} // End Sub WritePrivatePublicKey
public static void WriteCerAndCrt(
string fileName
, Org.BouncyCastle.X509.X509Certificate certificate
)
{
using (System.IO.Stream fs = System.IO.File.Open(fileName + ".cer", System.IO.FileMode.Create))
{
byte[] buf = certificate.GetEncoded();
fs.Write(buf, 0, buf.Length);
fs.Flush();
} // End Using fs
// new System.Text.ASCIIEncoding(false)
// new System.Text.UTF8Encoding(false)
using (System.IO.Stream fs = System.IO.File.Open(fileName + ".crt", System.IO.FileMode.Create))
{
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII))
{
byte[] buf = certificate.GetEncoded();
string pem = ToPem(buf);
sw.Write(pem);
sw.Flush();
fs.Flush();
} // End Using sw
} // End Using fs
} // End Sub WriteCerAndCrt
public static X509Certificate2 GetCertificateWithPrivateKey(X509Certificate bcCertificate, AsymmetricCipherKeyPair keyPair)
{
Assert.IsType <RsaPrivateCrtKeyParameters>(keyPair.Private);
var privateKeyParameters = (RsaPrivateCrtKeyParameters)keyPair.Private;
#if IS_DESKTOP
RSA privateKey = DotNetUtilities.ToRSA(privateKeyParameters);
var certificate = new X509Certificate2(bcCertificate.GetEncoded());
certificate.PrivateKey = privateKey;
#else
RSAParameters rsaParameters = DotNetUtilities.ToRSAParameters(privateKeyParameters);
var privateKey = new RSACryptoServiceProvider();
privateKey.ImportParameters(rsaParameters);
X509Certificate2 certificate;
using (var certificateTmp = new X509Certificate2(bcCertificate.GetEncoded()))
{
certificate = RSACertificateExtensions.CopyWithPrivateKey(certificateTmp, privateKey);
}
#endif
return(certificate);
}
/// <param name="issuerCertificate"></param>
/// <inheritdoc />
public async Task <X509Certificate[]> GetChain(X509Certificate issuerCertificate)
{
var dotNetCertificate = new X509Certificate2(issuerCertificate.GetEncoded());
var certificates = await OcspResponderRepository.GetChain(dotNetCertificate);
return(certificates.Select(DotNetUtilities.FromX509Certificate).ToArray());
}
/// <inheritdoc />
public async Task <AsymmetricKeyParameter> GetResponderPublicKey(X509Certificate caCertificate)
{
var dotNetCertificate = new X509Certificate2(caCertificate.GetEncoded());
var privateKey = await OcspResponderRepository.GetResponderPrivateKey(dotNetCertificate);
return(DotNetUtilities.GetKeyPair(privateKey).Public);
}
public static void CertificateToDerPem(Org.BouncyCastle.X509.X509Certificate caSsl)
{
System.Security.Cryptography.X509Certificates.X509Certificate inputCert1 = null;
inputCert1 = Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(caSsl);
System.Security.Cryptography.X509Certificates.X509Certificate2 inputCert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(inputCert1);
string pemOrDerFile = "foo.derpem";
string foo = CerGenerator.ToPem(caSsl.GetEncoded());
System.IO.File.WriteAllText(pemOrDerFile, foo, System.Text.Encoding.ASCII);
Org.BouncyCastle.X509.X509CertificateParser kpp = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate cert = kpp.ReadCertificate(System.IO.File.OpenRead(pemOrDerFile));
System.Console.WriteLine(cert);
System.Security.Cryptography.X509Certificates.X509Certificate dotCert1 = null;
dotCert1 = Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert);
System.Security.Cryptography.X509Certificates.X509Certificate2 dotCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(dotCert1);
System.Console.WriteLine(dotCert.PublicKey);
System.Console.WriteLine(dotCert.PrivateKey);
}
private void init(string aPfxFilePath, string aPassword)
{
FileStream fin = new FileStream(aPfxFilePath, FileMode.Open, FileAccess.Read);
Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
Pkcs12Store pkcs12Store = storeBuilder.Build();
pkcs12Store.Load(fin, aPassword.ToCharArray());
fin.Close();
IEnumerable aliases = pkcs12Store.Aliases;
IEnumerator aliasesEnumerator = aliases.GetEnumerator();
while (aliasesEnumerator.MoveNext())
{
string alias = (string)aliasesEnumerator.Current;
signingBouncyCert = pkcs12Store.GetCertificate(alias);
