream.Write(messsage);
string serverMessage = Helpers.ReadMessage(sslStream);
Console.WriteLine("Server says: {0}", serverMessage);
client.Close();
Console.WriteLine("Client closed.");
}
}
public static class Helpers
{
public static string ReadMessage(SslStream sslStream)
{
// Read the message sent by the server.
// The end of the message is signaled using the
// "<EOF>" marker.
byte[] buffer = new byte[2048];
StringBuilder messageData = new StringBuilder();
int bytes = -1;
do
{
bytes = sslStream.Read(buffer, 0, buffer.Length);
Decoder decoder = Encoding.UTF8.GetDecoder();
char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];
decoder.GetChars(buffer, 0, bytes, chars, 0);
messageData.Append(chars);
// Check for EOF.
if (messageData.ToString().IndexOf("<EOF>") != -1)
{
break;
}
} while (bytes != 0);
return messageData.ToString();
}
}
这是我创建证书的方式(如我上面链接的帖子中所述):
makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv
TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk
我使用上述命令输入的其他信息:
- 当前 2 个命令要求输入密码时,我将其留空
- 我检查了导出私钥并将“A”设置为最后一个命令的密码
然后我在本地证书存储中导入了 .pfx 文件(我之前也尝试过机器范围)并让程序选择正确的存储。它警告我 CA 的所有证书都是可信的,我应该联系 CA 以检查这确实是他们的证书,但我继续了。然后我运行代码(使用我刚刚创建的“TempCert.cer”文件)并得到了错误。任何建议都非常感谢!
解决方案
如果我没记错的话,.cer
文件不包含私钥,并且我假设通过从文件加载证书,不会检查证书存储。您可以导出 a.pfx
并将私钥包含在导出中。
我不知道为什么.pvk
尝试失败(我自己从未尝试过这种格式) -SslStream
绝对可以使用自签名证书;客户端只需忽略验证失败。
但是,如果您已经将其导入商店,您应该可以直接加载它:
using System.Security.Cryptography.X509Certificates;
// ...
using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "FakeServerName", false);
return new X509Certificate2(certs[0]);
}
回应您评论中的错误:
无法识别提供给包裹的凭据
我不知道我是否收到了确切的消息,但我确实记得必须授予应用程序遇到的用户访问权限。您必须打开正确的证书工具:
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in (运行 mmc,选择文件/添加快照-在,选择证书)
然后授予用户对私钥的访问权限:
https://docs.secureauth.com/display/KBA/Grant+Permission+to+Use+Signing+Certificate+Private+Key (右键证书,选择所有任务/管理私钥)
推荐阅读
- c# - 使用 LINQ 计算值范围内的元素
- java - 如何在双数组中找到非零数?
- reactjs - 带有 OptimisticResponse 的 Apollo Mutation 组件创建重复记录,直到重新加载
- amazon-web-services - AWS Glue 作业输入参数
- json - Kotlin 序列化为 JSON:如何忽略实际的字段类型
- sql - SQL按日期向行添加序号
- ios - 类型“NSNotification.Name”没有成员“keyboardDidShowNotification”
- javascript - 模型 [App\Coin] 没有查询结果。- Laravel - Vuejs
- python - 引用类型的 np.nditer 返回类型
- nginx - Nginx 简单重定向 URL