// TODO Replace with something that returns a list of DerObjectIdentifier
public virtual IList GetExtendedKeyUsage()
{
Asn1OctetString str = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.37"));
if (str == null)
{
return(null);
}
try
{
Asn1Sequence seq = Asn1Sequence.GetInstance(
X509ExtensionUtilities.FromExtensionValue(str));
IList list = Platform.CreateArrayList();
foreach (DerObjectIdentifier oid in seq)
{
list.Add(oid.Id);
}
return(list);
}
catch (Exception e)
{
throw new CertificateParsingException("error processing extended key usage extension", e);
}
}
private X509Name loadCertificateIssuer()
{
if (!this.isIndirect)
{
return(null);
}
Asn1OctetString extensionValue = this.GetExtensionValue(X509Extensions.CertificateIssuer);
if (extensionValue == null)
{
return(this.previousCertificateIssuer);
}
try
{
GeneralName[] names = GeneralNames.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue)).GetNames();
for (int i = 0; i < names.Length; i++)
{
if (names[i].TagNo == 4)
{
return(X509Name.GetInstance(names[i].Name));
}
}
}
catch (Exception)
{
}
return(null);
}
protected virtual ICollection GetAlternativeNames(
string oid)
{
Asn1OctetString altNames = GetExtensionValue(new DerObjectIdentifier(oid));
if (altNames == null)
{
return(null);
}
Asn1Object asn1Object = X509ExtensionUtilities.FromExtensionValue(altNames);
GeneralNames gns = GeneralNames.GetInstance(asn1Object);
IList result = Platform.CreateArrayList();
foreach (GeneralName gn in gns.GetNames())
{
IList entry = Platform.CreateArrayList();
entry.Add(gn.TagNo);
entry.Add(gn.Name.ToString());
result.Add(entry);
}
return(result);
}
internal static Asn1Object GetExtensionValue(IX509Extension ext, DerObjectIdentifier oid)
{
Asn1OctetString extensionValue = ext.GetExtensionValue(oid);
if (extensionValue == null)
{
return(null);
}
return(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
/// <summary>
/// Get the value of an extension oid.
/// </summary>
private static Asn1Object GetExtensionValue(IX509Extension extension, DerObjectIdentifier oid)
{
Asn1OctetString asn1Octet = extension.GetExtensionValue(oid);
if (asn1Octet != null)
{
return(X509ExtensionUtilities.FromExtensionValue(asn1Octet));
}
return(null);
}
private long?GetCRLNumber(X509Crl crlEntry)
{
Asn1OctetString extensionValue = crlEntry.GetExtensionValue(X509Extensions.CrlNumber);
if (extensionValue == null)
{
return(null);
}
Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(extensionValue);
return(DerInteger.GetInstance(obj).PositiveValue.LongValue);
}
private long?GetCRLNumber(Org.BouncyCastle.X509.X509Crl crlEntry)
{
Asn1OctetString extValue = crlEntry.GetExtensionValue(X509Extensions.CrlNumber);
if (extValue != null)
{
Asn1Object asn1Value = X509ExtensionUtilities.FromExtensionValue(extValue);
return(DerInteger.GetInstance(asn1Value).PositiveValue.LongValue);
}
return(null);
}
private TrustAnchor GetTrustAnchor(string trustAnchorName)
{
X509Certificate cert = LoadCert(trustAnchorName);
Asn1OctetString extBytes = cert.GetExtensionValue(X509Extensions.NameConstraints);
if (extBytes != null)
{
Asn1Encodable extValue = X509ExtensionUtilities.FromExtensionValue(extBytes);
return(new TrustAnchor(cert, extValue.GetDerEncoded()));
}
return(new TrustAnchor(cert, null));
}
public X509Certificate(
X509CertificateStructure c)
{
this.c = c;
try
{
Asn1OctetString str = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.19"));
if (str != null)
{
basicConstraints = BasicConstraints.GetInstance(
X509ExtensionUtilities.FromExtensionValue(str));
