public static void SerialNumber_AlwaysPositive(string desiredSerial, string expectedSerial) { using (ECDsa ecdsa = ECDsa.Create(EccTestData.Secp521r1_DiminishedPublic_Data.KeyParameters)) { var generator = X509SignatureGenerator.CreateForECDsa(ecdsa); CertificateRequest request = new CertificateRequest( new X500DistinguishedName("CN=Test Cert"), generator.PublicKey, HashAlgorithmName.SHA512); DateTimeOffset now = DateTimeOffset.UtcNow; byte[] serialNumber = desiredSerial.HexToByteArray(); // byte[] serialNumber X509Certificate2 cert = request.Create( request.SubjectName, generator, now, now.AddDays(1), serialNumber); using (cert) { Assert.Equal(expectedSerial, cert.SerialNumber); } // ReadOnlySpan<byte> serialNumber cert = request.Create( request.SubjectName, generator, now, now.AddDays(1), serialNumber.AsSpan()); using (cert) { Assert.Equal(expectedSerial, cert.SerialNumber); } } }
public static void ECDSA_Signing_RSAPublicKey() { using (RSA rsa = RSA.Create()) using (ECDsa ecdsa = ECDsa.Create()) { var request = new CertificateRequest( new X500DistinguishedName("CN=Test"), ecdsa, HashAlgorithmName.SHA256); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, true)); DateTimeOffset now = DateTimeOffset.UtcNow; using (X509Certificate2 cert = request.CreateSelfSigned(now, now.AddDays(1))) { X509SignatureGenerator rsaGenerator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1); request = new CertificateRequest( new X500DistinguishedName("CN=Leaf"), rsaGenerator.PublicKey, HashAlgorithmName.SHA256); byte[] serialNumber = { 1, 1, 2, 3, 5, 8, 13 }; Assert.Throws <ArgumentException>( () => request.Create(cert, now, now.AddHours(3), serialNumber)); X509SignatureGenerator ecdsaGenerator = X509SignatureGenerator.CreateForECDsa(ecdsa); // Passes with the generator using (request.Create(cert.SubjectName, ecdsaGenerator, now, now.AddHours(3), serialNumber)) { } } } }
public static X509Certificate2 CreateSelfSignedCertificateAsync( string CA = "MoHA Corp .Inc", int validForDays = 30) { using RSA rootRSA = RSA.Create(4096); using RSA certRSA = RSA.Create(2048); var certAuthorityReq = new CertificateRequest( $"CN={CA}", rootRSA, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); certAuthorityReq.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, true)); certAuthorityReq.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(certAuthorityReq.PublicKey, false)); using var rootCertificate = certAuthorityReq .CreateSelfSigned( DateTimeOffset.UtcNow.AddDays(-30), DateTimeOffset.UtcNow.AddDays(365)); var csr = new CertificateRequest( $"CN={CA}", certRSA, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); csr.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, false, 0, false)); csr.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.KeyEncipherment, false)); csr.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.8") }, true)); csr.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(csr.PublicKey, false)); using var certificate = csr.Create( rootCertificate, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(validForDays), new byte[] { 1, 2, 3, 4 }); return(certificate.CopyWithPrivateKey(certRSA)); }
public static void DisplayCertificateTest() { using (ECDsa ecdsa = ECDsa.Create(EccTestData.Secp256r1Data.KeyParameters)) { CertificateRequest request = new CertificateRequest("CN=Test", ecdsa, HashAlgorithmName.SHA256); DateTimeOffset now = DateTimeOffset.UtcNow; using (X509Certificate2 cert = request.Create(request.SubjectName, X509SignatureGenerator.CreateForECDsa(ecdsa), now, now.AddMinutes(10), new byte[1])) { X509Certificate2UI.DisplayCertificate(cert); } } }
public static void AssociatePersistedKey_CAPI_RSA(int provType, KeyNumber keyNumber) { const string KeyName = nameof(AssociatePersistedKey_CAPI_RSA); CspParameters cspParameters = new CspParameters(provType) { KeyNumber = (int)keyNumber, KeyContainerName = KeyName, Flags = CspProviderFlags.UseNonExportableKey, }; using (RSACryptoServiceProvider rsaCsp = new RSACryptoServiceProvider(cspParameters)) { rsaCsp.PersistKeyInCsp = false; // Use SHA-1 because the FULL and SCHANNEL providers can't handle SHA-2. HashAlgorithmName hashAlgorithm = HashAlgorithmName.SHA1; var generator = new RSASha1Pkcs1SignatureGenerator(rsaCsp); byte[] signature; CertificateRequest request = new CertificateRequest( new X500DistinguishedName($"CN={KeyName}-{provType}-{keyNumber}"), generator.PublicKey, hashAlgorithm); DateTimeOffset now = DateTimeOffset.UtcNow; using (X509Certificate2 cert = request.Create(request.SubjectName, generator, now, now.AddDays(1), new