public virtual Task VerifySigningRequestAsync(
ApplicationRecordDataType application,
byte[] certificateRequest)
{
try
{
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(certificateRequest);
if (!pkcs10CertificationRequest.Verify())
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "CSR signature invalid.");
}
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
var altNameExtension = GetAltNameExtensionFromCSRInfo(info);
if (altNameExtension != null)
{
if (altNameExtension.Uris.Count > 0)
{
if (!altNameExtension.Uris.Contains(application.ApplicationUri))
{
throw new ServiceResultException(StatusCodes.BadCertificateUriInvalid,
"CSR AltNameExtension does not match " + application.ApplicationUri);
}
}
}
return(Task.CompletedTask);
}
catch (Exception ex)
{
if (ex is ServiceResultException)
{
throw ex as ServiceResultException;
}
throw new ServiceResultException(StatusCodes.BadInvalidArgument, ex.Message);
}
}
// Using BouncyCastle API, how do I sign a Certificate Signing Request (CSR) using my own CA?
// https://stackoverflow.com/questions/44440974/bouncy-castle-decode-csr-c-sharp
// You will have to add some code to read the subject's public key info
// from the CSR and then generate a version 3 certificate as shown in the example.
// The OpenSSL equivalent for this is
// openssl ca –in <CSR> -cert <CA-cert-file> -out <signed-cert>
public static void ReadCertificationRequest(string csr)
{
Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest decodedCsr = null;
using (System.IO.TextReader sr = new System.IO.StringReader(csr))
{
Org.BouncyCastle.OpenSsl.PemReader pr = new Org.BouncyCastle.OpenSsl.PemReader(sr);
object obj = pr.ReadObject();
decodedCsr = (Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest)obj;
} // End Using sr
Org.BouncyCastle.Asn1.Pkcs.CertificationRequestInfo csri = decodedCsr.GetCertificationRequestInfo();
GetX509ExtensionsFromCsr(csri);
Org.BouncyCastle.Asn1.X509.X509Name subj = csri.Subject;
// decodedCsr.Signature
// decodedCsr.SignatureAlgorithm
GetX509Field(Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress.Id, subj);
System.Console.WriteLine(csri.Subject);
// csri.SubjectPublicKeyInfo
// csri.Version
// csri.Attributes
//Org.BouncyCastle.Asn1.Asn1Set attributes =
// new Org.BouncyCastle.Asn1.DerSet(
// new Org.BouncyCastle.Asn1.Pkcs.AttributePkcs(
// Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest
// , new Org.BouncyCastle.Asn1.DerSet(new Org.BouncyCastle.Asn1.X509.X509Extensions(extensions))
// )
//);
} // End Sub ReadCertificationRequest
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
CreateSigningRequestUploadApiModel request = (CreateSigningRequestUploadApiModel)validationContext.ObjectInstance;
var errorList = new List <string>();
if (request.CertificateRequestFile == null &&
String.IsNullOrWhiteSpace(request.ApiModel.CertificateRequest))
{
errorList.Add(nameof(request.CertificateRequestFile));
errorList.Add("ApiModel.CertificateRequest");
return(new ValidationResult("At least one CSR field is required.", errorList));
}
if (request.CertificateRequestFile != null &&
!String.IsNullOrWhiteSpace(request.ApiModel.CertificateRequest))
{
errorList.Add(nameof(request.CertificateRequestFile));
errorList.Add("ApiModel.CertificateRequest");
return(new ValidationResult("Only one CSR field is required.", errorList));
}
byte[] certificateRequest = null;
if (request.ApiModel.CertificateRequest != null)
{
errorList.Add("ApiModel.CertificateRequest");
try
{
const string certRequestPemHeader = "-----BEGIN CERTIFICATE REQUEST-----";
const string certRequestPemFooter = "-----END CERTIFICATE REQUEST-----";
if (request.ApiModel.CertificateRequest.Contains(certRequestPemHeader, StringComparison.OrdinalIgnoreCase))
{
var strippedCertificateRequest = request.ApiModel.CertificateRequest.Replace(certRequestPemHeader, "", StringComparison.OrdinalIgnoreCase);
strippedCertificateRequest = strippedCertificateRequest.Replace(certRequestPemFooter, "", StringComparison.OrdinalIgnoreCase);
certificateRequest = Convert.FromBase64String(strippedCertificateRequest);
}
else
{
