/**
* generate a signature for the message we've been loaded with using
* the key we were initialised with.
*/
public byte[] generateSignature()
{
if (forSigning)
{
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
ASN1EncodableVector v = new ASN1EncodableVector();
byte[] dig = new byte[digest.getDigestSize()];
digest.doFinal(dig, 0);
BigInteger[] sig = dsaSigner.generateSignature(dig);
v.add(new DERInteger(sig[0]));
v.add(new DERInteger(sig[1]));
dOut.writeObject(new DERSequence(v));
dOut.Flush();
byte[] output = bOut.ToArray();
dOut.Close();
return(output);
}
throw new Exception("DSADigestSigner initialised for verification..");
}
/// <summary>
/// Return the DER encoded TBSCertificate data.
/// This is the certificate component less the signature.
/// To get the whole certificate call the getEncoded() member.
/// </summary>
/// <returns>A byte array containing the DER encoded Certificate component.</returns>
public byte[] getTBSCertificate()
{
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
dOut.writeObject(xStruct.getTBSCertificate());
return(bOut.ToArray());
}
/// <summary>
/// Get the DER Encoded PKCS10 Certification Request.
/// </summary>
/// <returns>A byte array.</returns>
public byte[] getEncoded()
{
MemoryStream mStr = new MemoryStream();
DEROutputStream derOut = new DEROutputStream(mStr);
derOut.writeObject(new CertificationRequest(reqInfo, sigAlgId, sigBits));
derOut.Flush();
byte[] _out = mStr.ToArray();
mStr.Close();
return(_out);
}
/// <summary>
/// Instanciate a PKCS10CertificationRequest object with the necessary credentials.
/// </summary>
///<param name="signatureAlgorithm">Name of Sig Alg.</param>
/// <param name="subject">X509Name of subject eg OU="My unit." O="My Organisatioin" C="au" </param>
/// <param name="key">Public Key to be included in cert reqest.</param>
/// <param name="attributes">ASN1Set of Attributes.</param>
/// <param name="signingKey">Matching Private key for nominated (above) public key to be used to sign the request.</param>
public PKCS10CertificationRequest(String signatureAlgorithm,
X509Name subject,
AsymmetricKeyParameter key,
ASN1Set attributes,
AsymmetricKeyParameter signingKey)
{
DERObjectIdentifier sigOID = SignerUtil.getObjectIdentifier(signatureAlgorithm.ToUpper());
if (sigOID == null)
{
throw new ArgumentException("Unknown signature type requested");
}
if (subject == null)
{
throw new ArgumentException("subject must not be null");
}
if (key == null)
{
throw new ArgumentException("public key must not be null");
}
this.sigAlgId = new AlgorithmIdentifier(sigOID, null);
SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(key);
this.reqInfo = new CertificationRequestInfo(subject, pubInfo, attributes);
Signer sig = null;
// Create appropriate Signature.
sig = SignerUtil.getSigner(sigAlgId.getObjectId());
sig.init(true, signingKey);
// Encode.
MemoryStream mStr = new MemoryStream();
DEROutputStream derOut = new DEROutputStream(mStr);
derOut.writeObject(reqInfo);
// Sign
byte[] b = mStr.ToArray();
sig.update(b, 0, b.Length);
// Generate Signature.
sigBits = new DERBitString(sig.generateSignature());
}
private byte[] derEncode(
byte[] hash)
{
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
DigestInfo dInfo = new DigestInfo(algId, hash);
dOut.writeObject(dInfo);
dOut.Flush();
return(bOut.ToArray());
}
internal override void encode(
DEROutputStream derOut)
{
if (derOut is ASN1OutputStream || derOut is BEROutputStream)
{
derOut.WriteByte((byte)ASN1Tags.NULL);
}
else
{
base.encode(derOut);
}
}
/// <summary>
/// Return a DER encoded version of this certificate.
/// </summary>
/// <returns>A byte array.</returns>
public byte[] getEncoded()
{
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
try
{
dOut.writeObject(xStruct);
return(bOut.ToArray());
}
catch (IOException e)
{
throw new Exception(e.Message);
}
}
private byte[] derEncode(
BigInteger r,
BigInteger s)
{
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(new DERInteger(r));
v.add(new DERInteger(s));
dOut.writeObject(new DERSequence(v));
return(bOut.ToArray());
}
/// <summary>
/// Generate a new X509Certificate specifying a SecureRandom instance that you would like to use.
