// Certificate Revocation Lists
/**
* Gets the URL of the Certificate Revocation List for a Certificate
* @param certificate the Certificate
* @return the String where you can check if the certificate was revoked
* @throws CertificateParsingException
* @throws IOException
*/
public static String GetCRLURL(X509Certificate certificate)
{
try {
Asn1Object obj = GetExtensionValue(certificate, X509Extensions.CrlDistributionPoints.Id);
if (obj == null)
{
return(null);
}
CrlDistPoint dist = CrlDistPoint.GetInstance(obj);
DistributionPoint[] dists = dist.GetDistributionPoints();
foreach (DistributionPoint p in dists)
{
DistributionPointName distributionPointName = p.DistributionPointName;
if (DistributionPointName.FullName != distributionPointName.PointType)
{
continue;
}
GeneralNames generalNames = (GeneralNames)distributionPointName.Name;
GeneralName[] names = generalNames.GetNames();
foreach (GeneralName name in names)
{
if (name.TagNo != GeneralName.UniformResourceIdentifier)
{
continue;
}
DerIA5String derStr = DerIA5String.GetInstance((Asn1TaggedObject)name.ToAsn1Object(), false);
return(derStr.GetString());
}
}
} catch {
}
return(null);
}
internal static CertContainer IssueSignerCertificate(X509Name dnName, int keySize = DefaultKeySize)
{
CertContainer issuerCert = IntermediateCa;
RsaKeyPairGenerator keyPairGen = new RsaKeyPairGenerator();
keyPairGen.Init(new KeyGenerationParameters(_secureRandom, keySize));
AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair();
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(issuerCert.Certificate.SubjectDN);
certGen.SetNotBefore(DateTime.Now);
certGen.SetNotAfter(DateTime.Now.AddYears(1));
certGen.SetSubjectDN(dnName);
certGen.SetPublicKey(keyPair.Public);
certGen.SetSignatureAlgorithm("SHA256withRSA");
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert.Certificate.GetPublicKey()));
certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(X509KeyUsage.NonRepudiation | X509KeyUsage.DigitalSignature));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.Public));
certGen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
// Add CRL endpoint
Uri currentBaseUri = new Uri("https://localhost/");
Uri crlUri = new Uri(currentBaseUri, IntermediateCrlPath);
GeneralName generalName = new GeneralName(GeneralName.UniformResourceIdentifier, crlUri.ToString());
GeneralNames generalNames = new GeneralNames(generalName);
DistributionPointName distPointName = new DistributionPointName(generalNames);
DistributionPoint distPoint = new DistributionPoint(distPointName, null, null);
certGen.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new DistributionPoint[] { distPoint }));
// Add OCSP endpoint
Uri ocspUri = new Uri(currentBaseUri, OcspPath);
AccessDescription ocsp = new AccessDescription(AccessDescription.IdADOcsp,
new GeneralName(GeneralName.UniformResourceIdentifier, ocspUri.ToString()));
Asn1EncodableVector aiaASN = new Asn1EncodableVector();
aiaASN.Add(ocsp);
certGen.AddExtension(X509Extensions.AuthorityInfoAccess, false, new DerSequence(aiaASN));
X509Certificate generatedCert = certGen.Generate(issuerCert.PrivateKey);
Pkcs12StoreBuilder pfxBuilder = new Pkcs12StoreBuilder();
Pkcs12Store pfxStore = pfxBuilder.Build();
X509CertificateEntry certEntry = new X509CertificateEntry(generatedCert);
pfxStore.SetCertificateEntry(generatedCert.SubjectDN.ToString(), certEntry);
pfxStore.SetKeyEntry(generatedCert.SubjectDN + "_key", new AsymmetricKeyEntry(keyPair.Private), new X509CertificateEntry[] { certEntry });
return(new CertContainer(pfxStore, issuerCert.GetIssuerChain(true)));
}
private static CrlDistPoint CreateCrlDistributionPoint(string uri)
{
var gn = new GeneralName(GeneralName.UniformResourceIdentifier, uri);
