public virtual void ProcessServerCertificate(Certificate serverCertificate)
{
X509CertificateStructure x509Cert = serverCertificate.certs[0];
SubjectPublicKeyInfo keyInfo = x509Cert.SubjectPublicKeyInfo;
try
{
this.serverPublicKey = PublicKeyFactory.CreateKey(keyInfo);
}
// catch (RuntimeException)
catch (Exception)
{
throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
}
// Sanity check the PublicKeyFactory
if (this.serverPublicKey.IsPrivate)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
this.rsaServerPublicKey = ValidateRsaPublicKey((RsaKeyParameters)this.serverPublicKey);
TlsUtilities.ValidateKeyUsage(x509Cert, KeyUsage.KeyEncipherment);
// TODO
/*
* Perform various checks per RFC2246 7.4.2: "Unless otherwise specified, the
* signing algorithm for the certificate must be the same as the algorithm for the
* certificate key."
*/
}
/**
* Constructor for an encrypted private key PEM object.
*
* @param key private key to be encoded
* @param algorithm encryption algorithm to use
* @param provider provider to use
* @throws NoSuchAlgorithmException if algorithm/mode cannot be found
*/
public Pkcs8Generator(AsymmetricKeyParameter privKey, string algorithm)
{
// TODO Check privKey.IsPrivate
this.privKey = privKey;
this.algorithm = algorithm;
this.iterationCount = 2048;
}
public virtual void ProcessServerCertificate(Certificate serverCertificate)
{
if (tlsSigner == null)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
X509CertificateStructure x509Cert = serverCertificate.certs[0];
SubjectPublicKeyInfo keyInfo = x509Cert.SubjectPublicKeyInfo;
try
{
this.serverPublicKey = PublicKeyFactory.CreateKey(keyInfo);
}
// catch (RuntimeException)
catch (Exception)
{
throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
}
if (!tlsSigner.IsValidPublicKey(this.serverPublicKey))
{
throw new TlsFatalAlert(AlertDescription.certificate_unknown);
}
TlsUtilities.ValidateKeyUsage(x509Cert, KeyUsage.DigitalSignature);
// TODO
/*
* Perform various checks per RFC2246 7.4.2: "Unless otherwise specified, the
* signing algorithm for the certificate must be the same as the algorithm for the
* certificate key."
*/
}
private AsymmetricKeyParameter GetSenderPublicKey(
AsymmetricKeyParameter receiverPrivateKey,
OriginatorIdentifierOrKey originator)
{
OriginatorPublicKey opk = originator.OriginatorPublicKey;
if (opk != null)
{
return GetPublicKeyFromOriginatorPublicKey(receiverPrivateKey, opk);
}
OriginatorID origID = new OriginatorID();
Asn1.Cms.IssuerAndSerialNumber iAndSN = originator.IssuerAndSerialNumber;
if (iAndSN != null)
{
origID.Issuer = iAndSN.Name;
origID.SerialNumber = iAndSN.SerialNumber.Value;
}
else
{
SubjectKeyIdentifier ski = originator.SubjectKeyIdentifier;
origID.SubjectKeyIdentifier = ski.GetKeyIdentifier();
}
return GetPublicKeyFromOriginatorID(origID);
}
/**
* basic creation - only the default attributes will be included here.
*/
public TimeStampTokenGenerator(
AsymmetricKeyParameter key,
X509Certificate cert,
string digestOID,
string tsaPolicyOID)
: this(key, cert, digestOID, tsaPolicyOID, null, null)
{
}
public PgpKeyPair(
PublicKeyAlgorithmTag algorithm,
AsymmetricKeyParameter pubKey,
AsymmetricKeyParameter privKey,
DateTime time)
{
this.pub = new PgpPublicKey(algorithm, pubKey, time);
this.priv = new PgpPrivateKey(privKey, pub.KeyId);
}
public Pkcs10CertificationRequestDelaySigned(
string signatureAlgorithm,
X509Name subject,
AsymmetricKeyParameter publicKey,
Asn1Set attributes,
AsymmetricKeyParameter signingKey)
: base(signatureAlgorithm, subject, publicKey, attributes, signingKey)
{
}
/// <summary>
/// Create a PgpPrivateKey from a regular private key and the ID of its
/// associated public key.