/// </summary>
/// <param name="privateKey">The private key of the issuer used to sign this certificate.</param>
/// <param name="random">The Secure Random you want to use.</param>
/// <returns></returns>
public X509CertificateStructure generateX509Certificate(
AsymmetricKeyParameter privateKey,
SecureRandom random)
{
Signer sig = null;
try {
sig = SignerUtil.getSigner(sigOID);
}
catch (Exception ex)
{
throw new Exception("exception creating signature: " + ex.Message);
}
if (random != null)
{
sig.init(true, privateKey);
}
else
{
sig.init(true, new ParametersWithRandom(privateKey, random));
}
TBSCertificateStructure tbsCert = tbsGen.generateTBSCertificate();
try
{
MemoryStream mStr = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(mStr);
dOut.writeObject(tbsCert);
mStr.Flush();
byte[] b = mStr.ToArray();
sig.update(b, 0, b.Length);
}
catch (Exception e)
{
throw new Exception("exception encoding TBS cert - " + e);
}
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(tbsCert);
v.add(sigAlgId);
v.add(new DERBitString(sig.generateSignature()));
return(new X509CertificateStructure(new DERSequence(v)));
}
/// <summary>
/// Add an extension to this certificate.
/// </summary>
/// <param name="OID">Its Object identifier.</param>
/// <param name="critical">Is it crtical.</param>
/// <param name="value">The value.</param>
public void addExtension(DERObjectIdentifier OID, bool critical, ASN1Encodable value)
{
MemoryStream mStr = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(mStr);
try
{
dOut.writeObject(value);
}
catch (IOException e)
{
throw new Exception("error encoding value: " + e);
}
this.addExtension(OID, critical, mStr.ToArray());
}
/// <summary>
/// Verify PKCS10 Cert Reqest is valid.
/// </summary>
/// <returns>true = valid.</returns>
public bool verify()
{
Signer sig = null;
sig = SignerUtil.getSigner(sigAlgId.getObjectId());
sig.init(false, getPublicKey());
MemoryStream mStr = new MemoryStream();
DEROutputStream derOut = new DEROutputStream(mStr);
derOut.writeObject(reqInfo);
derOut.Flush();
byte[] b = mStr.ToArray();
sig.update(b, 0, b.Length);
mStr.Close();
return(sig.verifySignature(sigBits.getBytes()));
}
/// <summary>
/// Get the signature algorithms parameters. (EG DSA Parameters)
/// </summary>
/// <returns>A byte array containing the DER encoded version of the parameters or null if there are none.</returns>
public byte[] getSigAlgParams()
{
MemoryStream bOut = new MemoryStream();
if (xStruct.getSignatureAlgorithm().getParameters() != null)
{
try
{
DEROutputStream dOut = new DEROutputStream(bOut);
dOut.writeObject(xStruct.getSignatureAlgorithm().getParameters());
}
catch (Exception e)
{
throw new Exception("exception getting sig parameters " + e);
}
return(bOut.ToArray());
}
else
{
return(null);
}
}
public void addCRLEntry(DERInteger userCertificate, Time revocationDate, int reason)
{
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(userCertificate);
v.add(revocationDate);
if (reason != 0)
{
CRLReason rf = new CRLReason(reason);
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
try
{
dOut.writeObject(rf);
}
catch (IOException e)
{
throw new ArgumentException("error encoding value: " + e);
}
byte[] value = bOut.ToArray();
ASN1EncodableVector v1 = new ASN1EncodableVector();
v1.add(X509Extensions.ReasonCode);
v1.add(new DEROctetString(value));
X509Extensions ex = new X509Extensions(new DERSequence(
new DERSequence(v1)));
v.add(ex);
}
if (crlentries == null)
{
crlentries = new ArrayList();
}
crlentries.Add(new DERSequence(v));
}
internal override void encode(
DEROutputStream derOut)
{
derOut.writeEncoded(ASN1Tags.OCTET_STRING, str);
}
public void save(Stream stream, char[] password, SecureRandom random)
{
if (password == null)
{
throw new ArgumentException("No password supplied for PKCS12Store.");
}
ContentInfo[] c = new ContentInfo[2];
//
// handle the key
//
