|
public Save ( Stream stream, char password, |
||
| stream | Stream | |
| password | char | |
| random | ||
| Résultat | void | |
public static X509Certificate2 GenerateSelfSigned(TimeSpan lifetime)
{
Guid guid = Guid.NewGuid();
DateTime now = DateTime.UtcNow;
SecureRandom rand = new SecureRandom();
//Generate a key pair
RsaKeyPairGenerator keyGen = new RsaKeyPairGenerator();
keyGen.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters(rand, 1024));
AsymmetricCipherKeyPair key = keyGen.GenerateKeyPair();
//Generate a certificate
X509Name dn = new X509Name("CN=" + guid.ToString());
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetIssuerDN(dn);
certGen.SetSerialNumber(new BigInteger(1, guid.ToByteArray()));
certGen.SetSignatureAlgorithm("SHA1WITHRSA");
certGen.SetSubjectDN(dn);
certGen.SetPublicKey(key.Public);
certGen.SetNotBefore(now);
certGen.SetNotAfter(now.Add(lifetime));
Org.BouncyCastle.X509.X509Certificate bcCert = certGen.Generate(key.Private);
//Save it as pkcs12
MemoryStream p12Stream = new MemoryStream();
Pkcs12Store p12 = new Pkcs12Store();
p12.SetKeyEntry("sts", new AsymmetricKeyEntry(key.Private), new X509CertificateEntry[] { new X509CertificateEntry(bcCert) });
p12.Save(p12Stream, p12TmpPwd.ToCharArray(), rand);
//Load the pkcs12 as .Net Certificate
return new X509Certificate2(p12Stream.ToArray(), p12TmpPwd, X509KeyStorageFlags.DefaultKeySet);
}
public static void ExportPKCS12(String path, String alias, AsymmetricKeyParameter privKey, char[] password,
params X509Certificate[] certs)
{
var keyStore = new Pkcs12Store();
keyStore.SetKeyEntry(alias, new AsymmetricKeyEntry(privKey), WrapX509Certificates(certs));
using (var fs = new FileStream(path, FileMode.Create))
{
keyStore.Save(fs, password, Repository.Srand);
}
}
public static void WritePkcs12(RsaPrivateCrtKeyParameters privKey,
Org.BouncyCastle.X509.X509Certificate certificate,
string password, Stream stream)
{
Pkcs12Store store = new Pkcs12Store();
X509CertificateEntry[] chain = new X509CertificateEntry[1];
chain[0] = new X509CertificateEntry(certificate);
store.SetKeyEntry("privateKey", new AsymmetricKeyEntry(privKey), chain);
store.Save(stream, password.ToCharArray(), new SecureRandom());
}
public static X509Certificate2 GenerateNewCertificate(string name)
{
var kpGen = new RsaKeyPairGenerator();
kpGen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
AsymmetricCipherKeyPair keyPair = kpGen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
var certificateName = new X509Name("CN=" + name);
BigInteger serialNumber = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(serialNumber);
gen.SetSubjectDN(certificateName);
gen.SetIssuerDN(certificateName);
gen.SetNotAfter(DateTime.Now.AddYears(100));
gen.SetNotBefore(DateTime.Now.AddDays(-1));
gen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
gen.SetPublicKey(keyPair.Public);
gen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public),
new GeneralNames(new GeneralName(certificateName)), serialNumber));
X509Certificate newCert = gen.Generate(keyPair.Private);
var newStore = new Pkcs12Store();
var certEntry = new X509CertificateEntry(newCert);
newStore.SetCertificateEntry(
Environment.MachineName,
certEntry
);
newStore.SetKeyEntry(
Environment.MachineName,
new AsymmetricKeyEntry(keyPair.Private),
new[] {certEntry}
);
var memoryStream = new MemoryStream();
newStore.Save(
memoryStream,
new char[0],
new SecureRandom(new CryptoApiRandomGenerator())
);
return new X509Certificate2(memoryStream.ToArray());
}
/// <summary>
/// Static method used to create a certificate and return as a .net object
/// </summary>
public static X509Certificate2 Create(string name, DateTime start, DateTime end, string userPassword,
bool addtoStore = false)
{
