private static X509Certificate SignCertificateFromRequest(Pkcs10CertificationRequest request, ISignatureFactory signer) { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); DateTime now = DateTime.Now; certGen.SetIssuerDN(request.GetCertificationRequestInfo().Subject); certGen.SetSubjectDN(request.GetCertificationRequestInfo().Subject); certGen.SetNotAfter(now.AddDays(7)); certGen.SetNotBefore(now.AddMinutes(-10)); certGen.SetSerialNumber(new Org.BouncyCastle.Math.BigInteger(80, new Random())); certGen.SetPublicKey(request.GetPublicKey()); return(certGen.Generate(signer)); }
/// <summary> /// Call to request a certificate /// </summary> /// <param name="csr">Certificate signing request</param> /// <param name="effectiveDate">Effective date of certificate</param> /// <param name="expirationDate">Expiration date of certificate</param> /// <param name="ca">Signing authority</param> /// <param name="asn1Set">Extensions</param> /// <exception cref="InvalidParameterException">Thrown if <paramref name="ca"/> is null</exception> /// <returns>Certificate signed by <paramref name="ca"/></returns> public static X509Certificate2 RequestCertificate(Pkcs10CertificationRequest csr, DateTime effectiveDate, DateTime expirationDate, X509Certificate2 ca, Asn1Set asn1Set) { AsymmetricKeyParameter keyParameter = null; if (ca == null) { throw new InvalidParameterException("ca can not be null"); } keyParameter = TransformRSAPrivateKey((RSACryptoServiceProvider)ca.PrivateKey); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.SetSerialNumber(CreateSerialNumber()); certGen.SetIssuerDN(new X509Name(ca.Subject)); certGen.SetNotBefore(effectiveDate.ToUniversalTime()); certGen.SetNotAfter(expirationDate.ToUniversalTime()); certGen.SetSubjectDN(csr.GetCertificationRequestInfo().Subject); certGen.SetPublicKey(csr.GetPublicKey()); certGen.SetSignatureAlgorithm(SIGNATURE_ALGORITHM); CertificationRequestInfo info = csr.GetCertificationRequestInfo(); if (asn1Set != null) { // Iterate through each extension and add it to the certificate for (int i = 0; i < asn1Set.Count; i++) { AttributePkcs attr = AttributePkcs.GetInstance(asn1Set[i]); if (attr != null && attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) { X509Extensions extensions = X509Extensions.GetInstance(attr.AttrValues[0]); foreach (DerObjectIdentifier extOid in extensions.ExtensionOids) { Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions.GetExtension(extOid); certGen.AddExtension(extOid, ext.IsCritical, ext.GetParsedValue()); } } } } Org.BouncyCastle.X509.X509Certificate bcCert = certGen.Generate(keyParameter); return(new X509Certificate2(bcCert.GetEncoded())); }
private void createPssTest( string algorithm) { // RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec( RsaKeyParameters pubKey = new RsaKeyParameters(false, new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137", 16), new BigInteger("010001", 16)); // RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec( RsaPrivateCrtKeyParameters privKey = new RsaPrivateCrtKeyParameters( new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137", 16), new BigInteger("010001", 16), new BigInteger("33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325", 16), new BigInteger("e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443", 16), new BigInteger("b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd", 16), new BigInteger("28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979", 16), new BigInteger("1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729", 16), new BigInteger("27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d", 16)); // KeyFactory fact = KeyFactory.getInstance("RSA", "BC"); // // PrivateKey privKey = fact.generatePrivate(privKeySpec); // PublicKey pubKey = fact.generatePublic(pubKeySpec); Pkcs10CertificationRequest req = new Pkcs10CertificationRequest( algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); if (!req.Verify()) { Fail("Failed verify check PSS."); } req = new Pkcs10CertificationRequest(req.GetEncoded()); if (!req.Verify()) { Fail("Failed verify check PSS encoded."); } if (!req.SignatureAlgorithm.ObjectID.Equals(PkcsObjectIdentifiers.IdRsassaPss)) { Fail("PSS oid incorrect."); } if (req.SignatureAlgorithm.Parameters == null) { Fail("PSS parameters incorrect."); } ISigner sig = SignerUtilities.GetSigner(algorithm); sig.Init(false, pubKey); byte[] encoded = req.GetCertificationRequestInfo().GetEncoded(); sig.BlockUpdate(encoded, 0, encoded.Length); if (!sig.VerifySignature(req.Signature.GetBytes())) { Fail("signature not mapped correctly."); } }
/// <summary> /// Extract certificate signing request. /// </summary> /// <param name="csr">Certificate signing request.</param> /// <param name="publicKey">Asymmetric public key.</param> /// <param name="dn">Distinct name.</param> /// <param name="extensions">Extensions.</param> /// <exception cref="Exception"/> public static void ExtractCsr(Pkcs10CertificationRequest csr, out AsymmetricKeyParameter publicKey, out X509Name dn, out X509Extensions extensions) { if (csr is null) { throw new ArgumentNullException(nameof(csr)); } publicKey = csr.GetPublicKey(); CertificationRequestInfo csrInfo = csr.GetCertificationRequestInfo(); dn = csrInfo.Subject; Dictionary <DerObjectIdentifier, X509Extension> attributes = new Dictionary <DerObjectIdentifier, X509Extension>(); if (csrInfo.Attributes != null) { foreach (AttributePkcs attribute in csrInfo.Attributes) { if (attribute.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) { foreach (X509Extensions exts in attribute.AttrValues) { foreach (DerObjectIdentifier oid in exts.ExtensionOids) { X509Extension ext = exts.GetExtension(oid); attributes.Add(oid, new X509Extension(ext.IsCritical, ext.Value)); } } } } } extensions = attributes.Count > 0 ? new X509Extensions(attributes) : null; }
public virtual async Task <X509Certificate2> SigningRequestAsync( ApplicationRecordDataType application, string[] domainNames, byte[] certificateRequest) { Pkcs10CertificationRequest pkcs10CertificationRequest = new Pkcs10CertificationRequest(certificateRequest); CertificationRequestInfo info = pkcs10CertificationRequest.GetCertificationRequestInfo(); DateTime yesterday = DateTime.UtcNow.AddDays(-1); return(CertificateFactory.CreateCertificate( null, null, null, application.ApplicationUri ?? "urn:ApplicationURI", application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName", info.Subject.ToString(), domainNames, Configuration.DefaultCertificateKeySize, yesterday, Configuration.DefaultCertificateLifetime, Configuration.DefaultCertificateHashSize, false, await LoadSigningKeyAsync(Certificate, string.Empty), info.SubjectPublicKeyInfo.GetEncoded())); }
/// <summary> /// Signs a cert request with the server CA certificate and returns /// a signed x509 certificate. /// </summary> /// <param name="serializedCsr">Is the serialized cert request (csr).</param> /// <returns>Signed x509 certificate.</returns> /// <exception cref="CertificateIOException">Thrown when the /// <see cref="serializedCsr"/> is either null or zero length.