public void CanAddExtensions()
{
var extList = new List <X509V3ExtensionValue> {
new X509V3ExtensionValue("subjectKeyIdentifier", false, "hash"),
new X509V3ExtensionValue("authorityKeyIdentifier", false, "keyid:always,issuer:always"),
new X509V3ExtensionValue("basicConstraints", true, "critical,CA:true"),
new X509V3ExtensionValue("keyUsage", false, "cRLSign,keyCertSign"),
};
var start = DateTime.Now;
var end = start + TimeSpan.FromMinutes(10);
using (var key = new CryptoKey(new DSA(true)))
using (var cert = new X509Certificate(101, "CN=Root", "CN=Root", key, start, end))
{
foreach (var extValue in extList)
{
using (var ext = new X509Extension(cert, cert, extValue.Name, extValue.IsCritical, extValue.Value))
{
cert.AddExtension(ext);
}
}
foreach (var ext in cert.Extensions)
{
Console.WriteLine(ext);
}
Assert.AreEqual(extList.Count, cert.Extensions.Count);
}
}
public void CanAddExtensions()
{
X509V3ExtensionList extList = new X509V3ExtensionList();
extList.Add(new X509V3ExtensionValue("subjectKeyIdentifier", false, "hash"));
extList.Add(new X509V3ExtensionValue("authorityKeyIdentifier", false, "keyid:always,issuer:always"));
extList.Add(new X509V3ExtensionValue("basicConstraints", true, "critical,CA:true"));
extList.Add(new X509V3ExtensionValue("keyUsage", false, "cRLSign,keyCertSign"));
DateTime start = DateTime.Now;
DateTime end = start + TimeSpan.FromMinutes(10);
CryptoKey key = new CryptoKey(new DSA(true));
using (X509Certificate cert = new X509Certificate(101, "CN=Root", "CN=Root", key, start, end)) {
foreach (X509V3ExtensionValue extValue in extList) {
using (X509Extension ext = new X509Extension(cert, cert, extValue.Name, extValue.IsCritical, extValue.Value)) {
cert.AddExtension(ext);
}
}
foreach (X509Extension ext in cert.Extensions) {
Console.WriteLine(ext);
}
Assert.AreEqual(extList.Count, cert.Extensions.Count);
}
}
public FileInfo SignCertFromRequest(Byte[] requestData, Boolean ca)
{
FileInfo file = null;
using (BIO bio = new BIO(requestData))
using (X509Request request = new X509Request(bio))
{
file = new FileInfo(Path.Combine(certDir.FullName, request.Subject.Common + ".cer"));
using (X509Certificate certificate = RootCA.ProcessRequest(request, DateTime.Now.AddHours(-24), DateTime.Now + TimeSpan.FromDays(365), MessageDigest.SHA1))
{
if (ca)
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "basicConstraints", true, "CA:true"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "keyUsage", true, "critical, cRLSign, keyCertSign, digitalSignature"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "certificatePolicies", true, "2.5.29.32.0"));
}
else
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "basicConstraints", true, "CA:false"));
}
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "issuerAltName", true, "issuer:copy"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "nsComment", true, "IAM Tester Generated Certificate"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectKeyIdentifier", true, "hash"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "authorityKeyIdentifier", true, "keyid,issuer:always"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectAltName", true, "DNS:" + request.Subject.Common));
certificate.Sign(RootCA.Key, MessageDigest.SHA1);
using (FileStream fs = new FileStream(file.FullName, FileMode.Create, FileAccess.ReadWrite))
using (BinaryWriter bw = new BinaryWriter(fs))
using (BIO bio2 = BIO.MemoryBuffer())
{
certificate.Write(bio2);
Byte[] certData = bio2.ReadBytes((Int32)bio2.NumberWritten).Array;
bw.Write(certData);
bw.Close();
}
//Para atualizar com o tamanho e outros dados do arquivo
file = new FileInfo(file.FullName);
}
}
return(file);
}
/// <summary>
/// Factory method that creates a X509CertificateAuthority instance with
/// an internal self signed certificate. This method allows creation without
/// the need for the Configuration file, X509V3Extensions may be added
/// with the X509V3ExtensionList parameter
/// </summary>
/// <param name="seq"></param>
/// <param name="key"></param>
/// <param name="digest"></param>
/// <param name="subject"></param>
/// <param name="start"></param>
/// <param name="validity"></param>
/// <param name="extensions"></param>
/// <returns></returns>
public static X509CertificateAuthority SelfSigned(
ISequenceNumber seq,
CryptoKey key,
MessageDigest digest,
X509Name subject,
DateTime start,
TimeSpan validity,
IEnumerable<X509V3ExtensionValue> extensions)
{
var cert = new X509Certificate(
seq.Next(),
subject,