}
}
catch (Exception e)
{
throw new CertificateParsingException("cannot construct BasicConstraints: " + e);
}
try
{
Asn1OctetString str = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.15"));
if (str != null)
{
DerBitString bits = DerBitString.GetInstance(
X509ExtensionUtilities.FromExtensionValue(str));
byte[] bytes = bits.GetBytes();
int length = (bytes.Length * 8) - bits.PadBits;
keyUsage = new bool[(length < 9) ? 9 : length];
for (int i = 0; i != length; i++)
{
// keyUsage[i] = (bytes[i / 8] & (0x80 >>> (i % 8))) != 0;
keyUsage[i] = (bytes[i / 8] & (0x80 >> (i % 8))) != 0;
}
}
else
{
keyUsage = null;
}
}
catch (Exception e)
{
throw new CertificateParsingException("cannot construct KeyUsage: " + e);
}
}
public static string GetCrlNumber(X509Crl crl)
{
Asn1OctetString extVal = crl.GetExtensionValue(X509Extensions.CrlNumber);
if (extVal == null)
{
return(null);
}
BigInteger cn = DerInteger.GetInstance(
X509ExtensionUtilities.FromExtensionValue(extVal)).PositiveValue;
return(cn.ToString());
}
public static string GetSubjectKeyIdentifierFromCertificate(X509Certificate certificate)
{
Asn1OctetString sujectKeyIdentifierValue = certificate.GetExtensionValue(X509Extensions.SubjectKeyIdentifier);
if (sujectKeyIdentifierValue != null)
{
var val = (Asn1OctetString)X509ExtensionUtilities.FromExtensionValue(sujectKeyIdentifierValue);
if (val != null)
{
return(Hex.ToHexString(new BigInteger(val.GetOctets()).ToByteArray()));
}
}
return(null);
}
private bool IsCA(X509Certificate certificate)
{
Asn1OctetString extension = certificate.GetExtensionValue(X509Extensions.BasicConstraints);
if (extension != null)
{
BasicConstraints constraint = BasicConstraints.GetInstance(
X509ExtensionUtilities.FromExtensionValue(extension));
if (constraint != null)
{
return(constraint.IsCA());
}
}
return(false);
}
public static bool VerifyCertificateSAN(System.Security.Cryptography.X509Certificates.X509Certificate certificate, string sni)
{
// check subject alternate name (must have exactly 1, equal to sni)
var x509 = DotNetUtilities.FromX509Certificate(certificate);
var sans = X509ExtensionUtilities.GetSubjectAlternativeNames(x509);
if (sans.Count != 1)
{
return(false);
}
var san = (System.Collections.IList)((System.Collections.IList)sans)[0];
var sniOK = san[0].Equals(GeneralName.DnsName) && san[1].Equals(sni);
// if subject matches sni and SAN is ok, return true
return(x509.SubjectDN.ToString() == $"CN={sni}" && sniOK);
}
private static List <String> GetCRLUrls(X509Certificate certificate)
{
var result = new List <string> ();
var crlDPExtension = certificate.GetExtensionValue(X509Extensions.CrlDistributionPoints);
if (crlDPExtension != null)
{
CrlDistPoint crlDistPoints = null;
try {
crlDistPoints = CrlDistPoint.GetInstance(X509ExtensionUtilities.FromExtensionValue(crlDPExtension));
} catch (IOException) {
// TODO: Log
}
if (crlDistPoints != null)
{
var distPoints = crlDistPoints.GetDistributionPoints();
foreach (var distPoint in distPoints)
{
var dpName = distPoint.DistributionPointName;
var generalNames = (GeneralNames)dpName.Name;
if (generalNames != null)
{
var generalNameArray = generalNames.GetNames();
foreach (var generalName in generalNameArray)
{
if (generalName.TagNo == GeneralName.UniformResourceIdentifier)
{
var derString = (IAsn1String)generalName.Name;
var uri = derString.GetString();
if (!string.IsNullOrEmpty(uri) && uri.StartsWith("http"))
{
result.Add(uri);
break;
}
}
}
}
}
}
}
return(result);
}
/// <summary>
/// Parse certificate for alternate name extension.