</exception> public X509Certificate SignCsr(byte[] serializedCsr) { if (serializedCsr == null || serializedCsr.Length == 0) { throw new Exception(); } X509Certificate issuer = GetCACert(); Pkcs10CertificationRequest pkcsr = DeserializeCsr(serializedCsr); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); TimeSpan ts = DateTime.Now.Subtract(_serialNumStart); certGen.SetSerialNumber(BigInteger.ValueOf(ts.Ticks)); certGen.SetIssuerDN(issuer.SubjectDN); certGen.SetNotBefore(DateTime.Today); certGen.SetNotAfter(DateTime.Today.AddDays(_certValidity)); certGen.SetSubjectDN(pkcsr.GetCertificationRequestInfo().Subject); certGen.SetPublicKey(pkcsr.GetPublicKey()); certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(pkcsr.GetPublicKey()))); certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage( KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment)); ISignatureFactory signatureFactory = new Asn1SignatureFactory(HASH_ENCRYPTION_ALGORITHM, GetCAPrivKey(), new SecureRandom()); return(certGen.Generate(signatureFactory)); }
/// <summary> /// Creates a KeyVault signed certficate from signing request. /// </summary> internal async Task <X509Certificate2> SigningRequestAsync(byte[] certificateRequest, string issuerCertificateName) { var pkcs10CertificationRequest = new Pkcs10CertificationRequest(certificateRequest); if (!pkcs10CertificationRequest.Verify()) { throw new ArgumentException("CSR signature invalid."); } var info = pkcs10CertificationRequest.GetCertificationRequestInfo(); var notBefore = DateTime.UtcNow.AddDays(-1); var certBundle = await _keyVaultServiceClient.GetCertificateAsync(issuerCertificateName).ConfigureAwait(false); var signingCert = new X509Certificate2(certBundle.Cer); var publicKey = KeyVaultCertFactory.GetRSAPublicKey(info.SubjectPublicKeyInfo); return(await KeyVaultCertFactory.CreateSignedCertificate( info.Subject.ToString(), 2048, notBefore, notBefore.AddMonths(12), 256, signingCert, publicKey, new KeyVaultSignatureGenerator(_keyVaultServiceClient, certBundle.KeyIdentifier.Identifier, signingCert) )); }
/// <summary> /// append password to CSR: csrWithPassword = (csr, password) /// </summary> /// <param name="csr"></param> /// <param name="password"></param> /// <returns>CSR that contains password</returns> public byte[] AppendPassword(byte[] csr, string password) { if (csr == null) { throw new ArgumentNullException(nameof(csr)); } if (string.IsNullOrEmpty(password)) { throw new ArgumentNullException(nameof(password)); } var originalCsr = new Pkcs10CertificationRequest(csr); CertificationRequestInfo cri = originalCsr.GetCertificationRequestInfo(); DerSet attributesSet = AddPasswordAttribute(password, cri.Attributes); AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(cri.SubjectPublicKeyInfo); string signatureAlgorithm = originalCsr.SignatureAlgorithm.Algorithm.Id; // build new CSR from original + password attribute var csrWithPassword = new Pkcs10CertificationRequestDelaySigned(signatureAlgorithm, cri.Subject, publicKey, attributesSet); // this signing key is not used for signing but here only to suppress exception thrown in ctor csrWithPassword.SignRequest(new byte[] { }); var csrWithPasswordBytes = csrWithPassword.GetDerEncoded(); return(csrWithPasswordBytes); }
private byte[] MakeCertificateFromCSR(string CSR, AsymmetricCipherKeyPair rootKeyPair, X509Name rootSubject) { byte[] encoded; try { Pkcs10CertificationRequest pkcs10CertificationRequest = (Pkcs10CertificationRequest)(new PemReader(new StringReader(CSR))).ReadObject(); AsymmetricKeyParameter @private = rootKeyPair.Private; AsymmetricKeyParameter @public = rootKeyPair.Public; X509V3CertificateGenerator x509V3CertificateGenerator = new X509V3CertificateGenerator(); x509V3CertificateGenerator.Reset(); if (this.SerialNumber != -9223372036854775808L) { x509V3CertificateGenerator.SetSerialNumber(new BigInteger(this.SerialNumber.ToString())); } else { DateTime now = DateTime.Now; x509V3CertificateGenerator.SetSerialNumber(new BigInteger(128, new Random(now.Millisecond + Environment.TickCount))); } x509V3CertificateGenerator.SetIssuerDN(rootSubject); x509V3CertificateGenerator.SetNotBefore(this.ValidFrom.ToUniversalTime()); x509V3CertificateGenerator.SetNotAfter(this.ValidTo.ToUniversalTime()); x509V3CertificateGenerator.SetSubjectDN(pkcs10CertificationRequest.GetCertificationRequestInfo().Subject); x509V3CertificateGenerator.SetPublicKey(pkcs10CertificationRequest.GetPublicKey()); x509V3CertificateGenerator.SetSignatureAlgorithm(string.Concat(this.SignatureAlgorithm.ToString(), "Encryption")); x509V3CertificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(pkcs10CertificationRequest.GetPublicKey()))); x509V3CertificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(@public))); int extensionType = 0; Asn1EncodableVector asn1EncodableVectors = new Asn1EncodableVector(new Asn1Encodable[0]); foreach (ExtensionInfo extension in this.Extensions.extensionInfo) { if (!extension.ExtendedKeyUsage) { extensionType |= (int)extension.ExtensionType; } if (!extension.ExtendedKeyUsage) { continue; } asn1EncodableVectors.Add(new Asn1Encodable[] { (Asn1Encodable)extension.ExtensionType }); } if (extensionType != 0) { x509V3CertificateGenerator.AddExtension(X509Extensions.KeyUsage, this.Extensions.KeyUsageIsCritical, new KeyUsage(extensionType)); } if (asn1EncodableVectors.Count > 0) { x509V3CertificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, this.Extensions.EnhancedKeyUsageIsCritical, ExtendedKeyUsage.GetInstance(new DerSequence(asn1EncodableVectors))); } X509Certificate x509Certificate = x509V3CertificateGenerator.Generate(@private, this.GetSecureRandom()); x509Certificate.Verify(@public); encoded = x509Certificate.GetEncoded(); } catch { throw; } return(encoded); }
/// <summary> /// Gets the X509 subject attribute values from a certificate signing request. /// </summary> /// <param name="csr">The certificate signing request.</param> /// <returns> /// The X509 subject attribute values indexed by the kind of subject attribute. /// </returns> /// <exception cref="ArgumentNullException"><paramref name="csr"/> is null.</exception> public static IReadOnlyDictionary <X509SubjectAttributeKind, string> GetX509SubjectAttributes( this Pkcs10CertificationRequest csr) { new { csr }.Must().NotBeNull(); var subject = csr.GetCertificationRequestInfo().Subject; var result = subject.GetX509SubjectAttributes(); return(result); }
public static List <string> DecodeCsrSubjects(byte[] csrBytes) { // based on https://stackoverflow.com/a/45424266 by https://stackoverflow.com/users/814735/cyril-durand var pem = new PemObject("CSR", csrBytes); var request = new Pkcs10CertificationRequest(pem.Content); var requestInfo = request.GetCertificationRequestInfo(); // an Attribute is a collection of Sequence which contains a collection of Asn1Object // let's find the sequence that contains a DerObjectIdentifier with Id of "1.2.840.113549.1.9.14" var extensionSequence = requestInfo.Attributes.OfType <DerSequence>() .FirstOrDefault(o => o.OfType <DerObjectIdentifier>() .Any(oo => oo.Id == PkcsObjectIdentifiers.Pkcs9AtExtensionRequest.Id)); // pkcs-9/extensionRequest, "1.2.840.113549.1.9.14" // let's get the set of value for this sequence var extensionSet = extensionSequence?.OfType <DerSet>().First(); var str = extensionSet != null? GetAsn1ObjectRecursive <DerOctetString>(extensionSet.OfType <DerSequence>().First(), X509Extensions.SubjectAlternativeName.Id) : null; if (str != null) { //subject alternative names var names = GeneralNames.GetInstance(Asn1Object.FromByteArray(str.GetOctets())); return(names .GetNames() .Select(n => n.Name.ToString()) .ToList()); } else { var oids = requestInfo.Subject.GetOidList(); string subjectName = ""; foreach (DerObjectIdentifier o in oids) { if (o.Id == X509ObjectIdentifiers.CommonName.Id) { subjectName = requestInfo.Subject.GetValueList()[oids.IndexOf(o)].ToString(); break; } } // we just have a single subject return(new List <string> { subjectName }); } }
