/** * Create an X.509 Attribute with the type given by the passed in oid and * the value represented by an ASN.1 Set containing value. * * @param oid type of the attribute * @param value value object to go into the atribute's value set. */ public X509Attribute( string oid, Asn1Encodable value) { this.attr = new AttributeX509(new DerObjectIdentifier(oid), new DerSet(value)); }
public void CheckAttributeCertificate( int id, byte[] cert) { Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(cert); string dump = Asn1Dump.DumpAsString(seq); AttributeCertificate obj = AttributeCertificate.GetInstance(seq); AttributeCertificateInfo acInfo = obj.ACInfo; // Version if (!(acInfo.Version.Equals(new DerInteger(1))) && (!(acInfo.Version.Equals(new DerInteger(2))))) { Fail("failed AC Version test for id " + id); } // Holder Holder h = acInfo.Holder; if (h == null) { Fail("failed AC Holder test, it's null, for id " + id); } // Issuer AttCertIssuer aci = acInfo.Issuer; if (aci == null) { Fail("failed AC Issuer test, it's null, for id " + id); } // Signature AlgorithmIdentifier sig = acInfo.Signature; if (sig == null) { Fail("failed AC Signature test for id " + id); } // Serial DerInteger serial = acInfo.SerialNumber; // Validity AttCertValidityPeriod validity = acInfo.AttrCertValidityPeriod; if (validity == null) { Fail("failed AC AttCertValidityPeriod test for id " + id); } // Attributes Asn1Sequence attribSeq = acInfo.Attributes; AttributeX509[] att = new AttributeX509[attribSeq.Count]; for (int i = 0; i < attribSeq.Count; i++) { att[i] = AttributeX509.GetInstance(attribSeq[i]); } // IssuerUniqueId // TODO, how to best test? // X509 Extensions X509Extensions ext = acInfo.Extensions; if (ext != null) { foreach (DerObjectIdentifier oid in ext.ExtensionOids) { X509Extension extVal = ext.GetExtension(oid); } } }
/** * @param at an object representing an attribute. */ internal X509Attribute( Asn1Encodable at) { this.attr = AttributeX509.GetInstance(at); }
/// <summary> /// Creates an ASN.1 DER-encoded PKCS#10 CertificationRequest object representing /// the current state of this CertificateRequest object. /// </summary> /// <returns>An ASN.1 DER-encoded certificate signing request.</returns> public byte[] ExportSigningRequest(PkiEncodingFormat format) { // Based on: // https://github.com/bcgit/bc-csharp/blob/master/crypto/test/src/pkcs/test/PKCS10Test.cs // https://stackoverflow.com/questions/46182659/how-to-delay-sign-the-certificate-request-using-bouncy-castle-with-ecdsa-signatu // http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation: // #X.509PublicKeyCertificateandCertificationRequestGeneration-EllipticCurve(ECDSA) // #X.509PublicKeyCertificateandCertificationRequestGeneration-RSA // #X.509PublicKeyCertificateandCertificationRequestGeneration-CreatingCertificationRequests // https://stackoverflow.com/a/37563051/5428506 var x509name = new X509Name(SubjectName); var pubKey = _keyPair.PublicKey.NativeKey; var prvKey = _keyPair.PrivateKey.NativeKey; // Asn1Set attrSet = null; // if (CertificateExtensions.Count > 0) // { // var certExts = CertificateExtensions.ToDictionary( // ext => ext.Identifier, ext => ext.Value); // var csrAttrs = new[] // { // new Org.BouncyCastle.Asn1.Cms.Attribute( // PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, // new DerSet(new X509Extensions(certExts))), // }; // attrSet = new DerSet(csrAttrs); // } // Based on: // http://forum.rebex.net/4284/pkcs10-certificate-request-example-provided-castle-working var extGen = new X509ExtensionsGenerator(); foreach (var ext in CertificateExtensions) { extGen.AddExtension(ext.Identifier, ext.IsCritical, ext.Value); } var attr = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, new DerSet(extGen.Generate())); var sigFactory = ComputeSignatureAlgorithm(prvKey); var pkcs10 = new Pkcs10CertificationRequest(sigFactory, x509name, pubKey, new DerSet(attr), prvKey); switch (format) { case PkiEncodingFormat.Pem: using (var sw = new StringWriter()) { var pemWriter = new PemWriter(sw); pemWriter.WriteObject(pkcs10); return(Encoding.UTF8.GetBytes(sw.GetStringBuilder().ToString())); } case PkiEncodingFormat.Der: return(pkcs10.GetDerEncoded()); default: throw new NotSupportedException(); } }
