private void TbsV3CertGenerate()
{
V3TbsCertificateGenerator gen = new V3TbsCertificateGenerator();
DateTime startDate = MakeUtcDateTime(1970, 1, 1, 0, 0, 1);
DateTime endDate = MakeUtcDateTime(1970, 1, 1, 0, 0, 2);
gen.SetSerialNumber(new DerInteger(2));
gen.SetStartDate(new Time(startDate));
gen.SetEndDate(new Time(endDate));
gen.SetIssuer(new X509Name("CN=AU,O=Bouncy Castle"));
gen.SetSubject(new X509Name("CN=AU,O=Bouncy Castle,OU=Test 2"));
gen.SetSignature(new AlgorithmIdentifier(PkcsObjectIdentifiers.MD5WithRsaEncryption, DerNull.Instance));
SubjectPublicKeyInfo info = new SubjectPublicKeyInfo(
new AlgorithmIdentifier(
OiwObjectIdentifiers.ElGamalAlgorithm,
new ElGamalParameter(BigInteger.One, BigInteger.Two)),
new DerInteger(3));
gen.SetSubjectPublicKeyInfo(info);
//
// add extensions
//
IList order = new ArrayList();
IDictionary extensions = new Hashtable();
order.Add(X509Extensions.AuthorityKeyIdentifier);
order.Add(X509Extensions.SubjectKeyIdentifier);
order.Add(X509Extensions.KeyUsage);
extensions.Add(X509Extensions.AuthorityKeyIdentifier, new X509Extension(true, new DerOctetString(CreateAuthorityKeyId(info, new X509Name("CN=AU,O=Bouncy Castle,OU=Test 2"), 2))));
extensions.Add(X509Extensions.SubjectKeyIdentifier, new X509Extension(true, new DerOctetString(new SubjectKeyIdentifier(info))));
extensions.Add(X509Extensions.KeyUsage, new X509Extension(false, new DerOctetString(new KeyUsage(KeyUsage.DataEncipherment))));
X509Extensions ex = new X509Extensions(order, extensions);
gen.SetExtensions(ex);
TbsCertificateStructure tbs = gen.GenerateTbsCertificate();
if (!Arrays.AreEqual(tbs.GetEncoded(), v3Cert))
{
Fail("failed v3 cert generation");
}
//
// read back test
//
Asn1Object o = Asn1Object.FromByteArray(v3Cert);
if (!Arrays.AreEqual(o.GetEncoded(), v3Cert))
{
Fail("failed v3 cert read back test");
}
}
private string GenerateX509Cert(string publicKey, string x509Subject)
{
Asn1Sequence asn1Sequence = null;
using (var reader = new StringReader(publicKey))
{
// Read the RSA public key from the input string.
var pemReader = new PemReader(reader);
var pemObject = pemReader.ReadPemObject();
asn1Sequence = (Asn1Sequence)Asn1Object.FromByteArray(pemObject.Content);
}
// Generate a TBS certificate. We use placeholder-like values since
// the consumer of this certificate should only use the subject
// public key info.
var tbsCertGen = new V3TbsCertificateGenerator();
tbsCertGen.SetSerialNumber(new DerInteger(1));
var signatureAlgId = new AlgorithmIdentifier(PkcsObjectIdentifiers.Sha1WithRsaEncryption, DerNull.Instance);
tbsCertGen.SetSignature(signatureAlgId);
tbsCertGen.SetIssuer(new X509Name("CN=Root Agency"));
var dateTimeNow = DateTime.Now;
tbsCertGen.SetStartDate(new Time(dateTimeNow.AddMinutes(-10)));
tbsCertGen.SetEndDate(new Time(dateTimeNow.AddYears(1))); // Openssh key doesn`t have any start/end date, this is to satisfy RDFE
tbsCertGen.SetSubject(new X509Name(x509Subject));
tbsCertGen.SetSubjectPublicKeyInfo(new SubjectPublicKeyInfo(new AlgorithmIdentifier(PkcsObjectIdentifiers.RsaEncryption, DerNull.Instance), asn1Sequence));
var tbsCert = tbsCertGen.GenerateTbsCertificate();
// Per RFC 3280, the layout of an X.509 v3 certificate looks like:
// Certificate ::= SEQUENCE {
// tbsCertificate TBSCertificate,
// signatureAlgorithm AlgorithmIdentifier,
// signatureValue BIT STRING
// }
// Since we don't have access to the private key, we cannot create
// a signature for the TBS. However, a valid certificate requires
// a bit string for the signature value, so we use a 0-byte array
// in its place.
