public Certificate(X509Certificate2 cert)
{
if (cert == null)
{
throw new ArgumentNullException("cert");
}
certificate = cert;
KeyAlgorithm = certificate.GetKeyAlgorithm();
HasPrivateKey = certificate.HasPrivateKey;
SerialNumber = certificate.SerialNumber;
Thumbprint = certificate.Thumbprint;
FriendlyName = certificate.FriendlyName;// !string.IsNullOrWhiteSpace(_certificate.FriendlyName) ? _certificate.FriendlyName : string.Format("[{0}]\t[{1}]", _certificate.Issuer, _certificate.Subject);
Subject = certificate.Subject;
EffectiveDate = certificate.NotBefore;
ExpirationDate = certificate.NotAfter;
Format = certificate.GetFormat();
Issuer = certificate.Issuer;
SignatureAlgorithm = certificate.SignatureAlgorithm.FriendlyName;
Version = certificate.Version.ToString();
Extentions = new List<string>();
foreach (X509Extension ext in certificate.Extensions)
{
Extentions.Add(ext.Format(false));
}
}
public static Dictionary <string, string> ParseCert(byte[] certDER)
{
var ret = new Dictionary <string, string>();
try {
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certDER);
//logger.Debug("X.509v3証明書の発行先であるプリンシパルの名前(古い形式)");
//logger.Debug(x509.GetName());
ret.Add("X.509v3証明書の形式の名前", x509.GetFormat());
ret.Add("バージョン", $"{x509.Version}");
ret.Add("シリアル番号", x509.GetSerialNumberString());
ret.Add("署名アルゴリズム", x509.SignatureAlgorithm.FriendlyName);
ret.Add("証明書を発行した証明機関の名前", x509.Issuer);
ret.Add("サブジェクトの識別名", x509.Subject);
ret.Add("証明書のハッシュ値の16進文字列", x509.GetCertHashString());
ret.Add("証明書の発効日", x509.GetEffectiveDateString());
ret.Add("証明書の失効日", x509.GetExpirationDateString());
ret.Add("キーアルゴリズム情報", x509.GetKeyAlgorithm());
ret.Add("キーアルゴリズムパラメータ", x509.GetKeyAlgorithmParametersString());
ret.Add("公開鍵", x509.GetPublicKeyString());
foreach (var extension in x509.Extensions)
{
/*
* if (extension.Oid.FriendlyName == "キー使用法") {
* var ext = (X509KeyUsageExtension)extension;
* ret.Add("Extension キー使用法", ext.KeyUsages.ToString());
* }
* if (extension.Oid.FriendlyName == "拡張キー使用法") {
* var ext = (X509EnhancedKeyUsageExtension)extension;
* string value = "";
* var oids = ext.EnhancedKeyUsages;
* foreach (var oid in oids) {
* value = value + oid.FriendlyName + "(" + oid.Value + ")";
* }
* ret.Add("Extension 拡張キー使用法", value);
* }
*/
ret.Add($"- Extension {extension.Oid.FriendlyName}", extension.Oid.Value);
}
//logger.Debug("X.509v3証明書を発行した証明機関の名前(古い形式)");
//logger.Debug(x509.GetIssuerName());
//logger.Debug("X.509証明書全体の生データ");
//logger.Debug(x509.GetRawCertDataString());
} catch (Exception ex) {
logger.Debug(ex);
}
return(ret);
}
public void TestCertMangling()
{
string certString = @"MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0
WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK
jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze
qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI
zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr
PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh
3yILeYQzllt/g0rKVRk=";
X509Certificate2 c = new X509Certificate2();
c.Import(Convert.FromBase64String(certString));
Assert.AreEqual("[email protected], CN=www.google.com, O=\"Google, Inc\", L=Mountain View, S=California, C=US", c.Issuer);
//Assert.AreEqual("CN=Microsoft Corporate Root CA, O=Microsoft Corporation", c.Subject);
Assert.AreEqual("X509", c.GetFormat());
Assert.AreEqual("1.2.840.10045.2.1", c.GetKeyAlgorithm());
Assert.AreEqual("06052B81040022", c.GetKeyAlgorithmParametersString());