ASN1EncodableVector keyS = new ASN1EncodableVector();
IEnumerator ks = keys.Keys.GetEnumerator();
while (ks.MoveNext())
{
byte[] kSalt = new byte[saltSize];
random.nextBytes(kSalt);
String name = (String)ks.Current;
AsymmetricKeyEntry privKey = (AsymmetricKeyEntry)keys[name];
EncryptedPrivateKeyInfo kInfo = EncryptedPrivateKeyInfoFactory.createEncryptedPrivateKeyInfo(keyAlgorithm, password, kSalt, minIterations, privKey.getKey());
ASN1EncodableVector kName = new ASN1EncodableVector();
IEnumerator e = privKey.getBagAttributeKeys();
while (e.MoveNext())
{
String oid = (String)e.Current;
ASN1EncodableVector kSeq = new ASN1EncodableVector();
kSeq.add(new DERObjectIdentifier(oid));
kSeq.add(new DERSet(privKey.getBagAttribute(new DERObjectIdentifier(oid))));
kName.add(new DERSequence(kSeq));
}
//
// make sure we have a local key-id
//
if (privKey.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId) == null)
{
ASN1EncodableVector kSeq = new ASN1EncodableVector();
X509CertificateEntry ct = getCertificate(name);
kSeq.add(PKCSObjectIdentifiers.pkcs_9_at_localKeyId);
kSeq.add(new DERSet(new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(ct.getCertificate().getPublicKey()))));
kName.add(new DERSequence(kSeq));
}
//
// make sure we are using the local alias on store
//
DERBMPString nm = (DERBMPString)privKey.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
if (nm == null || !nm.getString().Equals(name))
{
ASN1EncodableVector kSeq = new ASN1EncodableVector();
kSeq.add(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
kSeq.add(new DERSet(new DERBMPString(name)));
kName.add(new DERSequence(kSeq));
}
SafeBag kBag = new SafeBag(PKCSObjectIdentifiers.pkcs8ShroudedKeyBag, kInfo.toASN1Object(), new DERSet(kName));
keyS.add(kBag);
}
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
dOut.writeObject(new DERSequence(keyS));
BEROctetString keyString = new BEROctetString(bOut.ToArray());
//
// certficate processing
//
byte[] cSalt = new byte[saltSize];
random.nextBytes(cSalt);
ASN1EncodableVector certSeq = new ASN1EncodableVector();
PKCS12PBEParams cParams = new PKCS12PBEParams(cSalt, minIterations);
AlgorithmIdentifier cAlgId = new AlgorithmIdentifier(certAlgorithm, cParams.toASN1Object());
Hashtable doneCerts = new Hashtable();
IEnumerator cs = keys.Keys.GetEnumerator();
while (cs.MoveNext())
{
try
{
String name = (String)cs.Current;
X509CertificateEntry cert = getCertificate(name);
CertBag cBag = new CertBag(
PKCSObjectIdentifiers.x509certType,
new DEROctetString(cert.getCertificate().getEncoded()));
ASN1EncodableVector fName = new ASN1EncodableVector();
IEnumerator e = cert.getBagAttributeKeys();
while (e.MoveNext())
{
String oid = (String)e.Current;
ASN1EncodableVector fSeq = new ASN1EncodableVector();
fSeq.add(new DERObjectIdentifier(oid));
fSeq.add(new DERSet(cert.getBagAttribute(new DERObjectIdentifier(oid))));
fName.add(new DERSequence(fSeq));
}
//
// make sure we are using the local alias on store
//
DERBMPString nm = (DERBMPString)cert.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
if (nm == null || !nm.getString().Equals(name))
{
ASN1EncodableVector fSeq = new ASN1EncodableVector();
fSeq.add(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
fSeq.add(new DERSet(new DERBMPString(name)));
fName.add(new DERSequence(fSeq));
}
//
// make sure we have a local key-id
//
if (cert.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId) == null)
{
ASN1EncodableVector fSeq = new ASN1EncodableVector();
fSeq.add(PKCSObjectIdentifiers.pkcs_9_at_localKeyId);
fSeq.add(new DERSet(new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(cert.getCertificate().getPublicKey()))));
fName.add(new DERSequence(fSeq));
}
SafeBag sBag = new SafeBag(PKCSObjectIdentifiers.certBag, cBag.toASN1Object(), new DERSet(fName));
certSeq.add(sBag);
doneCerts.Add(cert, cert);
}
catch (Exception e)
{