// generate a key pair using RSA
var generator = new RsaKeyPairGenerator();
// keys have to be a minimum of 2048 bits for Azure
generator.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 2048));
AsymmetricCipherKeyPair cerKp = generator.GenerateKeyPair();
// get a copy of the private key
AsymmetricKeyParameter privateKey = cerKp.Private;
// create the CN using the name passed in and create a unique serial number for the cert
var certName = new X509Name("CN=" + name);
BigInteger serialNo = BigInteger.ProbablePrime(120, new Random());
// start the generator and set CN/DN and serial number and valid period
var x509Generator = new X509V3CertificateGenerator();
x509Generator.SetSerialNumber(serialNo);
x509Generator.SetSubjectDN(certName);
x509Generator.SetIssuerDN(certName);
x509Generator.SetNotBefore(start);
x509Generator.SetNotAfter(end);
// add the server authentication key usage
var keyUsage = new KeyUsage(KeyUsage.KeyEncipherment);
x509Generator.AddExtension(X509Extensions.KeyUsage, false, keyUsage.ToAsn1Object());
var extendedKeyUsage = new ExtendedKeyUsage(new[] {KeyPurposeID.IdKPServerAuth});
x509Generator.AddExtension(X509Extensions.ExtendedKeyUsage, true, extendedKeyUsage.ToAsn1Object());
// algorithm can only be SHA1 ??
x509Generator.SetSignatureAlgorithm("sha1WithRSA");
// Set the key pair
x509Generator.SetPublicKey(cerKp.Public);
X509Certificate certificate = x509Generator.Generate(cerKp.Private);
// export the certificate bytes
byte[] certStream = DotNetUtilities.ToX509Certificate(certificate).Export(X509ContentType.Pkcs12,
userPassword);
// build the key parameter and the certificate entry
var keyEntry = new AsymmetricKeyEntry(privateKey);
var entry = new X509CertificateEntry(certificate);
// build the PKCS#12 store to encapsulate the certificate
var builder = new Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
builder.SetCertAlgorithm(PkcsObjectIdentifiers.Sha1WithRsaEncryption);
builder.SetKeyAlgorithm(PkcsObjectIdentifiers.Sha1WithRsaEncryption);
builder.Build();
// create a memorystream to hold the output
var stream = new MemoryStream(2000);
// create the individual store and set two entries for cert and key
var store = new Pkcs12Store();
store.SetCertificateEntry("Elastacloud Test Certificate", entry);
store.SetKeyEntry("Elastacloud Test Certificate", keyEntry, new[] {entry});
store.Save(stream, userPassword.ToCharArray(), new SecureRandom());
// Create the equivalent C# representation
var cert = new X509Certificate2(stream.GetBuffer(), userPassword, X509KeyStorageFlags.Exportable);
// if specified then this add this certificate to the store
if (addtoStore)
AddToMyStore(cert);
return cert;
}
private async Task AddToWinCertStore()
{
Pkcs12Store store = new Pkcs12Store();
string friendlyName = "Limelight-Client";
var certEntry = new X509CertificateEntry(cert);
store.SetCertificateEntry(friendlyName, certEntry);
var keyEntry = new AsymmetricKeyEntry(keyPair.Private);
store.SetKeyEntry(friendlyName, keyEntry, new[] { certEntry });
// Copy the Pkcs12Store to a stream using an arbitrary password
const string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), new SecureRandom());
// Write to .PFX string
byte[] arr = stream.ToArray();
IBuffer buf = arr.AsBuffer();
string pfx = CryptographicBuffer.EncodeToBase64String(buf);
await CertificateEnrollmentManager.ImportPfxDataAsync(pfx, password, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, friendlyName);
}
/// <summary>
/// Generates and saves a new certificate to the default CommandServer plx path
/// </summary>
public void Generate() {
RsaKeyPairGenerator rsaKeyPairGenerator = new RsaKeyPairGenerator();
rsaKeyPairGenerator.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 2048));