X509Certificate x509Certificate = signingBouncyCert.Certificate;
ECertificate cert = new ECertificate(x509Certificate.GetEncoded());
EKeyUsage eKeyUsage = cert.getExtensions().getKeyUsage();
bool isDigitalSignature = eKeyUsage.isDigitalSignature();
if (isDigitalSignature)
{
signingBouncyKeyEntry = pkcs12Store.GetKey(alias);
signingCertificate = cert;
break;
}
}
}
internal static string GenerateFingerprint(X509Certificate certificate)
{
using (var hashAlgorithm = NuGet.Common.HashAlgorithmName.SHA256.GetHashProvider())
{
var hash = hashAlgorithm.ComputeHash(certificate.GetEncoded());
return(BitConverter.ToString(hash).Replace("-", ""));
}
}
internal static string GenerateFingerprint(X509Certificate certificate)
{
using (var hashAlgorithm = CryptoHashUtility.GetSha1HashProvider())
{
var hash = hashAlgorithm.ComputeHash(certificate.GetEncoded());
return(BitConverter.ToString(hash).Replace("-", ""));
}
}
public async Task GetTimestampCertificateChain_WithMismatchedEssCertIdCertificateHash_ReturnsChain(
SigningCertificateUsage signingCertificateUsage)
{
ISigningTestServer testServer = await _fixture.GetSigningTestServerAsync();
CertificateAuthority rootCa = await _fixture.GetDefaultTrustedCertificateAuthorityAsync();
var options = new TimestampServiceOptions()
{
SigningCertificateUsage = signingCertificateUsage,
SigningCertificateV1Hash = new byte[SHA1HashLength]
};
TimestampService timestampService = TimestampService.Create(rootCa, options);
using (testServer.RegisterResponder(timestampService))
{
var nupkg = new SimpleTestPackageContext();
using (var certificate = new X509Certificate2(_fixture.TrustedTestCertificate.Source.Cert))
using (var directory = TestDirectory.Create())
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
nupkg,
directory,
timestampService.Url);
using (FileStream stream = File.OpenRead(signedPackagePath))
using (var reader = new PackageArchiveReader(stream))
{
PrimarySignature signature = await reader.GetPrimarySignatureAsync(CancellationToken.None);
using (IX509CertificateChain actualChain = SignatureUtility.GetTimestampCertificateChain(signature))
{
Assert.NotEmpty(actualChain);
IReadOnlyList <Org.BouncyCastle.X509.X509Certificate> expectedChain = GetExpectedCertificateChain(timestampService);
Assert.Equal(expectedChain.Count, actualChain.Count);
for (var i = 0; i < expectedChain.Count; ++i)
{
Org.BouncyCastle.X509.X509Certificate expectedCertificate = expectedChain[i];
X509Certificate2 actualCertificate = actualChain[i];
Assert.True(
expectedCertificate.GetEncoded().SequenceEqual(actualCertificate.RawData),
$"The certificate at index {i} in the chain is unexpected.");
}
}
}
}
}
}
public Signature(string signatureFieldName, FileFormat fileFormat, Org.BouncyCastle.X509.X509Certificate certificateBC, DateTime signDate)
{
SignatureFieldName = signatureFieldName;
FileFormat = fileFormat;
Certificate = new X509Certificate2(certificateBC.GetEncoded());
CertificateBouncyCastle = certificateBC;
SignDate = signDate;
Chain = new X509Chain();
Chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 30);
Chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreWrongUsage;
Chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
Chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
}
public void writeCertificate(Org.BouncyCastle.X509.X509Certificate cert, long enrollmentID)
{
// converting from bouncycastle X509Certificate to System.Security.Cryptography.X509Certificates.X509Certificate2
System.Security.Cryptography.X509Certificates.X509Certificate2 certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2();
certificate.Import(cert.GetEncoded());
// Finding the corresponding privatekey from windows keystore using the container-name
RSACryptoServiceProvider rsaPrivate = retrievePrivateKey(enrollmentID);
// linking the retrieved private key to the certificate
certificate.PrivateKey = rsaPrivate;
// opening up the windows cert store because thats where I want to save it.