certificateRequest = Convert.FromBase64String(request.ApiModel.CertificateRequest);
}
}
catch
{
return(new ValidationResult("Cannot decode base64 encoded CSR.", errorList));
}
}
if (request.CertificateRequestFile != null)
{
errorList.Add(nameof(request.CertificateRequestFile));
try
{
using (var memoryStream = new MemoryStream())
{
request.CertificateRequestFile.CopyToAsync(memoryStream).Wait();
certificateRequest = memoryStream.ToArray();
}
}
catch
{
errorList.Add(nameof(request.CertificateRequestFile));
return(new ValidationResult("Invalid CSR file.", errorList));
}
}
if (certificateRequest != null)
{
try
{
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(certificateRequest);
if (!pkcs10CertificationRequest.Verify())
{
return(new ValidationResult("CSR signature invalid.", errorList));
}
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
var altNameExtension = GetAltNameExtensionFromCSRInfo(info);
if (altNameExtension != null &&
altNameExtension.Uris.Count > 0)
{
if (!altNameExtension.Uris.Contains(request.ApplicationUri))
{
return(new ValidationResult(altNameExtension.Uris[0] + " doesn't match the ApplicationUri.", errorList));
}
}
else
{
return(new ValidationResult("The CSR does not contain a valid Application Uri.", errorList));
}
}
catch
{
return(new ValidationResult("CSR decoding failed. Invalid data?", errorList));
}
}
return(ValidationResult.Success);
}
public virtual async Task <X509Certificate2> SigningRequestAsync(
ApplicationRecordDataType application,
string[] domainNames,
byte[] certificateRequest)
{
try
{
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(certificateRequest);
if (!pkcs10CertificationRequest.Verify())
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "CSR signature invalid.");
}
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
var altNameExtension = GetAltNameExtensionFromCSRInfo(info);
if (altNameExtension != null)
{
if (altNameExtension.Uris.Count > 0)
{
if (!altNameExtension.Uris.Contains(application.ApplicationUri))
{
throw new ServiceResultException(StatusCodes.BadCertificateUriInvalid,
"CSR AltNameExtension does not match " + application.ApplicationUri);
}
}
if (altNameExtension.IPAddresses.Count > 0 || altNameExtension.DomainNames.Count > 0)
{
var domainNameList = new List <string>();
domainNameList.AddRange(altNameExtension.DomainNames);
domainNameList.AddRange(altNameExtension.IPAddresses);
domainNames = domainNameList.ToArray();
}
}
DateTime yesterday = DateTime.UtcNow.AddDays(-1);
using (var signingKey = await LoadSigningKeyAsync(Certificate, string.Empty))
{
return(CertificateFactory.CreateCertificate(
null,
null,
null,
application.ApplicationUri ?? "urn:ApplicationURI",
application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName",
info.Subject.ToString(),
domainNames,
Configuration.DefaultCertificateKeySize,
yesterday,
Configuration.DefaultCertificateLifetime,
Configuration.DefaultCertificateHashSize,
false,
signingKey,
info.SubjectPublicKeyInfo.GetEncoded()));
}
}
catch (Exception ex)
{
if (ex is ServiceResultException)
{
throw ex as ServiceResultException;
}
throw new ServiceResultException(StatusCodes.BadInvalidArgument, ex.Message);
}
}
public virtual async Task <X509Certificate2> SigningRequestAsync(
ApplicationRecordDataType application,
string[] domainNames,
byte[] certificateRequest)
{
try
{
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(certificateRequest);
if (!pkcs10CertificationRequest.Verify())
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "CSR signature invalid.");
}
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
var altNameExtension = GetAltNameExtensionFromCSRInfo(info);
if (altNameExtension != null)
{
if (altNameExtension.Uris.Count > 0)
{
if (!altNameExtension.Uris.Contains(application.ApplicationUri))
{
throw new ServiceResultException(StatusCodes.BadCertificateUriInvalid,
"CSR AltNameExtension does not match " + application.ApplicationUri);
}
}
if (altNameExtension.IPAddresses.Count > 0 || altNameExtension.DomainNames.Count > 0)
{
var domainNameList = new List <string>();
domainNameList.AddRange(altNameExtension.DomainNames);