AsymmetricCipherKeyPair asymmetricCipherKeyPair = rsaKeyPairGenerator.GenerateKeyPair();
X509Name certificateName = new X509Name("CN=" + Environment.MachineName);
BigInteger serialNumber = BigInteger.ProbablePrime(120, new SecureRandom());
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSerialNumber(serialNumber);
certificateGenerator.SetSubjectDN(certificateName);
certificateGenerator.SetIssuerDN(certificateName);
certificateGenerator.SetNotAfter(DateTime.Now.AddYears(1));
certificateGenerator.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
certificateGenerator.SetSignatureAlgorithm("Sha1WithRSA");
certificateGenerator.SetPublicKey(asymmetricCipherKeyPair.Public);
certificateGenerator.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(asymmetricCipherKeyPair.Public),
new GeneralNames(new GeneralName(certificateName)),
serialNumber
)
);
certificateGenerator.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
false,
new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth)
);
X509CertificateEntry certificateEntry = new X509CertificateEntry(certificateGenerator.Generate(asymmetricCipherKeyPair.Private));
Pkcs12Store store = new Pkcs12Store();
store.SetCertificateEntry(certificateName.ToString(), certificateEntry);
store.SetKeyEntry(certificateName.ToString(), new AsymmetricKeyEntry(asymmetricCipherKeyPair.Private), new[] {
certificateEntry
});
// Save to the file system
using (var filestream = new FileStream(Defines.CertificatesDirectoryCommandServerPfx.FullName, FileMode.Create, FileAccess.ReadWrite)) {
store.Save(filestream, this.Password.ToCharArray(), new SecureRandom());
}
}
public X509Certificate2 CreateSelfSignedCertificate(string subjectName, string issuerName)
{
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Signature Algorithm
const string signatureAlgorithm = "SHA512withRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
// Issuer and Subject Name
X509Name subjectDN = new X509Name("CN=" + subjectName);
X509Name issuerDN = new X509Name("CN=" + issuerName);
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
var date = DateTime.Now;
DateTime notBefore = date.AddDays(-1);
DateTime notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
const int keyStrength = 2048;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// Selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(subjectKeyPair.Private, random);
// Convert to .NET cert // http://blog.differentpla.net/post/20/how-do-i-convert-a-bouncy-castle-certificate-to-a-net-certificate-
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
const string password = "******"; // required to export
byte[] certBytes;
using (var stream = new MemoryStream())
{
store.Save(stream, password.ToCharArray(), random);
certBytes = stream.ToArray();
}
var convertedCertificate =
new X509Certificate2(certBytes, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return convertedCertificate;
}
private static X509Certificate2 ConvertCertificate(X509Certificate certificate,
AsymmetricCipherKeyPair subjectKeyPair,
SecureRandom random)
{
// Now to convert the Bouncy Castle certificate to a .NET certificate.
// See http://web.archive.org/web/20100504192226/http://www.fkollmann.de/v2/post/Creating-certificates-using-BouncyCastle.aspx
// ...but, basically, we create a PKCS12 store (a .PFX file) in memory, and add the public and private key to that.
var store = new Pkcs12Store();
// What Bouncy Castle calls "alias" is the same as what Windows terms the "friendly name".
string friendlyName = certificate.SubjectDN.ToString();
// Add the certificate.
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the private key.
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] {certificateEntry});
// Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream.