var distributionPointname = new DistributionPointName(DistributionPointName.FullName, gn);
var distributionPoint = new DistributionPoint(distributionPointname, null, null);
return(new CrlDistPoint(new[] { distributionPoint }));
}
/// <summary>
/// Read a DistributionPoint list
/// </summary>
/// <param name="dps">DistributionPoint list</param>
protected void decode(DistributionPoint[] dps)
{
foreach (DistributionPoint dp in dps)
{
DistributionPointName dpn = dp.DistributionPointName;
OSCAGeneralName ogn = new OSCAGeneralName()
{
Name = dpn.Name.ToString(),
Type = (GenName)dpn.PointType
};
distPoints.Add(ogn);
}
}
/// <summary>
/// Create a Distribution Point list
/// </summary>
/// <returns>Distribution Point list</returns>
protected virtual DistributionPoint[] encode()
{
DistributionPoint[] dplist = new DistributionPoint[distPoints.Count()];
int i = 0;
foreach (OSCAGeneralName cdp in distPoints)
{
GeneralNames gn = generalNames.createGeneralNames(cdp.Type.ToString(), cdp.Name);
DistributionPointName dpn = new DistributionPointName(gn);
DistributionPoint dp = new DistributionPoint(dpn, null, null);
dplist[i] = dp;
i++;
}
return(dplist);
}
/// <summary>
/// Adds the CRL URLs to the CRL Distribution Points extension
/// </summary>
/// <param name="certGen"><see cref="X509V3CertificateGenerator"/></param>
/// <param name="crlUrls">List of <seealso cref="Uri"/></param>
public static void AddCrlDistributionPoints(this X509V3CertificateGenerator certGen, List <Uri> crlUrls)
{
if (crlUrls != null)
{
List <DistributionPoint> distributionPoints = new List <DistributionPoint>();
foreach (Uri url in crlUrls)
{
GeneralName gn = new GeneralName(GeneralName.UniformResourceIdentifier, url.ToString());
DistributionPointName distributionPointname = new DistributionPointName(DistributionPointName.FullName, gn);
distributionPoints.Add(new DistributionPoint(distributionPointname, null, null));
}
certGen.AddExtension(X509Extensions.CrlDistributionPoints, true, new CrlDistPoint(distributionPoints.ToArray()));
}
}
/// <summary>
/// Attaches multiple distribution points to the certificate currently in the chain.
/// </summary>
/// <param name="urls">A list of http CRL locations</param>
/// <returns></returns>
public CertificateBuilder AddCRLDistributionPoints(string[] urls)
{
var dps = new DistributionPoint[urls.Length];
for (int i = 0; i < urls.Length; i++)
{
string url = urls[i];
var name = new GeneralName(GeneralName.UniformResourceIdentifier, url.Trim());
var dpName = new DistributionPointName(DistributionPointName.FullName, name);
dps[i] = new DistributionPoint(dpName, null, null);
logger.Debug($"[ADD DISTRIBUTION POINT] => {url}");
}
certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(dps));
return(this);
}
public void AddCrlDistributionPoints()
{
var distributionPoints = new List <Asn1Encodable>();
foreach (var endpoint in CrlEndpoints)
{
var generalName = new GeneralName(GeneralName.UniformResourceIdentifier, new DerIA5String(endpoint));
var gns = new GeneralNames(generalName);
var dpn = new DistributionPointName(gns);
var distp = new DistributionPoint(dpn, null, null);
distributionPoints.Add(distp);
}
var seq = new DerSequence(distributionPoints.ToArray());
certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, seq);
}
static Asn1Encodable ExtractGeneralName(CrlDistPoint distributionPointsExtension, int tagNumber)
{
foreach (var distributionPoint in distributionPointsExtension.GetDistributionPoints())
{
DistributionPointName dpn = distributionPoint.DistributionPointName;
if (dpn.PointType == DistributionPointName.FullName)
{
foreach (var generalName in GeneralNames.GetInstance(dpn.Name).GetNames())
{
if (generalName.TagNo == tagNumber)
{
return generalName.Name;
}
}
}
}
return null;
}
internal static void AddAdditionalStoresFromCrlDistributionPoint(