/// </summary>
private void Parse(byte[] data)
{
if (Oid.Value != Oids.SubjectAltName &&
Oid.Value != Oids.SubjectAltName2)
{
throw new FormatException("Extension has unknown oid.");
}
Uris.Clear();
DomainNames.Clear();
IPAddresses.Clear();
var altNames = new DerOctetString(data);
var altNamesObjects = X509ExtensionUtilities.FromExtensionValue(altNames);
var generalNames =
Org.BouncyCastle.Asn1.X509.GeneralNames.GetInstance(altNamesObjects);
foreach (var generalName in generalNames.GetNames())
{
switch (generalName.TagNo)
{
case Org.BouncyCastle.Asn1.X509.GeneralName.UniformResourceIdentifier:
Uris.Add(generalName.Name.ToString());
break;
case Org.BouncyCastle.Asn1.X509.GeneralName.DnsName:
DomainNames.Add(generalName.Name.ToString());
break;
case Org.BouncyCastle.Asn1.X509.GeneralName.IPAddress:
try {
var addr = Asn1OctetString
.GetInstance(generalName.Name)
.GetOctets();
IPAddresses.Add(new IPAddress(addr).ToString());
}
catch {
throw new FormatException(
"Certificate contains invalid IP address.");
}
break;
default:
break;
}
}
}
public void RevokeUserCertificate(string uid, string cid)
{
//get root cert
X509Certificate rootCert = DotNetUtilities.FromX509Certificate(getRootCert());
//get user cert to be revoked
UserCertificate userCert = GetUserCertificate(uid, cid);
X509Certificate certToRevoke = new X509CertificateParser().ReadCertificate(userCert.RawCertBody);
//parse the last CRL
X509CrlParser crlParser = new X509CrlParser();
FileStream fileStream = File.Open(_configuration["CrlPath"], FileMode.Open);
X509Crl rootCrl = crlParser.ReadCrl(fileStream);
fileStream.Close();
//extract the CRL number
Asn1OctetString prevCrlNum = rootCrl.GetExtensionValue(X509Extensions.CrlNumber);
Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(prevCrlNum);
BigInteger prevCrlNumVal = DerInteger.GetInstance(obj).PositiveValue;
//generate new CRL
X509V2CrlGenerator crlGenerator = new X509V2CrlGenerator();
crlGenerator.SetIssuerDN(rootCert.SubjectDN);
crlGenerator.SetThisUpdate(DateTime.UtcNow);
crlGenerator.SetNextUpdate(DateTime.UtcNow.AddDays(10));
crlGenerator.AddCrl(rootCrl); //add the old CRL entries
//add the newly revoked certificates
crlGenerator.AddCrlEntry(certToRevoke.SerialNumber, DateTime.UtcNow, CrlReason.PrivilegeWithdrawn);
//increment CRL Number by 1
crlGenerator.AddExtension("2.5.29.20", false, new CrlNumber(prevCrlNumVal.Add(BigInteger.One)));
AsymmetricKeyParameter bouncyCastlePrivateKey = PrivateKeyFactory.CreateKey(getRootPrivateKey().ExportPkcs8PrivateKey());
var sigFactory = new Asn1SignatureFactory("SHA256WITHECDSA", bouncyCastlePrivateKey);
X509Crl nextCrl = crlGenerator.Generate(sigFactory);
// writePem(_configuration["CrlOldPath"], rootCrl); // write old CRL as backup
writePem(_configuration["CrlPath"], nextCrl); //write new CRL
// sanity check
nextCrl.Verify(rootCert.GetPublicKey());
userCert.Revoked = true;
_context.UserCertificates.Update(userCert);
}
public void CopyAndAddExtension(DerObjectIdentifier oid, bool critical, X509Certificate cert)
{
Asn1OctetString extensionValue = cert.GetExtensionValue(oid);
if (extensionValue == null)
{
throw new CertificateParsingException(string.Concat((object)"extension ", (object)oid, (object)" not present"));
}
try
{
Asn1Encodable extensionValue2 = X509ExtensionUtilities.FromExtensionValue(extensionValue);
AddExtension(oid, critical, extensionValue2);
}
catch (global::System.Exception ex)
{
throw new CertificateParsingException(ex.get_Message(), ex);
}
}
public void CopyAndAddExtension(DerObjectIdentifier oid, bool critical, X509Certificate cert)
{
Asn1OctetString extensionValue = cert.GetExtensionValue(oid);
if (extensionValue == null)
{
throw new CertificateParsingException("extension " + oid + " not present");
}
try
{
Asn1Encodable extensionValue2 = X509ExtensionUtilities.FromExtensionValue(extensionValue);
AddExtension(oid, critical, extensionValue2);
}
catch (Exception ex)
{
throw new CertificateParsingException(ex.Message, ex);
}
}
protected virtual ICollection GetAlternativeNames(string oid)
{
Asn1OctetString extensionValue = this.GetExtensionValue(new DerObjectIdentifier(oid));
if (extensionValue == null)
{
return(null);
}
GeneralNames instance = GeneralNames.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
IList list = Platform.CreateArrayList();
foreach (GeneralName name in instance.GetNames())
{
IList list2 = Platform.CreateArrayList();
list2.Add(name.TagNo);
list2.Add(name.Name.ToString());
list.Add(list2);
}
return(list);
}
public X509Certificate(X509CertificateStructure c)
{
this.c = c;
try
{
