(转)C#创建数字证书并导出为pfx，并使用pfx进行非对称加解密

OStack程序员社区-中国程序员成长平台 › 门户 › 编程› Node.js›Node.js教程

原作者: [db:作者] 来自: [db:来源] 收藏邀请

我的项目当中，考虑到安全性，需要为每个客户端分发一个数字证书，同时使用数字证书中的公私钥来进行数据的加解密。为了完成这个安全模块，特写了如下一个DEMO程序，该DEMO程序包含的功能有：

1：调用.NET2.0的MAKECERT创建含有私钥的数字证书，并存储到个人证书区；

2：将该证书导出为pfx文件，并为其指定一个用来打开pfx文件的password；

3：读取pfx文件，导出pfx中公钥和私钥；

4：用pfx证书中的公钥进行数据的加密，用私钥进行数据的解密；

代码如下：

view plain copy to clipboard print ?

/// <summary>
/// 将证书从证书存储区导出，并存储为pfx文件，同时为pfx文件指定打开的密码
/// 本函数同时也演示如何用公钥进行加密，私钥进行解密
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void btn_toPfxFile_Click(object sender, EventArgs e)
{
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection storecollection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in storecollection)
{
if (x509.Subject == "CN=luminji")
{
Debug.Print(string.Format("certificate name: {0}", x509.Subject));
byte[] pfxByte = x509.Export(X509ContentType.Pfx, "123");
using (FileStream fileStream = new FileStream("luminji.pfx", FileMode.Create))
{
// Write the data to the file, byte by byte.
for (int i = 0; i < pfxByte.Length; i++)
fileStream.WriteByte(pfxByte[i]);
// Set the stream position to the beginning of the file.
fileStream.Seek(0, SeekOrigin.Begin);
// Read and verify the data.
for (int i = 0; i < fileStream.Length; i++)
{
if (pfxByte[i] != fileStream.ReadByte())
{
Debug.Print("Error writing data.");
return;
}
}
fileStream.Close();
Debug.Print("The data was written to {0} " +
"and verified.", fileStream.Name);
}
string myname = "my name is luminji! and i love huzhonghua!";
string enStr = this.RSAEncrypt(x509.PublicKey.Key.ToXmlString(false), myname);
MessageBox.Show("密文是：" + enStr);
string deStr = this.RSADecrypt(x509.PrivateKey.ToXmlString(true), enStr);
MessageBox.Show("明文是：" + deStr);
}
}
store.Close();
store = null;
storecollection = null;
}
/// <summary>
/// 创建还有私钥的证书
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void btn_createPfx_Click(object sender, EventArgs e)
{
string MakeCert = "C:\\Program Files\\Microsoft Visual Studio 8\\SDK\\v2.0\\Bin\\makecert.exe";
string x509Name = "CN=luminji";
string param = " -pe -ss my -n \"" + x509Name + "\" " ;
Process p = Process.Start(MakeCert, param);
p.WaitForExit();
p.Close();
MessageBox.Show("over");
}
/// <summary>
/// 从pfx文件读取证书信息
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void btn_readFromPfxFile(object sender, EventArgs e)
{
X509Certificate2 pc = new X509Certificate2("luminji.pfx", "123");
MessageBox.Show("name:" + pc.SubjectName.Name);
MessageBox.Show("public:" + pc.PublicKey.ToString());
MessageBox.Show("private:" + pc.PrivateKey.ToString());
pc = null;
}
/// <summary>
/// RSA解密
/// </summary>
/// <param name="xmlPrivateKey"></param>
/// <param name="m_strDecryptString"></param>
/// <returns></returns>
public string RSADecrypt(string xmlPrivateKey, string m_strDecryptString)
{
RSACryptoServiceProvider provider = new RSACryptoServiceProvider();
provider.FromXmlString(xmlPrivateKey);
byte[] rgb = Convert.FromBase64String(m_strDecryptString);
byte[] bytes = provider.Decrypt(rgb, false);
return new UnicodeEncoding().GetString(bytes);
}
/// <summary>
/// RSA加密
/// </summary>
/// <param name="xmlPublicKey"></param>
/// <param name="m_strEncryptString"></param>
/// <returns></returns>
public string RSAEncrypt(string xmlPublicKey, string m_strEncryptString)
{
RSACryptoServiceProvider provider = new RSACryptoServiceProvider();
provider.FromXmlString(xmlPublicKey);
byte[] bytes = new UnicodeEncoding().GetBytes(m_strEncryptString);
return Convert.ToBase64String(provider.Encrypt(bytes, false));
}

