public CertificateResult Create(
string algorithm,
int keyLength,
string subjectName,
DateTime notBefore,
DateTime notAfter,
KeyUsage keyUsage,
KeyPurposeID[] extendedUsages,
X509Certificate caCertificate,
AsymmetricCipherKeyPair caKeyPair,
CertificateEndPoints certificateEndPoints
)
{
SecureRandom random = GenerateSecureRandom();
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeyPair(random, keyLength);
BigInteger serialNumber = GenerateSerialNumber(random);
string caName = caCertificate.SubjectDN.ToString();
X509Certificate certificate = GenerateCertificate(
random,
algorithm,
subjectName,
subjectKeyPair,
serialNumber,
null,
notBefore,
notAfter,
caName,
caKeyPair,
keyUsage,
extendedUsages,
certificateEndPoints);
return(new CertificateResult(certificate, subjectKeyPair));
}
protected override void Setup(X509V3CertificateGenerator generator, CertificateEndPoints certificateEndPoints)
{
AddCertificateAuthorityBasicConstraints(generator);
if (certificateEndPoints != null)
{
AddCrlDistributionPoint(generator, certificateEndPoints.CrlDistributionEndPoint);
AddAuthorityDistributionEndPoint(generator, null, certificateEndPoints.OcspEndPoint);
}
}
public CertificateResult Create(
string algorithm,
int keyLength,
string subjectName,
DateTime notBefore,
DateTime notAfter,
KeyUsage keyUsage,
KeyPurposeID[] extendedUsages,
CertificateEndPoints certificateEndPoints
)
{
SecureRandom random = GenerateSecureRandom();
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeyPair(random, keyLength);
BigInteger serialNumber = GenerateSerialNumber(random);
// É auto-assinado, então são iguais.
// Uma CA é um Self-signed certificate com a 'BasicConstraint' CA=true
string issuerName = subjectName;
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
X509Certificate certificate = GenerateCertificate(
random,
algorithm,
subjectName,
subjectKeyPair,
serialNumber,
null,
notBefore,
notAfter,
issuerName,
issuerKeyPair,
keyUsage,
extendedUsages,
certificateEndPoints);
return(new CertificateResult(certificate, subjectKeyPair));
}
protected X509Certificate GenerateCertificate(
SecureRandom random,
string algorithm,
string subjectName,
AsymmetricCipherKeyPair subjectKeyPair,
BigInteger subjectSerialNumber,
string[] subjectAlternativeNames,
DateTime notBefore,
DateTime notAfter,
string issuerName,
AsymmetricCipherKeyPair issuerKeyPair,
KeyUsage keyUsage,
KeyPurposeID[] usages,
CertificateEndPoints certificateEndPoints)
{
var certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSerialNumber(subjectSerialNumber);
// Key emite o certificado
X509Name issuerDN = BuildDistinguishedName(issuerName);
certificateGenerator.SetIssuerDN(issuerDN);
// Nota: Pode ser omitido se for indicado o 'subject alternative name' (SAN).
certificateGenerator.SetSubjectDN(BuildDistinguishedName(subjectName));
// CIUDADO !!!! tempo em UTC!!!!!!
certificateGenerator.SetNotBefore(notBefore);
// CIUDADO !!!! tempo em UTC!!!!!!
certificateGenerator.SetNotAfter(notAfter);
// A chave pública do emissor é incluida no certificado..
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Secção 4.2.1.1, Authority Key Identifier pode ser omitido em CA´s.
// No nosso caso para as CA's emitidas, o KeyId será igual ao seu subjectid
AddAuthorityKeyIdentifier(certificateGenerator, issuerKeyPair);
AddSubjectKeyIdentifier(certificateGenerator, subjectKeyPair);
if (certificateEndPoints != null)
{
CertificateUrlTemplateBindModel urlTemplateBindModel = BuildUrlTemplateBindModel(
subjectName,
subjectName,
issuerName,
new SubjectKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public)),
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerKeyPair.Public)),
subjectSerialNumber,
notBefore,
notAfter
);
certificateEndPoints.CaDistributionEndPoint = EvaluateUrl(urlTemplateBindModel,
certificateEndPoints.CaDistributionEndPoint);
certificateEndPoints.CrlDistributionEndPoint = EvaluateUrl(urlTemplateBindModel,
certificateEndPoints.CrlDistributionEndPoint);
certificateEndPoints.OcspEndPoint = EvaluateUrl(urlTemplateBindModel,
certificateEndPoints.OcspEndPoint);
}
// VER
AddPolicies(certificateGenerator);
Setup(certificateGenerator, certificateEndPoints);
if (keyUsage != null)
{
AddKeyUsage(certificateGenerator, keyUsage);
}
if (!usages.IsNullOrEmpty())
{
AddExtendedKeyUsage(certificateGenerator, usages);
}
if (!subjectAlternativeNames.IsStringListNullOrEmpty())
{
AddSubjectAlternativeNames(certificateGenerator, subjectAlternativeNames);
}
// Assinar o certificado com a chave privada do emissor.
return(certificateGenerator.Generate(
new Asn1SignatureFactory(
algorithm,
issuerKeyPair.Private
)));
}
protected abstract void Setup(X509V3CertificateGenerator generator, CertificateEndPoints endPoints);