将PKCS＃8加密密钥导入到RSACng？ [英] Importing PKCS#8 encrypted key to RSACng?

问题描述

如果我已在PKCS＃8中加密了RSA密钥，我可以以某种方式将其作为 CngKeyBlobFormat.Pkcs8PrivateBlob RSACng >？还是此 CngKeyBlobFormat.Pkcs8PrivateBlob 仅显示 CngKey ，在导入期间必须从DER解码密钥才能获取密钥参数然后将它们导入到 RSACng 中，因此答案是否定的？

If I have encrypted RSA key in PKCS#8, can I somehow import it to RSACng as CngKeyBlobFormat.Pkcs8PrivateBlob? Or does this CngKeyBlobFormat.Pkcs8PrivateBlob just shows the CngKey that during import the key must be decoded from DER to get key parameters and then they are imported into RSACng, thus the answer is no?

推荐答案

CNG知道如何解密加密的PKCS＃8，但是您需要输入密码。由于.NET不会要求您输入密码（而且密码是通过属性以外的其他方式传递的），因此没有一个好的方法。

CNG understands how to decrypt encrypted PKCS#8, but you need to give it a password. Since .NET doesn't ask you for the password (and it gets passed via a manner other than the properties) there isn't a good way to do it.

您有很多选择：

• P /调用，因此您可以指定NCRYPTBUFFER_PKCS_SECRET值。


• 更改您的过程，以使您拥有未加密的PKCS＃8。


• 等待将来版本的.NET Core，它将能够直接将PKCS＃8，加密的PKCS＃8和某些其他格式加载到RSA / DSA / ECDsa / ECDiffieHellman对象（该功能当前位于master分支中）。


• 找到可以为您解密的库。弹力城堡可能可以做到。

• P/Invoke so you can specify the NCRYPTBUFFER_PKCS_SECRET value.
• Change your process so that you have an unencrypted PKCS#8.
• Change your process so that you have a PFX/PKCS#12 instead of an encrypted PKCS#8 (and then change to reading it via X509Certificate2).
• Wait for a future version of .NET Core, which will have the ability to load a PKCS#8, encrypted PKCS#8, and some other formats, directly into the RSA/DSA/ECDsa/ECDiffieHellman objects (feature is currently in the master branch).
• Find a library which can decrypt it for you. Bouncy Castle can probably do it.

另请参见：在不使用BouncyCastle的情况下使用c＃进行数字签名

这篇关于将PKCS＃8加密密钥导入到RSACng？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！