'Cannot find the requested object' exception while creating X509Certificate2 from string

耗尽温柔 submitted on 2019-12-01 14:45:26

Question


I am trying to create X509Certificate2 from string. Let me show an example:

string keyBase64String = Convert.ToBase64String(file.PKCS7);
var cert = new X509Certificate2(Convert.FromBase64String(keyBase64String));

and keyBase64String has content like this: "MIIF0QYJKoZI ........hvcNAQcCoIIFwjCCBb4CA0="

and file.PKCS7 is a byte array which I downloaded from the database.

I've got the following exception when creating X509Certificate2:

Cannot find the requested object

And the stack trace:

"Cannot find requested object" X509Certificate2 Exception "Cannot find requested object"}
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
   at WebApp.SoupController.d__7.MoveNext() in D:\Projects\WebApp\Controllers\SoupController.cs:line 118

Please tell me what I am doing wrong. Any help would be greatly appreciated!


Answer 1:


If file.PKCS7 represents a PKCS#7 SignedData blob (what gets produced from X509Certificate2(Collection).Export(X509ContentType.Pkcs7)) then there are two different ways of opening it:

  • new X509Certificate2(byte[])/new X509Certificate2(string)
    • The single certificate constructor will extract the signing certificate of the SignedData blob. If this was just being exported as a collection of certs, but not signing anything, there is no such certificate, and so it fails with Cannot find the original signer. (Win 2012r2, other versions could map it to a different string)
  • X509Certificate2Collection::Import(byte[])/X509Certificate2Collection::Import(string)
    • The collection import will consume all of the "extra" certificates, ignoring the signing certificate.

So if it's really PKCS#7 you likely want the collection Import (instance) method. If it isn't, you have some odd variable/field/property names.
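
The collection import described in the answer above, as an added example that is not part of the original thread: it checks the blob's type with X509Certificate2.GetCertContentType and uses X509Certificate2Collection.Import when the bytes are PKCS#7. The Pkcs7Loader class, the LoadCertificates name, and the self-signed sample certificate are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Pkcs7Loader   // hypothetical helper, not from the thread
{
    // Load every certificate carried in the blob, whatever its container type.
    public static X509Certificate2Collection LoadCertificates(byte[] blob)
    {
        var certs = new X509Certificate2Collection();
        X509ContentType type = X509Certificate2.GetCertContentType(blob);
        switch (type)
        {
            case X509ContentType.Pkcs7:
                // A certs-only SignedData blob has no signer for the single-certificate
                // constructor to extract; the collection import reads the embedded certs.
                certs.Import(blob);
                break;
            case X509ContentType.Cert:
                // A plain DER/PEM certificate loads with the single constructor.
                certs.Add(new X509Certificate2(blob));
                break;
            default:
                // PFX and other containers need a password or different handling.
                throw new CryptographicException("Unexpected content type: " + type);
        }
        return certs;
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate exported as a
        // certs-only PKCS#7 blob, standing in for the bytes read from the database.
        using (ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var req = new CertificateRequest("CN=pkcs7-demo", key, HashAlgorithmName.SHA256);
            using (X509Certificate2 selfSigned = req.CreateSelfSigned(
                DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            {
                byte[] pkcs7 = new X509Certificate2Collection(selfSigned)
                    .Export(X509ContentType.Pkcs7);
                foreach (X509Certificate2 cert in LoadCertificates(pkcs7))
                    Console.WriteLine(cert.Subject + "  " + cert.Thumbprint);
            }
        }
    }
}
```

Failing closed on any content type other than PKCS#7 or a single certificate keeps an unexpected blob (for example a PFX with a private key) from being silently accepted.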




Answer 2:


The constructor of X509Certificate2 expects to get the certificate file name, but you are giving it a key (X509Certificate2 Constructor (String))

I assume that keyBase64String is the certificate key, and that the certificate is installed on the machine that executes the code. Try this:

var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, keyBase64String , false);
//var certCollection = store.Certificates.Find(X509FindType.FindByKeyUsage, keyBase64String , false);
//var certCollection = store.Certificates.Find(X509FindType.FindBySubjectKeyIdentifier, keyBase64String , false);
var cert = certCollection[0];

You can also try FindByKeyUsage, FindBySubjectKeyIdentifier, or other types of X509FindType Enumeration



Source: https://stackoverflow.com/questions/44053426/cannot-find-the-requested-object-exception-while-creating-x509certificate2-fro