domainNameList.AddRange(altNameExtension.IPAddresses);
domainNames = domainNameList.ToArray();
}
}
DateTime yesterday = DateTime.Today.AddDays(-1);
using (var signingKey = await LoadSigningKeyAsync(Certificate, string.Empty).ConfigureAwait(false))
{
return(CertificateFactory.CreateCertificate(
application.ApplicationUri,
null,
info.Subject.ToString(),
domainNames)
.SetNotBefore(yesterday)
.SetLifeTime(Configuration.DefaultCertificateLifetime)
.SetHashAlgorithm(X509Utils.GetRSAHashAlgorithmName(Configuration.DefaultCertificateHashSize))
.SetIssuer(signingKey)
.SetRSAPublicKey(info.SubjectPublicKeyInfo.GetEncoded())
.CreateForRSA());
}
}
catch (Exception ex)
{
if (ex is ServiceResultException)
{
throw ex as ServiceResultException;
}
throw new ServiceResultException(StatusCodes.BadInvalidArgument, ex.Message);
}
}
/// <summary>
/// Creates a new signed application certificate in group id.
/// </summary>
/// <remarks>
/// The key for the certificate is created in KeyVault, then exported.
/// In order to deleted the created key, the impersonated user needs
/// create, get and delete rights for KeyVault certificates
/// </remarks>
public async Task <X509Certificate2> CreateSignedKeyPairCertAsync(
string caCertId,
X509Certificate2 issuerCert,
string applicationUri,
string applicationName,
string subjectName,
string[] domainNames,
DateTime notBefore,
DateTime notAfter,
int keySize,
int hashSize,
KeyVaultSignatureGenerator generator,
string authorityInformationAccess,
CancellationToken ct = default)
{
CertificateOperation createResult = null;
var certName = KeyStoreName(caCertId, Guid.NewGuid().ToString());
try
{
// policy unknown issuer, new key, exportable
var policyUnknownNewExportable = CreateCertificatePolicy(subjectName, keySize, false, false, true);
var attributes = CreateCertificateAttributes(notBefore, notAfter);
// create the CSR
createResult = await _keyVaultClient.CreateCertificateAsync(
_vaultBaseUrl,
certName,
policyUnknownNewExportable,
attributes,
null,
ct)
.ConfigureAwait(false);
if (createResult.Csr == null)
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Failed to read CSR from CreateCertificate.");
}
// decode the CSR and verify consistency
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(createResult.Csr);
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
if (createResult.Csr == null ||
pkcs10CertificationRequest == null ||
!pkcs10CertificationRequest.Verify())
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Invalid CSR.");
}
// create the self signed app cert
var publicKey = KeyVaultCertFactory.GetRSAPublicKey(info.SubjectPublicKeyInfo);
var signedcert = await KeyVaultCertFactory.CreateSignedCertificate(
applicationUri,
applicationName,
subjectName,
domainNames,
(ushort)keySize,
notBefore,
notAfter,
(ushort)hashSize,
issuerCert,
publicKey,
generator,
extensionUrl : authorityInformationAccess);
// merge signed cert with keystore
var mergeResult = await _keyVaultClient.MergeCertificateAsync(
_vaultBaseUrl,
certName,
new X509Certificate2Collection(signedcert)
);
X509Certificate2 keyPair = null;
var secret = await _keyVaultClient.GetSecretAsync(mergeResult.SecretIdentifier.Identifier, ct);
if (secret.ContentType == CertificateContentType.Pfx)
{
var certBlob = Convert.FromBase64String(secret.Value);
keyPair = CertificateFactory.CreateCertificateFromPKCS12(certBlob, string.Empty);
}
else if (secret.ContentType == CertificateContentType.Pem)
{
Encoding encoder = Encoding.UTF8;
var privateKey = encoder.GetBytes(secret.Value.ToCharArray());
keyPair = CertificateFactory.CreateCertificateWithPEMPrivateKey(signedcert, privateKey, string.Empty);
}
return(keyPair);
}
catch
{
throw new ServiceResultException(StatusCodes.BadInternalError, "Failed to create new key pair certificate");
}
finally
{
try
{
var deletedCertBundle = await _keyVaultClient.DeleteCertificateAsync(_vaultBaseUrl, certName, ct);
await _keyVaultClient.PurgeDeletedCertificateAsync(_vaultBaseUrl, certName, ct);
}
catch
{
// intentionally fall through, purge may fail
}
}
}
/// <summary>
/// Creates a new Root CA certificate in group id, tags it for trusted or issuer store.