// It needs a password. Since we'll remove this later, it doesn't particularly matter what we use.
const string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
var convertedCertificate =
new X509Certificate2(stream.ToArray(),
password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return convertedCertificate;
}
/// <summary>
/// Creates new certificate
/// </summary>
/// <returns></returns>
public static void CreateSelfSignedCertificate(string subjectDirName, DateTime startDate, DateTime endDate, int signatureBits, int keyStrength, string password, string fileName)
{
string signatureAlgorithm;
switch (signatureBits)
{
case 160:
signatureAlgorithm = "SHA1withRSA";
break;
case 224:
signatureAlgorithm = "SHA224withRSA";
break;
case 256:
signatureAlgorithm = "SHA256withRSA";
break;
case 384:
signatureAlgorithm = "SHA384withRSA";
break;
case 512:
signatureAlgorithm = "SHA512withRSA";
break;
default:
throw new ArgumentException("Invalid signature bit size.", "signatureBits");
}
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
// Generate public/private keys.
AsymmetricCipherKeyPair encryptionKeys;
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
encryptionKeys = keyPairGenerator.GenerateKeyPair();
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random));
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
certificateGenerator.SetIssuerDN(new X509Name(subjectDirName));
certificateGenerator.SetSubjectDN(new X509Name(subjectDirName));
certificateGenerator.SetNotBefore(startDate);
certificateGenerator.SetNotAfter(endDate);
certificateGenerator.SetPublicKey(encryptionKeys.Public);
// self-sign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(encryptionKeys.Private, random);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(encryptionKeys.Private), new[] { certificateEntry });
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
//Verify that the certificate is valid.
var convertedCertificate = new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
//Write the file.
File.WriteAllBytes(fileName, stream.ToArray());
File.WriteAllBytes(Path.ChangeExtension(fileName, ".cer"), certificate.GetEncoded());
}
/// <summary>
/// Create the actual certificate
/// </summary>
public static bool CreateCertificate(ICertificateSettings settings, Action<string> log, out string thumbprint, out string errorMessage)
{
errorMessage = string.Empty;
thumbprint = string.Empty;
try
{
var keyStore = new Pkcs12Store();
log(Strings.GeneratingKeys);
var pGen = new RsaKeyPairGenerator();
var genParam = new
RsaKeyGenerationParameters(
BigInteger.ValueOf(0x10001),
new SecureRandom(),
1024,
10);
pGen.Init(genParam);
var keyPair = pGen.GenerateKeyPair();
log(Strings.GeneratingCertificate);
var attrs = new Dictionary<DerObjectIdentifier, string>();
var oids = new List<DerObjectIdentifier> { X509Name.O, X509Name.L, X509Name.C, X509Name.CN, X509Name.EmailAddress, X509Name.OU, X509Name.ST };
oids.Reverse();
if (!string.IsNullOrEmpty(settings.OrgName)) attrs.Add(X509Name.O, settings.OrgName); else oids.Remove(X509Name.O);
if (!string.IsNullOrEmpty(settings.OrgUnit)) attrs.Add(X509Name.OU, settings.OrgUnit); else oids.Remove(X509Name.OU);
if (!string.IsNullOrEmpty(settings.City)) attrs.Add(X509Name.L, settings.City); else oids.Remove(X509Name.L);
if (!string.IsNullOrEmpty(settings.CountryCode)) attrs.Add(X509Name.C, settings.CountryCode); else oids.Remove(X509Name.C);
if (!string.IsNullOrEmpty(settings.State)) attrs.Add(X509Name.ST, settings.State); else oids.Remove(X509Name.ST);
if (!string.IsNullOrEmpty(settings.Email)) attrs.Add(X509Name.EmailAddress, settings.Email); else oids.Remove(X509Name.EmailAddress);
if (!string.IsNullOrEmpty(settings.UserName)) attrs.Add(X509Name.CN, settings.UserName); else oids.Remove(X509Name.CN);
var certGen = new X509V3CertificateGenerator();
var random = new SecureRandom();
certGen.SetSerialNumber(BigInteger.ValueOf(Math.Abs(random.NextInt())));
certGen.SetIssuerDN(new X509Name(oids, attrs));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
var years = Math.Min(settings.MaxYears, 50);
certGen.SetNotAfter(DateTime.Today.AddYears(years));
certGen.SetSubjectDN(new X509Name(oids, attrs));
certGen.SetPublicKey(keyPair.Public);
certGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");
var cert = certGen.Generate(keyPair.Private);
// Save
log(Strings.SavingCertificate);
var keyEntry = new AsymmetricKeyEntry(keyPair.Private);
var certEntry = new X509CertificateEntry(cert);
const string alias = "alias";
keyStore.SetKeyEntry(alias, keyEntry, new[] { certEntry });
var password = settings.Password;
var memoryStream = new MemoryStream();
keyStore.Save(memoryStream, password.ToCharArray(), random);
memoryStream.Position = 0;
// Save certificate
var path = settings.Path;
var folder = Path.GetDirectoryName(path);
if (!string.IsNullOrEmpty(folder))
Directory.CreateDirectory(folder);
// Set path in finished page.
