X509Certificate2 在 Linux 上解析失败，但在 Windows 上工作

本文介绍了X509Certificate2 在 Linux 上解析失败，但在 Windows 上工作的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

从字节数组创建 X509Certificate2 实例在 Windows 上可行，但在 Linux 上失败，并显示CryptographicException".

Creating a X509Certificate2 instance from a byte array works on Windows but fails on Linux with a "CryptographicException".

static void Main(string[] args) { var cert = new X509Certificate2(Cert.CertBytes); }

在 Windows 上:创建了有效的 X509Certificate2 实例在 Linux 上:抛出异常:

On Windows: Valid X509Certificate2 instance is created On Linux: An exception is thrown:

{System.Security.Cryptography.CryptographicException:找不到原始签名者.在 Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs7(SafePkcs7Handle pkcs7, Boolean single, ICertificatePal& certPal, List`1& certPals)在 Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs7Der(Byte[] rawData, Boolean single, ICertificatePal& certPal, List`1& certPals)在 Internal.Cryptography.Pal.CertificatePal.FromBlob(Byte[] rawData, SafePasswordHandle 密码, X509KeyStorageFlags keyStorageFlags)在 System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] 数据)在 System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)在 CertTest.Program.Main(String[] args) 在/home/CertTest/Program.cs:line 14}

我做错了吗?我假设一个证书是一个证书，不管它是在哪个操作系统上解析的.

Am I doing something wrong? I assume that a certificate is a certificate, regardless of the OS on which it is parsed.

您可以在这里找到一个有效的 X509 证书，该证书可以在 Windows 上解析，但不能在 Linux 上解析:gist.github/secana/9c13f8fa495681f8a30adb5d8754450e

You find a valid X509 certificate which can be parsed on Windows but not Linux here: gist.github/secana/9c13f8fa495681f8a30adb5d8754450e

我尝试了多个证书，但没有一个适用于 Linux.我没有 Mac，所以我无法测试它是否可以在那里工作.

I tried multiple certificates, but none worked on Linux. I don't own a Mac so I couldn't test if it would work there.

使用 .Net Core 2.0.2 测试在 Ubuntu 16.04、Ubuntu 17.10、OpenSuse Tumbleweed、Windows 10 上

Tested with .Net Core 2.0.2 on Ubuntu 16.04, Ubuntu 17.10, OpenSuse Tumbleweed, Windows 10

推荐答案

由于 new X509Certficate2() 在 Linux 下不像在 Windows 下那样返回签名证书，因此您必须解析 ASN.1PKCS7 的结构以查找签名证书.

Since new X509Certficate2() does not return the signing certificate under Linux like it does under Windows you have to parse the ASN.1 structure of the PKCS7 to find the signing certificate.

示例:

// Import all certificates in the structure into a collection var collection = new X509Certificate2Collection(); collection.Import(Cert.CertBytes); // Find the signing cert var signingCert = collection.Cast<X509Certificate2>().FirstOrDefault(cert => string.Equals(cert.SerialNumber, SignerSerialNumber, StringComparison.CurrentCultureIgnoreCase));

唯一的难点是获取签名证书的序列号.为此，我解析了 ASN.1 结构.序列号在ASN.1路径1/0/4/0/1/1.

The only difficulty is to get the serial number of the signing cert. For that I've parsed the ASN.1 structure. The serial number is in the ASN.1 path 1/0/4/0/1/1.

示例:

// Get signing cert serial number from ASN.1 var serialNumber = asn1[1][0][4][0][1][1];

作为 ASN.1 解析器，我使用了 Mono 项目中的代码，但 Nuget 上有几个可用的解析器.

As an ASN.1 parser I've used code from the Mono project, but there are several parser available on Nuget.