byte[1])) using (X509Certificate2 withPrivateKey = cert.CopyWithPrivateKey(rsaCsp)) using (RSA rsa = withPrivateKey.GetRSAPrivateKey()) { signature = rsa.SignData(Array.Empty <byte>(), hashAlgorithm, RSASignaturePadding.Pkcs1); Assert.True( rsaCsp.VerifyData(Array.Empty <byte>(), signature, hashAlgorithm, RSASignaturePadding.Pkcs1)); } // Some certs have disposed, did they delete the key? cspParameters.Flags = CspProviderFlags.UseExistingKey; using (RSACryptoServiceProvider stillPersistedKey = new RSACryptoServiceProvider(cspParameters)) { byte[] signature2 = stillPersistedKey.SignData( Array.Empty <byte>(), hashAlgorithm, RSASignaturePadding.Pkcs1); Assert.Equal(signature, signature2); } } }
public static void Sign_ArgumentValidation() { using (X509Certificate2 testRoot = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword)) { CertificateRequest request = new CertificateRequest("CN=Test", testRoot.GetRSAPublicKey(), HashAlgorithmName.SHA256); Assert.Throws <ArgumentNullException>( "generator", () => request.Create(testRoot.SubjectName, null, DateTimeOffset.MinValue, DateTimeOffset.MinValue, null)); Assert.Throws <ArgumentException>( null, () => request.Create(testRoot, DateTimeOffset.MaxValue, DateTimeOffset.MinValue, null)); Assert.Throws <ArgumentException>( "serialNumber", () => request.Create(testRoot, DateTimeOffset.MinValue, DateTimeOffset.MaxValue, null)); Assert.Throws <ArgumentException>( "serialNumber", () => request.Create(testRoot, DateTimeOffset.MinValue, DateTimeOffset.MaxValue, Array.Empty <byte>())); } }
/// <summary> /// Create a self signed certificate, optionally providing a locally existente CA certificate /// </summary> /// <param name="subjectName"></param> /// <param name="organization"></param> /// <param name="country"></param> /// <param name="authority">Optional authority cert to sign this one against.</param> /// <param name="expirationDays"></param> /// <returns></returns> public static X509Certificate2 GenerateSelfSignedCertificate( string subjectName, string organization, string country, X509Certificate2 authority = null, int expirationDays = 90) { // Have this certificate work with localhost, etc.. SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName("localhost"); sanBuilder.AddDnsName(Environment.MachineName); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={subjectName}, O={organization}, C={country}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); DateTimeOffset notBefore = DateTimeOffset.UtcNow; DateTimeOffset notAfter = notBefore.AddDays(expirationDays); X509Certificate2 certWithPrivateKey; if (authority == null) { certWithPrivateKey = request.CreateSelfSigned(notBefore, notAfter); } else { byte[] serialnumber = Encoding.ASCII.GetBytes(DateTime.UtcNow.ToString("MMMMddyyyyHHmmss")); certWithPrivateKey = request.Create(authority, notBefore, notAfter, serialnumber); } return(certWithPrivateKey); } }
private static X509Certificate2 CreateIntermediate(string name, X509Certificate2 issuer) { using var key = RSA.Create(); var request = new CertificateRequest(name, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true)); var serialNumber = new byte[8]; using var rng = RandomNumberGenerator.Create(); rng.GetBytes(serialNumber); return(request.Create(issuer, DateTimeOffset.UtcNow, issuer.NotAfter, serialNumber).CopyWithPrivateKey(key)); }
//public static X509Certificate2 CreateSelfSignedCertificateWithBouncyCastle(CertificateData certificateData, bool addPrivateKey) //{ // IDictionary attributes = GetNameParametersTable(certificateData); // X509Name name = new X509Name(_orderedAttributes, attributes); // var kpgen = new RsaKeyPairGenerator(); // var randomGenerator = new CryptoApiRandomGenerator(); // var random = new SecureRandom(randomGenerator); // AsymmetricCipherKeyPair subjectKeyPair = default(AsymmetricCipherKeyPair); // var keyGenerationParameters = new KeyGenerationParameters(random, 2048); // kpgen.Init(keyGenerationParameters); // subjectKeyPair = kpgen.GenerateKeyPair(); // AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair; // ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerKeyPair.Private, random); // var cerKp = kpgen.GenerateKeyPair(); // X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); // certGen.