/// </summary>
/// <param name="privateKey">Private key to use.</param>
/// <param name="keyId">ID of the corresponding public key.</param>
public PgpPrivateKey(
AsymmetricKeyParameter privateKey,
long keyId)
{
if (!privateKey.IsPrivate)
throw new ArgumentException("Expected a private key", "privateKey");
this.privateKey = privateKey;
this.keyId = keyId;
}
public static EncryptedPrivateKeyInfo CreateEncryptedPrivateKeyInfo(
string algorithm,
char[] passPhrase,
byte[] salt,
int iterationCount,
AsymmetricKeyParameter key)
{
return CreateEncryptedPrivateKeyInfo(
algorithm, passPhrase, salt, iterationCount,
PrivateKeyInfoFactory.CreatePrivateKeyInfo(key));
}
public PkixCertPathBuilderResult(
PkixCertPath certPath,
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
: base(trustAnchor, policyTree, subjectPublicKey)
{
if (certPath == null)
throw new ArgumentNullException("certPath");
this.certPath = certPath;
}
/**
* basic constructor.
*
* @param publicParam a public key parameters object.
* @param privateParam the corresponding private key parameters.
*/
public AsymmetricCipherKeyPair(
AsymmetricKeyParameter publicParameter,
AsymmetricKeyParameter privateParameter)
{
if (publicParameter.IsPrivate)
throw new ArgumentException("Expected a public key", "publicParameter");
if (!privateParameter.IsPrivate)
throw new ArgumentException("Expected a private key", "privateParameter");
this.publicParameter = publicParameter;
this.privateParameter = privateParameter;
}
/**
* create with a signer with extra signed/unsigned attributes.
*/
public TimeStampTokenGenerator(
AsymmetricKeyParameter key,
X509Certificate cert,
string digestOID,
string tsaPolicyOID,
Asn1.Cms.AttributeTable signedAttr,
Asn1.Cms.AttributeTable unsignedAttr)
{
this.key = key;
this.cert = cert;
this.digestOID = digestOID;
this.tsaPolicyOID = tsaPolicyOID;
this.unsignedAttr = unsignedAttr;
TspUtil.ValidateCertificate(cert);
//
// Add the ESSCertID attribute
//
IDictionary signedAttrs;
if (signedAttr != null)
{
signedAttrs = signedAttr.ToDictionary();
}
else
{
signedAttrs = Platform.CreateHashtable();
}
try
{
byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded());
EssCertID essCertid = new EssCertID(hash);
Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute(
PkcsObjectIdentifiers.IdAASigningCertificate,
new DerSet(new SigningCertificate(essCertid)));
signedAttrs[attr.AttrType] = attr;
}
catch (CertificateEncodingException e)
{
throw new TspException("Exception processing certificate.", e);
}
catch (SecurityUtilityException e)
{
throw new TspException("Can't find a SHA-1 implementation.", e);
}
this.signedAttr = new Asn1.Cms.AttributeTable(signedAttrs);
}
/// <summary>
/// Creates an instance of TrustAnchor with the specified X509Certificate and
/// optional name constraints, which are intended to be used as additional
/// constraints when validating an X.509 certification path.
/// The name constraints are specified as a byte array. This byte array
/// should contain the DER encoded form of the name constraints, as they
/// would appear in the NameConstraints structure defined in RFC 2459 and
/// X.509. The ASN.1 definition of this structure appears below.
///
/// <pre>
/// NameConstraints ::= SEQUENCE {
/// permittedSubtrees [0] GeneralSubtrees OPTIONAL,
/// excludedSubtrees [1] GeneralSubtrees OPTIONAL }
///
/// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
///
/// GeneralSubtree ::= SEQUENCE {
/// base GeneralName,
/// minimum [0] BaseDistance DEFAULT 0,
/// maximum [1] BaseDistance OPTIONAL }
///
/// BaseDistance ::= INTEGER (0..MAX)
///
/// GeneralName ::= CHOICE {
/// otherName [0] OtherName,
/// rfc822Name [1] IA5String,
/// dNSName [2] IA5String,
/// x400Address [3] ORAddress,
/// directoryName [4] Name,
/// ediPartyName [5] EDIPartyName,
/// uniformResourceIdentifier [6] IA5String,
/// iPAddress [7] OCTET STRING,
/// registeredID [8] OBJECT IDENTIFIER}
/// </pre>
///
/// Note that the name constraints byte array supplied is cloned to protect
/// against subsequent modifications.
