使用 RSACryptoServiceProvider 使用过期证书加密/解密数据时没有错误
No error encrypting / decrypting data with an expired certificate using RSACryptoServiceProvider
我目前正在进行概念验证以使用证书加密数据。它运行良好,但现在,我想尝试证书过期的场景。我创建了一个过期的证书,我惊讶地发现即使使用过期的证书,一切都有效 属性。我期待一个错误。
你知道是不是因为它是自签名证书?
这是我用来测试案例的代码
[TestMethod]
public void Encrypt_decrypt_with_expired_certificate()
{
//Arrange
var baseString = "This is an encryption test";
X509Certificate2 newX509Certificate2 = new X509Certificate2("d:\testx509certExpired.pfx", "apassword");
Console.WriteLine(newX509Certificate2.NotAfter); //Show the expiration date which is in the past
var encryptor = new CertificateEncryptor(newX509Certificate2); //This class is a simple wrapper around RSACryptoServiceProvider
//Act
string encryptedResult = encryptor.Encrypt(baseString); //Exception expected because of the expired certificate but not thrown
//Assert
Console.WriteLine("Base string : {0}", baseString);
Console.WriteLine("Encrypted string : {0}", encryptedResult);
Assert.IsNotNull(encryptedResult);
//revert back
string decryptedString = encryptor.Decrypt(encryptedResult);
Console.WriteLine("Decrypted string : {0}", decryptedString);
Assert.AreEqual(baseString, decryptedString);
}
谢谢
正如 GregS 所说,RSACryptoServiceProvider class(不是 X509Certificate2)提供了执行加密操作的能力。 RSACryptoServiceProvider 对证书一无所知,它只知道密钥及其参数。这就是您看不到任何错误的原因。
这意味着证书验证 -- 是您的应用程序责任。您应该在加密数据时检查证书并跳过所有证书检查以解密数据。
尝试访问证书的 X509Certificate2.PublicKey.Key 属性时,如果证书不在有效期内,则应抛出 CryptographicException。
以下是我如何从证书加载 public 和私钥以执行加密操作:
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
class Example
{
private RSACryptoServiceProvider publicKey,
privateKey;
private bool getRSAKeys(X509Certificate2 cert, StoreLocation location)
{
try
{
//This will throw a CryptographicException if the certificate is expired
publicKey = (RSACryptoServiceProvider)cert.PublicKey.Key;
privateKey = (RSACryptoServiceProvider)cert.PrivateKey;
return true;
}
catch (CryptographicException e)
{
Console.WriteLine("The certificate is expired or otherwise unusable\r\n" + e.ToString());
return false;
}
}
我目前正在进行概念验证以使用证书加密数据。它运行良好,但现在,我想尝试证书过期的场景。我创建了一个过期的证书,我惊讶地发现即使使用过期的证书,一切都有效 属性。我期待一个错误。
你知道是不是因为它是自签名证书?
这是我用来测试案例的代码
[TestMethod]
public void Encrypt_decrypt_with_expired_certificate()
{
//Arrange
var baseString = "This is an encryption test";
X509Certificate2 newX509Certificate2 = new X509Certificate2("d:\testx509certExpired.pfx", "apassword");
Console.WriteLine(newX509Certificate2.NotAfter); //Show the expiration date which is in the past
var encryptor = new CertificateEncryptor(newX509Certificate2); //This class is a simple wrapper around RSACryptoServiceProvider
//Act
string encryptedResult = encryptor.Encrypt(baseString); //Exception expected because of the expired certificate but not thrown
//Assert
Console.WriteLine("Base string : {0}", baseString);
Console.WriteLine("Encrypted string : {0}", encryptedResult);
Assert.IsNotNull(encryptedResult);
//revert back
string decryptedString = encryptor.Decrypt(encryptedResult);
Console.WriteLine("Decrypted string : {0}", decryptedString);
Assert.AreEqual(baseString, decryptedString);
}
谢谢
正如 GregS 所说,RSACryptoServiceProvider class(不是 X509Certificate2)提供了执行加密操作的能力。 RSACryptoServiceProvider 对证书一无所知,它只知道密钥及其参数。这就是您看不到任何错误的原因。
这意味着证书验证 -- 是您的应用程序责任。您应该在加密数据时检查证书并跳过所有证书检查以解密数据。
尝试访问证书的 X509Certificate2.PublicKey.Key 属性时,如果证书不在有效期内,则应抛出 CryptographicException。
以下是我如何从证书加载 public 和私钥以执行加密操作:
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
class Example
{
private RSACryptoServiceProvider publicKey,
privateKey;
private bool getRSAKeys(X509Certificate2 cert, StoreLocation location)
{
try
{
//This will throw a CryptographicException if the certificate is expired
publicKey = (RSACryptoServiceProvider)cert.PublicKey.Key;
privateKey = (RSACryptoServiceProvider)cert.PrivateKey;
return true;
}
catch (CryptographicException e)
{
Console.WriteLine("The certificate is expired or otherwise unusable\r\n" + e.ToString());
return false;
}
}