/// <summary>
/// Create a self signed certificate.
/// </summary>
public static X509Certificate2 GenerateCertificate(
string subjectName,
AsymmetricCipherKeyPair keyPair)
{
if (string.IsNullOrEmpty(subjectName))
{
subjectName = "NuGetTest";
}
var certGen = new X509V3CertificateGenerator();
certGen.SetSubjectDN(new X509Name($"CN={subjectName}"));
certGen.SetIssuerDN(new X509Name($"CN={subjectName}"));
certGen.SetNotAfter(DateTime.UtcNow.Add(TimeSpan.FromHours(1)));
certGen.SetNotBefore(DateTime.UtcNow.Subtract(TimeSpan.FromHours(1)));
certGen.SetPublicKey(keyPair.Public);
var random = new SecureRandom();
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
certGen.SetSerialNumber(serialNumber);
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyCertSign));
certGen.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(false));
var usages = new[] { KeyPurposeID.IdKPCodeSigning };
certGen.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
critical: true,
extensionValue: new ExtendedKeyUsage(usages));
var issuerPrivateKey = keyPair.Private;
var signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivateKey, random);
var certificate = certGen.Generate(signatureFactory);
var certResult = new X509Certificate2(certificate.GetEncoded());
#if IS_DESKTOP
certResult.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
#endif
return(certResult);
}
public void TestX509CertificateConversion()
{
BigInteger DSAParaG = new BigInteger(Base64.Decode("AL0fxOTq10OHFbCf8YldyGembqEu08EDVzxyLL29Zn/t4It661YNol1rnhPIs+cirw+yf9zeCe+KL1IbZ/qIMZM="));
BigInteger DSAParaP = new BigInteger(Base64.Decode("AM2b/UeQA+ovv3dL05wlDHEKJ+qhnJBsRT5OB9WuyRC830G79y0R8wuq8jyIYWCYcTn1TeqVPWqiTv6oAoiEeOs="));
BigInteger DSAParaQ = new BigInteger(Base64.Decode("AIlJT7mcKL6SUBMmvm24zX1EvjNx"));
BigInteger DSAPublicY = new BigInteger(Base64.Decode("TtWy2GuT9yGBWOHi1/EpCDa/bWJCk2+yAdr56rAcqP0eHGkMnA9s9GJD2nGU8sFjNHm55swpn6JQb8q0agrCfw=="));
BigInteger DsaPrivateX = new BigInteger(Base64.Decode("MMpBAxNlv7eYfxLTZ2BItJeD31A="));
DsaParameters para = new DsaParameters(DSAParaP, DSAParaQ, DSAParaG);
DsaPrivateKeyParameters dsaPriv = new DsaPrivateKeyParameters(DsaPrivateX, para);
DsaPublicKeyParameters dsaPub = new DsaPublicKeyParameters(DSAPublicY, para);
IDictionary attrs = new Hashtable();
attrs[X509Name.C] = "AU";
attrs[X509Name.O] = "The Legion of the Bouncy Castle";
attrs[X509Name.L] = "Melbourne";
attrs[X509Name.ST] = "Victoria";
attrs[X509Name.E] = "*****@*****.**";
IList ord = new ArrayList(attrs.Keys);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name(ord, attrs));
certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1));
certGen.SetNotAfter(DateTime.UtcNow.AddDays(1));
certGen.SetSubjectDN(new X509Name(ord, attrs));
certGen.SetPublicKey(dsaPub);
certGen.SetSignatureAlgorithm("SHA1WITHDSA");
X509Certificate cert = certGen.Generate(dsaPriv);
cert.CheckValidity();
cert.Verify(dsaPub);
SystemX509.X509Certificate dotNetCert = DotNetUtilities.ToX509Certificate(cert);
X509Certificate certCopy = DotNetUtilities.FromX509Certificate(dotNetCert);
Assert.AreEqual(cert, certCopy);
certCopy.CheckValidity();
certCopy.Verify(dsaPub);
}
/// <summary>
///Load a RSA key from a PEM file
/// </summary>
/// <param name="file">PEM file</param>
/// <param name="password">Password</param>
public static RSACryptoServiceProvider LoadFromPEM(Stream input, string password = null)
{
using (StreamReader sr = new StreamReader(input, Encoding.Default))
{
PemReader pemReader;
if (!string.IsNullOrEmpty(password))
{
pemReader = new PemReader(sr, new PasswordFinder(password));
}
else
{
pemReader = new PemReader(sr);
}