/// <summary>         /// 将证书从证书存储区导出，并存储为pfx文件，同时为pfx文件指定打开的密码         /// 本函数同时也演示如何用公钥进行加密，私钥进行解密         /// </summary>         /// <param name="sender"></param>         /// <param name="e"></param>         private void btn_toPfxFile_Click(object sender, EventArgs e)         {             X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);             store.Open(OpenFlags.ReadWrite);             X509Certificate2Collection storecollection = (X509Certificate2Collection)store.Certificates;             foreach (X509Certificate2 x509 in storecollection)             {                 if (x509.Subject == "CN=luminji")                 {                     Debug.Print(string.Format("certificate name: {0}", x509.Subject));                     byte[] pfxByte = x509.Export(X509ContentType.Pfx, "123");                     using (FileStream  fileStream = new FileStream("luminji.pfx", FileMode.Create))                     {                         // Write the data to the file, byte by byte.                         for (int i = 0; i < pfxByte.Length; i++)                             fileStream.WriteByte(pfxByte[i]);                         // Set the stream position to the beginning of the file.                         fileStream.Seek(0, SeekOrigin.Begin);                         // Read and verify the data.                         for (int i = 0; i < fileStream.Length; i++)                         {                             if (pfxByte[i] != fileStream.ReadByte())                             {                                 Debug.Print("Error writing data.");                                 return;                             }                         }                         fileStream.Close();                         Debug.Print("The data was written to {0} " +                             "and verified.", fileStream.Name);                     }                     string myname = "my name is luminji! and i love huzhonghua!";                     string enStr = this.RSAEncrypt(x509.PublicKey.Key.ToXmlString(false), myname);                     MessageBox.Show("密文是：" + enStr);                     string deStr = this.RSADecrypt(x509.PrivateKey.ToXmlString(true), enStr);                     MessageBox.Show("明文是：" + deStr);                 }             }             store.Close();             store = null;             storecollection = null;         }         /// <summary>         /// 创建还有私钥的证书         /// </summary>         /// <param name="sender"></param>         /// <param name="e"></param>         private void btn_createPfx_Click(object sender, EventArgs e)         {             string MakeCert = "C:\\Program Files\\Microsoft Visual Studio 8\\SDK\\v2.0\\Bin\\makecert.exe";             string x509Name = "CN=luminji";             string param = " -pe -ss my -n \"" + x509Name + "\" " ;             Process p = Process.Start(MakeCert, param);             p.WaitForExit();             p.Close();             MessageBox.Show("over");         }         /// <summary>         /// 从pfx文件读取证书信息         /// </summary>         /// <param name="sender"></param>         /// <param name="e"></param>         private void btn_readFromPfxFile(object sender, EventArgs e)         {             X509Certificate2 pc = new X509Certificate2("luminji.pfx", "123");             MessageBox.Show("name:" + pc.SubjectName.Name);             MessageBox.Show("public:" + pc.PublicKey.ToString());             MessageBox.Show("private:" + pc.PrivateKey.ToString());             pc = null;         }         /// <summary>         /// RSA解密         /// </summary>         /// <param name="xmlPrivateKey"></param>         /// <param name="m_strDecryptString"></param>         /// <returns></returns>         public string RSADecrypt(string xmlPrivateKey, string m_strDecryptString)         {             RSACryptoServiceProvider provider = new RSACryptoServiceProvider();             provider.FromXmlString(xmlPrivateKey);             byte[] rgb = Convert.FromBase64String(m_strDecryptString);             byte[] bytes = provider.Decrypt(rgb, false);             return new UnicodeEncoding().GetString(bytes);         }         /// <summary>         /// RSA加密         /// </summary>         /// <param name="xmlPublicKey"></param>         /// <param name="m_strEncryptString"></param>         /// <returns></returns>         public string RSAEncrypt(string xmlPublicKey, string m_strEncryptString)         {             RSACryptoServiceProvider provider = new RSACryptoServiceProvider();             provider.FromXmlString(xmlPublicKey);             byte[] bytes = new UnicodeEncoding().GetBytes(m_strEncryptString);             return Convert.ToBase64String(provider.Encrypt(bytes, false));         }

上文是一个示例程序，一个完整的证书工具类如下：

view plain copy to clipboard print ?

·········10········20········30········40········50········60········70········80········90········100·······110·······120·······130·······140·······150

