public IStreamCalculator CreateCalculator() { ISigner signer = SignerUtilities.GetSigner(X509Utilities.GetSignatureName(algID)); signer.Init(forSigning: false, publicKey); return(new VerifierCalculator(signer)); }
/// <summary> /// Generate an X509Certificate. /// </summary> /// <param name="privateKey">The private key of the issuer that is signing this certificate.</param> /// <param name="Extensions">Set of extensions to include in the certificate.</param> /// <returns> /// An X509Certificate. /// </returns> /// <exception cref="PolicyEnforcementException">CA policy violation</exception> /// <exception cref="CertificateEncodingException"> /// Exception encoding TBS cert /// or /// Exception producing certificate object /// </exception> public virtual X509Certificate Generate(AsymmetricKeyParameter privateKey, X509Extensions Extensions) { TbsCertificateStructure tbsCert = GenerateTbsCert(Extensions); // Check this complies with policy if (policy != null) { TestAgainstPolicy test = new TestAgainstPolicy(policy); if (!test.report(tbsCert)) { throw new PolicyEnforcementException(test.status.ToString()); } } byte[] signature; try { signature = X509Utilities.GetSignatureForObject( sigOid, signatureAlgorithm, privateKey, null, tbsCert); } catch (Exception e) { throw new CertificateEncodingException("Exception encoding TBS cert", e); } try { return(new X509Certificate(new X509CertificateStructure(tbsCert, sigAlgId, new DerBitString(signature)))); } catch (CertificateParsingException e) { throw new CertificateEncodingException("Exception producing certificate object", e); } }
public Asn1VerifierFactory(string algorithm, AsymmetricKeyParameter publicKey) { DerObjectIdentifier algorithmOid = X509Utilities.GetAlgorithmOid(algorithm); this.publicKey = publicKey; algID = X509Utilities.GetSigAlgID(algorithmOid, algorithm); }
/// <summary> /// Generate a new X509Certificate specifying a SecureRandom instance that you would like to use. /// </summary> /// <param name="privateKey">The private key of the issuer used to sign this certificate.</param> /// <param name="random">The Secure Random you want to use.</param> /// <returns>An X509Certificate.</returns> private X509Certificate generate(SecureRandom random, AsymmetricKeyParameter privateKey) { TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate(); byte[] signature; try { signature = X509Utilities.GetSignatureForObject( sigOID, signatureAlgorithm, (AsymmetricKeyParameter)privateKey, random, tbsCert); } catch (Exception e) { throw new CertificateEncodingException("Exception encoding TBS cert", e); } try { return(GenerateJcaObject(tbsCert, signature)); } catch (CertificateParsingException e) { throw new CertificateEncodingException("Exception producing certificate object", e); } }
public Asn1SignatureFactory(string algorithm, AsymmetricKeyParameter privateKey, SecureRandom random) { DerObjectIdentifier algorithmOid = X509Utilities.GetAlgorithmOid(algorithm); this.algorithm = algorithm; this.privateKey = privateKey; this.random = random; algID = X509Utilities.GetSigAlgID(algorithmOid, algorithm); }
/// <summary> /// Set the signature algorithm that will be used to sign this certificate. /// </summary> /// <param name="signatureAlgorithm">Name of the signature algorithm</param> public void SetSignatureAlgorithm(string signatureAlgorithm) { this.signatureAlgorithm = signatureAlgorithm; try { sigOid = X509Utilities.GetAlgorithmOid(signatureAlgorithm); } catch (Exception) { throw new ArgumentException("Unknown signature type requested: " + signatureAlgorithm); } sigAlgId = X509Utilities.GetSigAlgID(sigOid, signatureAlgorithm); tbsGen.SetSignature(sigAlgId); }
