// 自己署名証明書の作成
public Certificate(PrivKey selfSignKey, CertificateOptions options)
{
X509Name name = options.GenerateName();
X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
gen.SetSerialNumber(new BigInteger(options.Serial.ToArray()));
gen.SetIssuerDN(name);
gen.SetSubjectDN(name);
gen.SetNotBefore(DateTime.Now.AddDays(-1));
gen.SetNotAfter(options.Expires.UtcDateTime);
gen.SetPublicKey(selfSignKey.PublicKey.PublicKeyData);
X509Extension extConst = new X509Extension(true, new DerOctetString(new BasicConstraints(true)));
gen.AddExtension(X509Extensions.BasicConstraints, true, extConst.GetParsedValue());
X509Extension extBasicUsage = new X509Extension(false, new DerOctetString(new KeyUsage(options.KeyUsages)));
gen.AddExtension(X509Extensions.KeyUsage, false, extBasicUsage.GetParsedValue());
X509Extension extExtendedUsage = new X509Extension(false, new DerOctetString(new ExtendedKeyUsage(options.ExtendedKeyUsages)));
gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, extExtendedUsage.GetParsedValue());
X509Extension altName = new X509Extension(false, new DerOctetString(options.GenerateAltNames()));
gen.AddExtension(X509Extensions.SubjectAlternativeName, false, altName.GetParsedValue());
this.CertData = gen.Generate(new Asn1SignatureFactory(options.GetSignatureAlgorithmOid(), selfSignKey.PrivateKeyData.Private, PkiUtil.NewSecureRandom()));
InitFields();
}
private static X509Certificate GenerateCert(string signatureAlgorithmName,
AsymmetricKeyParameter issuerPrivateKey,
X509Name issuerDN,
AsymmetricKeyParameter subjectPublicKey,
X509Name subjectDN,
X509Extensions subjectExtensions,
DateTime start,
int days)
{
ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithmName, issuerPrivateKey, Common.ThreadSecureRandom.Value);
BigInteger sn = new BigInteger(128, Common.ThreadSecureRandom.Value);
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(sn);
generator.SetIssuerDN(issuerDN);
generator.SetPublicKey(subjectPublicKey);
generator.SetSubjectDN(subjectDN);
if (subjectExtensions != null)
{
foreach (DerObjectIdentifier oid in subjectExtensions.ExtensionOids)
{
X509Extension extension = subjectExtensions.GetExtension(oid);
generator.AddExtension(oid, extension.IsCritical, extension.GetParsedValue());
}
}
generator.SetNotBefore(start);
generator.SetNotAfter(start.AddDays(days));
return(generator.Generate(signatureFactory));
}
/// <summary>
/// Checks Certificate Policies for policy : "1.2.300.0.110001.1.7.1.1.1" which indicate a hard certificate
/// </summary>
/// <param name="certificate"></param>
/// <returns>true/false</returns>
private static bool isHardCertificatePolicyOidt(X509Certificate certificate)
{
X509Extension certPolicies =
certificate.CertificateStructure.TbsCertificate.Extensions.GetExtension(X509Extensions.CertificatePolicies);
DerSequence seq = certPolicies.GetParsedValue() as DerSequence;
foreach (Asn1Encodable seqItem in seq)
{
DerSequence subSeq = seqItem as DerSequence;
if (subSeq == null)
{
continue;
}
foreach (Asn1Encodable subSeqItem in subSeq)
{
DerObjectIdentifier oid = subSeqItem as DerObjectIdentifier;
if (oid == null)
{
continue;
}
if (oid.Id == HARD_CERTIFICATE_POLICY_ID)
{
return(true);
}
}
return(false);
}
return(false);
}
/// <summary>
/// Create SubjectAltName extension from an X509Extension
/// </summary>
/// <param name="Extension">X509 extension</param>
/// <remarks>
/// Sub classses must provide an implementation to decode their values
/// </remarks>
public subjectAltName(X509Extension Extension) : base(Extension.IsCritical)
{
base.oid = X509Extensions.SubjectAlternativeName;
base.name = "SubjectAlternativeName";
base.displayName = "Subject Alternative Name";
decode(GeneralNames.GetInstance((Asn1Sequence)Extension.GetParsedValue()));
}
/// <summary>
/// Create InhibitAnyPolicy extension from X509Extension
/// </summary>
/// <param name="Extension">X509Extension</param>
public inhibitAnyPolicy(X509Extension Extension) : base(Extension)
{
base.oid = X509Extensions.InhibitAnyPolicy;
base.name = "InhibitAnyPolicy";
base.displayName = "Inhibit AnyPolicy";
DerInteger skp = (DerInteger)Extension.GetParsedValue();
this.skip = skp.Value.IntValue;
}
/// <summary>
/// Get a GeneralNames object containing the SubjectAltNames
/// </summary>
/// <returns>Subject Alt Names (or null)</returns>
private GeneralNames getSubjectAltNames()
{
if (Extensions == null)
{
return(null);
}
// Retrieve the SAN extension from the Extensions list
X509Extension san = Extensions.GetExtension(X509Extensions.SubjectAlternativeName);
if (san == null)
{
return(null);
}
// Create a new GeneralNames object that includes the sequence of names
return(new GeneralNames((Asn1Sequence)san.GetParsedValue()));