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random)); // certGen.SetIssuerDN(name); // certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0))); // certGen.SetNotAfter(DateTime.Today.AddDays(5000)); // certGen.SetSubjectDN(name); // certGen.SetPublicKey(cerKp.Public); // certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); // certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, true, // new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(cerKp.Public))); // var certificate = certGen.Generate(signatureFactory); // if (addPrivateKey) // { // return AddPrivateKey(certificate, subjectKeyPair, random); // } // System.Security.Cryptography.X509Certificates.X509Certificate initialCert = DotNetUtilities.ToX509Certificate(certificate); // return new X509Certificate2(initialCert); //} //public static X509Certificate2 AddPrivateKey(Org.BouncyCastle.X509.X509Certificate certificate, // AsymmetricCipherKeyPair subjectKeyPair, SecureRandom random) //{ // var store = new Pkcs12Store(); // string friendlyName = certificate.SubjectDN.ToString(); // X509Certificate2 cert = new X509Certificate2(); // var certificateEntry = new X509CertificateEntry(certificate); // store.SetCertificateEntry(friendlyName, certificateEntry); // store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); // var stream = new MemoryStream(); // store.Save(stream, "".ToCharArray(), random); // var convertedCertificate = new X509Certificate2(stream.ToArray(), "", // X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); // return convertedCertificate; //} //public static X509Certificate2 AddPrivateKey(Org.BouncyCastle.X509.X509Certificate certificate, // AsymmetricCipherKeyPair subjectKeyPair) //{ // var randomGenerator = new CryptoApiRandomGenerator(); // var random = new SecureRandom(randomGenerator); // return AddPrivateKey(certificate, subjectKeyPair, random); //} //public static Pkcs10CertificationRequest CreateCertificateSignRequest(CertificateData certificateData, out AsymmetricCipherKeyPair subjectKP) //{ // IDictionary attributes = GetNameParametersTable(certificateData); // var kpgen = new RsaKeyPairGenerator(); // var randomGenerator = new CryptoApiRandomGenerator(); // var random = new SecureRandom(randomGenerator); // var keyGenerationParameters = new KeyGenerationParameters(random, 2048); // kpgen.Init(keyGenerationParameters); // AsymmetricCipherKeyPair subjectKeyPair = default(AsymmetricCipherKeyPair); // subjectKeyPair = kpgen.GenerateKeyPair(); // AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair; // ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerKeyPair.Private, random); // X509Name subject = new X509Name(new ArrayList(attributes.Keys), attributes); // Pkcs10CertificationRequest result = new Pkcs10CertificationRequest(signatureFactory, subject, // subjectKeyPair.Public, null); // subjectKP = subjectKeyPair; // return result; //} public static X509Certificate2 CreateAndSignCertificate(string subject, RSA key, X509Certificate2 caCertificate) { CertificateRequest request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, false)); byte[] serialNumber = BitConverter.GetBytes(DateTime.Now.ToBinary()); DateTimeOffset expiration = DateTimeOffset.Now.AddYears(14); var clientCertificate = request.Create(caCertificate, DateTimeOffset.Now, expiration, serialNumber); return(clientCertificate.CopyWithPrivateKey(key)); }
public byte[] GenerateDeviceCertificate(string commonName, string password) { using RSA rsa = RSA.Create(2048); var certificateRequest = new CertificateRequest(new X500DistinguishedName($"CN={commonName}"), rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation, false)); certificateRequest.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.8") }, true)); certificateRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(certificateRequest.PublicKey, false)); return(certificateRequest .Create(_intermediateCertificate, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(360), new byte[] { 1, 2, 3, 4 }) .Export(X509ContentType.Pfx, password)); }
public async Task <X509Certificate2> IssueCertificateAsync(string subjectName, RSAPublicKeyParameters publicKey) { var certificateBundle = await _keyVaultClient.GetCertificateAsync(_rootCertificateId); using var issuerCertificate = new X509Certificate2(certificateBundle.Cer); using RSA certificateKey = CreateCertificateKey(publicKey); CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey, issuerCertificate.Extensions[SubjectIdExtensionOid]); byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync(); using var rsaKeyVault = _keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, issuerCertificate); var generator = X509SignatureGenerator.CreateForRSA(rsaKeyVault, RSASignaturePadding.Pkcs1); return(request.Create(issuerCertificate.SubjectName, generator, DateTime.Today.AddDays(-1), DateTime.Today.AddYears(1), certificateSerialNumber)); }
