C# windows-installer certificate custom-action

在 .MSI 自定义操作中安装证书无法正常工作

发布于 2024-08-04 10:31:18 字数 996 浏览 2 评论 0原文

我正在尝试通过自定义操作在本地计算机存储中安装证书。证书已安装，但当我使用它查询 AWS 时，出现以下错误：

对象仅包含公共部分的密钥对。私钥还必须提供。

安装程序正在运行提升，目标是Windows Vista。

如果我使用单独的 .exe 安装完全相同的证书，使用完全相同的代码，它就可以工作。那么使用 Windows Installer 安装证书有什么不同呢？

代码：

private void InstallCertificate(string certificatePath, string certificatePassword)
{
  if (IsAdmin())
  {
    try
    {
      X509Certificate2 cert = new X509Certificate2(certificatePath, certificatePassword,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

      X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
      store.Open(OpenFlags.ReadWrite);
      store.Add(cert);
      store.Close();
    }
    catch (Exception ex)
    {
      throw new DataException("Certificate appeared to load successfully but also seems to be null.", ex);
    }
  }
  else
  {
    throw new Exception("Not enough priviliges to install certificate");
  }
}

原文

I'm trying to install a certificate in the Local Machine Store in a custom action.
The certificate is installed, but when I use it to query AWS, I get this error:

Object contains only the public half
of a key pair. A private key must also
be provided.

The installer is running elevated, the target is Windows Vista.

If I use a separate .exe to install the exact same certificate, using the exact same code, it works.
So what is it that differs when installing a certificate using the Windows Installer?

The code:

private void InstallCertificate(string certificatePath, string certificatePassword)
{
  if (IsAdmin())
  {
    try
    {
      X509Certificate2 cert = new X509Certificate2(certificatePath, certificatePassword,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

      X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
      store.Open(OpenFlags.ReadWrite);
      store.Add(cert);
      store.Close();
    }
    catch (Exception ex)
    {
      throw new DataException("Certificate appeared to load successfully but also seems to be null.", ex);
    }
  }
  else
  {
    throw new Exception("Not enough priviliges to install certificate");
  }
}

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

美人迟暮 2024-08-11 10:31:18

好吧，至少这个问题为我赢得了一个翻滚杂草徽章......

事实证明是对已安装密钥文件的权限。我必须授予所有用户读取权限。

这是我用来授予所有（本地）用户读取权限的代码：

private static void AddAccessToCertificate(X509Certificate2 cert)
{
  RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
  if (rsa == null) return;

  string keyfilepath = FindKeyLocation(rsa.CspKeyContainerInfo.UniqueKeyContainerName);

  FileInfo file = new FileInfo(System.IO.Path.Combine(keyfilepath, rsa.CspKeyContainerInfo.UniqueKeyContainerName));

  FileSecurity fs = file.GetAccessControl();

  SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
  fs.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.Read, AccessControlType.Allow));
  file.SetAccessControl(fs);
}

private static string FindKeyLocation(string keyFileName)
{
  string pathCommAppData = System.IO.Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys");
  string[] textArray = Directory.GetFiles(pathCommAppData, keyFileName);
  if (textArray.Length > 0) return pathCommAppData;

  string pathAppData = System.IO.Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), @"Microsoft\Crypto\RSA\");
  textArray = Directory.GetDirectories(pathAppData);
  if (textArray.Length > 0)
  {
    foreach (string str in textArray)
    {
      textArray = Directory.GetFiles(str, keyFileName);
      if (textArray.Length != 0) return str;
    }
  }
  return "Private key exists but is not accessible";
}

Well, at least this question earned me a tumble weed badge...

It turned out to be the permissions on the installed key file. I had to grant all users read permissions.

And here is the code I used to grant all (local) users read permissions:

private static void AddAccessToCertificate(X509Certificate2 cert)
{
  RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
  if (rsa == null) return;

  string keyfilepath = FindKeyLocation(rsa.CspKeyContainerInfo.UniqueKeyContainerName);

  FileInfo file = new FileInfo(System.IO.Path.Combine(keyfilepath, rsa.CspKeyContainerInfo.UniqueKeyContainerName));

  FileSecurity fs = file.GetAccessControl();

  SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
  fs.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.Read, AccessControlType.Allow));
  file.SetAccessControl(fs);
}

private static string FindKeyLocation(string keyFileName)
{
  string pathCommAppData = System.IO.Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys");
  string[] textArray = Directory.GetFiles(pathCommAppData, keyFileName);
  if (textArray.Length > 0) return pathCommAppData;

  string pathAppData = System.IO.Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), @"Microsoft\Crypto\RSA\");
  textArray = Directory.GetDirectories(pathAppData);
  if (textArray.Length > 0)
  {
    foreach (string str in textArray)
    {
      textArray = Directory.GetFiles(str, keyFileName);
      if (textArray.Length != 0) return str;
    }
  }
  return "Private key exists but is not accessible";
}

回复收藏 0 原文

~没有更多了~