refer:
https://blog.csdn.net/WuLex/article/details/54986208 (读写证书 store)
https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html (create 证书)
之前有写过关于如果制作证书
https://www.cnblogs.com/keatkeat/p/13412953.html (git bash)
https://www.cnblogs.com/keatkeat/p/9326389.html (by powershell)
这篇主要是说说在 asp.net core 下如果读写系统里的证书 store 和如果生产一个证书.
还有使用证书做加密解密和签名
x.509 store and create x.509
using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); // 也可以从 LocalMachine 拿, 通常 LocalMachine 要求权限比较高 store.Open(OpenFlags.ReadWrite); // 如果只是要读, 可以放 ReadOnly // 查找 // var certificates = store.Certificates.Find( // X509FindType.FindBySubjectName, // findValue: "jbreviews.com.my", // validOnly: false // validOnly 可以检查 expired 和 是否 under root 证书 (self sign 的通常不 under root) // ); // 遍历 foreach (var certificate in store.Certificates) { } // 制作 certificate using var algorithm = RSA.Create(keySizeInBits: 2048); var subject = new X500DistinguishedName($"CN=My signing certification"); var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); // X509KeyUsageFlags.DigitalSignature for 签名, X509KeyUsageFlags.KeyEncipherment for 加密 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true)); var newCertificate = request.CreateSelfSigned( notBefore: DateTimeOffset.UtcNow, notAfter: DateTimeOffset.UtcNow.AddYears(1) ); var rowData = newCertificate.Export(X509ContentType.Pfx, "password"); // 添加私钥的保护密码, 因为我们要 store 起来所以需要一个保护密码 newCertificate = new X509Certificate2(rowData, "password"); // 添加新的 cert store.Add(newCertificate);
加密解密和签名
refer: https://stackoverflow.com/questions/41594683/encrypt-decrypt-in-c-sharp-using-certificate
注意哦,
加密的话是用 public key 加密, private 解密 (通常对称加密只用来加密对称加密的密钥, 内容要短)
签名和验证签名使用 private key 签名, public key 验证. (要做 sha256 消息摘要哦)
加密解密
using var algorithm = RSA.Create(keySizeInBits: 2048); var subject = new X500DistinguishedName($"CN=jbreviews"); var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pss); request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true)); var certificate = request.CreateSelfSigned( notBefore: DateTimeOffset.UtcNow, notAfter: DateTimeOffset.UtcNow.AddDays(30) ); var password = "password"; using var privateKey = certificate.GetRSAPrivateKey()!; using var publicKey = certificate.GetRSAPublicKey()!; var encryption = publicKey.Encrypt(Encoding.UTF8.GetBytes(password), RSAEncryptionPadding.OaepSHA256); var decryption = privateKey.Decrypt(encryption, RSAEncryptionPadding.OaepSHA256); var valid = Encoding.UTF8.GetString(decryption) == password;
签名和验证签名
using var algorithm = RSA.Create(keySizeInBits: 2048); var subject = new X500DistinguishedName($"CN=jbreviews"); var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pss); request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true)); var certificate = request.CreateSelfSigned( notBefore: DateTimeOffset.UtcNow, notAfter: DateTimeOffset.UtcNow.AddDays(30) ); var message = "value"; using var sha256 = SHA256.Create(); var messageDigest = sha256.ComputeHash(Encoding.UTF8.GetBytes(message)); using var privateKey = certificate.GetRSAPrivateKey()!; using var publicKey = certificate.GetRSAPublicKey()!; var signature = privateKey.SignHash(messageDigest, HashAlgorithmName.SHA256, RSASignaturePadding.Pss); var valid = publicKey.VerifyHash(messageDigest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
关于 RSA padding 我没有 research 太多
https://cloud.tencent.com/developer/article/1499219
https://www.cnblogs.com/Janly/p/14007703.html
https://zhuanlan.zhihu.com/p/56678361
https://zhuanlan.zhihu.com/p/45291044
有 3 种
pkcs1 最开始的 (sign 加密都可以用)
Pss, 后来用来做 sign 的
OAEP 后来用来做加密的
openiddict core 的 example 的是 pkcs1, 不知道我换掉 ok 不 ok .