小贝子编程

无法将智能卡证书添加到Yubikey



我正在尝试创建一个智能卡证书并将其添加到Yubikey(我正在使用Yubico的迷你驱动程序,因此Yubikey的行为就像SmartCard,无法使用其Pivmanager或Ykman(。我能够使用以下代码成功地使用Yubikey签署CSR:

certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];

然后我去CA并恢复证书。当我尝试将证书添加回Yubikey时,我会收到以下错误:

CERTENROLL :: CX509ENROLLMENT :: installResponse:找不到对象或属性。0x80092004(-2146885628 crypt_e_not_found(

根据我在Google上发现的内容,这意味着系统无法找到签署证书的私钥。我正在使用该请求来初始化容器,但仍然找不到它是由SmartCard完成的,这是参考的代码:

CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
objEnroll.InstallResponse(
    InstallResponseRestrictionFlags.AllowUntrustedRoot,
    certificateRequest.StringCert,
    EncodingType.XCN_CRYPT_STRING_BASE64,
    null
);

有没有办法告诉窗户在Yubikey中查找私钥?

我错过了私钥的实际创建,这里的请求是新的完整代码:

certificateRequest.CertRequest = new CX509CertificateRequestPkcs10();
certificateRequest.CertRequest.Initialize(X509CertificateEnrollmentContext.ContextUser);
certificateRequest.CertRequest.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
certificateRequest.CertRequest.PrivateKey.Length = 2048;
certificateRequest.CertRequest.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";
certificateRequest.CertRequest.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
certificateRequest.CertRequest.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;
certificateRequest.CertRequest.PrivateKey.MachineContext = false;
certificateRequest.CertRequest.PrivateKey.Create();
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(certificateRequest.SubjectName);
certificateRequest.CertRequest.Subject = subjectEncoded;
certificateRequest.CertRequest.Encode();
certificateRequest.CSR = certificateRequest.CertRequest.RawData[EncodingType.XCN_CRYPT_STRING_BASE64REQUESTHEADER];

然后我去CA并恢复证书。当我尝试将证书添加回Yubikey时:

CX509Enrollment objEnroll = new CX509EnrollmentClass();
objEnroll.InitializeFromRequest(certificateRequest.CertRequest);
objEnroll.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
objEnroll.InstallResponse(
    InstallResponseRestrictionFlags.AllowUntrustedRoot,
    certificateRequest.StringCert,
    EncodingType.XCN_CRYPT_STRING_BASE64,
    null
);

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium