public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate,
SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
if (subject == null)
{
throw new ArgumentNullException(nameof(subject));
}
if (signatureAlgorithm == null)
{
throw new ArgumentNullException(nameof(signatureAlgorithm));
}
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate);
var subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));
var subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID));
var algorithm = GetAlgorithm(signatureAlgorithm);
// selfsign certificate
var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random));
return(ExportCertificate(certificate, subjectKeyPair, certificateFormat));
}
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate,
DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
if (subject == null)
{
throw new ArgumentNullException(nameof(subject));
}
if (issuer == null)
{
throw new ArgumentNullException(nameof(issuer));
}
if (signatureAlgorithm == null)
{
throw new ArgumentNullException(nameof(issuer));
}
if (!(issuer.PrivateKey is AsymmetricKeyParameter privateKey))
{
return(null);
}
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate);
var subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
var algorithm = GetAlgorithm(signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));
var subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
if (issuer.SubjectKeyID != null)
{
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID));
}
//if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0))
//{
// certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false));
// //SubjectAlternativeName
// //GeneralName.DirectoryName
// //GeneralName.IPAddress
//}
var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random));
return(ExportCertificate(certificate, subjectKeyPair, certificateFormat));
}
private static string GetAlgorithm(SignatureHashAlgorithm signatureAlgorithm)
{
// eg "SHA256WithRSA", "SHA224WithECDSA",;
StringBuilder result = new StringBuilder();
result.Append(signatureAlgorithm.Hash.ToString());
result.Append("With");
result.Append(signatureAlgorithm.Signature.ToString());
return(result.ToString());
}
private static string GetAlgorithm(SignatureHashAlgorithm signatureAlgorithm)
{
if (signatureAlgorithm == null)
{
throw new ArgumentNullException(nameof(signatureAlgorithm));
}
// eg "SHA256WithRSA", "SHA224WithECDSA",;
var result = new StringBuilder();
result.Append(signatureAlgorithm.Hash.ToString());
result.Append("With");
result.Append(signatureAlgorithm.Signature.ToString());
return(result.ToString());
}
private static AsymmetricCipherKeyPair GenerateKeys(X509V3CertificateGenerator certificateGenerator, SecureRandom random, SignatureHashAlgorithm signatureAlgorithm)
{
AsymmetricCipherKeyPair result = null;
switch (signatureAlgorithm.Signature)
{
case TSignatureAlgorithm.Anonymous:
break;
case TSignatureAlgorithm.RSA:
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048);
RsaKeyPairGenerator rsaKeyPairGenerator = new RsaKeyPairGenerator();
rsaKeyPairGenerator.Init(keyGenerationParameters);
result = rsaKeyPairGenerator.GenerateKeyPair();
break;
case TSignatureAlgorithm.DSA:
break;
case TSignatureAlgorithm.ECDSA:
//ECDomainParameters ellipticCurveParameters = EllipticCurveFactory.GetEllipticCurveParameters(TEllipticCurve.secp256r1);
ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator();
//keyPairGenerator.Init(new ECKeyGenerationParameters(ellipticCurveParameters, random));
keyPairGenerator.Init(new ECKeyGenerationParameters(Org.BouncyCastle.Asn1.Sec.SecObjectIdentifiers.SecP256r1, random));
result = keyPairGenerator.GenerateKeyPair();
//certificateGenerator.AddExtension(X509Extensions.SubjectPublicKeyInfo)
//PrivateKey = (ECPrivateKeyParameters)keys.Private;
//PublicKey = (ECPublicKeyParameters)keys.Public;
break;
default:
break;
}
certificateGenerator.SetPublicKey(result.Public);
return result;
}
public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
byte[] result = null;
SecureRandom random = Porthelp.CreateSecureRandom();
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate);
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));
byte[] subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID));
string algorithm = GetAlgorithm(signatureAlgorithm);
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random));
result = ExportCertificate(certificate, subjectKeyPair, certificateFormat);
return(result);
}
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
byte[] result = null;
AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter;
if (privateKey != null)
{
SecureRandom random = Porthelp.CreateSecureRandom();
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate);
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
string algorithm = GetAlgorithm(signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));
byte[] subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
if (issuer.SubjectKeyID != null)
{
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID));
}
//if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0))
//{
// certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false));
// //SubjectAlternativeName
// //GeneralName.DirectoryName
// //GeneralName.IPAddress
//}
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random));
result = ExportCertificate(certificate, subjectKeyPair, certificateFormat);
}
return(result);
}
private static AsymmetricCipherKeyPair GenerateKeys(X509V3CertificateGenerator certificateGenerator, SecureRandom random, SignatureHashAlgorithm signatureAlgorithm)
{
AsymmetricCipherKeyPair result = null;
switch (signatureAlgorithm.Signature)
{
case TSignatureAlgorithm.Anonymous:
break;
case TSignatureAlgorithm.RSA:
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048);
RsaKeyPairGenerator rsaKeyPairGenerator = new RsaKeyPairGenerator();
rsaKeyPairGenerator.Init(keyGenerationParameters);
result = rsaKeyPairGenerator.GenerateKeyPair();
break;
case TSignatureAlgorithm.DSA:
break;
case TSignatureAlgorithm.ECDSA:
//ECDomainParameters ellipticCurveParameters = EllipticCurveFactory.GetEllipticCurveParameters(TEllipticCurve.secp256r1);
ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator();
//keyPairGenerator.Init(new ECKeyGenerationParameters(ellipticCurveParameters, random));
keyPairGenerator.Init(new ECKeyGenerationParameters(Org.BouncyCastle.Asn1.Sec.SecObjectIdentifiers.SecP256r1, random));
result = keyPairGenerator.GenerateKeyPair();
//certificateGenerator.AddExtension(X509Extensions.SubjectPublicKeyInfo)
//PrivateKey = (ECPrivateKeyParameters)keys.Private;
//PublicKey = (ECPublicKeyParameters)keys.Public;
break;
default:
break;
}
certificateGenerator.SetPublicKey(result.Public);
return(result);
}
private async Task _ProcessHandshakeAsync(DTLSRecord record)
{
if (record == null)
{
throw new ArgumentNullException(nameof(record));
}
var data = record.Fragment;
if (this._EncyptedServerEpoch == record.Epoch)
{
var count = 0;
while ((this._Cipher == null) && (count < 500))
{
await Task.Delay(10).ConfigureAwait(false);
count++;
}
if (this._Cipher == null)
{
throw new Exception("Need Cipher for Encrypted Session");
}
var sequenceNumber = ((long)record.Epoch << 48) + record.SequenceNumber;
data = this._Cipher.DecodeCiphertext(sequenceNumber, (byte)TRecordType.Handshake, record.Fragment, 0, record.Fragment.Length);
}
using (var tempStream = new MemoryStream(data))
{
var handshakeRec = HandshakeRecord.Deserialise(tempStream);
if (handshakeRec.Length > (handshakeRec.FragmentLength + handshakeRec.FragmentOffset))
{
this._IsFragment = true;
this._FragmentedRecordList.Add(data);
return;
}
else if (this._IsFragment)
{
this._FragmentedRecordList.Add(data);
data = new byte[0];
foreach (var rec in this._FragmentedRecordList)
{
data = data.Concat(rec.Skip(HandshakeRecord.RECORD_OVERHEAD)).ToArray();
}
var tempHandshakeRec = new HandshakeRecord()
{
Length = handshakeRec.Length,
MessageSeq = handshakeRec.MessageSeq,
MessageType = handshakeRec.MessageType,
FragmentLength = handshakeRec.Length,
FragmentOffset = 0
};
var tempHandshakeBytes = new byte[HandshakeRecord.RECORD_OVERHEAD];
using (var updateStream = new MemoryStream(tempHandshakeBytes))
{
tempHandshakeRec.Serialise(updateStream);
}
data = tempHandshakeBytes.Concat(data).ToArray();
}
}
using (var stream = new MemoryStream(data))
{
var handshakeRecord = HandshakeRecord.Deserialise(stream);
switch (handshakeRecord.MessageType)
{
case THandshakeType.HelloRequest:
{
break;
}
case THandshakeType.ClientHello:
{
break;
}
case THandshakeType.ServerHello:
{
var serverHello = ServerHello.Deserialise(stream);
this._HandshakeInfo.UpdateHandshakeHash(data);
this._ServerEpoch = record.Epoch;
this._HandshakeInfo.CipherSuite = (TCipherSuite)serverHello.CipherSuite;
this._HandshakeInfo.ServerRandom = serverHello.Random;
this._Version = serverHello.ServerVersion <= this._Version ? serverHello.ServerVersion : _SupportedVersion;
break;
}
case THandshakeType.HelloVerifyRequest:
{
var helloVerifyRequest = HelloVerifyRequest.Deserialise(stream);
this._Version = helloVerifyRequest.ServerVersion;
await this._SendHelloAsync(helloVerifyRequest.Cookie).ConfigureAwait(false);
break;
}
case THandshakeType.Certificate:
{
var cert = Certificate.Deserialise(stream, TCertificateType.X509);
this._HandshakeInfo.UpdateHandshakeHash(data);
this.ServerCertificate = cert.Cert;
break;
}
case THandshakeType.ServerKeyExchange:
{
this._HandshakeInfo.UpdateHandshakeHash(data);
var keyExchangeAlgorithm = CipherSuites.GetKeyExchangeAlgorithm(this._HandshakeInfo.CipherSuite);
byte[] preMasterSecret = null;
IKeyExchange keyExchange = null;
if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.ECDHE_ECDSA)
{
var serverKeyExchange = ECDHEServerKeyExchange.Deserialise(stream, this._Version);
var keyExchangeECDHE = new ECDHEKeyExchange
{
CipherSuite = this._HandshakeInfo.CipherSuite,
Curve = serverKeyExchange.EllipticCurve,
KeyExchangeAlgorithm = keyExchangeAlgorithm,
ClientRandom = this._HandshakeInfo.ClientRandom,
ServerRandom = this._HandshakeInfo.ServerRandom
};
keyExchangeECDHE.GenerateEphemeralKey();
var clientKeyExchange = new ECDHEClientKeyExchange(keyExchangeECDHE.PublicKey);
this._ClientKeyExchange = clientKeyExchange;
preMasterSecret = keyExchangeECDHE.GetPreMasterSecret(serverKeyExchange.PublicKeyBytes);
keyExchange = keyExchangeECDHE;
}
else if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.ECDHE_PSK)
{
var serverKeyExchange = ECDHEPSKServerKeyExchange.Deserialise(stream);
var keyExchangeECDHE = new ECDHEKeyExchange
{
CipherSuite = this._HandshakeInfo.CipherSuite,
Curve = serverKeyExchange.EllipticCurve,
KeyExchangeAlgorithm = keyExchangeAlgorithm,
ClientRandom = this._HandshakeInfo.ClientRandom,
ServerRandom = this._HandshakeInfo.ServerRandom
};
keyExchangeECDHE.GenerateEphemeralKey();
var clientKeyExchange = new ECDHEPSKClientKeyExchange(keyExchangeECDHE.PublicKey);
if (serverKeyExchange.PSKIdentityHint != null)
{
var key = this.PSKIdentities.GetKey(serverKeyExchange.PSKIdentityHint);
if (key != null)
{
this._PSKIdentity = new PSKIdentity()
{
Identity = serverKeyExchange.PSKIdentityHint, Key = key
};
}
}
if (this._PSKIdentity == null)
{
this._PSKIdentity = this.PSKIdentities.GetRandom();
}
clientKeyExchange.PSKIdentity = this._PSKIdentity.Identity;
this._ClientKeyExchange = clientKeyExchange;
var otherSecret = keyExchangeECDHE.GetPreMasterSecret(serverKeyExchange.PublicKeyBytes);
preMasterSecret = TLSUtils.GetPSKPreMasterSecret(otherSecret, this._PSKIdentity.Key);
keyExchange = keyExchangeECDHE;
}
else if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.PSK)
{
var serverKeyExchange = PSKServerKeyExchange.Deserialise(stream);
var clientKeyExchange = new PSKClientKeyExchange();
if (serverKeyExchange.PSKIdentityHint != null)
{
var key = this.PSKIdentities.GetKey(serverKeyExchange.PSKIdentityHint);
if (key != null)
{
this._PSKIdentity = new PSKIdentity()
{
Identity = serverKeyExchange.PSKIdentityHint, Key = key
};
}
}
if (this._PSKIdentity == null)
{
this._PSKIdentity = this.PSKIdentities.GetRandom();
}
var otherSecret = new byte[this._PSKIdentity.Key.Length];
clientKeyExchange.PSKIdentity = this._PSKIdentity.Identity;
this._ClientKeyExchange = clientKeyExchange;
preMasterSecret = TLSUtils.GetPSKPreMasterSecret(otherSecret, this._PSKIdentity.Key);
}
this._Cipher = TLSUtils.AssignCipher(preMasterSecret, true, this._Version, this._HandshakeInfo);
break;
}
case THandshakeType.CertificateRequest:
{
this._HandshakeInfo.UpdateHandshakeHash(data);
this._SendCertificate = true;
break;
}
case THandshakeType.ServerHelloDone:
{
this._HandshakeInfo.UpdateHandshakeHash(data);
var keyExchangeAlgorithm = CipherSuites.GetKeyExchangeAlgorithm(this._HandshakeInfo.CipherSuite);
if (this._Cipher == null)
{
if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.PSK)
{
var clientKeyExchange = new PSKClientKeyExchange();
this._PSKIdentity = this.PSKIdentities.GetRandom();
var otherSecret = new byte[this._PSKIdentity.Key.Length];
clientKeyExchange.PSKIdentity = this._PSKIdentity.Identity;
this._ClientKeyExchange = clientKeyExchange;
var preMasterSecret = TLSUtils.GetPSKPreMasterSecret(otherSecret, this._PSKIdentity.Key);
this._Cipher = TLSUtils.AssignCipher(preMasterSecret, true, this._Version, this._HandshakeInfo);
}
else if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.RSA)
{
var clientKeyExchange = new RSAClientKeyExchange();
this._ClientKeyExchange = clientKeyExchange;
var PreMasterSecret = TLSUtils.GetRsaPreMasterSecret(this._Version);
clientKeyExchange.PremasterSecret = TLSUtils.GetEncryptedRsaPreMasterSecret(this.ServerCertificate, PreMasterSecret);
this._Cipher = TLSUtils.AssignCipher(PreMasterSecret, true, this._Version, this._HandshakeInfo);
}
else
{
throw new NotImplementedException($"Key Exchange Algorithm {keyExchangeAlgorithm} Not Implemented");
}
}
if (this._SendCertificate)
{
await this._SendHandshakeMessageAsync(this._Certificate, false).ConfigureAwait(false);
}
await this._SendHandshakeMessageAsync(this._ClientKeyExchange, false).ConfigureAwait(false);
if (this._SendCertificate)
{
var signatureHashAlgorithm = new SignatureHashAlgorithm()
{
Signature = TSignatureAlgorithm.ECDSA, Hash = THashAlgorithm.SHA256
};
if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.RSA)
{
signatureHashAlgorithm = new SignatureHashAlgorithm()
{
Signature = TSignatureAlgorithm.RSA, Hash = THashAlgorithm.SHA1
};
}
var certVerify = new CertificateVerify
{
SignatureHashAlgorithm = signatureHashAlgorithm,
Signature = TLSUtils.Sign(this._PrivateKey, this._PrivateKeyRsa, true, this._Version, this._HandshakeInfo, signatureHashAlgorithm, this._HandshakeInfo.GetHash(this._Version))
};
await this._SendHandshakeMessageAsync(certVerify, false).ConfigureAwait(false);
}
await this._SendChangeCipherSpecAsync().ConfigureAwait(false);
var handshakeHash = this._HandshakeInfo.GetHash(this._Version);
var finished = new Finished
{
VerifyData = TLSUtils.GetVerifyData(this._Version, this._HandshakeInfo, true, true, handshakeHash)
};
await this._SendHandshakeMessageAsync(finished, true).ConfigureAwait(false);
break;
}
case THandshakeType.NewSessionTicket:
{
this._HandshakeInfo.UpdateHandshakeHash(data);
break;
}
case THandshakeType.CertificateVerify:
{
break;
}
case THandshakeType.ClientKeyExchange:
{
break;
}
case THandshakeType.Finished:
{
var serverFinished = Finished.Deserialise(stream);
var handshakeHash = this._HandshakeInfo.GetHash(this._Version);
var calculatedVerifyData = TLSUtils.GetVerifyData(this._Version, this._HandshakeInfo, true, false, handshakeHash);
if (serverFinished.VerifyData.SequenceEqual(calculatedVerifyData))
{
this._ConnectionComplete = true;
}
break;
}
default:
{
break;
}
}
}
this._IsFragment = false;