}
EsitoVerifica controllaCrlCert(X509Certificate cert, string cachePath, bool force = false)
{
//usiamo l'ev solo per i dati di revoca
EsitoVerifica ev = new EsitoVerifica();
string CN = cert.SubjectDN.GetValues(X509Name.CN).Cast <string>().FirstOrDefault();
string SN = cert.SubjectDN.GetValues(X509Name.SerialNumber).Cast <string>().FirstOrDefault();
X509Extensions ex = X509Extensions.GetInstance(cert.CertificateStructure.TbsCertificate.Extensions);
X509Extension e = ex.GetExtension(X509Extensions.CrlDistributionPoints);
if (e == null)
{
string msg = "CRL distribution points NOT PRESENT in certificate structure";
logger.Debug(msg);
ev.status = EsitoVerificaStatus.ErroreGenerico;
ev.errorCode = "1411";//nonposso scaricare la CRL
ev.message = msg;
return(ev);
}
var crldp = CrlDistPoint.GetInstance(e.GetParsedValue());
List <String> certDpUrlLst = GetCrlDistribtionPoints(crldp);
ev.status = EsitoVerificaStatus.Valid;
ev.SubjectCN = CN;
ev.SubjectDN = SN;
int downloadsTrials = 0;
List <String> errorLst = new List <string>();
foreach (string url in certDpUrlLst)
{
try
{
Uri tryUri = new Uri(url);
}
catch
{
logger.ErrorFormat("Unable to download/process CRL URL : {0}", url);
continue;
}
try
{
X509Crl rootCrl = retreiveCrlUrl(url, cachePath, force);
downloadsTrials++;
if (rootCrl.IsRevoked(cert))
{
X509CrlEntry entry = rootCrl.GetRevokedCertificate(cert.CertificateStructure.SerialNumber.Value);
ev.dataRevocaCertificato = entry.RevocationDate;
logger.DebugFormat("Certificate {0} : {1} with serial {2} is Revoked on {3}", CN, SN, BitConverter.ToString(entry.SerialNumber.ToByteArray()), ev.dataRevocaCertificato);
ev.content = entry.SerialNumber.ToByteArray();
ev.errorCode = "1408";
ev.status = EsitoVerificaStatus.Revoked;
break;
}
}
catch (Exception exc)
{
logger.ErrorFormat("Unable to download/process CRL message {0} stack {1} on Download Trial {2}", exc.Message, exc.StackTrace, downloadsTrials);
errorLst.Add(exc.Message);
}
}
string ErrorMessage = string.Empty;
if ((errorLst.Count > 0) && downloadsTrials == 0)
{
foreach (string s in errorLst)
{
ErrorMessage += s + " | ";
}
}
if (!string.IsNullOrEmpty(ErrorMessage))
{
ev.status = EsitoVerificaStatus.ErroreGenerico;
ev.errorCode = "1411";//nonposso scaricare la CRL
ev.message = "Unable to download/process CRL message:" + ErrorMessage;
}
return(ev);
}
/// <summary>
///
/// </summary>
/// <param name="domains"></param>
/// <param name="subjectPublic"></param>
/// <param name="validFrom"></param>
/// <param name="validTo"></param>
/// <param name="issuerName"></param>
/// <param name="issuerPublic"></param>
/// <param name="issuerPrivate"></param>
/// <param name="CA_PathLengthConstraint">If non-null, the certificate will be marked as a certificate authority with the specified path length constraint (0 to allow no child certificate authorities, 1 to allow 1, etc).</param>
/// <returns></returns>
private static X509Certificate GenerateCertificate(string[] domains, AsymmetricKeyParameter subjectPublic, DateTime validFrom, DateTime validTo, string issuerName, AsymmetricKeyParameter issuerPublic, AsymmetricKeyParameter issuerPrivate, int?CA_PathLengthConstraint)
{
ISignatureFactory signatureFactory;
if (issuerPrivate is ECPrivateKeyParameters)
{
signatureFactory = new Asn1SignatureFactory(
X9ObjectIdentifiers.ECDsaWithSha256.ToString(),
issuerPrivate);
}
else
{
signatureFactory = new Asn1SignatureFactory(
PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(),
issuerPrivate);
}
X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
certGenerator.SetIssuerDN(new X509Name("CN=" + issuerName));
certGenerator.SetSubjectDN(new X509Name("CN=" + domains[0]));
certGenerator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
certGenerator.SetNotBefore(validFrom);
certGenerator.SetNotAfter(validTo);
certGenerator.SetPublicKey(subjectPublic);
if (issuerPublic != null)
{
AuthorityKeyIdentifierStructure akis = new AuthorityKeyIdentifierStructure(issuerPublic);
certGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, akis);
}
if (CA_PathLengthConstraint != null && CA_PathLengthConstraint >= 0)
{
X509Extension extension = new X509Extension(true, new DerOctetString(new BasicConstraints(CA_PathLengthConstraint.Value)));
certGenerator.AddExtension(X509Extensions.BasicConstraints, extension.IsCritical, extension.GetParsedValue());
}
// Add SANs (Subject Alternative Names)
GeneralName[] names = domains.Select(domain => new GeneralName(GeneralName.DnsName, domain)).ToArray();
GeneralNames subjectAltName = new GeneralNames(names);
certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
return(certGenerator.Generate(signatureFactory));
}
