/// <summary>
/// Import the specified certificate.
/// </summary>
/// <remarks>
/// Import the specified certificate.
/// </remarks>
/// <param name="certificate">The certificate.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="certificate"/> is <c>null</c>.
/// </exception>
public override void Import (Org.BouncyCastle.X509.X509Certificate certificate)
{
if (certificate == null)
throw new ArgumentNullException ("certificate");
var store = new X509Store (StoreName.AddressBook, StoreLocation);
store.Open (OpenFlags.ReadWrite);
store.Add (new X509Certificate2 (certificate.GetEncoded ()));
store.Close ();
}
private static byte[] GeneratePkcs12(AsymmetricCipherKeyPair keys, Org.BouncyCastle.X509.X509Certificate cert, string friendlyName, string password,
Dictionary<string, Org.BouncyCastle.X509.X509Certificate> chain)
{
var chainCerts = new List<X509CertificateEntry>();
// Create the PKCS12 store
Pkcs12Store store = new Pkcs12StoreBuilder().Build();
// Add a Certificate entry
X509CertificateEntry certEntry = new X509CertificateEntry(cert);
store.SetCertificateEntry(friendlyName, certEntry); // use DN as the Alias.
//chainCerts.Add(certEntry);
// Add chain entries
var additionalCertsAsBytes = new List<byte[]>();
if (chain != null && chain.Count > 0)
{
foreach (var additionalCert in chain)
{
additionalCertsAsBytes.Add(additionalCert.Value.GetEncoded());
}
}
if (chain != null && chain.Count > 0)
{
var addicionalCertsAsX09Chain = BuildCertificateChainBC(cert.GetEncoded(), additionalCertsAsBytes);
foreach (var addCertAsX09 in addicionalCertsAsX09Chain)
{
chainCerts.Add(new X509CertificateEntry(addCertAsX09));
}
}
// Add a key entry
AsymmetricKeyEntry keyEntry = new AsymmetricKeyEntry(keys.Private);
// no chain
store.SetKeyEntry(friendlyName, keyEntry, new X509CertificateEntry[] { certEntry });
using (var memoryStream = new MemoryStream())
{
store.Save(memoryStream, password.ToCharArray(), new SecureRandom());
return memoryStream.ToArray();
}
}
/// <summary>
/// Import the specified certificate.
/// </summary>
/// <param name="certificate">The certificate.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="certificate"/> is <c>null</c>.
/// </exception>
public override void Import(Org.BouncyCastle.X509.X509Certificate certificate)
{
var store = new X509Store (StoreName.AddressBook, StoreLocation);
store.Open (OpenFlags.ReadWrite);
store.Add (new X509Certificate2 (certificate.GetEncoded ()));
store.Close ();
}
public static CertificateSecurityInformation VerifyEnc(Org.BouncyCastle.X509.X509Certificate encCert, Org.BouncyCastle.X509.X509Certificate authCert, DateTime date, IX509Store certs, bool checkRevocation)
{
CertificateSecurityInformation result = new CertificateSecurityInformation();
result.Certificate = new X509Certificate2(encCert.GetEncoded());
//check validity
try
{
encCert.CheckValidity(date);
}
catch (CertificateExpiredException)
{
result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
}
catch (CertificateNotYetValidException)
{
result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
}
//check key usage
int[] keyUsageIndexes = new int[] { 2, 3 };
foreach (int i in keyUsageIndexes)
{
if (!encCert.GetKeyUsage()[i])
{
result.securityViolations.Add(CertSecurityViolation.NotValidForUsage);
trace.TraceEvent(TraceEventType.Warning, 0, "The key usage did not have the correct usage flag set");
}
}
//check issuer/subject
if (!encCert.IssuerDN.Equivalent(encCert.SubjectDN, false)) result.securityViolations.Add(CertSecurityViolation.HasNotPermittedNameConstraint);
//check key size
if (!VerifyKeySize(encCert.GetPublicKey(), EteeActiveConfig.Unseal.MinimumEncryptionKeySize.AsymmerticRecipientKey)) result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
//check key type
if (!(encCert.GetPublicKey() is RsaKeyParameters)) result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
if (authCert != null)
{
//check signature
try
{
encCert.Verify(authCert.GetPublicKey());
}
catch (InvalidKeyException)
{
result.securityViolations.Add(CertSecurityViolation.NotSignatureValid);
}
//Validate
result.IssuerInfo = VerifyBoth(authCert, date, certs, new List<CertificateList>(0), new List<BasicOcspResponse>(0), checkRevocation, false);
}
else
{
//We assume that we have the authCert in case it's of a 3rd person, we don't care if its or own encryption cert (we only care for the validity)
}
return result;
}
private static CertificateSecurityInformation Verify(Org.BouncyCastle.X509.X509Certificate cert, DateTime date, IX509Store certs, IList<CertificateList> crls, IList<BasicOcspResponse> ocsps, bool checkRevocation, bool checkTime)
{
CertificateSecurityInformation result = new CertificateSecurityInformation();
AsymmetricKeyParameter key = cert.GetPublicKey();
//check key type
if (!(key is RsaKeyParameters))
{
result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
trace.TraceEvent(TraceEventType.Warning, 0, "The key should be RSA but was {0}", key.GetType());
}
//check key size
if (!VerifyKeySize(key, EteeActiveConfig.Unseal.MinimumSignatureKeySize))
{
result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
trace.TraceEvent(TraceEventType.Warning, 0, "The key was smaller then {0}", EteeActiveConfig.Unseal.MinimumSignatureKeySize);
}
X509Certificate2Collection extraStore = new X509Certificate2Collection();
foreach (Org.BouncyCastle.X509.X509Certificate obj in certs.GetMatches(null))
{
extraStore.Add(new X509Certificate2(obj.GetEncoded()));
}
Chain chain;
if (checkRevocation)
chain = new X509Certificate2(cert.GetEncoded()).BuildChain(date, extraStore, ref crls, ref ocsps, checkTime ? DateTime.UtcNow : date);
else
chain = new X509Certificate2(cert.GetEncoded()).BuildBasicChain(date, extraStore);
CertificateSecurityInformation dest = null;
foreach (ChainElement ce in chain.ChainElements)
{
if (dest == null) {
dest = result;
}
else
{
dest.IssuerInfo = new CertificateSecurityInformation();
dest = dest.IssuerInfo;
}
dest.Certificate = ce.Certificate;
foreach (X509ChainStatus status in ce.ChainElementStatus.Where(x => x.Status != X509ChainStatusFlags.NoError))
{
dest.securityViolations.Add((CertSecurityViolation)Enum.Parse(typeof(CertSecurityViolation), Enum.GetName(typeof(X509ChainStatusFlags), status.Status)));
}
}
if (chain.ChainStatus.Count(x => x.Status == X509ChainStatusFlags.PartialChain) > 0)
{
result.securityViolations.Add(CertSecurityViolation.IssuerTrustUnknown);
}
trace.TraceEvent(TraceEventType.Verbose, 0, "Verified certificate {0} for date {1}", cert.SubjectDN.ToString(), date);
return result;
}
public Signature(FileFormat fileFormat, Org.BouncyCastle.X509.X509Certificate certificateBC)
{
FileFormat = fileFormat;
Certificate = new X509Certificate2(certificateBC.GetEncoded());
CertificateBouncyCastle = certificateBC;
}