RSAParameters parameters;
object obj = pemReader.ReadObject();
if (obj == null)
{
throw new PemException("PemReader.ReadObject() returned null");
}
Type objType = obj.GetType();
if (objType == typeof(AsymmetricCipherKeyPair))
{
AsymmetricCipherKeyPair ackp = (AsymmetricCipherKeyPair)obj;
parameters = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)ackp.Private);
}
else if (objType == typeof(RsaPrivateCrtKeyParameters))
{
parameters = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)obj);
}
else if (objType == typeof(RsaKeyParameters))
{
parameters = DotNetUtilities.ToRSAParameters((RsaKeyParameters)obj);
}
else
{
throw new PemException($"Cannot handle type '{objType}' returned by PemReader.ReadObject()");
}
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(parameters);
return(rsa);
}
}
public static X509Certificate2 GenerateSelfSignedCertificate(string domain, DateTime?dateFrom = null, DateTime?dateTo = null)
{
// configure generators
var random = new SecureRandom(new CryptoApiRandomGenerator());
var keyGenerationParameters = new KeyGenerationParameters(random, 2048);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
// create self-signed certificate
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
var certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSubjectDN(new X509Name($"CN={domain}"));
certificateGenerator.SetIssuerDN(new X509Name($"CN={domain}"));
certificateGenerator.SetSerialNumber(serialNumber);
certificateGenerator.SetNotBefore(dateFrom ?? DateTime.UtcNow);
certificateGenerator.SetNotAfter(dateTo ?? DateTime.UtcNow.AddMinutes(5));
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, new DerSequence(new Asn1Encodable[] { new GeneralName(GeneralName.DnsName, domain) }));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyEncipherment | KeyUsage.DigitalSignature));
var keyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(keyPair.Public);
var bouncy_cert = certificateGenerator.Generate(new Asn1SignatureFactory("SHA256WithRSA", keyPair.Private, random));
// get private key into machine key store
var csp = new RSACryptoServiceProvider(
new CspParameters
{
KeyContainerName = Guid.NewGuid().ToString(),
KeyNumber = 1,
Flags = CspProviderFlags.UseMachineKeyStore
});
var rp = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)keyPair.Private);
csp.ImportParameters(rp);
// convert from bouncy cert to X509Certificate2
return(new X509Certificate2(bouncy_cert.GetEncoded(), (string)null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet)
{
FriendlyName = domain + " [Certify] Self Signed - " + bouncy_cert.NotBefore + " to " + bouncy_cert.NotAfter,
PrivateKey = csp
});
}
public async Task Install_TamperedAndRevokedCertificateSignaturePackage_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var issueOptions = IssueCertificateOptions.CreateDefaultForEndCertificate();
var bcCertificate = certificateAuthority.IssueCertificate(issueOptions);
using (var context = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(bcCertificate.GetEncoded()))
{
testCertificate.PrivateKey = DotNetUtilities.ToRSA(issueOptions.KeyPair.Private as RsaPrivateCrtKeyParameters);
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, context.WorkingDirectory);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
certificateAuthority.Revoke(
bcCertificate,
RevocationReason.KeyCompromise,
DateTimeOffset.UtcNow);
var args = new string[]
{
nupkg.Id,
"-Version",
nupkg.Version,
"-DirectDownload",
"-NoCache",
"-Source",
context.WorkingDirectory,
"-OutputDirectory",
Path.Combine(context.WorkingDirectory, "packages")
};
// Act
var result = RunInstall(_nugetExePath, context, expectedExitCode: 1, additionalArgs: args);