private void createECGostRequest() { string algorithm = "GOST3411withECGOST3410"; IAsymmetricCipherKeyPairGenerator ecGostKpg = GeneratorUtilities.GetKeyPairGenerator("ECGOST3410"); ecGostKpg.Init( new ECKeyGenerationParameters( CryptoProObjectIdentifiers.GostR3410x2001CryptoProA, new SecureRandom())); // // set up the keys // AsymmetricCipherKeyPair pair = ecGostKpg.GenerateKeyPair(); AsymmetricKeyParameter privKey = pair.Private; AsymmetricKeyParameter pubKey = pair.Public; Pkcs10CertificationRequest req = new Pkcs10CertificationRequest( algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); if (!req.Verify()) { Fail("Failed Verify check EC."); } req = new Pkcs10CertificationRequest(req.GetEncoded()); if (!req.Verify()) { Fail("Failed Verify check EC encoded."); } if (!req.SignatureAlgorithm.ObjectID.Equals(CryptoProObjectIdentifiers.GostR3411x94WithGostR3410x2001)) { Fail("ECGOST oid incorrect."); } if (req.SignatureAlgorithm.Parameters != null) { Fail("ECGOST parameters incorrect."); } ISigner sig = SignerUtilities.GetSigner(algorithm); sig.Init(false, pubKey); byte[] b = req.GetCertificationRequestInfo().GetEncoded(); sig.BlockUpdate(b, 0, b.Length); if (!sig.VerifySignature(req.Signature.GetBytes())) { Fail("signature not mapped correctly."); } }
public override void Build( X509V3CertificateGenerator certGen, Pkcs10CertificationRequest request, X509Certificate caCert) { var requestInfo = request.GetCertificationRequestInfo(); var extensionSequence = requestInfo .Attributes.OfType <DerSequence>() .First(o => o.OfType <DerObjectIdentifier>().Any(oo => oo.Id == "1.2.840.113549.1.9.14")); var extensionSet = extensionSequence.OfType <DerSet>().First().OfType <DerSequence>().First(); var exts = X509Extensions.GetInstance(extensionSet); var extOIDs = exts.GetExtensionOids(); foreach (var x509ExtOid in extOIDs) { var ext = exts.GetExtension(x509ExtOid); if (x509ExtOid.Id == "2.5.29.37") //extKeyUsage sequence { Asn1OctetString oct = ext.Value; Asn1Sequence seq = Asn1Sequence.GetInstance(oct.GetOctets()); foreach (DerObjectIdentifier obj in seq) { if (threeYearsValidExtKeyId == obj.Id) { var startDate = DateTime.Now; certGen.SetNotBefore(startDate); certGen.SetNotAfter(startDate.AddYears(3)); break; } } } certGen.AddExtension( x509ExtOid, ext.IsCritical, ext.GetParsedValue() ); } ApplyCrlExtension(certGen, _crlLink); ApplyAuthorityInfoAccess(certGen, _rootCertLink); }
private byte[] gen() { TextReader textReader = new StreamReader("certificaterequest.pkcs10"); PemReader pemReader = new PemReader(textReader); Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject(); CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo(); SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo; RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey()); RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent); bool certIsOK = certificationRequest.Verify(publicKey); // public key is OK here... // get the server certificate Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer")); // get the server private key byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key"); AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes); // generate the client certificate X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random())); generator.SetIssuerDN(serverCertificate.SubjectDN); generator.SetNotBefore(DateTime.Now); generator.SetNotAfter(DateTime.Now.AddYears(5)); generator.SetSubjectDN(certificationRequestInfo.Subject); generator.SetPublicKey(publicKey); generator.SetSignatureAlgorithm("SHA512withRSA"); generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate)); generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey)); var newClientCert = generator.Generate(serverPrivateKey); newClientCert.Verify(publicKey); // <-- this blows up return(DotNetUtilities.ToX509Certificate(newClientCert).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, "user password")); }