Assert.AreEqual("ECC", c.PublicKey.Oid.FriendlyName);
ECDiffieHellmanPublicKey certKey = CryptoUtils.ImportEccPublicKeyFromCertificate(c);
//Console.WriteLine(certKey.ToXmlString());
// https://blogs.msdn.microsoft.com/shawnfa/2007/01/22/elliptic-curve-diffie-hellman/
// http://stackoverflow.com/questions/11266711/using-cngkey-to-generate-rsa-key-pair-in-pem-dkim-compatible-using-c-simi
{
string input = "eyJhbGciOiJFUzM4NCIsIng1dSI6Ik1IWXdFQVlIS29aSXpqMENBUVlGSzRFRUFDSURZZ0FFN25uWnBDZnhtQ3JTd0RkQnY3ZUJYWE10S2hyb3hPcmlFcjNobU1PSkF1dy9acFFYajFLNUdHdEhTNENwRk50dGQxSllBS1lvSnhZZ2F5a3BpZTBFeUF2M3FpSzZ1dElIMnFuT0F0M1ZOclFZWGZJWkpTL1ZSZTNJbDhQZ3U5Q0IifQo.eyJleHAiOjE0NjQ5ODM4NDUsImV4dHJhRGF0YSI6eyJkaXNwbGF5TmFtZSI6Imd1cnVueCIsImlkZW50aXR5IjoiYWY2ZjdjNWUtZmNlYS0zZTQzLWJmM2EtZTAwNWU0MDBlNTc4In0sImlkZW50aXR5UHVibGljS2V5IjoiTUhZd0VBWUhLb1pJemowQ0FRWUZLNEVFQUNJRFlnQUU3bm5acENmeG1DclN3RGRCdjdlQlhYTXRLaHJveE9yaUVyM2htTU9KQXV3L1pwUVhqMUs1R0d0SFM0Q3BGTnR0ZDFKWUFLWW9KeFlnYXlrcGllMEV5QXYzcWlLNnV0SUgycW5PQXQzVk5yUVlYZklaSlMvVlJlM0lsOFBndTlDQiIsIm5iZiI6MTQ2NDk4Mzg0NH0K.4OrvYYbX09iwOkz-7_N_5yEejuATcUogEbe69fB-kr7r6sH_qSu6bxp9L64SEgABb0rU7tyYCLVnaCSQjd9Dvb34WI9EducgOPJ92qHspcpXr7j716LDfhZE31ksMtWQ";
ECDiffieHellmanPublicKey rootKey = CryptoUtils.CreateEcDiffieHellmanPublicKey("MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8ELkixyLcwlZryUQcu1TvPOmI2B7vX83ndnWRUaXm74wFfa5f/lwQNTfrLVHa2PmenpGI6JhIMUJaWZrjmMj90NoKNFSNBuKdm8rYiXsfaz3K36x/1U26HpG0ZxK/V1V");
Console.WriteLine($"Root Public Key:\n{rootKey.ToXmlString()}");
CngKey key = CngKey.Import(rootKey.ToByteArray(), CngKeyBlobFormat.EccPublicBlob);
Console.WriteLine("Key family: " + key.AlgorithmGroup);
// "identityPublicKey": "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7nnZpCfxmCrSwDdBv7eBXXMtKhroxOriEr3hmMOJAuw/ZpQXj1K5GGtHS4CpFNttd1JYAKYoJxYgaykpie0EyAv3qiK6utIH2qnOAt3VNrQYXfIZJS/VRe3Il8Pgu9CB",
var newKey = CryptoUtils.ImportECDsaCngKeyFromString("MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7nnZpCfxmCrSwDdBv7eBXXMtKhroxOriEr3hmMOJAuw/ZpQXj1K5GGtHS4CpFNttd1JYAKYoJxYgaykpie0EyAv3qiK6utIH2qnOAt3VNrQYXfIZJS/VRe3Il8Pgu9CB");
string decoded = JWT.Decode(input, newKey);
//Assert.AreEqual("", decoded);
//ECDsaCng t = new ECDsaCng();
//t.HashAlgorithm = CngAlgorithm.ECDiffieHellmanP384;
//t.KeySize = 384;
//byte[] test = t.Key.Export(CngKeyBlobFormat.EccPublicBlob);
//Assert.AreEqual(test, newKey);
//string decoded = JWT.Decode(input, t.Key);
}
// Private key (in reality this is not necessary since we will generate it)
AsymmetricKeyParameter privKey = PrivateKeyFactory.CreateKey(Base64Url.Decode("MB8CAQAwEAYHKoZIzj0CAQYFK4EEACIECDAGAgEBBAEB"));
PrivateKeyInfo privKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privKey);
byte[] derKey = privKeyInfo.GetDerEncoded();
CngKey privCngKey = CngKey.Import(derKey, CngKeyBlobFormat.Pkcs8PrivateBlob);
Console.WriteLine(privKeyInfo.PrivateKeyAlgorithm.Algorithm);
Console.WriteLine(privCngKey.Algorithm.Algorithm);
// Public key
ECDiffieHellmanPublicKey clientKey = CryptoUtils.CreateEcDiffieHellmanPublicKey("MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDEKneqEvcqUqqFMM1HM1A4zWjJC+I8Y+aKzG5dl+6wNOHHQ4NmG2PEXRJYhujyodFH+wO0dEr4GM1WoaWog8xsYQ6mQJAC0eVpBM96spUB1eMN56+BwlJ4H3Qx4TAvAs");
// EC key to generate shared secret
ECDiffieHellmanCng ecKey = new ECDiffieHellmanCng(privCngKey);
ecKey.HashAlgorithm = CngAlgorithm.Sha256;
ecKey.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