using (var fileStream = new FileStream(path, FileMode.Create, FileAccess.Write))
{
memoryStream.WriteTo(fileStream);
}
if (settings.ImportInCertificateStore)
{
log("Importing certificate in My Certificates store");
var certificate = new X509Certificate2(path, password,
X509KeyStorageFlags.Exportable |
X509KeyStorageFlags.PersistKeySet);
thumbprint = certificate.Thumbprint;
var x509Store2 = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
x509Store2.Open(OpenFlags.ReadWrite);
x509Store2.Add(certificate);
x509Store2.Close();
}
catch (Exception ex)
{
errorMessage = string.Format("Failed to import certificate because: {0}", ex.Message);
return false;
}
}
if (years < 30)
{
log("Certificate is intended for evaluation purposes. It cannot be used to deploy to the market.");
}
return true;
}
catch (Exception ex)
{
ErrorLog.DumpError(ex);
errorMessage = string.Format("Failed to create certificate because {0}.", ex.Message);
return false;
}
}
/// <summary>
/// Creates X509 v3 certificate in PKCS12 file format.
/// </summary>
/// <param name="cn">Common name "CN" value.</param>
/// <param name="password">Private key password.</param>
/// <returns>Returns new X509 v3 certificate in PKCS12 file(.p12 or .pfx) format.</returns>
/// <exception cref="ArgumentNullException">Is raised when <b>cn</b> or <b>password</b> is null reference.</exception>
public static byte[] CreateCertificate(string cn,string password)
{
if(cn == null){
throw new ArgumentNullException("cn");
}
if(password == null){
throw new ArgumentNullException("password");
}
RsaKeyPairGenerator kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()),1024));
AsymmetricCipherKeyPair kp = kpgen.GenerateKeyPair();
BigInteger serial = BigInteger.ProbablePrime(120,new Random());
X509Name certName = new X509Name("CN=" + cn);
X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
gen.SetSerialNumber(serial);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotBefore(DateTime.UtcNow.AddDays(-2));
gen.SetNotAfter(DateTime.UtcNow.AddYears(5));
gen.SetSignatureAlgorithm("MD5WithRSAEncryption");
gen.SetPublicKey(kp.Public);
/*
gen.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public),
new GeneralNames(new GeneralName(certName)),
serial
));*/
gen.AddExtension(X509Extensions.ExtendedKeyUsage,false,new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth,KeyPurposeID.AnyExtendedKeyUsage));
X509Certificate cert = gen.Generate(kp.Private);
X509CertificateEntry certEntry = new X509CertificateEntry(cert);
Pkcs12Store newStore = new Pkcs12Store();
newStore.SetCertificateEntry(cn,certEntry);
newStore.SetKeyEntry(cn,new AsymmetricKeyEntry(kp.Private),new[]{new X509CertificateEntry(cert)});
MemoryStream retVal = new MemoryStream();
newStore.Save(retVal,password.ToCharArray(),new SecureRandom(new CryptoApiRandomGenerator()));
return retVal.ToArray();
}
private static X509Certificate2 ConvertToCertificate2(Pkcs12Store store)
{
var senderCertStream = new MemoryStream();
store.Save(senderCertStream, new char[0], new SecureRandom());
return new X509Certificate2(senderCertStream.ToArray());
}
/// <summary>
/// Static method used to create a certificate and return as a .net object
/// </summary>
public static X509Certificate2 Create(string name, DateTime start, DateTime end, string userPassword, bool addtoStore = false, string exportDirectory = null)
{
// generate a key pair using RSA
var generator = new RsaKeyPairGenerator();
