问题描述

我正在使用 RSACryptoServiceProvider 用于签名 JWT 令牌，并且一切正常.现在遵循 JWT 和 JWK 规范，我需要提供 x5c 值给客户端，以验证签名的 JWT 的签名.因此，如果我有一个有效的值，如何生成 x5c 值 RSACryptoServiceProvider C#中的实例?

I am using RSACryptoServiceProvider for signing JWT tokens, and everying works fine. Now following the JWT and JWK spec, I need provide x5c value to client for validating the signature of the signed JWT. So, How can I generate the x5c value given I have a valid RSACryptoServiceProvider instance in C#?

我找到了 RSACryptoServiceProvider.ExportParameters 方法可以导出RSA的所有参数，但不知道如何编写 x5c 值基于此.

I found RSACryptoServiceProvider.ExportParameters method can export all parameters of the RSA, but have no idea how to compose the x5c value based on that.

推荐答案

x5c是X.509链，它要求您具有证书(而不是原始RSA密钥).

x5c is the X.509 chain, which requires that you have a certificate (instead of a raw RSA key).

如果您具有用于私钥检索的X509Certificate2对象，或者具有代表该密钥的证书，则可以通过以下方式构建链:

If you have an X509Certificate2 object which you used for private key retrieval, or otherwise have a certificate representing that key, you can build the chain via

X509Chain chain = new X509Chain()
bool success = chain.Build(cert);

if (!success)
    throw new Exception("eep");

然后对于每个chain.ChainElements值，采用Certificate属性RawValue属性(并对其进行base64编码).

Then for each chain.ChainElements value, take the Certificate property RawValue property (and base64 encode it).

我对规格的了解还不足以知道您是否应该跳过第一个元素(您的证书)和/或最后一个元素(根证书).但这应该足以开始.

I didn't look at the spec enough to know if you should skip the first element (your cert) and/or the last one (the root cert). But that should be enough to get started.

这篇关于如何从RSACryptoServiceProvider获取x5c的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！