The requested operation is not supported in CngKey.Create
Question
I'm trying to generate a self-signed certificate on the fly (programmatically) in a C# assembly (targeting .NET 4.0), to serve as a root CA to generate other certificates. The certificate doesn't need to be persisted in the Windows certificate store; I'll export it as a file.
Reading through this question (and in particular, @dthorpe's answer), I decided to give CLR Security a try.
The CLR Security library puts an extension method on the CngKey class to generate a self-signed certificate, but I couldn't succeed in creating an instance of CngKey with:
var key = CngKey.Create(CngAlgorithm.Sha1); //same with Sha256, Sha512 and MD5
//or
var key = CngKey.Create(CngAlgorithm.Sha1, null, new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.AllowExport,
KeyUsage = CngKeyUsages.AllUsages,
KeyCreationOptions = CngKeyCreationOptions.MachineKey,
});
Any of these lines raises the exception:
System.Security.Cryptography.CryptographicException was unhandled
HResult=-2146893783
Message=The requested operation is not supported.
Source=System.Core
StackTrace:
at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm, String keyName, CngKeyCreationParameters creationParameters)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm)
at Tests.Program.Main(String[] args) at Program.cs:line 51
Searching through SO and the internet, I've checked the following:
- I'm running a Windows 7 box (so it supports RPC as per MSDN)
- Tried on a Windows Server 2012 box, same error
- The process is running as admin (so it has access to all cert storages, anyway)
- The services CNG Key Isolation and Remote Procedure Call (RPC) are running
Any help would be appreciated.
Recommended answer
Small off-topic: during a Google search for this question I found a site with HRESULT descriptions and a handy search tool for SO and MSDN (I simply googled for your HRESULT code -2146893783).
I found a topic on MSDN which contains code failing with a similar HRESULT, and the author provides a link to the MSDN article about CNG:
NCRYPT_ALGORITHM_GROUP_PROPERTY
L"Algorithm Group"
A null-terminated Unicode string that contains the name of the object's algorithm group. This property only applies to keys. The following identifiers are returned by the Microsoft key storage provider:
- NCRYPT_RSA_ALGORITHM_GROUP ("RSA"): The RSA algorithm group.
- NCRYPT_DH_ALGORITHM_GROUP ("DH"): The Diffie-Hellman algorithm group.
- NCRYPT_DSA_ALGORITHM_GROUP ("DSA"): The DSA algorithm group.
- NCRYPT_ECDSA_ALGORITHM_GROUP ("ECDSA"): The elliptic curve DSA algorithm group.
- NCRYPT_ECDH_ALGORITHM_GROUP ("ECDH"): The elliptic curve Diffie-Hellman algorithm group.
I also found an article on MSDN about CNG Key Storage Providers, which contains a similar list of algorithms:
- Diffie-Hellman (DH): Secret agreement and key exchange, 512 to 4096 bits in 64-bit increments
- Digital Signature Algorithm (DSA): Signatures, 512 to 1024 bits in 64-bit increments
- Elliptic Curve Diffie-Hellman (ECDH): Secret agreement and key exchange, P256, P384, P521
- Elliptic Curve Digital Signature Algorithm (ECDSA): Signatures, P256, P384, P521
- RSA: Asymmetric encryption and signing, 512 to 16384 bits in 64-bit increments
So, as you've said that you've tried only Sha1, Sha256, Sha512 and MD5, maybe you could simply use another algorithm from the available list? You can find the ones mentioned above there:
- RSA
- ECDsa
- P256
- P384
- P521
Here other developers successfully created one of them and were able to export it:
var cngKey = CngKey.Create(CngAlgorithm.ECDiffieHellmanP256, null, new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport });
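The following is an added example, not code from the question or the answer, that shows the difference the answer points at: CngKey.Create wants a key-storage (asymmetric) algorithm, so the hash algorithms the question tried are rejected, while ECDsaP256 and RSA work and can be exported when the export policy allows it. The NCrypt "Length" property and the "RSA" algorithm name are used here because .NET 4.0 has no CngAlgorithm.Rsa member; class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the question or the answer. CngKey.Create needs a
// key-storage (asymmetric) algorithm; hash algorithms such as Sha256 are rejected
// by the Microsoft Software KSP with "The requested operation is not supported".
static class CngKeyDemo
{
    // True when the key storage provider can create an ephemeral key for 'algorithm'.
    public static bool CanCreate(CngAlgorithm algorithm)
    {
        try
        {
            using (CngKey.Create(algorithm)) { return true; }
        }
        catch (CryptographicException) { return false; }
    }

    // Ephemeral (keyName == null) ECDSA P-256 key, exported as an ECC private blob.
    // AllowPlaintextExport is only needed because the private key is written to a
    // file; a key that stays inside the KSP should use CngExportPolicies.None.
    public static byte[] CreateExportableEcdsaP256()
    {
        var parameters = new CngKeyCreationParameters
        {
            ExportPolicy = CngExportPolicies.AllowPlaintextExport,
            KeyUsage = CngKeyUsages.Signing
        };
        using (CngKey key = CngKey.Create(CngAlgorithm.ECDsaP256, null, parameters))
            return key.Export(CngKeyBlobFormat.EccPrivateBlob);
    }

    // RSA on .NET 4.0 has no CngAlgorithm.Rsa member, so the NCrypt algorithm name
    // is passed directly; the key size is set through the NCrypt "Length" property.
    public static byte[] CreateExportableRsa(int bits)
    {
        var parameters = new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport };
        parameters.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(bits), CngPropertyOptions.None));
        using (CngKey key = CngKey.Create(new CngAlgorithm("RSA"), null, parameters))
            return key.Export(CngKeyBlobFormat.GenericPrivateBlob);
    }

    static void Main()
    {
        Console.WriteLine("Sha256 key creatable:    " + CanCreate(CngAlgorithm.Sha256));
        Console.WriteLine("ECDsaP256 key creatable: " + CanCreate(CngAlgorithm.ECDsaP256));
        Console.WriteLine("ECC private blob bytes:  " + CreateExportableEcdsaP256().Length);
        Console.WriteLine("RSA private blob bytes:  " + CreateExportableRsa(2048).Length);
    }
}
```

For a root CA key that will be reused, prefer a named, persisted key with a restrictive export policy over an ephemeral plaintext-exportable one; the plaintext export here exists only to match the question's file-export requirement.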