this._FragmentedRecordList.RemoveAll(x => true);
}
public static byte[] Sign(Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash)
{
TlsSigner signer = null;
switch (signatureHashAlgorithm.Signature)
{
case TSignatureAlgorithm.Anonymous:
break;
case TSignatureAlgorithm.RSA:
signer = new TlsRsaSigner();
break;
case TSignatureAlgorithm.DSA:
signer = new TlsDssSigner();
break;
case TSignatureAlgorithm.ECDSA:
signer = new TlsECDsaSigner();
break;
default:
break;
}
DTLSContext context = new DTLSContext(client, version, handshakeInfo);
Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator randomGenerator = new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator();
context.SecureRandom = new Org.BouncyCastle.Security.SecureRandom(randomGenerator);
signer.Init(context);
if (TlsUtilities.IsTlsV12(context))
{
SignatureAndHashAlgorithm signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature);
return signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash);
}
else
{
return signer.GenerateRawSignature(privateKey, hash);
}
}
public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
byte[] result = null;
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate);
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));
byte[] subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID));
string algorithm = GetAlgorithm(signatureAlgorithm);
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random));
result = ExportCertificate(certificate, subjectKeyPair, certificateFormat);
return result;
}
private static AsymmetricCipherKeyPair GenerateKeys(X509V3CertificateGenerator certificateGenerator, SecureRandom random,
SignatureHashAlgorithm signatureAlgorithm)
{
if (certificateGenerator == null)
{
throw new ArgumentNullException(nameof(certificateGenerator));
}
if (random == null)
{
throw new ArgumentNullException(nameof(random));
}
if (signatureAlgorithm == null)
{
throw new ArgumentNullException(nameof(signatureAlgorithm));
}
AsymmetricCipherKeyPair result = null;
switch (signatureAlgorithm.Signature)
{
case TSignatureAlgorithm.Anonymous:
{
break;
}
case TSignatureAlgorithm.RSA:
{
var keyGenerationParameters = new KeyGenerationParameters(random, 2048);
var rsaKeyPairGenerator = new RsaKeyPairGenerator();
rsaKeyPairGenerator.Init(keyGenerationParameters);
result = rsaKeyPairGenerator.GenerateKeyPair();
break;
}
case TSignatureAlgorithm.DSA:
{
break;
}
case TSignatureAlgorithm.ECDSA:
{
//ECDomainParameters ellipticCurveParameters = EllipticCurveFactory.GetEllipticCurveParameters(TEllipticCurve.secp256r1);
var keyPairGenerator = new ECKeyPairGenerator();
//keyPairGenerator.Init(new ECKeyGenerationParameters(ellipticCurveParameters, random));
keyPairGenerator.Init(new ECKeyGenerationParameters(SecObjectIdentifiers.SecP256r1, random));
result = keyPairGenerator.GenerateKeyPair();
//certificateGenerator.AddExtension(X509Extensions.SubjectPublicKeyInfo)
//PrivateKey = (ECPrivateKeyParameters)keys.Private;
//PublicKey = (ECPublicKeyParameters)keys.Public;
break;
}
default:
{
break;
}
}
certificateGenerator.SetPublicKey(result.Public);
return(result);
}
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
byte[] result = null;
AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter;
if (privateKey != null)
{
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate);
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
string algorithm = GetAlgorithm(signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));
byte[] subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
if (issuer.SubjectKeyID != null)
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID));
//if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0))
//{
// certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false));
// //SubjectAlternativeName
// //GeneralName.DirectoryName
// //GeneralName.IPAddress
//}
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random));