/// </summary>
public async Task <X509Certificate2> CreateCACertificateAsync(
string id,
string subject,
DateTime notBefore,
DateTime notAfter,
int keySize,
int hashSize,
bool trusted,
string crlDistributionPoint = null,
CancellationToken ct = default)
{
try
{
// delete pending operations
await _keyVaultClient.DeleteCertificateOperationAsync(_vaultBaseUrl, id);
}
catch
{
// intentionally ignore errors
}
string caTempCertIdentifier = null;
try
{
// policy self signed, new key
var policySelfSignedNewKey = CreateCertificatePolicy(subject, keySize, true, false);
var tempAttributes = CreateCertificateAttributes(DateTime.UtcNow.AddMinutes(-10), DateTime.UtcNow.AddMinutes(10));
var createKey = await _keyVaultClient.CreateCertificateAsync(
_vaultBaseUrl,
id,
policySelfSignedNewKey,
tempAttributes,
null,
ct)
.ConfigureAwait(false);
CertificateOperation operation;
do
{
await Task.Delay(1000);
operation = await _keyVaultClient.GetCertificateOperationAsync(_vaultBaseUrl, id, ct);
} while (operation.Status == "inProgress" && !ct.IsCancellationRequested);
if (operation.Status != "completed")
{
throw new ServiceResultException(StatusCodes.BadUnexpectedError, "Failed to create new key pair.");
}
var createdCertificateBundle = await _keyVaultClient.GetCertificateAsync(_vaultBaseUrl, id).ConfigureAwait(false);
var caCertKeyIdentifier = createdCertificateBundle.KeyIdentifier.Identifier;
caTempCertIdentifier = createdCertificateBundle.CertificateIdentifier.Identifier;
// policy unknown issuer, reuse key
var policyUnknownReuse = CreateCertificatePolicy(subject, keySize, false, true);
var attributes = CreateCertificateAttributes(notBefore, notAfter);
var tags = CreateCertificateTags(id, trusted);
// create the CSR
var createResult = await _keyVaultClient.CreateCertificateAsync(
_vaultBaseUrl,
id,
policyUnknownReuse,
attributes,
tags,
ct)
.ConfigureAwait(false);
if (createResult.Csr == null)
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Failed to read CSR from CreateCertificate.");
}
// decode the CSR and verify consistency
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(createResult.Csr);
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
if (createResult.Csr == null ||
pkcs10CertificationRequest == null ||
!pkcs10CertificationRequest.Verify())
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Invalid CSR.");
}
// create the self signed root CA cert
var publicKey = KeyVaultCertFactory.GetRSAPublicKey(info.SubjectPublicKeyInfo);
var signedcert = await KeyVaultCertFactory.CreateSignedCertificate(
null,
null,
subject,
null,
(ushort)keySize,
notBefore,
notAfter,
(ushort)hashSize,
null,
publicKey,
new KeyVaultSignatureGenerator(this, caCertKeyIdentifier, null),
true,
crlDistributionPoint);
// merge Root CA cert with
var mergeResult = await _keyVaultClient.MergeCertificateAsync(
_vaultBaseUrl,
id,
new X509Certificate2Collection(signedcert)
);
return(signedcert);
}
catch (KeyVaultErrorException kex)
{
var ex = kex;
throw new ServiceResultException(StatusCodes.BadInternalError, "Failed to create new Root CA certificate");
}
finally
{
if (caTempCertIdentifier != null)
{
try
{
// disable the temp cert for self signing operation
var attr = new CertificateAttributes()
{
Enabled = false
};
await _keyVaultClient.UpdateCertificateAsync(caTempCertIdentifier, null, attr);
}
catch
{
// intentionally ignore error
}
}
}
}
void ValidateParameters(Common.ParametersValidation validationRequest, ref string logMessage, ref bool passed, XmlNode test)
{