// Assert
result.ExitCode.Should().Be(1);
result.Errors.Should().Contain(_NU3008);
result.Errors.Should().Contain(_NU3012);
result.AllOutput.Should().Contain($"WARNING: {_NU3027}");
}
}
private PdfPKCS7 GetPublicKeyManager(IPdfPreSigningSession sessionData)
{
var chain = new X509Chain();
var certificates = new List <Org.BouncyCastle.X509.X509Certificate>();
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
chain.Build(sessionData.UserCertificate);
foreach (var chainElement in chain.ChainElements)
{
certificates.Add(DotNetUtilities.FromX509Certificate(chainElement.Certificate));
}
return(new PdfPKCS7(null, certificates, sessionData.HashAlgorithm, false));
}
public CertEncryptedKeySet(IKeySet keySet, string thumbPrint)
{
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false);
var cert = certCollection.OfType <X509Certificate2>().FirstOrDefault();
var privKey = cert?.GetRSAPrivateKey();
var keyParam = DotNetUtilities.GetRsaKeyPair(privKey).Private as RsaPrivateCrtKeyParameters;
var key = KeyFromBouncyCastle(keyParam);
_certKeySet = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "imported from X509Store");
_keySet = keySet;
_crypter = new Crypter(_certKeySet);
_sessionPacker = new BsonSessionKeyPacker();
}
private bool verifyLicense(byte[] data, byte[] sig)
{
var kparam = key as RsaKeyParameters;
var p1 = DotNetUtilities.ToRSAParameters(kparam);
var rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(p1);
// compute sha256 hash of the data
var sha = new SHA256Managed();
var hash = sha.ComputeHash(data);
var hashName = CryptoConfig.MapNameToOID("SHA256");
// This always returns false
return(rsa.VerifyHash(hash, hashName, sig));
}
public void RevokeUserCertificate(string uid, string cid)
{
//get root cert
X509Certificate rootCert = DotNetUtilities.FromX509Certificate(getRootCert());
//get user cert to be revoked
UserCertificate userCert = GetUserCertificate(uid, cid);
X509Certificate certToRevoke = new X509CertificateParser().ReadCertificate(userCert.RawCertBody);
//parse the last CRL
X509CrlParser crlParser = new X509CrlParser();
FileStream fileStream = File.Open(_configuration["CrlPath"], FileMode.Open);
X509Crl rootCrl = crlParser.ReadCrl(fileStream);
fileStream.Close();
//extract the CRL number
Asn1OctetString prevCrlNum = rootCrl.GetExtensionValue(X509Extensions.CrlNumber);
Asn1Object obj = X509ExtensionUtilities.FromExtensionValue(prevCrlNum);
BigInteger prevCrlNumVal = DerInteger.GetInstance(obj).PositiveValue;
//generate new CRL
X509V2CrlGenerator crlGenerator = new X509V2CrlGenerator();
crlGenerator.SetIssuerDN(rootCert.SubjectDN);
crlGenerator.SetThisUpdate(DateTime.UtcNow);
crlGenerator.SetNextUpdate(DateTime.UtcNow.AddDays(10));
crlGenerator.AddCrl(rootCrl); //add the old CRL entries
//add the newly revoked certificates
crlGenerator.AddCrlEntry(certToRevoke.SerialNumber, DateTime.UtcNow, CrlReason.PrivilegeWithdrawn);
//increment CRL Number by 1
crlGenerator.AddExtension("2.5.29.20", false, new CrlNumber(prevCrlNumVal.Add(BigInteger.One)));
AsymmetricKeyParameter bouncyCastlePrivateKey = PrivateKeyFactory.CreateKey(getRootPrivateKey().ExportPkcs8PrivateKey());
var sigFactory = new Asn1SignatureFactory("SHA256WITHECDSA", bouncyCastlePrivateKey);
X509Crl nextCrl = crlGenerator.Generate(sigFactory);
// writePem(_configuration["CrlOldPath"], rootCrl); // write old CRL as backup
writePem(_configuration["CrlPath"], nextCrl); //write new CRL
// sanity check
nextCrl.Verify(rootCert.GetPublicKey());
userCert.Revoked = true;
_context.UserCertificates.Update(userCert);
}
/// <summary>
/// Checks if certificate has been revoked.