// keys have to be a minimum of 2048 bits for Azure
generator.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 2048));
AsymmetricCipherKeyPair cerKp = generator.GenerateKeyPair();
// get a copy of the private key
AsymmetricKeyParameter privateKey = cerKp.Private;
// create the CN using the name passed in and create a unique serial number for the cert
var certName = new X509Name("CN=" + name);
BigInteger serialNo = BigInteger.ProbablePrime(120, new Random());
// start the generator and set CN/DN and serial number and valid period
var x509Generator = new X509V3CertificateGenerator();
x509Generator.SetSerialNumber(serialNo);
x509Generator.SetSubjectDN(certName);
x509Generator.SetIssuerDN(certName);
x509Generator.SetNotBefore(start);
x509Generator.SetNotAfter(end);
// add the server authentication key usage
var keyUsage = new KeyUsage(KeyUsage.KeyEncipherment);
x509Generator.AddExtension(X509Extensions.KeyUsage, false, keyUsage.ToAsn1Object());
var extendedKeyUsage = new ExtendedKeyUsage(new[] {KeyPurposeID.IdKPServerAuth});
x509Generator.AddExtension(X509Extensions.ExtendedKeyUsage, true, extendedKeyUsage.ToAsn1Object());
// algorithm can only be SHA1 ??
x509Generator.SetSignatureAlgorithm("sha1WithRSA");
// Set the key pair
x509Generator.SetPublicKey(cerKp.Public);
X509Certificate certificate = x509Generator.Generate(cerKp.Private);
// export the certificate bytes
byte[] certStream = DotNetUtilities.ToX509Certificate(certificate).Export(X509ContentType.Pkcs12, userPassword);
// build the key parameter and the certificate entry
var keyEntry = new AsymmetricKeyEntry(privateKey);
var entry = new X509CertificateEntry(certificate);
// build the PKCS#12 store to encapsulate the certificate
var builder = new Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
builder.SetCertAlgorithm(PkcsObjectIdentifiers.Sha1WithRsaEncryption);
builder.SetKeyAlgorithm(PkcsObjectIdentifiers.Sha1WithRsaEncryption);
builder.Build();
// create a memorystream to hold the output
var stream = new MemoryStream(10000);
// create the individual store and set two entries for cert and key
var store = new Pkcs12Store();
store.SetCertificateEntry("Created by Fluent Management", entry);
store.SetKeyEntry("Created by Fluent Management", keyEntry, new[] { entry });
store.Save(stream, userPassword.ToCharArray(), new SecureRandom());
// Create the equivalent C# representation
var cert = new X509Certificate2(stream.GetBuffer(), userPassword, X509KeyStorageFlags.Exportable);
// set up the PEM writer too
if (exportDirectory != null)
{
var textWriter = new StringWriter();
var pemWriter = new PemWriter(textWriter);
pemWriter.WriteObject(cerKp.Private, "DESEDE", userPassword.ToCharArray(), new SecureRandom());
pemWriter.Writer.Flush();
string privateKeyPem = textWriter.ToString();
using (var writer = new StreamWriter(Path.Combine(exportDirectory, cert.Thumbprint + ".pem")))
{
writer.WriteLine(privateKeyPem);
}
// also export the certs - first the .pfx
byte[] privateKeyBytes = cert.Export(X509ContentType.Pfx, userPassword);
using (var writer = new FileStream(Path.Combine(exportDirectory, cert.Thumbprint + ".pfx"), FileMode.OpenOrCreate, FileAccess.Write))
{
writer.Write(privateKeyBytes, 0, privateKeyBytes.Length);
}
// also export the certs - then the .cer
byte[] publicKeyBytes = cert.Export(X509ContentType.Cert);
using (var writer = new FileStream(Path.Combine(exportDirectory, cert.Thumbprint + ".cer"), FileMode.OpenOrCreate, FileAccess.Write))