/// </summary>
/// <param name="trustedCert">a trusted X509Certificate</param>
/// <param name="nameConstraints">a byte array containing the ASN.1 DER encoding of a
/// NameConstraints extension to be used for checking name
/// constraints. Only the value of the extension is included, not
/// the OID or criticality flag. Specify null to omit the
/// parameter.</param>
/// <exception cref="ArgumentNullException">if the specified X509Certificate is null</exception>
public TrustAnchor(
X509Certificate trustedCert,
byte[] nameConstraints)
{
if (trustedCert == null)
throw new ArgumentNullException("trustedCert");
this.trustedCert = trustedCert;
this.pubKey = null;
this.caName = null;
this.caPrincipal = null;
setNameConstraints(nameConstraints);
}
private static Asn1OctetString FromPublicKey(
AsymmetricKeyParameter pubKey)
{
try
{
SubjectPublicKeyInfo info = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(pubKey);
return (Asn1OctetString) new SubjectKeyIdentifier(info).ToAsn1Object();
}
catch (Exception e)
{
throw new CertificateParsingException("Exception extracting certificate details: " + e.ToString());
}
}
private static Asn1Sequence FromKey(
AsymmetricKeyParameter pubKey)
{
try
{
SubjectPublicKeyInfo info = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(pubKey);
return (Asn1Sequence) new AuthorityKeyIdentifier(info).ToAsn1Object();
}
catch (Exception e)
{
throw new InvalidKeyException("can't process key: " + e);
}
}
public RespID(
AsymmetricKeyParameter publicKey)
{
try
{
SubjectPublicKeyInfo info = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
byte[] keyHash = DigestUtilities.CalculateDigest("SHA1", info.PublicKeyData.GetBytes());
this.id = new ResponderID(new DerOctetString(keyHash));
}
catch (Exception e)
{
throw new OcspException("problem creating ID: " + e, e);
}
}
public PkixCertPathValidatorResult(
TrustAnchor trustAnchor,
PkixPolicyNode policyTree,
AsymmetricKeyParameter subjectPublicKey)
{
if (subjectPublicKey == null)
{
throw new NullReferenceException("subjectPublicKey must be non-null");
}
if (trustAnchor == null)
{
throw new NullReferenceException("trustAnchor must be non-null");
}
this.trustAnchor = trustAnchor;
this.policyTree = policyTree;
this.subjectPublicKey = subjectPublicKey;
}
public virtual void Verify(
AsymmetricKeyParameter publicKey)
{
if (!c.SignatureAlgorithm.Equals(c.TbsCertList.Signature))
{
throw new CrlException("Signature algorithm on CertificateList does not match TbsCertList.");
}
ISigner sig = SignerUtilities.GetSigner(SigAlgName);
sig.Init(false, publicKey);
byte[] encoded = this.GetTbsCertList();
sig.BlockUpdate(encoded, 0, encoded.Length);
if (!sig.VerifySignature(this.GetSignature()))
{
throw new SignatureException("CRL does not verify with supplied public key.");
}
}
/// <summary>
/// Generate a new X509Certificate.
/// </summary>
/// <param name="privateKey">The private key of the issuer used to sign this certificate.</param>
/// <returns>An X509Certificate.</returns>
public X509Certificate Generate(
AsymmetricKeyParameter privateKey)
{
return Generate(privateKey, null);
}
/// <summary>
/// Verify the signature against the tbsResponseData object we contain.
/// </summary>
public bool Verify(
AsymmetricKeyParameter publicKey)
{
try
{
ISigner signature = SignerUtilities.GetSigner(this.SignatureAlgName);
signature.Init(false, publicKey);
byte[] bs = data.GetDerEncoded();
signature.BlockUpdate(bs, 0, bs.Length);
return signature.VerifySignature(this.GetSignature());
}
catch (Exception e)
{
throw new OcspException("exception processing sig: " + e, e);
}
}
/**
* Verify the signature against the TBSRequest object we contain.
