我有一些可运行的C#代码可用于某些Windows API调用(基于my Get-CertificatePath.ps1 PowerShell script),但F#版本失败。我确定我缺少了一些东西,很可能是一个属性,但是我还没弄清楚。
有没有办法使F#版本正常工作?
使用csi.exe Chocolatey软件包中的microsoft-build-tools运行。
using System;
using System.Diagnostics.CodeAnalysis;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using Microsoft.Win32.SafeHandles;
public static class CryptoApi
{
[DllImport("crypt32.dll")]
internal static extern SafeNCryptKeyHandle CertDuplicateCertificateContext(IntPtr certContext); // CERT_CONTEXT *
[DllImport("crypt32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
internal static extern bool
CryptAcquireCertificatePrivateKey(SafeNCryptKeyHandle pCert,
uint dwFlags,
IntPtr pvReserved, // void *
[Out] out SafeNCryptKeyHandle phCryptProvOrNCryptKey,
[Out] out int dwKeySpec,
[Out, MarshalAs(UnmanagedType.Bool)] out bool pfCallerFreeProvOrNCryptKey);
[SecurityCritical]
[SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)]
public static string GetCngUniqueKeyContainerName(X509Certificate2 certificate)
{
SafeNCryptKeyHandle privateKey = null;
int keySpec = 0;
bool freeKey = true;
CryptAcquireCertificatePrivateKey(CertDuplicateCertificateContext(certificate.Handle),
0x00040000, // AcquireOnlyNCryptKeys
IntPtr.Zero, out privateKey, out keySpec, out freeKey);
return CngKey.Open(privateKey, CngKeyHandleOpenOptions.None).UniqueName;
}
}
X509Certificate2 getMyCert(string subject)
{
using(var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.OpenExistingOnly);
var certs = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
Console.WriteLine("found {0} certs", certs.Count);
store.Close();
return certs[0];
}
}
var cert = getMyCert("localhost");
Console.WriteLine("private key? {0}", cert.HasPrivateKey);
Console.WriteLine("key name: {0}", CryptoApi.GetCngUniqueKeyContainerName(cert));
输出为:
found 1 certs
private key? True
key name: 32fd60███████████████████████████████████-████-████-████-████████████
使用dotnet fsi(版本3.1.100;截至本文发布时的Chocolatey软件包dotnetcore)运行。
#load ".paket/load/netstandard2.1/System.Security.Cryptography.Cng.fsx"
#load ".paket/load/netstandard2.1/System.Security.Cryptography.X509Certificates.fsx"
open System
open System.Diagnostics.CodeAnalysis
open System.Runtime.ConstrainedExecution
open System.Runtime.InteropServices
open System.Security
open System.Security.Cryptography
open System.Security.Cryptography.X509Certificates
open System.Security.Permissions
open Microsoft.Win32.SafeHandles
type CryptoApi () =
[<DllImport("crypt32.dll", CallingConvention = CallingConvention.Cdecl)>]
static extern SafeNCryptKeyHandle internal CertDuplicateCertificateContext(IntPtr certContext) // CERT_CONTEXT *
[<DllImport("crypt32.dll", CallingConvention = CallingConvention.Cdecl, SetLastError = true)>]
static extern [<MarshalAs(UnmanagedType.Bool)>] bool internal
CryptAcquireCertificatePrivateKey(SafeNCryptKeyHandle pCert,
uint32 dwFlags,
IntPtr pvReserved, // void *
SafeNCryptKeyHandle& phCryptProvOrNCryptKey,
int& dwKeySpec,
[<MarshalAs(UnmanagedType.Bool)>] bool& pfCallerFreeProvOrNCryptKey)
[<SecurityCritical>]
[<SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)>]
static member GetCngUniqueKeyContainerName (certificate : X509Certificate2) =
let mutable privateKey : SafeNCryptKeyHandle = null
let mutable keySpec = 0
let mutable freeKey = true
CryptAcquireCertificatePrivateKey(CertDuplicateCertificateContext(certificate.Handle),
0x00040000u, // AcquireOnlyNCryptKeys
IntPtr.Zero, &privateKey, &keySpec, &freeKey) |> ignore
CngKey.Open(privateKey, CngKeyHandleOpenOptions.None).UniqueName
let getMyCert subject =
use store = new X509Store(StoreName.My, StoreLocation.CurrentUser)
store.Open(OpenFlags.OpenExistingOnly)
let certs = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false)
printfn "found %d certs" certs.Count
store.Close()
certs.[0]
let cert = getMyCert "localhost"
printfn "private key? %b" cert.HasPrivateKey
CryptoApi.GetCngUniqueKeyContainerName(cert) |> printfn "%s"
输出为:
found 1 certs
private key? true
System.ArgumentNullException: SafeHandle cannot be null. (Parameter 'pHandle')
at System.StubHelpers.StubHelpers.SafeHandleAddRef(SafeHandle pHandle, Boolean& success)
at System.StubHelpers.StubHelpers.AddToCleanupList(CleanupWorkListElement& pCleanupWorkList, SafeHandle handle)
at FSI_0003.CryptoApi.CryptAcquireCertificatePrivateKey(SafeNCryptKeyHandle pCert, UInt32 dwFlags, IntPtr pvReserved, SafeNCryptKeyHandle& phCryptProvOrNCryptKey, Int32& dwKeySpec, Boolean& pfCallerFreeProvOrNCryptKey)
at FSI_0003.CryptoApi.GetCngUniqueKeyContainerName(X509Certificate2 certificate)
at <StartupCode$FSI_0003>.$FSI_0003.main@()
Stopped due to error
要使上述.fsx文件正常工作,然后运行paket install,这是必需的。
generate_load_scripts: true
source https://api.nuget.org/v3/index.json
storage: none
framework: netcore3.0, netstandard2.0, netstandard2.1
nuget System.Security.Cryptography.Cng
nuget System.Security.Cryptography.X509Certificates
编辑:初始化let mutable privateKey = new SafeNCryptKeyHandle ()似乎可以解决此问题。
答案 0 :(得分:2)
看起来您有一个参数传递了一个不能为null的null。跳到我身上的就是这个。
let mutable privateKey : SafeNCryptKeyHandle = null
这应该是一个新对象吗?
