 /// <summary>
 /// Puts the fixture back into its pristine state: the shared certificate and CRL
 /// generators are cleared, the cached authority certificate is dropped and the
 /// initialised flag is lowered.
 /// </summary>
 public void Reset()
 {
     _isInitialized        = false;
     _authorityCertificate = null;

     // Clear whatever subject/serial/extension state the shared generators still
     // hold so it cannot bleed into the next certificate or CRL.
     s_crlGenerator.Reset();
     s_certGenerator.Reset();
 }
        /// <summary>
        /// Builds the intermediate CA certificate for the policy-mapping test: issued by the
        /// trust anchor, carrying the supplied certificate policies and policy mappings (both
        /// critical) and flagged as a CA through a critical BasicConstraints extension.
        /// </summary>
        /// <param name="pubKey">Public key placed in the intermediate certificate.</param>
        /// <param name="caPrivKey">Trust-anchor private key used to sign.</param>
        /// <param name="caPubKey">Trust-anchor public key; not referenced by this method.</param>
        /// <param name="policies">Entries wrapped into the CertificatePolicies extension.</param>
        /// <param name="policyMap">Issuer-to-subject policy mapping for the PolicyMappings extension.</param>
        /// <returns>The signed intermediate certificate.</returns>
        private X509Certificate CreateIntmedCert(
            AsymmetricKeyParameter pubKey,
            AsymmetricKeyParameter caPrivKey,
            AsymmetricKeyParameter caPubKey,
            Asn1EncodableVector policies,
            Hashtable policyMap)
        {
            const string trustAnchorDn  = "C=JP, O=policyMappingAdditionalTest, OU=trustAnchor";
            const string intermediateDn = "C=JP, O=policyMappingAdditionalTest, OU=intmedCA";

            v3CertGen.Reset();
            v3CertGen.SetSerialNumber(BigInteger.ValueOf(20));
            v3CertGen.SetIssuerDN(new X509Name(trustAnchorDn));
            v3CertGen.SetSubjectDN(new X509Name(intermediateDn));
            // A +/- 30 day window around "now" keeps the fixture valid whenever the test runs.
            v3CertGen.SetNotBefore(DateTime.UtcNow.AddDays(-30));
            v3CertGen.SetNotAfter(DateTime.UtcNow.AddDays(30));
            v3CertGen.SetPublicKey(pubKey);
            // SHA-1 is adequate for an in-memory test fixture only; real issuance needs SHA-2.
            v3CertGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");

            v3CertGen.AddExtension(X509Extensions.CertificatePolicies, true, new DerSequence(policies));
            v3CertGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
            v3CertGen.AddExtension(X509Extensions.PolicyMappings, true, new PolicyMappings(policyMap));

            return v3CertGen.Generate(caPrivKey);
        }
        /// <summary>
        /// Issues a v3 certificate for <paramref name="_subKP"/> signed by <paramref name="_issKP"/>,
        /// valid for 100 days from now, with SubjectKeyIdentifier, AuthorityKeyIdentifier and
        /// BasicConstraints extensions. The result is validity-checked and signature-verified
        /// against the issuer public key before it is returned.
        /// </summary>
        /// <param name="_subKP">Subject key pair; only its public half goes into the certificate.</param>
        /// <param name="_subDN">Subject distinguished name.</param>
        /// <param name="_issKP">Issuer key pair; the private half signs, the public half feeds the AKI and verification.</param>
        /// <param name="_issDN">Issuer distinguished name.</param>
        /// <param name="algorithm">Signature algorithm name handed to the generator.</param>
        /// <param name="_ca">Whether BasicConstraints marks the subject as a CA.</param>
        /// <returns>The generated, verified certificate.</returns>
        public static X509Certificate MakeCertificate(IAsymmetricCipherKeyPair _subKP,
                                                      string _subDN, IAsymmetricCipherKeyPair _issKP, string _issDN, string algorithm, bool _ca)
        {
            IAsymmetricKeyParameter subjectPublic = _subKP.Public;
            IAsymmetricKeyParameter issuerPrivate = _issKP.Private;
            IAsymmetricKeyParameter issuerPublic  = _issKP.Public;

            var generator = new X509V3CertificateGenerator();
            generator.Reset();

            generator.SetSerialNumber(allocateSerialNumber());
            generator.SetIssuerDN(new X509Name(_issDN));
            generator.SetSubjectDN(new X509Name(_subDN));
            generator.SetNotBefore(DateTime.UtcNow);
            generator.SetNotAfter(DateTime.UtcNow.AddDays(100));
            generator.SetPublicKey(subjectPublic);
            generator.SetSignatureAlgorithm(algorithm);

            generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublic));
            generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublic));
            // Added non-critical here; RFC 5280 requires BasicConstraints to be critical in CA certificates.
            generator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(_ca));

            var cert = generator.Generate(issuerPrivate);

            // Fail fast if the generator produced something the issuer key cannot vouch for.
            cert.CheckValidity(DateTime.UtcNow);
            cert.Verify(issuerPublic);

            return cert;
        }
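 /// <summary>
 /// Signs a PEM-encoded PKCS#10 request with the root key and returns the DER-encoded
 /// certificate. Subject and public key come from the request; issuer, validity, serial
 /// number and the KeyUsage / ExtendedKeyUsage extensions come from this object's settings.
 /// </summary>
 /// <param name="CSR">PEM text of a PKCS#10 certification request (untrusted input).</param>
 /// <param name="rootKeyPair">Issuer key pair: the private half signs, the public half feeds the AKI and verifies the result.</param>
 /// <param name="rootSubject">Issuer name written into the certificate.</param>
 /// <returns>The DER encoding of the signed certificate.</returns>
 /// <exception cref="ArgumentException">The PEM text does not contain a PKCS#10 request.</exception>
 private byte[] MakeCertificateFromCSR(string CSR, AsymmetricCipherKeyPair rootKeyPair, X509Name rootSubject)
 {
     // Only the subject name and public key are taken from the request; any extensions
     // the requester may have asked for are ignored, so the CA's own policy always wins.
     var request = new PemReader(new StringReader(CSR)).ReadObject() as Pkcs10CertificationRequest;
     if (request == null)
     {
         throw new ArgumentException("The PEM input is not a PKCS#10 certification request.", nameof(CSR));
     }

     AsymmetricKeyParameter issuerPrivate = rootKeyPair.Private;
     AsymmetricKeyParameter issuerPublic  = rootKeyPair.Public;
     AsymmetricKeyParameter subjectPublic = request.GetPublicKey();

     var generator = new X509V3CertificateGenerator();
     generator.Reset();

     // long.MinValue is the "not configured" sentinel for SerialNumber. When it is unset,
     // draw a 128-bit serial from the CSPRNG already used for signing: serials must be
     // unpredictable, and a time-seeded System.Random makes them guessable.
     if (this.SerialNumber != long.MinValue)
     {
         generator.SetSerialNumber(BigInteger.ValueOf(this.SerialNumber));
     }
     else
     {
         generator.SetSerialNumber(new BigInteger(128, this.GetSecureRandom()));
     }

     generator.SetIssuerDN(rootSubject);
     generator.SetSubjectDN(request.GetCertificationRequestInfo().Subject);
     generator.SetNotBefore(this.ValidFrom.ToUniversalTime());
     generator.SetNotAfter(this.ValidTo.ToUniversalTime());
     generator.SetPublicKey(subjectPublic);
     // The configured algorithm name gets the "Encryption" suffix Bouncy Castle expects
     // (presumably yielding names such as SHA256WithRSAEncryption).
     generator.SetSignatureAlgorithm(string.Concat(this.SignatureAlgorithm.ToString(), "Encryption"));

     generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
         new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectPublic)));
     generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
         new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerPublic)));

     // Split the configured extensions into KeyUsage bits (OR-ed together) and EKU OIDs.
     int keyUsageBits = 0;
     var extendedKeyUsages = new Asn1EncodableVector();
     foreach (ExtensionInfo extension in this.Extensions.extensionInfo)
     {
         if (extension.ExtendedKeyUsage)
         {
             extendedKeyUsages.Add((Asn1Encodable)extension.ExtensionType);
         }
         else
         {
             keyUsageBits |= (int)extension.ExtensionType;
         }
     }

     if (keyUsageBits != 0)
     {
         generator.AddExtension(X509Extensions.KeyUsage, this.Extensions.KeyUsageIsCritical, new KeyUsage(keyUsageBits));
     }
     if (extendedKeyUsages.Count > 0)
     {
         generator.AddExtension(X509Extensions.ExtendedKeyUsage, this.Extensions.EnhancedKeyUsageIsCritical,
             ExtendedKeyUsage.GetInstance(new DerSequence(extendedKeyUsages)));
     }

     X509Certificate certificate = generator.Generate(issuerPrivate, this.GetSecureRandom());
     // Confirm the signature chains to the root before handing the encoding out.
     certificate.Verify(issuerPublic);
     return certificate.GetEncoded();
 }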
        /// <summary>
        /// Creates a self-signed RSA certificate for <paramref name="issuedToDomainName"/>, valid for
        /// <paramref name="validYears"/> years from today (UTC), and returns it as an
        /// <see cref="X509Certificate2"/> with its private key attached, by round-tripping through a
        /// password-protected in-memory PKCS#12 store.
        /// </summary>
        /// <param name="password">Password protecting the PKCS#12 blob that carries the private key.</param>
        /// <param name="issuedToDomainName">Subject DN string; it also becomes the first subject alternative name.</param>
        /// <param name="validYears">Number of years the certificate stays valid.</param>
        /// <returns>The certificate together with its private key.</returns>
        public X509Certificate2 MakeCertificate(string password, string issuedToDomainName, int validYears)
        {
            _certificateGenerator.Reset();
            _certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm);
            _certificateGenerator.SetSerialNumber(
                BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), _random));
            _certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName));
            _certificateGenerator.SetIssuerDN(_issuer);

            // SAN = the subject itself, followed by every pre-configured general name.
            var altNames = new Asn1Encodable[_generalNames.Length + 1];
            altNames[0] = new GeneralName(new X509Name(issuedToDomainName));
            for (var i = 0; i < _generalNames.Length; i++)
            {
                altNames[i + 1] = _generalNames[i];
            }
            _certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, new DerSequence(altNames));

            _certificateGenerator.SetNotBefore(DateTime.UtcNow.Date);
            _certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(validYears));

            var keyPairGenerator = new RsaKeyPairGenerator();
            keyPairGenerator.Init(new KeyGenerationParameters(_random, _strength));
            var keyPair = keyPairGenerator.GenerateKeyPair();
            _certificateGenerator.SetPublicKey(keyPair.Public);

            // Self-signed: the freshly generated key both owns and signs the certificate.
            var certificate = _certificateGenerator.Generate(keyPair.Private, _random);

            // Package certificate and key under the subject DN as alias.
            var entry = new X509CertificateEntry(certificate);
            var alias = certificate.SubjectDN.ToString();
            var store = new Pkcs12Store();
            store.SetCertificateEntry(alias, entry);
            store.SetKeyEntry(alias, new AsymmetricKeyEntry(keyPair.Private), new[] { entry });

            using (var buffer = new MemoryStream())
            {
                store.Save(buffer, password.ToCharArray(), _random);
                // PersistKeySet keeps the imported private key in the platform key store instead of
                // deleting it with this object; Exportable allows it to be read back out later.
                return new X509Certificate2(buffer.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
            }
        }
        /// <summary>
        /// Issues a 100-day v3 certificate for <paramref name="_subKP"/> signed by <paramref name="_issKP"/>.
        /// A CA gets a (non-critical) BasicConstraints extension; a leaf instead gets a critical
        /// ExtendedKeyUsage pinned to time-stamping. The result is validity-checked and verified.
        /// </summary>
        /// <param name="_subKP">Subject key pair; only its public half is certified.</param>
        /// <param name="_subDN">Subject distinguished name.</param>
        /// <param name="_issKP">Issuer key pair; the private half signs, the public half feeds the AKI and verification.</param>
        /// <param name="_issDN">Issuer distinguished name.</param>
        /// <param name="_ca">True to issue a CA certificate, false for a time-stamping leaf.</param>
        /// <returns>The generated, verified certificate.</returns>
        public static X509Certificate MakeCertificate(AsymmetricCipherKeyPair _subKP,
                                                      string _subDN, AsymmetricCipherKeyPair _issKP, string _issDN, bool _ca)
        {
            AsymmetricKeyParameter subjectPublic = _subKP.Public;
            AsymmetricKeyParameter issuerPrivate = _issKP.Private;
            AsymmetricKeyParameter issuerPublic  = _issKP.Public;

            var generator = new X509V3CertificateGenerator();
            generator.Reset();
            generator.SetSerialNumber(allocateSerialNumber());
            generator.SetIssuerDN(new X509Name(_issDN));
            generator.SetSubjectDN(new X509Name(_subDN));
            generator.SetNotBefore(DateTime.UtcNow);
            generator.SetNotAfter(DateTime.UtcNow.AddDays(100));
            generator.SetPublicKey(subjectPublic);
            // MD5 signatures are collision-broken; acceptable only for a throwaway test fixture.
            generator.SetSignatureAlgorithm("MD5WithRSAEncryption");

            generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublic));
            generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublic));

            if (!_ca)
            {
                // Leaf certificates are restricted to the time-stamping purpose (RFC 3161).
                generator.AddExtension(X509Extensions.ExtendedKeyUsage, true,
                    ExtendedKeyUsage.GetInstance(new DerSequence(KeyPurposeID.IdKPTimeStamping)));
            }
            else
            {
                generator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(_ca));
            }

            var cert = generator.Generate(issuerPrivate);

            cert.CheckValidity(DateTime.UtcNow);
            cert.Verify(issuerPublic);

            return cert;
        }
        /// <summary>
        /// Creates a self-signed RSA certificate for <paramref name="issuedToDomainName"/> and returns it as an
        /// <see cref="X509Certificate2"/> with its private key, via a password-protected PKCS#12 blob kept in
        /// memory. The validity window starts one day in the past (presumably to tolerate clock skew).
        /// </summary>
        /// <param name="password">Password protecting the PKCS#12 blob.</param>
        /// <param name="issuedToDomainName">Subject DN string.</param>
        /// <param name="friendlyName">Alias under which certificate and key are stored in the PKCS#12 store.</param>
        /// <param name="validDays">Validity in days, counted from the back-dated NotBefore.</param>
        /// <returns>The certificate with its private key attached.</returns>
        public X509Certificate2 MakeCertificate(string password,
                                                string issuedToDomainName,
                                                string friendlyName,
                                                int validDays)
        {
            _certificateGenerator.Reset();
            _certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm);
            _certificateGenerator.SetSerialNumber(
                BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), _random));
            _certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName));
            _certificateGenerator.SetIssuerDN(_issuer);

            // NotBefore is yesterday; NotAfter is validDays after that, not after "now".
            var notBefore = DateTime.UtcNow.AddDays(-1);
            _certificateGenerator.SetNotBefore(notBefore);
            _certificateGenerator.SetNotAfter(notBefore.AddDays(validDays));

            var keyPairGenerator = new RsaKeyPairGenerator();
            keyPairGenerator.Init(new KeyGenerationParameters(_random, _strength));
            var keyPair = keyPairGenerator.GenerateKeyPair();
            _certificateGenerator.SetPublicKey(keyPair.Public);

            // Self-signed: the same key pair acts as subject and issuer.
            var certificate = _certificateGenerator.Generate(keyPair.Private, _random);

            var entry = new X509CertificateEntry(certificate);
            var store = new Pkcs12Store();
            store.SetCertificateEntry(friendlyName, entry);
            store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(keyPair.Private), new[] { entry });

            using (var buffer = new MemoryStream())
            {
                store.Save(buffer, password.ToCharArray(), _random);
                // PersistKeySet keeps the imported private key in the platform key store; Exportable
                // allows it to be read back out later.
                return new X509Certificate2(buffer.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
            }
        }
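        /// <summary>
        /// Builds a v3 certificate for <paramref name="subjectKeyPair"/> signed by
        /// <paramref name="rootKeyPair"/>. Validity, serial number and the KeyUsage / ExtendedKeyUsage
        /// settings come from this object; a root certificate additionally gets a critical CA
        /// BasicConstraints extension and has the keyCertSign/cRLSign usages forced on (critical).
        /// </summary>
        /// <param name="subjectKeyPair">Key pair whose public half is certified.</param>
        /// <param name="certificateSubject">Subject name.</param>
        /// <param name="rootKeyPair">Issuer key pair; the private half signs, the public half verifies and feeds the AKI.</param>
        /// <param name="rootSubject">Issuer name.</param>
        /// <param name="isRootCertificate">True to issue a CA (root) certificate.</param>
        /// <param name="addAuthorityKeyIdentifier">Whether to include an AKI derived from the issuer public key.</param>
        /// <returns>The signed certificate, already verified against the issuer public key.</returns>
        private X509Certificate MakeCertificate(AsymmetricCipherKeyPair subjectKeyPair, X509Name certificateSubject, AsymmetricCipherKeyPair rootKeyPair, X509Name rootSubject, bool isRootCertificate, bool addAuthorityKeyIdentifier)
        {
            AsymmetricKeyParameter subjectPublic = subjectKeyPair.Public;
            AsymmetricKeyParameter issuerPrivate = rootKeyPair.Private;
            AsymmetricKeyParameter issuerPublic  = rootKeyPair.Public;

            var generator = new X509V3CertificateGenerator();
            generator.Reset();

            // long.MinValue is the "not configured" sentinel for SerialNumber. When it is unset,
            // draw a 128-bit serial from the CSPRNG already used for signing: serials must be
            // unpredictable, and a time-seeded System.Random makes them guessable.
            if (this.SerialNumber != long.MinValue)
            {
                generator.SetSerialNumber(BigInteger.ValueOf(this.SerialNumber));
            }
            else
            {
                generator.SetSerialNumber(new BigInteger(128, this.GetSecureRandom()));
            }

            generator.SetIssuerDN(rootSubject);
            generator.SetSubjectDN(certificateSubject);
            generator.SetNotBefore(this.ValidFrom.ToUniversalTime());
            generator.SetNotAfter(this.ValidTo.ToUniversalTime());
            generator.SetPublicKey(subjectPublic);
            // The configured algorithm name gets the "Encryption" suffix Bouncy Castle expects.
            generator.SetSignatureAlgorithm(string.Concat(this.SignatureAlgorithm.ToString(), "Encryption"));

            // Split the configured extensions into KeyUsage bits (OR-ed together) and EKU OIDs.
            int keyUsageBits = 0;
            var extendedKeyUsages = new Asn1EncodableVector();
            foreach (ExtensionInfo extension in this.Extensions.extensionInfo)
            {
                if (extension.ExtendedKeyUsage)
                {
                    extendedKeyUsages.Add((Asn1Encodable)extension.ExtensionType);
                }
                else
                {
                    keyUsageBits |= (int)extension.ExtensionType;
                }
            }

            bool keyUsageIsCritical = this.Extensions.KeyUsageIsCritical;
            if (isRootCertificate)
            {
                // RFC 5280: a CA certificate carries a critical BasicConstraints and must be able
                // to sign certificates and CRLs, whatever usages were configured.
                generator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
                keyUsageBits      |= KeyUsage.KeyCertSign | KeyUsage.CrlSign;
                keyUsageIsCritical = true;
            }

            if (keyUsageBits != 0)
            {
                generator.AddExtension(X509Extensions.KeyUsage, keyUsageIsCritical, new KeyUsage(keyUsageBits));
            }
            if (extendedKeyUsages.Count > 0)
            {
                generator.AddExtension(X509Extensions.ExtendedKeyUsage, this.Extensions.EnhancedKeyUsageIsCritical,
                    ExtendedKeyUsage.GetInstance(new DerSequence(extendedKeyUsages)));
            }

            generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
                new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectPublic)));
            if (addAuthorityKeyIdentifier)
            {
                generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
                    new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerPublic)));
            }

            X509Certificate certificate = generator.Generate(issuerPrivate, this.GetSecureRandom());
            // Confirm the signature chains to the issuer key before returning the certificate.
            certificate.Verify(issuerPublic);
            return certificate;
        }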
        /// <summary>
        /// Issues a 100-day v3 certificate for <paramref name="subKP"/> signed by <paramref name="issKP"/>,
        /// picking the signature algorithm from the issuer key type (RSA, EC-GOST, ECDSA or GOST), with
        /// SubjectKeyIdentifier, AuthorityKeyIdentifier and BasicConstraints extensions. The result is
        /// validity-checked and verified against the issuer public key.
        /// </summary>
        /// <param name="subKP">Subject key pair; only its public half is certified.</param>
        /// <param name="_subDN">Subject distinguished name.</param>
        /// <param name="issKP">Issuer key pair; the private half signs, the public half feeds the AKI and verification.</param>
        /// <param name="_issDN">Issuer distinguished name.</param>
        /// <param name="_ca">Whether BasicConstraints marks the subject as a CA.</param>
        /// <returns>The generated, verified certificate.</returns>
        public static X509Certificate MakeCertificate(
            AsymmetricCipherKeyPair subKP, string _subDN,
            AsymmetricCipherKeyPair issKP, string _issDN, bool _ca)
        {
            AsymmetricKeyParameter subjectPublic = subKP.Public;
            AsymmetricKeyParameter issuerPrivate = issKP.Private;
            AsymmetricKeyParameter issuerPublic  = issKP.Public;

            // Choose a signature algorithm that matches the issuer's key type.
            // SHA-1 variants are for this fixture only; real issuance needs SHA-2.
            string signatureAlgorithm;
            ECPublicKeyParameters ecIssuer = issuerPublic as ECPublicKeyParameters;
            if (issuerPublic is RsaKeyParameters)
            {
                signatureAlgorithm = "SHA1WithRSA";
            }
            else if (ecIssuer != null)
            {
                signatureAlgorithm = ecIssuer.AlgorithmName == "ECGOST3410"
                    ? "GOST3411withECGOST3410"
                    : "SHA1withECDSA";
            }
            else
            {
                signatureAlgorithm = "GOST3411WithGOST3410";
            }

            var generator = new X509V3CertificateGenerator();
            generator.Reset();
            generator.SetSerialNumber(AllocateSerialNumber());
            generator.SetIssuerDN(new X509Name(_issDN));
            generator.SetSubjectDN(new X509Name(_subDN));
            generator.SetNotBefore(DateTime.UtcNow);
            generator.SetNotAfter(DateTime.UtcNow.AddDays(100));
            generator.SetPublicKey(subjectPublic);
            generator.SetSignatureAlgorithm(signatureAlgorithm);

            generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, CreateSubjectKeyId(subjectPublic));
            generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, CreateAuthorityKeyId(issuerPublic));
            // Added non-critical here; RFC 5280 requires BasicConstraints to be critical in CA certificates.
            generator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(_ca));

            var cert = generator.Generate(issuerPrivate);

            cert.CheckValidity();
            cert.Verify(issuerPublic);

            return cert;
        }
        /// <summary>
        /// Generates an intermediate CA certificate (path length 0) signed by the CA whose
        /// certificate and private key are supplied, and wraps it in a PKCS#12 certificate entry
        /// whose bag attributes carry a friendly name.
        /// </summary>
        /// <param name="pubKey">Public key of the intermediate CA.</param>
        /// <param name="caPrivKey">Issuing CA private key used for signing.</param>
        /// <param name="caCert">Issuing CA certificate; supplies the issuer name, the AKI and the verification key.</param>
        /// <returns>A PKCS#12 certificate entry for the intermediate certificate.</returns>
        public static X509CertificateEntry CreateIntermediateCert(
            AsymmetricKeyParameter pubKey,
            AsymmetricKeyParameter caPrivKey,
            X509Certificate caCert)
        {
            // Subject name: attribute values plus the order in which they are emitted.
            IDictionary attrs = new Hashtable
            {
                { X509Name.C,            "AU" },
                { X509Name.O,            "The Legion of the Bouncy Castle" },
                { X509Name.OU,           "Bouncy Intermediate Certificate" },
                { X509Name.EmailAddress, "*****@*****.**" },
            };
            IList order = new ArrayList { X509Name.C, X509Name.O, X509Name.OU, X509Name.EmailAddress };

            // Version 3 certificate issued by caCert.
            v3CertGen.Reset();
            v3CertGen.SetSerialNumber(BigInteger.Two);
            v3CertGen.SetIssuerDN(PrincipalUtilities.GetSubjectX509Principal(caCert));
            v3CertGen.SetSubjectDN(new X509Name(order, attrs));
            v3CertGen.SetNotBefore(DateTime.UtcNow.AddMonths(-1));
            v3CertGen.SetNotAfter(DateTime.UtcNow.AddMonths(1));
            v3CertGen.SetPublicKey(pubKey);
            // SHA-1 is for this in-memory fixture only; do not copy it into production issuance.
            v3CertGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");

            v3CertGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pubKey));
            v3CertGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
            // Critical CA constraint with pathLen 0: this CA may issue end-entity certificates only.
            v3CertGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));

            X509Certificate cert = v3CertGen.Generate(caPrivKey);
            cert.CheckValidity(DateTime.UtcNow);
            cert.Verify(caCert.GetPublicKey());

            // Bag attributes are optional; setting the friendly name here controls how a
            // PKCS#12 consumer labels the entry.
            IDictionary bagAttr = new Hashtable
            {
                { PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id, new DerBmpString("Bouncy Intermediate Certificate") },
            };

            return new X509CertificateEntry(cert, bagAttr);
        }