public static CertificateAuthority Create(Uri sharedUri, IssueCertificateOptions options = null)
{
if (sharedUri == null)
{
throw new ArgumentNullException(nameof(sharedUri));
}
if (!sharedUri.AbsoluteUri.EndsWith("/"))
{
sharedUri = new Uri($"{sharedUri.AbsoluteUri}/");
}
options = options ?? IssueCertificateOptions.CreateDefaultForRootCertificateAuthority();
Action <X509V3CertificateGenerator> customizeCertificate = generator =>
{
generator.AddExtension(
X509Extensions.SubjectKeyIdentifier,
critical: false,
extensionValue: new SubjectKeyIdentifierStructure(options.KeyPair.Public));
generator.AddExtension(
X509Extensions.BasicConstraints,
critical: true,
extensionValue: new BasicConstraints(cA: true));
generator.AddExtension(
X509Extensions.KeyUsage,
critical: true,
extensionValue: new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign | KeyUsage.CrlSign));
};
var signatureFactory = new Asn1SignatureFactory(options.SignatureAlgorithmName, options.IssuerPrivateKey);
var certificate = CreateCertificate(
options.KeyPair.Public,
signatureFactory,
BigInteger.One,
options.SubjectName,
options.SubjectName,
options.NotBefore,
options.NotAfter,
options.CustomizeCertificate ?? customizeCertificate);
return(new CertificateAuthority(certificate, options.KeyPair, sharedUri, parentCa: null));
}
private X509Certificate IssueCaCertificate(
AsymmetricKeyParameter publicKey,
Action <X509V3CertificateGenerator> customizeCertificate = null)
{
var id = Guid.NewGuid().ToString();
var subjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test Intermediate Certificate Authority ({id})");
if (customizeCertificate == null)
{
customizeCertificate = generator =>
{
generator.AddExtension(
X509Extensions.AuthorityInfoAccess,
critical: false,
extensionValue: new DerSequence(
new AccessDescription(AccessDescription.IdADOcsp,
new GeneralName(GeneralName.UniformResourceIdentifier, OcspResponderUri.OriginalString)),
new AccessDescription(AccessDescription.IdADCAIssuers,
new GeneralName(GeneralName.UniformResourceIdentifier, CertificateUri.OriginalString))));
generator.AddExtension(
X509Extensions.AuthorityKeyIdentifier,
critical: false,
extensionValue: new AuthorityKeyIdentifierStructure(Certificate));
generator.AddExtension(
X509Extensions.SubjectKeyIdentifier,
critical: false,
extensionValue: new SubjectKeyIdentifierStructure(publicKey));
generator.AddExtension(
X509Extensions.BasicConstraints,
critical: true,
extensionValue: new BasicConstraints(cA: true));
};
}
var options = new IssueCertificateOptions(publicKey)
{
SubjectName = subjectName,
CustomizeCertificate = customizeCertificate
};
return(IssueCertificate(options));
}
public static TimestampService Create(
CertificateAuthority certificateAuthority,
TimestampServiceOptions serviceOptions = null,
IssueCertificateOptions issueCertificateOptions = null)
{
if (certificateAuthority == null)
{
throw new ArgumentNullException(nameof(certificateAuthority));
}
serviceOptions = serviceOptions ?? new TimestampServiceOptions();
if (issueCertificateOptions == null)
{
issueCertificateOptions = IssueCertificateOptions.CreateDefaultForTimestampService();
}
void customizeCertificate(X509V3CertificateGenerator generator)
{
generator.AddExtension(
X509Extensions.AuthorityInfoAccess,
critical: false,
extensionValue: new DerSequence(
new AccessDescription(AccessDescription.IdADOcsp,
new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.OcspResponderUri.OriginalString)),
new AccessDescription(AccessDescription.IdADCAIssuers,
new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.CertificateUri.OriginalString))));
generator.AddExtension(
X509Extensions.AuthorityKeyIdentifier,
critical: false,
extensionValue: new AuthorityKeyIdentifierStructure(certificateAuthority.Certificate));
generator.AddExtension(
X509Extensions.SubjectKeyIdentifier,
critical: false,
extensionValue: new SubjectKeyIdentifierStructure(issueCertificateOptions.KeyPair.Public));
generator.AddExtension(
X509Extensions.BasicConstraints,
critical: true,
extensionValue: new BasicConstraints(cA: false));
generator.AddExtension(
X509Extensions.KeyUsage,
critical: true,
extensionValue: new KeyUsage(KeyUsage.DigitalSignature));
generator.AddExtension(
X509Extensions.ExtendedKeyUsage,
critical: true,
extensionValue: ExtendedKeyUsage.GetInstance(new DerSequence(KeyPurposeID.IdKPTimeStamping)));
}
if (issueCertificateOptions.CustomizeCertificate == null)
{
issueCertificateOptions.CustomizeCertificate = customizeCertificate;
}
if (serviceOptions.IssuedCertificateNotBefore.HasValue)
{