subject,
key,
start,
start + validity);
if (extensions != null)
{
foreach (var extValue in extensions)
{
using (var ext = new X509Extension(cert, cert, extValue.Name, extValue.IsCritical, extValue.Value))
{
cert.AddExtension(ext);
}
}
}
cert.Sign(key, digest);
return new X509CertificateAuthority(cert, key, seq);
}
/// <summary>
/// Factory method that creates a X509CertificateAuthority instance with
/// an internal self signed certificate. This method allows creation without
/// the need for the Configuration file, X509V3Extensions may be added
/// with the X509V3ExtensionList parameter
/// </summary>
/// <param name="seq"></param>
/// <param name="key"></param>
/// <param name="digest"></param>
/// <param name="subject"></param>
/// <param name="start"></param>
/// <param name="validity"></param>
/// <param name="extensions"></param>
/// <returns></returns>
public static X509CertificateAuthority SelfSigned(
ISequenceNumber seq,
CryptoKey key,
MessageDigest digest,
X509Name subject,
DateTime start,
TimeSpan validity,
X509V3ExtensionList extensions)
{
X509Certificate cert = new X509Certificate(
seq.Next(),
subject,
subject,
key,
start,
start + validity);
if (null != extensions)
{
foreach (X509V3ExtensionValue extValue in extensions)
{
X509Extension ext = new X509Extension(cert, cert, extValue.Name, extValue.IsCritical, extValue.Value);
cert.AddExtension(ext);
}
}
cert.Sign(key, digest);
return new X509CertificateAuthority(cert, key, seq, null);
}
public String SignCert(X509Name Name, Boolean ca, subjectAltName altNames, Boolean saveFile, DateTime?expirationDate)
{
String certData = "";
FileInfo file = new FileInfo(Path.Combine(certDir.FullName, Name.Common + ".pfx"));
using (CryptoKey key = CreateNewRSAKey(4096))
{
int version = 2; // Version 2 is X.509 Version 3
using (X509Request request = new X509Request(version, Name, key))
using (X509Certificate certificate = RootCA.ProcessRequest(request, DateTime.Now.AddHours(-24), (expirationDate.HasValue ? expirationDate.Value : DateTime.Now + TimeSpan.FromDays(365)), MessageDigest.SHA1))
{
if (ca)
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "basicConstraints", true, "CA:true"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "keyUsage", true, "critical, cRLSign, keyCertSign, digitalSignature"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "certificatePolicies", true, "2.5.29.32.0"));
}
else
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "basicConstraints", true, "CA:false"));
}
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "issuerAltName", true, "issuer:copy"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "nsComment", true, "SafeID - IAM Generated Certificate"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectKeyIdentifier", true, "hash"));
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "authorityKeyIdentifier", true, "keyid,issuer:always"));
//certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectAltName", true, "DNS:" + Name.Common));
if (altNames != null)
{
foreach (Uri u in altNames.Uri)
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectAltName", true, "URI:" + u.AbsoluteUri.ToLower()));
}
foreach (String m in altNames.Mail)
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectAltName", true, "email:" + m));
}
foreach (String s in altNames.Dns)
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectAltName", true, "DNS:" + s));
}
foreach (String s in altNames.Text)
{
certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "subjectAltName", true, "otherName:1.2.3.4;UTF8:" + s));
}
}
/*
* subjectAltName=email:copy,email:[email protected],URI:http://my.url.here/
* subjectAltName=IP:192.168.7.1
* subjectAltName=IP:13::17
* subjectAltName=email:[email protected],RID:1.2.3.4
* subjectAltName=otherName:1.2.3.4;UTF8:some other identifier*/
//certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "keyUsage", true, "nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, encipherOnly, decipherOnly, keyAgreement"));
//certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "extendedKeyUsage", true, "clientAuth"));
//certificate.AddExtension(new X509Extension(RootCA.Certificate, certificate, "crlDistributionPoints", true, "URI:http://ok/certEnroll/ok-ca.crl"));
certificate.Sign(RootCA.Key, MessageDigest.SHA1);
if (saveFile)
{
certData = BuildPKCS12AndSave(file.FullName, this.signedPassword, key, certificate);
}
else
{
certData = BuildPKCS12(this.signedPassword, key, certificate);
}
}
}
return(certData);
}