Retrieving the KeySpec value from a certificate using PowerShell

I am trying to verify whether the certificates in the machine store have KeySpec set to AT_KEYEXCHANGE. Using certutil.exe does provide this information, but it requires string parsing. I would rather avoid string parsing, so as not to rely on assumptions about certutil.exe output that I do not know hold across different versions of Windows.

I have looked at the properties and methods of System.Security.Cryptography.X509Certificates.X509Certificate2 and System.Security.Cryptography.X509Certificates.RSACertificateExtensions.

How do I retrieve the KeySpec from a certificate in the certificate store?

I suspect the following is not a direct equivalent, but perhaps it ultimately contains the information you are looking for; it is based on applying Get-ChildItem to PowerShell's Cert: drive:

Get-ChildItem Cert:\LocalMachine -Recurse |
  Where-Object { -not $_.PSIsContainer -and $_.EnhancedKeyUsageList } |
  Format-List @{
    Name = 'KeyUsage'
    Expression = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' }
  },
  Subject,
  Thumbprint

Note: behavior changed between Windows PowerShell and PowerShell (Core) 7.1, both in the default output format and in how many certificates report a non-empty .EnhancedKeyUsageList property value: Windows PowerShell reports more.

In PowerShell (Core) 7.1, the above yields output similar to:

KeyUsage   : Code Signing, Time Stamping, Encrypting File System
Subject    : CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Thumbprint : 6E6D0A31B454AF8E8F06CFEB438351056204C28C
KeyUsage   : Server Authentication, Client Authentication, , 
Subject    : OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Thumbprint : 13E8AB4167D5830F9440093564AC0211C2D26E62

KeyUsage   : Code Signing, Windows Hardware Driver Verification
Subject    : CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
Thumbprint : 75F7C7CDC6900B145CF9242910EC037D423F369F
KeyUsage   : Code Signing, Time Stamping, Encrypting File System
Subject    : CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Thumbprint : 59E6BAC5EFE4C1A11B889146BD983F468C5103BA
KeyUsage   : Server Authentication
Subject    : CN=localhost
Thumbprint : 81F6D78B7A53AE3D03264D178A2E0FEBC978C4D8

I was able to find the KeySpec with help from here and here. The CspKeyContainerInfo class contains a property named KeyNumber, which certutil refers to as KeySpec.

I found two methods. One only works in PowerShell 5; the other works in both PowerShell 5 and 7.

PowerShell 5 Only

# Pick a certificate from the machine's personal store and read the KeySpec of its CSP key container
$Cert = (Get-ChildItem -Path Cert:\LocalMachine\My)[1]
$Cert.PrivateKey.CspKeyContainerInfo.KeyNumber

PowerShell 5 and 7

# Pick a certificate from the machine's personal store
$Cert = (Get-ChildItem -Path Cert:\LocalMachine\My)[1]
# Get the RSA private key (an RSACng object) and open the underlying CNG key from the machine key store
$PrivateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
$CngProvider = [System.Security.Cryptography.CngProvider]::new($PrivateKey.Key.Provider)
$CngKey = [System.Security.Cryptography.CngKey]::Open($PrivateKey.Key.KeyName, $CngProvider, [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
# Re-open the same container through CAPI (provider type 1 = PROV_RSA_FULL) to read its KeySpec (KeyNumber)
$CspParameters = [System.Security.Cryptography.CspParameters]::New(1, $CngKey.Provider, $CngKey.KeyName)
$CspParameters.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
$CspKeyContainerInfo = [System.Security.Cryptography.CspKeyContainerInfo]::New($CspParameters)
$CspKeyContainerInfo.KeyNumber
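As an added example (not code from the question or either answer), the following function folds both approaches into one store-wide check: it handles the RSACryptoServiceProvider object that Windows PowerShell returns for CAPI keys and the RSACng object that PowerShell 7 returns, and flags certificates whose KeySpec is not AT_KEYEXCHANGE. The function name, the default store path Cert:\LocalMachine\My and the use of CspProviderFlags.UseExistingKey are my assumptions.

```powershell
# Added example, not code from the question or the answers. Enumerates the
# certificates with a private key in the given store and reports the KeySpec of
# each key. KeyNumber.Exchange corresponds to AT_KEYEXCHANGE and
# KeyNumber.Signature to AT_SIGNATURE; keys that live only in a CNG key storage
# provider have no CSP KeySpec and are reported as unavailable.
function Get-CertKeySpec {
    [CmdletBinding()]
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumed store to audit
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $keySpec = $null
        $provider = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) { throw 'not an RSA key' }
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Windows PowerShell with a CAPI key: the CSP object exposes KeyNumber directly.
                $info = $rsa.CspKeyContainerInfo
            } else {
                # RSACng (PowerShell 7, or a CNG-opened key): re-open the same container
                # through CAPI, as in the second answer, to read its KeySpec.
                $provider = $rsa.Key.Provider.Provider
                $cspParams = [System.Security.Cryptography.CspParameters]::new(1, $provider, $rsa.Key.KeyName)
                # UseExistingKey makes CAPI fail instead of silently creating a new container.
                $cspParams.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                                   [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
                $info = [System.Security.Cryptography.CspKeyContainerInfo]::new($cspParams)
            }
            $keySpec  = [string]$info.KeyNumber   # 'Exchange' or 'Signature'
            $provider = $info.ProviderName
        } catch {
            $keySpec = "unavailable ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Provider      = $provider
            KeySpec       = $keySpec
            IsKeyExchange = ($keySpec -eq 'Exchange')
        }
    }
}

# List only the certificates whose key is not AT_KEYEXCHANGE (or whose KeySpec could not be read).
Get-CertKeySpec | Where-Object { -not $_.IsKeyExchange } | Format-Table -AutoSize
```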