/// <summary> /// /// </summary> /// <param name="subjectName"></param> /// <param name="organization"></param> /// <param name="country"></param> /// <param name="authority"></param> /// <param name="expirationDays"></param> /// <returns></returns> public static X509Certificate2 GenerateSelfSignedCertificateBackup( string subjectName, string organization, string country, X509Certificate2 authority = null, int expirationDays = 90) { var ecdsa = ECDsa.Create(); // generate asymmetric key pair CertificateRequest request = new CertificateRequest( $"CN={subjectName}, O={organization}, C={country}", ecdsa, HashAlgorithmName.SHA256); // Indicate this certificate is to be used as a TLS Server via the EKU extension request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // Indicate the Subject Alternative Names requested // SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); // sanBuilder.AddDnsName("www.adatum.com"); // sanBuilder.AddDnsName("adatum.com"); // request.CertificateExtensions.Add(sanBuilder.Build()); // Produce a certificate good for a year DateTimeOffset notBefore = DateTimeOffset.UtcNow; DateTimeOffset notAfter = notBefore.AddDays(expirationDays); X509Certificate2 certWithPrivateKey; if (authority == null) { certWithPrivateKey = request.CreateSelfSigned(notBefore, notAfter); } else { byte[] serialnumber = Encoding.ASCII.GetBytes(DateTime.UtcNow.ToString("MMMMddyyyyHHmmss")); certWithPrivateKey = request.Create(authority, notBefore, notAfter, serialnumber); } return(certWithPrivateKey); }
public static X509Certificate2 CreateTlsCertificate(string commonName, X509Certificate2 caCertificate, int keySize, int days, params string[] subjectAltNames) { string subjectName = $"CN = {commonName}"; var rsa = RSA.Create(keySize); var certificateRequest = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); AddExtension(certificateRequest.CertificateExtensions, subjectAltNames); var dateTime = DateTime.UtcNow; X509Certificate2 tlsCertificate = certificateRequest.Create(caCertificate, new DateTimeOffset(dateTime), new DateTimeOffset(dateTime.AddDays(days)), Create20SerialNumber()); return(new X509Certificate2(tlsCertificate.CopyWithPrivateKey(rsa).Export(X509ContentType.Pfx), string.Empty, X509KeyStorageFlags.Exportable)); }
public static void AssociatePersistedKey_CAPI_DSA(int provType) { const string KeyName = nameof(AssociatePersistedKey_CAPI_DSA); CspParameters cspParameters = new CspParameters(provType) { KeyContainerName = KeyName, Flags = CspProviderFlags.UseNonExportableKey, }; using (DSACryptoServiceProvider dsaCsp = new DSACryptoServiceProvider(cspParameters)) { dsaCsp.PersistKeyInCsp = false; X509SignatureGenerator dsaGen = new DSAX509SignatureGenerator(dsaCsp); // Use SHA-1 because that's all DSACryptoServiceProvider understands. HashAlgorithmName hashAlgorithm = HashAlgorithmName.SHA1; CertificateRequest request = new CertificateRequest( new X500DistinguishedName($"CN={KeyName}-{provType}"), dsaGen.PublicKey, hashAlgorithm); DateTimeOffset now = DateTimeOffset.UtcNow; using (X509Certificate2 cert = request.Create(request.SubjectName, dsaGen, now, now.AddDays(1), new byte[1])) using (X509Certificate2 certWithPrivateKey = cert.CopyWithPrivateKey(dsaCsp)) using (DSA dsa = certWithPrivateKey.GetDSAPrivateKey()) { byte[] signature = dsa.SignData(Array.Empty <byte>(), hashAlgorithm); Assert.True(dsaCsp.VerifyData(Array.Empty <byte>(), signature, hashAlgorithm)); } // Some certs have disposed, did they delete the key? cspParameters.Flags = CspProviderFlags.UseExistingKey; using (var stillPersistedKey = new DSACryptoServiceProvider(cspParameters)) { stillPersistedKey.SignData(Array.Empty <byte>(), hashAlgorithm); } } }
/// <summary> /// Request a new certificate. /// </summary> /// <param name="subject">The complete subject list</param> /// <param name="certificatePassPhrase">The certificate request password</param> /// <param name="certificatePath">The certificate full path and file name.</param> public void RequestCertificateMultiDomain(Subject subject, string certificatePassPhrase, string certificatePath) { if (subject == null) { throw new ArgumentNullException("subject"); } if (String.IsNullOrEmpty(certificatePath)) { throw new ArgumentNullException("certificatePath"); } // Create a new certificate request. CertificateRequest certificate = new CertificateRequest( Nequeo.Security.OpenSsl.Properties.Settings.Default.OpenSSLExecutable, Nequeo.Security.OpenSsl.Properties.Settings.Default.OpenSSLMultiDomainConfiguration); // Create the certificate. certificate.Create(subject, certificatePassPhrase, certificatePath, true); }
