Export private key (PKCS#8) of CNG RSA certificate with oldschool .NET(使用 oldschool .NET 导出 CNG RSA 证书的私钥 (PKCS#8))
问题描述
我有一个 PKCS #12 (PFX) 文件,它是一个带有 CNG RSA 密钥的证书,我想导出私钥.
I have a PKCS #12 (PFX) file that is a certificate with CNG RSA key and want to export the private key.
MIIJ4gIBAzCCCZ4GCSqGSIb3DQEHAaCCCY8EggmLMIIJhzCCBgAGCSqGSIb3DQEHAaCCBfEEggXtMII
F6TCCBeUGCyqGSIb3DQEMCgECoIIE/CCBPowHAYKKoZIhvcNAQwBAzAOBAjBalb3hEiYXQICB9AEggT
Y80gGrPwpOpwdA1V9f55nVex6JzumPGb000ePt4jilZ3ktcY9SaE9krxBycNzRVFRVosJOZfHby8u2z
8PDj0bCgNUOE1yU5Jzf5yDyq1bRyLSi4zpwPaN5zj3CsJ3zqhvzzSmTRW2S4zeT1CgjQnsPkRHOMluX
0b+qNo+oY2v1fqRXwh5S2GX7joFHWOp5Xr425LiNLCZVxfnO64znKhzZLPJoG0jb8rfZkVC9p3zKt/J
VJJodqV+9jmnBcdGkQTN1jY7GRpi3aykLHGyaxDmp+0dSKZ5yMognY2tabJxAVQBnesCfwhtmZlxPx2
KBN2GHyfGV+4377t6crvPq4chVMEpX7regGO3uLl0ks4PhZwr0peCGfOTueRC+HWt6zwnCl6Iw8gTu/
99EjJgMp7OK98aHpBfWeUeFwHVnxcYSd/OElEL7wqyXHU3MeeTxYmAojRWN3SrlcL3LPtT9THxQO5Yq
vLPWhk2gSiqz8AommoJOv5roeB+tnR7LLFrJvYicPcRi0rjsCk0v8a/c6SeMvfdao2xrATFT6yEbHB9
xAoHGnWLTi4KCAP+sWCU+yr6/0iZCB76XFJsHUP/pt6rPQsBDfHmz/mC8DqYlmQZ5Xibv2jYpXu2DyM
LTgGzM3cbjdIFWnjJtPYpvH55q++Lws3rInQL/mR9M7oCwtFVA0s8IyDFhQbd1+r4VuJ3f9nRjaBfNJ
rKQlUzfvn/WGOEZe/+jRue/JfYSLUo59JwWe+8TFDxjO+5DnXXbCtBQsEZcPVtlUCCD6KopoWo4zTBO
l6lvguqTvFd8tvJPSR2bGvckSHw4JfF2ITVqMWzMqye7Dfck8J6CjnqDcYAOPfZ8btQMvKNyHS+Sex2
Kf7LfOsi5Fb1qE2RjMGO6YyzgsU80clS0A4U3okhXBbRmuZLDgXKOM08EejQPJycDPfX0irtIu06zRO
PgbCT8Zmx6Ch3dEx+NmuV86bA/WDNvl+ARIFD9ZQjIYsCjYrqp0LSfVSaZ2MSFU/avtaUYAEwri/Kkc
clmxD9S3H1SoY7H4Wrh3yXT/kR4LF+O2BkzJD4nMyR1NQ6t3fFkz4boXTWZv8k0QXkVxffnf1w80BAv
1VGf7jQNK2aSBI7kVoVYqbf31LVxoQ8sKmUVP3/v2vXc8bdZR5/hoYsIIAddCaYmmRGY31SGef/0G7k
z1XK/0QForcaug51yJOWGGrcOEBT1vfG2k2DTX1NVE0y+XL8pAL2rq2nmDUL2h7Al3LuonQMwyjrEQC
z08Tw/J8AMZVwj9QuhgCrsFeFfFD7n6xete8sQdGEqb2vyC/1IQgPAWWU3gu5LCd2BL5HDSSH3XQVHB
MbDYBWJeAAmhNSQZlGNqMaCcFhR0Q3Z5YwAs1a1fFE0isQf1xeqjxDzggH9d5RmXdH0MWd/BcBKH40y
