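/// <summary>
/// Generates a self-signed RSA-2048 CA certificate, installs it into the LocalMachine Root store
/// and exports it together with its private key as a .pfx file.
/// </summary>
/// <param name="subjectName">Distinguished name used as both subject and issuer of the CA.</param>
/// <param name="refCaPrivateKey">Receives the private key of the generated CA.</param>
/// <returns>The CA certificate with its private key attached.</returns>
/// <exception cref="InvalidCastException">The generated private key is not an RSA CRT key.</exception>
public static X509Certificate2 GenerateCACertificate(string subjectName, ref AsymmetricKeyParameter refCaPrivateKey)
{
    const int keyStrength = 2048;

    // Random source shared by serial-number and key generation.
    CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
    SecureRandom random = new SecureRandom(randomGenerator);

    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

    // Serial number: random positive value in [1, Int64.MaxValue].
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    const string signatureAlgorithm = "SHA256WithRSA";
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    // Self-signed: issuer and subject are the same name.
    X509Name subjectDN = new X509Name(subjectName);
    X509Name issuerDN = subjectDN;
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Validity: two years starting at today's UTC date (midnight).
    DateTime notBefore = DateTime.UtcNow.Date;
    DateTime notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject key pair.
    KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Mark the certificate as a CA. Without basicConstraints CA:TRUE and keyUsage keyCertSign a
    // path validator is not required to accept this certificate as the issuer of anything it signs.
    certificateGenerator.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(true));
    certificateGenerator.AddExtension(X509Extensions.KeyUsage.Id, true, new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign));

    // Self-sign with the subject's own private key.
    AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
    Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);

    // The input is a bare DER certificate, so the password argument is not used to decrypt anything here.
    X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded(), "123", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

    // An explicit cast fails loudly if the key is not an RSA CRT key instead of passing null into ToRSA.
    RSA rsaPriv = DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)issuerKeyPair.Private);
    // NOTE: the PrivateKey setter exists on .NET Framework only; on .NET Core/5+ it throws and
    // CopyWithPrivateKey must be used instead.
    x509.PrivateKey = rsaPriv;
    refCaPrivateKey = issuerKeyPair.Private;

    // Installing into LocalMachine\Root makes every certificate signed by this key trusted machine-wide,
    // so the exported private key needs the same protection as any root CA key.
    AddCertificateToStore(x509, StoreName.Root, StoreLocation.LocalMachine);

    // Export certificate and private key to a PFX file.
    ExportToFileSystem(X509ContentType.Pfx, x509, subjectName);

    return (x509);
}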
/// <summary>
/// Builds an X.509 v3 certificate for <paramref name="subjectName"/> and attaches the subject's RSA private key.
/// When <paramref name="issuerPrivateKey"/> is null the certificate is signed with the subject key itself and
/// carries basicConstraints CA:TRUE; otherwise it is signed by the issuer key. The only usage asserted is the
/// extended key usage serverAuth; no keyUsage extension is written.
/// </summary>
/// <param name="hostName">Optional host name or IP literal written as a subjectAltName (dNSName or iPAddress form).</param>
/// <param name="subjectName">Distinguished name of the subject.</param>
/// <param name="issuerName">Distinguished name of the issuer.</param>
/// <param name="validFrom">Start of the validity period.</param>
/// <param name="validTo">End of the validity period.</param>
/// <param name="subjectKeyPair">RSA key pair whose public half goes into the certificate.</param>
/// <param name="signatureAlgorithm">Signature algorithm name understood by Bouncy Castle.</param>
/// <param name="issuerPrivateKey">Signing key of the issuer; null means self-signed.</param>
/// <returns>The certificate together with its RSA private key.</returns>
/// <exception cref="PemException">The subject private key does not decode to the nine-element RSA CRT structure.</exception>
private static X509Certificate2 generateCertificate(string? hostName, string subjectName, string issuerName, DateTime validFrom, DateTime validTo, AsymmetricCipherKeyPair subjectKeyPair, string signatureAlgorithm = "SHA256WithRSA", AsymmetricKeyParameter? issuerPrivateKey = null)
{
    var rng = new SecureRandom(new CryptoApiRandomGenerator());
    var builder = new X509V3CertificateGenerator();

    // Random positive serial in [1, long.MaxValue].
    builder.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), rng));

    builder.SetIssuerDN(new X509Name(issuerName));
    builder.SetSubjectDN(new X509Name(subjectName));
    builder.SetNotBefore(validFrom);
    builder.SetNotAfter(validTo);

    if (hostName != null)
    {
        // subjectAltName: an IP literal becomes an iPAddress entry, anything else a dNSName entry.
        var sanType = IPAddress.TryParse(hostName, out _) ? GeneralName.IPAddress : GeneralName.DnsName;
        var sanSequence = new DerSequence(new Asn1Encodable[] { new GeneralName(sanType, hostName) });
        builder.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, sanSequence);
    }

    builder.SetPublicKey(subjectKeyPair.Public);

    // Restrict the intended purpose to TLS server authentication.
    builder.AddExtension(X509Extensions.ExtendedKeyUsage.Id, false, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));

    if (issuerPrivateKey == null)
    {
        // A self-signed certificate produced here acts as a CA.
        builder.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(true));
    }

    // Sign with the issuer key, or with the subject's own key when self-signed.
    var signingKey = issuerPrivateKey ?? subjectKeyPair.Private;
    var signer = new Asn1SignatureFactory(signatureAlgorithm, signingKey, rng);
    var certificate = builder.Generate(signer);

    // Re-derive the RSA CRT parameters from the PKCS#8 encoding of the subject private key.
    var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
    var rsaSequence = (Asn1Sequence)Asn1Object.FromByteArray(privateKeyInfo.ParsePrivateKey().GetDerEncoded());
    if (rsaSequence.Count != 9)
    {
        throw new PemException("Malformed sequence in RSA private key");
    }

    var rsaKey = RsaPrivateKeyStructure.GetInstance(rsaSequence);
    var crtParameters = new RsaPrivateCrtKeyParameters(rsaKey.Modulus, rsaKey.PublicExponent, rsaKey.PrivateExponent, rsaKey.Prime1, rsaKey.Prime2, rsaKey.Exponent1, rsaKey.Exponent2, rsaKey.Coefficient);

    var x509Certificate = withPrivateKey(certificate, crtParameters);

    if (!doNotSetFriendlyName)
    {
        try
        {
            x509Certificate.FriendlyName = ProxyConstants.CNRemoverRegex.Replace(subjectName, string.Empty);
        }
        catch (PlatformNotSupportedException)
        {
            // FriendlyName is not settable on this platform; remember that so later calls skip the attempt.
            doNotSetFriendlyName = true;
        }
    }

    return (x509Certificate);
}
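/// <summary>
/// Creates an application instance certificate (or a CA certificate when <paramref name="isCA"/> is set)
/// with a fresh RSA key pair. The certificate is self-signed unless <paramref name="issuerCAKeyCert"/> is
/// supplied, in which case it is signed with that CA's private key. The result is optionally added to the
/// certificate store named by <paramref name="storeType"/> and <paramref name="storePath"/>.
/// </summary>
/// <param name="storeType">Type of certificate store (Directory) <see cref="CertificateStoreType"/>.</param>
/// <param name="storePath">The store path (syntax depends on storeType); null or empty skips the store.</param>
/// <param name="password">The password to use to protect the certificate.</param>
/// <param name="applicationUri">The application uri (created if not specified).</param>
/// <param name="applicationName">Name of the application (optional if subjectName is specified).</param>
/// <param name="subjectName">The subject used to create the certificate (optional if applicationName is specified).</param>
/// <param name="domainNames">The domain names that can be used to access the server machine (defaults to local computer name if not specified).</param>
/// <param name="keySize">Size of the key (1024, 2048 or 4096).</param>
/// <param name="startTime">The start time.</param>
/// <param name="lifetimeInMonths">The lifetime of the key in months.</param>
/// <param name="hashSizeInBits">The hash size in bits; below 256 selects SHA-1, otherwise SHA-256.</param>
/// <param name="isCA">if set to <c>true</c> then a CA certificate is created.</param>
/// <param name="issuerCAKeyCert">The CA cert with the CA private key, or null for self-signed.</param>
/// <returns>The certificate with a private key.</returns>
/// <exception cref="NotSupportedException"><paramref name="issuerCAKeyCert"/> has no private key.</exception>
/// <exception cref="ArgumentException"><paramref name="storeType"/> is not a known store type.</exception>
public static X509Certificate2 CreateCertificate(
    string storeType,
    string storePath,
    string password,
    string applicationUri,
    string applicationName,
    string subjectName,
    IList<String> domainNames,
    ushort keySize,
    DateTime startTime,
    ushort lifetimeInMonths,
    ushort hashSizeInBits,
    bool isCA,
    X509Certificate2 issuerCAKeyCert)
{
    if (issuerCAKeyCert != null && !issuerCAKeyCert.HasPrivateKey)
    {
        throw new NotSupportedException("Cannot sign with a CA certificate without a private key.");
    }

    // set default values.
    X509Name subjectDN = SetSuitableDefaults(
        ref applicationUri,
        ref applicationName,
        ref subjectName,
        ref domainNames,
        ref keySize,
        ref lifetimeInMonths,
        isCA);

    using (var cfrg = new CertificateFactoryRandomGenerator())
    {
        // cert generators
        SecureRandom random = new SecureRandom(cfrg);
        X509V3CertificateGenerator cg = new X509V3CertificateGenerator();

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        cg.SetSerialNumber(serialNumber);

        X509Name issuerDN;
        if (issuerCAKeyCert != null)
        {
            // .NET renders stateOrProvinceName as "S=" while Bouncy Castle expects "ST=".
            // NOTE: Replace rewrites the whole string, so an attribute *value* containing "S="
            // would be altered too — confirm the CA subject never contains that sequence.
            issuerDN = new X509Name(true, issuerCAKeyCert.Subject.Replace("S=", "ST="));
        }
        else
        {
            // self signed
            issuerDN = subjectDN;
        }
        cg.SetIssuerDN(issuerDN);
        cg.SetSubjectDN(subjectDN);

        // valid for
        cg.SetNotBefore(startTime);
        cg.SetNotAfter(startTime.AddMonths(lifetimeInMonths));

        // Private/Public Key
        var keyGenerationParameters = new KeyGenerationParameters(random, keySize);
        var keyPairGenerator = new RsaKeyPairGenerator();
        keyPairGenerator.Init(keyGenerationParameters);
        AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
        cg.SetPublicKey(subjectKeyPair.Public);

        // add extensions
        // Subject key identifier
        cg.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false,
            new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public)));

        // Basic constraints
        cg.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(isCA));

        // Authority key identifier: must reference the key that signs this certificate, otherwise
        // chain building against the CA fails.
        if (issuerCAKeyCert != null)
        {
            // CA-signed: keyIdentifier form referencing the CA's public key.
            AsymmetricKeyParameter issuerPublicKey;
            using (RSA issuerRsa = issuerCAKeyCert.GetRSAPublicKey())
            {
                RSAParameters issuerParams = issuerRsa.ExportParameters(false);
                issuerPublicKey = new RsaKeyParameters(false, new BigInteger(1, issuerParams.Modulus), new BigInteger(1, issuerParams.Exponent));
            }
            cg.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false,
                new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerPublicKey)));
        }
        else
        {
            // Self-signed: the authority key is the subject key and the issuer serial is our own.
            cg.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false,
                new AuthorityKeyIdentifier(
                    SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public),
                    new GeneralNames(new GeneralName(issuerDN)),
                    serialNumber));
        }

        if (!isCA)
        {
            // Key usage. NOTE: RFC 5280 4.2.1.3 requires the cA bit whenever keyCertSign is asserted;
            // it is kept here because existing peers may expect it — confirm before removing.
            cg.AddExtension(X509Extensions.KeyUsage, true,
                new KeyUsage(KeyUsage.DataEncipherment | KeyUsage.DigitalSignature | KeyUsage.NonRepudiation | KeyUsage.KeyCertSign | KeyUsage.KeyEncipherment));

            // Extended Key usage
            cg.AddExtension(X509Extensions.ExtendedKeyUsage, true,
                new ExtendedKeyUsage(new List<DerObjectIdentifier>()
                {
                    new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), // server auth
                    new DerObjectIdentifier("1.3.6.1.5.5.7.3.2"), // client auth
                }));

            // subject alternate name: the application URI plus every domain name (not just the first).
            var altNames = new List<GeneralName>(domainNames.Count + 1);
            altNames.Add(new GeneralName(GeneralName.UniformResourceIdentifier, applicationUri));
            foreach (string domainName in domainNames)
            {
                altNames.Add(new GeneralName(GeneralName.DnsName, domainName));
            }
            cg.AddExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(altNames.ToArray()));
        }
        else
        {
            // Key usage CA
            cg.AddExtension(X509Extensions.KeyUsage, true,
                new KeyUsage(KeyUsage.CrlSign | KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));
        }

        // sign certificate
        AsymmetricKeyParameter privateKey;
        if (issuerCAKeyCert != null)
        {
            // Convert the CA's .NET RSA private key into Bouncy Castle CRT parameters.
            using (RSA rsa = issuerCAKeyCert.GetRSAPrivateKey())
            {
                RSAParameters rsaParams = rsa.ExportParameters(true);
                privateKey = new RsaPrivateCrtKeyParameters(
                    new BigInteger(1, rsaParams.Modulus),
                    new BigInteger(1, rsaParams.Exponent),
                    new BigInteger(1, rsaParams.D),
                    new BigInteger(1, rsaParams.P),
                    new BigInteger(1, rsaParams.Q),
                    new BigInteger(1, rsaParams.DP),
                    new BigInteger(1, rsaParams.DQ),
                    new BigInteger(1, rsaParams.InverseQ));
            }
        }
        else
        {
            privateKey = subjectKeyPair.Private;
        }

        // SHA-1 signatures are rejected by current validators; only the legacy (<256-bit hash) policy path uses it.
        string signatureAlgorithm = (hashSizeInBits < 256) ? "SHA1WITHRSA" : "SHA256WITHRSA";
        ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, privateKey, random);
        Org.BouncyCastle.X509.X509Certificate x509 = cg.Generate(signatureFactory);

        // create pkcs12 store for cert and private key
        X509Certificate2 certificate;
        using (MemoryStream pfxData = new MemoryStream())
        {
            Pkcs12Store pkcsStore = new Pkcs12StoreBuilder().Build();
            X509CertificateEntry[] chain = new X509CertificateEntry[1];
            // Throw-away passcode; it only protects the in-memory PKCS#12 round trip.
            string passcode = Guid.NewGuid().ToString();
            chain[0] = new X509CertificateEntry(x509);
            pkcsStore.SetKeyEntry(applicationName, new AsymmetricKeyEntry(subjectKeyPair.Private), chain);
            pkcsStore.Save(pfxData, passcode.ToCharArray(), random);

            // merge into X509Certificate2
            certificate = CreateCertificateFromPKCS12(pfxData.ToArray(), passcode);
        }

        Utils.Trace(Utils.TraceMasks.Security, "Created new certificate: {0}", certificate.Thumbprint);

        // add cert to the store.
        if (!String.IsNullOrEmpty(storePath))
        {
            ICertificateStore store;
            if (storeType == CertificateStoreType.X509Store)
            {
                store = new X509CertificateStore();
            }
            else if (storeType == CertificateStoreType.Directory)
            {
                store = new DirectoryCertificateStore();
            }
            else
            {
                throw new ArgumentException("Invalid store type");
            }

            // using guarantees Dispose even when Open/Add throws.
            using (store)
            {
                store.Open(storePath);
                store.Add(certificate, password);
                store.Close();
            }
        }

        // note: this cert has a private key!
        return (certificate);
    }
}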
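/// <summary>
/// Generates a 2048-bit RSA certificate for <paramref name="subject"/> signed with <paramref name="issuerPrivKey"/>,
/// attaches the new private key, and writes a PFX copy to "mypfx2.pfx" in the working directory.
/// </summary>
/// <param name="issuer">Issuer distinguished name.</param>
/// <param name="subject">Subject distinguished name.</param>
/// <param name="issuerPrivKey">Private key used to sign the certificate (SHA-256 with RSA).</param>
/// <returns>The certificate with its private key; its friendly name is "fulu sso".</returns>
public static X509Certificate2 GenerateSelfSignedCertificate(X509Name issuer, X509Name subject, AsymmetricKeyParameter issuerPrivKey)
{
    const int keyStrength = 2048;
    // NOTE: the PFX password and output path are hard-coded; a fixed password in source gives the
    // exported private key no real protection.
    const string pfxPassword = "123456";
    const string pfxPath = "mypfx2.pfx";
    const string friendlyName = "fulu sso";

    //generate random numbers
    CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
    SecureRandom random = new SecureRandom(randomGenerator);
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivKey, random);

    //the certificate generator
    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
    // Intended purpose: TLS server authentication only (critical).
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));

    //serial number
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and Subject Name
    certificateGenerator.SetIssuerDN(issuer);
    certificateGenerator.SetSubjectDN(subject);

    // X.509 validity times are UTC, so derive them from UtcNow rather than local time;
    // start one day in the past to tolerate clock skew.
    DateTime notBefore = DateTime.UtcNow.AddDays(-1);
    DateTime notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    //Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

    // CopyWithPrivateKey returns a new instance, so the friendly name is set on the final object only
    // and the key-less intermediate is disposed.
    X509Certificate2 certificate2;
    using (var publicOnly = new X509Certificate2(DotNetUtilities.ToX509Certificate(certificate)))
    {
        certificate2 = publicOnly.CopyWithPrivateKey(DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)subjectKeyPair.Private));
    }
    certificate2.FriendlyName = friendlyName;

    File.WriteAllBytes(pfxPath, certificate2.Export(X509ContentType.Pfx, pfxPassword));

    return (certificate2);
}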
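/// <summary>
/// Creates a 2048-bit RSA certificate for CN=<paramref name="commonNameValue"/> signed with
/// <paramref name="issuerPrivKey"/> and returns it as an exportable <see cref="X509Certificate2"/>
/// with the private key attached.
/// </summary>
/// <param name="commonNameValue">Value of the subject CN attribute.</param>
/// <param name="issuer">Issuer distinguished name.</param>
/// <param name="issuerPrivKey">Private key used to sign (SHA-512 with RSA).</param>
/// <param name="isClientCertificate">true: extended key usage clientAuth only; false: serverAuth and clientAuth.</param>
/// <param name="isCaCertificate">true: adds basicConstraints CA:TRUE with pathLen 0 and keyUsage keyCertSign|cRLSign.</param>
/// <param name="yearsUntilExpiration">Validity in years, counted from seven days before the current UTC date.</param>
/// <returns>The certificate with its private key.</returns>
public static X509Certificate2 CreateSelfSignedCertificateBasedOnPrivateKey(string commonNameValue, X509Name issuer, AsymmetricKeyParameter issuerPrivKey, bool isClientCertificate, bool isCaCertificate, int yearsUntilExpiration)
{
    const int keyStrength = 2048;

    // Generating Random Numbers
    var random = GetSeededSecureRandom();
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);

    // The Certificate Generator
    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

    if (isClientCertificate)
    {
        certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
    }
    else
    {
        certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth));
    }

    if (isCaCertificate)
    {
        // pathLen 0: this CA may issue end-entity certificates only, not subordinate CAs.
        certificateGenerator.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(0));
        certificateGenerator.AddExtension(X509Extensions.KeyUsage.Id, false, new X509KeyUsage(X509KeyUsage.KeyCertSign | X509KeyUsage.CrlSign));
    }

    // Serial Number
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and Subject Name
    X509Name subjectDN = new X509Name("CN=" + commonNameValue);
    certificateGenerator.SetIssuerDN(issuer);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Valid For: back-dated a week to tolerate clock skew between peers.
    DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
    DateTime notAfter = notBefore.AddYears(yearsUntilExpiration);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

    // Round-trip through an in-memory PKCS#12 (empty password) to pair the key with the certificate.
    var store = new Pkcs12Store();
    string friendlyName = certificate.SubjectDN.ToString();
    var certificateEntry = new X509CertificateEntry(certificate);
    store.SetCertificateEntry(friendlyName, certificateEntry);
    store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });

    // The stream is disposed after the bytes are copied out; the original left it open.
    using (var stream = new MemoryStream())
    {
        store.Save(stream, new char[0], random);
        // PersistKeySet keeps the private key in the platform key store beyond this object's lifetime
        // (Windows) and Exportable lets it be read back out — both widen key exposure; confirm intended.
        return new X509Certificate2(
            stream.ToArray(),
            (string)null,
            X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
    }
}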
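/// <summary>
/// Entry point. Reads an INI-style description ([PrivateKey], [Subject], [Generator] sections) from
/// args[0], generates or loads the key pair, builds the certificate (self-signed when Issuer is "this",
/// otherwise signed by the key in the issuer PKCS#12), and writes certificate plus key to a PKCS#12 file.
/// Errors are reported on stderr and end the run; on success the output path and fingerprint go to stdout.
/// </summary>
/// <param name="args">args[0] is the configuration file path; the default Output is that path with a .pfx extension.</param>
public static void Main(string[] args)
{
    if (args == null || args.Length == 0)
    {
        Console.Error.WriteLine("Usage: <config-file>");
        return;
    }

    var x509NameOids = CreateX509NameOidMapping();
    var oids = new List<DerObjectIdentifier>();
    var values = new List<string>();
    var privateKey = new PrivateKeyOptions();
    var options = new GeneratorOptions();
    AsymmetricCipherKeyPair key;
    string section = null;
    string alias = null;

    options.Output = Path.ChangeExtension(args[0], ".pfx");

    using (var reader = File.OpenText(args[0]))
    {
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            // Blank lines and '#' comments are skipped.
            if (line.Length == 0 || line[0] == '#')
            {
                continue;
            }

            if (line[0] == '[')
            {
                int endIndex = line.IndexOf(']');
                if (endIndex == -1)
                {
                    // The original format string had no placeholder, so the offending line was never printed.
                    Console.Error.WriteLine("Incomplete section: {0}", line);
                    return;
                }
                section = line.Substring(1, endIndex - 1);
                continue;
            }

            if (section == null)
            {
                Console.Error.WriteLine("Property outside of any section: {0}", line);
                return;
            }

            // "Property = Value": split on the first '=' only so values may contain '='.
            var kvp = line.Split(new char[] { '=' }, 2);
            if (kvp.Length != 2)
            {
                Console.Error.WriteLine("Malformed property line: {0}", line);
                return;
            }
            var property = kvp[0].ToLowerInvariant().Trim();
            var value = kvp[1].Trim();

            switch (section.ToLowerInvariant())
            {
                case "privatekey":
                    switch (property)
                    {
                        case "algorithm":
                            privateKey.Algorithm = value;
                            break;
                        case "bitlength":
                            if (int.TryParse(value, out int bitLength))
                            {
                                privateKey.BitLength = bitLength;
                            }
                            else
                            {
                                Console.Error.WriteLine("Invalid [PrivateKey] BitLength: {0}", value);
                                return;
                            }
                            break;
                        case "filename":
                            privateKey.FileName = value;
                            break;
                        default:
                            Console.Error.WriteLine("Unknown [PrivateKey] property: {0}", kvp[0]);
                            return;
                    }
                    break;
                case "subject":
                    if (x509NameOids.TryGetValue(property, out DerObjectIdentifier oid))
                    {
                        // The CN (or, failing that, the first E) becomes the PKCS#12 key alias.
                        if (oid == X509Name.CN)
                        {
                            alias = value;
                        }
                        else if (alias == null && oid == X509Name.E)
                        {
                            alias = value;
                        }
                        values.Add(value);
                        oids.Add(oid);
                    }
                    else
                    {
                        Console.Error.WriteLine("Unknown [Subject] property: {0}", kvp[0]);
                        return;
                    }
                    break;
                case "generator":
                    switch (property)
                    {
                        case "basicconstraints":
                            options.BasicConstraints = value;
                            break;
                        case "daysvalid":
                            if (int.TryParse(value, out int days))
                            {
                                options.DaysValid = days;
                            }
                            else
                            {
                                Console.Error.WriteLine("Invalid [Generator] DaysValid: {0}", value);
                                return;
                            }
                            break;
                        case "issuer":
                            options.Issuer = value;
                            break;
                        case "issuerpassword":
                            options.IssuerPassword = value;
                            break;
                        case "keyusage":
                            options.KeyUsage = value;
                            break;
                        case "output":
                            options.Output = value;
                            break;
                        case "password":
                            options.Password = value;
                            break;
                        case "signaturealgorithm":
                            options.SignatureAlgorithm = value;
                            break;
                        default:
                            Console.Error.WriteLine("Unknown [Generator] property: {0}", kvp[0]);
                            return;
                    }
                    break;
                default:
                    // Unknown sections are reported but not fatal.
                    Console.Error.WriteLine("Unknown section: {0}", section);
                    break;
            }
        }
    }

    // Sanity Checks
    if (!string.IsNullOrEmpty(privateKey.FileName) && !File.Exists(privateKey.FileName))
    {
        Console.Error.WriteLine("[PrivateKey] FileName `{0}' does not exist!", privateKey.FileName);
        return;
    }

    if (oids.Count == 0)
    {
        Console.Error.WriteLine("No [Subject] specified.");
        return;
    }

    if (string.IsNullOrEmpty(options.Issuer))
    {
        Console.Error.WriteLine("[Generator] Issuer property cannot be empty!");
        return;
    }
    else if (options.Issuer != "this" && !File.Exists(options.Issuer))
    {
        Console.Error.WriteLine("[Generator] Issuer `{0}' does not exist!", options.Issuer);
        return;
    }

    if (string.IsNullOrEmpty(options.Output))
    {
        Console.Error.WriteLine("[Generator] Output property cannot be empty!");
        return;
    }

    // Checked up front: a null password used to surface as a NullReferenceException after the
    // output file had already been created.
    if (options.Password == null)
    {
        Console.Error.WriteLine("[Generator] Password property must be specified!");
        return;
    }

    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    var subject = new X509Name(oids, values);

    // Key pair: generated fresh, or loaded from [PrivateKey] FileName.
    if (string.IsNullOrEmpty(privateKey.FileName))
    {
        var keyGenerationParameters = new KeyGenerationParameters(random, privateKey.BitLength);
        IAsymmetricCipherKeyPairGenerator keyPairGenerator;

        switch (privateKey.Algorithm.ToLowerInvariant())
        {
            case "rsa":
                keyPairGenerator = new RsaKeyPairGenerator();
                break;
            case "ecdsa":
                keyPairGenerator = new ECKeyPairGenerator("ECDSA");
                break;
            default:
                Console.Error.WriteLine("Unsupported PrivateKey algorithm: {0}", privateKey.Algorithm);
                return;
        }

        keyPairGenerator.Init(keyGenerationParameters);
        key = keyPairGenerator.GenerateKeyPair();
    }
    else
    {
        try
        {
            key = LoadAsymmetricCipherKeyPair(privateKey.FileName);
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("[PrivateKey] Failed to load `{0}': {1}", privateKey.FileName, ex.Message);
            return;
        }
    }

    // Issuer: "this" means self-signed, otherwise a PKCS#12 holding the signing key and chain.
    AsymmetricKeyParameter signingKey;
    X509Certificate issuerCertificate;
    X509Certificate[] chain;
    X509Name issuer;

    if (options.Issuer != "this")
    {
        try
        {
            chain = LoadPkcs12CertificateChain(options.Issuer, options.IssuerPassword, out signingKey);
            issuerCertificate = chain[0];
            issuer = chain[0].SubjectDN;
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("[Generator] failed to load `{0}': {1}", options.Issuer, ex.Message);
            return;
        }
    }
    else
    {
        chain = new X509Certificate[0];
        issuerCertificate = null;
        signingKey = key.Private;
        issuer = subject;
    }

    // Signature algorithm: explicit from [Generator], otherwise chosen from the signing key type.
    string signatureAlgorithm;
    if (string.IsNullOrEmpty(options.SignatureAlgorithm))
    {
        if (signingKey is RsaPrivateCrtKeyParameters)
        {
            signatureAlgorithm = "SHA256WithRSA";
        }
        else if (signingKey is ECPrivateKeyParameters ec)
        {
            if (ec.AlgorithmName == "ECGOST3410")
            {
                signatureAlgorithm = "GOST3411WithECGOST3410";
            }
            else
            {
                signatureAlgorithm = "SHA256withECDSA";
            }
        }
        else
        {
            signatureAlgorithm = "GOST3411WithGOST3410";
        }
    }
    else
    {
        signatureAlgorithm = options.SignatureAlgorithm;
    }

    // Serial number: taken from a [Subject] SerialNumber attribute when given, otherwise random.
    int serialNumberIndex = oids.IndexOf(X509Name.SerialNumber);
    BigInteger serialNumber;
    if (serialNumberIndex == -1)
    {
        serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
    }
    else
    {
        try
        {
            serialNumber = new BigInteger(values[serialNumberIndex]);
        }
        catch
        {
            Console.Error.WriteLine("Invalid [Subject] SerialNumber: {0}", values[serialNumberIndex]);
            return;
        }
    }

    var notBefore = DateTime.UtcNow;
    var notAfter = notBefore.AddDays(options.DaysValid);

    var signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, signingKey, random);
    var generator = new X509V3CertificateGenerator();
    generator.SetSerialNumber(serialNumber);
    generator.SetPublicKey(key.Public);
    generator.SetNotBefore(notBefore);
    generator.SetNotAfter(notAfter);
    generator.SetSubjectDN(subject);
    generator.SetIssuerDN(issuer);
    generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(key.Public));

    if (issuerCertificate != null)
    {
        generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCertificate));
    }

    // BasicConstraints: comma-separated "critical", "ca:true", "ca:false".
    if (!string.IsNullOrEmpty(options.BasicConstraints))
    {
        var basicConstraints = options.BasicConstraints.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        bool critical = false;
        bool ca = false;

        foreach (var constraint in basicConstraints)
        {
            switch (constraint.Trim().ToLowerInvariant())
            {
                case "critical":
                    critical = true;
                    break;
                case "ca:false":
                    ca = false;
                    break;
                case "ca:true":
                    ca = true;
                    break;
            }
        }

        generator.AddExtension(X509Extensions.BasicConstraints, critical, new BasicConstraints(ca));
    }

    // KeyUsage: comma-separated bit names plus optional "critical"; unknown names are ignored.
    if (!string.IsNullOrEmpty(options.KeyUsage))
    {
        var keyUsages = options.KeyUsage.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        bool critical = false;
        int keyUsage = 0;

        foreach (var usage in keyUsages)
        {
            switch (usage.Trim().ToLowerInvariant())
            {
                case "critical":
                    critical = true;
                    break;
                case "digitalsignature":
                    keyUsage |= X509KeyUsage.DigitalSignature;
                    break;
                case "nonrepudiation":
                    keyUsage |= X509KeyUsage.NonRepudiation;
                    break;
                case "keyencipherment":
                    keyUsage |= X509KeyUsage.KeyEncipherment;
                    break;
                case "dataencipherment":
                    keyUsage |= X509KeyUsage.DataEncipherment;
                    break;
                case "keyagreement":
                    keyUsage |= X509KeyUsage.KeyAgreement;
                    break;
                case "keycertsign":
                    keyUsage |= X509KeyUsage.KeyCertSign;
                    break;
                case "crlsign":
                    keyUsage |= X509KeyUsage.CrlSign;
                    break;
                case "encipheronly":
                    keyUsage |= X509KeyUsage.EncipherOnly;
                    break;
                case "decipheronly":
                    keyUsage |= X509KeyUsage.DecipherOnly;
                    break;
            }
        }

        generator.AddExtension(X509Extensions.KeyUsage, critical, new KeyUsage(keyUsage));
    }

    var certificate = generator.Generate(signatureFactory);

    // PKCS#12: new certificate first, followed by the issuer chain.
    var keyEntry = new AsymmetricKeyEntry(key.Private);
    var chainEntries = new X509CertificateEntry[chain.Length + 1];
    chainEntries[0] = new X509CertificateEntry(certificate);
    for (int i = 0; i < chain.Length; i++)
    {
        chainEntries[i + 1] = new X509CertificateEntry(chain[i]);
    }

    var pkcs12 = new Pkcs12Store();
    pkcs12.SetKeyEntry(alias ?? string.Empty, keyEntry, chainEntries);

    using (var stream = File.Create(options.Output))
    {
        pkcs12.Save(stream, options.Password.ToCharArray(), random);
    }

    Console.WriteLine("{0} {1}", options.Output, GetFingerprint(certificate));
}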
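/// <summary>
/// Creates a one-year self-signed RSA-2048 agent certificate whose subject and issuer are
/// "CN={workspaceId}, CN={agentGuid}, OU=Linux Monitoring Agent, O=Microsoft", prints it to the console,
/// and writes the PEM certificate and the unencrypted PEM private key to the paths given by the
/// CI_CRT_LOCATION / CI_KEY_LOCATION environment variables (defaults C://oms.crt and C://oms.key).
/// </summary>
/// <param name="agentGuid">Agent identifier; second CN attribute and PKCS#12 key alias prefix.</param>
/// <param name="logAnalyticsWorkspaceId">Workspace identifier; first CN attribute.</param>
/// <returns>The certificate with an exportable private key.</returns>
private static X509Certificate2 CreateSelfSignedCertificate(string agentGuid, string logAnalyticsWorkspaceId)
{
    var random = new SecureRandom();
    var certificateGenerator = new X509V3CertificateGenerator();

    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    var dirName = string.Format("CN={0}, CN={1}, OU=Linux Monitoring Agent, O=Microsoft", logAnalyticsWorkspaceId, agentGuid);
    X509Name certName = new X509Name(dirName);
    certificateGenerator.SetIssuerDN(certName);
    certificateGenerator.SetSubjectDN(certName);

    // Validity: today (UTC) for one year; the date is read once so both bounds cannot straddle midnight.
    DateTime notBefore = DateTime.UtcNow.Date;
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notBefore.AddYears(1));

    const int strength = 2048;
    var keyGenerationParameters = new KeyGenerationParameters(random, strength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // PEM-encode the (unencrypted) private key for the key file.
    string privateKeyString;
    using (var textWriter = new StringWriter())
    {
        var pemWriter = new PemWriter(textWriter);
        pemWriter.WriteObject(subjectKeyPair.Private);
        pemWriter.Writer.Flush();
        privateKeyString = textWriter.ToString();
    }

    // No extendedKeyUsage / authorityKeyIdentifier extensions are added: the original author found the
    // ODS endpoint only accepted the certificate without them.
    var issuerKeyPair = subjectKeyPair;
    var signatureFactory = new Asn1SignatureFactory(Constants.DEFAULT_SIGNATURE_ALOGIRTHM, issuerKeyPair.Private);
    var bouncyCert = certificateGenerator.Generate(signatureFactory);

    // Convert to X509Certificate2 through an in-memory PKCS#12 protected by a throw-away password.
    X509Certificate2 certificate;
    Pkcs12Store store = new Pkcs12StoreBuilder().Build();
    store.SetKeyEntry($"{agentGuid}_key", new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { new X509CertificateEntry(bouncyCert) });
    string exportpw = Guid.NewGuid().ToString("x");
    using (var ms = new MemoryStream())
    {
        store.Save(ms, exportpw.ToCharArray(), random);
        certificate = new X509Certificate2(ms.ToArray(), exportpw, X509KeyStorageFlags.Exportable);
    }

    // Display the certificate (public data only) on the console.
    Console.WriteLine(certificate.ToString(true));

    //Get Certificate in PEM format
    StringBuilder builder = new StringBuilder();
    builder.AppendLine("-----BEGIN CERTIFICATE-----");
    builder.AppendLine(Convert.ToBase64String(certificate.RawData, Base64FormattingOptions.InsertLineBreaks));
    builder.AppendLine("-----END CERTIFICATE-----");

    Console.WriteLine("Writing certificate and key to two files");
    string crt_location = ResolveCertificateFileLocation("CI_CRT_LOCATION", "C://oms.crt");
    string key_location = ResolveCertificateFileLocation("CI_KEY_LOCATION", "C://oms.key");

    File.WriteAllText(crt_location, builder.ToString());
    // The key file holds the unencrypted private key and gets the process's default file permissions.
    File.WriteAllText(key_location, privateKeyString);

    return (certificate);
}

/// <summary>
/// Returns the value of environment variable <paramref name="variableName"/> when it is set and
/// non-empty, otherwise <paramref name="fallback"/>. A failure to read the variable is logged and
/// treated as "not set".
/// </summary>
private static string ResolveCertificateFileLocation(string variableName, string fallback)
{
    try
    {
        string configured = Environment.GetEnvironmentVariable(variableName);
        if (!String.IsNullOrEmpty(configured))
        {
            return configured;
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine("Reading env variables (" + variableName + ") is too much to ask for " + ex.Message);
    }
    return fallback;
}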
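/// <summary>
/// Creates a self signed application instance certificate, or one signed by
/// <paramref name="issuerCAKeyCert"/> when an issuer is supplied.
/// </summary>
/// <param name="storeType">Type of certificate store (Directory) <see cref="CertificateStoreType"/>.</param>
/// <param name="storePath">The store path (syntax depends on storeType).</param>
/// <param name="password">The password to use to protect the certificate.</param>
/// <param name="applicationUri">The application uri (created if not specified).</param>
/// <param name="applicationName">Name of the application (optional if subjectName is specified).</param>
/// <param name="subjectName">The subject used to create the certificate (optional if applicationName is specified).</param>
/// <param name="domainNames">The domain names that can be used to access the server machine (defaults to local computer name if not specified).</param>
/// <param name="keySize">Size of the key (1024, 2048 or 4096).</param>
/// <param name="startTime">The start time.</param>
/// <param name="lifetimeInMonths">The lifetime of the key in months.</param>
/// <param name="hashSizeInBits">The hash size in bits.</param>
/// <param name="isCA">if set to <c>true</c> then a CA certificate is created.</param>
/// <param name="issuerCAKeyCert">The CA cert with the CA private key.</param>
/// <param name="publicKey">Optional encoded subject public key (as accepted by <c>PublicKeyFactory.CreateKey</c>).
/// When given, no key pair is generated and the returned certificate carries no private key;
/// requires <paramref name="issuerCAKeyCert"/>.</param>
/// <returns>The certificate with a private key (without one when <paramref name="publicKey"/> is supplied).</returns>
/// <exception cref="NotSupportedException">The issuer certificate has no private key, or a public key was
/// supplied without an issuer certificate.</exception>
/// <exception cref="ArgumentException"><paramref name="storeType"/> is not a known store type.</exception>
public static X509Certificate2 CreateCertificate(
    string storeType,
    string storePath,
    string password,
    string applicationUri,
    string applicationName,
    string subjectName,
    IList<String> domainNames,
    ushort keySize,
    DateTime startTime,
    ushort lifetimeInMonths,
    ushort hashSizeInBits,
    bool isCA = false,
    X509Certificate2 issuerCAKeyCert = null,
    byte[] publicKey = null)
{
    if (issuerCAKeyCert != null && !issuerCAKeyCert.HasPrivateKey)
    {
        throw new NotSupportedException("Cannot sign with a CA certificate without a private key.");
    }

    if (publicKey != null && issuerCAKeyCert == null)
    {
        throw new NotSupportedException("Cannot use a public key without a CA certificate with a private key.");
    }

    // set default values.
    X509Name subjectDN = SetSuitableDefaults(
        ref applicationUri,
        ref applicationName,
        ref subjectName,
        ref domainNames,
        ref keySize,
        ref lifetimeInMonths);

    using (var cfrg = new CertificateFactoryRandomGenerator())
    {
        // cert generators
        SecureRandom random = new SecureRandom(cfrg);
        X509V3CertificateGenerator cg = new X509V3CertificateGenerator();

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        cg.SetSerialNumber(serialNumber);

        // subject and issuer DN
        X509Name issuerDN;
        if (issuerCAKeyCert != null)
        {
            issuerDN = new CertificateFactoryX509Name(issuerCAKeyCert.Subject);
        }
        else
        {
            // self signed
            issuerDN = subjectDN;
        }
        cg.SetIssuerDN(issuerDN);
        cg.SetSubjectDN(subjectDN);

        // valid for
        cg.SetNotBefore(startTime);
        cg.SetNotAfter(startTime.AddMonths(lifetimeInMonths));

        // set Private/Public Key
        AsymmetricKeyParameter subjectPublicKey;
        AsymmetricKeyParameter subjectPrivateKey;
        if (publicKey == null)
        {
            var keyGenerationParameters = new KeyGenerationParameters(random, keySize);
            var keyPairGenerator = new RsaKeyPairGenerator();
            keyPairGenerator.Init(keyGenerationParameters);
            AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
            subjectPublicKey = subjectKeyPair.Public;
            subjectPrivateKey = subjectKeyPair.Private;
        }
        else
        {
            // special case, if a cert is signed by CA, the private key of the cert is not needed
            subjectPublicKey = PublicKeyFactory.CreateKey(publicKey);
            subjectPrivateKey = null;
        }
        cg.SetPublicKey(subjectPublicKey);

        // add extensions
        // Subject key identifier
        cg.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false,
            new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectPublicKey)));

        // Basic constraints
        cg.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(isCA));

        // Authority Key identifier references the issuer cert or itself when self signed
        AsymmetricKeyParameter issuerPublicKey;
        BigInteger issuerSerialNumber;
        if (issuerCAKeyCert != null)
        {
            issuerPublicKey = GetPublicKeyParameter(issuerCAKeyCert);
            issuerSerialNumber = GetSerialNumber(issuerCAKeyCert);
            // A certificate must not outlive its issuer: clamp NotAfter to the issuer's.
            // NOTE(review): X509Certificate2.NotAfter is reported in local time while startTime may be UTC — confirm.
            if (startTime.AddMonths(lifetimeInMonths) > issuerCAKeyCert.NotAfter)
            {
                cg.SetNotAfter(issuerCAKeyCert.NotAfter);
            }
        }
        else
        {
            issuerPublicKey = subjectPublicKey;
            issuerSerialNumber = serialNumber;
        }
        cg.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false,
            new AuthorityKeyIdentifier(
                SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerPublicKey),
                new GeneralNames(new GeneralName(issuerDN)),
                issuerSerialNumber));

        if (!isCA)
        {
            // Key usage
            // NOTE(review): KeyCertSign on an end-entity certificate (cA=false above) is inconsistent with
            // RFC 5280 4.2.1.3; kept because existing peers may expect it — confirm before removing.
            cg.AddExtension(X509Extensions.KeyUsage, true,
                new KeyUsage(KeyUsage.DataEncipherment | KeyUsage.DigitalSignature |
                             KeyUsage.NonRepudiation | KeyUsage.KeyCertSign | KeyUsage.KeyEncipherment));

            // Extended Key usage
            cg.AddExtension(X509Extensions.ExtendedKeyUsage, true,
                new ExtendedKeyUsage(new List<DerObjectIdentifier>()
                {
                    new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), // server auth
                    new DerObjectIdentifier("1.3.6.1.5.5.7.3.2"), // client auth
                }));

            // subject alternate name
            List<GeneralName> generalNames = new List<GeneralName>();
            generalNames.Add(new GeneralName(GeneralName.UniformResourceIdentifier, applicationUri));
            generalNames.AddRange(CreateSubjectAlternateNameDomains(domainNames));
            cg.AddExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(generalNames.ToArray()));
        }
        else
        {
            // Key usage CA
            cg.AddExtension(X509Extensions.KeyUsage, true,
                new KeyUsage(KeyUsage.CrlSign | KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));
        }

        // sign certificate
        AsymmetricKeyParameter signingKey;
        if (issuerCAKeyCert != null)
        {
            // signed by issuer
            signingKey = GetPrivateKeyParameter(issuerCAKeyCert);
        }
        else
        {
            // self signed
            signingKey = subjectPrivateKey;
        }
        ISignatureFactory signatureFactory = new Asn1SignatureFactory(GetRSAHashAlgorithm(hashSizeInBits), signingKey, random);
        Org.BouncyCastle.X509.X509Certificate x509 = cg.Generate(signatureFactory);

        // convert to X509Certificate2
        X509Certificate2 certificate;
        if (subjectPrivateKey == null)
        {
            // create the cert without the private key
            certificate = new X509Certificate2(x509.GetEncoded());
        }
        else
        {
            // note: this cert has a private key!
            certificate = CreateCertificateWithPrivateKey(x509, null, subjectPrivateKey, random);
        }

        Utils.Trace(Utils.TraceMasks.Security, "Created new certificate: {0}", certificate.Thumbprint);

        // add cert to the store.
        if (!string.IsNullOrEmpty(storePath) && !string.IsNullOrEmpty(storeType))
        {
            using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(storeType))
            {
                if (store == null)
                {
                    throw new ArgumentException("Invalid store type", nameof(storeType));
                }
                store.Open(storePath);
                // NOTE(review): synchronous wait on an async store API; a failure surfaces as AggregateException.
                // Kept because this method is synchronous.
                store.Add(certificate, password).Wait();
                store.Close();
            }
        }

        return certificate;
    }
}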
/// <summary>
/// Draws a random certificate serial number in the range [1, Int64.MaxValue] from <paramref name="random"/>.
/// </summary>
/// <param name="random">Random source used for the draw.</param>
/// <returns>The serial number as a BouncyCastle <c>BigInteger</c>.</returns>
static BigInteger GenerateSerialNumber(SecureRandom random)
{
    BigInteger lowerBound = BigInteger.One;
    BigInteger upperBound = BigInteger.ValueOf(Int64.MaxValue);
    return BigIntegers.CreateRandomInRange(lowerBound, upperBound, random);
}
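/// <summary>
/// Test driver: loads an RSA key pair from <c>D:\test.key</c>, builds a self signed certificate that
/// exercises a wide range of X.509 extensions and writes the certificate together with the private key
/// to <c>D:\test.pem</c>.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    PolicyInformation[] certPolicies = new PolicyInformation[2];
    certPolicies[0] = new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.2.1.11.5"));
    certPolicies[1] = new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.2.1.11.18"));

    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    var certificateGenerator = new X509V3CertificateGenerator();

    // serial
    var serialNumber = BigIntegers.CreateRandomInRange(
        BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // sig alg: SHA-1 signatures are rejected by current validators, so sign with SHA-256.
    const string signatureAlgorithm = "SHA256WithRSA";
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    // Subjects (issuer == subject: self signed)
    var subjectDN = new X509Name("CN=localhost, O=Arsslensoft, C=TN,surname=Idadi,givenname=Arsslen, uniqueidentifier=15002060,businesscategory=Production,initials=Hello, gender=male, placeofbirth=El Manar, pseudonym=Arsslinko, postaladdress=2076, countryofcitizenship=TN, countryofresidence=TN,telephonenumber=53299093");
    var issuerDN = subjectDN;
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Validity: NotBefore is five hours before today's UTC midnight, presumably to absorb clock skew.
    var notBefore = DateTime.UtcNow.Date.Subtract(new TimeSpan(5, 0, 0));
    var notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Key pair: read from disk, not generated. (An earlier version also set up an unused
    // 512-bit RsaKeyPairGenerator and experimented with EC/DSA generators; that dead code is gone.)
    AsymmetricCipherKeyPair subjectKeyPair;
    using (var str = new StreamReader("D:\\test.key"))
    {
        PemReader pem = new PemReader(str);
        subjectKeyPair = pem.ReadObject() as AsymmetricCipherKeyPair;
        if (subjectKeyPair == null)
        {
            throw new InvalidOperationException("D:\\test.key does not contain an unencrypted PEM key pair.");
        }
    }
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // ext X509Extensions
    certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectKeyPair.Public));
    certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(subjectKeyPair.Public));
    certificateGenerator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false));

    // key usage
    certificateGenerator.AddExtension(
        X509Extensions.KeyUsage,
        true,
        new KeyUsage(KeyUsage.KeyAgreement | KeyUsage.DataEncipherment | KeyUsage.DigitalSignature));

    // extended key usage
    var usages = new[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth };
    ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(usages);
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, extendedKeyUsage);

    // Test Policy (built but, like certPolicies, not attached — the CertificatePolicies extension stays disabled)
    DerSequence seq = CreatePolicyInformationsSequence("http://www.arsslensoft.com", "Arsslensoft", "1.3.6.1.4.1.23823.1.1.1", "Test Notice");
    // certificateGenerator.AddExtension(X509Extensions.CertificatePolicies, false, new DerSequence(certPolicies));

    // Name constraints: the single subtree is passed as the *excluded* set.
    List<GeneralSubtree> ees = new List<GeneralSubtree>();
    ees.Add(new GeneralSubtree(new GeneralName(GeneralName.UniformResourceIdentifier, "http://www.google.com")));
    certificateGenerator.AddExtension(X509Extensions.NameConstraints, true, new NameConstraints(null, ees));

    // The next three extensions are marked critical; a validator that does not understand a critical
    // extension must reject the certificate, so this output is for testing parsers only.
    certificateGenerator.AddExtension(X509Extensions.NetscapeComment, true, new DerVisibleString("NS COMMENT"));
    certificateGenerator.AddExtension(X509Extensions.NetscapeBaseUrl, true, new DerIA5String("http://www.google.com"));
    certificateGenerator.AddExtension(X509Extensions.InhibitAnyPolicy, true, new DerInteger(12));

    // Policy constraints (disabled)
    byte inhibit = 12;
    byte explicitc = 12;
    // certificateGenerator.AddExtension(X509Extensions.PolicyConstraints, false, new DerOctetSequence(new byte[] { 128, 1, explicitc, 129, 1, inhibit }));
    certificateGenerator.AddExtension(X509Extensions.NetscapeCertUsage, false, new KeyUsage(KeyUsage.KeyAgreement));
    certificateGenerator.AddExtension(X509Extensions.AuthorityInfoAccess, false, CreateAuthorityAccessInformationSequence("http://www.arsslensoft.com", null));

    // Subject / Issuer Alternative name
    GeneralName altName = new GeneralName(GeneralName.DnsName, "localhost");
    GeneralNames subjectAltName = new GeneralNames(altName);
    certificateGenerator.AddExtension(X509Extensions.IssuerAlternativeName, false, subjectAltName);
    certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);

    // CRL Distribution Points
    DistributionPointName distPointOne = new DistributionPointName(new GeneralNames(
        new GeneralName(GeneralName.UniformResourceIdentifier, "http://crl.somewebsite.com/master.crl")));
    GeneralNames gns = new GeneralNames(new GeneralName[]
    {
        new GeneralName(GeneralName.UniformResourceIdentifier, "ldap://crl.somewebsite.com/cn%3dSecureCA%2cou%3dPKI%2co%3dCyberdyne%2cc%3dUS?certificaterevocationlist;binary"),
        new GeneralName(GeneralName.Rfc822Name, "Arslen")
    });
    DistributionPointName distPointTwo = new DistributionPointName(gns);
    DistributionPoint[] distPoints = new DistributionPoint[2];
    distPoints[0] = new DistributionPoint(distPointOne, null, null);
    distPoints[1] = new DistributionPoint(distPointTwo, null, gns);
    // IssuingDistributionPoint is a CRL extension; it is attached to a certificate here purely as a parser test.
    IssuingDistributionPoint iss = new IssuingDistributionPoint(distPointOne, false, true, null, false, false);
    certificateGenerator.AddExtension(X509Extensions.IssuingDistributionPoint, false, iss);
    certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(distPoints));

    // Biometric (constructed sample digests, not real biometric data)
    Asn1EncodableVector v = new Asn1EncodableVector();
    BiometricData bdat = new BiometricData(
        new TypeOfBiometricData(TypeOfBiometricData.HandwrittenSignature),
        new AlgorithmIdentifier(new DerObjectIdentifier("1.3.14.3.2.26")),
        new DerOctetString(new byte[] { 169, 74, 143, 229, 204, 177, 155, 166, 28, 76, 8, 115, 211, 145, 233, 135, 152, 47, 187, 211 }),
        new DerIA5String("http://www.google.com"));
    v.Add(bdat);
    v.Add(new BiometricData(
        new TypeOfBiometricData(TypeOfBiometricData.HandwrittenSignature),
        new AlgorithmIdentifier(new DerObjectIdentifier("1.3.14.3.2.26")),
        new DerOctetString(new byte[] { 169, 74, 143, 229, 204, 177, 155, 166, 28, 76, 8, 115, 211, 145, 233, 135, 152, 47, 187, 211 }),
        new DerIA5String("http://www.google.co")));
    certificateGenerator.AddExtension(X509Extensions.BiometricInfo, false, new DerSequenceOf(v));

    QCStatement st = new QCStatement(Rfc3739QCObjectIdentifiers.IdQcs);
    certificateGenerator.AddExtension(X509Extensions.QCStatements, false, st);

    certificateGenerator.AddExtension(X509Extensions.SubjectInfoAccess, false, CreateAuthorityAccessInformationSequence("http://www.arsslensoft.com", null));

    // NOTE(review): PrivateKeyUsagePeriod uses local time while the validity period above uses UTC — confirm which is intended.
    PrivateKeyUsagePeriod kup = new PrivateKeyUsagePeriod(DateTime.Now, DateTime.Now.AddYears(2));
    certificateGenerator.AddExtension(X509Extensions.PrivateKeyUsagePeriod, false, new DerSequence(kup));

    // generate
    var issuerKeyPair = subjectKeyPair;
    var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);

    // Certificate and private key go to the same PEM file; the key is written unencrypted.
    using (var wstr = new StreamWriter(Path.ChangeExtension("D:\\test.crt", ".pem"), false))
    {
        PemWriter pemWriter = new PemWriter(wstr);
        pemWriter.WriteObject(certificate);
        pemWriter.WriteObject(issuerKeyPair.Private);
        wstr.Flush();
    }
}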
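/// <summary>
/// Generates a 2048 bit RSA key pair and a two year certificate for <paramref name="subjectName"/>,
/// signed (SHA512withRSA) with <paramref name="issuerPrivKey"/> under <paramref name="issuerName"/>.
/// Despite the name it is only self signed when the issuer key is the subject's own key.
/// </summary>
/// <param name="subjectName">Distinguished name of the subject, e.g. "CN=example".</param>
/// <param name="issuerName">Distinguished name placed in the issuer field.</param>
/// <param name="issuerPrivKey">Private key that produces the certificate signature.</param>
/// <returns>The certificate with the newly generated subject private key attached.</returns>
/// <exception cref="InvalidOperationException">The generated key does not encode as a nine-field RSA private key.</exception>
public static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivKey)
{
    const int keyStrength = 2048;

    // Generating Random Numbers
    CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
    SecureRandom random = new SecureRandom(randomGenerator);
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);

    // The Certificate Generator
    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));

    // Serial Number
    BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and Subject Name
    X509Name subjectDN = new X509Name(subjectName);
    X509Name issuerDN = new X509Name(issuerName);
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Valid For
    DateTime notBefore = DateTime.UtcNow.Date;
    DateTime notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Generating the Certificate, signed with issuerPrivKey (the former unused issuerKeyPair local is gone)
    var certificate = certificateGenerator.Generate(signatureFactory);

    // corresponding private key
    PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
    Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
    if (seq.Count != 9)
    {
        // RSAPrivateKey (RFC 8017, A.1.2) has nine fields; anything else would be mis-decoded below,
        // so fail loudly instead of silently continuing as the previous version did.
        throw new InvalidOperationException("malformed sequence in RSA private key");
    }
    RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
    RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
        rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

    // merge into X509Certificate2; the key-less intermediate is disposed once the copy exists.
    // The RSA object is deliberately not disposed: the returned certificate references it.
    using (X509Certificate2 x509 = new X509Certificate2(certificate.GetEncoded()))
    {
        return x509.CopyWithPrivateKey(DotNetUtilities.ToRSA(rsaparams));
    }
}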
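/// <summary>
/// Creates a one year, 2048 bit RSA self signed certificate identifying an agent
/// (<paramref name="agentGuid"/>) within a Log Analytics workspace.
/// </summary>
/// <param name="agentGuid">Agent identifier; used in the subject DN and as the PKCS#12 key alias.</param>
/// <param name="logAnalyticsWorkspaceId">Workspace identifier; used in the subject DN.</param>
/// <returns>
/// The certificate with its exportable private key, the PEM encoded certificate paired with its DER bytes,
/// and the PEM encoded private key (unencrypted).
/// </returns>
private static (X509Certificate2, (string, byte[]), string) CreateSelfSignedCertificate(string agentGuid, string logAnalyticsWorkspaceId)
{
    var random = new SecureRandom();
    var certificateGenerator = new X509V3CertificateGenerator();

    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    var dirName = $"CN={logAnalyticsWorkspaceId}, CN={agentGuid}, OU=Microsoft Monitoring Agent, O=Microsoft";
    X509Name certName = new X509Name(dirName);
    certificateGenerator.SetIssuerDN(certName);
    certificateGenerator.SetSubjectDN(certName);

    // Read the clock once so NotBefore and NotAfter cannot straddle a midnight rollover.
    DateTime notBefore = DateTime.UtcNow.Date;
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notBefore.AddYears(1));

    const int strength = 2048;
    var keyGenerationParameters = new KeyGenerationParameters(random, strength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Get Private key for the Certificate as PEM text (unencrypted)
    string privateKeyString;
    using (TextWriter textWriter = new StringWriter())
    {
        PemWriter pemWriter = new PemWriter(textWriter);
        pemWriter.WriteObject(subjectKeyPair.Private);
        pemWriter.Writer.Flush();
        privateKeyString = textWriter.ToString();
    }

    var issuerKeyPair = subjectKeyPair;
    var signatureFactory = new Asn1SignatureFactory(Constants.DEFAULT_SIGNATURE_ALOGIRTHM, issuerKeyPair.Private);
    var bouncyCert = certificateGenerator.Generate(signatureFactory);

    // Convert to X509Certificate2 by round-tripping through an in-memory PKCS#12 container
    // protected with a throw-away password; the key is imported as Exportable.
    X509Certificate2 certificate;
    Pkcs12Store store = new Pkcs12StoreBuilder().Build();
    store.SetKeyEntry($"{agentGuid}_key", new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { new X509CertificateEntry(bouncyCert) });
    string exportpw = Guid.NewGuid().ToString("x");
    using (var ms = new MemoryStream())
    {
        store.Save(ms, exportpw.ToCharArray(), random);
        certificate = new X509Certificate2(ms.ToArray(), exportpw, X509KeyStorageFlags.Exportable);
    }

    // Get Certificate in PEM format
    StringBuilder builder = new StringBuilder();
    builder.AppendLine("-----BEGIN CERTIFICATE-----");
    builder.AppendLine(Convert.ToBase64String(certificate.RawData, Base64FormattingOptions.InsertLineBreaks));
    builder.AppendLine("-----END CERTIFICATE-----");
    string certString = builder.ToString();

    return (certificate, (certString, certificate.RawData), privateKeyString);
}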
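/// <summary>
/// Generates an RSA certificate (key size <c>KeyStrength</c>) for <paramref name="subjectName"/> with a
/// <c>localhost</c> DNS SAN, signs it (SHA256withRSA) with <paramref name="issuerPrivKey"/> as
/// <paramref name="issuerName"/>, and returns it with the subject private key attached.
/// </summary>
/// <param name="subjectName">Distinguished name of the subject.</param>
/// <param name="issuerName">Distinguished name placed in the issuer field.</param>
/// <param name="issuerPrivKey">Private key that produces the certificate signature.</param>
/// <returns>A certificate with private key, re-imported from an unprotected in-memory PKCS#12 blob.</returns>
/// <exception cref="PemException">The generated key does not encode as a nine-field RSA private key.</exception>
public static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivKey)
{
    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    var certificateGenerator = new X509V3CertificateGenerator();

    // Serial Number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and SN
    var subjectDN = new X509Name(subjectName);
    var issuerDN = new X509Name(issuerName);
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // SAN — NOTE(review): hard-coded to "localhost" regardless of subjectName, so hostname
    // validation against any other name fails.
    var subjectAltName = new GeneralNames(new GeneralName(GeneralName.DnsName, "localhost"));
    certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);

    // Validity
    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, KeyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Sign certificate
    var signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", issuerPrivKey, random);
    var certificate = certificateGenerator.Generate(signatureFactory);

    // Private key: re-encode the BouncyCastle key as RSAParameters
    var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
    var seq = (Asn1Sequence)Asn1Object.FromByteArray(privateKeyInfo.ParsePrivateKey().GetDerEncoded());
    if (seq.Count != 9)
    {
        // RSAPrivateKey (RFC 8017, A.1.2) has nine fields
        throw new PemException("Invalid RSA private key");
    }
    var rsa = RsaPrivateKeyStructure.GetInstance(seq);
    var rsaparams = new RsaPrivateCrtKeyParameters(rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
    var parms = DotNetUtilities.ToRSAParameters(rsaparams);

    // The intermediate certificate and RSA objects only exist to build the PKCS#12 blob;
    // dispose them once the bytes have been re-imported (they were leaked before).
    using (var x509 = new X509Certificate2(certificate.GetEncoded(), (string)null, X509KeyStorageFlags.Exportable))
    using (var rsa1 = RSA.Create())
    {
        rsa1.ImportParameters(parms);
        // https://github.com/dotnet/runtime/issues/23749
        using (var cert = x509.CopyWithPrivateKey(rsa1))
        {
            return new X509Certificate2(cert.Export(X509ContentType.Pkcs12));
        }
    }
}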
/// <summary>
/// Assigns a random serial number in the range [1, Int64.MaxValue] to <paramref name="generator"/>.
/// </summary>
/// <param name="generator">Certificate generator that receives the serial number.</param>
/// <param name="random">Random source used for the draw.</param>
private static void setSerialNumber(X509V3CertificateGenerator generator, SecureRandom random)
{
    BigInteger lowerBound = BigInteger.One;
    BigInteger upperBound = BigInteger.ValueOf(Int64.MaxValue);
    generator.SetSerialNumber(BigIntegers.CreateRandomInRange(lowerBound, upperBound, random));
}
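/// <summary>
/// Creates a cert with the connectionstring (token) and stores it in the given cert store.
/// The token is RSA-OAEP encrypted to the certificate's own public key and carried in the
/// InstructionCode extension, so only the holder of the private key can recover it.
/// </summary>
/// <param name="name">Common name of the certificate; also the PKCS#12 key alias and the key used to find and replace older entries.</param>
/// <param name="connectionString">Token to embed. Encoded as ASCII (other characters are not preserved) and must fit a single
/// RSA-OAEP block of the 2048 bit key.</param>
/// <param name="storeType">One of the <c>CertificateStoreType</c> values.</param>
/// <param name="storePath">Directory path or X509Store name, depending on <paramref name="storeType"/>.</param>
/// <exception cref="ArgumentException">No token was supplied, or the store type is not supported.</exception>
/// <exception cref="CryptographicException">The token could not be encrypted.</exception>
/// <exception cref="InvalidOperationException">The certificate could not be added to the X509Store.</exception>
public static async Task WriteAsync(string name, string connectionString, string storeType, string storePath)
{
    if (string.IsNullOrEmpty(connectionString))
    {
        throw new ArgumentException("Token not found in X509Store and no new token provided!", nameof(connectionString));
    }

    SecureRandom random = new SecureRandom();
    KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048);
    RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    AsymmetricCipherKeyPair keys = keyPairGenerator.GenerateKeyPair();

    ArrayList nameOids = new ArrayList();
    nameOids.Add(X509Name.CN);
    ArrayList nameValues = new ArrayList();
    nameValues.Add(name);
    X509Name subjectDN = new X509Name(nameOids, nameValues);
    X509Name issuerDN = subjectDN;

    X509V3CertificateGenerator cg = new X509V3CertificateGenerator();
    cg.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random));
    cg.SetIssuerDN(issuerDN);
    cg.SetSubjectDN(subjectDN);
    // NOTE(review): local time is used for the validity period — confirm whether consumers expect UTC.
    cg.SetNotBefore(DateTime.Now);
    cg.SetNotAfter(DateTime.Now.AddMonths(12));
    cg.SetPublicKey(keys.Public);
    cg.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DataEncipherment));

    // encrypt the token with the public key so only the owner of the assoc. private key can decrypt it and
    // "hide" it in the instruction code cert extension
    RSA rsa = RSA.Create();
    try
    {
        RSAParameters rsaParams = new RSAParameters();
        RsaKeyParameters keyParams = (RsaKeyParameters)keys.Public;
        rsaParams.Modulus = keyParams.Modulus.ToByteArrayUnsigned();
        rsaParams.Exponent = keyParams.Exponent.ToByteArrayUnsigned();
        rsa.ImportParameters(rsaParams);

        byte[] bytes = rsa.Encrypt(Encoding.ASCII.GetBytes(connectionString), RSAEncryptionPadding.OaepSHA1);
        if (bytes == null)
        {
            throw new CryptographicException("Can not encrypt IoTHub security token using generated public key!");
        }
        cg.AddExtension(X509Extensions.InstructionCode, false, bytes);
    }
    finally
    {
        // released on every path, including a failed Encrypt (previously leaked on that path)
        RsaUtils.RSADispose(rsa);
    }

    // sign the cert with the private key
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", keys.Private, random);
    Org.BouncyCastle.X509.X509Certificate x509 = cg.Generate(signatureFactory);

    // create a PKCS12 store for the cert and its private key
    X509Certificate2 certificate;
    using (MemoryStream pfxData = new MemoryStream())
    {
        Pkcs12StoreBuilder builder = new Pkcs12StoreBuilder();
        builder.SetUseDerEncoding(true);
        Pkcs12Store pkcsStore = builder.Build();
        X509CertificateEntry[] chain = new X509CertificateEntry[1];
        string passcode = Guid.NewGuid().ToString();
        chain[0] = new X509CertificateEntry(x509);
        pkcsStore.SetKeyEntry(name, new AsymmetricKeyEntry(keys.Private), chain);
        pkcsStore.Save(pfxData, passcode.ToCharArray(), random);
        // create X509Certificate2 object from PKCS12 file
        certificate = CertificateFactory.CreateCertificateFromPKCS12(pfxData.ToArray(), passcode);
    }

    // handle each store type differently
    switch (storeType)
    {
        case CertificateStoreType.Directory:
        {
            // Add to DirectoryStore
            using (DirectoryCertificateStore store = new DirectoryCertificateStore())
            {
                store.Open(storePath);
                X509CertificateCollection certificates = await store.Enumerate();
                // remove any existing cert with our name from the store
                foreach (X509Certificate2 cert in certificates)
                {
                    if (HasCommonName(cert, name))
                    {
                        await store.Delete(cert.Thumbprint);
                    }
                }
                // add new one
                await store.Add(certificate);
            }
            break;
        }
        case CertificateStoreType.X509Store:
        {
            // Add to X509Store
            using (X509Store store = new X509Store(storePath, StoreLocation.CurrentUser))
            {
                store.Open(OpenFlags.ReadWrite);
                // remove any existing cert with our name from the store
                // (store.Certificates is a snapshot, so removing while iterating is safe)
                foreach (X509Certificate2 cert in store.Certificates)
                {
                    if (HasCommonName(cert, name))
                    {
                        store.Remove(cert);
                    }
                }
                // add new cert to store
                try
                {
                    store.Add(certificate);
                }
                catch (Exception e)
                {
                    throw new InvalidOperationException(
                        $"Not able to add cert to the requested store type '{storeType}' (exception message: '{e.Message}').", e);
                }
            }
            break;
        }
        default:
        {
            throw new ArgumentException($"The requested store type '{storeType}' is not supported. Please change.", nameof(storeType));
        }
    }
}

/// <summary>
/// True when the subject of <paramref name="cert"/> decodes to exactly <c>CN=name</c>
/// (unquoted form, case-insensitive comparison).
/// </summary>
private static bool HasCommonName(X509Certificate2 cert, string name)
{
    string subject = cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes);
    return subject.Equals("CN=" + name, StringComparison.OrdinalIgnoreCase);
}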
/// <summary>
/// Dialog that generates a self-signed server certificate with Bouncy Castle and installs it
/// into the Personal ("MY") or WebHosting store through an elevated helper process. All work
/// is wired up as Rx subscriptions here; they are disposed when the form closes.
/// </summary>
/// <param name="serviceProvider">Passed through to the base dialog.</param>
/// <param name="feature">Owning feature; only used to show help.</param>
public SelfCertificateDialog(IServiceProvider serviceProvider, CertificatesFeature feature)
    : base(serviceProvider)
{
    InitializeComponent();
    // Defaults: first store entry, fourth key-length entry, second hashing entry
    // (hashing index 1 selects "SHA256WithRSA" below; index 0 would select "SHA1WithRSA").
    cbStore.SelectedIndex = 0;
    cbLength.SelectedIndex = 3;
    cbHashing.SelectedIndex = 1;
    txtCommonName.Text = Environment.MachineName;
    // Local time is used for the validity window; the generator receives these values unchanged.
    dtpFrom.Value = DateTime.Now;
    dtpTo.Value = dtpFrom.Value.AddYears(1);
    if (Environment.OSVersion.Version < Version.Parse("6.2"))
    {
        // IMPORTANT: WebHosting store is available since Windows 8.
        cbStore.Enabled = false;
    }

    if (!Helper.IsRunningOnMono())
    {
        NativeMethods.TryAddShieldToButton(btnOK);
    }

    var container = new CompositeDisposable();
    FormClosed += (sender, args) => container.Dispose();
    container.Add(
        Observable.FromEventPattern<EventArgs>(txtName, "TextChanged")
        .ObserveOn(System.Threading.SynchronizationContext.Current)
        .Subscribe(evt =>
        {
            // OK is only available once a friendly name has been entered.
            btnOK.Enabled = !string.IsNullOrWhiteSpace(txtName.Text);
        }));
    container.Add(
        Observable.FromEventPattern<EventArgs>(btnOK, "Click")
        .ObserveOn(System.Threading.SynchronizationContext.Current)
        .Subscribe(evt =>
        {
            var names = txtCommonName.Text;
            if (string.IsNullOrWhiteSpace(names))
            {
                ShowMessage("DNS names cannot be empty.", MessageBoxButtons.OK, MessageBoxIcon.Error, MessageBoxDefaultButton.Button1);
                return;
            }

            // Comma-separated list; the first entry becomes the CN, all entries go into the SAN when requested.
            var dnsNames = names.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(item => item.Trim()).ToArray();
            if (dnsNames.Length == 0)
            {
                ShowMessage("DNS names cannot be empty.", MessageBoxButtons.OK, MessageBoxIcon.Error, MessageBoxDefaultButton.Button1);
                return;
            }

            // Generate certificate
            string defaultIssuer = string.Format("CN={0}", dnsNames[0]);
            string defaultSubject = defaultIssuer;
            string subject = defaultSubject;
            string issuer = defaultIssuer;
            // NOTE(review): subject is always a freshly formatted string at this point, so this check cannot fire.
            if (subject == null)
            {
                throw new Exception("Missing Subject Name");
            }

            DateTime notBefore = dtpFrom.Value;
            DateTime notAfter = dtpTo.Value;
            var random = new SecureRandom(new CryptoApiRandomGenerator());
            var kpgen = new RsaKeyPairGenerator();
            // Key length is taken verbatim from the combo box text (e.g. "2048").
            kpgen.Init(new KeyGenerationParameters(random, int.Parse(cbLength.Text)));
            var cerKp = kpgen.GenerateKeyPair();
            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
            var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
            certGen.SetSerialNumber(serialNumber);
            certGen.SetIssuerDN(new X509Name(issuer));
            certGen.SetNotBefore(notBefore);
            certGen.SetNotAfter(notAfter);
            // With several DNS names no subject DN is set; the (critical) SAN added below is
            // then the only name in the certificate.
            if (dnsNames.Length == 1)
            {
                certGen.SetSubjectDN(new X509Name(subject));
            }

            certGen.SetPublicKey(cerKp.Public);
            // NOTE(review): cA=true on a server certificate is unusual; kept as written.
            certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
            var keyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(cerKp.Public);
            certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, true, new SubjectKeyIdentifier(keyInfo));
            // Self-signed, so the authority key identifier is the subject's own key.
            certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, true, new AuthorityKeyIdentifier(keyInfo));
            certGen.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));
            if (cbGenerate.Checked)
            {
                var subjectAlternativeNames = new List<Asn1Encodable>();
                foreach (var item in dnsNames)
                {
                    subjectAlternativeNames.Add(new GeneralName(GeneralName.DnsName, item));
                }

                var subjectAlternativeNamesExtension = new DerSequence(subjectAlternativeNames.ToArray());
                certGen.AddExtension(X509Extensions.SubjectAlternativeName, true, subjectAlternativeNamesExtension);
            }

            // Hashing index 0 selects SHA-1 signatures, which current validators reject;
            // index 1 (the default set above) selects SHA-256.
            string hashName = cbHashing.SelectedIndex == 0 ? "SHA1WithRSA" : "SHA256WithRSA";
            var factory = new Asn1SignatureFactory(hashName, cerKp.Private, random);
            // The PFX (certificate + private key) is written to a temp file under a fixed,
            // well-known password and handed to the elevated installer via its command line.
            string p12File = Path.GetTempFileName();
            string p12pwd = "test";
            try
            {
                Org.BouncyCastle.X509.X509Certificate x509 = certGen.Generate(factory);
                var store = new Pkcs12Store();
                var certificateEntry = new X509CertificateEntry(x509);
                var friendlyName = txtName.Text;
                store.SetCertificateEntry(friendlyName, certificateEntry);
                store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(cerKp.Private), new[] { certificateEntry });
                var stream = new MemoryStream();
                store.Save(stream, p12pwd.ToCharArray(), random);
                File.WriteAllBytes(p12File, stream.ToArray());
                Item = new X509Certificate2(p12File, p12pwd) { FriendlyName = friendlyName };
                Store = cbStore.SelectedIndex == 0 ? "Personal" : "WebHosting";
                try
                {
                    using (var process = new Process())
                    {
                        // add certificate
                        var start = process.StartInfo;
                        start.Verb = "runas";
                        start.UseShellExecute = true;
                        start.FileName = "cmd";
                        start.Arguments = $"/c \"\"{CertificateInstallerLocator.FileName}\" /f:\"{p12File}\" /p:{p12pwd} /n:\"{txtName.Text}\" /s:{(cbStore.SelectedIndex == 0 ? "MY" : "WebHosting")}\"";
                        start.CreateNoWindow = true;
                        start.WindowStyle = ProcessWindowStyle.Hidden;
                        process.Start();
                        process.WaitForExit();
                        // Only reached when the installer actually ran; if Start() throws (see the
                        // Win32Exception handler below) the temp PFX with the private key stays on disk.
                        File.Delete(p12File);
                        if (process.ExitCode == 0)
                        {
                            DialogResult = DialogResult.OK;
                        }
                        else
                        {
                            ShowMessage(process.ExitCode.ToString(), MessageBoxButtons.OK, MessageBoxIcon.Error, MessageBoxDefaultButton.Button1);
                        }
                    }
                }
                catch (Win32Exception ex)
                {
                    // elevation is cancelled.
                    if (ex.NativeErrorCode != Microsoft.Web.Administration.NativeMethods.ErrorCancelled)
                    {
                        RollbarLocator.RollbarInstance.Error(ex, new Dictionary<string, object> { { "native", ex.NativeErrorCode } });
                        // throw;
                    }
                }
                catch (Exception ex)
                {
                    RollbarLocator.RollbarInstance.Error(ex);
                }
            }
            catch (Exception ex)
            {
                RollbarLocator.RollbarInstance.Error(ex);
                ShowError(ex, "Certificate generation error", false);
                return;
            }
        }));
    container.Add(
        Observable.FromEventPattern<CancelEventArgs>(this, "HelpButtonClicked")
        .ObserveOn(System.Threading.SynchronizationContext.Current)
        // NOTE(review): the lambda parameter is named like the System.EnvironmentVariableTarget enum; it is just the event payload.
        .Subscribe(EnvironmentVariableTarget =>
        {
            feature.ShowHelp();
        }));
}
/// <summary>
/// Draws a random value in [1, long.MaxValue] from a fresh <see cref="SecureRandom"/>,
/// suitable as a certificate serial number.
/// </summary>
private static BigInteger GetRandomInteger()
{
    var lowerBound = BigInteger.One;
    var upperBound = BigInteger.ValueOf(long.MaxValue);
    var rng = new SecureRandom();
    return BigIntegers.CreateRandomInRange(lowerBound, upperBound, rng);
}
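/// <summary>
/// Generates a self-signed RSA CA certificate, installs it into the LocalMachine Root and
/// TrustedPublisher stores, then attaches the private key and also adds it to the CurrentUser
/// "PrivateCertStore" store. Returns the certificate with its private key set.
/// </summary>
/// <param name="subjectName">Distinguished name used for both subject and issuer, e.g. "CN=My Root CA".</param>
/// <param name="keyStrength">RSA modulus size in bits.</param>
/// <returns>The CA certificate with private key.</returns>
/// <remarks>
/// Writing to LocalMachine\Root requires administrative rights and makes every certificate
/// chaining to this key trusted machine-wide. Store writes are not rolled back if a later step fails.
/// </remarks>
public static X509Certificate2 GenerateCACertificate(string subjectName, int keyStrength = 2048)
{
    // Generating Random Numbers
    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);

    // The Certificate Generator
    var certificateGenerator = new X509V3CertificateGenerator();

    // Serial Number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Signature Algorithm: SHA-1 signatures are rejected by current validators, so sign with SHA-256.
    const string signatureAlgorithm = "SHA256WithRSA";
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();

    // Issuer and Subject Name (self-issued)
    var subjectDN = new X509Name(subjectName);
    var issuerDN = subjectDN;
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // A CA certificate must carry basicConstraints cA=true; without it path validation rejects
    // every certificate this CA issues.
    certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, true,
        new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public), new GeneralNames(new GeneralName(issuerDN)), serialNumber));

    // Valid For
    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Generating the Certificate (self-signed with the subject key)
    var issuerKeyPair = subjectKeyPair;
    var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
    var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());

    // Add the public CA certificate to the machine-wide Root and TrustedPublisher stores.
    // Each store is closed even if Add() throws.
    var machineStores = new[]
    {
        new X509Store(StoreName.Root, StoreLocation.LocalMachine),
        new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine),
    };
    foreach (var store in machineStores)
    {
        store.Open(OpenFlags.ReadWrite);
        try
        {
            store.Add(x509);
        }
        finally
        {
            store.Close();
        }
    }

    // Attach the private key before the copy that goes to the user's private store.
    RsaPrivateCrtKeyParameters rsaparams = (RsaPrivateCrtKeyParameters)issuerKeyPair.Private;
    x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);

    var privateStore = new X509Store("PrivateCertStore", StoreLocation.CurrentUser);
    privateStore.Open(OpenFlags.ReadWrite);
    try
    {
        privateStore.Add(x509);
    }
    finally
    {
        privateStore.Close();
    }

    return x509;
}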
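/// <summary>
/// Creates an RSA client certificate signed by <paramref name="issuer"/>, adds the public part to
/// the LocalMachine\My store and writes "&lt;cn&gt;.pfx" (with private key, protected by
/// <paramref name="pvkPass"/>) and "&lt;cn&gt;.cer" under .\certs.
/// </summary>
/// <param name="subjectName">Subject distinguished name, e.g. "CN=client01".</param>
/// <param name="pvkPass">Password protecting the exported PFX.</param>
/// <param name="issuer">CA certificate; must carry its private key.</param>
/// <returns>Relative path of the written PFX file.</returns>
/// <exception cref="ArgumentException">The subject DN does not yield a usable file name.</exception>
public string CreateAndStoreNewClientCertificate(string subjectName, string pvkPass, X509Certificate2 issuer)
{
    X509V3CertificateGenerator generator = new X509V3CertificateGenerator();

    // Generate pseudo random number
    var randomGen = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGen);

    // Set certificate serial number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    generator.SetSerialNumber(serialNumber);

    // Set certificate subject name
    var subjectDN = new X509Name(subjectName);
    generator.SetSubjectDN(subjectDN);

    // Set issuer subject name
    var issuerDN = new X509Name(issuer.Subject);
    generator.SetIssuerDN(issuerDN);

    // Set certificate validity
    var notBefore = DateTime.UtcNow.Date;
    generator.SetNotBefore(notBefore);
    generator.SetNotAfter(notBefore.AddYears(2));

    // Generate new RSA key pair for certificate
    var keyGeneratorParameters = new KeyGenerationParameters(random, RSAKeyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGeneratorParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();

    // Import public key into generator
    generator.SetPublicKey(subjectKeyPair.Public);

    // Get key pair from .net issuer certificate
    var issuerKeyPair = DotNetUtilities.GetKeyPair(issuer.PrivateKey);
    var issuerSerialNumber = new BigInteger(issuer.GetSerialNumber());

    // Authority Key Identifier: issuer public key, issuer name and issuer serial
    var caKeyIdentifier = new AuthorityKeyIdentifier(
        SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerKeyPair.Public),
        new GeneralNames(new GeneralName(issuerDN)),
        issuerSerialNumber);
    generator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, caKeyIdentifier);

    // Create signature factory to sign new cert
    ISignatureFactory signatureFactory = new Asn1SignatureFactory(SignatureAlgorithm, issuerKeyPair.Private);

    // Generate new bouncy castle certificate signed by issuer
    var newCertificate = generator.Generate(signatureFactory);

    // The friendly name doubles as the output file name under .\certs, so it must not carry
    // path separators or other characters that would let a caller-supplied DN point elsewhere.
    // Only the first RDN value is used ("CN=alice,O=x" -> "alice").
    string rawName = newCertificate.SubjectDN.ToString().Split('=')[1].Split(',')[0].Trim();
    string friendlyName = string.Concat(rawName.Split(Path.GetInvalidFileNameChars())).Replace('\\', '_').Replace('/', '_');
    if (friendlyName.Length == 0 || friendlyName == "." || friendlyName == "..")
    {
        throw new ArgumentException("Subject name does not yield a usable file name.", nameof(subjectName));
    }

    var store = new Pkcs12Store();
    var certificateEntry = new X509CertificateEntry(newCertificate);

    // Set certificate
    store.SetCertificateEntry(friendlyName, certificateEntry);

    // Set private key
    store.SetKeyEntry(
        friendlyName,
        new AsymmetricKeyEntry(subjectKeyPair.Private),
        new X509CertificateEntry[] { certificateEntry });

    const string outputDirectory = @".\certs\";
    Directory.CreateDirectory(outputDirectory);
    var privatePath = outputDirectory + $"{friendlyName}.pfx";
    var publicPath = outputDirectory + $"{friendlyName}.cer";

    using (var stream = new MemoryStream())
    {
        // Convert bouncy castle cert => .net cert. Exportable is needed for the PFX export below;
        // PersistKeySet keeps the imported key in the key store beyond this object's lifetime.
        store.Save(stream, pvkPass.ToCharArray(), random);
        var dotNetCertificate = new X509Certificate2(
            stream.ToArray(),
            pvkPass,
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
        try
        {
            // Extract public part to store in server storage
            var publicCert = dotNetCertificate.Export(X509ContentType.Cert);

            // Extract private parameters to export into .pfx for distribution
            var privateCert = dotNetCertificate.Export(X509ContentType.Pfx, pvkPass);

            // Store only the public certificate in the machine store.
            using (var publicOnly = new X509Certificate2(publicCert))
            using (var storage = new X509Store(StoreName.My, StoreLocation.LocalMachine))
            {
                storage.Open(OpenFlags.ReadWrite);
                storage.Add(publicOnly);
                storage.Close();
            }

            // Write private parameters to .pfx file to install at client
            File.WriteAllBytes(privatePath, privateCert);
            File.WriteAllBytes(publicPath, publicCert);
        }
        finally
        {
            dotNetCertificate.Dispose();
        }
    }

    return privatePath;
}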
/// <summary>
/// Builds a self-signed, non-CA RSA certificate for "CN=&lt;subjectName&gt;", valid two years
/// from today (UTC) and signed with SHA-512/RSA. Key usage is digitalSignature + keyEncipherment,
/// extended key usage (non-critical) is serverAuth + clientAuth. The private key is attached to
/// the returned certificate.
/// </summary>
/// <param name="subjectName">Common-name value, without the "CN=" prefix.</param>
/// <param name="keyStrength">RSA modulus size in bits.</param>
/// <returns>The certificate with private key and friendly name "&lt;subjectName&gt; self-signed".</returns>
private static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, int keyStrength = 2048)
{
    var rng = new SecureRandom(new CryptoApiRandomGenerator());
    var builder = new X509V3CertificateGenerator();

    // Serial number first, then the key pair, drawing from the same random source.
    builder.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), rng));

    // Self-issued: one name serves as both subject and issuer.
    var dn = new X509Name("CN=" + subjectName);
    builder.SetIssuerDN(dn);
    builder.SetSubjectDN(dn);

    var today = DateTime.UtcNow.Date;
    builder.SetNotBefore(today);
    builder.SetNotAfter(today.AddYears(2));

    var rsaGenerator = new RsaKeyPairGenerator();
    rsaGenerator.Init(new KeyGenerationParameters(rng, keyStrength));
    var keyPair = rsaGenerator.GenerateKeyPair();
    builder.SetPublicKey(keyPair.Public);

    // The subject key also signs.
    var signer = new Asn1SignatureFactory("SHA512WITHRSA", keyPair.Private, rng);

    builder.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    builder.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
    builder.AddExtension(
        X509Extensions.ExtendedKeyUsage,
        false,
        ExtendedKeyUsage.GetInstance(new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth)));

    var bcCertificate = builder.Generate(signer);

    // RsaKeyPairGenerator yields CRT parameters, so the key can be handed to .NET directly
    // instead of being round-tripped through a PKCS#8 PrivateKeyInfo.
    var rsaPrivate = (RsaPrivateCrtKeyParameters)keyPair.Private;
    var result = new X509Certificate2(bcCertificate.GetEncoded())
    {
        FriendlyName = $"{subjectName} self-signed",
    };
    result.PrivateKey = DotNetUtilities.ToRSA(rsaPrivate);
    return result;
}
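/// <summary>
/// Console entry point: generates a 2048-bit RSA key pair and a self-signed, SHA-256/RSA signed
/// X.509 v3 certificate for "CN=testsubject", valid two years from today (UTC). The certificate
/// is only generated; it is not exported or stored.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    // X509Name parses "attribute=value" pairs; a bare "testsubject" is rejected as a badly
    // formatted directory string, so the CN attribute is spelled out.
    string subjectName = "CN=testsubject";

    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);

    var certificateGenerator = new X509V3CertificateGenerator();
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    const string signatureAlgorithm = "SHA256WithRSA";
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    // Self-issued: subject and issuer are the same name.
    var subjectDN = new Org.BouncyCastle.Asn1.X509.X509Name(subjectName);
    certificateGenerator.SetIssuerDN(subjectDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    const int strength = 2048;
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(new KeyGenerationParameters(random, strength));
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Self-signed with the subject's own private key.
    var certificate = certificateGenerator.Generate(subjectKeyPair.Private, random);

    // The original continued by constructing a PdfReader from an instance field (`this.inputPDF`),
    // which cannot compile inside a static method and was never used; that line and a block of
    // commented-out legacy generation code were removed.
}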
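/// <summary>
/// Creates an RSA server certificate for TLS and returns it as a Bouncy Castle TLS
/// <c>Certificate</c> chain of one together with the subject's private key.
/// SAN: localhost (dNSName) and 127.0.0.1 (iPAddress); EKU: id-kp-serverAuth (critical).
/// </summary>
/// <param name="subjectName">Subject DN, e.g. "CN=localhost".</param>
/// <param name="issuerName">Issuer DN; also used to obtain a signing key when <paramref name="issuerPrivateKey"/> is null.</param>
/// <param name="issuerPrivateKey">Key that signs the certificate; null requests one from CreatePrivateKeyResource.</param>
/// <returns>The certificate chain and the newly generated subject private key.</returns>
public static (Certificate crtificate, AsymmetricKeyParameter privateKey) CreateSelfSignedTlsCert(
    string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivateKey)
{
    const int keyStrength = DEFAULT_KEY_SIZE;
    if (issuerPrivateKey == null)
    {
        issuerPrivateKey = CreatePrivateKeyResource(issuerName);
    }

    // Generating Random Numbers
    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivateKey, random);

    // The Certificate Generator
    var certificateGenerator = new X509V3CertificateGenerator();

    // Subject Alternative Names. "127.0.0.1" is an IP address and has to be encoded as an
    // iPAddress GeneralName; encoded as a dNSName it never matches a client's host check.
    certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName[]
    {
        new GeneralName(GeneralName.DnsName, "localhost"),
        new GeneralName(GeneralName.IPAddress, "127.0.0.1")
    }));

    // Extended Key Usage: id-kp-serverAuth (1.3.6.1.5.5.7.3.1), critical as before.
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));

    // Serial Number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and Subject Name
    var subjectDn = new X509Name(subjectName);
    var issuerDn = new X509Name(issuerName);
    certificateGenerator.SetIssuerDN(issuerDn);
    certificateGenerator.SetSubjectDN(subjectDn);

    // Valid For: 70 years from today (UTC), as existing callers expect.
    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddYears(70);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key: a fresh RSA key pair whose private half is returned to the caller.
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Signed with issuerPrivateKey, which is distinct from the subject key pair generated above.
    var certificate = certificateGenerator.Generate(signatureFactory);

    var chain = new X509CertificateStructure[] { X509CertificateStructure.GetInstance(certificate.GetEncoded()) };
    var tlsCertificate = new Certificate(chain);
    return (tlsCertificate, subjectKeyPair.Private);
}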
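/// <summary>
/// Generates a self-signed X.509 v3 certificate with Bouncy Castle and writes two files:
/// the public certificate (DER) to <paramref name="certPath"/> and a password-protected PFX
/// containing certificate and private key to <paramref name="pfxPath"/>.
/// </summary>
/// <param name="algorithm">Key-pair algorithm name passed to GeneratorUtilities (e.g. "RSA").</param>
/// <param name="keySize">Key size in bits.</param>
/// <param name="password">Password protecting the PFX.</param>
/// <param name="signatureAlgorithm">Signature algorithm used to sign the certificate, e.g. "SHA256WITHRSA".</param>
/// <param name="startDate">Start of the validity period (notBefore).</param>
/// <param name="endDate">End of the validity period (notAfter).</param>
/// <param name="issuer">Issuer DN.</param>
/// <param name="subject">Subject DN.</param>
/// <param name="certPath">Output path of the .cer file.</param>
/// <param name="pfxPath">Output path of the .pfx file.</param>
/// <param name="friendlyName">Friendly name of the certificate and PKCS#12 alias (optional).</param>
/// <exception cref="NotSupportedException">
/// On targets other than netstandard2.0 the private key is handed to .NET as RSA, so a non-RSA
/// <paramref name="algorithm"/> is rejected there.
/// </exception>
public static void X509V3(string algorithm, int keySize, string password, string signatureAlgorithm, DateTime startDate, DateTime endDate, X509Name issuer, X509Name subject, string certPath, string pfxPath, string friendlyName = "")
{
    // One random source for the serial number, key generation and PKCS#12 encryption.
    CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
    SecureRandom random = new SecureRandom(randomGenerator);

    var keyGenerator = GeneratorUtilities.GetKeyPairGenerator(algorithm);
    keyGenerator.Init(new KeyGenerationParameters(random, keySize));
    var keyPair = keyGenerator.GenerateKeyPair();

    var v3CertGen = new X509V3CertificateGenerator();
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
    v3CertGen.SetSerialNumber(serialNumber);    // serial number
    v3CertGen.SetIssuerDN(issuer);              // issuer
    v3CertGen.SetSubjectDN(subject);            // subject
    v3CertGen.SetNotBefore(startDate);          // notBefore
    v3CertGen.SetNotAfter(endDate);             // notAfter
    v3CertGen.SetPublicKey(keyPair.Public);     // subject public key
    ISignatureFactory sigFact = new Asn1SignatureFactory(signatureAlgorithm, keyPair.Private); // signed with the new private key
    var spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public);

    // Extensions
    // Basic constraints: cA = true (kept as in the original; the result can act as an issuer).
    v3CertGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    // Subject key identifier
    v3CertGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki));
    // Authority key identifier: same key, since the certificate is self-signed
    v3CertGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(spki));

    var x509Certificate = v3CertGen.Generate(sigFact);
    x509Certificate.CheckValidity();          // the current date must fall inside [startDate, endDate]
    x509Certificate.Verify(keyPair.Public);   // signature check against the public key

    using (var certificate2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(x509Certificate))
    {
        FriendlyName = friendlyName,
    })
    {
        // .cer: public part only
        File.WriteAllBytes(certPath, certificate2.Export(X509ContentType.Cert));

#if NETSTANDARD2_0
        // CopyWithPrivateKey is not available on netstandard2.0, so the PKCS#12 is built with Bouncy Castle.
        var certEntry = new X509CertificateEntry(x509Certificate);
        var store = new Pkcs12StoreBuilder().Build();
        store.SetCertificateEntry(friendlyName, certEntry);
        var chain = new X509CertificateEntry[1];
        chain[0] = certEntry;
        store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(keyPair.Private), chain);
        using (var fs = File.Create(pfxPath))
        {
            store.Save(fs, password.ToCharArray(), random);
        }
#else
        // The .NET route needs an RSA CRT key; fail with a clear message instead of an InvalidCastException.
        var rsaPrivateKey = keyPair.Private as RsaPrivateCrtKeyParameters;
        if (rsaPrivateKey == null)
        {
            throw new NotSupportedException($"Key algorithm '{algorithm}' is not supported here; an RSA key pair is required.");
        }

        // .pfx: certificate plus private key (CopyWithPrivateKey requires netstandard2.1 or later).
        using (var withKey = certificate2.CopyWithPrivateKey(DotNetUtilities.ToRSA(rsaPrivateKey)))
        {
            File.WriteAllBytes(pfxPath, withKey.Export(X509ContentType.Pfx, password));
        }
#endif
    }
}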
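/// <summary>
/// Generates a self-signed RSA CA certificate (basicConstraints cA = true) signed with
/// SHA-256/RSA and valid for two years from today (UTC). Returns the key pair wrapped in a
/// <c>CertPrivateKey</c> together with the Bouncy Castle certificate; nothing is written to a
/// certificate store.
/// </summary>
/// <param name="subjectName">Distinguished name used for both subject and issuer, e.g. "CN=Test CA".</param>
/// <param name="keyStrength">RSA modulus size in bits.</param>
/// <returns>The CA private key and certificate.</returns>
public static (CertPrivateKey, BcCertificate) GenerateRsaCACertificate(string subjectName, int keyStrength = 2048)
{
    // Generating Random Numbers
    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);

    // The Certificate Generator
    var certificateGenerator = new X509V3CertificateGenerator();

    // Serial Number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and Subject Name
    var subjectDN = new X509Name(subjectName);
    var issuerDN = subjectDN;
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Valid For
    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddYears(2);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // A CA certificate needs basicConstraints cA=true; without it path validation rejects the
    // certificates this CA issues.
    certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));

    // Generating the Certificate: self-signed through an ISignatureFactory, which replaces the
    // obsolete SetSignatureAlgorithm/Generate(key, random) pair and the pragmas that silenced it.
    var issuerKeyPair = subjectKeyPair;
    const string signatureAlgorithm = "SHA256WithRSA";
    Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory =
        new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(signatureAlgorithm, issuerKeyPair.Private, random);
    var certificate = certificateGenerator.Generate(signatureFactory);

    var key = new CertPrivateKey
    {
        KeyPair = issuerKeyPair,
    };
    return (key, certificate);
}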
/// <summary>
/// Create a self signed certificate with bouncy castle.
/// </summary>
/// <param name="subjectName">CN value; null or empty falls back to "NuGetTest".</param>
/// <param name="modifyGenerator">Optional hook that may adjust the generator just before signing.</param>
/// <param name="signatureAlgorithm">Bouncy Castle signature algorithm name.</param>
/// <param name="publicKeyLength">RSA key size in bits.</param>
/// <param name="chainCertificateRequest">
/// When set, supplies the issuer DN and (on desktop builds) the issuer certificate, CRL
/// distribution point and CA flag.
/// </param>
/// <returns>The certificate; on desktop builds the private key is attached.</returns>
public static X509Certificate2 GenerateCertificate(
    string subjectName,
    Action<X509V3CertificateGenerator> modifyGenerator,
    string signatureAlgorithm = "SHA256WITHRSA",
    int publicKeyLength = 2048,
    ChainCertificateRequest chainCertificateRequest = null)
{
    var effectiveSubject = string.IsNullOrEmpty(subjectName) ? "NuGetTest" : subjectName;

    var random = new SecureRandom();
    var keyPair = GenerateKeyPair(publicKeyLength);

    // Create cert
    var subjectDN = $"CN={effectiveSubject}";
    var issuerDN = chainCertificateRequest?.IssuerDN ?? subjectDN;

    var certGen = new X509V3CertificateGenerator();
    certGen.SetSubjectDN(new X509Name(subjectDN));
    certGen.SetIssuerDN(new X509Name(issuerDN));

    // Self-signed with the new key pair unless a chain request supplies an issuer (desktop only).
    var signingKey = keyPair.Private;
    var keyUsage = KeyUsage.DigitalSignature;

#if IS_DESKTOP
    if (chainCertificateRequest != null)
    {
        var issuer = chainCertificateRequest.Issuer;
        if (issuer != null)
        {
            // Issued certificate: point the Authority Key Identifier at the issuer and sign with its key.
            var bcIssuer = DotNetUtilities.FromX509Certificate(issuer);
            certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, new AuthorityKeyIdentifierStructure(bcIssuer));
            signingKey = DotNetUtilities.GetKeyPair(issuer.PrivateKey).Private;
        }

        if (chainCertificateRequest.ConfigureCrl)
        {
            // CRL distribution point: <base uri><issuer DN>.crl
            var crlServerUri = $"{chainCertificateRequest.CrlServerBaseUri}{issuerDN}.crl";
            var generalName = new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.UniformResourceIdentifier, new DerIA5String(crlServerUri));
            var distPoint = new DistributionPoint(new DistributionPointName(new GeneralNames(generalName)), null, null);
            certGen.AddExtension(X509Extensions.CrlDistributionPoints, critical: false, extensionValue: new DerSequence(distPoint));
        }

        if (chainCertificateRequest.IsCA)
        {
            // CA certificates additionally get cRLSign and keyCertSign.
            keyUsage |= KeyUsage.CrlSign | KeyUsage.KeyCertSign;
        }
    }
#endif

    // Validity window: one hour either side of now.
    certGen.SetNotAfter(DateTime.UtcNow.Add(TimeSpan.FromHours(1)));
    certGen.SetNotBefore(DateTime.UtcNow.Subtract(TimeSpan.FromHours(1)));
    certGen.SetPublicKey(keyPair.Public);
    certGen.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random));

    var isCa = chainCertificateRequest?.IsCA ?? false;
    var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public));
    certGen.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
    certGen.AddExtension(X509Extensions.KeyUsage.Id, false, new KeyUsage(keyUsage));
    certGen.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(isCa));

    // Allow changes
    modifyGenerator?.Invoke(certGen);

    var signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, signingKey, random);
    var certificate = certGen.Generate(signatureFactory);
    var certResult = new X509Certificate2(certificate.GetEncoded());
#if IS_DESKTOP
    certResult.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
#endif
    return certResult;
}
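//[Obsolete("Use CreateSelfSignedTlsCert instead.")]
/// <summary>
/// Creates an RSA server certificate for TLS (SAN: localhost and 127.0.0.1; EKU: serverAuth,
/// critical), signed with <paramref name="privateKey"/> or, when that is null, with a key
/// obtained from CreatePrivateKeyResource(issuerName). Returns a .NET certificate carrying the
/// newly generated subject private key.
/// </summary>
/// <param name="subjectName">Subject DN, e.g. "CN=localhost".</param>
/// <param name="issuerName">Issuer DN.</param>
/// <param name="privateKey">Signing key; null to obtain one from the issuer name.</param>
/// <returns>The certificate with private key attached (see the platform notes in the body).</returns>
public static X509Certificate2 CreateSelfSignedCert(string subjectName, string issuerName, AsymmetricKeyParameter privateKey)
{
    const int keyStrength = DEFAULT_KEY_SIZE;
    if (privateKey == null)
    {
        privateKey = CreatePrivateKeyResource(issuerName);
    }
    var issuerPrivKey = privateKey;

    // Generating Random Numbers
    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivKey, random);

    // The Certificate Generator
    var certificateGenerator = new X509V3CertificateGenerator();

    // Subject Alternative Names. "127.0.0.1" is an IP address and has to be encoded as an
    // iPAddress GeneralName; encoded as a dNSName it never matches a client's host check.
    certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName[]
    {
        new GeneralName(GeneralName.DnsName, "localhost"),
        new GeneralName(GeneralName.IPAddress, "127.0.0.1")
    }));

    // Extended Key Usage: id-kp-serverAuth (1.3.6.1.5.5.7.3.1), critical as before.
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));

    // Serial Number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Issuer and Subject Name
    var subjectDn = new X509Name(subjectName);
    var issuerDn = new X509Name(issuerName);
    certificateGenerator.SetIssuerDN(issuerDn);
    certificateGenerator.SetSubjectDN(subjectDn);

    // Valid For: 70 years from today (UTC), as existing callers expect.
    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddYears(70);
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Signed with issuerPrivKey, which is distinct from the subject key pair generated above.
    var certificate = certificateGenerator.Generate(signatureFactory);

    // Originally pre-processor defines were used to try and pick the supported way to get from a Bouncy Castle
    // certificate and private key to a .NET certificate. The problem is that setting the private key on a .NET
    // X509 certificate is possible in .NET Framework but NOT in .NET Core. To complicate matters even further
    // the workaround in the CovertBouncyCert method of saving a cert + pvt key to a .pfx stream and then
    // reloading does not work on macOS or Unity (and possibly elsewhere) due to .pfx serialisation not being
    // compatible. This is the exception from Unity:
    //
    // Mono.Security.ASN1..ctor (System.Byte[] data) (at <6a66fe237d4242c9924192d3c28dd540>:0)
    // Mono.Security.X509.X509Certificate.Parse(System.Byte[] data)(at < 6a66fe237d4242c9924192d3c28dd540 >:0)
    //
    // Summary:
    // .NET Framework (including Mono on Linux, macOS and WSL)
    // - Set x509.PrivateKey works.
    // .NET Standard:
    // - Set x509.PrivateKey for a .NET Framework application.
    // - Set x509.PrivateKey for a .NET Core application FAILS.
    // .NET Core:
    // - Set x509.PrivateKey for a .NET Core application FAILS.
    // - PFX serialisation works on Windows.
    // - PFX serialisation works on WSL and Linux.
    // - PFX serialisation FAILS on macOS.
    //
    // For same issue see https://github.com/dotnet/runtime/issues/23635.
    // For fix in net5 see https://github.com/dotnet/corefx/pull/42226.
    try
    {
        // corresponding private key
        var info = Org.BouncyCastle.Pkcs.PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);

        // merge into X509Certificate2
        var x509 = new X509Certificate2(certificate.GetEncoded());
        var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
        if (seq.Count != 9)
        {
            throw new Org.BouncyCastle.OpenSsl.PemException("malformed sequence in RSA private key");
        }

        var rsa = RsaPrivateKeyStructure.GetInstance(seq);
        var rsaparams = new RsaPrivateCrtKeyParameters(
            rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
        x509.PrivateKey = ToRSA(rsaparams);
        return x509;
    }
    catch
    {
        // Any failure above (per the notes, the PrivateKey setter on .NET Core) falls back to the
        // PFX round-trip, which has its own platform limits as described above.
        return ConvertBouncyCert(certificate, subjectKeyPair);
    }
}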
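/// <summary>
/// Generates a self-signed RSA certificate (SHA512WITHRSA signature) whose subject and issuer are
/// both <paramref name="name"/>, and attaches the freshly generated private key to the result.
/// Key size and validity period come from the class-level <c>KeyStrength</c> and
/// <c>ExpireTimeInYears</c> settings.
/// </summary>
/// <param name="name">
/// Full X.500 distinguished name string (e.g. "CN=example"). It is handed unchanged to
/// <see cref="X509Name"/>, so it must already be a well-formed DN.
/// </param>
/// <returns>An <see cref="X509Certificate2"/> with its private key set.</returns>
/// <exception cref="PemException">
/// The generated key did not decode to a nine-element PKCS#1 RSAPrivateKey sequence.
/// </exception>
public X509Certificate2 GenerateSelfSignedCertificate(string name)
{
    var random = new SecureRandom(new CryptoApiRandomGenerator());
    var certificateGenerator = new X509V3CertificateGenerator();

    // Random positive serial number in [1, long.MaxValue].
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Self-signed: the same DN is used for subject and issuer.
    var subjectDN = new X509Name(name);
    certificateGenerator.SetIssuerDN(subjectDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Validity starts at midnight UTC of the current day.
    var notBefore = DateTime.UtcNow.Date;
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notBefore.AddYears(ExpireTimeInYears));

    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(new KeyGenerationParameters(random, KeyStrength));
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // The subject's own private key signs the certificate.
    var signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", subjectKeyPair.Private, random);
    var certificate = certificateGenerator.Generate(signatureFactory);

    var x509 = new X509Certificate2(certificate.GetEncoded());

    // Re-read the key via its PKCS#8 encoding to reach the PKCS#1 RSAPrivateKey sequence:
    // version, n, e, d, p, q, dP, dQ, qInv — exactly nine elements for a two-prime key.
    var info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
    var privateKey = info.ParsePrivateKey();
    var sequence = (Asn1Sequence)Asn1Object.FromByteArray(privateKey.GetDerEncoded());
    if (sequence.Count != 9)
    {
        throw new PemException("Malformed sequence in RSA private key.");
    }

    var rsa = RsaPrivateKeyStructure.GetInstance(sequence);
    var rsaParameters = new RsaPrivateCrtKeyParameters(
        rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent,
        rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

    // NOTE(review): a fixed container name means every call targets the same CSP key container;
    // confirm that sharing/overwriting it across certificates is intended.
    var csp = new CspParameters { KeyContainerName = "Shapeshifter" };
    var rsaPrivate = new RSACryptoServiceProvider(csp);

    // The RSA instance returned by DotNetUtilities is only needed to copy the parameters across,
    // so release its handle as soon as the export is done instead of leaving it to the finalizer.
    using (var privateKeyRSA = DotNetUtilities.ToRSA(rsaParameters))
    {
        rsaPrivate.ImportParameters(privateKeyRSA.ExportParameters(true));
    }

    x509.PrivateKey = rsaPrivate;
    return x509;
}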
/// <summary>
/// FIPS 186-4 C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test.
///
/// Runs several iterations of the Miller-Rabin algorithm with randomly-chosen bases. Compared with
/// the plain Miller-Rabin test, this variant reports extra information about a composite candidate
/// (a non-trivial factor when one is found, or that the candidate is not a prime power), which is
/// useful when generating or validating RSA moduli.
/// </summary>
/// <param name="candidate">The <see cref="BigInteger"/> to test for primality.</param>
/// <param name="random">The source of randomness used to choose bases.</param>
/// <param name="iterations">The number of randomly-chosen bases to test; must be at least 1.</param>
/// <returns>An <c>MROutput</c> describing the result, which can be queried for details.</returns>
/// <exception cref="ArgumentNullException"><paramref name="random"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="iterations"/> is less than 1.</exception>
public static MROutput EnhancedMRProbablePrimeTest(BigInteger candidate, SecureRandom random, int iterations)
{
    // Basic range/nullness validation of the candidate is delegated to the class helper.
    CheckCandidate(candidate, "candidate");
    if (random == null)
    {
        throw new ArgumentNullException("random");
    }
    if (iterations < 1)
    {
        throw new ArgumentException("must be > 0", "iterations");
    }

    // A 2-bit candidate is 2 or 3, both prime.
    if (candidate.BitLength == 2)
    {
        return(MROutput.ProbablyPrime());
    }
    // Even candidate: 2 is a factor.
    if (!candidate.TestBit(0))
    {
        return(MROutput.ProvablyCompositeWithFactor(Two));
    }

    // Write w - 1 = 2^a * m with m odd: a is the number of trailing zero bits of w - 1.
    BigInteger w = candidate;
    BigInteger wSubOne = candidate.Subtract(One);
    BigInteger wSubTwo = candidate.Subtract(Two);
    int a = wSubOne.GetLowestSetBit();
    BigInteger m = wSubOne.ShiftRight(a);

    for (int i = 0; i < iterations; ++i)
    {
        // Random base b in [2, w - 2].
        BigInteger b = BigIntegers.CreateRandomInRange(Two, wSubTwo, random);

        // A base sharing a factor with w exposes that factor directly.
        BigInteger g = b.Gcd(w);
        if (g.CompareTo(One) > 0)
        {
            return(MROutput.ProvablyCompositeWithFactor(g));
        }

        // z = b^m mod w; 1 or w - 1 here means w passes for this base.
        BigInteger z = b.ModPow(m, w);
        if (z.Equals(One) || z.Equals(wSubOne))
        {
            continue;
        }

        // Repeatedly square z (at most a - 1 times) looking for w - 1; x tracks the last value
        // before z became trivial, which is needed for the factor search below.
        bool primeToBase = false;
        BigInteger x = z;
        for (int j = 1; j < a; ++j)
        {
            z = z.ModPow(Two, w);
            if (z.Equals(wSubOne))
            {
                primeToBase = true;
                break;
            }
            if (z.Equals(One))
            {
                break;
            }
            x = z;
        }

        if (!primeToBase)
        {
            // w is composite for this base. Advance to the last non-trivial square so that
            // gcd(x - 1, w) has a chance of revealing a non-trivial factor.
            if (!z.Equals(One))
            {
                x = z;
                z = z.ModPow(Two, w);
                if (!z.Equals(One))
                {
                    x = z;
                }
            }
            g = x.Subtract(One).Gcd(w);
            if (g.CompareTo(One) > 0)
            {
                return(MROutput.ProvablyCompositeWithFactor(g));
            }
            // No factor found from this witness; the composite is still known not to be a prime power.
            return(MROutput.ProvablyCompositeNotPrimePower());
        }
    }

    // Every base passed: w is probably prime.
    return(MROutput.ProbablyPrime());
}
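/// <summary>
/// Generates a new 2048-bit RSA certificate for <paramref name="subjectName"/>, signs it
/// (SHA256WithRSA) with <paramref name="issuerPrivKey"/> and returns it with the new private
/// key attached. Despite the method name, the result is only self-signed when the caller
/// passes the subject's own name and key as issuer; with a CA key it is an issuer-signed
/// leaf certificate.
/// </summary>
/// <param name="subjectName">
/// Full distinguished name of the subject (e.g. "CN=host"); passed unchanged to <see cref="X509Name"/>.
/// </param>
/// <param name="issuerName">
/// Distinguished name of the issuer. It must match the issuer certificate's subject exactly,
/// otherwise chain building fails.
/// </param>
/// <param name="issuerPrivKey">Private key used to sign the certificate.</param>
/// <returns>The certificate together with its freshly generated private key.</returns>
/// <exception cref="System.Security.Cryptography.CryptographicException">
/// The generated key did not decode to a nine-element PKCS#1 RSAPrivateKey sequence.
/// </exception>
private static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivKey)
{
    const int keyStrength = 2048;
    const string signatureAlgorithm = "SHA256WithRSA";

    var random = new SecureRandom(new CryptoApiRandomGenerator());
    var certificateGenerator = new X509V3CertificateGenerator();

    // Random positive serial number in [1, Int64.MaxValue].
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    certificateGenerator.SetIssuerDN(new X509Name(issuerName));
    certificateGenerator.SetSubjectDN(new X509Name(subjectName));

    // Two-year validity starting at midnight UTC of the current day.
    var notBefore = DateTime.UtcNow.Date;
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notBefore.AddYears(2));

    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(new KeyGenerationParameters(random, keyStrength));
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // NOTE(review): no BasicConstraints, KeyUsage or SubjectAltName extensions are added here;
    // confirm callers either add them or do not need clients to validate the certificate's purpose.

    // Sign with the issuer's key (only a true self-signature when that is the subject's own key).
    var certificate = certificateGenerator.Generate(issuerPrivKey, random);

    var x509 = new X509Certificate2(certificate.GetEncoded());

    // Re-read the key via its PKCS#8 encoding to reach the PKCS#1 RSAPrivateKey sequence:
    // version, n, e, d, p, q, dP, dQ, qInv — exactly nine elements for a two-prime key.
    // Anything else would produce a corrupt CRT key below, so fail loudly instead of continuing.
    var info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
    var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKey.GetDerEncoded());
    if (seq.Count != 9)
    {
        throw new System.Security.Cryptography.CryptographicException("malformed sequence in RSA private key");
    }

    var rsa = RsaPrivateKeyStructure.GetInstance(seq);
    var rsaparams = new RsaPrivateCrtKeyParameters(
        rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent,
        rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

    x509.PrivateKey = ToDotNetKey(rsaparams);
    return x509;
}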
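/// <summary>
/// Generates a new 2048-bit RSA certificate for <paramref name="subjectName"/> signed
/// (SHA256WithRSA) by the issuer's private key, installs it into the LocalMachine
/// TrustedPeople store and exports it, private key included, as a PFX file.
/// </summary>
/// <param name="subjectName">
/// Common name of the new certificate; it is prefixed with "CN=" to form the subject DN and is
/// also used as the export file name.
/// </param>
/// <param name="issuerName">
/// Distinguished name of the CA (Certificate Authority). It must match the CA certificate's
/// subject exactly for chain building to succeed.
/// </param>
/// <param name="issuerPrivKey">Private key of the issuing CA, used to sign the certificate.</param>
/// <returns>The certificate together with its freshly generated private key.</returns>
/// <exception cref="System.Security.Cryptography.CryptographicException">
/// The generated key did not decode to a nine-element PKCS#1 RSAPrivateKey sequence.
/// </exception>
public static X509Certificate2 GenerateAuthorizeSignedCertificate(string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivKey)
{
    const int keyStrength = 2048;
    const string signatureAlgorithm = "SHA256WithRSA";

    var random = new SecureRandom(new CryptoApiRandomGenerator());
    var certificateGenerator = new X509V3CertificateGenerator();

    // Random positive serial number in [1, Int64.MaxValue].
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);
    certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

    // NOTE(review): subjectName is spliced into a DN string without escaping, so DN special
    // characters in it (e.g. ',' or '=') would change the DN structure — confirm callers
    // only pass plain common names.
    var subjectDN = new X509Name("CN=" + subjectName);
    var issuerDN = new X509Name(issuerName);
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Two-year validity starting at midnight UTC of the current day.
    var notBefore = DateTime.UtcNow.Date;
    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notBefore.AddYears(2));

    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(new KeyGenerationParameters(random, keyStrength));
    var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // NOTE(review): no BasicConstraints, KeyUsage or SubjectAltName extensions are added here;
    // confirm that the consumers of this certificate do not require them.

    // Signed by the CA's key, not self-signed.
    var certificate = certificateGenerator.Generate(issuerPrivKey, random);

    var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());

    // Re-read the key via its PKCS#8 encoding to reach the PKCS#1 RSAPrivateKey sequence:
    // version, n, e, d, p, q, dP, dQ, qInv — exactly nine elements for a two-prime key.
    // Anything else would produce a corrupt CRT key below, so fail loudly instead of continuing.
    var info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
    var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
    if (seq.Count != 9)
    {
        throw new System.Security.Cryptography.CryptographicException("malformed sequence in RSA private key");
    }

    var rsa = RsaPrivateKeyStructure.GetInstance(seq);
    var rsaparams = new RsaPrivateCrtKeyParameters(
        rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent,
        rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

    x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);

    // Writing to the LocalMachine store normally requires elevated privileges.
    AddCertificateToStore(x509, StoreName.TrustedPeople, StoreLocation.LocalMachine);

    // NOTE(review): the PFX carries the private key and subjectName flows into the output path;
    // confirm ExportToFileSystem sanitises the name and restricts the file's permissions.
    ExportToFileSystem(X509ContentType.Pfx, x509, subjectName);

    return x509;
}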