public static void SelectCertificateSingleSelectionTest(int count) { using (ECDsa ecdsa = ECDsa.Create(EccTestData.Secp256r1Data.KeyParameters)) { CertificateRequest request = new CertificateRequest("CN=Test", ecdsa, HashAlgorithmName.SHA256); DateTimeOffset now = DateTimeOffset.UtcNow; using (X509Certificate2 cert = request.Create(request.SubjectName, X509SignatureGenerator.CreateForECDsa(ecdsa), now, now.AddMinutes(10), new byte[1])) { X509Certificate2Collection collection = new X509Certificate2Collection() { cert, cert }; X509Certificate2Collection actual = X509Certificate2UI.SelectFromCollection( collection, $"Choose {count} Certificate", string.Empty, count < 2 ? X509SelectionFlag.SingleSelection : X509SelectionFlag.MultiSelection, IntPtr.Zero); Assert.Equal(count, actual.Count); } } }
public void BasicRsaCertificateRequestTest() { // Load PKCS#11 based store using (var pkcs11Store = new Pkcs11X509Store(SoftHsm2Manager.LibraryPath, SoftHsm2Manager.PinProvider)) { // Find signing certificate (CA certificate) Pkcs11X509Certificate pkcs11CertOfCertificateAuthority = Helpers.GetCertificate(pkcs11Store, SoftHsm2Manager.Token1Label, SoftHsm2Manager.Token1TestUserRsaLabel); // Generate new key pair for end entity RSA rsaKeyPairOfEndEntity = RSA.Create(2048); // Define certificate request CertificateRequest certificateRequest = new CertificateRequest( new X500DistinguishedName("C=SK,L=Bratislava,CN=BasicRsaCertificateRequestTest"), rsaKeyPairOfEndEntity, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); // Define certificate extensions certificateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true)); certificateRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(certificateRequest.PublicKey, false)); certificateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, false)); // Issue X.509 certificate for end entity X509Certificate2 certificateOfEndEntity = certificateRequest.Create( pkcs11CertOfCertificateAuthority.Info.ParsedCertificate.SubjectName, X509SignatureGenerator.CreateForRSA(pkcs11CertOfCertificateAuthority.GetRSAPrivateKey(), RSASignaturePadding.Pkcs1), DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(365), new BigInteger(1).ToByteArray()); // Verify signature on X.509 certificate for end entity Assert.IsTrue(CaCertSignedEndEntityCert(pkcs11CertOfCertificateAuthority.Info.ParsedCertificate.RawData, certificateOfEndEntity.RawData)); // Asociate end entity certificate with its private key certificateOfEndEntity = certificateOfEndEntity.CopyWithPrivateKey(rsaKeyPairOfEndEntity); // Export end entity certificate to PKCS#12 file string basePath = Helpers.GetBasePath(); string pkcs12FilePath = Path.Combine(basePath, "BasicRsaCertificateRequestTest.p12"); File.WriteAllBytes(pkcs12FilePath, certificateOfEndEntity.Export(X509ContentType.Pkcs12, "password")); } }
public X509Certificate2 CreateSignedCertificate(string certificateName, string dnsName, X509Certificate2 issuerCertificate) { var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddIpAddress(IPAddress.Loopback); sanBuilder.AddIpAddress(IPAddress.IPv6Loopback); sanBuilder.AddDnsName(dnsName); sanBuilder.AddDnsName(Environment.MachineName); var distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using var rsa = RSA.Create(2048); var request = new CertificateRequest( distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var notBefore = issuerCertificate.NotBefore; var notAfter = issuerCertificate.NotAfter.AddDays(-1); // cert serial is the epoch/unix timestamp var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds); var serial = BitConverter.GetBytes(unixTime); var certificate = request.Create(issuerCertificate, notBefore, notAfter, serial); return(certificate.CopyWithPrivateKey(rsa)); }
static bool createChildCert(string subjectName, DateTimeOffset expirate) { try { Console.WriteLine($"Creating certificate for {subjectName}"); var clientKey = RSA.Create(2048); string clientSubject = $"CN={subjectName}"; var clientReq = new CertificateRequest(clientSubject, clientKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); clientReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); clientReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation, false)); clientReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(clientReq.PublicKey, false)); byte[] serialNumber = BitConverter.GetBytes(DateTime.Now.ToBinary()); //var clientCert = clientReq.Create(rootCert, DateTimeOffset.Now, expirate, serialNumber); var clientCert = clientReq.Create(rootCert, DateTimeOffset.Now, expirate, serialNumber); clientCert = clientCert.CopyWithPrivateKey(clientKey); File.WriteAllBytes($"{subjectName}.pfx", clientCert.Export(X509ContentType.Pfx)); // Создание .crt и .key StringBuilder builder = new StringBuilder(); builder.AppendLine("-----BEGIN CERTIFICATE-----"); builder.AppendLine(Convert.ToBase64String(clientCert.RawData, Base64FormattingOptions.InsertLineBreaks)); builder.AppendLine("-----END CERTIFICATE-----"); File.WriteAllText($"{subjectName}.crt", builder.ToString()); builder.Clear(); /* * string name = clientKey.SignatureAlgorithm.ToUpper(); * builder.AppendLine($"-----BEGIN {name} PRIVATE KEY-----"); * builder.AppendLine(Convert.ToBase64String(clientKey.ExportRSAPrivateKey(), Base64FormattingOptions.InsertLineBreaks)); * builder.AppendLine($"-----END {name} PRIVATE KEY-----"); * File.WriteAllText($"{subjectName}.key", builder.ToString()); */ return(true); } catch (Exception e) { Console.WriteLine($"An error occurred during creating a cerificate for {subjectName}.\n + {e.Message}"); return(false); } }
public static void TestInvalidAia() { using (RSA key = RSA.Create()) { CertificateRequest rootReq = new CertificateRequest( "CN=Root", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); rootReq.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, true)); CertificateRequest certReq = new CertificateRequest( "CN=test", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); certReq.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, false, 0, false)); certReq.CertificateExtensions.Add( new X509Extension( "1.3.6.1.5.5.7.1.1", new byte[] { 5 }, critical: false)); DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddDays(-1); DateTimeOffset notAfter = notBefore.AddDays(30); using (X509Certificate2 root = rootReq.CreateSelfSigned(notBefore, notAfter)) using (X509Certificate2 ee = certReq.Create(root, notBefore, notAfter, root.GetSerialNumber())) { X509Chain chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; Assert.False(chain.Build(ee)); Assert.Equal(1, chain.ChainElements.Count); Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags()); } } }
public X509Certificate2 CreateFakeCertificate(string fakeCN, string rootCertSerialNumber) { using (var userStore = new X509Store(StoreName.Root, StoreLocation.CurrentUser)) using (var rsa = RSA.Create(4096)) using (var random = new RNGCryptoServiceProvider()) { var parsedParams = JsonConvert.DeserializeObject <RSAParameters>(RsaParams); rsa.ImportParameters(parsedParams); userStore.Open(OpenFlags.MaxAllowed); using (var rootCert = userStore.Certificates.Cast <X509Certificate2>().Single(c => c.SerialNumber.Equals(rootCertSerialNumber, StringComparison.InvariantCultureIgnoreCase))) { var req = new CertificateRequest($"CN={fakeCN}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false)); req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // server auth new Oid("1.3.6.1.5.5.7.3.2") // client auth }, true)); req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false)); var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName(fakeCN); var sanExtension = sanBuilder.Build(); req.CertificateExtensions.Add(sanExtension); var serialNumber = new byte[16]; //random.GetBytes(serialNumber); var notBefore = new DateTime(2018, 07, 10); var notAfter = new DateTime(2019, 01, 01); // https://github.com/dotnet/corefx/issues/24454#issuecomment-388231655 using (var corruptFakeCert = req.Create(rootCert, notBefore, notAfter, serialNumber).CopyWithPrivateKey(rsa)) { var fixedFakeCert = new X509Certificate2(corruptFakeCert.Export(X509ContentType.Pkcs12)); return(fixedFakeCert); } } } }
public static X509Certificate2 GenerateCertificate( string issuerName, string subjectName, RSA issuerAlgorithm, RSA algorithm) { var subjectDN = $"CN={subjectName}"; var issuerDN = new X500DistinguishedName($"CN={issuerName}"); var notAfter = DateTime.UtcNow.Add(TimeSpan.FromHours(1)); var notBefore = DateTime.UtcNow.Subtract(TimeSpan.FromHours(1)); var random = new Random(); var serial = random.Next(); var serialNumber = BitConverter.GetBytes(serial); Array.Reverse(serialNumber); var hashAlgorithm = System.Security.Cryptography.HashAlgorithmName.SHA256; var request = new CertificateRequest(subjectDN, algorithm, hashAlgorithm, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(certificateAuthority: true, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true)); request.CertificateExtensions.Add( new X509SubjectKeyIdentifierExtension(request.PublicKey, critical: false)); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, critical: true)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(Oids.CodeSigningEku) }, critical: true)); var generator = X509SignatureGenerator.CreateForRSA(issuerAlgorithm, RSASignaturePadding.Pkcs1); using (var temp = request.Create(issuerDN, generator, notBefore, notAfter, serialNumber)) { var certResult = temp.CopyWithPrivateKey(algorithm); return(new X509Certificate2(certResult.Export(X509ContentType.Pkcs12), password: (string)null, keyStorageFlags: X509KeyStorageFlags.Exportable)); } }
