再次指定无效的提供商类型
Invalid provider type specified one more time
我已经看过这些问题及其答案:
"Invalid provider type specified" CryptographicException when trying to load private key of certificate
How do I create client certificates for local testing of two-way authentication over SSL?
还有第二个问题引用的这篇博客。
我怀疑证书颁发者有问题,但我可能错了。
前言
我是身份验证的新手(你可以把它读成白痴)。当前项目是将现有网站和用 Visual Studio 2013 .Net 4.5.1 编写的 Web 应用程序升级到 Visual Studio 2017 2017 .Net 版本 4.6.1 以满足新消息代理的要求。
环境
Windows10
Visual Studio 2017 (15.8.1)
IIS 10
微软 SQL 服务器 2017
问题描述
用 C# 编写的 Web 服务器在身份验证期间抛出此错误
{"IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.
Key:
'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.\nException:'System.Security.Cryptography.CryptographicException: Invalid provider type specified.
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.
If you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available."}
已走步数
最初没有要检查的证书,因此产生了不同的错误。
在 PowerShell 运行 中以管理员身份
New-SelfSignedCertificate -Subject "CN= XxxxxxxXXCA" -DnsName "localhost" -FriendlyName "XxxxxxxXXCA" -KeyUsage DigitalSignature -KeyUsageProperty ALL -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My"
启动 MMC
将创建的证书复制到 Local Machine Personal
将证书复制到本地计算机受信任的根证书颁发机构
将证书复制到本地机器受信任的发布者
在 IIS 中启动网站
运行 Web 服务器 Visual Studio 2017
使用高级 REST 客户端 (ARC) 从客户端向服务器发送登录请求。
在下面的代码中遍历 Visual Studio 2017 调试器中的身份验证代码:
在return语句中抛出异常。
public string GenerateToken(string email)
{
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates;
X509Certificate2 signingCert =
certs.Cast<X509Certificate2>().FirstOrDefault(cert => cert.FriendlyName == "XxxxxxxXXCA");
SigningCredentials signingCredentials = new X509SigningCredentials(signingCert);
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
var customer = _customerService.GetCustomerByEmail(email);
var emailClaim = new Claim(ClaimTypes.Email, customer.Email, ClaimValueTypes.String);
var userIdClaim = new Claim(ClaimTypes.NameIdentifier, customer.Id.ToString(), ClaimValueTypes.Integer);
var roleClaim = new Claim(ClaimTypes.Role, "customer", ClaimValueTypes.String);
var claimsList = new List<Claim> { emailClaim, userIdClaim, roleClaim };
var tokenDescriptor = new SecurityTokenDescriptor()
{
AppliesToAddress = "http://localhost/api",
SigningCredentials = signingCredentials,
TokenIssuerName = "http://localhost",
Lifetime = new Lifetime(now, now.AddDays(30)),
//Lifetime = new Lifetime(now, now.AddDays(1)),
Subject = new ClaimsIdentity(claimsList)
};
store.Close();
return tokenHandler.WriteToken(tokenHandler.CreateToken(tokenDescriptor));
}
New-SelfSignedCertificate cmdlet 默认使用密钥存储提供程序。大多数 .NET Framework(特别是 X509Certificate2)不支持 CNG 密钥。结果,当您使用存储在 CNG 中的私钥从证书创建 X509Certificate2 实例时,PrivateKey 属性 上的 get 访问器抛出异常:
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
我相信,您不拥有在 PrivateKey 上调用 getter 的代码,因此,您需要通过在 [=17] 中明确提供旧版提供商名称来重新创建证书=] New-SelfSignedCertificate cmdlet 调用中的参数。例如,您可以使用 microsoft enhanced rsa and aes cryptographic provider provider 作为参数值。
我已经看过这些问题及其答案:
"Invalid provider type specified" CryptographicException when trying to load private key of certificate
How do I create client certificates for local testing of two-way authentication over SSL?
还有第二个问题引用的这篇博客。
我怀疑证书颁发者有问题,但我可能错了。
前言
我是身份验证的新手(你可以把它读成白痴)。当前项目是将现有网站和用 Visual Studio 2013 .Net 4.5.1 编写的 Web 应用程序升级到 Visual Studio 2017 2017 .Net 版本 4.6.1 以满足新消息代理的要求。
环境
Windows10
Visual Studio 2017 (15.8.1)
IIS 10
微软 SQL 服务器 2017
问题描述
用 C# 编写的 Web 服务器在身份验证期间抛出此错误
{"IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.
Key:
'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'\nSignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.\nException:'System.Security.Cryptography.CryptographicException: Invalid provider type specified.
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)\r\n at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()\r\n at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures)'.
If you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available."}
已走步数
最初没有要检查的证书,因此产生了不同的错误。
在 PowerShell 运行 中以管理员身份
New-SelfSignedCertificate -Subject "CN= XxxxxxxXXCA" -DnsName "localhost" -FriendlyName "XxxxxxxXXCA" -KeyUsage DigitalSignature -KeyUsageProperty ALL -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My"
启动 MMC
将创建的证书复制到 Local Machine Personal
将证书复制到本地计算机受信任的根证书颁发机构
将证书复制到本地机器受信任的发布者
在 IIS 中启动网站
运行 Web 服务器 Visual Studio 2017
使用高级 REST 客户端 (ARC) 从客户端向服务器发送登录请求。
在下面的代码中遍历 Visual Studio 2017 调试器中的身份验证代码:
在return语句中抛出异常。
public string GenerateToken(string email)
{
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates;
X509Certificate2 signingCert =
certs.Cast<X509Certificate2>().FirstOrDefault(cert => cert.FriendlyName == "XxxxxxxXXCA");
SigningCredentials signingCredentials = new X509SigningCredentials(signingCert);
var tokenHandler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;
var customer = _customerService.GetCustomerByEmail(email);
var emailClaim = new Claim(ClaimTypes.Email, customer.Email, ClaimValueTypes.String);
var userIdClaim = new Claim(ClaimTypes.NameIdentifier, customer.Id.ToString(), ClaimValueTypes.Integer);
var roleClaim = new Claim(ClaimTypes.Role, "customer", ClaimValueTypes.String);
var claimsList = new List<Claim> { emailClaim, userIdClaim, roleClaim };
var tokenDescriptor = new SecurityTokenDescriptor()
{
AppliesToAddress = "http://localhost/api",
SigningCredentials = signingCredentials,
TokenIssuerName = "http://localhost",
Lifetime = new Lifetime(now, now.AddDays(30)),
//Lifetime = new Lifetime(now, now.AddDays(1)),
Subject = new ClaimsIdentity(claimsList)
};
store.Close();
return tokenHandler.WriteToken(tokenHandler.CreateToken(tokenDescriptor));
}
New-SelfSignedCertificate cmdlet 默认使用密钥存储提供程序。大多数 .NET Framework(特别是 X509Certificate2)不支持 CNG 密钥。结果,当您使用存储在 CNG 中的私钥从证书创建 X509Certificate2 实例时,PrivateKey 属性 上的 get 访问器抛出异常:
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
我相信,您不拥有在 PrivateKey 上调用 getter 的代码,因此,您需要通过在 [=17] 中明确提供旧版提供商名称来重新创建证书=] New-SelfSignedCertificate cmdlet 调用中的参数。例如,您可以使用 microsoft enhanced rsa and aes cryptographic provider provider 作为参数值。