System.Security.Cryptography.X509Certificates.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(System.Security.Cryptography.X509Certificates.StoreName.My, System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser);
store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.MaxAllowed);
store.Add(certificate);
store.Close();
}
/// <summary>Gets the SHA-256 Thumbprint of the certificate.</summary>
/// <remarks>
/// A Thumbprint is a SHA-256 hash of the raw certificate data and is often used
/// as a unique identifier for a particular certificate in a certificate store.
/// </remarks>
/// <returns>The SHA-256 Thumbprint.</returns>
/// <param name="certificate">The certificate.</param>
/// <exception cref="T:System.ArgumentNullException">
/// <paramref name="certificate" /> is <c>null</c>.
/// </exception>
public static string GetSha256Thumbprint(this X509Certificate certificate)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
var encoded = certificate.GetEncoded();
byte[] hashBytes;
using (var hasher = new SHA256Managed())
{
hashBytes = hasher.ComputeHash(encoded);
}
string result = BitConverter.ToString(hashBytes)
// this will remove all the dashes in between each two characters
.Replace("-", string.Empty).ToLower();
return(result);
}
public void verify(byte[] byte_pdfData, X509Certificate2 trustCert, string signatureName)
{
PdfReader pdfReader = new PdfReader(byte_pdfData);
AcroFields acroField = pdfReader.AcroFields;
if (signatureName == null || "".CompareTo(signatureName) != 0)
{
signatureName = acroField.GetSignatureNames().Last();
}
PdfPKCS7 pdfP7 = acroField.VerifySignature(signatureName);
if (pdfP7 == null)
{
throw new NullReferenceException("Invalid signatureName:" + signatureName);
}
if (!pdfP7.Verify())
{
throw new PdfException("Unable to verify specified signature field, specify signature invalid");
}
byte[] pkcs7Signatue = pdfP7.GetEncodedPKCS7();
CmsSignedData signedData = new CmsSignedData(pkcs7Signatue);
// Get signer certificate from CMSSignedData
IX509Store x509Certs = signedData.GetCertificates("Collection");
ICollection cerlist = x509Certs.GetMatches(null);
IEnumerator cEnum = cerlist.GetEnumerator();
ArrayList _chain = new ArrayList();
while (cEnum.MoveNext())
{
Org.BouncyCastle.X509.X509Certificate cer = (Org.BouncyCastle.X509.X509Certificate)cEnum.Current;
X509Certificate2 cer2 = new X509Certificate2(cer.GetEncoded());
_chain.Add(cer2);
}
X509Certificate2[] certChain = (X509Certificate2[])_chain.ToArray(typeof(X509Certificate2));
validateSignature(signedData, certChain[0]);
}
public static void RootVerifyUserCA()
{
try
{
X509Certificate2 userCert2 = new X509Certificate2(CAUserPfx, PIN, X509KeyStorageFlags.Exportable);
X509Certificate userCert = DotNetUtilities.FromX509Certificate(userCert2);
userCert2.p
var userKeyPair = userCert.GetPublicKey();
//var publicKey = userCert2.PublicKey;
X509Certificate2 rootCert2 = new X509Certificate2(CARootPfx, PIN, X509KeyStorageFlags.Exportable);
//var rootKeyPair = Cert2.ReadPrivateKey(rootCert2);
var add = Cert2.AddCertToStore(rootCert2, StoreName.Root, StoreLocation.LocalMachine);
var rootCert = DotNetUtilities.FromX509Certificate(userCert2);
var rootKeyPair = rootCert.GetPublicKey();
//rootCert.Verify(userKeyPair);
var a = Cert2.VerifySha2(rootCert2, userCert.GetEncoded(), userCert.GetSignature());
}
catch (Exception ex)
{
//throw;