public static void InvalidPublicKeyEncoding(string caseName, string parametersHex) { var generator = new InvalidSignatureGenerator( Array.Empty <byte>(), parametersHex.HexToByteArray(), new byte[] { 0x05, 0x00 }); CertificateRequest request = new CertificateRequest( new X500DistinguishedName("CN=Test"), generator.PublicKey, HashAlgorithmName.SHA256); DateTimeOffset now = DateTimeOffset.UtcNow; Exception exception = Assert.Throws <CryptographicException>( () => request.Create(request.SubjectName, generator, now, now.AddDays(1), new byte[1])); if (CultureInfo.CurrentCulture.Name == "en-US") { Assert.Contains("ASN1", exception.Message); } }
/// <inheritdoc/> public override X509Certificate2 CreateForRSA(X509SignatureGenerator generator) { CreateDefaults(); if (m_rsaPublicKey == null && IssuerCAKeyCert == null) { throw new NotSupportedException("Need an issuer certificate or a public key for a signature generator."); } var issuerSubjectName = SubjectName; if (IssuerCAKeyCert != null) { issuerSubjectName = IssuerCAKeyCert.SubjectName; } RSA rsaKeyPair = null; RSA rsaPublicKey = m_rsaPublicKey; if (rsaPublicKey == null) { rsaKeyPair = RSA.Create(m_keySize == 0 ? X509Defaults.RSAKeySize : m_keySize); rsaPublicKey = rsaKeyPair; } var request = new CertificateRequest(SubjectName, rsaPublicKey, HashAlgorithmName, RSASignaturePadding.Pkcs1); CreateX509Extensions(request, false); X509Certificate2 signedCert = request.Create( issuerSubjectName, generator, NotBefore, NotAfter, m_serialNumber.Reverse().ToArray() ); return((rsaKeyPair == null) ? signedCert : signedCert.CopyWithPrivateKey(rsaKeyPair)); }
/// <inheritdoc/> public override X509Certificate2 CreateForECDsa(X509SignatureGenerator generator) { if (IssuerCAKeyCert == null) { throw new NotSupportedException("X509 Signature generator requires an issuer certificate."); } if (m_ecdsaPublicKey == null && m_curve == null) { throw new NotSupportedException("Need a public key or a ECCurve to create the certificate."); } CreateDefaults(); ECDsa key = null; ECDsa publicKey = m_ecdsaPublicKey; if (publicKey == null) { key = ECDsa.Create((ECCurve)m_curve); publicKey = key; } var request = new CertificateRequest(SubjectName, publicKey, HashAlgorithmName); CreateX509Extensions(request, true); X509Certificate2 signedCert = request.Create( IssuerCAKeyCert.SubjectName, generator, NotBefore, NotAfter, m_serialNumber.Reverse().ToArray() ); // return a X509Certificate2 return((key == null) ? signedCert : signedCert.CopyWithPrivateKey(key)); }
public static void ECDSA_Signing_UnknownPublicKeyAlgorithm() { using ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256); PublicKey gostRPublicKey = PublicKey.CreateFromSubjectPublicKeyInfo( TestData.GostR3410SubjectPublicKeyInfo, out _); CertificateRequest issuerRequest = new CertificateRequest( new X500DistinguishedName("CN=root"), ecdsa, HashAlgorithmName.SHA256); issuerRequest.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, true)); CertificateRequest request = new CertificateRequest( new X500DistinguishedName("CN=test"), gostRPublicKey, HashAlgorithmName.SHA256); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, false, 0, true)); DateTimeOffset notBefore = DateTimeOffset.UtcNow; DateTimeOffset notAfter = notBefore.AddDays(30); byte[] serial = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 }; using X509Certificate2 issuer = issuerRequest.CreateSelfSigned(notBefore, notAfter); X509SignatureGenerator ecdsaGenerator = X509SignatureGenerator.CreateForECDsa(ecdsa); using X509Certificate2 cert = request.Create(issuer.SubjectName, ecdsaGenerator, notBefore, notAfter, serial); Assert.Null(cert.GetECDsaPublicKey()); Assert.Null(cert.GetECDiffieHellmanPublicKey()); Assert.Equal("1.2.643.2.2.19", cert.PublicKey.Oid.Value); }