result = ExportCertificate(certificate, subjectKeyPair, certificateFormat);
}
return result;
}
public static byte[] Sign(Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash)
{
TlsSigner signer = null;
switch (signatureHashAlgorithm.Signature)
{
case TSignatureAlgorithm.Anonymous:
break;
case TSignatureAlgorithm.RSA:
signer = new TlsRsaSigner();
break;
case TSignatureAlgorithm.DSA:
signer = new TlsDssSigner();
break;
case TSignatureAlgorithm.ECDSA:
signer = new TlsECDsaSigner();
break;
default:
break;
}
DTLSContext context = new DTLSContext(client, version, handshakeInfo);
Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator randomGenerator = new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator();
context.SecureRandom = new Org.BouncyCastle.Security.SecureRandom(randomGenerator);
signer.Init(context);
if (TlsUtilities.IsTlsV12(context))
{
SignatureAndHashAlgorithm signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature);
return(signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash));
}
else
{
return(signer.GenerateRawSignature(privateKey, hash));
}
}
public static byte[] GenerateIntermediateCACertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
byte[] result = null;
AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter;
if (privateKey != null)
{
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate);
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));
byte[] subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
if (issuer.SubjectKeyID != null)
{
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID));
}
string algorithm = GetAlgorithm(signatureAlgorithm);
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random));
result = ExportCertificate(certificate, subjectKeyPair, certificateFormat);
}
return(result);
}
public static byte[] Sign(AsymmetricKeyParameter privateKey, RSACryptoServiceProvider rsaKey, bool client, Version version, HandshakeInfo handshakeInfo,
SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash)
#endif
{
if (privateKey == null && rsaKey == null)
{
throw new ArgumentException("No key or Rsa CSP provided");
}
if (privateKey == null)
{
if (signatureHashAlgorithm.Signature == TSignatureAlgorithm.RSA)
{
return(SignRsa(rsaKey, hash));
}
throw new ArgumentException("Need private key for non-RSA Algorithms");
}
if (version == null)
{
throw new ArgumentNullException(nameof(version));
}
if (handshakeInfo == null)
{
throw new ArgumentNullException(nameof(handshakeInfo));
}
if (signatureHashAlgorithm == null)
{
throw new ArgumentNullException(nameof(signatureHashAlgorithm));
}
if (hash == null)
{
throw new ArgumentNullException(nameof(hash));
}
TlsSigner signer = null;
switch (signatureHashAlgorithm.Signature)
{
case TSignatureAlgorithm.Anonymous:
break;
case TSignatureAlgorithm.RSA:
signer = new TlsRsaSigner();
break;
case TSignatureAlgorithm.DSA:
signer = new TlsDssSigner();
break;
case TSignatureAlgorithm.ECDSA:
signer = new TlsECDsaSigner();
break;
default:
break;
}
var context = new DTLSContext(client, version, handshakeInfo);
var randomGenerator = new CryptoApiRandomGenerator();
context.SecureRandom = new SecureRandom(randomGenerator);
signer.Init(context);
if (TlsUtilities.IsTlsV12(context))
{
var signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature);
return(signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash));
}
else
{
return(signer.GenerateRawSignature(privateKey, hash));
}
}
public static byte[] Sign(AsymmetricKeyParameter privateKey, CngKey rsaKey, bool client, Version version, HandshakeInfo handshakeInfo,
SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash)
private static string GetAlgorithm(SignatureHashAlgorithm signatureAlgorithm)
{
// eg "SHA256WithRSA", "SHA224WithECDSA",;
StringBuilder result = new StringBuilder();
result.Append(signatureAlgorithm.Hash.ToString());
result.Append("With");
result.Append(signatureAlgorithm.Signature.ToString());
return result.ToString();
}