CrlDistPoint crldp,
PkixParameters pkixParams)
{
if (crldp != null)
{
DistributionPoint[] dps = null;
try
{
dps = crldp.GetDistributionPoints();
}
catch (Exception e)
{
throw new Exception(
"Distribution points could not be read.", e);
}
for (int i = 0; i < dps.Length; i++)
{
DistributionPointName dpn = dps[i].DistributionPointName;
// look for URIs in fullName
if (dpn != null)
{
if (dpn.PointType == DistributionPointName.FullName)
{
GeneralName[] genNames = GeneralNames.GetInstance(
dpn.Name).GetNames();
// look for an URI
for (int j = 0; j < genNames.Length; j++)
{
if (genNames[j].TagNo == GeneralName.UniformResourceIdentifier)
{
string location = DerIA5String.GetInstance(
genNames[j].Name).GetString();
PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation(
location, pkixParams);
}
}
}
}
}
}
}
// Certificate Revocation Lists
/**
* Gets the URL of the Certificate Revocation List for a Certificate
* @param certificate the Certificate
* @return the String where you can check if the certificate was revoked
* @throws CertificateParsingException
* @throws IOException
*/
public static String GetCRLURL(X509Certificate certificate)
{
try {
Asn1Object obj = GetExtensionValue(certificate, X509Extensions.CrlDistributionPoints.Id);
if (obj == null)
{
return(null);
}
CrlDistPoint dist = CrlDistPoint.GetInstance(obj);
DistributionPoint[] dists = dist.GetDistributionPoints();
foreach (DistributionPoint p in dists)
{
DistributionPointName distributionPointName = p.DistributionPointName;
if (DistributionPointName.FullName != distributionPointName.PointType)
{
continue;
}
GeneralNames generalNames = (GeneralNames)distributionPointName.Name;
GeneralName[] names = generalNames.GetNames();
foreach (GeneralName name in names)
{
if (name.TagNo != GeneralName.UniformResourceIdentifier)
{
continue;
}
DerIA5String derStr = DerIA5String.GetInstance((Asn1TaggedObject)name.ToAsn1Object(), false);
//return derStr.GetString();
//jbonilla - El URL del CRL para el BCE está en la tercera posición y solo se puede acceder desde HTTP.
string urlCrl = derStr.GetString();
if (urlCrl.ToUpperInvariant().StartsWith("HTTP") && urlCrl.ToUpperInvariant().Contains("CRL"))
{
return(derStr.GetString());
}
}
}
} catch {
}
return(null);
}
private void checkValues(
IssuingDistributionPoint point,
DistributionPointName distributionPoint,
bool onlyContainsUserCerts,
bool onlyContainsCACerts,
ReasonFlags onlySomeReasons,
bool indirectCRL,
bool onlyContainsAttributeCerts)
{
if (point.OnlyContainsUserCerts != onlyContainsUserCerts)
{
Fail("mismatch on onlyContainsUserCerts");
}
if (point.OnlyContainsCACerts != onlyContainsCACerts)
{
Fail("mismatch on onlyContainsCACerts");
}
if (point.IsIndirectCrl != indirectCRL)
{
Fail("mismatch on indirectCRL");
}
if (point.OnlyContainsAttributeCerts != onlyContainsAttributeCerts)
{
Fail("mismatch on onlyContainsAttributeCerts");
}
if (!isEquiv(onlySomeReasons, point.OnlySomeReasons))
{
Fail("mismatch on onlySomeReasons");
}
if (!isEquiv(distributionPoint, point.DistributionPoint))
{
Fail("mismatch on distributionPoint");
}
}
public override void PerformTest()
{
DistributionPointName name = new DistributionPointName(
new GeneralNames(new GeneralName(new X509Name("cn=test"))));
ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.CACompromise);
checkPoint(6, name, true, true, reasonFlags, true, true);
checkPoint(2, name, false, false, reasonFlags, false, false);
checkPoint(0, null, false, false, null, false, false);
try
{
IssuingDistributionPoint.GetInstance(new object());
Fail("GetInstance() failed to detect bad object.");
}
catch (ArgumentException)
{
// expected
}
}
private IssuingDistributionPoint(Asn1Sequence seq)
{
this.seq = seq;
for (int i = 0; i != seq.Count; i++)
{
Asn1TaggedObject instance = Asn1TaggedObject.GetInstance(seq[i]);
switch (instance.TagNo)
{
case 0:
_distributionPoint = DistributionPointName.GetInstance(instance, explicitly: true);
break;
case 1:
_onlyContainsUserCerts = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue;
break;
case 2:
_onlyContainsCACerts = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue;
break;
case 3:
_onlySomeReasons = new ReasonFlags(DerBitString.GetInstance(instance, isExplicit: false));
break;
case 4:
_indirectCRL = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue;
break;
case 5:
_onlyContainsAttributeCerts = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue;
break;
default:
throw new ArgumentException("unknown tag in IssuingDistributionPoint");
}
}
}
public IssuingDistributionPoint(DistributionPointName distributionPoint, bool onlyContainsUserCerts, bool onlyContainsCACerts, ReasonFlags onlySomeReasons, bool indirectCRL, bool onlyContainsAttributeCerts)
{
_distributionPoint = distributionPoint;
_indirectCRL = indirectCRL;
_onlyContainsAttributeCerts = onlyContainsAttributeCerts;
_onlyContainsCACerts = onlyContainsCACerts;
_onlyContainsUserCerts = onlyContainsUserCerts;
_onlySomeReasons = onlySomeReasons;
Asn1EncodableVector asn1EncodableVector = new Asn1EncodableVector();
if (distributionPoint != null)
{
asn1EncodableVector.Add(new DerTaggedObject(explicitly: true, 0, distributionPoint));
}
if (onlyContainsUserCerts)
{
asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 1, DerBoolean.True));
}
if (onlyContainsCACerts)
{
asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 2, DerBoolean.True));
}
if (onlySomeReasons != null)
{
asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 3, onlySomeReasons));
}
if (indirectCRL)
{
asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 4, DerBoolean.True));
}
if (onlyContainsAttributeCerts)
{
asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 5, DerBoolean.True));
}
seq = new DerSequence(asn1EncodableVector);
}
private void checkPoint(
int size,
DistributionPointName distributionPoint,
bool onlyContainsUserCerts,
bool onlyContainsCACerts,
ReasonFlags onlySomeReasons,
bool indirectCRL,
bool onlyContainsAttributeCerts)
{
IssuingDistributionPoint point = new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
checkValues(point, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
Asn1Sequence seq = Asn1Sequence.GetInstance(Asn1Object.FromByteArray(point.GetEncoded()));
if (seq.Count != size)
{
Fail("size mismatch");
}
point = IssuingDistributionPoint.GetInstance(seq);
checkValues(point, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
}
protected void ApplyCrlExtension(
X509V3CertificateGenerator certGen,
string crlLink
)
{
if (string.IsNullOrEmpty(crlLink))
{
return;
}
var distPointOne =
new DistributionPointName(
new GeneralNames(new GeneralName(GeneralName.UniformResourceIdentifier, crlLink)));
var distPoints = new DistributionPoint[1];
distPoints[0] = new DistributionPoint(distPointOne, null, null);
certGen.AddExtension(
X509Extensions.CrlDistributionPoints,
false,
new CrlDistPoint(distPoints)
);
}
private static X509Certificate2 GenerateCertificate(
string subjectName,
Action <TestCertificateGenerator> modifyGenerator,
RSA rsa,
NuGet.Common.HashAlgorithmName hashAlgorithm,
RSASignaturePaddingMode paddingMode,
ChainCertificateRequest chainCertificateRequest)
{
if (string.IsNullOrEmpty(subjectName))
{
subjectName = "NuGetTest";
}
// Create cert
var subjectDN = $"CN={subjectName}";
var certGen = new TestCertificateGenerator();
var isSelfSigned = true;
X509Certificate2 issuer = null;
DateTimeOffset? notAfter = null;
var keyUsage = X509KeyUsageFlags.DigitalSignature;
if (chainCertificateRequest == null)
{
// Self-signed certificates should have this flag set.
keyUsage |= X509KeyUsageFlags.KeyCertSign;
}
else
{
if (chainCertificateRequest.Issuer != null)
{
isSelfSigned = false;
// for a certificate with an issuer assign Authority Key Identifier
issuer = chainCertificateRequest?.Issuer;
notAfter = issuer.NotAfter.Subtract(TimeSpan.FromMinutes(5));
var publicKey = DotNetUtilities.GetRsaPublicKey(issuer.GetRSAPublicKey());
certGen.Extensions.Add(
new X509Extension(
Oids.AuthorityKeyIdentifier,
new AuthorityKeyIdentifierStructure(publicKey).GetEncoded(),
critical: false));
}
if (chainCertificateRequest.ConfigureCrl)
{
// for a certificate in a chain create CRL distribution point extension
var issuerDN = chainCertificateRequest?.Issuer?.Subject ?? subjectDN;
var crlServerUri = $"{chainCertificateRequest.CrlServerBaseUri}{issuerDN}.crl";
var generalName = new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.UniformResourceIdentifier, new DerIA5String(crlServerUri));
var distPointName = new DistributionPointName(new GeneralNames(generalName));
var distPoint = new DistributionPoint(distPointName, null, null);
certGen.Extensions.Add(
new X509Extension(
TestOids.CrlDistributionPoints,
new DerSequence(distPoint).GetDerEncoded(),
critical: false));
}
if (chainCertificateRequest.IsCA)
{
// update key usage with CA cert sign and crl sign attributes
keyUsage |= X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign;
}
}
var padding = paddingMode.ToPadding();
var request = new CertificateRequest(subjectDN, rsa, hashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(), padding);
bool isCa = isSelfSigned ? true : (chainCertificateRequest?.IsCA ?? false);
certGen.NotAfter = notAfter ?? DateTime.UtcNow.Add(TimeSpan.FromMinutes(30));
certGen.NotBefore = DateTime.UtcNow.Subtract(TimeSpan.FromMinutes(30));
var random = new Random();
var serial = random.Next();
var serialNumber = BitConverter.GetBytes(serial);
Array.Reverse(serialNumber);
certGen.SetSerialNumber(serialNumber);
certGen.Extensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, critical: false));
certGen.Extensions.Add(
new X509KeyUsageExtension(keyUsage, critical: false));
certGen.Extensions.Add(
new X509BasicConstraintsExtension(certificateAuthority: isCa, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true));
// Allow changes
modifyGenerator?.Invoke(certGen);
foreach (var extension in certGen.Extensions)
{
request.CertificateExtensions.Add(extension);
}
X509Certificate2 certResult;
if (isSelfSigned)
{
certResult = request.CreateSelfSigned(certGen.NotBefore, certGen.NotAfter);
}
else
{
using (var temp = request.Create(issuer, certGen.NotBefore, certGen.NotAfter, certGen.SerialNumber))
{
certResult = temp.CopyWithPrivateKey(rsa);
}
}
return(new X509Certificate2(certResult.Export(X509ContentType.Pkcs12), password: (string)null, keyStorageFlags: X509KeyStorageFlags.Exportable));
}
/// <summary>Gives back the CRL URI meta-data found within the given X509 certificate.
/// </summary>
/// <remarks>Gives back the CRL URI meta-data found within the given X509 certificate.
/// </remarks>
/// <param name="certificate">the X509 certificate.</param>
/// <returns>the CRL URI, or <code>null</code> if the extension is not present.</returns>
/// <exception cref="System.UriFormatException">System.UriFormatException</exception>
public virtual string GetCrlUri(X509Certificate certificate)
{
//byte[] crlDistributionPointsValue = certificate.GetExtensionValue(X509Extensions.
// CrlDistributionPoints);
Asn1OctetString crlDistributionPointsValue = certificate.GetExtensionValue(X509Extensions.
CrlDistributionPoints);
if (null == crlDistributionPointsValue)
{
return(null);
}
Asn1Sequence seq;
try
{
DerOctetString oct;
//oct = (DEROctetString)(new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointsValue
// )).ReadObject());
oct = (DerOctetString)crlDistributionPointsValue;
seq = (Asn1Sequence) new Asn1InputStream(oct.GetOctets()).ReadObject();
}
catch (IOException e)
{
throw new RuntimeException("IO error: " + e.Message, e);
}
CrlDistPoint distPoint = CrlDistPoint.GetInstance(seq);
DistributionPoint[] distributionPoints = distPoint.GetDistributionPoints();
foreach (DistributionPoint distributionPoint in distributionPoints)
{
DistributionPointName distributionPointName = distributionPoint.DistributionPointName;
if (DistributionPointName.FullName != distributionPointName.PointType)
{
continue;
}
GeneralNames generalNames = (GeneralNames)distributionPointName.Name;
GeneralName[] names = generalNames.GetNames();
foreach (GeneralName name in names)
{
if (name.TagNo != GeneralName.UniformResourceIdentifier)
{
LOG.Info("not a uniform resource identifier");
continue;
}
string str = null;
if (name.ToAsn1Object() is DerTaggedObject)
{
DerTaggedObject taggedObject = (DerTaggedObject)name.ToAsn1Object();
DerIA5String derStr = DerIA5String.GetInstance(taggedObject.GetObject());
str = derStr.GetString();
}
else
{
DerIA5String derStr = DerIA5String.GetInstance(name.ToAsn1Object());
str = derStr.GetString();
}
if (str != null && (str.StartsWith("http://") || str.StartsWith("https://")) &&
str.ToUpperInvariant().Contains("CRL")) //jbonilla - El URL del CRL para el BCE está en la tercera posición y solo se puede acceder desde HTTP.
{
return(str);
}
else
{
LOG.Info("Supports only http:// and https:// protocol for CRL");
}
}
}
//jbonilla
#region BCE
if (certificate.SubjectDN.ToString()
.Contains("AC BANCO CENTRAL DEL ECUADOR"))
{
return(this.IntermediateAcUrl);
}
#endregion
return(null);
}
/// <summary>
/// Create a self signed certificate with bouncy castle.
/// </summary>
public static X509Certificate2 GenerateCertificate(
string subjectName,
Action <X509V3CertificateGenerator> modifyGenerator,
string signatureAlgorithm = "SHA256WITHRSA",
int publicKeyLength = 2048,
ChainCertificateRequest chainCertificateRequest = null)
{
if (string.IsNullOrEmpty(subjectName))
{
subjectName = "NuGetTest";
}
var random = new SecureRandom();
var keyPair = GenerateKeyPair(publicKeyLength);
// Create cert
var subjectDN = $"CN={subjectName}";
var certGen = new X509V3CertificateGenerator();
certGen.SetSubjectDN(new X509Name(subjectDN));
// default to new key pair
var issuerPrivateKey = keyPair.Private;
var keyUsage = KeyUsage.DigitalSignature;
var issuerDN = chainCertificateRequest?.IssuerDN ?? subjectDN;
certGen.SetIssuerDN(new X509Name(issuerDN));
#if IS_DESKTOP
if (chainCertificateRequest != null)
{
if (chainCertificateRequest.Issuer != null)
{
// for a certificate with an issuer assign Authority Key Identifier
var issuer = chainCertificateRequest?.Issuer;
var bcIssuer = DotNetUtilities.FromX509Certificate(issuer);
var authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(bcIssuer);
issuerPrivateKey = DotNetUtilities.GetKeyPair(issuer.PrivateKey).Private;
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, authorityKeyIdentifier);
}
if (chainCertificateRequest.ConfigureCrl)
{
// for a certificate in a chain create CRL distribution point extension
var crlServerUri = $"{chainCertificateRequest.CrlServerBaseUri}{issuerDN}.crl";
var generalName = new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.UniformResourceIdentifier, new DerIA5String(crlServerUri));
var distPointName = new DistributionPointName(new GeneralNames(generalName));
var distPoint = new DistributionPoint(distPointName, null, null);
certGen.AddExtension(X509Extensions.CrlDistributionPoints, critical: false, extensionValue: new DerSequence(distPoint));
}
if (chainCertificateRequest.IsCA)
{
// update key usage with CA cert sign and crl sign attributes
keyUsage |= KeyUsage.CrlSign | KeyUsage.KeyCertSign;
}
}
#endif
certGen.SetNotAfter(DateTime.UtcNow.Add(TimeSpan.FromHours(1)));
certGen.SetNotBefore(DateTime.UtcNow.Subtract(TimeSpan.FromHours(1)));
certGen.SetPublicKey(keyPair.Public);
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
certGen.SetSerialNumber(serialNumber);
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
certGen.AddExtension(X509Extensions.KeyUsage.Id, false, new KeyUsage(keyUsage));
certGen.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(chainCertificateRequest?.IsCA ?? false));
// Allow changes
modifyGenerator?.Invoke(certGen);
var signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, issuerPrivateKey, random);
var certificate = certGen.Generate(signatureFactory);
var certResult = new X509Certificate2(certificate.GetEncoded());
#if IS_DESKTOP
certResult.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
#endif
return(certResult);
}
static void Main(string[] args)
{
PolicyInformation[] certPolicies = new PolicyInformation[2];
certPolicies[0] = new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.2.1.11.5"));
certPolicies[1] = new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.2.1.11.18"));
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
//serial
var serialNumber =
BigIntegers.CreateRandomInRange(
BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// sig alg
const string signatureAlgorithm = "SHA1WithRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
// Subjects
// Time x = new Time();
