        // https://stackoverflow.com/questions/18244630/elliptic-curve-with-digital-signature-algorithm-ecdsa-implementation-on-bouncy
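        // Generates an ECDSA key pair on a named SEC curve using the project's PRNG.
        //
        // curveName: SEC curve name as understood by SecNamedCurves.GetByName. Defaults to
        //            secp521r1 (the original hard-coded value); secp256k1 also works for callers
        //            that need Bitcoin-style keys. Existing zero-argument callers are unaffected.
        // Returns the BouncyCastle key pair. The private half is key material: keep it in memory
        //         or in an encrypted container, never in a log.
        // Throws ArgumentException when curveName is empty or not a known SEC curve.
        //
        // Reference: https://stackoverflow.com/questions/18244630/elliptic-curve-with-digital-signature-algorithm-ecdsa-implementation-on-bouncy
        public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateEcdsaKeyPair(string curveName = "secp521r1")
        {
            if (string.IsNullOrWhiteSpace(curveName))
            {
                throw new System.ArgumentException("A SEC curve name is required.", nameof(curveName));
            }

            // Seed from the project's PRNG rather than the default SecureRandom so key generation
            // does not silently depend on whatever the platform default happens to be.
            Org.BouncyCastle.Security.SecureRandom secureRandom =
                new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

            // https://github.com/bcgit/bc-csharp/blob/master/crypto/src/asn1/sec/SECNamedCurves.cs#LC1096
            // NOTE(review): GetByName is believed to return null (not throw) for an unknown name —
            // confirm against the bc-csharp version in use. Either way, fail here with a clear
            // message instead of a NullReferenceException on ps.Curve below.
            Org.BouncyCastle.Asn1.X9.X9ECParameters ps =
                Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName(curveName);
            if (ps == null)
            {
                throw new System.ArgumentException($"Unknown SEC curve name '{curveName}'.", nameof(curveName));
            }

            Org.BouncyCastle.Crypto.Parameters.ECDomainParameters ecParams =
                new Org.BouncyCastle.Crypto.Parameters.ECDomainParameters(ps.Curve, ps.G, ps.N, ps.H);

            Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters keyGenParam =
                new Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters(ecParams, secureRandom);

            Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator gen =
                new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
            gen.Init(keyGenParam);

            return gen.GenerateKeyPair();
        } // End Function GenerateEcdsaKeyPair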
        } // End Function SetupOidMap

        // Example: GenerateRsaKeyPair(2048). Note that 1024-bit RSA is no longer considered
        // adequate for new keys; use 2048 bits or more.
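        // Generates an RSA key pair of the requested modulus size using the project's PRNG.
        //
        // strength: modulus length in bits. Must be at least 2048 — a 1024-bit modulus is no
        //           longer an acceptable key size, so the request is rejected rather than
        //           quietly producing a weak key.
        // Returns the BouncyCastle key pair. The public exponent and primality certainty are
        //         whatever KeyGenerationParameters / RsaKeyPairGenerator default to; they are not
        //         pinned here.
        // Throws ArgumentOutOfRangeException when strength < 2048.
        public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateRsaKeyPair(int strength)
        {
            const int MinimumStrengthBits = 2048;
            if (strength < MinimumStrengthBits)
            {
                throw new System.ArgumentOutOfRangeException(
                    nameof(strength), strength,
                    $"RSA modulus must be at least {MinimumStrengthBits} bits.");
            }

            // Seed from the project's PRNG rather than the platform default SecureRandom.
            Org.BouncyCastle.Security.SecureRandom secureRandom =
                new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

            Org.BouncyCastle.Crypto.KeyGenerationParameters keyGenParam =
                new Org.BouncyCastle.Crypto.KeyGenerationParameters(secureRandom, strength);

            Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator gen =
                new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
            gen.Init(keyGenParam);

            return gen.GenerateKeyPair();
        } // End Function GenerateRsaKeyPair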
        } // End Sub Main

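        // Manual smoke test for the certificate pipeline: generates a root certificate (which, as a
        // side effect, writes ca.pfx and the issuer PEM files to the working directory), reads the
        // issuer private key back from disk, and loads the "obelix" certificate both from a PFX and
        // from PEM to confirm the files are well-formed. Nothing is asserted; problems surface as
        // exceptions.
        //
        // Security: issuer_priv.pem is the CA private key in the clear and obelix.pfx has an empty
        // password. Treat the working directory as sensitive and never commit these files.
        public static void Test()
        {
            // https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
            // Many times nginx -s reload does not work as expected.
            // On many systems (Debian, etc.), you would need to use /etc/init.d/nginx reload.

            Org.BouncyCastle.Security.SecureRandom random =
                new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

            // Writes the CA's PFX and PEM key files to disk before returning.
            Org.BouncyCastle.X509.X509Certificate rootCertificate = GenerateRootCertificate();

            // Keep the path and the PEM text in separate variables instead of reusing the
            // PrivateKey property as a temporary for the path.
            string issuerKeyPath = @"issuer_priv.pem";
            PrivatePublicPemKeyPair kpk = new PrivatePublicPemKeyPair();
            kpk.PrivateKey = System.IO.File.ReadAllText(issuerKeyPath);

            // TODO: exercise signing once the helper signature is settled:
            // SelfSignSslCertificate(random, rootCertificate, kpk);

            // X509Certificate2 owns native key handles; dispose it instead of relying on the
            // finalizer. The PFX is expected to carry an empty password.
            using var c0 = new System.Security.Cryptography.X509Certificates.X509Certificate2("obelix.pfx", "");

            // CreateFromPemFile needs the PEM-encoded .crt; passing the DER .cer does not work.
            using var c1 = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPemFile(@"obelix.crt", @"obelix_priv.pem");

            // Further reading on PEM import without BouncyCastle and on the BouncyCastle bridge
            // (DotNetUtilities.ToX509Certificate / X509CertificateParser.ReadCertificate):
            // https://stackoverflow.com/questions/50227580/create-x509certificate2-from-pem-file-in-net-core
            // https://stackoverflow.com/questions/48905438/digital-signature-in-c-sharp-without-using-bouncycastle
            // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompem?view=net-5.0
            // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompemfile?view=net-5.0
            // https://github.com/dotnet/runtime/issues/19581
        } // End Sub Test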
        } // End Sub SelfSignSslCertificate

        // https://stackoverflow.com/questions/51703109/nginx-the-ssl-directive-is-deprecated-use-the-listen-ssl
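        // Builds a self-signed root CA certificate with a fresh RSA-2048 key, valid for five years
        // from now (UTC), and persists it: ca.pfx (PKCS#12 with NO password) plus the issuer key
        // pair as PEM via CerGenerator.WritePrivatePublicKey("issuer", ...). Subject and issuer use
        // the same key pair, which is what makes it a root. Returns the BouncyCastle certificate.
        //
        // Security: the CA private key lands on disk twice, unencrypted (null PFX password and a
        // plain PEM). That is only acceptable for a throwaway development CA; anything real clients
        // will trust needs an encrypted container and restricted file permissions.
        public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate()
        {
            const int RootKeyBits   = 2048;
            const int ValidityYears = 5;

            // Distinguished-name fields for the CA subject (= issuer). Placeholder values; the
            // e-mail address is redacted in this listing.
            string countryIso2Characters = "EA";
            string stateOrProvince       = "Europe";
            string localityOrCity        = "NeutralZone";
            string companyName           = "Skynet Earth Inc.";
            string division   = "Skynet mbH";
            string domainName = "Skynet";
            string email      = "*****@*****.**";

            Org.BouncyCastle.Security.SecureRandom sr =
                new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

            // Take the timestamp once so notAfter is exactly ValidityYears after notBefore.
            System.DateTime notBefore = System.DateTime.UtcNow;

            CertificateInfo caCertInfo = new CertificateInfo(
                countryIso2Characters, stateOrProvince
                , localityOrCity, companyName
                , division, domainName, email
                , notBefore
                , notBefore.AddYears(ValidityYears)
                );

            // RSA for the root. KeyGenerator also offers EC/DSA/DH generators; they are not used here.
            Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(RootKeyBits, sr);

            // Root CA: the certificate is signed with the same key it certifies.
            caCertInfo.SubjectKeyPair = KeyImportExport.GetPemKeyPair(kp1);
            caCertInfo.IssuerKeyPair  = KeyImportExport.GetPemKeyPair(kp1);

            Org.BouncyCastle.X509.X509Certificate caRoot = CerGenerator.GenerateRootCertificate(caCertInfo, sr);

            // Persist. The null password means an unprotected PKCS#12 — see the note above.
            PfxGenerator.CreatePfxFile(@"ca.pfx", caRoot, kp1.Private, null);
            CerGenerator.WritePrivatePublicKey("issuer", caCertInfo.IssuerKeyPair);

            return caRoot;
        } // End Sub GenerateRootCertificate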
        // Issues a leaf certificate for the given subject alternative names, signed with the CA
        // private key held in the "skynet_key" secret (CA certificate in "skynet_cert"), and
        // returns it bundled with its freshly generated RSA-2048 private key as PKCS#12 bytes
        // protected by `password`. The CA private key is used only to sign; it is not exported.
        //
        // alternativeNames: SAN entries handed to SelfSignSslCertificate.
        // password:         PKCS#12 password (an empty string is accepted).
        // Returns the PFX bytes.
        // Throws InvalidOperationException if the issued certificate does not verify against the
        // CA public key.
        public static byte[] CreateSelfSignedCertificate(string[] alternativeNames, string password)
        {
            // Issuer material is read from the secret store, never from a file next to the binary.
            string issuerKeyPem  = SecretManager.GetSecret <string>("skynet_key");
            string issuerCertPem = SecretManager.GetSecret <string>("skynet_cert");

            Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair issuerKeyPair = ReadAsymmetricKeyParameter(issuerKeyPem);
            Org.BouncyCastle.X509.X509Certificate           issuerCert    = PemStringToX509(issuerCertPem);

            Org.BouncyCastle.Security.SecureRandom rng =
                new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

            // The leaf gets its own key; only the public half goes into the certificate.
            Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair leafKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, rng);

            Org.BouncyCastle.X509.X509Certificate leafCert = SelfSignSslCertificate(
                rng
                , issuerCert
                , leafKeyPair.Public
                , issuerKeyPair.Private
                , alternativeNames
                );

            // Refuse to hand out a bundle whose signature does not chain to the CA.
            bool chainsToIssuer = CerGenerator.ValidateSelfSignedCert(leafCert, issuerCert.GetPublicKey());
            if (!chainsToIssuer)
            {
                throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
            }

            return CreatePfxBytes(leafCert, leafKeyPair.Private, password);
        } // End Function CreateSelfSignedCertificate
        }     // End Sub SetRegistry

        // End-to-end driver: creates a root CA as PFX data and then issues an SSL certificate
        // signed by it, sharing one SecureRandom across both steps. Both helpers persist their
        // output themselves; nothing is returned.
        //
        // To make browsers trust the result, import the root into the OS/browser store
        // (Chrome: chrome://settings/certificates?search=certifi).
        public static void CreateSslCertificate()
        {
            Org.BouncyCastle.Security.SecureRandom rng =
                new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());

            // Step 1 + 2: build the root certificate and keep it as PFX data in memory.
            // (Alternative when a root already exists: PfxData pfx = PfxFile.Read("skynet.pfx");)
            PfxData rootPfx = GenerateRootCertificate(rng);

            // Step 3: sign the SSL certificate with that root.
            GenerateSslCertificate(rootPfx, rng);
        }
        // https://twitter.com/HackerNewsOnion/status/740228588520247296?lang=en
        // Announcing Let’s Decrypt, A SSL Certificate Authority Backed By The NSA

        // Talk about throwing a skunk in the jury pool! I feel like now we need proof this is fiction!
        // ok this activated my paranoia.
        // Announcing Let’s Decrypt, A SSL Certificate Authority Backed By The NSA < It’s totes secure. Promise.
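        // Entry point: loads the CA key and certificate from the secret store, issues an RSA-2048
        // leaf certificate signed by that CA, checks it verifies against the CA public key and
        // builds the PFX bytes (currently discarded — this is a demo run). Waits for a key press
        // before exiting.
        // Throws InvalidOperationException if the issued certificate does not validate.
        public static async System.Threading.Tasks.Task Main(string[] args)
        {
            // Alternative entry points kept for manual runs:
            // CreateSslCertificate();
            // SetRegistry();
            // SelfSignedCertificateGenerator.Test.MonitoringTest.TestMonitorChanges();

            string pemKey  = SecretManager.GetSecret <string>("skynet_key");
            string pemCert = SecretManager.GetSecret <string>("skynet_cert");

            Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKey = ReadAsymmetricKeyParameter(pemKey);
            // Never write the private key object to the console: whether or not this key type's
            // ToString() prints its parameters, stdout routinely ends up in logs and CI output.
            // Report only that it loaded.
            System.Console.WriteLine("Root private key loaded: " + (rootKey.Private != null));

            Org.BouncyCastle.X509.X509Certificate rootCert = PemStringToX509(pemCert);
            // The certificate is public material, so printing it is fine.
            System.Console.WriteLine(rootCert);

            Org.BouncyCastle.Security.SecureRandom          random      = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
            Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);

            Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(
                random
                , rootCert
                , certKeyPair.Public
                , rootKey.Private
                );

            // Make sure the leaf actually chains to the CA before doing anything with it.
            bool val = CerGenerator.ValidateSelfSignedCert(sslCertificate, rootCert.GetPublicKey());
            if (!val)
            {
                throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
            }

            // Demo only: the PFX is built with an empty password and its bytes are dropped.
            // A real run must pass a password and persist/consume the result.
            CreatePfxBytes(sslCertificate, certKeyPair.Private, "");

            System.Console.WriteLine(" --- Press any key to continue --- ");
            System.Console.ReadKey();

            await System.Threading.Tasks.Task.CompletedTask;
        }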