X509Certificate2 fails to parse on Linux but works on Windows


Problem description

Creating an X509Certificate2 instance from a byte array works on Windows but fails on Linux with a "CryptographicException".

using System.Security.Cryptography.X509Certificates;
class Program
{
    static void Main(string[] args)
    {
        var cert = new X509Certificate2(Cert.CertBytes);
    }
}

On Windows: Valid X509Certificate2 instance is created
On Linux: An exception is thrown:


{System.Security.Cryptography.CryptographicException: Cannot find the original signer.
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs7(SafePkcs7Handle pkcs7, Boolean single, ICertificatePal& certPal, List`1& certPals)
   at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs7Der(Byte[] rawData, Boolean single, ICertificatePal& certPal, List`1& certPals)
   at Internal.Cryptography.Pal.CertificatePal.FromBlob(Byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] data)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
   at CertTest.Program.Main(String[] args) in /home/CertTest/Program.cs:line 14}

Am I doing something wrong? I assume that a certificate is a certificate, regardless of the OS on which it is parsed.

You can find a valid X509 certificate which can be parsed on Windows but not Linux here: https://gist.github.com/secana/9c13f8fa495681f8a30adb5d8754450e

I tried multiple certificates, but none worked on Linux. I don't own a Mac so I couldn't test if it would work there.

Tested with .Net Core 2.0.2 on Ubuntu 16.04, Ubuntu 17.10, OpenSuse Tumbleweed, Windows 10

Recommended answer

Since new X509Certificate2() does not return the signing certificate under Linux like it does under Windows, you have to parse the ASN.1 structure of the PKCS7 to find the signing certificate.

Example:

 using System;
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;

 // Import all certificates in the structure into a collection
 var collection = new X509Certificate2Collection();
 collection.Import(Cert.CertBytes);

 // Find the signing cert (SignerSerialNumber is the signer's serial number as a hex string)
 var signingCert = collection.Cast<X509Certificate2>().FirstOrDefault(cert =>
     string.Equals(cert.SerialNumber, SignerSerialNumber,
         StringComparison.CurrentCultureIgnoreCase));

The only difficulty is to get the serial number of the signing cert. For that I've parsed the ASN.1 structure. The serial number is in the ASN.1 path 1/0/4/0/1/1.

Example:

// Get signing cert serial number from ASN.1
var serialNumber = asn1[1][0][4][0][1][1];

As an ASN.1 parser I've used code from the Mono project, but there are several parsers available on NuGet.
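The lookup the answer describes, as an added example that is not part of the original answer or of the Mono parser it mentions: a minimal DER walker follows the path 1/0/4/0/1/1 to the signer's serial number and matches it against the imported collection. `Pkcs7Signer`, `ReadTlv`, `Child` and `FindSigner` are names chosen here. It assumes a DER-encoded (definite-length) PKCS#7 blob whose SignedData carries certificates and no CRLs, which is what places signerInfos at index 4.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class Pkcs7Signer // hypothetical helper, not from the page
{
    // Read the DER header at pos; return offset and length of the content.
    static (int start, int len) ReadTlv(byte[] der, int pos)
    {
        if (pos < 0 || pos + 2 > der.Length) throw new FormatException("truncated DER");
        int p = pos + 1;                 // single-byte tags only
        int len = der[p++];
        if (len >= 0x80)                 // long form: low 7 bits = count of length bytes
        {
            int n = len & 0x7F;          // n == 0 would be BER indefinite length
            if (n == 0 || n > 4 || n > der.Length - p) throw new FormatException("unsupported length");
            for (len = 0; n > 0; n--) len = (len << 8) | der[p++];
        }
        if (len < 0 || len > der.Length - p) throw new FormatException("truncated DER");
        return (p, len);
    }

    // Offset of the index-th child of the constructed element at pos.
    static int Child(byte[] der, int pos, int index)
    {
        var (p, len) = ReadTlv(der, pos);
        for (int end = p + len, i = 0; p < end; i++)
        {
            if (i == index) return p;
            var (s, l) = ReadTlv(der, p);
            p = s + l;                   // skip over this sibling
        }
        throw new FormatException("ASN.1 path not present");
    }

    public static X509Certificate2 FindSigner(byte[] pkcs7Der)
    {
        int pos = 0;
        foreach (int i in new[] { 1, 0, 4, 0, 1, 1 })   // ASN.1 path from the answer
            pos = Child(pkcs7Der, pos, i);
        var (s, l) = ReadTlv(pkcs7Der, pos);            // serialNumber INTEGER, big-endian
        string serial = BitConverter.ToString(pkcs7Der, s, l).Replace("-", "");

        var collection = new X509Certificate2Collection();
        collection.Import(pkcs7Der);
        // Leading zeros trimmed: DER pads INTEGERs whose high bit is set with 0x00.
        return collection.Cast<X509Certificate2>().FirstOrDefault(c =>
            c.SerialNumber.TrimStart('0').Equals(serial.TrimStart('0'), StringComparison.OrdinalIgnoreCase));
    }
}
```

`FindSigner` returns null when no imported certificate carries the signer's serial number. A serial number is only unique per issuer, so a stricter match would also compare the issuer name at path 1/0/4/0/1/0.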