public void AddAttribute(AttributeX509 attribute) { attributes.Add(attribute); }
/// <summary>Add an attribute.</summary> public void AddAttribute( X509Attribute attribute) { acInfoGen.AddAttribute(AttributeX509.GetInstance(attribute.ToAsn1Object())); }
static void Main(string[] args) { Console.WriteLine("Please select option 1/2"); string option = Console.ReadLine(); if (option == "1") { Certificate cert = new Certificate(2048); Console.WriteLine("---------------------------- AS2805.6.5.3 Option 1--------------------------------------------------------"); Console.WriteLine("---------------Manufacturer’s key pair (PKman, SKman)---------------"); Certificate man = new Certificate(2048); byte[] PKman = man.GetPublicKey(); byte[] SKman = man.GetPrivateKey(); Console.WriteLine("------------------Terminal cryptographic unit’s key pair (PKtcu, SKtcu)-------------------"); Certificate tcu = new Certificate(2048); byte[] PKtcu = tcu.GetPublicKey(); byte[] SKtcu = tcu.GetPrivateKey(); Console.WriteLine("----------------Sponsor’s key pair (PKsp, SKsp)------------------------"); Certificate sp = new Certificate(2048); byte[] PKsp = sp.GetPublicKey(); byte[] SKsp = sp.GetPrivateKey(); Console.WriteLine("--------------Getting RNsp, tcuid and user data -------------- "); Random rnd = new Random(); string RNsp = rnd.Next(222222, 999999).ToString(); byte[] RNsp_bytes = Encoding.ASCII.GetBytes(RNsp); Console.WriteLine("RNsp: \t" + RNsp); string user_data = "OPTIONAL USER DATA THAT CAN BE ANY LENGTH"; byte[] user_data_bytes = Encoding.ASCII.GetBytes(user_data); Console.WriteLine("User Data: \t" + user_data); string tcuid = "MN044712H"; byte[] tcuid_bytes = Encoding.ASCII.GetBytes(tcuid); Console.WriteLine("TCUID: \t" + tcuid); string AIIC = "0000045127823121"; byte[] AIIC_bytes = Encoding.ASCII.GetBytes(AIIC); Console.WriteLine("AIIC: \t" + AIIC); SecureRandom random = new SecureRandom(); DesEdeKeyGenerator keyGen = new DesEdeKeyGenerator(); keyGen.Init(new KeyGenerationParameters(random, 128)); byte[] KI_bytes = keyGen.GenerateKey(); string KI = BitConverter.ToString(KI_bytes).Replace("-", string.Empty); Console.WriteLine("KI: \t" + KI); byte[] KIA_bytes = keyGen.GenerateKey(); string KIA = BitConverter.ToString(KIA_bytes).Replace("-", string.Empty); Console.WriteLine("KIA: \t" + KIA); byte[] KCA_bytes = keyGen.GenerateKey(); string KCA = BitConverter.ToString(KCA_bytes).Replace("-", string.Empty); Console.WriteLine("KCA: \t" + KCA); DateTime today = DateTime.Now.Date; byte[] today_bytes = Encoding.ASCII.GetBytes(today.ToString("yyyyMMdd HH:mm:ss")); Console.WriteLine("DTS: \t" + today.ToString("yyyyMMdd HH:mm:ss")); Console.WriteLine("-----------------------------------------------------------------------"); Console.WriteLine("--------------------------Sponsor Pre-Compute--------------------------"); HashMAC hash = new HashMAC(new Sha256Digest()); byte[] H_PKman_userdata = hash.Hash_Data(PKman.Concat(user_data_bytes).ToArray()); Console.WriteLine("SHA256 Hash of PKman + user data : \n" + Utils.HexDump(H_PKman_userdata)); byte[] H_PKsp_RNsp_userdata = hash.Hash_Data(PKsp.Concat(RNsp_bytes).Concat(user_data_bytes).ToArray()); //Console.WriteLine("SHA256 Hash of PKsp + user data : \n" + Utils.HexDump(H_PKman_userdata)); Console.WriteLine("----------------------------------------------------------------------------------"); Signature sign = new Signature(); byte[] sSKman_H_PKman_userdata = sign.SignData(H_PKman_userdata, man.get_Private_Params()); Console.WriteLine("Sponsor Verifies Manufacturer Signature of sSKman(H(PKman + user data)) : \n" + Utils.HexDump(sSKman_H_PKman_userdata)); byte[] sSKman_H_PKsp_RNsp_userdata = sign.SignData(H_PKsp_RNsp_userdata, man.get_Private_Params()); //Console.WriteLine("Signature of sSKman(H(PKsp + user data)) : \n" + Utils.HexDump(sSKman_H_PKsp_userdata)); byte[] H_PKsp = hash.Hash_Data(PKsp); //Console.WriteLine("SHA256 Hash of PKsp : \n" + Utils.HexDump(H_PKsp)); byte[] sSKman_H_PKsp = sign.SignData(H_PKsp, man.get_Private_Params()); //Console.WriteLine("Signature of sSKman(H(PKsp))) : \n" + Utils.HexDump(sSKman_H_PKsp)); //Console.WriteLine("--------------------------TCU Pre-Compute--------------------------"); byte[] H_PKtcu = hash.Hash_Data(PKtcu); //Console.WriteLine("SHA256 Hash of PKtcu : \n" + Utils.HexDump(H_PKtcu)); //Pad pad = new Pad(); //var padHash = pad.Pad_Data(H_PKtcu, 128); //Console.WriteLine("SHA256 Hash of PKtcu and PKCS v1.5 padding : \n" + Utils.HexDump(padHash)); Console.WriteLine("----------------------------------------------------------------------------------"); byte[] sSKman_H_PKtcu_ = sign.SignData(H_PKtcu, man.get_Private_Params()); Console.WriteLine("Termninal Verifies Manufacturer Signature of PKtcu sSKman(H(PKtcu)) :\n" + Utils.HexDump(sSKman_H_PKtcu_)); Console.WriteLine("----------------------------------------------------------------------------------"); byte[] sSKman_H_PKtcu_TCUID_userdata = sign.SignData(H_PKtcu.Concat(tcuid_bytes).Concat(user_data_bytes).ToArray(), man.get_Private_Params()); //Console.WriteLine("Signature of sSKman(H(PKtcu)|TCUID|user data) : \n" + Utils.HexDump(sSKman_H_PKtcu)); //Console.ReadLine(); Console.WriteLine("-------------------------- OPTION 1 --------------------------"); Console.WriteLine("--------------------------SIGN ON REQUEST 1--------------------------\n\n"); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("TCU -> Sending:..."); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("User Data: " + user_data + "\n" + Utils.HexDump(user_data_bytes)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("TCUID: " + tcuid + " \n" + Utils.HexDump(tcuid_bytes)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("H(PKtcu) \n" + Utils.HexDump(H_PKtcu)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("sSKman(H(PKtcu)|TCUID|user data) \n" + Utils.HexDump(sSKman_H_PKtcu_TCUID_userdata)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("------------------------SIGN ON RESPONSE 1--------------------------------------"); Console.WriteLine("Veryfying Signature of sSKman(H(PKtcu)|TCUID|user data)"); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("User Data: " + user_data + "\n" + Utils.HexDump(user_data_bytes)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("RNsp: " + RNsp + "\n" + Utils.HexDump(RNsp_bytes)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("H(PKsp|RNsp|userdata) \n" + Utils.HexDump(H_PKsp_RNsp_userdata)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Sign: sSKman(H(PKsp|RNsp|user data)):\n" + Utils.HexDump(sSKman_H_PKsp_RNsp_userdata)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("-------------------------- SIGN ON REQUEST 2--------------------------\n\n"); //Construct cryptogram encrypted by PKsp Console.WriteLine("Constructing the KI KeyBlock cryptogram (KI, TCUID, RNsp, DTS, user dat)----------"); Asn1 asn = new Asn1(); byte[] KI_KeyBlock_bytes = asn.KI_KeyBlock(KI_bytes, tcuid_bytes, today_bytes, RNsp_bytes, user_data_bytes); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine(Utils.HexDump(KI_KeyBlock_bytes)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Encrypt: ePKsp(KI, TCUID, RNsp, DTS, user data): \n"); byte[] PKsp_KI_TCUID_RNsp_DTS_user_data = sp.Encrypt(KI_KeyBlock_bytes); Console.WriteLine(Utils.HexDump(PKsp_KI_TCUID_RNsp_DTS_user_data)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Hash: H(ePKsp(KI, TCUID, RNsp, DTS, user data)): \n"); byte[] H_PKsp_KI_TCUID_RNsp_DTS_user_data = hash.Hash_Data(PKsp_KI_TCUID_RNsp_DTS_user_data); Console.WriteLine(Utils.HexDump(H_PKsp_KI_TCUID_RNsp_DTS_user_data)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Sign: sSKtcu(H(ePKsp(KI, TCUID, RNsp, DTS, user data))): \n"); byte[] sSKtcu_H_PKsp_KI_TCUID_RNsp_DTS_user_data = sign.SignData(H_PKsp_KI_TCUID_RNsp_DTS_user_data, tcu.get_Private_Params()); Console.WriteLine(Utils.HexDump(sSKtcu_H_PKsp_KI_TCUID_RNsp_DTS_user_data)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Send Signature and Encryption to Sponsor so that KI can be extracted \n"); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Verify: sSKtcu(H(ePKsp(KI, TCUID, RNsp, DTS, user data))): \n"); bool sSKtcuV = sign.VerifySignature(tcu.get_Public_Params(), sSKtcu_H_PKsp_KI_TCUID_RNsp_DTS_user_data, H_PKsp_KI_TCUID_RNsp_DTS_user_data); Console.WriteLine("Verified: " + sSKtcuV); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("Decrypt: ePKsp(KI, TCUID, RNsp, DTS, user data): \n"); Console.WriteLine("Decrypted:\n" + Utils.HexDump(sp.Decrypt(PKsp_KI_TCUID_RNsp_DTS_user_data))); Console.WriteLine("----------------------------------------------------------------------------------\n\n"); Console.WriteLine("-------------------------- SIGN ON RESPONSE 2-------------------------\n\n"); /* * The KCA shall be used to derive a unique KIA_n per acquirer. The sponsor shall be responsible for providing the KIA_n to each acquirer through a secure channel. * Each acquirer shall use its unique KIAn to download or derive the initial key(s) required for the appropriate key management scheme * * * The AIIC is right justified and left zero filled in a 128-bit data field. * KMACI_n = (OWF(KIA_n,D)) * KCA = */ DESAES desaes = new DESAES(); Console.WriteLine("-------------------------Calculate KMACI_n = HMAC(KIA_n,AIIC) -------------------------\n"); Console.WriteLine("-------------------------OWF = SHA256 HMAC -------------------------"); byte[] H_KIA_n_AIIC = hash.HMAC(AIIC_bytes, KIA_bytes); Console.WriteLine("KMAC = \n" + Utils.HexDump(H_KIA_n_AIIC)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("KCA = \n" + Utils.HexDump(KCA_bytes)); Console.WriteLine("------------------------------ENCRYPT---------------------------------------------"); var E_KMAC = desaes.EncryptDES3(H_KIA_n_AIIC, KI_bytes); Console.WriteLine("e(KMAC) = \n" + Utils.HexDump(E_KMAC)); Console.WriteLine("----------------------------------------------------------------------------------"); var E_KCA = desaes.EncryptDES3(KCA_bytes, KI_bytes); Console.WriteLine("e(KCA) = \n" + Utils.HexDump(E_KCA)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("------------------------------DECRYPT---------------------------------------------"); var D_KCA = desaes.DecryptDES3(E_KCA, KI_bytes); Console.WriteLine("d(KCA) = \n" + Utils.HexDump(D_KCA)); Console.WriteLine("----------------------------------------------------------------------------------"); var D_KMAC = desaes.DecryptDES3(E_KMAC, KI_bytes); Console.WriteLine("d(KMAC) = \n" + Utils.HexDump(D_KMAC)); Console.WriteLine("----------------------------------------------------------------------------------"); Console.WriteLine("**------------------------------DONE--------------------------------------------**"); } else { bool ForEncryption = true; //Requested Certificate Name and things X509Name name = new X509Name("C=Commonwealth Bank of Australia, O=CBA, OU=Cryptographical Services, CN=TID25124548"); //Key generation 2048bits var rkpg = new RsaKeyPairGenerator(); rkpg.Init(new KeyGenerationParameters(new SecureRandom(), 2048)); AsymmetricCipherKeyPair ackp = rkpg.GenerateKeyPair(); //BAPI.EncryptionKey; //if (!ForEncryption) ackp = BAPI.SignKey; //Key Usage Extension var ku = new KeyUsage(ForEncryption ? KeyUsage.KeyEncipherment : KeyUsage.DigitalSignature); var extgen = new Org.BouncyCastle.Asn1.X509.X509ExtensionsGenerator(); extgen.AddExtension(X509Extensions.KeyUsage, true, ku); var attribute = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, new DerSet(extgen.Generate())); //PKCS #10 Certificate Signing