ecKey.SecretPrepend = new byte[128]; // Server token
//ecKey.SecretPrepend = new byte[0]; // Server token
Console.WriteLine(ecKey.HashAlgorithm);
Console.WriteLine(ecKey.KeyExchangeAlgorithm);
byte[] secret = ecKey.DeriveKeyMaterial(clientKey);
Console.WriteLine(Package.HexDump(secret));
Console.WriteLine(Package.HexDump(Base64Url.Decode("ZOBpyzki/M8UZv5tiBih048eYOBVPkQE3r5Fl0gmUP4=")));
Console.WriteLine(Package.HexDump(Base64Url.Decode("DEKneqEvcqUqqFMM1HM1A4zWjJC+I8Y+aKzG5dl+6wNOHHQ4NmG2PEXRJYhujyod")));
//Console.WriteLine(Package.HexDump(Base64Url.Decode("DEKneqEvcqUqqFMM1HM1A4zWjJC+I8Y+aKzG5dl+6wNOHHQ4NmG2PEXRJYhujyod")));
}
public override void AssignSession(Session oS)
{
base.AssignSession(oS);
var dataItems = new List<DataItem>();
dataItems.Add(new DataItem("Is Https", oS.isHTTPS));
if (oS.isHTTPS && oS.oFlags.ContainsKey(CertificateStorage.CeritificateRequestPropertyName))
{
try
{
var thumbprint = oS.oFlags[CertificateStorage.CeritificateRequestPropertyName];
FiddlerApplication.Log.LogString(thumbprint);
if (CertificateStorage.Certificates.ContainsKey(thumbprint))
{
var certificate = CertificateStorage.Certificates[thumbprint];
var cert = new X509Certificate2(certificate);
_informationTab.Certificate = cert;
//most commonly desired information up top.
dataItems.InsertRange(0, new[] { new DataItem("FriendlyName", cert.FriendlyName),
new DataItem("Subject", cert.Subject),
new DataItem("Issuer", cert.Issuer),
new DataItem("Effective Date", cert.GetEffectiveDateString()),
new DataItem("Expiration Date", cert.GetExpirationDateString()),
new DataItem("Thumbprint", cert.Thumbprint),
new DataItem("------------------------", "------------------------")});
//alphabatized data properties below
dataItems.Add(new DataItem("Archived", cert.Archived));
dataItems.Add(new DataItem("FriendlyName", cert.FriendlyName));
dataItems.Add(new DataItem("Certficate Hash", cert.GetCertHashString()));
dataItems.Add(new DataItem("Certificate Format", cert.GetFormat()));
dataItems.Add(new DataItem("Effective Date", cert.GetEffectiveDateString()));
dataItems.Add(new DataItem("Expiration Date", cert.GetExpirationDateString()));
dataItems.Add(new DataItem("Full Issuer Name", cert.IssuerName.Format(true)));
dataItems.Add(new DataItem("Full Subject Name", cert.SubjectName.Format(true)));
dataItems.Add(new DataItem("Has Private Key", cert.HasPrivateKey));
dataItems.Add(new DataItem("Issuer", cert.Issuer));
dataItems.Add(new DataItem("Key Algorithm", cert.GetKeyAlgorithm()));
dataItems.Add(new DataItem("Key Algorithm Parameters", cert.GetKeyAlgorithmParametersString()));
dataItems.Add(new DataItem("Public Key", cert.GetPublicKeyString()));
dataItems.Add(new DataItem("Raw Certificate Data", cert.GetRawCertDataString()));
dataItems.Add(new DataItem("SerialNumberString", cert.GetSerialNumberString()));
dataItems.Add(new DataItem("Subject", cert.Subject));
dataItems.Add(new DataItem("Thumbprint", cert.Thumbprint));
dataItems.Add(new DataItem("Version", cert.Version));
dataItems.Add(new DataItem("------------------------", "------------------------"));
dataItems.Add(new DataItem("Extensions", string.Empty));
dataItems.Add(new DataItem("------------------------", "------------------------"));
foreach (var extension in cert.Extensions)
{
dataItems.Add(new DataItem(extension.Oid.FriendlyName, extension.Format(true)));
}
}
}
catch (Exception ex)
{
FiddlerApplication.Log.LogString("Unexpected error loading the assigned certificate." + ex.Message);