Asn1OctetString extensionValue = GetExtensionValue(new DerObjectIdentifier("2.5.29.19"));
if (extensionValue != null)
{
basicConstraints = BasicConstraints.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
}
catch (Exception arg)
{
throw new CertificateParsingException("cannot construct BasicConstraints: " + arg);
IL_004c :;
}
try
{
Asn1OctetString extensionValue2 = GetExtensionValue(new DerObjectIdentifier("2.5.29.15"));
if (extensionValue2 != null)
{
DerBitString instance = DerBitString.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue2));
byte[] bytes = instance.GetBytes();
int num = bytes.Length * 8 - instance.PadBits;
keyUsage = new bool[(num >= 9) ? num : 9];
for (int i = 0; i != num; i++)
{
keyUsage[i] = ((bytes[i / 8] & (128 >> i % 8)) != 0);
}
}
else
{
keyUsage = null;
}
}
catch (Exception arg2)
{
throw new CertificateParsingException("cannot construct KeyUsage: " + arg2);
IL_0108 :;
}
}
protected virtual global::System.Collections.ICollection GetAlternativeNames(string oid)
{
Asn1OctetString extensionValue = GetExtensionValue(new DerObjectIdentifier(oid));
if (extensionValue == null)
{
return(null);
}
Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(extensionValue);
GeneralNames instance = GeneralNames.GetInstance(obj);
global::System.Collections.IList list = Platform.CreateArrayList();
GeneralName[] names = instance.GetNames();
foreach (GeneralName generalName in names)
{
global::System.Collections.IList list2 = Platform.CreateArrayList();
list2.Add((object)generalName.TagNo);
list2.Add((object)((object)generalName.Name).ToString());
list.Add((object)list2);
}
return((global::System.Collections.ICollection)list);
}
private static Asn1Sequence FromCertificate(X509Certificate certificate)
{
try
{
GeneralName name = new GeneralName(PrincipalUtilities.GetIssuerX509Principal(certificate));
if (certificate.Version == 3)
{
Asn1OctetString extensionValue = certificate.GetExtensionValue(X509Extensions.SubjectKeyIdentifier);
if (extensionValue != null)
{
Asn1OctetString asn1OctetString = (Asn1OctetString)X509ExtensionUtilities.FromExtensionValue(extensionValue);
return((Asn1Sequence) new AuthorityKeyIdentifier(asn1OctetString.GetOctets(), new GeneralNames(name), certificate.SerialNumber).ToAsn1Object());
}
}
SubjectPublicKeyInfo spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(certificate.GetPublicKey());
return((Asn1Sequence) new AuthorityKeyIdentifier(spki, new GeneralNames(name), certificate.SerialNumber).ToAsn1Object());
}
catch (Exception exception)
{
throw new CertificateParsingException("Exception extracting certificate details", exception);
}
}
public X509Certificate(X509CertificateStructure c)
{
this.c = c;
try
{
Asn1OctetString extensionValue = GetExtensionValue(new DerObjectIdentifier("2.5.29.19"));
if (extensionValue != null)
{
basicConstraints = BasicConstraints.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
}
catch (global::System.Exception ex)
{
throw new CertificateParsingException(string.Concat((object)"cannot construct BasicConstraints: ", (object)ex));
}
try
{
Asn1OctetString extensionValue2 = GetExtensionValue(new DerObjectIdentifier("2.5.29.15"));
if (extensionValue2 != null)
{
DerBitString instance = DerBitString.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue2));
byte[] bytes = instance.GetBytes();
int num = bytes.Length * 8 - instance.PadBits;
keyUsage = new bool[(num < 9) ? 9 : num];
for (int i = 0; i != num; i++)
{
keyUsage[i] = (bytes[i / 8] & (128 >> i % 8)) != 0;
}
}
else
{
keyUsage = null;
}
}
catch (global::System.Exception ex2)
{
throw new CertificateParsingException(string.Concat((object)"cannot construct KeyUsage: ", (object)ex2));
}
}
public X509Certificate(X509CertificateStructure c)
{
this.c = c;
try
{
Asn1OctetString extensionValue = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.19"));
if (extensionValue != null)
{
this.basicConstraints = BasicConstraints.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
}
catch (Exception arg)
{
throw new CertificateParsingException("cannot construct BasicConstraints: " + arg);
}
try
{
Asn1OctetString extensionValue2 = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.15"));
if (extensionValue2 != null)
{
DerBitString instance = DerBitString.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue2));
byte[] bytes = instance.GetBytes();
int num = bytes.Length * 8 - instance.PadBits;
this.keyUsage = new bool[(num < 9) ? 9 : num];
for (int num2 = 0; num2 != num; num2++)
{
this.keyUsage[num2] = (((int)bytes[num2 / 8] & 128 >> num2 % 8) != 0);
}
}
else
{
this.keyUsage = null;
}
}
catch (Exception arg2)
{
