Powershell System.Security.Cryptography.RSACryptoServiceProvider 不接受长度超过 50 个字符的加密密码

Powershell System.Security.Cryptography.RSACryptoServiceProvider doesn't accept encrypting password with length more than 50 chars

当我尝试使用 System.Security.Cryptography.RSACryptoServiceProvider 对象加密 50 个字符的字符串时,我在调用加密时遇到错误的长度错误。 我有根据的猜测是字符串的长度太多(可能是 [byte] 的限制?),因为当我有一个 39char 字符串时一切正常。

以下完整错误:

Exception calling "Encrypt" with "2" argument(s): "Bad Length. "At [omitted]
+ $encrypted = $rsa.Encrypt($bytes,$true) + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CryptographicException

Exception calling "Decrypt" with "2" argument(s): "Error occurred while decoding OAEP padding." At [omitted] + $Password = [char[]]$rsa.Decrypt($encrypted, $true) -join "" | Co ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CryptographicException

我的代码:

function Checkpassword([String] $Type) {
$pwpath = "$root$Type.pw"
$encrypted = ''

if (test-path $pwpath -erroraction silentlycontinue) {
    $encrypted = Import-Clixml $pwpath
}

if(!($encrypted)) {
    write-host "No $Type password file found, create one now by entering your $Type password." -fore yellow

    # Create password file using local encryption
    $key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43,6,6,6,6,6,6,31,33,60,23)
    $pass = Read-Host "Enter your $Type password" -AsSecureString
    $securepass = $pass |ConvertFrom-SecureString -Key $key
    $bytes = [byte[]][char[]]$securepass            

    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = "SuperSecretProcessOnMachine"
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 5120,$csp
    $rsa.PersistKeyInCsp = $true

    $encrypted = $rsa.Encrypt($bytes,$true)
    $encrypted |Export-Clixml "$root$Type.pw" -force
}

$key = (2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43,6,6,6,6,6,6,31,33,60,23)            

$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = "SuperSecretProcessOnMachine"
$csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 5120,$csp
$rsa.PersistKeyInCsp = $true

$Password = [char[]]$rsa.Decrypt($encrypted, $true) -join "" |ConvertTo-SecureString -Key $key
$credential = New-Object System.Management.Automation.PsCredential ".",$Password }

请记住,您在调用 ConvertFrom-SecureString -Key $Key 时已经使用 3DES 隐式加密了字符串。

这意味着即使字符串本身只有 ~100 字节,生成的有效负载 ($bytes) 的大小也 >500 字节,已经超过了使用 OEAP 加密的明文的最大大小,并且一个 4096 位密钥。

您可以在密钥容器中安装更大的密钥,或者(更确切地说)使用另一种更适合长消息加密的加密算法