var subjectDN = new X509Name("CN=localhost, O=Arsslensoft, C=TN,surname=Idadi,givenname=Arsslen, uniqueidentifier=15002060,businesscategory=Production,initials=Hello, gender=male, placeofbirth=El Manar, pseudonym=Arsslinko, postaladdress=2076, countryofcitizenship=TN, countryofresidence=TN,telephonenumber=53299093");
var issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Validity
var notBefore = DateTime.UtcNow.Date.Subtract(new TimeSpan(5, 0, 0));
var notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// PKEY
const int strength = 512;
var keyGenerationParameters = new KeyGenerationParameters(random, strength);
// var x= new Al.Security.Crypto.Generators.DsaKeyPairGenerator();
// X9ECParameters ecP = NistNamedCurves.GetByName("B-571");
// ECDomainParameters ecSpec = new ECDomainParameters(ecP.Curve, ecP.G, ecP.N, ecP.H, ecP.GetSeed());
// ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator("ECDSA");
// //ECPA par = new DsaParametersGenerator();
// //par.Init(2048, 100, random);
// //ECKeyGenerationParameters pa = new ECKeyGenerationParameters(random, par.GenerateParameters());
//// var keyPairGenerator = new DHKeyPairGenerator();
// //DsaParametersGenerator par = new DsaParametersGenerator();
// //par.Init(2048, 100, random);
// //DsaKeyGenerationParameters pa = new DsaKeyGenerationParameters(random, par.GenerateParameters());
// // keyPairGenerator.Init(pa);
// keyPairGenerator.Init(new ECKeyGenerationParameters(ecSpec, new SecureRandom()));
//var keyPairGenerator = new DsaKeyPairGenerator();
//DsaParametersGenerator par = new DsaParametersGenerator();
//par.Init(1024, 100, random);
//DsaKeyGenerationParameters pa = new DsaKeyGenerationParameters(random, par.GenerateParameters());
//keyPairGenerator.Init(pa);
// KeyPair = keyPairGenerator.GenerateKeyPair();
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
StreamReader str = new StreamReader("D:\\test.key");
PemReader pem = new PemReader(str);
AsymmetricCipherKeyPair keypair = (AsymmetricCipherKeyPair)pem.ReadObject();
var subjectKeyPair = keypair;
str.Close();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// ext
X509Extensions
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
new SubjectKeyIdentifierStructure(subjectKeyPair.Public));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(subjectKeyPair.Public));
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false));
// key usage
certificateGenerator.AddExtension(
X509Extensions.KeyUsage,
true,
new KeyUsage(KeyUsage.KeyAgreement | KeyUsage.DataEncipherment | KeyUsage.DigitalSignature));
// extended key usage
var usages = new[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth };
ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(usages);
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, extendedKeyUsage);
// Test Policy
DerSequence seq = CreatePolicyInformationsSequence("http://www.arsslensoft.com", "Arsslensoft", "1.3.6.1.4.1.23823.1.1.1", "Test Notice");
// certificateGenerator.AddExtension(X509Extensions.CertificatePolicies, false, new DerSequence(certPolicies));
// Authority access
List <GeneralSubtree> ees = new List <GeneralSubtree>();
ees.Add(new GeneralSubtree(new GeneralName(GeneralName.UniformResourceIdentifier, "http://www.google.com")));
certificateGenerator.AddExtension(X509Extensions.NameConstraints, true, new NameConstraints(null, ees));
certificateGenerator.AddExtension(X509Extensions.NetscapeComment, true, new DerVisibleString("NS COMMENT"));
certificateGenerator.AddExtension(X509Extensions.NetscapeBaseUrl, true, new DerIA5String("http://www.google.com"));
certificateGenerator.AddExtension(X509Extensions.InhibitAnyPolicy, true, new DerInteger(12));
// Policy constraints
byte inhibit = 12;
byte explicitc = 12;
// certificateGenerator.AddExtension(X509Extensions.PolicyConstraints, false, new DerOctetSequence(new byte[] { 128, 1, explicitc, 129, 1, inhibit }));
certificateGenerator.AddExtension(X509Extensions.NetscapeCertUsage, false, new KeyUsage(KeyUsage.KeyAgreement));
certificateGenerator.AddExtension(X509Extensions.AuthorityInfoAccess, false, CreateAuthorityAccessInformationSequence("http://www.arsslensoft.com", null));