/// </summary>
/// <param name="certificateToValidate">Certificate that is checked.</param>
/// <param name="crlListPath">Path on FS to CRL directory.</param>
/// <param name="caTrustListPath">Path on FS to CA trust list.</param>
/// <returns>true if certificate has been revoked, otherwise false.</returns>
public static bool VerifyCertificateRevocationStatus(X509Certificate2 certificateToValidate, string crlListPath, string caTrustListPath)
{
var dir = new DirectoryInfo(crlListPath);
FileInfo[] crlList = null;
try
{
crlList = dir.GetFiles("*.crl");
}
catch (Exception ex)
{
if (ex is DirectoryNotFoundException || ex is ArgumentNullException)
{
throw new Exception("User certificate validation failed. CRL file is missing.");
}
}
foreach (var crlRaw in crlList)
{
var buffer = File.ReadAllBytes(crlListPath + "\\" + crlRaw.Name);
var crlParser = new X509CrlParser();
var crl = crlParser.ReadCrl(buffer);
try
{
var rootCa = new X509Certificate2(caTrustListPath);
var publicKey = ((RSACryptoServiceProvider)rootCa.PublicKey.Key).ExportParameters(false);
// Check if the crl is issued by a proper root CA.
crl.Verify(DotNetUtilities.GetRsaPublicKey(publicKey));
}
catch (Exception)
{
throw new Exception("User certificate validation failed. CRL isn't issued by a proper root CA.");
}
var revokeStatus = crl.IsRevoked(DotNetUtilities.FromX509Certificate(certificateToValidate));
if (revokeStatus == false)
{
return(false);
}
}
return(true);
}
public static void ExportPEMPrivateKey(X509Certificate2 certificate, string filePath)
{
if (certificate.PrivateKey == null)
{
return;
}
var keyPair = DotNetUtilities.GetKeyPair(certificate.PrivateKey);
using (TextWriter tw = new StreamWriter(filePath))
{
PemWriter pemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(tw);
pemWriter.WriteObject(keyPair.Private);
tw.Flush();
tw.Close();
}
}
public static bool VerifyCertificateSAN(System.Security.Cryptography.X509Certificates.X509Certificate certificate, string sni)
{
// check subject alternate name (must have exactly 1, equal to sni)
var x509 = DotNetUtilities.FromX509Certificate(certificate);
var sans = X509ExtensionUtilities.GetSubjectAlternativeNames(x509);
if (sans.Count != 1)
{
return(false);
}
var san = (System.Collections.IList)((System.Collections.IList)sans)[0];
var sniOK = san[0].Equals(GeneralName.DnsName) && san[1].Equals(sni);
// if subject matches sni and SAN is ok, return true
return(x509.SubjectDN.ToString() == $"CN={sni}" && sniOK);
}
public static bool SignData(byte[] key, string keyType, byte[] data, out byte[] signature) // keyType = RSAFULLPRIVATEBLOB, RSAPRIVATEBLOB, RSAPUBLICBLOB
{
if (keyType != "RSAFULLPRIVATEBLOB")
{
throw new CryptographicException("Only RSAFULLPRIVATEBLOB can be used for signing");
}
var rsaParams = BCryptRsaImport.BlobToParameters(key, out int bitLength, out bool isPrivate);
var rsaKey = DotNetUtilities.GetRsaKeyPair(rsaParams).Private;
ISigner s = SignerUtilities.GetSigner("SHA256withRSA/PSS");
s.Init(true, new ParametersWithRandom(rsaKey));
s.BlockUpdate(data, 0, data.Length);
signature = s.GenerateSignature();
return(true);
}
/// <summary>
/// Converts a string in PEM format to XML format
/// </summary>
/// <param name="pem">a string in PEM format</param>
/// <returns>a string in XML format</returns>
private string PemToXml(string pem)
{
return(GetXmlRsaKey(pem, obj => {
var publicKey = (RsaKeyParameters)obj;
// CspParameters requires Windows. Details: https://github.com/bcgit/bc-csharp/issues/160
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(System.Runtime.InteropServices.OSPlatform.Windows))
{
return DotNetUtilities.ToRSA(publicKey, new CspParameters {
Flags = CspProviderFlags.UseMachineKeyStore
