我对执行安全性和加密有点陌生,因此,如果我犯了一个非常愚蠢的错误,请提前抱歉。我需要服务器和客户端通过使用SslStream的安全连接进行通信。但是我的证书不起作用。我收到以下错误:System.NotSupportedException: 'The server mode SSL must use a certificate with the associated private key.'
我的代码是文档中给出的Microsoft示例:https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=netframework-4.8ss
我尝试过:
Win32Exception: The certificate chain was issued by an authority that is not trusted.除最后一个以外的所有都给了System.NotSupportedException: 'The server mode SSL must use a certificate with the associated private key.'例外。这是否意味着自签名证书不起作用?我需要购买证书吗?
编辑:这是我使用的代码。这是修改后的示例(很抱歉,如果我对此进行了严格的编码),并且是可执行的,可以模拟服务器和客户端并抛出异常:
class Program
{
static void Main(string[] args)
{
//Temporarily added the arguments here for you to see
args = new string[2] { @"C:\Users\jacke\Documents\CA\TempCert.cer", "FakeServerName" };
Console.WriteLine("Starting server in seperate thread...");
Task t = Task.Run(() => { Server.Initialize(args[0]); });
Task.Delay(500).Wait();
Client.RunClient(args[1]);
}
}
public static class Server
{
private static X509Certificate cert;
private static TcpListener server;
public static void Initialize(string certificate)
{
cert = X509Certificate.CreateFromCertFile(certificate);
server = new TcpListener(IPAddress.Any, 12321);
server.Start();
while (true)
{
Console.WriteLine("Waiting for a client to connect...");
TcpClient client = server.AcceptTcpClient();
ProcessClient(client);
}
}
private static void ProcessClient(TcpClient client)
{
SslStream sslStream = new SslStream(client.GetStream(), false);
try
{
sslStream.AuthenticateAsServer(cert, clientCertificateRequired: false, checkCertificateRevocation: true);
sslStream.ReadTimeout = 5000;
sslStream.WriteTimeout = 5000;
Console.WriteLine("Waiting for client message...");
string messageData = Helpers.ReadMessage(sslStream);
byte[] message = Encoding.UTF8.GetBytes("Hello from the server.<EOF>");
Console.WriteLine("Sending hello message.");
sslStream.Write(message);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
sslStream.Close();
client.Close();
return;
}
finally
{
sslStream.Close();
client.Close();
}
}
}
public static class Client
{
private static Hashtable certificateErrors = new Hashtable();
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
return false;
}
public static void RunClient(string serverName)
{
TcpClient client = new TcpClient("localhost", 12321);
Console.WriteLine("Client connected.");
SslStream sslStream = new SslStream(
client.GetStream(),
false,
new RemoteCertificateValidationCallback(ValidateServerCertificate),
null
);
try
{
sslStream.AuthenticateAsClient(serverName);
}
catch (AuthenticationException e)
{
Console.WriteLine("Exception: {0}", e.Message);
if (e.InnerException != null)
{
Console.WriteLine("Inner exception: {0}", e.InnerException.Message);
}
Console.WriteLine("Authentication failed - closing the connection.");
client.Close();
return;
}
byte[] messsage = Encoding.UTF8.GetBytes("Hello from the client.<EOF>");
sslStream.Write(messsage);
string serverMessage = Helpers.ReadMessage(sslStream);
Console.WriteLine("Server says: {0}", serverMessage);
client.Close();
Console.WriteLine("Client closed.");
}
}
public static class Helpers
{
public static string ReadMessage(SslStream sslStream)
{
// Read the message sent by the server.
// The end of the message is signaled using the
// "<EOF>" marker.
byte[] buffer = new byte[2048];
StringBuilder messageData = new StringBuilder();
int bytes = -1;
do
{
bytes = sslStream.Read(buffer, 0, buffer.Length);
Decoder decoder = Encoding.UTF8.GetDecoder();
char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];
decoder.GetChars(buffer, 0, bytes, chars, 0);
messageData.Append(chars);
// Check for EOF.
if (messageData.ToString().IndexOf("<EOF>") != -1)
{
break;
}
} while (bytes != 0);
return messageData.ToString();
}
}
这是我创建证书的方式(如我上面链接的帖子中所述:]
makecert -sv RootCATest.pvk -r -n "CN=FakeServerName" RootCATest.cer
makecert -ic RootCATest.cer -iv RootCATest.pvk -n "CN=FakeServerName" -sv
TempCert.pvk -pe -sky exchange TempCert.cer
cert2spc TempCert.cer TempCert.spc
pvkimprt -pfx TempCert.spc TempCert.pvk
我通过上述命令输入的其他信息:
然后,我将.pfx文件导入本地证书存储中(我之前也尝试过在整个计算机上进行存储),然后让程序选择正确的存储。它警告我,将信任CA的所有证书,因此我应该联系CA以检查这确实是他们的证书,但是我继续进行。然后,我运行了代码(使用我刚刚创建的“ TempCert.cer”文件)并得到了错误。任何建议都将受到高度赞赏!
如果我没记错的话,.cer文件不包含私钥,并且我假设通过从文件中加载证书来不检查证书存储。您可以导出.pfx,并在导出中包含私钥。
[我不知道为什么.pvk尝试失败了(但是我自己从未尝试过这种格式)-SslStream肯定可以使用自签名证书;客户端只需忽略验证失败即可。
但是,如果您已经将其导入商店,则应该可以直接加载它:
using System.Security.Cryptography.X509Certificates;
// ...
using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "FakeServerName", false);
return new X509Certificate2(certs[0]);
}
针对您评论中的错误:
提供给软件包的凭据未被识别
我不知道我是否确切地收到了该消息,但我确实记得必须将访问权限授予该应用程序所运行的用户。您必须打开正确证书工具:
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in(运行mmc,选择文件/添加管理单元,选择证书)
然后授予用户对私钥的访问权限:
https://docs.secureauth.com/display/KBA/Grant+Permission+to+Use+Signing+Certificate+Private+Key(右键单击证书,选择所有任务/管理私钥)