}
}
_informationTab.DataGrid.DataSource = dataItems;
}
private void OutputCertificate(X509Certificate2 x509Certificate)
{
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Certificate Data: ******************************************************************");
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Basic Certificate Information");
//System.Diagnostics.Debug.WriteLine("\t Content Type: " + X509Certificate2.GetCertContentType(x509Certificate.RawData));
System.Diagnostics.Debug.WriteLine("\t Format: " + x509Certificate.GetFormat());
System.Diagnostics.Debug.WriteLine("\t Version: " + x509Certificate.Version.ToString());
System.Diagnostics.Debug.WriteLine("\t Hash String: " + x509Certificate.GetCertHashString());
System.Diagnostics.Debug.WriteLine("\t Issuer Name: " + x509Certificate.IssuerName.Name);
System.Diagnostics.Debug.WriteLine("\t Issuer Name OID: " + x509Certificate.IssuerName.Oid.Value);
System.Diagnostics.Debug.WriteLine("\t Subject Name: " + x509Certificate.SubjectName.Name);
System.Diagnostics.Debug.WriteLine("\t Serial Number: " + x509Certificate.GetSerialNumberString());
System.Diagnostics.Debug.WriteLine("\t Thumb Print: " + x509Certificate.Thumbprint);
System.Diagnostics.Debug.WriteLine("\t Friendly Name: " + x509Certificate.FriendlyName);
System.Diagnostics.Debug.WriteLine("\t Signature Algorithm: " + x509Certificate.SignatureAlgorithm.FriendlyName);
if (null != x509Certificate.PrivateKey)
System.Diagnostics.Debug.WriteLine("\t Signature Key Exchange Algorithm: " + x509Certificate.PrivateKey.KeyExchangeAlgorithm);
else
System.Diagnostics.Debug.WriteLine("\t Signature Key Exchange Algorithm: ");
System.Diagnostics.Debug.WriteLine("\t Key Algorithm Parameters: " + x509Certificate.GetKeyAlgorithmParametersString());
System.Diagnostics.Debug.WriteLine("\t Not Valid Before: " + x509Certificate.NotBefore.ToString());
System.Diagnostics.Debug.WriteLine("\t Not Valid After: " + x509Certificate.NotAfter.ToString());
System.Diagnostics.Debug.WriteLine("\t Can Be Verified: " + x509Certificate.Verify());
System.Diagnostics.Debug.WriteLine("\t Is Archived: " + x509Certificate.Archived);
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("X509 Name Elements");
System.Diagnostics.Debug.WriteLine("\t X509 Simple Name: " + x509Certificate.GetNameInfo(X509NameType.SimpleName, false));
System.Diagnostics.Debug.WriteLine("\t X509 DNS From Alternative Name: " + x509Certificate.GetNameInfo(X509NameType.DnsFromAlternativeName, false));
System.Diagnostics.Debug.WriteLine("\t X509 DNS Name: " + x509Certificate.GetNameInfo(X509NameType.DnsName, false));
System.Diagnostics.Debug.WriteLine("\t X509 Email Name: " + x509Certificate.GetNameInfo(X509NameType.EmailName, false));
System.Diagnostics.Debug.WriteLine("\t X509 UPN Name: " + x509Certificate.GetNameInfo(X509NameType.UpnName, false));
System.Diagnostics.Debug.WriteLine("\t X509 URL Name: " + x509Certificate.GetNameInfo(X509NameType.UrlName, false));
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("X509 Name Elements for Issuer");
System.Diagnostics.Debug.WriteLine("\t X509 Simple Name: " + x509Certificate.GetNameInfo(X509NameType.SimpleName, true));
System.Diagnostics.Debug.WriteLine("\t X509 DNS From Alternative Name: " + x509Certificate.GetNameInfo(X509NameType.DnsFromAlternativeName, true));
System.Diagnostics.Debug.WriteLine("\t X509 DNS Name: " + x509Certificate.GetNameInfo(X509NameType.DnsName, true));