}
}
/// <inheritdoc />
public Task <bool> SerialExists(BigInteger serial, X509Certificate issuerCertificate)
{
var dotNetCertificate = new X509Certificate2(issuerCertificate.GetEncoded());
return(OcspResponderRepository.SerialExists(serial.ToString(), dotNetCertificate));
}
/// <inheritdoc />
public Task <CertificateRevocationStatus> SerialIsRevoked(BigInteger serial, X509Certificate issuerCertificate)
{
var dotNetCertificate = new X509Certificate2(issuerCertificate.GetEncoded());
return(OcspResponderRepository.SerialIsRevoked(serial.ToString(), dotNetCertificate));
}
static byte[] CalculateThumbprint(Org.BouncyCastle.X509.X509Certificate certificate)
{
var der = certificate.GetEncoded();
return(DigestUtilities.CalculateDigest("SHA1", der));
}
// http://stackoverflow.com/questions/36942094/how-can-i-generate-a-self-signed-cert-without-using-obsolete-bouncycastle-1-7-0
public static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateX509Cert2(string certName)
{
var keypairgen = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
keypairgen.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters(
new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
)
, 1024
)
);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair keypair = keypairgen.GenerateKeyPair();
// --- Until here we generate a keypair
var random = new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
);
// SHA1WITHRSA
// SHA256WITHRSA
// SHA384WITHRSA
// SHA512WITHRSA
// SHA1WITHECDSA
// SHA224WITHECDSA
// SHA256WITHECDSA
// SHA384WITHECDSA
// SHA512WITHECDSA
Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory =
new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory("SHA512WITHRSA", keypair.Private, random)
;
var gen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
var CN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + certName);
var SN = Org.BouncyCastle.Math.BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(SN);
gen.SetSubjectDN(CN);
gen.SetIssuerDN(CN);
gen.SetNotAfter(DateTime.Now.AddYears(1));
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetPublicKey(keypair.Public);
// -- Are these necessary ?
// public static readonly DerObjectIdentifier AuthorityKeyIdentifier = new DerObjectIdentifier("2.5.29.35");
// OID value: 2.5.29.35
// OID description: id-ce-authorityKeyIdentifier
// This extension may be used either as a certificate or CRL extension.
// It identifies the public key to be used to verify the signature on this certificate or CRL.
// It enables distinct keys used by the same CA to be distinguished (e.g., as key updating occurs).
// http://stackoverflow.com/questions/14930381/generating-x509-certificate-using-bouncy-castle-java
gen.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id,
false,
new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier(
Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keypair.Public),
new Org.BouncyCastle.Asn1.X509.GeneralNames(new Org.BouncyCastle.Asn1.X509.GeneralName(CN)),
SN
));
// OID value: 1.3.6.1.5.5.7.3.1
// OID description: Indicates that a certificate can be used as an SSL server certificate.
gen.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id,
false,
new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new ArrayList()
{
new Org.BouncyCastle.Asn1.DerObjectIdentifier("1.3.6.1.5.5.7.3.1")
}));
// -- End are these necessary ?