foreach (Common.ValidationRule rule in validationRequest.ValidationRules)
{
string parameterPath = string.Format("RequestParameters/{0}", rule.ParameterPath);
switch (rule.Type)
{
case ParameterType.String:
CommonCompare.StringCompare(parameterPath, rule.ParameterName, (string)rule.Value,
ref logMessage, ref passed, test);
break;
case ParameterType.Int:
CommonCompare.IntCompare(parameterPath, rule.ParameterName, (int)rule.Value,
ref logMessage, ref passed, test);
break;
case ParameterType.OptionalInt:
int?value = (int?)rule.Value;
if (CommonCompare.Exist2(parameterPath, rule.ParameterName, value.HasValue, ref logMessage, ref passed, test))
{
CommonCompare.IntCompare(parameterPath, rule.ParameterName, value.Value, ref logMessage, ref passed, test);
}
break;
case ParameterType.OptionalBool:
if (rule.ValueSpecified)
{
CommonCompare.StringCompare(parameterPath, rule.ParameterName, ((bool)rule.Value).ToString(),
ref logMessage, ref passed, test);
}
else
{
CommonCompare.Exist2(parameterPath, rule.ParameterName, rule.ValueSpecified,
ref logMessage, ref passed, test);
}
break;
case ParameterType.OptionalString:
{
string stringValue = (string)rule.Value;
if (CommonCompare.Exist2(parameterPath, rule.ParameterName, stringValue != null, ref logMessage, ref passed, test))
{
CommonCompare.StringCompare(parameterPath, rule.ParameterName, (string)rule.Value,
ref logMessage, ref passed, test);
}
}
break;
case ParameterType.OptionalElement:
{
CommonCompare.Exist2(parameterPath, rule.ParameterName, rule.Value != null, ref logMessage, ref passed, test);
}
break;
case ParameterType.OptionalElementBoolFlag:
{
CommonCompare.Exist2(parameterPath, rule.ParameterName, (bool)rule.Value, ref logMessage, ref passed, test);
}
break;
case ParameterType.StringArray:
{
CommonCompare.StringArrayCompare(parameterPath, rule.ParameterName, (string[])rule.Value,
ref logMessage, ref passed, test);
}
break;
case ParameterType.Log:
{
if (rule.Value.GetType().ToString() == "System.Byte[]")
{
logMessage = logMessage + rule.ParameterName + " = [Check it manually!]";
}
else
{
logMessage = logMessage + rule.ParameterName + " = " + rule.Value.ToString();
}
}
break;
case ParameterType.OptionalQName:
{
XmlQualifiedName QNameValue = (XmlQualifiedName)rule.Value;
if (CommonCompare.Exist2(parameterPath, rule.ParameterName, QNameValue != null, ref logMessage, ref passed, test))
{
CommonCompare.StringCompare(parameterPath + "/Namespace", rule.ParameterName + "/Namespace", QNameValue.Namespace,
ref logMessage, ref passed, test);
CommonCompare.StringCompare(parameterPath + "/Name", rule.ParameterName + "/Name", QNameValue.Name,
ref logMessage, ref passed, test);
}
}
break;
case ParameterType.X509Cert:
{
Org.BouncyCastle.X509.X509Certificate cert = (new Org.BouncyCastle.X509.X509CertificateParser()).ReadCertificate((byte[])rule.Value);
logMessage = logMessage + "\r\n";
logMessage = logMessage + rule.ParameterName + ": " + "\r\n" + cert.ToString();
logMessage = logMessage + "\r\n";
//TextWriter textWriter = new StringWriter();
//Org.BouncyCastle.Utilities.IO.Pem.PemWriter pemWriter = new Org.BouncyCastle.Utilities.IO.Pem.PemWriter(textWriter);
//pemWriter.WriteObject(cert.CertificateStructure.SubjectPublicKeyInfo.PublicKeyData);
//pemWriter.Writer.Flush();
//string privateKey = textWriter.ToString();
logMessage = logMessage + rule.ParameterName + "(PubK): " + "\r\n" + cert.CertificateStructure.SubjectPublicKeyInfo.PublicKeyData.ToString();
logMessage = logMessage + "\r\n";