/// <summary> /// Generates client certificate by certificate signing request. /// </summary> /// <param name="csrBytes">CSR as bytes array</param> /// <param name="commonName">Common name of certificate</param> /// <exception cref="InvalidCastException">Invalid format of CSR</exception> /// <returns></returns> public static X509Certificate2 SignRequest(byte[] csrBytes, string commonName) { if (string.IsNullOrEmpty(commonName)) { throw new ArgumentNullException("commonName"); } var certificationRequest = new Pkcs10CertificationRequest(csrBytes); CertificationRequestInfo csrInfo = certificationRequest.GetCertificationRequestInfo(); SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo; AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki); // Version1 (No Extensions) Certificate DateTime startDate = DateTime.UtcNow; DateTime expiryDate = startDate.AddYears(100); var serialNumber = new BigInteger(32, new Random()); var certGen = new X509V1CertificateGenerator(); var x509ServerCertificate = ServerCertificate; var caCert = DotNetUtilities.FromX509Certificate(x509ServerCertificate); certGen.SetSerialNumber(serialNumber); certGen.SetIssuerDN(caCert.SubjectDN); certGen.SetNotBefore(startDate); certGen.SetNotAfter(expiryDate); certGen.SetSubjectDN(CreateSubject(commonName)); certGen.SetSignatureAlgorithm("SHA256withRSA"); certGen.SetPublicKey(publicKey); var keyPath = string.Format(@"{0}\App_Data\server.key", AppDomain.CurrentDomain.BaseDirectory); AsymmetricCipherKeyPair keyPair; using (var reader = File.OpenText(keyPath)) { keyPair = (AsymmetricCipherKeyPair) new PemReader(reader, new PasswordFinder()).ReadObject(); } Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(keyPair.Private); return(new X509Certificate2(DotNetUtilities.ToX509Certificate(cert))); }
internal X509Certificate GenerateTemporarySelfSignedCertificate(AsymmetricCipherKeyPair asymmetricCipherKeyPair, Pkcs10CertificationRequest certificationRequest, BigInteger enrollmentID, int numberOfYear) { X509Name x509NameSubject = certificationRequest.GetCertificationRequestInfo().Subject; X509V3CertificateGenerator x509V3CertificateGenerator = new X509V3CertificateGenerator(); DateTime fromDate = DateTime.Today; DateTime toDate = fromDate.AddYears(numberOfYear); x509V3CertificateGenerator.SetIssuerDN(x509NameSubject); x509V3CertificateGenerator.SetNotBefore(fromDate); x509V3CertificateGenerator.SetNotAfter(toDate); x509V3CertificateGenerator.SetPublicKey(asymmetricCipherKeyPair.Public); x509V3CertificateGenerator.SetSerialNumber(enrollmentID); x509V3CertificateGenerator.SetSignatureAlgorithm(Constants.Algorithm.SIGNING); x509V3CertificateGenerator.SetSubjectDN(x509NameSubject); X509Certificate x509Certificate = x509V3CertificateGenerator.Generate(asymmetricCipherKeyPair.Private); return(x509Certificate); }
public X509Certificate IssueCertificate( Pkcs10CertificationRequest request, ExtensionBuilder extensionBuilder, string customDN = null ) { var caCert = GetRootCert(); var caKey = GetRootKey(); var startDate = DateTime.Now; var expiryDate = DateTime.Now.AddYears(1); var serialNumber = BigIntegers.CreateRandomInRange( BigInteger.ValueOf(2).Pow(63), BigInteger.ValueOf(2).Pow(64), new SecureRandom() ); var certGen = new X509V3CertificateGenerator(); certGen.SetSerialNumber(serialNumber); certGen.SetIssuerDN(caCert.SubjectDN); certGen.SetNotBefore(startDate); certGen.SetNotAfter(expiryDate); certGen.SetPublicKey(request.GetPublicKey()); if (!string.IsNullOrEmpty(customDN)) { certGen.SetSubjectDN(new X509Name(customDN)); } else { certGen.SetSubjectDN(request.GetCertificationRequestInfo().Subject); } extensionBuilder.Build(certGen, request, caCert); var x509Certificate = GenerateCertificate(caKey, certGen); return(x509Certificate); }