Org.BouncyCastle.X509.X509Certificate bouncyCert = gen.Generate(signatureFactory);
byte[] ba = bouncyCert.GetEncoded();
System.Security.Cryptography.X509Certificates.X509Certificate2 msCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(ba);
return(msCert);
}
public static System.Security.Cryptography.X509Certificates.X509Certificate2 tox(Org.BouncyCastle.X509.X509Certificate bouncyCert)
{
byte[] ba = bouncyCert.GetEncoded();
//return new System.Security.Cryptography.X509Certificates.X509Certificate(ba);
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(ba));
}
} // End Function ToPem
public static string ToPem(Org.BouncyCastle.X509.X509Certificate cert)
{
byte[] buf = cert.GetEncoded();
return(ToPem(buf));
}
private static X509Certificate2 ConvertToCertificate2(X509Certificate cert)
{
return new X509Certificate2(cert.GetEncoded());
}
public static X509Certificate2 ToX509Certificate2(this BCCertificate certificate)
{
return(new X509Certificate2(certificate.GetEncoded()));
}
private static void WriteCert(ISession session, byte[] encodedCert, X509Certificate2 cert,
X509Certificate bCert)
{
RSAParameters privateKeyParamsNet;
privateKeyParamsNet = cert.GetRSAPrivateKey().ExportParameters(true);
//Org.BouncyCastle.Security.DotNetUtilities.ToRSA(privateKeyParamsNet)
var cn = cert.Subject.ToString();
//var cn2 = cert.SubjectName.Name;
byte[] thumbPrint = null;
using (SHA1Managed sha1Managed = new SHA1Managed())
thumbPrint = sha1Managed.ComputeHash(cert.RawData);
//var pair = DotNetUtilities.GetRsaKeyPair(privateKeyParamsNet);
//var pair2 = DotNetUtilities.GetRsaPublicKey(privateKeyParamsNet);
//AsymmetricKeyParameter pairPrivate;
//pairPrivate = pair.Private;
var privateKeyParams = new RsaPrivateCrtKeyParameters(
new BigInteger(1, privateKeyParamsNet.Modulus),
new BigInteger(1, privateKeyParamsNet.Exponent),
new BigInteger(1, privateKeyParamsNet.D),
new BigInteger(1, privateKeyParamsNet.P),
new BigInteger(1, privateKeyParamsNet.Q),
new BigInteger(1, privateKeyParamsNet.DP),
new BigInteger(1, privateKeyParamsNet.DQ),
new BigInteger(1, privateKeyParamsNet.InverseQ));
var unencryptedPrivateKey = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKeyParams)
.GetEncoded();
//var privateKeyParams = pairPrivate;
//var result = new MemoryStream();
//byte[] iv={0,0,0,0};
//List<IObjectAttribute> privateKeyAttributes = new List<IObjectAttribute>();
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_DATA));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, thumbPrint));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, cn));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SENSITIVE, true));//true
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));//true
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN_RECOVER, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_UNWRAP, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODULUS, privateKeyParamsNet.Modulus));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PUBLIC_EXPONENT, privateKeyParamsNet.Exponent));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE_EXPONENT, privateKeyParamsNet.D));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIME_1, privateKeyParamsNet.P));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIME_2, privateKeyParamsNet.Q));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXPONENT_1, privateKeyParamsNet.DP));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXPONENT_2, privateKeyParamsNet.DQ));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_COEFFICIENT, privateKeyParamsNet.InverseQ));
var privateKeyAttributes = new List <IObjectAttribute>()
{
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODIFIABLE, true),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, cn),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, thumbPrint),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODULUS, privateKeyParams.Modulus.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PUBLIC_EXPONENT, privateKeyParams.PublicExponent.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE_EXPONENT, privateKeyParams.Exponent.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIME_1, privateKeyParams.P.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIME_2, privateKeyParams.Q.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXPONENT_1, privateKeyParams.DP.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXPONENT_2, privateKeyParams.DQ.ToByteArrayUnsigned()),