*/
public bool Verify(
AsymmetricKeyParameter publicKey)
{
if (!this.IsSigned)
throw new OcspException("attempt to Verify signature on unsigned object");
try
{
ISigner signature = SignerUtilities.GetSigner(this.SignatureAlgOid);
signature.Init(false, publicKey);
byte[] encoded = req.TbsRequest.GetEncoded();
signature.BlockUpdate(encoded, 0, encoded.Length);
return signature.VerifySignature(this.GetSignature());
}
catch (Exception e)
{
throw new OcspException("exception processing sig: " + e, e);
}
}
private static OriginatorPublicKey CreateOriginatorPublicKey(
AsymmetricKeyParameter publicKey)
{
SubjectPublicKeyInfo spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
return new OriginatorPublicKey(
new AlgorithmIdentifier(spki.AlgorithmID.ObjectID, DerNull.Instance),
spki.PublicKeyData.GetBytes());
}
/**
* Create an AuthorityKeyIdentifier using just the hash of the
* public key.
*
* @param pubKey the key to generate the hash from.
* @throws InvalidKeyException if there is a problem using the key.
*/
public AuthorityKeyIdentifierStructure(
AsymmetricKeyParameter pubKey)
: base(FromKey(pubKey))
{
}
internal KeyParameter GetSessionKey(
AsymmetricKeyParameter receiverPrivateKey)
{
try
{
string wrapAlg = DerObjectIdentifier.GetInstance(
Asn1Sequence.GetInstance(keyEncAlg.Parameters)[0]).Id;
AsymmetricKeyParameter senderPublicKey = GetSenderPublicKey(
receiverPrivateKey, info.Originator);
KeyParameter agreedWrapKey = CalculateAgreedWrapKey(wrapAlg,
senderPublicKey, receiverPrivateKey);
return UnwrapSessionKey(wrapAlg, agreedWrapKey);
}
catch (SecurityUtilityException e)
{
throw new CmsException("couldn't create cipher.", e);
}
catch (InvalidKeyException e)
{
throw new CmsException("key invalid in message.", e);
}
catch (Exception e)
{
throw new CmsException("originator key invalid.", e);
}
}
/// <summary>
/// Generate a new X509Certificate specifying a SecureRandom instance that you would like to use.
/// </summary>
/// <param name="privateKey">The private key of the issuer used to sign this certificate.</param>
/// <param name="random">The Secure Random you want to use.</param>
/// <returns>An X509Certificate.</returns>
public X509Certificate Generate(
AsymmetricKeyParameter privateKey,
SecureRandom random)
{
TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate();
byte[] signature;
try
{
signature = X509Utilities.GetSignatureForObject(
sigOID, signatureAlgorithm, privateKey, random, tbsCert);
}
catch (Exception e)
{
// TODO
// throw new ExtCertificateEncodingException("exception encoding TBS cert", e);
throw new CertificateEncodingException("exception encoding TBS cert", e);
}
try
{
return GenerateJcaObject(tbsCert, signature);
}
catch (CertificateParsingException e)
{
// TODO
// throw new ExtCertificateEncodingException("exception producing certificate object", e);
throw new CertificateEncodingException("exception producing certificate object", e);
}
}
private KeyParameter CalculateAgreedWrapKey(
string wrapAlg,
AsymmetricKeyParameter senderPublicKey,
AsymmetricKeyParameter receiverPrivateKey)
{
DerObjectIdentifier agreeAlgID = keyEncAlg.ObjectID;
ICipherParameters senderPublicParams = senderPublicKey;
ICipherParameters receiverPrivateParams = receiverPrivateKey;
if (agreeAlgID.Id.Equals(CmsEnvelopedGenerator.ECMqvSha1Kdf))
{
byte[] ukmEncoding = info.UserKeyingMaterial.GetOctets();
MQVuserKeyingMaterial ukm = MQVuserKeyingMaterial.GetInstance(
Asn1Object.FromByteArray(ukmEncoding));
AsymmetricKeyParameter ephemeralKey = GetPublicKeyFromOriginatorPublicKey(
receiverPrivateKey, ukm.EphemeralPublicKey);
senderPublicParams = new MqvPublicParameters(
(ECPublicKeyParameters)senderPublicParams,
(ECPublicKeyParameters)ephemeralKey);
receiverPrivateParams = new MqvPrivateParameters(
(ECPrivateKeyParameters)receiverPrivateParams,
(ECPrivateKeyParameters)receiverPrivateParams);
}
IBasicAgreement agreement = AgreementUtilities.GetBasicAgreementWithKdf(
agreeAlgID, wrapAlg);
agreement.Init(receiverPrivateParams);
BigInteger agreedValue = agreement.CalculateAgreement(senderPublicParams);
int wrapKeySize = GeneratorUtilities.GetDefaultKeySize(wrapAlg) / 8;
byte[] wrapKeyBytes = X9IntegerConverter.IntegerToBytes(agreedValue, wrapKeySize);
return ParameterUtilities.CreateKeyParameter(wrapAlg, wrapKeyBytes);
}
/// <summary>
/// Set the public key that this certificate identifies.
