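public static void CertificateToDerPem(Org.BouncyCastle.X509.X509Certificate caSsl)
{
    // Diagnostic helper: PEM-encodes a BouncyCastle certificate to "foo.derpem" in the
    // working directory (overwriting any existing file), parses it back, converts the
    // result to a .NET X509Certificate2 and prints what came out.
    // Only public material is ever printed: a certificate contains no private key.
    if (caSsl == null)
    {
        throw new System.ArgumentNullException(nameof(caSsl));
    }

    string pemOrDerFile = "foo.derpem";
    string pem = CerGenerator.ToPem(caSsl.GetEncoded());
    System.IO.File.WriteAllText(pemOrDerFile, pem, System.Text.Encoding.ASCII);

    Org.BouncyCastle.X509.X509CertificateParser parser = new Org.BouncyCastle.X509.X509CertificateParser();
    Org.BouncyCastle.X509.X509Certificate cert = null;
    // The original left this FileStream open (never disposed); release it so the
    // file can be overwritten or deleted by later calls.
    using (System.IO.FileStream fs = System.IO.File.OpenRead(pemOrDerFile))
    {
        cert = parser.ReadCertificate(fs);
    }
    System.Console.WriteLine(cert);

    System.Security.Cryptography.X509Certificates.X509Certificate dotCert1 = Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert);
    System.Security.Cryptography.X509Certificates.X509Certificate2 dotCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(dotCert1);
    System.Console.WriteLine(dotCert.PublicKey);
    // The original printed dotCert.PrivateKey. A certificate parsed from PEM/DER
    // carries no private key, so that was always empty -- and private key material
    // must never be written to the console anyway. Report presence only.
    System.Console.WriteLine(dotCert.HasPrivateKey);
}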
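public static byte[] CreateSelfSignedCertificate(string[] alternativeNames, string password)
{
    // Issues a TLS server certificate carrying the given subject alternative names,
    // signed by the root CA whose PEM private key and certificate are read from the
    // secret store ("skynet_key" / "skynet_cert"), and returns it as PKCS#12 bytes
    // protected by 'password'.
    // Throws ArgumentNullException if alternativeNames is null and
    // InvalidOperationException if the issued certificate does not verify against the
    // root public key (a failure of the signing step, not a caller error).
    if (alternativeNames == null)
    {
        throw new System.ArgumentNullException(nameof(alternativeNames));
    }

    string pemKey = SecretManager.GetSecret<string>("skynet_key");
    string pemCert = SecretManager.GetSecret<string>("skynet_cert");
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKey = ReadAsymmetricKeyParameter(pemKey);
    Org.BouncyCastle.X509.X509Certificate rootCert = PemStringToX509(pemCert);

    // Randomness comes from the project's own generator wrapper, not the platform default.
    Org.BouncyCastle.Security.SecureRandom random = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);

    Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(
          random
        , rootCert
        , certKeyPair.Public
        , rootKey.Private
        , alternativeNames
    );

    if (!CerGenerator.ValidateSelfSignedCert(sslCertificate, rootCert.GetPublicKey()))
    {
        throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
    }

    // NOTE(review): an empty or null password yields an unprotected PKCS#12 blob;
    // callers should supply a real password whenever the bytes leave this process.
    return CreatePfxBytes(sslCertificate, certKeyPair.Private, password);
} // End Function CreateSelfSignedCertificate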
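public static void GenerateSslCertificate(PfxData pfx, Org.BouncyCastle.Security.SecureRandom random)
{
    // Issues a TLS server certificate signed by the CA certificate/private key held in
    // 'pfx' and writes the result to the working directory as obelix.pfx (empty
    // password), obelix.cer/.crt, obelix.pem and the PEM private key obelix_private.key.
    // Throws InvalidOperationException if the issued certificate does not verify
    // against the CA public key.
    if (pfx == null)
    {
        throw new System.ArgumentNullException(nameof(pfx));
    }
    if (random == null)
    {
        throw new System.ArgumentNullException(nameof(random));
    }

    // IIS does not support Elliptic Curve...
    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateEcKeyPair("secp256k1", random);
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);
    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDsaKeyPair(1024, random);
    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDHKeyPair(1024, random);
    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateGostKeyPair(4096, random);

    Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(random, pfx.Certificate, certKeyPair.Public, pfx.PrivateKey);

    // The original computed this flag and then ignored it. A certificate that does
    // not verify against its issuer must not be written out as if it were good;
    // this matches the check the other issuance paths in this file perform.
    if (!CerGenerator.ValidateSelfSignedCert(sslCertificate, pfx.Certificate.GetPublicKey()))
    {
        throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
    }

    // SSL
    (string Private, string Public) certKeys = KeyPairToPem(certKeyPair);

    // SECURITY: the PFX below has an empty password and the private key is written as
    // plaintext PEM. Both are only acceptable on a single-user dev machine; restrict
    // file permissions or encrypt before using anywhere shared.
    PfxFile.Create(@"obelix.pfx", sslCertificate, certKeyPair.Private, "");
    WriteCerAndCrt(sslCertificate, @"obelix");
    System.IO.File.WriteAllText(@"obelix_private.key", certKeys.Private, System.Text.Encoding.ASCII);
    // System.IO.File.WriteAllText(@"obelix_public.key", certKeys.Public, System.Text.Encoding.ASCII);

    string pemCert = ToPem(sslCertificate);
    System.IO.File.WriteAllText(@"obelix.pem", pemCert, System.Text.Encoding.ASCII);
} // End Sub GenerateSslCertificate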
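} // End Sub GenerateRootCertificate


public static Org.BouncyCastle.X509.X509Certificate SelfSignSslCertificate(
      Org.BouncyCastle.Security.SecureRandom random
    , Org.BouncyCastle.X509.X509Certificate caRoot
    , Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublicKey
    , Org.BouncyCastle.Crypto.AsymmetricKeyParameter rootCertPrivateKey
)
{
    // Builds a TLS server certificate for "localhost" (fixed subject, 5-year validity,
    // SAN list below) over the caller-supplied 'subjectPublicKey', signed with
    // 'rootCertPrivateKey' so it chains to 'caRoot'. Despite the name the result is
    // CA-issued, not self-signed. Nothing is written to disk here.
    if (random == null)
    {
        throw new System.ArgumentNullException(nameof(random));
    }
    if (caRoot == null)
    {
        throw new System.ArgumentNullException(nameof(caRoot));
    }
    if (subjectPublicKey == null)
    {
        throw new System.ArgumentNullException(nameof(subjectPublicKey));
    }
    if (rootCertPrivateKey == null)
    {
        throw new System.ArgumentNullException(nameof(rootCertPrivateKey));
    }

    string countryIso2Characters = "GA";
    string stateOrProvince = "Aremorica";
    string localityOrCity = "Erquy, Bretagne";
    string companyName = "Coopérative Ménhir Obelix Gmbh & Co. KGaA";
    string division = "Neanderthal Technology Group (NT)";
    string domainName = "localhost";
    string email = "webmaster@localhost";

    CertificateInfo ci = new CertificateInfo(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email
        , System.DateTime.UtcNow
        , System.DateTime.UtcNow.AddYears(5)
    );

    // SECURITY: the original SAN list also contained "*.com". A leaf certificate that
    // is valid for every .com host lets anyone holding its key impersonate arbitrary
    // sites on every machine that trusts caRoot, so that entry was removed. Add only
    // names this host really serves.
    ci.AddAlternativeNames("localhost", System.Environment.MachineName, "127.0.0.1", "sql.guru", "*.sql.guru", "example.int", "foo.int", "bar.int", "foobar.int");

    // The original generated an RSA-2048 key pair here that was never used (the subject
    // key is caller-supplied); that expensive, pointless key generation was dropped.
    return CerGenerator.GenerateSslCertificate(
          ci
        , subjectPublicKey
        , rootCertPrivateKey
        , caRoot
        , random
    );
} // End Sub SelfSignSslCertificate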
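} // End Sub SelfSignSslCertificate


// https://stackoverflow.com/questions/51703109/nginx-the-ssl-directive-is-deprecated-use-the-listen-ssl
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate()
{
    // Creates a new RSA-2048 root CA ("Skynet", 5-year validity) using the project's
    // PRNG wrapper, stores it as ca.pfx (no password) plus the key pair written by
    // CerGenerator.WritePrivatePublicKey("issuer", ...), and returns the CA certificate.
    // SECURITY: both files hold the CA private key unprotected in the working directory.
    // Whoever can read them can mint certificates trusted by every machine that trusts
    // this root. Lock down or encrypt these files before the root is distributed.
    string countryIso2Characters = "EA";
    string stateOrProvince = "Europe";
    string localityOrCity = "NeutralZone";
    string companyName = "Skynet Earth Inc.";
    string division = "Skynet mbH";
    string domainName = "Skynet";
    string email = "*****@*****.**";

    Org.BouncyCastle.Security.SecureRandom sr = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    CertificateInfo caCertInfo = new CertificateInfo(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email
        , System.DateTime.UtcNow
        , System.DateTime.UtcNow.AddYears(5)
    );

    // RSA-2048 is used for compatibility; EC/DSA/DH/GOST variants were removed as dead code.
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(2048, sr);

    // A root is self-issued: subject and issuer are the same key pair.
    caCertInfo.SubjectKeyPair = KeyImportExport.GetPemKeyPair(kp1);
    caCertInfo.IssuerKeyPair = KeyImportExport.GetPemKeyPair(kp1);

    Org.BouncyCastle.X509.X509Certificate caRoot = CerGenerator.GenerateRootCertificate(caCertInfo, sr);

    // null password => unprotected PKCS#12 (see SECURITY note above).
    PfxGenerator.CreatePfxFile(@"ca.pfx", caRoot, kp1.Private, null);
    CerGenerator.WritePrivatePublicKey("issuer", caCertInfo.IssuerKeyPair);

    return caRoot;
} // End Sub GenerateRootCertificate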
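private static Org.BouncyCastle.X509.X509Certificate SelfSignSslCertificate(
      Org.BouncyCastle.Security.SecureRandom random
    , Org.BouncyCastle.X509.X509Certificate caRoot
    , Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublicKey
    , Org.BouncyCastle.Crypto.AsymmetricKeyParameter rootCertPrivateKey
    , string[] alternativeNames
)
{
    // Builds a TLS server certificate with a fixed "localhost" subject and the given
    // subject alternative names over 'subjectPublicKey', signed by 'rootCertPrivateKey'
    // so it chains to 'caRoot'. Despite the name it is CA-issued, not self-signed.
    // Nothing is written to disk here.
    if (alternativeNames == null)
    {
        throw new System.ArgumentNullException(nameof(alternativeNames));
    }
    if (subjectPublicKey == null)
    {
        throw new System.ArgumentNullException(nameof(subjectPublicKey));
    }
    if (rootCertPrivateKey == null)
    {
        throw new System.ArgumentNullException(nameof(rootCertPrivateKey));
    }

    string countryIso2Characters = "GA";
    string stateOrProvince = "Aremorica";
    string localityOrCity = "Erquy, Bretagne";
    string companyName = "Coopérative Ménhir Obelix Gmbh & Co. KGaA";
    string division = "Neanderthal Technology Group (NT)";
    string domainName = "localhost";
    string email = "webmaster@localhost";

    // NOTE(review): a 50-year validity for a TLS leaf certificate far exceeds what
    // browsers accept and keeps a compromised key usable for decades. Preserved so
    // existing output is unchanged, but it should be shortened (the sibling overloads
    // use 5 years).
    CertificateInfo ci = new CertificateInfo(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email
        , System.DateTime.UtcNow
        , System.DateTime.UtcNow.AddYears(50)
    );
    ci.AddAlternativeNames(alternativeNames);

    // The original generated an unused RSA-2048 key pair here; the subject key is
    // caller-supplied, so that wasted key generation was removed.
    return CerGenerator.GenerateSslCertificate(
          ci
        , subjectPublicKey
        , rootCertPrivateKey
        , caRoot
        , random
    );
} // End Sub SelfSignSslCertificate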
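} // End Sub WriteCerAndCrt


// https://stackoverflow.com/questions/51703109/nginx-the-ssl-directive-is-deprecated-use-the-listen-ssl
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate(
      Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKeyPair
    , Org.BouncyCastle.Security.SecureRandom sr)
{
    // Builds a self-signed root CA certificate ("Skynet", 5-year validity) over the
    // caller-supplied key pair. Unlike the parameterless overload this writes nothing
    // to disk; the caller owns the key material.
    if (rootKeyPair == null)
    {
        throw new System.ArgumentNullException(nameof(rootKeyPair));
    }
    if (sr == null)
    {
        throw new System.ArgumentNullException(nameof(sr));
    }

    // NOTE(review): "Laniakea Supercluster" is not a two-letter ISO 3166 code. X.509
    // countryName is specified as exactly two characters and strict validators may
    // reject this certificate. Kept verbatim to preserve output; consider "EA" as in
    // the other overload.
    string countryIso2Characters = "Laniakea Supercluster";
    string stateOrProvince = "Milky Way Galaxy";
    string localityOrCity = "Planet Earth";
    string companyName = "Skynet Earth Inc.";
    string division = "Skynet Ltd.";
    string domainName = "sky.net";
    string email = "*****@*****.**";

    CertificateInfo caCertInfo = new CertificateInfo(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email
        , System.DateTime.UtcNow
        , System.DateTime.UtcNow.AddYears(5)
    );

    // The original also generated an unused RSA-2048 key pair after this call and
    // declared an unused local; both were removed.
    return CerGenerator.GenerateRootCertificate(caCertInfo, sr, rootKeyPair.Public, rootKeyPair.Private);
} // End Sub GenerateRootCertificate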
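// https://twitter.com/HackerNewsOnion/status/740228588520247296?lang=en
// Announcing Let’s Decrypt, A SSL Certificate Authority Backed By The NSA
// Talk about throwing a skunk in the jury pool! I feel like now we need proof this is fiction!
// ok this activated my paranoia.
// Announcing Let’s Decrypt, A SSL Certificate Authority Backed By The NSA < It’s totes secure. Promise.
public static async System.Threading.Tasks.Task Main(string[] args)
{
    // Demo entry point: loads the root CA key and certificate from the secret store,
    // issues a "localhost" TLS certificate signed by that CA, checks the signature,
    // builds (and discards) a PKCS#12 blob, then waits for a key press.
    string pemKey = SecretManager.GetSecret<string>("skynet_key");
    string pemCert = SecretManager.GetSecret<string>("skynet_cert");

    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKey = ReadAsymmetricKeyParameter(pemKey);
    // SECURITY: the original did Console.WriteLine(rootKey.Private), dumping the CA
    // private key into terminal scrollback and any captured stdout/log. Only confirm
    // that the key loaded; never print the key itself.
    System.Console.WriteLine("Root CA private key loaded.");

    Org.BouncyCastle.X509.X509Certificate rootCert = PemStringToX509(pemCert);
    System.Console.WriteLine(rootCert);

    Org.BouncyCastle.Security.SecureRandom random = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);

    Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(
          random
        , rootCert
        , certKeyPair.Public
        , rootKey.Private
    );

    if (!CerGenerator.ValidateSelfSignedCert(sslCertificate, rootCert.GetPublicKey()))
    {
        throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
    }

    // Empty password => unprotected PKCS#12; tolerable only because the bytes are
    // discarded here. Pass a real password when the result is persisted.
    CreatePfxBytes(sslCertificate, certKeyPair.Private, "");

    System.Console.WriteLine(" --- Press any key to continue --- ");
    System.Console.ReadKey();

    await System.Threading.Tasks.Task.CompletedTask;
}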
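} // End Sub Test


public static void SelfSignSslCertificate(Org.BouncyCastle.Security.SecureRandom random, Org.BouncyCastle.X509.X509Certificate caRoot, Org.BouncyCastle.Crypto.AsymmetricKeyParameter rootCertPrivateKey)
{
    // Generates a fresh RSA-2048 key pair, issues a "localhost" TLS certificate for it
    // signed by 'caRoot' / 'rootCertPrivateKey' (5-year validity, SAN list below), and
    // writes to the working directory: obelix.pfx (empty password), the obelix key pair
    // via CerGenerator.WritePrivatePublicKey, and ca / obelix .cer and .crt files.
    // Also round-trips the result through CertificateToDerPem for inspection.
    // Throws InvalidOperationException if the issued certificate does not verify
    // against the CA public key.
    if (random == null)
    {
        throw new System.ArgumentNullException(nameof(random));
    }
    if (caRoot == null)
    {
        throw new System.ArgumentNullException(nameof(caRoot));
    }
    if (rootCertPrivateKey == null)
    {
        throw new System.ArgumentNullException(nameof(rootCertPrivateKey));
    }

    string countryIso2Characters = "GA";
    string stateOrProvince = "Aremorica";
    string localityOrCity = "Erquy, Bretagne";
    string companyName = "Coopérative Ménhir Obelix Gmbh & Co. KGaA";
    string division = "NT (Neanderthal Technology)";
    string domainName = "localhost";
    string email = "webmaster@localhost";

    CertificateInfo ci = new CertificateInfo(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email
        , System.DateTime.UtcNow
        , System.DateTime.UtcNow.AddYears(5)
    );
    ci.AddAlternativeNames("localhost", System.Environment.MachineName, "127.0.0.1", "sql.guru", "*.sql.guru");

    // RSA-2048 for compatibility (EC/DSA/DH variants removed as dead code).
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(2048, random);
    ci.SubjectKeyPair = KeyImportExport.GetPemKeyPair(kp1);

    // BUG FIX: the original passed null for both the subject public key and the issuer
    // private key, so neither the freshly generated kp1 nor the rootCertPrivateKey
    // parameter ever reached the generator. The certificate must bind kp1.Public and be
    // signed with the CA key, exactly as the sibling overloads do.
    Org.BouncyCastle.X509.X509Certificate caSsl = CerGenerator.GenerateSslCertificate(
          ci
        , kp1.Public
        , rootCertPrivateKey
        , caRoot
        , random
    );

    CertificateToDerPem(caSsl);

    // Reminder: an X.509 certificate never contains the private key -- the whole point
    // of certificates is that they can be handed out openly while the private key stays
    // secret. X509Certificate2.PrivateKey is merely a convenience association on the
    // .NET object, not part of the encoded certificate.

    // The original only printed the validation flag. Match the other issuance paths:
    // refuse to write out a certificate that does not verify against the CA.
    if (!CerGenerator.ValidateSelfSignedCert(caSsl, caRoot.GetPublicKey()))
    {
        throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
    }

    // SECURITY: the PFX has an empty password and WritePrivatePublicKey stores the
    // private key unprotected on disk -- dev-box use only.
    PfxGenerator.CreatePfxFile(@"obelix.pfx", caSsl, kp1.Private, "");
    CerGenerator.WritePrivatePublicKey("obelix", ci.SubjectKeyPair);

    CerGenerator.WriteCerAndCrt(@"ca", caRoot);
    CerGenerator.WriteCerAndCrt(@"obelix", caSsl);
} // End Sub SelfSignSslCertificate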