});
}
var parms = DotNetUtilities.ToRSAParameters(publicKey);
var rsa = RSA.Create();
rsa.ImportParameters(parms);
return rsa;
}, rsa => rsa.ToXmlString(false)));
}
static string Sign(string stringToSign)
{
var privateKey = File.ReadAllText("private.key");
byte[] bytesToSign = Encoding.UTF8.GetBytes(stringToSign);
var pemReader = new PemReader(new StringReader(privateKey));
var keyPair = (AsymmetricCipherKeyPair)pemReader.ReadObject();
var rsaParameters = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)keyPair.Private);
using (var rsa = new RSACryptoServiceProvider())
{
rsa.ImportParameters(rsaParameters);
var encryptedData = rsa.SignData(bytesToSign, CryptoConfig.MapNameToOID("SHA256"));
var base64Encrypted = Convert.ToBase64String(encryptedData);
return(base64Encrypted);
}
}
public static bool CheckValidation(User user)
{
bool value;
string CrlPath = Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().GetName().CodeBase) + "\\Certs\\" + crlName;
CrlPath = new Uri(CrlPath).LocalPath;
X509CrlParser parser = new X509CrlParser();
using (BinaryReader reader = new BinaryReader(File.Open(CrlPath, FileMode.Open)))
{
X509Crl crlData = parser.ReadCrl(reader.ReadBytes((int)new FileInfo(CrlPath).Length));
X509Certificate2 certificate = new X509Certificate2(user.CertPath, PASSWORD);
var bouncyCert = DotNetUtilities.FromX509Certificate(certificate);
value = crlData.IsRevoked(bouncyCert);
}
return(value);
}
/// <summary>
/// This method is used for integrity update.
/// Integrity update implies data copy from hot to backup server.
/// </summary>
/// <param name="param">Data from hot server</param>
/// <returns></returns>
public bool SetModel(CAModelDto param)
{
bool retVal = true;
// Copy and install valid CA certificate to backup server
if (File.Exists(PFX_PATH))
{
System.IO.File.Delete(PFX_PATH);
}
CertificateHandler.ReplaceCACertificateInStore(caCertificate, param.CaCertificate.GetCert());
caCertificate = param.CaCertificate.GetCert();
caPrivateKey = DotNetUtilities.GetKeyPair(caCertificate.PrivateKey).Private;
CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, caCertificate, caCertificate.SubjectName.Name);
// Export and install active client certificates on backup server
activeCertificates.Clear();
foreach(var cerDto in param.ActiveCertificates)
{
X509Certificate2 cert = cerDto.GetCert();
activeCertificates.Add(cert);
CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, cert, cert.SubjectName.Name);
string fileName = cert.SubjectName.Name.Contains("=") ? cert.SubjectName.Name.Split('=')[1] : cert.SubjectName.Name;
if (!File.Exists(CERT_FOLDER_PATH + cert.SubjectName.Name + fileName + ".pfx"))
{
CertificateHandler.AddCertificateToStore(cert, StoreName.TrustedPeople, StoreLocation.LocalMachine);
}
}
// Set active revocation list on backup server
revocationList.Clear();
foreach (var cerDto in param.RevocationList)
{
X509Certificate2 cert = cerDto.GetCert();
revocationList.Add(cert);
}
clientDict.Clear();
foreach (var pair in param.ClientDict)
{
clientDict.Add(pair.Key, pair.Value);
}
return retVal;
}
static X509Certificate2 AttemptToGenerate(string fullName)
{
var kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(Random, 2048));
var cerKp = kpgen.GenerateKeyPair();
IDictionary attrs = new Hashtable();
attrs[X509Name.E] = "";
attrs[X509Name.CN] = fullName;
attrs[X509Name.O] = fullName;
attrs[X509Name.C] = fullName;
IList ord = new ArrayList();
ord.Add(X509Name.E);
ord.Add(X509Name.CN);
ord.Add(X509Name.O);
ord.Add(X509Name.C);
var certGen = new X509V3CertificateGenerator();
var serial = new byte[32];
Random.NextBytes(serial);
certGen.SetSerialNumber(new BigInteger(serial).Abs());