/// <summary> /// Issues the certificate. /// </summary> /// <param name="request">The request.</param> /// <param name="profile">The profile</param> /// <param name="notBefore">The not before.</param> /// <param name="notAfter">The not after.</param> /// <returns> /// Certificate /// </returns> /// <exception cref="System.ArgumentException">Invalid signature algorithm in request</exception> /// <exception cref="System.ArgumentOutOfRangeException">Invalid lifetime units in ValidityPeriod</exception> private X509Certificate issueCertificate(Pkcs10CertificationRequest request, Profile.Profile profile, DateTime notBefore, DateTime notAfter) { X509Certificate newCert; string profileName = ""; // Parse the request Pkcs10Parser p10 = new Pkcs10Parser(request); // Check that correct sig algorithm has been used DerObjectIdentifier sigAlgOid = X509Utilities.GetAlgorithmOid(signatureAlgorithm); if (!p10.SignatureAlgorithm.Equals(sigAlgOid)) { logEvent(LogEvent.EventType.Error, "Invalid signature algorithm in request: " + p10.SignatureAlgorithm.ToString()); throw new ArgumentException("Invalid signature algorithm in request", p10.SignatureAlgorithm.ToString()); } // Create a Cert Generator according to the FIPS 140 policy and CA Type ICertGen certGen; if ((fips140) && (type == CA_Type.dhTA.ToString())) { certGen = new SysV1CertGen(); } else if ((fips140) && (type != CA_Type.dhTA.ToString())) { certGen = new SysV3CertGen(policyEnforcement); } else { certGen = new BcV3CertGen(policyEnforcement); } // Setup the certificate certGen.SetSerialNumber(nextCertSerial()); certGen.SetIssuerDN(caCertificate.SubjectDN); certGen.SetSubjectDN(p10.Subject); certGen.SetPublicKey(p10.PublicKey); certGen.SetSignatureAlgorithm(signatureAlgorithm); if (certGen.GetVersion() == X509ver.V3) { ((V3CertGen)certGen).AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCertificate.GetPublicKey())); ((V3CertGen)certGen).AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(p10.PublicKey)); } // Add further extensions either from profile or request attributes // If a profile is specified ignore all attributes apart from SubjAltName if (profile != null) { // Add in SubjAltName if there is one if ((p10.SubjectAltNames != null) && (certGen.GetVersion() == X509ver.V3)) { bool critical = p10.IsCritical(X509Extensions.SubjectAlternativeName); ((V3CertGen)certGen).AddExtension(X509Extensions.SubjectAlternativeName, critical, p10.SubjectAltNames); } // Capture the profile name for database profileName = profile.Name; // cut the cert newCert = generate(certGen, profile, notBefore, notAfter); } else // No profile { // Set the validity period certGen.SetNotBefore(notBefore.ToUniversalTime()); certGen.SetNotAfter(notAfter.ToUniversalTime()); // Do what it says in the request newCert = generate(certGen, p10.Extensions); } // Add certificate to the CA DB Database.AddCertificate(newCert, request.GetDerEncoded(), profileName, dbFileLocation, caCertificate, cspParam); logEvent(LogEvent.EventType.DBAddCert, "DB: Certificate added: " + newCert.SerialNumber.ToString()); return(newCert); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.Configure <CookiePolicyOptions>(options => { // This lambda determines whether user consent for non-essential cookies is needed for a given request. options.CheckConsentNeeded = context => true; options.MinimumSameSitePolicy = SameSiteMode.None; }); Config.Version = Configuration.GetSection("Misc").GetSection("Version").Value; services.AddMvc(options => { options.EnableEndpointRouting = false; }); /* * Identity Server 4 * http://docs.identityserver.io * * Used for client credentials and authorisation access * * OpenID/oAuth2 based for ASP.net */ //START =-=-= DO NOT MODIFY UNLESS DISCUSSED USER AUTH IS HERE =-=-= START X509Certificate2 signingCert; if (File.Exists(Configuration.GetSection("X509Details").GetSection("PathToFile").Value)) { signingCert = new