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(tbsCert);
v.Add(signatureAlgId);
v.Add(new DerBitString(new byte[0]));
var derSequence = new DerSequence(v);
// Output the DER-encoded X509 certificate.
var sb = new StringBuilder();
using (var writer = new StringWriter(sb, CultureInfo.InvariantCulture))
{
var pemWriter = new PemWriter(writer);
pemWriter.WriteObject(new PemObject("CERTIFICATE", derSequence.GetEncoded()));
}
return(sb.ToString());
}
public static void CreateCert(string parentcer, string csrFile)
{
var issuer = new X509CertificateParser().ReadCertificate(File.OpenRead(parentcer));
var reader = new PemReader(File.OpenText(csrFile));
var csr = (Pkcs10CertificationRequest)(reader.ReadObject());
var csrinfo = csr.GetCertificationRequestInfo();
AlgorithmIdentifier sigAlgId = new AlgorithmIdentifier(PkcsObjectIdentifiers.Sha256WithRsaEncryption);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
BigInteger serial = new BigInteger(128, new SecureRandom());
DateTime from = new DateTime(DateTime.Now.Year, DateTime.Now.Month, DateTime.Now.Day);
DateTime to = from.AddYears(5);
V3TbsCertificateGenerator tbsGen = new V3TbsCertificateGenerator();
tbsGen.SetIssuer(issuer.SubjectDN);
tbsGen.SetSerialNumber(new DerInteger(serial));
tbsGen.SetStartDate(new Time(from));
tbsGen.SetEndDate(new Time(to));
tbsGen.SetSubjectPublicKeyInfo(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(csr.GetPublicKey()));
tbsGen.SetSubject(csrinfo.Subject);
// add certificate purposes
Asn1EncodableVector vector = new Asn1EncodableVector();
vector.Add(new DerObjectIdentifier("1.3.6.1.5.5.7.3.2"));
vector.Add(new DerObjectIdentifier("1.3.6.1.4.1.311.20.2.2"));
vector.Add(new DerObjectIdentifier("1.3.6.1.4.1.311.10.3.12"));
vector.Add(new DerObjectIdentifier("1.3.6.1.5.5.7.3.4"));
DerSequence seq = new DerSequence(vector);
X509ExtensionsGenerator extGenerator = new X509ExtensionsGenerator();
extGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, seq);
tbsGen.SetExtensions(extGenerator.Generate());
tbsGen.SetSignature(sigAlgId);
TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate();
// save the TBS
System.IO.File.WriteAllBytes("tbs.cer", tbsCert.GetDerEncoded());
Console.WriteLine("generate the signature (SHA->DER->ENCRYPT) for tbs.cer and call it tbs.sig");
Console.WriteLine("And then press enter");
Console.ReadLine();
var t1 = GenerateJcaObject(tbsCert, sigAlgId, System.IO.File.ReadAllBytes("tbs.sig").Take(256).ToArray());
System.IO.File.WriteAllBytes("cert.cer", t1.GetEncoded());
Console.WriteLine("saved as cert.cer");
}
private static TbsCertificateStructure CreateTbsForVerification(X509Certificate2 preCertificate, IssuerInformation issuerInformation)
{
if (preCertificate.Version < 3)
{
throw new InvalidOperationException("PreCertificate version must be 3 or higher!");
}
var asn1Obj = Asn1Object.FromByteArray(preCertificate.GetTbsCertificateRaw());
var tbsCert = TbsCertificateStructure.GetInstance(asn1Obj);
var hasX509AuthorityKeyIdentifier = tbsCert.Extensions.GetExtension(new DerObjectIdentifier(Constants.X509AuthorityKeyIdentifier)) != null;
if (hasX509AuthorityKeyIdentifier &&
issuerInformation.IssuedByPreCertificateSigningCert &&