certGen.SetIssuerDN(new X509Name(ord, attrs));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.AddYears(100));
certGen.SetSubjectDN(new X509Name(ord, attrs));
certGen.SetPublicKey(cerKp.Public);
certGen.SetSignatureAlgorithm("SHA1WithRSA");
certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, true, new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(cerKp.Public)));
var x509 = certGen.Generate(cerKp.Private);
var x509Certificate = DotNetUtilities.ToX509Certificate(x509);
return(new X509Certificate2(x509Certificate)
{
PrivateKey = AddPrivateKey(cerKp)
});
}
private static byte[] AsymmetricallyDecrypt(byte[] privateKey, string toDecrypt)
{
try
{
var key = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(privateKey);
var rsaParameters2 = DotNetUtilities.ToRSAParameters(key);
using var rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(rsaParameters2);
var decrypted = rsa.Decrypt(Convert.FromBase64String(toDecrypt), false);
return(decrypted);
}
catch (Exception ex)
{
throw new CryptographicException("An error occurred while decrypting the value. This is most likely due to an incorrect private key. See InnerException for more details.", ex);
}
}
private static AsymmetricAlgorithm ConvertToRsaPrivateKey(AsymmetricCipherKeyPair keyPair)
{
var keyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(keyPair.Private);
var seq = (Asn1Sequence)Asn1Object.FromByteArray(keyInfo.PrivateKeyAlgorithm.GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("malformed sequence in RSA private key");
}
var rsa = new RsaPrivateKeyStructure(seq);
var rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1,
rsa.Exponent2, rsa.Coefficient);
return(DotNetUtilities.ToRSA(rsaparams));
}
internal static X509Certificate2 BuildRootCertificate()
{
var name = "!!! PassiveX Root CA !!!";
var random = new SecureRandom();
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(new KeyGenerationParameters(random, KeyStrength));
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
var certificateGenerator = new X509V3CertificateGenerator();
var serialNumber = BigInteger.ProbablePrime(120, random);
certificateGenerator.SetSerialNumber(serialNumber);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true,
new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign));
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public)));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public)));
certificateGenerator.SetIssuerDN(new X509Name($"CN={name}"));
certificateGenerator.SetSubjectDN(new X509Name($"CN={name}"));
var notBefore = new DateTime(2000, 01, 01);
var notAfter = new DateTime(2039, 12, 31);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", subjectKeyPair.Private, random);
var x509 = certificateGenerator.Generate(signatureFactory);
var certificate = new X509Certificate2(x509.GetEncoded());
certificate.PrivateKey = DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)subjectKeyPair.Private);
certificate.FriendlyName = name;
return(certificate);
}
/// <summary>
/// 私钥加密 .Net平台默认是使用公钥进行加密,私钥进行解密。私钥加密需要自己实现或者使用第三方dll
/// </summary>
/// <param name="data"></param>
/// <param name="key"></param>
/// <returns></returns>
public static byte[] encryptByPrivateKey(String data, String key)
{
String priKey = key.Trim();
String xmlPrivateKey = RSAPrivateKeyJava2DotNet(priKey);
//加载私钥
RSACryptoServiceProvider privateRsa = new RSACryptoServiceProvider();
privateRsa.FromXmlString(xmlPrivateKey);
//转换密钥
AsymmetricCipherKeyPair keyPair = DotNetUtilities.GetKeyPair(privateRsa);
IBufferedCipher c = CipherUtilities.GetCipher("RSA/ECB/PKCS1Padding"); // 参数与Java中加密解密的参数一致
c.Init(true, keyPair.Private); //第一个参数为true表示加密,为false表示解密;第二个参数表示密钥