X509Certificate2( Configuration.GetSection("X509Details").GetSection("PathToFile").Value, Configuration.GetSection("X509Details").GetSection("DecryptionPassword").Value); } else { signingCert = X509Utilities.BuildSelfSignedServerCertificate( Configuration.GetSection("X509Details").GetSection("CertificateName").Value, Configuration.GetSection("X509Details").GetSection("DecryptionPassword").Value); File.WriteAllBytes(Configuration.GetSection("X509Details").GetSection("PathToFile").Value, signingCert.Export(X509ContentType.Pkcs12, Configuration.GetSection("X509Details").GetSection("DecryptionPassword").Value)); } Console.WriteLine("ConfigureServices Start"); var appUri = Configuration.GetSection("Hosts").GetSection("APPFqdn").Value; var apiUri = Configuration.GetSection("Hosts").GetSection("APIFqdn").Value; ApplicationInfo.AppUrl = appUri; ApplicationInfo.ApiUrl = apiUri; services.AddCors(options => { options.AddDefaultPolicy( builder => { builder.WithOrigins(appUri) .AllowAnyHeader() .AllowAnyMethod() .AllowCredentials(); }); }); //Startup Autofac var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name; services.AddDbContext <ApplicationIdentityDbContext>(options => options.UseMySql(Configuration.GetConnectionString("ApplicationDatabase"), optionsBuilder => optionsBuilder.MigrationsAssembly(migrationsAssembly))); services.AddMvcCore() .AddAuthorization(); services.AddIdentity <IdentityUser, IdentityRole>() .AddEntityFrameworkStores <ApplicationIdentityDbContext>() .AddDefaultTokenProviders(); services .AddIdentityServer(options => { options.PublicOrigin = apiUri; }) .AddOperationalStore(options => { options .ConfigureDbContext = optionsBuilder => optionsBuilder .UseMySql(Configuration.GetConnectionString("ApplicationDatabase"), sqlOptions => sqlOptions.MigrationsAssembly(migrationsAssembly)); options.EnableTokenCleanup = true; options.TokenCleanupInterval = 604800; //stay logged in for 1 week }) .AddConfigurationStore(options => options .ConfigureDbContext = optionsBuilder => optionsBuilder .UseMySql(Configuration.GetConnectionString("ApplicationDatabase"), sqlOptions => sqlOptions.MigrationsAssembly(migrationsAssembly))) .AddSigningCredential(signingCert); services .AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.Authority = Configuration.GetSection("Hosts").GetSection("APIFqdn").Value; options.Audience = "carbon.api"; options.RequireHttpsMetadata = false; options.IncludeErrorDetails = true; options.Events = new JwtBearerEvents() { OnChallenge = context => { context.Response.StatusCode = 401; return(Task.CompletedTask); } }; }); //TODO this is soon to be deprecated. Find a new solution. services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies()); // END =-=-= DO NOT MODIFY UNLESS DISCUSSED USER AUTH IS HERE =-=-= END // Register the Swagger generator, defining 1 or more Swagger documents services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Version = "v1", Title = "CoEuS API", Description = "Carbon Event Scout", TermsOfService = new Uri(appUri + "/privacy"), Contact = new OpenApiContact { Name = "Owen Holloway", Email = string.Empty, Url = new Uri("https://zeryter.xyz"), }, License = new OpenApiLicense { Name = "Use under LICX", Url = new Uri(appUri + "/privacy"), } }); c.AddSecurityRequirement(new OpenApiSecurityRequirement { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" } }, new string[] {} } }); c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme() { Type = SecuritySchemeType.OAuth2, Flows = new OpenApiOAuthFlows() { Implicit = new OpenApiOAuthFlow { AuthorizationUrl = new Uri($"{apiUri}/connect/authorize"), TokenUrl = new Uri($"{apiUri}/connect/token"), Scopes = new Dictionary <string, string>() { { "carbon.read", "carbon API read" }, { "carbon.write", "carbon API write" } } } } }); }); Console.WriteLine("ConfigureServices Completed"); }