Request Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest("SHA1WITHRSA", name, ackp.Public, new DerSet(attribute), ackp.Private); //new DerSet(new DerOctetString(ku)) var csrbytedata = csr.GetDerEncoded(); var asn1Csr = csr.ToAsn1Object(); ////// Console.WriteLine(asn1Csr.GetDerEncoded().ToString()); Console.WriteLine(Utils.HexDump(csrbytedata)); string pwd = "password"; var suppliers = new[] { "CN=*.cba.com.au" }; var CA_issuer = new X509(suppliers, "CN=CBA RootCA, OU=Cryptographical Services, O=Commonwealth Bank of Australia, L=SYDNEY, C=AU", CertStrength.bits_2048); X509Certificate2 GeneratedCert = CA_issuer.MakeCertificate(pwd, "CN=TID25124548.cba.com.au, OU=Commonwealth Bank of Australia, OU=CBA Business System Hosting, O=Commonwealth Bank of Australia, C=AU", 2); Console.WriteLine(GeneratedCert.ToString()); Console.WriteLine(Utils.HexDump(GeneratedCert.Export(X509ContentType.Pkcs12, pwd))); Console.ReadLine(); } }
public PkiCertificateSigningRequest(PkiEncodingFormat format, byte[] encoded, PkiHashAlgorithm hashAlgorithm) { Pkcs10CertificationRequest pkcs10; switch (format) { case PkiEncodingFormat.Pem: var encodedString = Encoding.UTF8.GetString(encoded); using (var sr = new StringReader(encodedString)) { var pemReader = new PemReader(sr); pkcs10 = pemReader.ReadObject() as Pkcs10CertificationRequest; if (pkcs10 == null) { throw new Exception("invalid PEM object is not PKCS#10 archive"); } } break; case PkiEncodingFormat.Der: pkcs10 = new Pkcs10CertificationRequest(encoded); break; default: throw new NotSupportedException(); } var info = pkcs10.GetCertificationRequestInfo(); var nativePublicKey = pkcs10.GetPublicKey(); var rsaKey = nativePublicKey as RsaKeyParameters; var ecdsaKey = nativePublicKey as ECPublicKeyParameters; if (rsaKey != null) { PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Rsa); } else if (ecdsaKey != null) { PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Ecdsa); } else { throw new NotSupportedException("unsupported asymmetric algorithm key"); } SubjectName = info.Subject.ToString(); HashAlgorithm = hashAlgorithm; // // // Based on: // // // http://forum.rebex.net/4284/pkcs10-certificate-request-example-provided-castle-working // // var extGen = new X509ExtensionsGenerator(); // // foreach (var ext in CertificateExtensions) // // { // // extGen.AddExtension(ext.Identifier, ext.IsCritical, ext.Value); // // } // // var attr = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, // // new DerSet(extGen.Generate())); // Based on: // http://unitstep.net/blog/2008/10/27/extracting-x509-extensions-from-a-csr-using-the-bouncy-castle-apis/ // https://stackoverflow.com/q/24448909/5428506 foreach (var attr in info.Attributes.ToArray()) { if (attr is DerSequence derSeq && derSeq.Count == 2) { var attrX509 = AttributeX509.GetInstance(attr); if (object.Equals(attrX509.AttrType, PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) { // The `Extension Request` attribute is present. // The X509Extensions are contained as a value of the ASN.1 Set. // Assume that it is the first value of the set. if (attrX509.AttrValues.Count >= 1) { var csrExts = X509Extensions.GetInstance(attrX509.AttrValues[0]); foreach (var extOid in csrExts.GetExtensionOids()) { if (object.Equals(extOid, X509Extensions.SubjectAlternativeName)) { var ext = csrExts.GetExtension(extOid); var extVal = ext.Value; var der = extVal.GetDerEncoded(); // The ext value, which is an ASN.1 Octet String, **MIGHT** be tagged with // a leading indicator that it's an Octet String and its length, so we want // to remove it if that's the case to extract the GeneralNames collection if (der.Length > 2 && der[0] == 4 && der[1] == der.Length - 2) { der = der.Skip(2).ToArray(); } var asn1obj = Asn1Object.FromByteArray(der); var gnames = GeneralNames.GetInstance(asn1obj); CertificateExtensions.Add(new PkiCertificateExtension { Identifier = extOid, IsCritical = ext.IsCritical, Value = gnames, }); } } // No need to search any more. break; } } } } }