public sealed class DataCertificate
{
#region 生成证书
/// <summary>
/// 根据指定的证书名和makecert全路径生成证书（包含公钥和私钥，并保存在MY存储区）
/// </summary>
/// <param name="subjectName"></param>
/// <param name="makecertPath"></param>
/// <returns></returns>
public static bool CreateCertWithPrivateKey(string subjectName, string makecertPath)
{
subjectName = "CN=" + subjectName;
string param = " -pe -ss my -n \"" + subjectName + "\" ";
try
{
Process p = Process.Start(makecertPath, param);
p.WaitForExit();
p.Close();
}
catch (Exception e)
{
LogRecord.putErrorLog(e.ToString(), "DataCerficate.CreateCertWithPrivateKey");
return false;
}
return true;
}
#endregion
#region 文件导入导出
/// <summary>
/// 从WINDOWS证书存储区的个人MY区找到主题为subjectName的证书，
/// 并导出为pfx文件，同时为其指定一个密码
/// 并将证书从个人区删除(如果isDelFromstor为true)
/// </summary>
/// <param name="subjectName">证书主题，不包含CN=</param>
/// <param name="pfxFileName">pfx文件名</param>
/// <param name="password">pfx文件密码</param>
/// <param name="isDelFromStore">是否从存储区删除</param>
/// <returns></returns>
public static bool ExportToPfxFile(string subjectName, string pfxFileName,
string password, bool isDelFromStore)
{
subjectName = "CN=" + subjectName;
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection storecollection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in storecollection)
{
if (x509.Subject == subjectName)
{
Debug.Print(string.Format("certificate name: {0}", x509.Subject));
byte[] pfxByte = x509.Export(X509ContentType.Pfx, password);
using (FileStream fileStream = new FileStream(pfxFileName, FileMode.Create))
{
// Write the data to the file, byte by byte.
for (int i = 0; i < pfxByte.Length; i++)
fileStream.WriteByte(pfxByte[i]);
// Set the stream position to the beginning of the file.
fileStream.Seek(0, SeekOrigin.Begin);
// Read and verify the data.
for (int i = 0; i < fileStream.Length; i++)
{
if (pfxByte[i] != fileStream.ReadByte())
{
LogRecord.putErrorLog("Export pfx error while verify the pfx file!", "ExportToPfxFile");
fileStream.Close();
return false;
}
}
fileStream.Close();
}
if( isDelFromStore == true)
store.Remove(x509);
}
}
store.Close();
store = null;
storecollection = null;
return true;
}
/// <summary>
/// 从WINDOWS证书存储区的个人MY区找到主题为subjectName的证书，
/// 并导出为CER文件（即，只含公钥的）
/// </summary>
/// <param name="subjectName"></param>
/// <param name="cerFileName"></param>
/// <returns></returns>
public static bool ExportToCerFile(string subjectName, string cerFileName)
{
subjectName = "CN=" + subjectName;
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection storecollection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in storecollection)
{
if (x509.Subject == subjectName)
{
Debug.Print(string.Format("certificate name: {0}", x509.Subject));
//byte[] pfxByte = x509.Export(X509ContentType.Pfx, password);
byte[] cerByte = x509.Export(X509ContentType.Cert);
using (FileStream fileStream = new FileStream(cerFileName, FileMode.Create))
{
// Write the data to the file, byte by byte.
for (int i = 0; i < cerByte.Length; i++)
fileStream.WriteByte(cerByte[i]);
// Set the stream position to the beginning of the file.
fileStream.Seek(0, SeekOrigin.Begin);
// Read and verify the data.
for (int i = 0; i < fileStream.Length; i++)
{
if (cerByte[i] != fileStream.ReadByte())
{
LogRecord.putErrorLog("Export CER error while verify the CERT file!", "ExportToCERFile");
fileStream.Close();
return false;
}
}
fileStream.Close();
}
}
}
store.Close();
store = null;
storecollection = null;
return true;
}
#endregion
#region 从证书中获取信息
/// <summary>
/// 根据私钥证书得到证书实体，得到实体后可以根据其公钥和私钥进行加解密
/// 加解密函数使用DEncrypt的RSACryption类
/// </summary>
/// <param name="pfxFileName"></param>
/// <param name="password"></param>
/// <returns></returns>
public static X509Certificate2 GetCertificateFromPfxFile(string pfxFileName,
string password)
{
try
{
return new X509Certificate2(pfxFileName, password, X509KeyStorageFlags.Exportable);
}
catch (Exception e)
{
LogRecord.putErrorLog("get certificate from pfx" + pfxFileName + " error:" + e.ToString(),
"GetCertificateFromPfxFile");
return null;
}
}
/// <summary>
/// 到存储区获取证书
/// </summary>
/// <param name="subjectName"></param>
/// <returns></returns>
public static X509Certificate2 GetCertificateFromStore(string subjectName)
{
subjectName = "CN=" + subjectName;
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
X509Certificate2Collection storecollection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in storecollection)
{
if (x509.Subject == subjectName)
{
return x509;
}
}
store.Close();
store = null;
storecollection = null;
return null;
}
/// <summary>
/// 根据公钥证书，返回证书实体
/// </summary>
/// <param name="cerPath"></param>
public static X509Certificate2 GetCertFromCerFile(string cerPath)
{
try
{
return new X509Certificate2(cerPath);
}
catch (Exception e)
{
LogRecord.putErrorLog(e.ToString(), "DataCertificate.LoadStudentPublicKey");
return null;
}
}
#endregion
}