The requested operation is not supported in CngKey.Create

Problem description

I'm trying to generate a self-signed certificate on the fly (programmatically) in a C# assembly (targeting .NET 4.0), to serve as a root CA to generate other certificates. The certificate doesn't need to be persisted in the Windows certificate store; I'll export it as a file.

Reading through this question (and in particular, @dthorpe's answer), I decided to give a try to CLR Security.

The CLR Security library puts an extension method on the CngKey class to generate a self-signed certificate, but I couldn't succeed in creating an instance of CngKey with:

var key = CngKey.Create(CngAlgorithm.Sha1); //same with Sha256, Sha512 and MD5
//or
var key = CngKey.Create(CngAlgorithm.Sha1, null, new CngKeyCreationParameters()
{
    ExportPolicy = CngExportPolicies.AllowExport,
    KeyUsage = CngKeyUsages.AllUsages,
    KeyCreationOptions = CngKeyCreationOptions.MachineKey,
});

Any of these lines raises the exception:

System.Security.Cryptography.CryptographicException was unhandled
HResult=-2146893783
Message=The requested operation is not supported.
Source=System.Core
StackTrace:  
  at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)  
  at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm,  String keyName, CngKeyCreationParameters creationParameters)  
  at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm)  
  at Tests.Program.Main(String[] args) at Program.cs:line 51

Searching through SO and the internet, I've checked the following:


  • I'm running a Windows 7 box (so it supports RPC as per MSDN)
  • Tried on a Windows Server 2012 box, same error
  • The process is running as admin (so it has access to all cert storages, anyway)
  • The services CNG Key Isolation and Remote Procedure Call (RPC) are running

Any help would be greatly appreciated.

Recommended answer

Small off-topic: during a Google search for this question I found a site with HRESULT descriptions and a handy search tool on SO and MSDN (I simply googled for your HRESULT code -2146893783)

I found a topic on MSDN which contains code failing with a similar HRESULT, and the author provides a link to an MSDN article about CNG:

NCRYPT_ALGORITHM_GROUP_PROPERTY L"Algorithm Group"
A null-terminated Unicode string that contains the name of the object's algorithm group. This property only applies to keys. The following identifiers are returned by the Microsoft key storage provider:


  • NCRYPT_RSA_ALGORITHM_GROUP
    "RSA", The RSA algorithm group.
  • NCRYPT_DH_ALGORITHM_GROUP
    "DH", The Diffie-Hellman algorithm group.
  • NCRYPT_DSA_ALGORITHM_GROUP
    "DSA", The DSA algorithm group.
  • NCRYPT_ECDSA_ALGORITHM_GROUP
    "ECDSA", The elliptic curve DSA algorithm group.
  • NCRYPT_ECDH_ALGORITHM_GROUP
    "ECDH", The elliptic curve Diffie-Hellman algorithm group.

Also I found an article on MSDN about CNG Key Storage Providers, which contains a similar list of the algorithms:



  • Diffie-Hellman (DH)
    Secret agreement and key exchange, 512 to 4096 in 64-bit increments
  • Digital Signature Algorithm (DSA)
    Signatures, 512 to 1024 in 64-bit increments
  • Elliptic Curve Diffie-Hellman (ECDH)
    Secret agreement and key exchange, P256, P384, P521
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
    Signatures, P256, P384, P521
  • RSA
    Asymmetric encryption and signing, 512 to 16384 in 64-bit increments

So, as you've said that you've tried only Sha1, Sha256, Sha512 and MD5, maybe you could simply use another algorithm from the list available? You can find there the ones mentioned above:


  • RSA
  • ECDsa
    • P256
    • P384
    • P521

Here other developers successfully created one of them and were able to export it:

var cngKey = CngKey.Create(CngAlgorithm.ECDiffieHellmanP256, null,
    new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport });
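
Added example (not part of the original question or answer, nor of the CLR Security library): a small C# console program that probes which algorithms CngKey.Create accepts for an ephemeral key, and recognises the question's HRESULT -2146893783 as 0x80090029 (NTE_NOT_SUPPORTED). The names CngKeyProbe and Probe are hypothetical; RSA is built from its algorithm name rather than from a static property.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

static class CngKeyProbe
{
    // NTE_NOT_SUPPORTED; as a signed int this is the -2146893783 from the question.
    const int NteNotSupported = unchecked((int)0x80090029);

    static void Main()
    {
        var candidates = new[]
        {
            CngAlgorithm.Sha1,                 // hash algorithms: they name digests, not keys
            CngAlgorithm.Sha256,
            CngAlgorithm.MD5,
            new CngAlgorithm("RSA"),           // built from its algorithm name
            CngAlgorithm.ECDsaP256,            // signing key, the kind a root CA needs
            CngAlgorithm.ECDiffieHellmanP256,  // key agreement, as in the answer's snippet
        };

        foreach (var algorithm in candidates)
            Console.WriteLine("{0,-12} {1}", algorithm.Algorithm, Probe(algorithm));
    }

    static string Probe(CngAlgorithm algorithm)
    {
        var parameters = new CngKeyCreationParameters
        {
            // Needed only if the private key must leave the provider in the clear.
            ExportPolicy = CngExportPolicies.AllowPlaintextExport,
        };
        try
        {
            // keyName == null creates an ephemeral key: nothing is persisted in the key store.
            using (var key = CngKey.Create(algorithm, null, parameters))
            {
                var group = key.AlgorithmGroup == null ? "?" : key.AlgorithmGroup.AlgorithmGroup;
                return string.Format("ok: group={0}, {1} bits, ephemeral={2}",
                    group, key.KeySize, key.IsEphemeral);
            }
        }
        catch (CryptographicException ex)
        {
            int hr = Marshal.GetHRForException(ex);
            return hr == NteNotSupported
                ? "not supported by the key storage provider (0x80090029)"
                : string.Format("failed: 0x{0:X8} {1}", hr, ex.Message);
        }
    }
}
```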
      