// Subhect Issuer Alternative name
GeneralName altName = new GeneralName(GeneralName.DnsName, "localhost");
GeneralNames subjectAltName = new GeneralNames(altName);
certificateGenerator.AddExtension(X509Extensions.IssuerAlternativeName, false, subjectAltName);
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
// certificateGenerator.AddExtension(new DerObjectIdentifier("2.16.840.1.11730.29.53"), false, subjectAltName);
//
GeneralNames s;
//CRL Distribution Points
DistributionPointName distPointOne = new DistributionPointName(new GeneralNames(
new GeneralName(GeneralName.UniformResourceIdentifier, "http://crl.somewebsite.com/master.crl")));
GeneralNames gns = new GeneralNames(new GeneralName[] {
new GeneralName(GeneralName.UniformResourceIdentifier, "ldap://crl.somewebsite.com/cn%3dSecureCA%2cou%3dPKI%2co%3dCyberdyne%2cc%3dUS?certificaterevocationlist;binary"), new GeneralName(GeneralName.Rfc822Name, "Arslen")
});
DistributionPointName distPointTwo = new DistributionPointName(gns);
DistributionPoint[] distPoints = new DistributionPoint[2];
distPoints[0] = new DistributionPoint(distPointOne, null, null);
distPoints[1] = new DistributionPoint(distPointTwo, null, gns);
IssuingDistributionPoint iss = new IssuingDistributionPoint(distPointOne, false, true, null, false, false);
certificateGenerator.AddExtension(X509Extensions.IssuingDistributionPoint, false, iss);
certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(distPoints));
// Biometric
Asn1EncodableVector v = new Asn1EncodableVector();
BiometricData bdat = new BiometricData(new TypeOfBiometricData(TypeOfBiometricData.HandwrittenSignature), new AlgorithmIdentifier(new DerObjectIdentifier("1.3.14.3.2.26")), new DerOctetString(new byte[] { 169, 74, 143, 229, 204, 177, 155, 166, 28, 76, 8, 115, 211, 145, 233, 135, 152, 47, 187, 211 }), new DerIA5String("http://www.google.com"));
v.Add(bdat);
v.Add(new BiometricData(new TypeOfBiometricData(TypeOfBiometricData.HandwrittenSignature), new AlgorithmIdentifier(new DerObjectIdentifier("1.3.14.3.2.26")), new DerOctetString(new byte[] { 169, 74, 143, 229, 204, 177, 155, 166, 28, 76, 8, 115, 211, 145, 233, 135, 152, 47, 187, 211 }), new DerIA5String("http://www.google.co")));
certificateGenerator.AddExtension(X509Extensions.BiometricInfo, false, new DerSequenceOf(v));
QCStatement st = new QCStatement(Rfc3739QCObjectIdentifiers.IdQcs);
certificateGenerator.AddExtension(X509Extensions.QCStatements, false, st);
//Al.Security.Pkcs.Pkcs10CertificationRequest c = new Al.Security.Pkcs.Pkcs10CertificationRequest(
//certificateGenerator.AddExtension(X509Extensions.ReasonCode, false, ce);
// test done
certificateGenerator.AddExtension(X509Extensions.SubjectInfoAccess, false, CreateAuthorityAccessInformationSequence("http://www.arsslensoft.com", null));
//// 2
//TargetInformation ti = new Al.Security.Asn1.X509.TargetInformation(new Target[] { new Target(Target.Choice.Name, new GeneralName(GeneralName.UniformResourceIdentifier, "http://www.go.com")) });
//certificateGenerator.AddExtension(X509Extensions.TargetInformation, false, new DerSequence(ti));
// 3
PrivateKeyUsagePeriod kup = new PrivateKeyUsagePeriod(DateTime.Now, DateTime.Now.AddYears(2));
certificateGenerator.AddExtension(X509Extensions.PrivateKeyUsagePeriod, false, new DerSequence(kup));
//generate
var issuerKeyPair = subjectKeyPair;
var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
StreamWriter wstr = new StreamWriter(Path.ChangeExtension("D:\\test.crt", ".pem"), false);
PemWriter pemWriter = new PemWriter(wstr);
pemWriter.WriteObject(certificate);
pemWriter.WriteObject(issuerKeyPair.Private);
wstr.Flush();
wstr.Close();
// System.Security.Cryptography.X509Certificates.X509Certificate x509_ = DotNetUtilities.ToX509Certificate(certificate.CertificateStructure);
//File.WriteAllBytes(@"D:\\test.crt", x509_.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12));
}
