为什么创建X509Certificate2对象时出现“拒绝访问"错误? [英] Why do I get an Access Denied error when creating an X509Certificate2 object?
问题描述
我们有一些单元测试,其中嵌入了PFX证书.这些证书在测试执行期间被读取,并转换为 X509Certificate2 对象.不幸的是,当以非特权用户身份运行时,我们会遇到 Access Denied 例外:
We have some unit tests which have PFX certificates embedded in them. These certificates are read during test execution and turned into X509Certificate2 objects. Unfortunately, when run as an unprivileged user, we get Access Denied exceptions:
using (var s = EmbeddedResourceUtilities.GetEmbeddedResourceAsStream(typeThatContainsEmbeddedResource, certFileName))
{
if (s == null)
{
throw new ApplicationException(String.Format("Embedded certificate {0} for type {1} not found.", certFileName, typeThatContainsEmbeddedResource.FullName));
}
try
{
var bytes = new byte[s.Length];
s.Read(bytes, 0, (int)s.Length);
return new X509Certificate2(bytes);
}
catch (Exception ex)
{
throw new ApplicationException(String.Format("Error loading embedded certificate {0} for type {1}.", certFileName, typeThatContainsEmbeddedResource.FullName), ex);
}
}
例外:
System.Security.Cryptography.CryptographicException:访问被拒绝.
在System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)处
在System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte [] rawData,IntPtr密码,UInt32 dwFlags,布尔值persistKeySet,SafeCertContextHandle& pCertCtx)
在System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte [] rawData,对象密码,X509KeyStorageFlags keyStorageFlags)
在System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte [] rawData)
System.Security.Cryptography.CryptographicException : Access denied.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
我尝试修改构造函数以使用空密码和显式键集标志,但这并不能解决问题:
I've tried modifying the constructor to use an empty password and explicit keyset flags, but that doesn't fix it:
// this doesn't work, either
return new X509Certificate2(bytes, String.Empty, X509KeyStorageFlags.MachineKeySet);
我在其他地方读过,我应该给无特权的用户增加MachineKeys目录的权限,但是我不愿意这样做,因为它可以使生产代码假定那些权限在测试环境之外在该目录上可用.
I've read elsewhere that I should give my unprivileged user increased permissions on the MachineKeys directory, but I'm loathe to do that as it would allow production code to assume those permissions are available on that directory outside the test environment.
有什么方法可以允许非特权用户从文件加载X509证书?
推荐答案
这是我对发生的事情的最佳猜测.
This is my best guess about what's going on.
X509Certificate2构造函数在Machine Keys目录中创建临时的公共/专用密钥对象(我相信是通过Windows本地安全性机构).由于我们的非特权用户无权访问这些密钥或计算机密钥目录,因此测试失败.
The X509Certificate2 constructor creates temporary public/private key objects in the Machine Keys directory (I believe via the Windows local security authority). Because the our unprivileged user doesn’t have access to these keys or the Machine Keys directory, the tests fail.
我们的解决方案是更新我们的环境设置脚本,以提前安装这些测试证书,向其授予非特权用户权限,然后重新编写测试以从相应的证书存储区加载证书.
Our solution was to update our environment setup scripts to install these test certificates ahead of time, grant the unprivileged user permissions to them, and re-write the tests to load the certificates from the appropriate certificate store.
这篇关于为什么创建X509Certificate2对象时出现“拒绝访问"错误?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