issueCertificateOptions.NotBefore = serviceOptions.IssuedCertificateNotBefore.Value;
}
if (serviceOptions.IssuedCertificateNotAfter.HasValue)
{
issueCertificateOptions.NotAfter = serviceOptions.IssuedCertificateNotAfter.Value;
}
var certificate = certificateAuthority.IssueCertificate(issueCertificateOptions);
var uri = certificateAuthority.GenerateRandomUri();
return(new TimestampService(certificateAuthority, certificate, issueCertificateOptions.KeyPair, uri, serviceOptions));
}
public X509Certificate IssueCertificate(IssueCertificateOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var serialNumber = _nextSerialNumber;
var issuerName = PrincipalUtilities.GetSubjectX509Principal(Certificate);
Action <X509V3CertificateGenerator> customizeCertificate;
if (options.CustomizeCertificate == null)
{
customizeCertificate = generator =>
{
generator.AddExtension(
X509Extensions.AuthorityInfoAccess,
critical: false,
extensionValue: new DerSequence(
new AccessDescription(AccessDescription.IdADOcsp,
new GeneralName(GeneralName.UniformResourceIdentifier, OcspResponderUri.OriginalString)),
new AccessDescription(AccessDescription.IdADCAIssuers,
new GeneralName(GeneralName.UniformResourceIdentifier, CertificateUri.OriginalString))));
generator.AddExtension(
X509Extensions.AuthorityKeyIdentifier,
critical: false,
extensionValue: new AuthorityKeyIdentifierStructure(Certificate));
generator.AddExtension(
X509Extensions.SubjectKeyIdentifier,
critical: false,
extensionValue: new SubjectKeyIdentifierStructure(options.PublicKey));
generator.AddExtension(
X509Extensions.BasicConstraints,
critical: true,
extensionValue: new BasicConstraints(cA: false));
};
}
else
{
customizeCertificate = options.CustomizeCertificate;
}
var notAfter = options.NotAfter.UtcDateTime;
// An issued certificate should not have a validity period beyond the issuer's validity period.
if (notAfter > Certificate.NotAfter)
{
notAfter = Certificate.NotAfter;
}
var certificate = CreateCertificate(
options.PublicKey,
KeyPair.Private,
serialNumber,
issuerName,
options.SubjectName,
options.NotBefore.UtcDateTime,
notAfter,
customizeCertificate);
_nextSerialNumber = _nextSerialNumber.Add(BigInteger.One);
_issuedCertificates.Add(certificate.SerialNumber, certificate);
return(certificate);
}
public static TimestampService Create(
CertificateAuthority certificateAuthority,
TimestampServiceOptions serviceOptions = null)
{
if (certificateAuthority == null)
{
throw new ArgumentNullException(nameof(certificateAuthority));
}
serviceOptions = serviceOptions ?? new TimestampServiceOptions();
var keyPair = CertificateUtilities.CreateKeyPair();
var id = Guid.NewGuid().ToString();
var subjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test Timestamp Service ({id})");
void customizeCertificate(X509V3CertificateGenerator generator)
{
generator.AddExtension(
X509Extensions.AuthorityInfoAccess,
critical: false,
extensionValue: new DerSequence(
new AccessDescription(AccessDescription.IdADOcsp,
new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.OcspResponderUri.OriginalString)),
new AccessDescription(AccessDescription.IdADCAIssuers,
new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.CertificateUri.OriginalString))));
generator.AddExtension(
X509Extensions.AuthorityKeyIdentifier,
critical: false,
extensionValue: new AuthorityKeyIdentifierStructure(certificateAuthority.Certificate));
generator.AddExtension(
X509Extensions.SubjectKeyIdentifier,
critical: false,
extensionValue: new SubjectKeyIdentifierStructure(keyPair.Public));
generator.AddExtension(
X509Extensions.BasicConstraints,
critical: true,
extensionValue: new BasicConstraints(cA: false));
generator.AddExtension(
X509Extensions.KeyUsage,
critical: true,
extensionValue: new KeyUsage(KeyUsage.DigitalSignature));
generator.AddExtension(
X509Extensions.ExtendedKeyUsage,
critical: true,
extensionValue: ExtendedKeyUsage.GetInstance(new DerSequence(KeyPurposeID.IdKPTimeStamping)));
}
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
SubjectName = subjectName,
CustomizeCertificate = customizeCertificate
};
if (serviceOptions.IssuedCertificateNotBefore.HasValue)
{
issueOptions.NotBefore = serviceOptions.IssuedCertificateNotBefore.Value;
}
if (serviceOptions.IssuedCertificateNotAfter.HasValue)
{
issueOptions.NotAfter = serviceOptions.IssuedCertificateNotAfter.Value;
}
var certificate = certificateAuthority.IssueCertificate(issueOptions);
var uri = certificateAuthority.GenerateRandomUri();
return(new TimestampService(certificateAuthority, certificate, keyPair, uri, serviceOptions));
}