{
writer.Write(publicKeyBytes, 0, publicKeyBytes.Length);
}
}
// if specified then this add this certificate to the store
if (addtoStore)
AddToMyStore(cert);
return cert;
}
public static void SaveToFile(
X509Certificate newCert,
AsymmetricCipherKeyPair kp,
string FilePath,
string CertAlias,
string Password)
{
var newStore = new Pkcs12Store();
var certEntry = new X509CertificateEntry(newCert);
newStore.SetCertificateEntry(
CertAlias,
certEntry
);
newStore.SetKeyEntry(
CertAlias,
new AsymmetricKeyEntry(kp.Private),
new[] { certEntry }
);
using (var certFile = File.Create(FilePath))
{
newStore.Save(
certFile,
Password.ToCharArray(),
new SecureRandom(new CryptoApiRandomGenerator())
);
}
}
/// <summary>
/// Exports the specified stream and password to a pkcs12 encrypted file.
/// </summary>
/// <remarks>
/// Exports the specified stream and password to a pkcs12 encrypted file.
/// </remarks>
/// <param name="stream">The output stream.</param>
/// <param name="password">The password to use to lock the private keys.</param>
/// <exception cref="System.ArgumentNullException">
/// <para><paramref name="stream"/> is <c>null</c>.</para>
/// <para>-or-</para>
/// <para><paramref name="password"/> is <c>null</c>.</para>
/// </exception>
/// <exception cref="System.IO.IOException">
/// An error occurred while writing to the stream.
/// </exception>
public void Export (Stream stream, string password)
{
if (stream == null)
throw new ArgumentNullException ("stream");
if (password == null)
throw new ArgumentNullException ("password");
var store = new Pkcs12Store ();
foreach (var certificate in certs) {
if (keys.ContainsKey (certificate))
continue;
var alias = certificate.GetCommonName ();
if (alias == null)
continue;
var entry = new X509CertificateEntry (certificate);
store.SetCertificateEntry (alias, entry);
}
foreach (var kvp in keys) {
var alias = kvp.Key.GetCommonName ();
if (alias == null)
continue;
var entry = new AsymmetricKeyEntry (kvp.Value);
var cert = new X509CertificateEntry (kvp.Key);
var chain = new List<X509CertificateEntry> ();
chain.Add (cert);
store.SetKeyEntry (alias, entry, chain.ToArray ());
}
store.Save (stream, password.ToCharArray (), new SecureRandom ());
}
public static X509Certificate2 GenerateSelfSignedCert()
{
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var certificateGenerator = new X509V3CertificateGenerator();
var serialNumber =
BigIntegers.CreateRandomInRange(
BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
const string signatureAlgorithm = "SHA1WithRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
var subjectDN = new X509Name("CN=simpletorrent");
var issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
var notBefore = DateTime.UtcNow.Date.AddHours(-24);
var notAfter = notBefore.AddYears(1000);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
const int strength = 4096;
var keyGenerationParameters = new KeyGenerationParameters(random, strength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var issuerKeyPair = subjectKeyPair;
var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
//mono bug #1660 fix -> convert to definite-length encoding
byte[] pfx = Pkcs12Utilities.ConvertToDefiniteLength(stream.ToArray(), password.ToCharArray());
var convertedCertificate =
new X509Certificate2(
pfx, password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return convertedCertificate;
}