throw new CertificateParsingException("cannot construct KeyUsage: " + arg2);
}
}
public X509Certificate(X509CertificateStructure c)
{
this.c = c;
try
{
Asn1OctetString extensionValue = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.19"));
if (extensionValue != null)
{
this.basicConstraints = BasicConstraints.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
}
}
catch (Exception exception)
{
throw new CertificateParsingException("cannot construct BasicConstraints: " + exception);
}
try
{
Asn1OctetString extensionValue = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.15"));
if (extensionValue != null)
{
DerBitString instance = DerBitString.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
byte[] bytes = instance.GetBytes();
int num = (bytes.Length * 8) - instance.PadBits;
this.keyUsage = new bool[(num >= 9) ? num : 9];
for (int i = 0; i != num; i++)
{
this.keyUsage[i] = (bytes[i / 8] & (((int)0x80) >> (i % 8))) != 0;
}
}
else
{
this.keyUsage = null;
}
}
catch (Exception exception2)
{
throw new CertificateParsingException("cannot construct KeyUsage: " + exception2);
}
}
public virtual IList GetExtendedKeyUsage()
{
IList list2;
Asn1OctetString extensionValue = this.GetExtensionValue(new DerObjectIdentifier("2.5.29.37"));
if (extensionValue == null)
{
return(null);
}
try
{
Asn1Sequence instance = Asn1Sequence.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
IList list = Platform.CreateArrayList();
IEnumerator enumerator = instance.GetEnumerator();
try
{
while (enumerator.MoveNext())
{
DerObjectIdentifier current = (DerObjectIdentifier)enumerator.Current;
list.Add(current.Id);
}
}
finally
{
if (enumerator is IDisposable disposable)
{
IDisposable disposable;
disposable.Dispose();
}
}
list2 = list;
}
catch (Exception exception)
{
throw new CertificateParsingException("error processing extended key usage extension", exception);
}
return(list2);
}
protected virtual ICollection GetAlternativeNames(string oid)
{
Asn1OctetString extensionValue = this.GetExtensionValue(new DerObjectIdentifier(oid));
if (extensionValue == null)
{
return(null);
}
Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(extensionValue);
GeneralNames instance = GeneralNames.GetInstance(obj);
IList list = Platform.CreateArrayList();
GeneralName[] names = instance.GetNames();
for (int i = 0; i < names.Length; i++)
{
GeneralName generalName = names[i];
IList list2 = Platform.CreateArrayList();
list2.Add(generalName.TagNo);
list2.Add(generalName.Name.ToString());
list.Add(list2);
}
return(list);
}
public virtual global::System.Collections.IList GetExtendedKeyUsage()
{
Asn1OctetString extensionValue = GetExtensionValue(new DerObjectIdentifier("2.5.29.37"));
if (extensionValue == null)
{
return(null);
}
try
{
Asn1Sequence instance = Asn1Sequence.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue));
global::System.Collections.IList list = Platform.CreateArrayList();
global::System.Collections.IEnumerator enumerator = instance.GetEnumerator();
try
{
while (enumerator.MoveNext())
{
DerObjectIdentifier derObjectIdentifier = (DerObjectIdentifier)enumerator.get_Current();
list.Add((object)derObjectIdentifier.Id);
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
return(list);
}
catch (global::System.Exception exception)
{
throw new CertificateParsingException("error processing extended key usage extension", exception);
}
}
/// <inheritdoc/>
public async Task <(X509Certificate Certificate, RsaKeyParameters Key)> GetLocalCertificateAsync(ApplicationDescription applicationDescription, ILogger logger = null)
{
string applicationUri = applicationDescription.ApplicationUri;
if (string.IsNullOrEmpty(applicationUri))
{
throw new ArgumentOutOfRangeException(nameof(applicationDescription), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
}
string subjectName = null;
string hostName = null;
string appName = null;
UriBuilder appUri = new UriBuilder(applicationUri);
if (appUri.Scheme == "http" && !string.IsNullOrEmpty(appUri.Host))
{
var path = appUri.Path.Trim('/');
if (!string.IsNullOrEmpty(path))
{
hostName = appUri.Host;
appName = path;
subjectName = $"CN={appName},DC={hostName}";
}
}
if (appUri.Scheme == "urn")
{
var parts = appUri.Path.Split(new[] { ':' }, 2);
if (parts.Length == 2)
{
hostName = parts[0];
appName = parts[1];
subjectName = $"CN={appName},DC={hostName}";
}
}
if (subjectName == null)
{
throw new ArgumentOutOfRangeException(nameof(applicationDescription), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
}
var crt = default(X509Certificate);
var key = default(RsaKeyParameters);
// Build 'own/certs' certificate store.