throw new Exception("Error encoding certificate: " + e.Message);
}
}
cs = certs.Keys.GetEnumerator();
while (cs.MoveNext())
{
try
{
String certId = (String)cs.Current;
X509CertificateEntry cert = (X509CertificateEntry)certs[certId];
if (keys[certId] != null)
{
continue;
}
CertBag cBag = new CertBag(
PKCSObjectIdentifiers.x509certType,
new DEROctetString(cert.getCertificate().getEncoded()));
ASN1EncodableVector fName = new ASN1EncodableVector();
IEnumerator e = cert.getBagAttributeKeys();
while (e.MoveNext())
{
String oid = (String)e.Current;
ASN1EncodableVector fSeq = new ASN1EncodableVector();
fSeq.add(new DERObjectIdentifier(oid));
fSeq.add(new DERSet(cert.getBagAttribute(new DERObjectIdentifier(oid))));
fName.add(new DERSequence(fSeq));
}
//
// make sure we are using the local alias on store
//
DERBMPString nm = (DERBMPString)cert.getBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
if (nm == null || !nm.getString().Equals(certId))
{
ASN1EncodableVector fSeq = new ASN1EncodableVector();
fSeq.add(PKCSObjectIdentifiers.pkcs_9_at_friendlyName);
fSeq.add(new DERSet(new DERBMPString(certId)));
fName.add(new DERSequence(fSeq));
}
SafeBag sBag = new SafeBag(PKCSObjectIdentifiers.certBag, cBag.toASN1Object(), new DERSet(fName));
certSeq.add(sBag);
doneCerts.Add(cert, cert);
}
catch (Exception e)
{
throw new Exception("Error encoding certificate: " + e.Message);
}
}
cs = chainCerts.Keys.GetEnumerator();
while (cs.MoveNext())
{
try
{
CertId certId = (CertId)cs.Current;
X509CertificateEntry cert = (X509CertificateEntry)chainCerts[certId];
if (doneCerts[cert] != null)
{
continue;
}
CertBag cBag = new CertBag(
PKCSObjectIdentifiers.x509certType,
new DEROctetString(cert.getCertificate().getEncoded()));
ASN1EncodableVector fName = new ASN1EncodableVector();
IEnumerator e = cert.getBagAttributeKeys();
while (e.MoveNext())
{
DERObjectIdentifier oid = (DERObjectIdentifier)e.Current;
ASN1EncodableVector fSeq = new ASN1EncodableVector();
fSeq.add(oid);
fSeq.add(new DERSet(cert.getBagAttribute(oid)));
fName.add(new DERSequence(fSeq));
}
SafeBag sBag = new SafeBag(PKCSObjectIdentifiers.certBag, cBag.toASN1Object(), new DERSet(fName));
certSeq.add(sBag);
}
catch (Exception e)
{
throw new Exception("Error encoding certificate: " + e.Message);
}
}
bOut = new MemoryStream();
dOut = new DEROutputStream(bOut);
dOut.writeObject(new DERSequence(certSeq));
dOut.Close();
byte[] certBytes = encryptData(new AlgorithmIdentifier(certAlgorithm, cParams), bOut.ToArray(), password);
EncryptedData cInfo = new EncryptedData(PKCSObjectIdentifiers.data, cAlgId, new BEROctetString(certBytes));
c[0] = new ContentInfo(PKCSObjectIdentifiers.data, keyString);
c[1] = new ContentInfo(PKCSObjectIdentifiers.encryptedData, cInfo.toASN1Object());
AuthenticatedSafe auth = new AuthenticatedSafe(c);
bOut = new MemoryStream();
BEROutputStream berOut = new BEROutputStream(bOut);
berOut.writeObject(auth);
byte[] pkg = bOut.ToArray();
ContentInfo mainInfo = new ContentInfo(PKCSObjectIdentifiers.data, new BEROctetString(pkg));
//
// create the mac
//
byte[] mSalt = new byte[20];
int itCount = minIterations;
random.nextBytes(mSalt);
byte[] data = ((ASN1OctetString)mainInfo.getContent()).getOctets();
MacData mData = null;
try
{
ASN1Encodable parameters = PBEUtil.generateAlgorithmParameters(OIWObjectIdentifiers.id_SHA1, mSalt, itCount);
CipherParameters keyParameters = PBEUtil.generateCipherParameters(OIWObjectIdentifiers.id_SHA1, password, parameters);
Mac mac = (Mac)PBEUtil.createEngine(OIWObjectIdentifiers.id_SHA1);
mac.init(keyParameters);
mac.update(data, 0, data.Length);
byte[] res = new byte[mac.getMacSize()];
mac.doFinal(res, 0);
AlgorithmIdentifier algId = new AlgorithmIdentifier(OIWObjectIdentifiers.id_SHA1, new DERNull());
DigestInfo dInfo = new DigestInfo(algId, res);
mData = new MacData(dInfo, mSalt, itCount);
}
catch (Exception e)
{