logMessage = logMessage + rule.ParameterName + "(SignatureAlgorithm): " + "\r\n" + cert.CertificateStructure.SignatureAlgorithm.ObjectID.ToString();
logMessage = logMessage + "\r\n";
}
break;
case ParameterType.PKCS10:
{
Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest pkcs10 = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest((byte[])rule.Value);
logMessage = logMessage + "\r\n";
logMessage = logMessage + rule.ParameterName + ": " + "\r\n" + pkcs10.ToString();
logMessage = logMessage + "\r\n";
}
break;
case ParameterType.PKCS12WithoutPassphrase:
{
Org.BouncyCastle.Pkcs.Pkcs12Store pkcs12Store = new Org.BouncyCastle.Pkcs.Pkcs12Store();
pkcs12Store.Load(new MemoryStream((byte[])rule.Value), ("").ToArray());
logMessage = logMessage + rule.ParameterName + ": " + "\r\n";
foreach (string alias in pkcs12Store.Aliases)
{
logMessage = logMessage + "\r\n";
logMessage = logMessage + "Alias = " + alias + "\r\n";
logMessage = logMessage + "Certificate = " + pkcs12Store.GetCertificate(alias).Certificate.ToString();
}
logMessage = logMessage + "\r\n";
}
break;
case ParameterType.CRL:
{
Org.BouncyCastle.X509.X509Crl crl = (new Org.BouncyCastle.X509.X509CrlParser()).ReadCrl((byte[])rule.Value);
logMessage = logMessage + "\r\n";
logMessage = logMessage + rule.ParameterName + ": " + "\r\n" + crl.ToString();
logMessage = logMessage + "\r\n";
}
break;
case ParameterType.Float:
{
CommonCompare.FloatCompare(parameterPath, rule.ParameterName, (float)rule.Value,
ref logMessage, ref passed, test);
}
break;
case ParameterType.OptionalFloat:
float?fvalue = (float?)rule.Value;
if (CommonCompare.Exist2(parameterPath, rule.ParameterName, fvalue.HasValue, ref logMessage, ref passed, test))
{
CommonCompare.FloatCompare(parameterPath, rule.ParameterName, (float)rule.Value,
ref logMessage, ref passed, test);
}
break;
}
}
}
// https://gist.github.com/Venomed/5337717aadfb61b09e58
// https://www.powershellgallery.com/packages/Posh-ACME/2.2.0/Content/Private%5CNew-Csr.ps1
public static string CreateSignatureRequest(
Org.BouncyCastle.Asn1.X509.X509Name subject
, Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519
, Org.BouncyCastle.Security.SecureRandom secureRandom)
{
Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory;
Org.BouncyCastle.Crypto.AsymmetricKeyParameter publicKey = caKey25519.Public;
Org.BouncyCastle.Crypto.AsymmetricKeyParameter signingKey = caKey25519.Private;
if (signingKey is Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters)
{
signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(
Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString(),
signingKey);
}
else
{
signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(
Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(),
signingKey);
}
System.Collections.Generic.Dictionary <Org.BouncyCastle.Asn1.DerObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Extension> extensions =
new System.Collections.Generic.Dictionary <Org.BouncyCastle.Asn1.DerObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Extension>()
{
{
Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints,
new Org.BouncyCastle.Asn1.X509.X509Extension(
true
, new Org.BouncyCastle.Asn1.DerOctetString(new Org.BouncyCastle.Asn1.X509.BasicConstraints(false))
)
},
{
Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage,
new Org.BouncyCastle.Asn1.X509.X509Extension(true,
new Org.BouncyCastle.Asn1.DerOctetString(
new Org.BouncyCastle.Asn1.X509.KeyUsage(
Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation
)
)
)
},
{
Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage,