EDnX89OEi/AlqyAFKzbC17dYEJWbOk9eny5YMohMVATAMLRr3KtzSeJZcb4zUfa/ayOmABjixQeODYx
eKksQW5+lkRipTqn9Hr5cIFTVkgB6irQHxecLShDKILiH/jJGgLH3G6X2q8y5uJuAb6WGN2aq4MyMsY
pHFcxs554/ueWcUHjQEfZ95ppJJmbea7iPo8rV2k1Ahox7ghRBik4mMuTfJGcx8sf6iTRslElkTGB0z
ATBgkqhkiG9w0BCRUxBgQEAQAAADBdBgkqhkiG9w0BCRQxUB5OAHQAcAAtADcAMgBkAGMANABlADMAN
gAtAGMAMwBjAGUALQA0ADkAMwBiAC0AOAA2ADYAMgAtADAAOQBjADQAMgBkAGQANABlAGMAYQBlMF0G
CSsGAQQBgjcRATFQHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAG8AZgB0AHcAYQByAGUAIABLAGUAeQA
gAFMAdABvAHIAYQBnAGUAIABQAHIAbwB2AGkAZABlAHIwggN/BgkqhkiG9w0BBwagggNwMIIDbAIBAD
CCA2UGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECPbFkV7hGKnVAgIH0ICCAzis/V3JhKnazUT5y
ENekVJQ3HMH+CT1GTCgCMI2tZ41zCyLnEQ0qCxoxVmeGrx5AD7bIFA3bbedwjvyAASP74Co0A9uTPTc
fHet1aVwTE8cMk+7kzQl6yM3qvVjqb9zVyrvnBugLha02iHfSn+ssj08Rar0oji0gUIUuvDYsB2jkzB
Mny+KJo7JtXIAeK5L82N7R3+Q4LSZzrgC5GO/B4cQolNfYjoiopcTebAKC4Jm5F9pyo1pgnTGQD+gy1
jo8+NJqT0BVB2He7Fyh07PJuHjtT6Un93SbQVmZ+TuJf39yvvH4LsGv3XQU3u8w25Jtvt7FO5GTOaQU
QcntWFm/xw67Z0mShBGtTv8132Uu6lg4jiqEvNKEomzjk4wxqtdnTbuOtMvN7cnPMXBFMHRyaIXr8wM
X9P9qJhcos4Zbx6KNc7eQWr9YJv/nyeGQK4ffuv4hMIYZJxV/WPkHbthDx7LYWDouXjolXQDXbpq2L0
9ro7N7T0KgP19SqNqxcUTdYbF5LxQFRe7cZP1xBeiXiSbk4W1YNXl6syz5Dm4UBS6rVz1qtwPjkc636
CBr0HdTMbfst3BDq2J1DP13cMFPTBZ4RYYmoKfG67e7n2DMTI035dfeHJD/2zSloaG32tfJK6mrcbdX
86+01wj/8meQI3gY/OiL9Zcz2JnvBvsJoTuarV0sJUL7oAGZP3m5QvTRenR07Qj/aZ0Oe6nDU8lsV8l
Ss5XpyGIm0YM2Sr3Z8/SVCkuXeu03WNEkRSaZhpmeSg4winf7unx2019k2KhQj0ic+5BQk0LhcTsA8J
+PhnuB/jh7qBrr8hu9rnvwGEHs9FAnGot9lUtBeNSDGw94mKPQnf4Ff+TXacpKfCMeUOVuwcIxZN4u4
ueKwhOOOY9eCbZeYk2SMu8B6xadp2NV2j8ALPBpDddL4sHx5kXeaMJtRfeki8+RUlY7oudo4vaf6N26
lw6YjwVvikvLQLLF20e4fPoAs5kcxthKUslZ+IMs1jRZijPbBnqzHCkIbY37xXTiKbB5Et43voqI4bR
3Rj2fQIEx0So1hhsjpJnseoM7vdvT290e9UwvqXSxHA/2iDRGD0ZgYL0jDA7MB8wBwYFKw4DAhoEFEw
MfAVl0oh+KBfFBh+2O+zNA+qRBBTacVg8LCnjGHYUuC+PXDW7UOVSNgICB9A=
文件为复制样本,密码为:1234
我已经尝试导出 RsaParameters
以及从 CngKey
导出私钥但没有成功 - 操作不支持
.