session.Factories.ObjectAttributeFactory.Create(CKA.CKA_COEFFICIENT, privateKeyParams.QInv.ToByteArrayUnsigned())
};
List <IObjectAttribute> certificateAttributes = new List <IObjectAttribute>();
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, false));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODIFIABLE, true));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, cn));// privKeyAttributes[0].GetValueAsString()));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TRUSTED, false));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SUBJECT, bCert.SubjectDN.GetDerEncoded()));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, thumbPrint));//Encoding.ASCII.GetBytes(cn)));// privKeyAttributes[1].GetValueAsByteArray()));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ISSUER, bCert.IssuerDN.GetDerEncoded()));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SERIAL_NUMBER, new DerInteger(bCert.SerialNumber).GetDerEncoded()));
certificateAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_VALUE, bCert.GetEncoded()));
IMechanism mechanism1 = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);
// Generate key pair
session.GenerateKeyPair(mechanism1, certificateAttributes, privateKeyAttributes, out var publicKeyHandle, out var privateKeyHandle1);
//var privateKeyHandle2 = session.CreateObject(privateKeyAttributes);
// Generate random initialization vector
//// Create temporary DES3 key for wrapping/unwrapping
//var tempKeyAttributes = new List<IObjectAttribute>();
//tempKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
//tempKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
//tempKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
//tempKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_UNWRAP, true));
//var tempKey = session.GenerateKey(session.Factories.MechanismFactory.Create(CKM.CKM_DES3_KEY_GEN), tempKeyAttributes);
IObjectHandle generatedKey = GenerateKey(session);
byte[] iv = session.GenerateRandom(8);
//IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_DES3_CBC, iv);
IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
byte[] wrappedKey = session.WrapKey(mechanism, generatedKey, privateKeyHandle1);
// Define attributes for unwrapped key
List <IObjectAttribute> objectAttributes = new List <IObjectAttribute>();
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "unwrapped_private"));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SENSITIVE, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN_RECOVER, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_UNWRAP, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, true));
// Unwrap private key
var unwrappedKey = session.UnwrapKey(mechanism, generatedKey, wrappedKey, objectAttributes);
//byte[] encryptedPrivateKey = session.Encrypt(mechanism, generatedKey, unencryptedPrivateKey);
//session.WrapKey(mechanism, , generatedKey);
//var result = new MemoryStream();
////session.Encrypt(session.Factories.MechanismFactory.Create(CKM.CKM_DES3_CBC_PAD, iv), tempKey, new MemoryStream(unencryptedPrivateKey), result);
//var encryptedPrivateKey = result.ToArray();
//var privateKeyHandle = session.CreateObject(privateKeyAttributes);
//var privateKeyHandle = session.UnwrapKey(session.Factories.MechanismFactory.Create(CKM.CKM_DES3_CBC_PAD, iv), generatedKey, encryptedPrivateKey, privateKeyAttributes);
}
private byte[] CreateSignatureElemente(string TheHash, Org.BouncyCastle.X509.X509Certificate cert)
{
string sCert = Convert.ToBase64String(cert.GetEncoded());
sCert = sCert.Replace("\r\n", "\n");
XmlElement XmlDsigSignature = m_doc.CreateElement(ns_dsig_prefix, "Signature", ns_dsig_uri);
XmlDsigSignature.SetAttribute("Id", "signature-" + m_SignatureId.ToString());
XmlElement XmlDsigSignedInfo = m_doc.CreateElement(ns_dsig_prefix, "SignedInfo", ns_dsig_uri);
XmlDsigSignedInfo.SetAttribute("Id", "signedinfo-" + m_SignatureId.ToString());
XmlDsigSignature.AppendChild(XmlDsigSignedInfo);
XmlElement XmlDsigCanonicalizationMethod = m_doc.CreateElement(ns_dsig_prefix, "CanonicalizationMethod", ns_dsig_uri);
XmlDsigSignedInfo.AppendChild(XmlDsigCanonicalizationMethod);
XmlAttribute algo1 = m_doc.CreateAttribute("Algorithm");
algo1.Value = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
XmlDsigCanonicalizationMethod.Attributes.Append(algo1);