byte[] DataToEncrypt = Encoding.UTF8.GetBytes(data);
byte[] outBytes = c.DoFinal(DataToEncrypt); //加密
return(outBytes);
}
internal static RSAParameters PemToRsaParameters(string pem, out bool isPrivate)
{
var obj = new PemReader(new StringReader(pem)).ReadObject();
if (obj is AsymmetricCipherKeyPair keyPair)
{
isPrivate = true;
return(DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)keyPair.Private));
}
if (obj is RsaKeyParameters keyParams)
{
isPrivate = false;
return(DotNetUtilities.ToRSAParameters(keyParams));
}
throw new GoodIdException("Unsupported PEM key.");
}
public BoxJWTHelper(string enterpriseId, string clientId, string clientSecret, string privateKey, string privateKeyPassword)
{
this.enterpriseId = enterpriseId;
this.clientId = clientId;
this.clientSecret = clientSecret;
var pwf = new PEMPasswordFinder(privateKeyPassword);
AsymmetricCipherKeyPair key;
using (var reader = new StringReader(privateKey))
{
key = (AsymmetricCipherKeyPair) new PemReader(reader, pwf).ReadObject();
}
var rsa = DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)key.Private);
this.credentials = new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest);
}
static string SignChallange(string challange)
{
var pem = $"-----BEGIN PRIVATE KEY-----\n{ PRIVATE_KEY}\n-----END PRIVATE KEY-----";
var pr = new PemReader(new StringReader(pem));
var privateKeyParam = (AsymmetricKeyParameter)pr.ReadObject();
var rsaParams = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)privateKeyParam);
var csp = new RSACryptoServiceProvider();
csp.ImportParameters(rsaParams);
return(Convert.ToBase64String(
csp.SignData(
Convert.FromBase64String(challange),
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1)));
}
virtual public void LoadKey()
{
string import = "";
using (StreamReader streamReader = new StreamReader(KeyStore))
import = streamReader.ReadToEnd();
publicKey = new RSACryptoServiceProvider();
publicKey.FromXmlString(import);
AsymmetricCipherKeyPair cipherKeyPair = DotNetUtilities.GetRsaKeyPair(publicKey.ExportParameters(true));
privateKey = cipherKeyPair.Private;
publicKey.ImportParameters(publicKey.ExportParameters(false));
Directory.CreateDirectory(DestDir);
}
private static X509Certificate2 SetPrivateKey(
X509Certificate2 x509,
AsymmetricKeyParameter privateKey
)
{
var rsaPrivateKey = DotNetUtilities.ToRSA(privateKey as RsaPrivateCrtKeyParameters);
// Setup RSACryptoServiceProvider with "KeyContainerName" set
var csp = new CspParameters();
csp.KeyContainerName = "KeyContainer";
var rsaPrivate = new RSACryptoServiceProvider(csp);
// Import private key from BouncyCastle's rsa
rsaPrivate.ImportParameters(rsaPrivateKey.ExportParameters(true));
x509.PrivateKey = rsaPrivateKey;
//PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey);
//Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
//if (seq.Count != 9)
// throw new PemException("malformed sequence in RSA private key");
//var rsa = RsaPrivateKeyStructure.GetInstance(seq);
//RsaPrivateCrtKeyParameters rsaparams =
// new RsaPrivateCrtKeyParameters(
// rsa.Modulus,
// rsa.PublicExponent,
// rsa.PrivateExponent,
// rsa.Prime1,
// rsa.Prime2,
// rsa.Exponent1,
// rsa.Exponent2,
// rsa.Coefficient);
//CspParameters cspParams = new CspParameters();
//cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
//RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);
//x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);
return(x509);
}
// [START iot_mqtt_jwt]
public static string CreateJwtRsa(string projectId, string privateKeyFile)
{
string privateKey = File.ReadAllText(privateKeyFile);
RSAParameters rsaParams;
// Read the private key file.
