从字符串加载.Net中的Jira公共证书（如何将ASN.1编码的SubjectPublicKeyInfo转换为.Net中的X509证书）

发布于 2024-10-27 22:18:12 字数 2721 浏览 12 评论 0原文

我正在构建一个 oauth 1.0a 服务，该服务将由 Jira 中的小工具使用，它是一个用 C# 编写的 .Net 3.5 应用程序。

Jira 使用 RSA-SHA1 签名方法向此服务发出请求，这意味着要验证请求的签名，我需要从其公共证书创建一个 X509Certificate 实例。

在 Jira 应用程序中，您可以通过转到消费者信息屏幕（其中还有 Jira 等的消费者密钥）来获取公共证书，它以这种格式显示公共密钥：

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCObJRTGSZbAo
jRkvKmm0cwFXnKcPMfR4t/sghvLe/+QVs6TJOz5cUh5UokSqyz
VeMsL0jomP18ZcR3SPcIFT7xtOGQjLwLk7ghfYSsxjTGs9VxsC
/PQk5OQRP3v43IxFNF3M2SYhFWJZTOnqrab5AsMh2Kxdv+D69D
CINXCu5ltQIDAQAB

查看生成此密钥的 Jira 代码，我可以看到它（据说）是 PEM 编码的，没有 BEGIN/END 证书页眉/页脚。

RSAKeys.toPemEncoding(consumer.getPublicKey())

RSAKeys 是一个开源类，可在此处找到：

https://studio.atlassian.com/source/browse/OAUTH/trunk/api/src/main/java/com/atlassian/oauth/util/RSAKeys.java？ r=HEAD

我希望将此公共证书（密钥）加载到 .Net 内的 X509Certificate 实例中，但到目前为止我的尝试失败了。这是我的代码：

static readonly Regex stripRegex = new Regex("-----[A-Z ]*-----");

public string ConvertFromOpenSsl(string key)
{
    return stripRegex.Replace(key, "").Replace("\r", "").Replace("\n", "");
}

public X509Certificate2 GetConsumerCertificate(IConsumer consumer)
{
    string cert =               
    @"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCObJRTGSZbAo
    jRkvKmm0cwFXnKcPMfR4t/sghvLe/+QVs6TJOz5cUh5UokSqyz
    VeMsL0jomP18ZcR3SPcIFT7xtOGQjLwLk7ghfYSsxjTGs9VxsC
    /PQk5OQRP3v43IxFNF3M2SYhFWJZTOnqrab5AsMh2Kxdv+D69D
    CINXCu5ltQIDAQAB";

    string converted = ConvertFromOpenSsl(cert);

    var bytes = Convert.FromBase64String(converted);


    var cert = new X509Certificate2(bytes); // throws here

但是在代码的最后一行我抛出了一个异常：

System.Security.Cryptography.CryptographicException: Cannot find the requested object.

    at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
    at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
    at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] data)
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)

我很确定我错过了一些基本的东西，但我可以想到它是什么。

更新

好的，经过进一步调查，这似乎是公钥的SubjectPublicKeyInfo序列化，因此它是ASN.1，base 64编码（162字节未编码），这是Java使用java的默认输出.security.PublicKey.getEncoded()。

因此，考虑到所有这些 - 是否有任何简单的方法来创建包装此公钥的 X509Certificate2 实例 - 或者除了公钥之外是否还需要其他元数据来创建 x509Certificate2 实例？

原文

I am building an oauth 1.0a service that will be consumed by a gadget within Jira, it's a .Net 3.5 Application written in C#.

Jira makes requests to this service using the RSA-SHA1 signature method, which means to verify the signature of the request I need create an X509Certificate instance form their public cert.

Within the Jira application you can get the public cert by going to the consumer info screen (which also has the consumer key for Jira etc.) and it presents the public key in this format:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCObJRTGSZbAo
jRkvKmm0cwFXnKcPMfR4t/sghvLe/+QVs6TJOz5cUh5UokSqyz
VeMsL0jomP18ZcR3SPcIFT7xtOGQjLwLk7ghfYSsxjTGs9VxsC
/PQk5OQRP3v43IxFNF3M2SYhFWJZTOnqrab5AsMh2Kxdv+D69D
CINXCu5ltQIDAQAB

Looking at the Jira code which generates this key I can see it's (supposedly) PEM encoded without the BEGIN/END certificate header/footer.

RSAKeys.toPemEncoding(consumer.getPublicKey())

RSAKeys is an open source class found here:

https://studio.atlassian.com/source/browse/OAUTH/trunk/api/src/main/java/com/atlassian/oauth/util/RSAKeys.java?r=HEAD

I wish to load this public cert (key) into an X509Certificate instance within .Net, but my attempts so far have failed. Here's the code I have:

static readonly Regex stripRegex = new Regex("-----[A-Z ]*-----");

public string ConvertFromOpenSsl(string key)
{
    return stripRegex.Replace(key, "").Replace("\r", "").Replace("\n", "");
}

public X509Certificate2 GetConsumerCertificate(IConsumer consumer)
{
    string cert =               
    @"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCObJRTGSZbAo
    jRkvKmm0cwFXnKcPMfR4t/sghvLe/+QVs6TJOz5cUh5UokSqyz
    VeMsL0jomP18ZcR3SPcIFT7xtOGQjLwLk7ghfYSsxjTGs9VxsC
    /PQk5OQRP3v43IxFNF3M2SYhFWJZTOnqrab5AsMh2Kxdv+D69D
    CINXCu5ltQIDAQAB";

    string converted = ConvertFromOpenSsl(cert);

    var bytes = Convert.FromBase64String(converted);


    var cert = new X509Certificate2(bytes); // throws here

But on the last line of code I have an exception thrown:

System.Security.Cryptography.CryptographicException: Cannot find the requested object.

    at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
    at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
    at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] data)
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)

I'm pretty sure I am missing something elementary, but I can think what it is.

UPDATE

OK, on further investigation it appears that this is a SubjectPublicKeyInfo serialization of the public key, so it's ASN.1, base 64 encoded (162 bytes unencoded), which is the default output from Java using java.security.PublicKey.getEncoded().

So given all that - is there any easy way to create an X509Certificate2 instance wrapping this public key - or is additional metadata required beyond the public key to create an x509Certificate2 instance?

分享到QQ

分享到微博