XmlElement XmlDsigSignatureMethod = m_doc.CreateElement(ns_dsig_prefix, "SignatureMethod", ns_dsig_uri);
XmlDsigSignedInfo.AppendChild(XmlDsigSignatureMethod);
XmlAttribute algo2 = m_doc.CreateAttribute("Algorithm");
algo2.Value = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
XmlDsigSignatureMethod.Attributes.Append(algo2);
AddReferenceDoc(TheHash, XmlDsigSignedInfo);
AddReferenceXades(XmlDsigSignedInfo);
m_root.AppendChild(XmlDsigSignature);
m_XmlDsigSignatureValue = m_doc.CreateElement(ns_dsig_prefix, "SignatureValue", ns_dsig_uri);
XmlDsigSignature.AppendChild(m_XmlDsigSignatureValue);
//set value after signing
// x509
XmlElement XmlDsigKeyInfo = m_doc.CreateElement(ns_dsig_prefix, "KeyInfo", ns_dsig_uri);
XmlDsigSignature.AppendChild(XmlDsigKeyInfo);
XmlElement XmlDsigX509Data = m_doc.CreateElement(ns_dsig_prefix, "X509Data", ns_dsig_uri);
XmlDsigKeyInfo.AppendChild(XmlDsigX509Data);
XmlElement XmlDsigX509Certificate = m_doc.CreateElement(ns_dsig_prefix, "X509Certificate", ns_dsig_uri);
XmlDsigX509Data.AppendChild(XmlDsigX509Certificate);
XmlDsigX509Certificate.AppendChild(m_doc.CreateTextNode(sCert));
XmlElement ele = CreateXadesObject(cert);
XmlDsigSignature.AppendChild(ele);
byte[] tohash = DoC14N_Xades(m_doc);
//string xml = System.Text.Encoding.UTF8.GetString(tohash);
HashAlgorithm hash = new SHA256Managed();
byte[] TheHash2 = hash.ComputeHash(tohash);
XADES_DsigDigestValue.AppendChild(m_doc.CreateTextNode(Convert.ToBase64String(TheHash2)));
byte[] toBeSigned = DoC14N(m_doc, "//*[@Id='signedinfo-" + m_SignatureId.ToString() + "'] /descendant-or-self::node()|//*[@Id='signedinfo-" + m_SignatureId.ToString() + "']//@*");
//string xml = System.Text.Encoding.UTF8.GetString(toBeSigned);
return(toBeSigned);
}
BouncyCertToNetCert(Org.BouncyCastle.X509.X509Certificate bouncyCert)
{
byte[] derEncoded = bouncyCert.GetEncoded();
return(new System.Security.Cryptography.X509Certificates.X509Certificate2(derEncoded));
}
/// <param name="caCertificate"></param>
/// <inheritdoc />
public Task <CaCompromisedStatus> IsCaCompromised(X509Certificate caCertificate)
{
var dotNetCertificate = new X509Certificate2(caCertificate.GetEncoded());
return(OcspResponderRepository.IsCaCompromised(dotNetCertificate));
}
} // End Sub WriteCerAndCrt
public static void Test()
{
Org.BouncyCastle.Asn1.X509.X509Name caName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestCA");
Org.BouncyCastle.Asn1.X509.X509Name eeName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE");
Org.BouncyCastle.Asn1.X509.X509Name eeName25519 = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE25519");
string countryIso2Characters = "EA";
string stateOrProvince = "ERA";
string localityOrCity = "NeutralZone";
string companyName = "Skynet Earth Inc.";
string division = "Skynet mbH";
string domainName = "sky.net";
string email = "*****@*****.**";
Org.BouncyCastle.Asn1.X509.X509Name subj = CertificateInfo.CreateSubject(
countryIso2Characters, stateOrProvince
, localityOrCity, companyName
, division, domainName, email);
System.Console.WriteLine(subj);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519 = KeyGenerator.GenerateEcKeyPair("curve25519", s_secureRandom.Value);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey = KeyGenerator.GenerateEcKeyPair("secp256r1", s_secureRandom.Value);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair eeKey = KeyGenerator.GenerateRsaKeyPair(2048, s_secureRandom.Value);
string publicKey = null;
// id_rsa.pub
using (System.IO.TextWriter textWriter = new System.IO.StringWriter())
{
Org.BouncyCastle.OpenSsl.PemWriter pemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(textWriter);
pemWriter.WriteObject(eeKey);
pemWriter.Writer.Flush();
publicKey = textWriter.ToString();
} // End Using textWriter
System.Console.WriteLine(publicKey);
// https://social.msdn.microsoft.com/Forums/vstudio/de-DE/8d49a681-22c6-417f-af3c-8daebd6f10dd/signierung-eines-hashs-mit-ellipticcurve-crypto?forum=visualcsharpde
// https://stackoverflow.com/questions/22963581/reading-elliptic-curve-private-key-from-file-with-bouncycastle/41947163
// PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(pkcs8key);
// The EC PARAMETERS block in your file is an accident of the way openssl ecparam - genkey works by default;
// it is not needed or used as part of the actual key and you can omit it by specifying - noout
// which is admittedly somewhat unobvious.