throw new Exception("error constructing MAC: " + e.Message);
}
//
// output the Pfx
//
Pfx pfx = new Pfx(mainInfo, mData);
berOut = new BEROutputStream(stream);
berOut.writeObject(pfx);
}
/// <summary>
///
/// </summary>
/// <param name="signingAlgorithm">The OID of the signing algorithm.</param>
/// <param name="privkey">The signing private key.</param>
/// <param name="chain">An array containing X509Certificate objects, can be null.</param>
/// <param name="producedAt">The time this response is produced at.</param>
/// <param name="random">A SecureRandom instance.</param>
/// <returns></returns>
public BasicOCSPResp generateResponse(
DERObjectIdentifier signingAlgorithm,
AsymmetricKeyParameter privkey,
X509Certificate[] chain,
DateTime producedAt,
SecureRandom random)
{
IEnumerator it = list.GetEnumerator();
ASN1EncodableVector responses = new ASN1EncodableVector();
while (it.MoveNext())
{
try
{
responses.add(((ResponseObject)it.Current).toResponse());
}
catch (Exception e)
{
throw new OCSPException("exception creating Request", e);
}
}
ResponseData tbsResp = new ResponseData(new DERInteger(0), responderID.toASN1Object(), new DERGeneralizedTime(producedAt), new DERSequence(responses), responseExtensions);
Signer sig = null;
try
{
sig = SignerUtil.getSigner(signingAlgorithm);
if (random != null)
{
sig.init(true, new ParametersWithRandom(privkey, random));
}
else
{
sig.init(true, privkey);
}
}
catch (Exception e)
{
throw new OCSPException("exception creating signature: " + e, e);
}
DERBitString bitSig = null;
try
{
MemoryStream bOut = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(bOut);
dOut.writeObject(tbsResp);
byte[] b = bOut.ToArray();
sig.update(b, 0, b.Length);
bitSig = new DERBitString(sig.generateSignature());
}
catch (Exception e)
{
throw new OCSPException("exception processing TBSRequest: " + e, e);
}
AlgorithmIdentifier sigAlgId = new AlgorithmIdentifier(signingAlgorithm, new DERNull());
if (chain != null && chain.Length > 0)
{
ASN1EncodableVector v = new ASN1EncodableVector();
try
{
for (int i = 0; i != chain.Length; i++)
{
v.add(new X509CertificateStructure(
(ASN1Sequence)makeObj(chain[i].getEncoded())));
}
}
catch (IOException e)
{
throw new OCSPException("error processing certs", e);
}
return(new BasicOCSPResp(new BasicOCSPResponse(tbsResp, sigAlgId, bitSig, new DERSequence(v))));
}
else
{
return(new BasicOCSPResp(new BasicOCSPResponse(tbsResp, sigAlgId, bitSig, null)));
}
}
/// <summary>
/// Generate an X509Certificate using your own SecureRandom.
/// </summary>
/// <param name="key">The private key of the issuer that is signing this certificate.</param>
/// <param name="random">You Secure Random instance.</param>
/// <returns>An X509Certificate.</returns>
public X509Certificate generateX509Certificate(AsymmetricKeyParameter key, SecureRandom random)
{
Signer sig = null;
if (sigOID == null)
{
throw new Exception("no signature algorithm specified");
}
try
{
sig = SignerUtil.getSigner(sigOID);
}
catch
{
try
{
sig = SignerUtil.getSigner(signatureAlgorithm);
}
catch (Exception e)
{
throw new Exception("exception creating signature: " + e.Message);
}
}
if (random != null)
{
sig.init(true, new ParametersWithRandom(key, random));
}
else
{
// Console.WriteLine("**" + sig.GetType());
sig.init(true, key);
}
if (extensions != null)
{
tbsGen.setExtensions(new X509Extensions(extOrdering, extensions));
}
TBSCertificateStructure tbsCert = tbsGen.generateTBSCertificate();
try
{
MemoryStream mStr = new MemoryStream();
DEROutputStream dOut = new DEROutputStream(mStr);
dOut.writeObject(tbsCert);
byte[] b = mStr.ToArray();
sig.update(b, 0, b.Length);
}
catch (Exception e)
{
throw new Exception("exception encoding TBS cert - " + e);
}
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(tbsCert);
v.add(sigAlgId);
v.add(new DERBitString(sig.generateSignature()));
return(new X509Certificate(new DERSequence(v)));
}