答案 1 :(得分:2)
您似乎需要声明与this document对应的函数参数的引用类型。
这里也是@phoog的答案中的sample。
在F#中使用byref /在C#中使用ref需要初始化,请尝试使用
let mutable privateKey : SafeNCryptKeyHandle = new SafeNCryptKeyHandle()
更新:
整个样本:
open System
open System.Diagnostics.CodeAnalysis
open System.Runtime.ConstrainedExecution
open System.Runtime.InteropServices
open System.Security
open System.Security.Cryptography
open System.Security.Cryptography.X509Certificates
open System.Security.Permissions
open Microsoft.Win32.SafeHandles
type CryptoApi () =
[<DllImport("crypt32.dll", CallingConvention = CallingConvention.Cdecl)>]
static extern SafeNCryptKeyHandle internal CertDuplicateCertificateContext(IntPtr certContext) // CERT_CONTEXT *
[<DllImport("crypt32.dll", CallingConvention = CallingConvention.Cdecl, SetLastError = true)>]
static extern [<MarshalAs(UnmanagedType.Bool)>] bool internal
CryptAcquireCertificatePrivateKey(SafeNCryptKeyHandle pCert,
uint32 dwFlags,
IntPtr pvReserved, // void *
SafeNCryptKeyHandle& phCryptProvOrNCryptKey,
int& dwKeySpec,
[<MarshalAs(UnmanagedType.Bool)>] bool& pfCallerFreeProvOrNCryptKey)
[<SecurityCritical>]
[<SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)>]
static member GetCngUniqueKeyContainerName (certificate : X509Certificate2) =
let mutable privateKey : SafeNCryptKeyHandle = new SafeNCryptKeyHandle()
let mutable keySpec = 0
let mutable freeKey = true
CryptAcquireCertificatePrivateKey(CertDuplicateCertificateContext(certificate.Handle),
0x00040000u, // AcquireOnlyNCryptKeys
IntPtr.Zero, &privateKey, &keySpec, &freeKey) |> ignore
CngKey.Open(privateKey, CngKeyHandleOpenOptions.None).UniqueName
let getMyCert subject =
use store = new X509Store(StoreName.My, StoreLocation.CurrentUser)
store.Open(OpenFlags.OpenExistingOnly)
let certs = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false)
printfn "found %d certs" certs.Count
store.Close()
certs.[0]
let cert = getMyCert "localhost"
printfn "private key? %b" cert.HasPrivateKey
CryptoApi.GetCngUniqueKeyContainerName(cert) |> printfn "%s"
答案 2 :(得分:1)
即使OP具有解决方法,我仍想知道为什么F#代码崩溃。在使用dnspy进行了一些深入研究之后,我发现互操作函数有细微的差别。
首先,F#互操作代码中存在一个错误,即应使用winapi而不是cdecl来调用conventon。但是,修复该错误并不能解决问题。
似乎有所不同的是C#互操作函数out参数被标记为out。
.method assembly hidebysig static pinvokeimpl("crypt32.dll" lasterr winapi)
bool marshal(bool) CryptAcquireCertificatePrivateKey (
class [System.Security.Cryptography.Cng]Microsoft.Win32.SafeHandles.SafeNCryptKeyHandle pCert,
uint32 dwFlags,
native int pvReserved,
[out] class [System.Security.Cryptography.Cng]Microsoft.Win32.SafeHandles.SafeNCryptKeyHandle& phCryptProvOrNCryptKey,
[out] int32& dwKeySpec,
[out] bool& marshal(bool) pfCallerFreeProvOrNCryptKey
) cil managed preservesig
在F#中,它们是ref:
.method assembly static pinvokeimpl("crypt32.dll" lasterr cdecl)
bool CryptAcquireCertificatePrivateKey (
class [System.Security.Cryptography.Cng]Microsoft.Win32.SafeHandles.SafeNCryptKeyHandle pCert,
uint32 dwFlags,
native int pvReserved,
class [System.Security.Cryptography.Cng]Microsoft.Win32.SafeHandles.SafeNCryptKeyHandle& phCryptProvOrNCryptKey,
int32& dwKeySpec,
bool& pfCallerFreeProvOrNCryptKey
) cil managed preservesig
如果我更改F#代码以调用C#互操作函数,那么它对我有用。对我而言,这意味着抖动会增加验证,以确保如果它是SafeHandle参数,则不会传递空ref,如果它是out,则不会传递空。
我试图将[Out]属性添加到F#互操作函数,但是它们似乎已被丢弃(也请注意,F#已丢弃[<MarshalAs(UnmanagedType.Bool)>])。也许有一些方法可以做到,但是F# documentation在这方面相当简洁。
使用outref<_>:s无法编译。
我还检查了F#解析器代码,以查看是否可以找到添加out属性的某种方式,但是可惜,我看不到这样做的方式:https://github.com/dotnet/fsharp/blob/master/src/fsharp/pars.fsy#L2558
但是我确实理解了为什么outref<_>不起作用,因为cType解析器仅支持非常有限的类型。
我认为创建F#问题应该是一个合理的下一步。希望这只是一个文档问题。