// The actual key structure('hidden' in the base64/ DER data) for EC(DSA / DH)
// does contain some parameter info which RSA doesn't but DSA does.
PrivatePublicPemKeyPair keyPair = KeyImportExport.GetPemKeyPair(caKey25519);
// PrivatePublicPemKeyPair keyPair = PrivatePublicPemKeyPair.ImportFrom("", "");
Org.BouncyCastle.X509.X509Certificate caCert = GenerateCertificate(caName, caName, caKey.Private, caKey.Public, s_secureRandom.Value);
Org.BouncyCastle.X509.X509Certificate eeCert = GenerateCertificate(caName, eeName, caKey.Private, eeKey.Public, s_secureRandom.Value);
Org.BouncyCastle.X509.X509Certificate ee25519Cert = GenerateCertificate(caName, eeName25519, caKey25519.Private, caKey25519.Public, s_secureRandom.Value);
bool caOk = ValidateSelfSignedCert(caCert, caKey.Public);
bool eeOk = ValidateSelfSignedCert(eeCert, caKey.Public);
bool ee25519 = ValidateSelfSignedCert(eeCert, caKey.Public);
PfxGenerator.CreatePfxFile("example.pfx", caCert, caKey.Private, null);
// System.IO.File.WriteAllBytes("fileName", caCert.Export(X509ContentType.Pkcs12, PfxPassword));
// https://info.ssl.com/how-to-der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-conver-them/
// The file extensions .CRT and .CER are interchangeable.
// If your server requires that you use the .CER file extension, you can change the extension
// http://www.networksolutions.com/support/what-is-the-difference-between-a-crt-and-a-cer-file/
// https://stackoverflow.com/questions/642284/apache-with-ssl-how-to-convert-cer-to-crt-certificates
// File extensions for cryptographic certificates aren't really as standardized as you'd expect.
// Windows by default treats double - clicking a.crt file as a request to import the certificate
// So, they're different in that sense, at least, that Windows has some inherent different meaning
// for what happens when you double click each type of file.
// One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----".
// into the Windows Root Certificate store, but treats a.cer file as a request just to view the certificate.
// CER is an X.509 certificate in binary form, DER encoded
// CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding
// Most systems accept both formats, but if you need to you can convert one to the other via openssl
// Certificate file should be PEM-encoded X.509 Certificate file:
// openssl x509 -inform DER -in certificate.cer -out certificate.pem
using (System.IO.Stream f = System.IO.File.Open("ca.cer", System.IO.FileMode.Create))
{
byte[] buf = caCert.GetEncoded();
f.Write(buf, 0, buf.Length);
f.Flush();
}
using (System.IO.Stream fs = System.IO.File.Open("ee.cer", System.IO.FileMode.Create))
{
byte[] buf = eeCert.GetEncoded();
fs.Write(buf, 0, buf.Length);
fs.Flush();
} // End Using fs
using (System.IO.Stream fs = System.IO.File.Open("ee25519.cer", System.IO.FileMode.Create))
{
byte[] buf = ee25519Cert.GetEncoded();
fs.Write(buf, 0, buf.Length);
fs.Flush();
} // End Using fs
// new System.Text.ASCIIEncoding(false)
// new System.Text.UTF8Encoding(false)
using (System.IO.Stream fs = System.IO.File.Open("ee.crt", System.IO.FileMode.Create))
{
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII))
{
byte[] buf = eeCert.GetEncoded();
string pem = ToPem(buf);
sw.Write(pem);
} // End Using sw
} // End Using fs
using (System.IO.Stream fs = System.IO.File.Open("ee25519.crt", System.IO.FileMode.Create))
{
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII))
{
byte[] buf = ee25519Cert.GetEncoded();
string pem = ToPem(buf);
sw.Write(pem);
} // End Using sw
} // End Using fs
Org.BouncyCastle.Asn1.X509.X509Name subject = eeName25519;
} // End Sub Test
private static X509Certificate2 ConvertToCertificate2(X509Certificate cert)
{
return(new X509Certificate2(cert.GetEncoded()));
}