new Org.BouncyCastle.Asn1.X509.X509Extension(false,
new Org.BouncyCastle.Asn1.DerOctetString(
new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth,
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth
)
)
)
},
};
// Asn1Set attributes = null;
Org.BouncyCastle.Asn1.Asn1Set attributes =
new Org.BouncyCastle.Asn1.DerSet(
new Org.BouncyCastle.Asn1.Pkcs.AttributePkcs(
Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest
, new Org.BouncyCastle.Asn1.DerSet(new Org.BouncyCastle.Asn1.X509.X509Extensions(extensions))
)
);
Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest csr =
new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(
signatureFactory,
subject,
publicKey,
attributes,
signingKey
);
System.Text.StringBuilder csrPem = new System.Text.StringBuilder();
Org.BouncyCastle.OpenSsl.PemWriter csrPemWriter =
new Org.BouncyCastle.OpenSsl.PemWriter(new System.IO.StringWriter(csrPem));
csrPemWriter.WriteObject(csr);
csrPemWriter.Writer.Flush();
string signingRequest = csrPem.ToString();
csrPem.Clear();
csrPem = null;
// System.IO.File.WriteAllText("request.csr", signingRequest, System.Text.Encoding.ASCII);
CertificationRequestReader.ReadCertificationRequest(signingRequest);
// csr.GetDerEncoded();
System.Console.WriteLine(signingRequest);
return(signingRequest);
} // End Sub CreateSignatureRequest
/// <summary>
/// Creates a KeyVault signed certficate from signing request.
/// </summary>
public override async Task <X509Certificate2> SigningRequestAsync(
ApplicationRecordDataType application,
string[] domainNames,
byte[] certificateRequest
)
{
try
{
var pkcs10CertificationRequest = new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(certificateRequest);
if (!pkcs10CertificationRequest.Verify())
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "CSR signature invalid.");
}
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
var altNameExtension = GetAltNameExtensionFromCSRInfo(info);
if (altNameExtension != null)
{
if (altNameExtension.Uris.Count > 0)
{
if (!altNameExtension.Uris.Contains(application.ApplicationUri))
{
throw new ServiceResultException(StatusCodes.BadCertificateUriInvalid,
"CSR AltNameExtension does not match " + application.ApplicationUri);
}
}
if (altNameExtension.IPAddresses.Count > 0 || altNameExtension.DomainNames.Count > 0)
{
var domainNameList = new List <string>();
domainNameList.AddRange(altNameExtension.DomainNames);
domainNameList.AddRange(altNameExtension.IPAddresses);
domainNames = domainNameList.ToArray();
}
}
var authorityInformationAccess = BuildAuthorityInformationAccessUrl();
DateTime notBefore = DateTime.UtcNow.AddDays(-1);
await LoadPublicAssets().ConfigureAwait(false);
var signingCert = Certificate;
{
var publicKey = KeyVaultCertFactory.GetRSAPublicKey(info.SubjectPublicKeyInfo);
return(await KeyVaultCertFactory.CreateSignedCertificate(
application.ApplicationUri,
application.ApplicationNames.Count > 0?application.ApplicationNames[0].Text : "ApplicationName",
info.Subject.ToString(),
domainNames,
Configuration.DefaultCertificateKeySize,
notBefore,
notBefore.AddMonths(Configuration.DefaultCertificateLifetime),
Configuration.DefaultCertificateHashSize,
signingCert,
publicKey,
new KeyVaultSignatureGenerator(_keyVaultServiceClient, _caCertKeyIdentifier, signingCert),
extensionUrl : authorityInformationAccess
));
}
}
catch (Exception ex)
{
if (ex is ServiceResultException)
{
throw ex as ServiceResultException;
}
throw new ServiceResultException(StatusCodes.BadInvalidArgument, ex.Message);
}
}