issuerInformation.X509AuthorityKeyIdentifier == null)
{
throw new InvalidOperationException("PreCertificate was not signed by a PreCertificate signing cert");
}
var orderedExtensions = GetExtensionsWithoutPoisonAndSct(tbsCert.Extensions, issuerInformation.X509AuthorityKeyIdentifier);
var generator = new V3TbsCertificateGenerator();
generator.SetSerialNumber(tbsCert.SerialNumber);
generator.SetSignature(tbsCert.Signature);
generator.SetIssuer(issuerInformation.Name ?? tbsCert.Issuer);
generator.SetStartDate(tbsCert.StartDate);
generator.SetEndDate(tbsCert.EndDate);
generator.SetSubject(tbsCert.Subject);
generator.SetSubjectPublicKeyInfo(tbsCert.SubjectPublicKeyInfo);
generator.SetIssuerUniqueID(tbsCert.IssuerUniqueID);
generator.SetSubjectUniqueID(tbsCert.SubjectUniqueID);
var extensionsGenerator = new X509ExtensionsGenerator();
foreach (var e in orderedExtensions)
{
extensionsGenerator.AddExtension(e.Key, e.Value.IsCritical, e.Value.GetParsedValue());
}
generator.SetExtensions(extensionsGenerator.Generate());
return(generator.GenerateTbsCertificate());
}
/// <summary>
/// Reset the Generator.
/// </summary>
public void Reset()
{
tbsGen = new V3TbsCertificateGenerator();
extGenerator.Reset();
}
public X509V3CertificateGenerator()
{
tbsGen = new V3TbsCertificateGenerator();
}
private void TbsV3CertGenWithNullSubject()
{
V3TbsCertificateGenerator gen = new V3TbsCertificateGenerator();
DateTime startDate = MakeUtcDateTime(1970, 1, 1, 0, 0, 1);
DateTime endDate = MakeUtcDateTime(1970, 1, 1, 0, 0, 2);
gen.SetSerialNumber(new DerInteger(2));
gen.SetStartDate(new Time(startDate));
gen.SetEndDate(new Time(endDate));
gen.SetIssuer(new X509Name("CN=AU,O=Bouncy Castle"));
gen.SetSignature(new AlgorithmIdentifier(PkcsObjectIdentifiers.MD5WithRsaEncryption, DerNull.Instance));
SubjectPublicKeyInfo info = new SubjectPublicKeyInfo(
new AlgorithmIdentifier(OiwObjectIdentifiers.ElGamalAlgorithm,
new ElGamalParameter(BigInteger.One, BigInteger.Two)),
new DerInteger(3));
gen.SetSubjectPublicKeyInfo(info);
try
{
gen.GenerateTbsCertificate();
Fail("null subject not caught!");
}
catch (InvalidOperationException e)
{
if (!e.Message.Equals("not all mandatory fields set in V3 TBScertificate generator"))
{
Fail("unexpected exception", e);
}
}
//
// add extensions
//
IList order = new ArrayList();
IDictionary extensions = new Hashtable();
order.Add(X509Extensions.SubjectAlternativeName);
extensions.Add(
X509Extensions.SubjectAlternativeName,
new X509Extension(
true,
new DerOctetString(
new GeneralNames(
new GeneralName(
new X509Name("CN=AU,O=Bouncy Castle,OU=Test 2"))))));
X509Extensions ex = new X509Extensions(order, extensions);
gen.SetExtensions(ex);
TbsCertificateStructure tbs = gen.GenerateTbsCertificate();
if (!Arrays.AreEqual(tbs.GetEncoded(), v3CertNullSubject))
{
Fail("failed v3 null sub cert generation");
}
//
// read back test
//
Asn1Object o = Asn1Object.FromByteArray(v3CertNullSubject);
if (!Arrays.AreEqual(o.GetEncoded(), v3CertNullSubject))
{
Fail("failed v3 null sub cert read back test");
}
}
/// <summary>
/// Called by derived classes to initializes a new instance.
/// </summary>
public V3CertGen()
{
tbsGen = new V3TbsCertificateGenerator();
}
