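// https://stackoverflow.com/questions/18244630/elliptic-curve-with-digital-signature-algorithm-ecdsa-implementation-on-bouncy
/// <summary>
/// Generates an ECDSA key pair on the "secp521r1" curve (NIST P-521) using the
/// project's PRNG wrapper as the randomness source.
/// </summary>
/// <returns>A fresh key pair; the private half is <c>kp.Private</c>.</returns>
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateEcdsaKeyPair()
{
    return GenerateEcdsaKeyPair("secp521r1");
} // End Function GenerateEcdsaKeyPair


/// <summary>
/// Generates an ECDSA key pair on the named SEC curve (e.g. "secp521r1", "secp256k1").
/// </summary>
/// <param name="curveName">A curve name known to <c>SecNamedCurves.GetByName</c>.</param>
/// <returns>A fresh key pair on that curve.</returns>
/// <exception cref="System.ArgumentException">
/// The curve name is null/blank or is not a known SEC curve.
/// </exception>
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateEcdsaKeyPair(string curveName)
{
    if (string.IsNullOrWhiteSpace(curveName))
    {
        throw new System.ArgumentException("Curve name must not be empty.", nameof(curveName));
    }

    // https://github.com/bcgit/bc-csharp/blob/master/crypto/src/asn1/sec/SECNamedCurves.cs#LC1096
    // GetByName yields null for an unknown name; fail with a clear message here
    // instead of a NullReferenceException when ps.Curve is dereferenced below.
    Org.BouncyCastle.Asn1.X9.X9ECParameters ps =
        Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName(curveName);
    if (ps == null)
    {
        throw new System.ArgumentException("Unknown SEC curve: " + curveName, nameof(curveName));
    }

    // Randomness comes from the project's own PRNG wrapper rather than BC's default source.
    Org.BouncyCastle.Security.SecureRandom secureRandom =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    Org.BouncyCastle.Crypto.Parameters.ECDomainParameters ecParams =
        new Org.BouncyCastle.Crypto.Parameters.ECDomainParameters(ps.Curve, ps.G, ps.N, ps.H);

    Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters keyGenParam =
        new Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters(ecParams, secureRandom);

    Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator gen =
        new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
    gen.Init(keyGenParam);

    return gen.GenerateKeyPair();
} // End Function GenerateEcdsaKeyPair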
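} // End Function SetupOidMap


// GenerateRsaKeyPair(1024)
/// <summary>
/// Generates an RSA key pair with a modulus of <paramref name="strength"/> bits,
/// using the project's PRNG wrapper as the randomness source. Only a plain
/// KeyGenerationParameters is passed, so BouncyCastle's own defaults for the public
/// exponent and primality certainty apply.
/// </summary>
/// <param name="strength">
/// Modulus size in bits. 2048 is the smallest size that should be used for new
/// keys; 1024 (as in the example call above) is below current guidance.
/// </param>
/// <returns>A fresh RSA key pair.</returns>
/// <exception cref="System.ArgumentOutOfRangeException">
/// <paramref name="strength"/> is not a positive number of bits.
/// </exception>
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateRsaKeyPair(int strength)
{
    // A non-positive size would otherwise fail deep inside the generator with an
    // unrelated error; reject it at the boundary.
    if (strength <= 0)
    {
        throw new System.ArgumentOutOfRangeException(nameof(strength), strength,
            "RSA key strength must be a positive number of bits.");
    }

    // new Org.BouncyCastle.Crypto.Parameters.RsaKeyGenerationParameters()
    Org.BouncyCastle.Security.SecureRandom secureRandom =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    Org.BouncyCastle.Crypto.KeyGenerationParameters keyGenParam =
        new Org.BouncyCastle.Crypto.KeyGenerationParameters(secureRandom, strength);

    Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator gen =
        new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
    gen.Init(keyGenParam);

    return gen.GenerateKeyPair();
} // End Sub GenerateRsaKeyPair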
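} // End Sub Main


/// <summary>
/// Manual smoke test, not a unit test: generates a root CA (which writes files to the
/// working directory), reads the issuer's PEM private key from "issuer_priv.pem", and
/// loads "obelix.pfx" / "obelix.crt" + "obelix_priv.pem" through the .NET X509 APIs.
/// </summary>
public static void Test()
{
    // https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
    // Many times nginx -s reload does not work as expected.
    // On many systems(Debian, etc.), you would need to use /etc/init.d/nginx reload.

    Org.BouncyCastle.Security.SecureRandom random =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    Org.BouncyCastle.X509.X509Certificate rootCertificate = GenerateRootCertificate();

    // Keep the file path in its own local instead of parking it in PrivateKey first,
    // so PrivateKey only ever holds PEM text.
    string issuerKeyPath = @"issuer_priv.pem";
    PrivatePublicPemKeyPair kpk = new PrivatePublicPemKeyPair();
    kpk.PrivateKey = System.IO.File.ReadAllText(issuerKeyPath);

    // SelfSignSslCertificate(random, rootCertificate, kpk);

    // X509Certificate2 is IDisposable (and the PFX load carries a private key);
    // dispose both instead of leaving the handles to the finalizer.
    using (System.Security.Cryptography.X509Certificates.X509Certificate2 c0 =
        new System.Security.Cryptography.X509Certificates.X509Certificate2("obelix.pfx", ""))
    using (System.Security.Cryptography.X509Certificates.X509Certificate2 c1 =
        System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPemFile(@"obelix.crt", @"obelix_priv.pem"))
    {
        // c0.PrivateKey
        // c0.PublicKey;
    }

    // System.Security.Cryptography.X509Certificates.X509Certificate2 c1 = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPemFile(@"obelix.cer", @"obelix_priv.pem"); // Wrong! Doesn't work

    // https://stackoverflow.com/questions/50227580/create-x509certificate2-from-pem-file-in-net-core
    // https://stackoverflow.com/questions/48905438/digital-signature-in-c-sharp-without-using-bouncycastle

    // Org.BouncyCastle.X509.X509Certificate
    // Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert);
    // Org.BouncyCastle.X509.X509CertificateParser x509 = new Org.BouncyCastle.X509.X509CertificateParser();
    // x509.ReadCertificate()

    // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompem?view=net-5.0
    // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompemfile?view=net-5.0
    // https://github.com/dotnet/runtime/issues/19581
} // End Sub Test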
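} // End Sub SelfSignSslCertificate


// https://stackoverflow.com/questions/51703109/nginx-the-ssl-directive-is-deprecated-use-the-listen-ssl
/// <summary>
/// Creates a self-issued root CA certificate with a fixed, fictional subject, a
/// five-year validity window and a fresh 2048-bit RSA key.
/// Side effects: writes "ca.pfx" (certificate + private key, null password) and the
/// issuer key files via <c>CerGenerator.WritePrivatePublicKey("issuer", ...)</c>.
/// </summary>
/// <returns>The generated root certificate.</returns>
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate()
{
    string countryIso2Characters = "EA";
    string stateOrProvince = "Europe";
    string localityOrCity = "NeutralZone";
    string companyName = "Skynet Earth Inc.";
    string division = "Skynet mbH";
    string domainName = "Skynet";
    string email = "*****@*****.**";

    Org.BouncyCastle.Security.SecureRandom sr =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    // string curveName = "curve25519"; curveName = "secp256k1";

    // Take a single timestamp so NotBefore and NotAfter are exactly five years apart.
    System.DateTime notBefore = System.DateTime.UtcNow;

    CertificateInfo caCertInfo = new CertificateInfo(
          countryIso2Characters, stateOrProvince
        , localityOrCity, companyName
        , division, domainName, email
        , notBefore
        , notBefore.AddYears(5)
    );

    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateEcKeyPair(curveName, sr);
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(2048, sr);
    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDsaKeyPair(1024, sr);
    // Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDHKeyPair(1024, sr);
    // kp1 = KeyGenerator.GenerateGhostKeyPair(4096, s_secureRandom.Value);

    // A root CA is self-issued: subject and issuer use the same key pair.
    caCertInfo.SubjectKeyPair = KeyImportExport.GetPemKeyPair(kp1);
    caCertInfo.IssuerKeyPair = KeyImportExport.GetPemKeyPair(kp1);

    Org.BouncyCastle.X509.X509Certificate caRoot = CerGenerator.GenerateRootCertificate(caCertInfo, sr);

    // NOTE(review): both files below contain the CA signing key (the PFX with a null
    // password, the "issuer" files presumably as PEM); they need the same protection
    // as the key itself and should not stay in a working directory.
    PfxGenerator.CreatePfxFile(@"ca.pfx", caRoot, kp1.Private, null);
    CerGenerator.WritePrivatePublicKey("issuer", caCertInfo.IssuerKeyPair);

    return caRoot;
} // End Sub GenerateRootCertificate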
/// <summary>
/// Issues a leaf (SSL) certificate for the given subject alternative names, signed
/// by the root key and certificate held in the secret store, and returns it as PFX bytes.
/// </summary>
/// <param name="alternativeNames">Alternative names passed on to SelfSignSslCertificate.</param>
/// <param name="password">Password handed to CreatePfxBytes for the returned PFX.</param>
/// <returns>PFX bytes holding the new certificate and its private key.</returns>
/// <exception cref="System.InvalidOperationException">
/// The new certificate does not validate against the root public key.
/// </exception>
public static byte[] CreateSelfSignedCertificate(string[] alternativeNames, string password)
{
    // Root material is stored as PEM text in the secret store.
    string rootKeyPem = SecretManager.GetSecret<string>("skynet_key");
    string rootCertPem = SecretManager.GetSecret<string>("skynet_cert");

    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKey = ReadAsymmetricKeyParameter(rootKeyPem);
    Org.BouncyCastle.X509.X509Certificate rootCert = PemStringToX509(rootCertPem);

    Org.BouncyCastle.Security.SecureRandom rng =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    // Fresh 2048-bit RSA key for the leaf certificate itself.
    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair leafKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, rng);

    Org.BouncyCastle.X509.X509Certificate leafCert = SelfSignSslCertificate(
          rng
        , rootCert
        , leafKeyPair.Public
        , rootKey.Private
        , alternativeNames
    );

    // Check the signature against the root public key before anything is exported.
    if (!CerGenerator.ValidateSelfSignedCert(leafCert, rootCert.GetPublicKey()))
    {
        throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
    }

    return CreatePfxBytes(leafCert, leafKeyPair.Private, password);
} // End Function CreateSelfSignedCertificate
} // End Sub SetRegistry


/// <summary>
/// End-to-end helper: generates a root certificate as PfxData and then issues an
/// SSL certificate from it, sharing one SecureRandom across both steps.
/// </summary>
public static void CreateSslCertificate()
{
    // 1. Root certificate to pfx
    // 2. Read root certificate
    // 3. Sign SSL certificate
    // chrome://settings/certificates?search=certifi
    Org.BouncyCastle.Security.SecureRandom rng =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    // PfxData rootPfx = PfxFile.Read("skynet.pfx");
    PfxData rootPfx = GenerateRootCertificate(rng);

    GenerateSslCertificate(rootPfx, rng);
}
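// https://twitter.com/HackerNewsOnion/status/740228588520247296?lang=en
// Announcing Let’s Decrypt, A SSL Certificate Authority Backed By The NSA
// Talk about throwing a skunk in the jury pool! I feel like now we need proof this is fiction!
// ok this activated my paranoia.
// Announcing Let’s Decrypt, A SSL Certificate Authority Backed By The NSA < It’s totes secure. Promise.
/// <summary>
/// Entry point: loads the root CA key and certificate from the secret store, issues
/// an SSL certificate signed by that root, validates it and packs it into PFX bytes.
/// </summary>
/// <param name="args">Command-line arguments; currently unused.</param>
public static async System.Threading.Tasks.Task Main(string[] args)
{
    // CreateSslCertificate();
    // SetRegistry();
    // SelfSignedCertificateGenerator.Test.MonitoringTest.TestMonitorChanges();

    string pemKey = SecretManager.GetSecret<string>("skynet_key");
    string pemCert = SecretManager.GetSecret<string>("skynet_cert");

    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKey = ReadAsymmetricKeyParameter(pemKey);
    // Echo only the public half. Passing rootKey.Private to WriteLine hands the CA
    // signing key to whatever captures stdout; how much its ToString reveals depends
    // on the key type, so the private half is not printed at all.
    System.Console.WriteLine(rootKey.Public);

    Org.BouncyCastle.X509.X509Certificate rootCert = PemStringToX509(pemCert);
    System.Console.WriteLine(rootCert);

    Org.BouncyCastle.Security.SecureRandom random =
        new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

    Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);

    Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(
          random
        , rootCert
        , certKeyPair.Public
        , rootKey.Private
    );

    // Verify the new certificate against the root public key before exporting it.
    bool val = CerGenerator.ValidateSelfSignedCert(sslCertificate, rootCert.GetPublicKey());
    if (!val)
    {
        throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
    }

    // The PFX bytes are built with an empty password and discarded here; this
    // scaffold only exercises the pipeline.
    CreatePfxBytes(sslCertificate, certKeyPair.Private, "");

    System.Console.WriteLine(" --- Press any key to continue --- ");
    // Console.ReadKey throws when stdin is redirected (service, CI); only wait
    // for a key when there is an interactive console.
    if (!System.Console.IsInputRedirected)
    {
        System.Console.ReadKey();
    }

    await System.Threading.Tasks.Task.CompletedTask;
}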