using (var tr = new StringReader(privateKey))
{
var pemReader = new PemReader(tr);
var KeyParameter = (AsymmetricKeyParameter)
pemReader.ReadObject();
var privateRsaParams = KeyParameter
as RsaPrivateCrtKeyParameters;
rsaParams = DotNetUtilities.ToRSAParameters(privateRsaParams);
pemReader.Reader.Close();
tr.Close();
}
using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
{
rsa.ImportParameters(rsaParams);
var jwtIatTime = SystemClock.Instance.GetCurrentInstant();
// Create a duration
Duration durationExp = Duration.FromMinutes(120);
var jwtExpTime = SystemClock.Instance.
GetCurrentInstant().Plus(durationExp);
Dictionary <string, object> payload =
new Dictionary <string, object> {
{ "iat", jwtIatTime.ToUnixTimeSeconds() },
// The time that the token was issued at
{ "aud", projectId },
// The audience field should always
// be set to the GCP project id.
{ "exp", jwtExpTime.ToUnixTimeSeconds() }
// The time the token expires.
};
Console.WriteLine("iat time {0}", jwtIatTime);
Console.WriteLine("exp time {0}", jwtExpTime);
Console.WriteLine("Creating JWT using RSA from private key " +
"file {0}", privateKeyFile);
return(Jose.JWT.Encode(payload, rsa, Jose.JwsAlgorithm.RS256));
}
}
/// <summary>
/// Prepare certification authority service for use.
/// Load information about CA.
/// </summary>
private void PrepareCAService()
{
bool isPfxCreated = true;
bool isCertFound = false;
X509Certificate2Collection collection = new X509Certificate2Collection();
if(!IsUserAccessGranted(WindowsIdentity.GetCurrent().Name))
{
Audit.WriteEvent("Access to SecurityStore is denied to user '" + WindowsIdentity.GetCurrent().Name + "' based on ACL content.", EventLogEntryType.Warning);
return;
}
try
{
// Try to import pfx file for the CA(Certification authority)
collection.Import(PFX_PATH, PFX_PASSWORD, X509KeyStorageFlags.Exportable);
}
catch
{
isPfxCreated = false;
}
if(isPfxCreated)
{
foreach (X509Certificate2 cert in collection)
{
if (cert.SubjectName.Name.Equals(CA_SUBJECT_NAME))
{
isCertFound = true;
caCertificate = cert;
caPrivateKey = DotNetUtilities.GetKeyPair(cert.PrivateKey).Private;
break;
}
}
}
if (!isCertFound)
{
// if PFX for the CA isn't created generate certificate and PFX for the CA
caCertificate = CertificateHandler.GenerateCACertificate(CA_SUBJECT_NAME, ref caPrivateKey);
}
Audit.WriteEvent("Certificate for the CA is successfully loaded.", EventLogEntryType.Information);
}
public static string Encrypt(string stringToBeEncrypted, string stringPublicKey)
{
var publicKeySequence = (DerSequence)Asn1Object.FromByteArray(Convert.FromBase64String(stringPublicKey));
var encodedPublicKey1 = new DerBitString(publicKeySequence[0]);
var encodedPublicKey2 = new DerBitString(publicKeySequence[1]);
var modulus = (DerInteger)Asn1Object.FromByteArray(encodedPublicKey1.GetBytes());
var exponent = (DerInteger)Asn1Object.FromByteArray(encodedPublicKey2.GetBytes());
var y = new RsaKeyParameters(false, modulus.PositiveValue, exponent.PositiveValue);
var x = DotNetUtilities.ToRSAParameters(y);
using (var provider = new RSACryptoServiceProvider())
{
provider.ImportParameters(x);
var dataToBeEncrypted = Encoding.UTF8.GetBytes(stringToBeEncrypted);
var bytes = provider.Encrypt(dataToBeEncrypted, true);
return(Convert.ToBase64String(bytes));
}
}