var ownCerts = new Org.BouncyCastle.Utilities.Collections.HashSet();
var ownCertsInfo = new DirectoryInfo(Path.Combine(this.pkiPath, "own", "certs"));
if (ownCertsInfo.Exists)
{
foreach (var info in ownCertsInfo.EnumerateFiles())
{
using (var crtStream = info.OpenRead())
{
var c = this.certParser.ReadCertificate(crtStream);
if (c != null)
{
ownCerts.Add(c);
}
}
}
}
IX509Store ownCertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(ownCerts));
// Select the newest certificate that matches by subject name.
var selector = new X509CertStoreSelector()
{
Subject = new X509Name(subjectName)
};
crt = ownCertStore.GetMatches(selector).OfType <X509Certificate>().OrderBy(c => c.NotBefore).LastOrDefault();
if (crt != null)
{
// If certificate found, verify alt-name, and retrieve private key.
var asn1OctetString = crt.GetExtensionValue(X509Extensions.SubjectAlternativeName);
if (asn1OctetString != null)
{
var asn1Object = X509ExtensionUtilities.FromExtensionValue(asn1OctetString);
GeneralNames gns = GeneralNames.GetInstance(asn1Object);
if (gns.GetNames().Any(n => n.TagNo == GeneralName.UniformResourceIdentifier && n.Name.ToString() == applicationUri))
{
var ki = new FileInfo(Path.Combine(this.pkiPath, "own", "private", $"{crt.SerialNumber}.key"));
if (ki.Exists)
{
using (var keyStream = new StreamReader(ki.OpenRead()))
{
var keyReader = new PemReader(keyStream);
var keyPair = keyReader.ReadObject() as AsymmetricCipherKeyPair;
if (keyPair != null)
{
key = keyPair.Private as RsaKeyParameters;
}
}
}
}
}
}
// If certificate and key are found, return to caller.
if (crt != null && key != null)
{
logger?.LogTrace($"Found certificate with subject alt name '{applicationUri}'.");
return(crt, key);
}
if (!this.CreateLocalCertificateIfNotExist)
{
return(null, null);
}
// Create new certificate
var subjectDN = new X509Name(subjectName);
// Create a keypair.
var kp = await Task.Run <AsymmetricCipherKeyPair>(() =>
{
RsaKeyPairGenerator kg = new RsaKeyPairGenerator();
kg.Init(new KeyGenerationParameters(this.rng, 2048));
return(kg.GenerateKeyPair());
});
key = kp.Private as RsaPrivateCrtKeyParameters;
// Create a certificate.
