25

I am trying to create X509Certificate2 from string. Let me show an example:

string keyBase64String = Convert.ToBase64String(file.PKCS7);
var cert = new X509Certificate2(Convert.FromBase64String(keyBase64String));

and keyBase64String has content like this: "MIIF0QYJKoZI ........hvcNAQcCoIIFwjCCBb4CA0="

and file.PKCS7 is a byte array which I downloaded from the database.

I've got the following exception when creating X509Certificate2:

Cannot find the requested object

And the stack trace:

"Cannot find requested object" X509Certificate2 Exception "Cannot find requested object"
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
   at WebApp.SoupController.d__7.MoveNext() in D:\Projects\WebApp\Controllers\SoupController.cs:line 118

Please tell me what I am doing wrong. Any help would be greatly appreciated!

StepUp

2 Answers

5

If file.PKCS7 represents a PKCS#7 SignedData blob (what gets produced from X509Certificate2.Export(X509ContentType.Pkcs7) or X509Certificate2Collection.Export(X509ContentType.Pkcs7)) then there are two different ways of opening it:

  • new X509Certificate2(byte[])/new X509Certificate2(string)
    • The single certificate constructor will extract the signing certificate of the SignedData blob. If this was just being exported as a collection of certs, but not signing anything, there is no such certificate, and so it fails with Cannot find the original signer. (Win 2012r2, other versions could map it to a different string)
  • X509Certificate2Collection::Import(byte[])/X509Certificate2Collection::Import(string)
    • The collection import will consume all of the "extra" certificates, ignoring the signing certificate.

So if it's really PKCS#7 you likely want the collection Import (instance) method. If it isn't, you have some odd variable/field/property names.

bartonjs
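To make the two loading paths from this answer concrete, here is an added example (not code from the question or the answer) that builds a PKCS#7 bundle of two throwaway self-signed certificates, shows the single-certificate constructor failing on it, and then loads it through the collection Import. It assumes .NET Core 2.0+ or .NET 5+ for CertificateRequest; the helper LoadAny and the subject names are constructed for the demo, and the exact exception text varies by platform.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Pkcs7Demo
{
    // Pick the loader from the blob's actual layout instead of guessing (demo helper).
    static X509Certificate2Collection LoadAny(byte[] rawData)
    {
        var certs = new X509Certificate2Collection();
        X509ContentType type = X509Certificate2.GetCertContentType(rawData);
        if (type == X509ContentType.Pkcs7)
            certs.Import(rawData);          // reads every cert bundled in the SignedData
        else if (type == X509ContentType.Cert)
            certs.Add(new X509Certificate2(rawData));
        else
            throw new CryptographicException("Unexpected content type: " + type);
        return certs;
    }

    // Constructed test certificate; subject names are arbitrary.
    static X509Certificate2 SelfSigned(string subject)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        var bundle = new X509Certificate2Collection { SelfSigned("CN=demo-one"), SelfSigned("CN=demo-two") };
        // PKCS#7 export: a SignedData container that carries certs but signs nothing.
        byte[] p7 = bundle.Export(X509ContentType.Pkcs7);

        try
        {
            var single = new X509Certificate2(p7);   // looks for the signer certificate; there is none
            Console.WriteLine("Single-cert constructor returned " + single.Subject);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Single-cert constructor failed: " + ex.Message);
        }

        X509Certificate2Collection loaded = LoadAny(p7);
        Console.WriteLine("Collection import recovered " + loaded.Count + " certificate(s)");
        foreach (X509Certificate2 c in loaded) Console.WriteLine("  " + c.Subject);
    }
}
```

GetCertContentType is a cheap first check to run on a blob pulled from a database before choosing a constructor, since the single-certificate path and the collection path fail in different ways.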
-1

The constructor of X509Certificate2 expects to get the certificate file name, but you are giving it a key (X509Certificate2 Constructor (String))

I assume that keyBase64String is the certificate key, and that the certificate is installed on the machine that executes the code. Try this:

using System.Security.Cryptography.X509Certificates;

// Open the local machine's personal store read-only
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// Look the certificate up by thumbprint (validOnly: false also returns expired/untrusted certs)
var certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, keyBase64String, false);
// Throws if nothing was found, because the collection is then empty
var cert = certCollection[0];
store.Close();

You can also try FindByKeyUsage, FindBySubjectKeyIdentifier, or other values of the X509FindType enumeration

H.Sarxha
    I've got an exception `Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index`. Maybe we should put the certificate into `X509Store`? – StepUp May 19 '17 at 06:29
  • Yes, you would need to add your certificate to the certificate store you try to access using the Find method, as noted in the answer. If the certificate has not been found, the returned collection is empty and therefore the exception occurs. – Michael Beck May 19 '17 at 07:02
  • @MichaelBeck How can I add the certificate to the certificate store? I am just downloading it from the SQL Server. – StepUp May 19 '17 at 07:39
  • 4
    There is a constructor for `X509Certificate2` that receives a byte array (representing the certificate) as parameter, see the MSDN [X509Certificate 2 Constructor](https://msdn.microsoft.com/en-us/library/ms148413(v=vs.110).aspx) - after that you could add the certificate to the store (see [X509Store.Add](https://msdn.microsoft.com/de-de/library/ms148583(v=vs.110).aspx)) if that is what you need; but you could also directly use the certificate, depending on your requirements. – Michael Beck May 19 '17 at 07:46