签名X509数码证书W/BouncyCastle的 - 数字签名无效

Question

可能重复：
Generated signed X.509 client certificate is invalid (no certificate chain to its CA)

我跟着这个例子：

http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation

但由此产生的签署客户端证书在Windows中打开时出现以下错误：

“此文件是用作以下无效：安全证书”

如果我反正安装它，并与certmgr查看，证书路径看起来不错 - 我看到我的自签名的证书颁发机构（这是没问题）但客户端证书有以下状态：

“此证书具有无效的数字签名。”

如果我叫X509Certificate.Verify（）它抛出以下异常：

“公钥呈现不证书签名”

但是我使用从Pkcs10CertificationRequest提取完全相同的公钥当我调用Verify（）时就没有问题。

任何想法？在经历了几天的苦苦挣扎之后，除了最后一部分之外，我已经完成了所有部分的工作 - 而令人困惑的是我的自签名CA证书没有问题。客户端证书正在发生一些变化。这是整个代码块：

 TextReader textReader = new StreamReader("certificaterequest.pkcs10"); 
     PemReader pemReader = new PemReader(textReader); 

     Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject(); 
     CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo(); 
     SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo; 

     RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey()); 

     RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent); 

     bool certIsOK = certificationRequest.Verify(publicKey); 
     // public key is OK here... 

     // get the server certificate 
     Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer")); 

     // get the server private key 
     byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key"); 
     AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes); 

     // generate the client certificate 
     X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); 

     generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random())); 
     generator.SetIssuerDN(serverCertificate.SubjectDN); 
     generator.SetNotBefore(DateTime.Now); 
     generator.SetNotAfter(DateTime.Now.AddYears(5)); 
     generator.SetSubjectDN(certificationRequestInfo.Subject); 
     generator.SetPublicKey(publicKey); 
     generator.SetSignatureAlgorithm("SHA512withRSA"); 
     generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate)); 
     generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey)); 

     var newClientCert = generator.Generate(serverPrivateKey); 

     newClientCert.Verify(publicKey); // <-- this blows up 

     return DotNetUtilities.ToX509Certificate(newClientCert).Export(X509ContentType.Pkcs12, "user password"); 

Answer 1

我想通了。如果您拨打X509Certificate.Verify(publicKey)，您必须通过CA的公钥，而不是Pkcs10CertificationRequest中的客户公钥。