/// </summary>
/// <param name="publicKey"/>
public void SetPublicKey(
AsymmetricKeyParameter publicKey)
{
try
{
tbsGen.SetSubjectPublicKeyInfo(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey));
}
catch (Exception e)
{
throw new ArgumentException("unable to process key - " + e.ToString());
}
}
/// <summary>
/// Creates an instance of <code>TrustAnchor</code> where the most-trusted
/// CA is specified as a distinguished name and public key. Name constraints
/// are an optional parameter, and are intended to be used as additional
/// constraints when validating an X.509 certification path.
/// <br/>
/// The name constraints are specified as a byte array. This byte array
/// contains the DER encoded form of the name constraints, as they would
/// appear in the NameConstraints structure defined in RFC 2459 and X.509.
/// </summary>
/// <param name="caName">the X.500 distinguished name of the most-trusted CA in RFC
/// 2253 string format</param>
/// <param name="pubKey">the public key of the most-trusted CA</param>
/// <param name="nameConstraints">a byte array containing the ASN.1 DER encoding of a
/// NameConstraints extension to be used for checking name
/// constraints. Only the value of the extension is included, not
/// the OID or criticality flag. Specify null to omit the
/// parameter.</param>
/// throws NullPointerException, IllegalArgumentException
public TrustAnchor(
string caName,
AsymmetricKeyParameter pubKey,
byte[] nameConstraints)
{
if (caName == null)
throw new ArgumentNullException("caName");
if (pubKey == null)
throw new ArgumentNullException("pubKey");
if (caName.Length == 0)
throw new ArgumentException("caName can not be an empty string");
this.caPrincipal = new X509Name(caName);
this.pubKey = pubKey;
this.caName = caName;
this.trustedCert = null;
setNameConstraints(nameConstraints);
}
public SubjectKeyIdentifierStructure(
AsymmetricKeyParameter pubKey)
: base(FromPublicKey(pubKey))
{
}
/// <summary>
/// Creates an instance of <c>TrustAnchor</c> where the
/// most-trusted CA is specified as an X500Principal and public key.
/// </summary>
/// <remarks>
/// <p>
/// Name constraints are an optional parameter, and are intended to be used
/// as additional constraints when validating an X.509 certification path.
/// </p><p>
/// The name constraints are specified as a byte array. This byte array
/// contains the DER encoded form of the name constraints, as they
/// would appear in the NameConstraints structure defined in RFC 2459
/// and X.509. The ASN.1 notation for this structure is supplied in the
/// documentation for the other constructors.
/// </p><p>
/// Note that the name constraints byte array supplied here is cloned to
/// protect against subsequent modifications.
/// </p>
/// </remarks>
/// <param name="caPrincipal">the name of the most-trusted CA as X509Name</param>
/// <param name="pubKey">the public key of the most-trusted CA</param>
/// <param name="nameConstraints">
/// a byte array containing the ASN.1 DER encoding of a NameConstraints extension to
/// be used for checking name constraints. Only the value of the extension is included,
/// not the OID or criticality flag. Specify <c>null</c> to omit the parameter.
/// </param>
/// <exception cref="ArgumentNullException">
/// if <c>caPrincipal</c> or <c>pubKey</c> is null
/// </exception>
public TrustAnchor(
X509Name caPrincipal,
AsymmetricKeyParameter pubKey,
byte[] nameConstraints)
{
if (caPrincipal == null)
throw new ArgumentNullException("caPrincipal");
if (pubKey == null)
throw new ArgumentNullException("pubKey");
this.trustedCert = null;
this.caPrincipal = caPrincipal;
this.caName = caPrincipal.ToString();
this.pubKey = pubKey;
setNameConstraints(nameConstraints);
}