I already tried to export the RsaParameters
as well as exporting the private key from the CngKey
with no success - operation not supported
.
问题是缺少 CngExportPolicies.AllowPlaintextExport
标志.由于密钥处于最终状态,因此我在使用原生 NCrypt
调用设置标志时也没有成功.
The issue is the missing CngExportPolicies.AllowPlaintextExport
flag. I also had no success in setting the flag with native NCrypt
calls as the key is in a finalized state.
在另一个问题评论(无法导出 RSA 私钥参数,不支持请求的操作),它也指向几行 .NET 核心代码.
There was a hint on the process (export, import & set flag & export) in another questions comment (Cannot export RSA private key parameters, the requested operation is not supported) that also points to a few lines of .NET core code.
我尝试将代码移植到 oldschool C# .NET(例如,没有 Span<T>
),但在以下调用中获得了 invalid argument
:
I tried to port the code to oldschool C# .NET (without Span<T>
for instance) but get a invalid argument
on the following call:
internal static unsafe bool ExportPkcs8KeyBlob(
SafeNCryptKeyHandle keyHandle,
string password,
int kdfCount,
out int bytesWritten,
out byte[] allocated)
{
using (var stringHandle = new SafeUnicodeStringHandle(password))
{
var pbrParamsPtr =
Marshal.AllocHGlobal(Marshal.SizeOf(typeof(NativeMethods.NCrypt.PbeParams)));
var pbeParams = new NativeMethods.NCrypt.PbeParams();
fixed (byte* oidPtr = s_pkcs12TripleDesOidBytes)
{
var salt = new byte[8];
RandomNumberGenerator.GetBytes(salt);
pbeParams.rgbSalt = salt;
pbeParams.Params.cbSalt = pbeParams.rgbSalt.Length;
pbeParams.Params.iIterations = kdfCount;
var buffers = stackalloc NativeMethods.NCrypt.NCryptBuffer[3];
buffers[0] = new NativeMethods.NCrypt.NCryptBuffer
{
BufferType = NativeMethods.NCrypt.BufferType.PkcsSecret,
cbBuffer = checked(2 * (password.Length + 1)),
pvBuffer = stringHandle.DangerousGetHandle(),
};
if (buffers[0].pvBuffer == IntPtr.Zero)
{
buffers[0].cbBuffer = 0;
}
buffers[1] = new NativeMethods.NCrypt.NCryptBuffer
{
BufferType = NativeMethods.NCrypt.BufferType.PkcsAlgOid,
cbBuffer = s_pkcs12TripleDesOidBytes.Length,
pvBuffer = (IntPtr)oidPtr,
};
Marshal.StructureToPtr(pbeParams, pbrParamsPtr, true);
buffers[2] = new NativeMethods.NCrypt.NCryptBuffer
{
BufferType = NativeMethods.NCrypt.BufferType.PkcsAlgParam,
cbBuffer = Marshal.SizeOf(typeof(NativeMethods.NCrypt.PbeParams)),
pvBuffer = pbrParamsPtr
};
var desc = new NativeMethods.NCrypt.NCryptBufferDesc
{
cBuffers = 3,
pBuffers = (IntPtr)buffers,
ulVersion = 0,
};
var pbOutput = Array.Empty<byte>();
var errorCode = NativeMethods.NCrypt.NCryptExportKey(
keyHandle,
IntPtr.Zero,
NCRYPT_PKCS8_PRIVATE_KEY_BLOB,
ref desc,
ref pbOutput,
0,
out int numBytesNeeded,
0);
if (errorCode != 0)
{
throw new Win32Exception(errorCode);
...