X509V3CertificateGenerator cg = new X509V3CertificateGenerator();
var subjectSN = BigInteger.ProbablePrime(120, this.rng);
cg.SetSerialNumber(subjectSN);
cg.SetSubjectDN(subjectDN);
cg.SetIssuerDN(subjectDN);
cg.SetNotBefore(DateTime.Now.Date.ToUniversalTime());
cg.SetNotAfter(DateTime.Now.Date.ToUniversalTime().AddYears(25));
cg.SetPublicKey(kp.Public);
cg.AddExtension(
X509Extensions.BasicConstraints.Id,
true,
new BasicConstraints(false));
cg.AddExtension(
X509Extensions.SubjectKeyIdentifier.Id,
false,
new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public)));
cg.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subjectDN)), subjectSN));
cg.AddExtension(
X509Extensions.SubjectAlternativeName,
false,
new GeneralNames(new[] { new GeneralName(GeneralName.UniformResourceIdentifier, applicationUri), new GeneralName(GeneralName.DnsName, hostName) }));
cg.AddExtension(
X509Extensions.KeyUsage,
true,
new KeyUsage(KeyUsage.DataEncipherment | KeyUsage.DigitalSignature | KeyUsage.NonRepudiation | KeyUsage.KeyCertSign | KeyUsage.KeyEncipherment));
cg.AddExtension(
X509Extensions.ExtendedKeyUsage,
true,
new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth, KeyPurposeID.IdKPServerAuth));
crt = cg.Generate(new Asn1SignatureFactory("SHA256WITHRSA", key, this.rng));
logger?.LogTrace($"Created certificate with subject alt name '{applicationUri}'.");
var keyInfo = new FileInfo(Path.Combine(this.pkiPath, "own", "private", $"{crt.SerialNumber}.key"));
if (!keyInfo.Directory.Exists)
{
Directory.CreateDirectory(keyInfo.DirectoryName);
}
else if (keyInfo.Exists)
{
keyInfo.Delete();
}
using (var keystream = new StreamWriter(keyInfo.OpenWrite()))
{
var pemwriter = new PemWriter(keystream);
pemwriter.WriteObject(key);
}
var crtInfo = new FileInfo(Path.Combine(this.pkiPath, "own", "certs", $"{crt.SerialNumber}.crt"));
if (!crtInfo.Directory.Exists)
{
Directory.CreateDirectory(crtInfo.DirectoryName);
}
else if (crtInfo.Exists)
{
crtInfo.Delete();
}
using (var crtstream = new StreamWriter(crtInfo.OpenWrite()))
{
var pemwriter = new PemWriter(crtstream);
pemwriter.WriteObject(crt);
}
return(crt, key);
}
/// <summary>
/// Decides if the given attribute certificate should be selected.
/// </summary>
/// <param name="obj">The attribute certificate to be checked.</param>
/// <returns><code>true</code> if the object matches this selector.</returns>
public bool Match(
object obj)
{
if (obj == null)
{
throw new ArgumentNullException("obj");
}
IX509AttributeCertificate attrCert = obj as IX509AttributeCertificate;
if (attrCert == null)
{
return(false);
}
if (this.attributeCert != null && !this.attributeCert.Equals(attrCert))
{
return(false);
}
if (serialNumber != null && !attrCert.SerialNumber.Equals(serialNumber))
{
return(false);
}
if (holder != null && !attrCert.Holder.Equals(holder))
{
return(false);
}
if (issuer != null && !attrCert.Issuer.Equals(issuer))
{
return(false);
}
if (attributeCertificateValid != null && !attrCert.IsValid(attributeCertificateValid.Value))
{
return(false);
}
if (targetNames.Count > 0 || targetGroups.Count > 0)
{
Asn1OctetString targetInfoExt = attrCert.GetExtensionValue(
X509Extensions.TargetInformation);
if (targetInfoExt != null)
{
TargetInformation targetinfo;
try
{
targetinfo = TargetInformation.GetInstance(
X509ExtensionUtilities.FromExtensionValue(targetInfoExt));
}
catch (Exception)
{
return(false);
}
Targets[] targetss = targetinfo.GetTargetsObjects();
if (targetNames.Count > 0)
{
bool found = false;
for (int i = 0; i < targetss.Length && !found; i++)
{
Target[] targets = targetss[i].GetTargets();
for (int j = 0; j < targets.Length; j++)
{
GeneralName targetName = targets[j].TargetName;
if (targetName != null && targetNames.Contains(targetName))
{
found = true;
break;
}
}
}
if (!found)
{
return(false);
}
}
if (targetGroups.Count > 0)
{
bool found = false;
for (int i = 0; i < targetss.Length && !found; i++)
{
Target[] targets = targetss[i].GetTargets();
for (int j = 0; j < targets.Length; j++)
{
GeneralName targetGroup = targets[j].TargetGroup;
if (targetGroup != null && targetGroups.Contains(targetGroup))
{
found = true;
break;
}
}
}
if (!found)
{
return(false);
}
}
}
}
return(true);
}