System.Diagnostics.Debug.WriteLine("\t X509 Email Name: " + x509Certificate.GetNameInfo(X509NameType.EmailName, true));
System.Diagnostics.Debug.WriteLine("\t X509 UPN Name: " + x509Certificate.GetNameInfo(X509NameType.UpnName, true));
System.Diagnostics.Debug.WriteLine("\t X509 URL Name: " + x509Certificate.GetNameInfo(X509NameType.UrlName, true));
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Keys");
System.Diagnostics.Debug.WriteLine("\t Public Key: " + x509Certificate.PublicKey.Key.ToXmlString(false));
if (null != x509Certificate.PrivateKey)
System.Diagnostics.Debug.WriteLine("\t Private Key: " + x509Certificate.PrivateKey.ToXmlString(false));
else
System.Diagnostics.Debug.WriteLine("\t Private Key: ");
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Raw Cert");
System.Diagnostics.Debug.WriteLine("\t " + x509Certificate.GetRawCertDataString());
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("************************************************************************************");
System.Diagnostics.Debug.WriteLine("");
}
public void initTrustStore()
{
this.trustStore = new List<CertificateWrapper>();
string[] iFiles = Directory.GetFiles(CryptoHelper.TRUST_STORE_DIR, "*.pfx");
for (int i = 0; i < iFiles.Length; i++)
{
try
{
X509Certificate2 cert = new X509Certificate2(iFiles[i], CryptoHelper.PUBLIC_STORE_PASSWORD, X509KeyStorageFlags.Exportable);
if (!CryptoHelper.isValidCertificate(cert))
{
throw new CryptoException("Certificate (" + cert.Subject + ") was expired.");
}
if ((cert.Version != 3) || (!cert.GetFormat().Equals("X509")))
{
throw new CryptoException("The certificate (" + cert.Subject + ") must be X.509 v3.");
}
if (!(cert.FriendlyName.Equals(CryptoHelper.FRIENDLYNAME)))
{
throw new CryptoException("The friendly name of the certificate (" + cert.Subject + ") must be \"" + CryptoHelper.FRIENDLYNAME + "\".");
}
this.trustStore.Add(new CertificateWrapper(cert));
}
catch (Exception e)
{
if (this.cryptoEvent != null)
{
this.cryptoEvent("Error while loading certificate (" + Path.GetFileName(iFiles[i]) + "). Details: " + e.Message);
}
}
}
}
public static bool isValidPrivateStore( string filename, string storepass )
{
if ( ( filename == null ) || ( "".Equals(filename) ))
{
throw new CryptoException("Please browse a PKCS12 store or click the 'I haven't got key' button.");
}
X509Certificate2 privatestore = new X509Certificate2(filename, storepass, X509KeyStorageFlags.Exportable);
if (privatestore == null)
{
throw new CryptoException("The store (" + filename + ") is not valid.");
}
if (!privatestore.HasPrivateKey)
{
throw new CryptoException("The store (" + filename + ") hasn't got private key.");
}
if (!CryptoHelper.isValidCertificate(privatestore))
{
throw new CryptoException("The store (" + filename + ") is expired.");
}
if ( (privatestore.Version != 3) || (!privatestore.GetFormat().Equals("X509") ) )
{
throw new CryptoException("The certificate (" + privatestore.Subject + ") must be X.509 v3.");
}
if (!(privatestore.Issuer.Equals(CryptoHelper.PRIVATEKEY_ISSUER)))
{
throw new CryptoException("The common name of the certificate (" + privatestore.Subject + ") must be \"Petri Universitas Budensis Sub CA\".");
}
if (!(privatestore.FriendlyName.Equals(CryptoHelper.FRIENDLYNAME)))
{
throw new CryptoException("The friendly name of the certificate (" + privatestore.Subject + ") must be \"" + CryptoHelper.FRIENDLYNAME + "\".");
}
return true;
}