我为完整代码创建了一个存储库,其中包含在 github 上失败的单元测试:https://github.com/lennybacon/CngPfxKeyExport
I created a repository for the complete code with a unit test that fails at github: https://github.com/lennybacon/CngPfxKeyExport
欢迎任何提示我从 .Net Core 转换失败或填充错误的数据或指针,因为有关使用的文档似乎非常罕见...
Any hints where I failed in the conversion from .Net Core or stuffed wrong data or pointers are welcome as documentation on the usage seems to be very rare...
推荐答案
您似乎引入了两个主要的移植错误和一个调用本机方法:
You seem to have introduced two main porting errors and one calling the native method:
1) PbeParams
.
你的:
[StructLayout(LayoutKind.Sequential)]
internal struct PbeParams
{
internal const int RgbSaltSize = 8;
internal CryptPkcs12PbeParams Params;
internal byte[] rgbSalt;
}
CoreFX:
[StructLayout(LayoutKind.Sequential)]
internal unsafe struct PBE_PARAMS
{
internal const int RgbSaltSize = 8;
internal CRYPT_PKCS12_PBE_PARAMS Params;
internal fixed byte rgbSalt[RgbSaltSize];
}
你的内存布局是在 CRYPT_PKCS12_PBE_PARAMS 值之后是指向更多数据的指针.CoreFX 版本的布局是直接在 CRYPT_PKCS12_PBE_PARAMS 之后是 8 个字节的占位符用于 salt,这是加密 API 所期望的(因为它不需要 pbSalt).
The layout in memory of yours is that after the CRYPT_PKCS12_PBE_PARAMS value is a pointer to more data. The layout of the CoreFX version is that directly after CRYPT_PKCS12_PBE_PARAMS is 8 bytes of placeholder for the salt, which is what the crypto API expects (since it doesn't take pbSalt).
恢复固定字节rgbSalt[RgbSaltSize]
很重要.
2) NCryptExportKey
的pbOutput
:
你的:
[DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
internal static extern int NCryptExportKey(
SafeNCryptKeyHandle hKey,
IntPtr hExportKey,
string pszBlobType,
ref NCryptBufferDesc pParameterList,
ref byte[] pbOutput,
int cbOutput,
[Out] out int pcbResult,
int dwFlags);
CoreFX:
[DllImport(Interop.Libraries.NCrypt, CharSet = CharSet.Unicode)]
internal static extern ErrorCode NCryptExportKey(
SafeNCryptKeyHandle hKey,
IntPtr hExportKey,
string pszBlobType,
ref NCryptBufferDesc pParameterList,
ref byte pbOutput,
int cbOutput,
[Out] out int pcbResult,
int dwFlags);
值得注意的是,CoreFX 版本是 ref byte pbOutput
而你的版本是 ref byte[] pbOutput
,使得值因指针间接而不同.
Notably, the CoreFX version was ref byte pbOutput
and yours is ref byte[] pbOutput
, making the value differ by a pointer indirection.
3) 第一次调用 export 需要 C NULL
,不是有效的指针.
3) The first call to export wants C NULL
, not valid pointer.
将更正后的互操作代码压缩到一个文件中,删除评论和未使用的枚举成员(以减少帖子大小)并修复它(然后简化使用,因为您可以使用 string
(保证