Retrieve KeySpec Value from Certificate Using PowerShell
I am trying to verify whether a certificate in the machine store has its KeySpec set to AT_KEYEXCHANGE. Using certutil.exe does provide this information, but it requires string parsing. I would rather avoid string parsing, so as not to make assumptions about the output of certutil.exe that I don't know to hold across all versions of Windows.
I looked at the properties and methods of System.Security.Cryptography.X509Certificates.X509Certificate2 and System.Security.Cryptography.X509Certificates.RSACertificateExtensions.
How do I retrieve the KeySpec from a certificate in the certificate store?
I suspect the following is not directly equivalent to what you're looking for, but perhaps it ultimately contains the information you're after; it is based on applying Get-ChildItem to PowerShell's Cert: drive:
Get-ChildItem Cert:\LocalMachine -Recurse |
  Where-Object { -not $_.PSIsContainer -and $_.EnhancedKeyUsageList } |
    Format-List @{
      Name = 'KeyUsage'
      Expression = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' }
    },
    Subject,
    Thumbprint
Note: Behavior has changed between Windows PowerShell and PowerShell (Core) 7.1, both in the default output formatting and in the number of certificates reported as having a non-empty .EnhancedKeyUsageList property value: Windows PowerShell reports more.
In PowerShell (Core) 7.1, the above yields something like:
KeyUsage : Code Signing, Time Stamping, Encrypting File System
Subject : CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Thumbprint : 6E6D0A31B454AF8E8F06CFEB438351056204C28C
KeyUsage : Server Authentication, Client Authentication, ,
Subject : OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Thumbprint : 13E8AB4167D5830F9440093564AC0211C2D26E62
KeyUsage : Code Signing, Windows Hardware Driver Verification
Subject : CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
Thumbprint : 75F7C7CDC6900B145CF9242910EC037D423F369F
KeyUsage : Code Signing, Time Stamping, Encrypting File System
Subject : CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Thumbprint : 59E6BAC5EFE4C1A11B889146BD983F468C5103BA
KeyUsage : Server Authentication
Subject : CN=localhost
Thumbprint : 81F6D78B7A53AE3D03264D178A2E0FEBC978C4D8
With the help of here and here, I found KeySpec. The CspKeyContainerInfo class contains a property named KeyNumber, which certutil calls KeySpec.
I found two methods. One works only in PowerShell 5; the other works in both PowerShell 5 and 7.
PowerShell 5 only
$Cert = (Get-ChildItem -Path Cert:\LocalMachine\My)[1]
# .PrivateKey is an RSACryptoServiceProvider on .NET Framework, so the CAPI container info is available directly
$Cert.PrivateKey.CspKeyContainerInfo.KeyNumber
PowerShell 5 and 7
$Cert = (Get-ChildItem -Path Cert:\LocalMachine\My)[1]
# Get the RSA private key handle (an RSACng object in PowerShell 7) and open its CNG key by name
$PrivateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
$CngProvider = [System.Security.Cryptography.CngProvider]::new($PrivateKey.Key.Provider)
$CngKey = [System.Security.Cryptography.CngKey]::Open($PrivateKey.Key.KeyName, $CngProvider, [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
# Re-open the same container through the CAPI CspKeyContainerInfo class (provider type 1 = PROV_RSA_FULL) to read KeyNumber
$CspParameters = [System.Security.Cryptography.CspParameters]::New(1, $CngKey.Provider, $CngKey.KeyName)
$CspParameters.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
$CspKeyContainerInfo = [System.Security.Cryptography.CspKeyContainerInfo]::New($CspParameters)
$CspKeyContainerInfo.KeyNumber
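An added example, not code from the question or either answer, that folds both of the answer's methods into one pipeline-friendly function and runs the check the question asks for (which certificates do not have KeySpec = AT_KEYEXCHANGE) across a whole store. The function name Get-CertKeySpec is hypothetical; the CNG branch assumes, as the answer does, that a CNG key container can be re-opened through CspParameters/CspKeyContainerInfo, and it reports Unavailable for any key it cannot read.

```powershell
# Added example (not the answer's code); the CNG branch assumes the answer's re-open step works for the key's provider.
function Get-CertKeySpec {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        $keyNumber = 0
        $keyKind   = 'None'
        if ($Certificate.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # CAPI key (what PowerShell 5 returns): KeyNumber is exposed directly.
                    $keyKind   = 'CAPI'
                    $keyNumber = [int] $rsa.CspKeyContainerInfo.KeyNumber
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG handle (what PowerShell 7 returns): re-open the container as the
                    # answer does, but honour the key's own store instead of assuming MachineKey.
                    $keyKind = 'CNG'
                    $cng = $rsa.Key
                    $csp = [System.Security.Cryptography.CspParameters]::new(1, $cng.Provider.Provider, $cng.KeyName)
                    if ($cng.IsMachineKey) {
                        $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
                    }
                    $keyNumber = [int] [System.Security.Cryptography.CspKeyContainerInfo]::new($csp).KeyNumber
                }
            }
            catch {
                # Unreadable key (no access, non-RSA key, hardware token): KeySpec stays Unavailable.
                Write-Verbose "Cannot read the key of $($Certificate.Thumbprint): $_"
            }
        }
        # KeyNumber enum: Exchange = 1 (AT_KEYEXCHANGE), Signature = 2 (AT_SIGNATURE)
        $keySpec = switch ($keyNumber) { 1 { 'AT_KEYEXCHANGE' } 2 { 'AT_SIGNATURE' } default { 'Unavailable' } }
        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            KeyKind    = $keyKind
            KeySpec    = $keySpec
        }
    }
}

# The check from the question: machine-store certificates whose KeySpec is not AT_KEYEXCHANGE.
Get-ChildItem Cert:\LocalMachine\My | Get-CertKeySpec |
    Where-Object KeySpec -ne 'AT_KEYEXCHANGE' | Format-Table -AutoSize
```

Run it from an elevated session when scanning Cert:\LocalMachine, since reading the machine-store private keys otherwise fails and every row comes back as Unavailable.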