如何解决建立TLS频道失败,具体取决于我们如何创建X509Certificate2
我们正在研究如何将自定义RSA实现与HttpClient集成。 我们正在使用以下测试用例(出于隐私考虑,对其进行了稍微编辑)。 它成功完成。 我们正在.NET Framework 4.7.2中运行测试。
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.VisualStudio.TestTools.UnitTesting;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;
namespace test
{
[TestClass]
public class ExchangeTest
{
[TestMethod]
public void Smoke ()
{
var keys = GenerateKeys();
var certificate = GenerateCertificate(keys);
Assert.IsNotNull(certificate);
var http = new HttpClientHandler();
http.SslProtocols = SslProtocols.Tls12;
http.ClientCertificates.Add(certificate);
http.ClientCertificateOptions = ClientCertificateOption.Manual;
http.ServerCertificateCustomValidationCallback = (message,certificate2,chain,errors) => { return true; };
var httpClient = new HttpClient(http);
var response = httpClient.GetAsync("https://localhost:12345/api/v1").Result;
Assert.IsNotNull(response);
}
public static X509Certificate2 GenerateCertificate(RSA keys)
{
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA",DotNetUtilities.GetKeyPair(keys).Private,random);
var certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetPublicKey(DotNetUtilities.GetKeyPair(keys).Public);
var subjectDN = new X509Name("CN=Test,C=BR");
certificateGenerator.SetSubjectDN(subjectDN);
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One,BigInteger.ValueOf(Int64.MaxValue),random);
certificateGenerator.SetIssuerDN(subjectDN);
certificateGenerator.SetSerialNumber(serialNumber);
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
var certificate = certificateGenerator.Generate(signatureFactory);
var info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(DotNetUtilities.GetKeyPair(keys).Private);
var rsa = RsaPrivateKeyStructure.GetInstance(info.ParsePrivateKey());
var rsaparams = new RsaPrivateCrtKeyParameters(rsa.Modulus,rsa.PublicExponent,rsa.PrivateExponent,rsa.Prime1,rsa.Prime2,rsa.Exponent1,rsa.Exponent2,rsa.Coefficient);
var x509 = new X509Certificate2(certificate.GetEncoded());
return x509.CopyWithPrivateKey(DotNetUtilities.ToRSA(rsaparams));
}
public static RSA GenerateKeys()
{
return RSA.Create(2048);
}
}
}
当我们减少这些行时:
var info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(DotNetUtilities.GetKeyPair(keys).Private);
var rsa = RsaPrivateKeyStructure.GetInstance(info.ParsePrivateKey());
var rsaparams = new RsaPrivateCrtKeyParameters(rsa.Modulus,rsa.Coefficient);
var x509 = new X509Certificate2(certificate.GetEncoded());
return x509.CopyWithPrivateKey(DotNetUtilities.ToRSA(rsaparams));
包含以下几行:
var x509 = new X509Certificate2(certificate.GetEncoded());
return x509.CopyWithPrivateKey(keys);
代码编译成功,但测试失败,并显示System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
对于C#和.NET来说,我们相对较新。 我们错过了什么吗? 我们该如何调试呢?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。