本文介绍了生成CrypoAPI(CAPI)私钥的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试使用 IXmlEncryptor .特别是使用CertificateEncryptor.(这是IXmlRepository系统的一部分,用于共享用于解密cookie的密钥和常规密钥管理(在ASP.NET Core中).

文档页面讨论了为此目的使用X.509证书的问题.

它表示仅支持具有 CAPI私钥的证书".

Google搜索表明CAPI表示Microsoft CryptAPI.但是我找不到更多有关它的信息,而且我发现似乎与C ++有关.

当我问他"CAPI私钥"是什么时,我的证书人"基本上告诉了我:

是同一回事吗?

如果没有,如何创建带有CAPI私钥的X.509证书?

注意:X.509证书是文档页面,它将在Linux机器(容器)上运行.这就是为什么我不考虑其他任何选项(可能更简单)的原因.

解决方案

您的证书人"不正确.

Microsoft有两种版本的密码学系统:旧版CrypotAPI(简称CryptoAPI或CAPI)和下一代密码学(CNG,CAPI2).

CrytpoAPI在Windows 2000中发明.传统的CryptoAPI在道德上已过时,不支持ECC,SHA2:仅RSA/传统DSA(最多1k长密钥),DES/3DES,RCx,无内置AES.密钥存储在旧式密码服务提供程序(或CSP)中.但是,在Windows Vista +中,添加了具有SHA2和AES的旧版CSP,以帮助较旧的应用程序在不进行大量代码更改的情况下使用它们.

CNG最早于2007年在Windows Vista/Windows Server 2008中引入,它的确是一个不错的东西:它相当可扩展,具有对NSA Suite B加密技术(ECC非对称密钥,SHA2算法组),密钥隔离,BCrypt函数的统一集,并且还必须更多.大多数仅使用CNG的API的名称中都包含 NCrypt BCrypt CNG NG 后缀/前缀,以便明确声明这是CNG API.在CNG中,密钥存储在经过重新设计的称为密钥存储提供程序(KSP)的CSP中,以将其与传统CSP区别开来,因为它们并不相同(尽管有一个单向桥接器,可以从KSP访问CSP,但不是这样)./p>

但是,.NET努力采用CNG,使其只能在.NET 4.7(以前存在实现,但是有已知的限制)中使用,而第三方应用程序仅在明确添加对CNG的支持时才支持CNG.,因为CNG使用不同的API,并且.NET Framework升级不会使应用程序具有CNG功能.

这是关于CAPI和CAPI2有什么区别的理论.

您的文档说,它要求使用旧版CSP的证书来存储私钥.在Windows中创建时,如果使用以下提供程序之一,则使用旧版CSP:

  Microsoft基本密码提供程序v1.0Microsoft基本DSS和Diffie-Hellman密码提供程序Microsoft基本DSS密码提供程序Microsoft基本智能卡加密提供程序Microsoft DH SChannel加密提供程序Microsoft增强加密提供程序v1.0Microsoft增强型DSS和Diffie-Hellman密码提供程序Microsoft增强型RSA和AES密码提供程序Microsoft RSA SChannel加密提供程序<-对于传统CSP而言,它是首选Microsoft强密码提供者 

您可以在Windows上创建证书(密钥对)时指定其中任何一个.例如,当使用 New-SelfSignedCertificate PowerShell cmdlet(默认为CNG KSP)或certreq.exe工具生成要由外部CA签名的请求时.这部分取决于您用来创建证书/证书请求的工具.

I am trying to implement encryption at rest using an IXmlEncryptor. Specifically using a CertificateEncryptor. (This is part of the IXmlRepository system for sharing keys for decrypting cookies and general key management in ASP.NET Core.)

This docs page discusses using an X.509 certificate for this purpose.

It indicates that "only certificates with CAPI private keys are supported".

Googling that shows that CAPI means Microsoft CryptAPI. But I can not find much more about it, and what I can find seems to be C++ related.

My "certificates guy" basically told me this when I asked him what a "CAPI private key" was:

Is that the same thing?

If not, how is a X.509 certificate with a CAPI private key created?

NOTE: The X.509 Certificate is the only option of those listed on the docs page that will work on a Linux machine (container). That is why I am not looking at any of the other (possibly easier) options.

解决方案

Your "certificate guy" is incorrect.

Microsoft has two versions of cryptography susbsytems: Legacy CrypotAPI (simply CryptoAPI or CAPI) and Cryptography Next Generation (CNG, CAPI2).

CrytpoAPI was invented in Windows 2000. Legacy CryptoAPI is morally outdated with no support for ECC, SHA2: only RSA/legacy DSA (up to 1k long keys), DES/3DES, RCx, no built-in AES. Keys are stored in legacy Cryptography Service Provider (or CSP). Though, in Windows Vista+, a legacy CSP with SHA2 and AES was added to help older applications to utilize them without much changes in code.

CNG was first introduced back in 2007 in Windows Vista/Windows Server 2008 and is really a good stuff: it is pretty extensible, with native support of NSA Suite B cryptography (ECC asymmetric keys, SHA2 algorithm groups), key isolation, unified set of BCrypt functions and must more. Most CNG-only APIs include NCrypt, BCrypt, CNG, NG suffixes/prefixes in their names to explicitly say it is CNG APIs. In CNG, keys are stored in redesigned CSP called Key Storage Provider (KSP) to distinguish it from legacy CSP, because they are not same (though, there is a one-way bridge to access CSP from KSP, but not otherwise).

However, .NET was struggling in adopting CNG and made it more-or-less usable only in .NET 4.7 (implementations existed before, but with known limitations) and 3rd party applications support CNG only when they explicitly add support for it, because CNG uses different APIs and .NET Framework upgrade doesn't make application CNG-capable.

This was a bit of theory on what is the difference between CAPI and CAPI2.

And your documentation says that it requires certificates that use legacy CSP to store private keys. When creating in Windows, legacy CSP is used when one of the following providers is used:

Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider <- this is preferred for legacy CSPs
Microsoft Strong Cryptographic Provider

You can specify any of them when creating certificate (key pair) on Windows. For example, when using New-SelfSignedCertificate PowerShell cmdlet (which defaults to CNG KSP), or certreq.exe tool to generate request to be signed by external CA. This part depends on tooling you use to create certificates/certificate requests.

这篇关于生成CrypoAPI(CAPI)私钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-13 13:30