private static X509Certificate2 Generate() { // Taken from https://github.com/dotnet/corefx/blob/5012dfe0813bf9f3eaf7a6460671e07ea048fd52/src/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CertificateRequestUsageTests.cs#L190 using var rsa = RSA.Create(); var request = new CertificateRequest( "CN=localhost, OU=.NET Framework (CoreFX), O=Microsoft Corporation, L=Redmond, S=Washington, C=US", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var caFakeIssuer = GenerateCA("CN=Fake Name CA, OU=Fake, O=Fake Org, L=FakeVille, S=Fake State, C=US"); var serialNumber = new byte[8]; RandomNumberGenerator.Fill(serialNumber); var now = DateTimeOffset.UtcNow; var cert = request.Create(caFakeIssuer, now.AddDays(-1), now.AddDays(90), serialNumber); var temp = cert.CopyWithPrivateKey(rsa); // Work around described in https://github.com/dotnet/corefx/issues/35120 return(new X509Certificate2(temp.Export(X509ContentType.Pfx))); }
public static void ThirdPartyProvider_DSA() { using (DSA dsaOther = new DSAOther()) { dsaOther.ImportParameters(TestData.GetDSA1024Params()); X509SignatureGenerator dsaGen = new DSAX509SignatureGenerator(dsaOther); // macOS DSA is limited to FIPS 186-3. HashAlgorithmName hashAlgorithm = HashAlgorithmName.SHA1; CertificateRequest request = new CertificateRequest( new X500DistinguishedName($"CN={nameof(ThirdPartyProvider_DSA)}"), dsaGen.PublicKey, hashAlgorithm); byte[] signature; byte[] data = request.SubjectName.RawData; DateTimeOffset now = DateTimeOffset.UtcNow; using (X509Certificate2 cert = request.Create(request.SubjectName, dsaGen, now, now.AddDays(1), new byte[1])) using (X509Certificate2 certWithPrivateKey = cert.CopyWithPrivateKey(dsaOther)) { using (DSA dsa = certWithPrivateKey.GetDSAPrivateKey()) { signature = dsa.SignData(data, hashAlgorithm); } // DSAOther is exportable, so ensure PFX export succeeds byte[] pfxBytes = certWithPrivateKey.Export(X509ContentType.Pkcs12, request.SubjectName.Name); Assert.InRange(pfxBytes.Length, 100, int.MaxValue); } Assert.True(dsaOther.VerifyData(data, signature, hashAlgorithm)); } }
public static void ECDSA_Signing_ECDSA_NoKeyUsageValidForECDSAAndECDH() { using ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256); using ECDsa ecdsaLeaf = ECDsa.Create(ECCurve.NamedCurves.nistP256); CertificateRequest issuerRequest = new CertificateRequest( new X500DistinguishedName("CN=root"), ecdsa, HashAlgorithmName.SHA256); issuerRequest.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, false, 0, true)); CertificateRequest request = new CertificateRequest( new X500DistinguishedName("CN=test"), ecdsaLeaf, HashAlgorithmName.SHA256); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, false, 0, true)); DateTimeOffset notBefore = DateTimeOffset.UtcNow; DateTimeOffset notAfter = notBefore.AddDays(30); byte[] serial = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 }; using X509Certificate2 issuer = issuerRequest.CreateSelfSigned(notBefore, notAfter); using X509Certificate2 cert = request.Create(issuer, notBefore, notAfter, serial); using ECDiffieHellman publicCertEcDhKey = cert.GetECDiffieHellmanPublicKey(); using ECDsa publicCertEcDsaKey = cert.GetECDsaPublicKey(); byte[] expectedSubjectPublicKeyInfo = ecdsaLeaf.ExportSubjectPublicKeyInfo(); Assert.NotNull(publicCertEcDhKey); Assert.NotNull(publicCertEcDsaKey); Assert.Equal(expectedSubjectPublicKeyInfo, publicCertEcDhKey.ExportSubjectPublicKeyInfo()); Assert.Equal(expectedSubjectPublicKeyInfo, publicCertEcDsaKey.ExportSubjectPublicKeyInfo()); }
public static X509Certificate2 CreateCertificateFromCA(X509Certificate2 caCert, string commonName, IEnumerable <string> subjectAlternativeNames = null) { using (var privateKey = RSA.Create(4096)) { subjectAlternativeNames = subjectAlternativeNames ?? Enumerable.Empty <string>(); var req = new CertificateRequest($"CN={commonName}", privateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); // Set SAN names if any var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var san in subjectAlternativeNames) { sanBuilder.AddDnsName(san); } req.CertificateExtensions.Add(sanBuilder.Build()); // not a CA cert req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); // allow the cert to be used for TLS req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.2"), // client new Oid("1.3.6.1.5.5.7.3.1") // server }, false)); req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false)); // https://blog.rassie.dk/2018/04/creating-an-x-509-certificate-chain-in-c/ // This is a self-signed cert. The serial number doesn't really matter. // Use Unix epoch for a random-enough serial number. var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds); var serialNumber = BitConverter.GetBytes(unixTime); return(req.Create(caCert, caCert.NotBefore, caCert.NotAfter, serialNumber).CopyWithPrivateKey(privateKey)); } }