public MSX509.X509Certificate2 SignRequest(string csrFile, Usage usage, int validity, MSX509.StoreName storeName) { Pkcs10CertificationRequest request = ReadPkcs10(csrFile); var info = request.GetCertificationRequestInfo(); SubjectPublicKeyInfo publicKeyInfo = info.SubjectPublicKeyInfo; RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey()); RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent); if (!request.Verify(publicKey)) { throw new ApplicationException("The CSR is not valid: verification failed"); } MSX509.X509Certificate2 root = GetRootCertificate(); if (root == null) { throw new ApplicationException("Root certificate not found"); } return(InternalGenerateCertificate(info.Subject, usage, validity, storeName, publicKey, null, DotNetUtilities.GetKeyPair(root.PrivateKey).Private)); }
/// <summary> /// Sign a certificate /// </summary> /// <param name="signingCert">Issuer X509Certificate2</param> /// <param name="csrData">CSR Data</param> /// <returns>X509Certificate2 Certificate</returns> private X509Certificate2 SignCertificate(X509Certificate2 signingCert, byte[] csrData) { //Get CSR and retrieve public key Pkcs10CertificationRequest certRequest = new Pkcs10CertificationRequest(csrData); CertificationRequestInfo certInfo = certRequest.GetCertificationRequestInfo(); SubjectPublicKeyInfo certPublicKeyInfo = certInfo.SubjectPublicKeyInfo; AsymmetricKeyParameter certPublicKey = PublicKeyFactory.CreateKey(certPublicKeyInfo); if (!certRequest.Verify(certPublicKey)) { throw new ApplicationException("The CSR is not valid: verification failed"); } //Get private key of intermediate issuer, to be used to sign the certificate var issuer = DotNetUtilities.FromX509Certificate(signingCert); AsymmetricCipherKeyPair keyPrivate = DotNetUtilities.GetRsaKeyPair(signingCert.GetRSAPrivateKey()); //Get the serial number of the issuer var issuerSerialNumber = new BigInteger(signingCert.GetSerialNumber()); //Generate a signed certificate return(GenerateCertificate(certInfo.Subject, certPublicKey, certPublicKeyInfo, issuer.SubjectDN, issuer.GetPublicKey(), keyPrivate.Private, issuerSerialNumber)); }
private void readRequest() { // Perform POP on the request if (!request.Verify()) { throw new SignatureException("Invalid signature on PKCS#10 request"); } // Contents info = request.GetCertificationRequestInfo(); // Extensions in OSCA format foreach (DerObjectIdentifier oid in Extensions.ExtensionOids) { oscaExtensions.Add(ProfileExtensionFactory.GetExtension(oid, Extensions.GetExtension(oid))); } // Attributes foreach (object entry in Attributes) { AttributePkcs attrib = AttributePkcs.GetInstance(entry); attributes.Add(attrib.AttrType, attrib.AttrValues); } }
/// <summary> /// Enroll certificate file base on request /// </summary> /// <param name="cerRequest"></param> /// <param name="rootCert"></param> /// <param name="issuerKeyPair"></param> /// <param name="startDate"></param> /// <param name="endDate"></param> /// <returns></returns> private Org.BouncyCastle.X509.X509Certificate GenerateSignedCertificate( Pkcs10CertificationRequest cerRequest, Org.BouncyCastle.X509.X509Certificate rootCert, AsymmetricCipherKeyPair issuerKeyPair, DateTime startDate, DateTime endDate) { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.SetSerialNumber(BigInteger.One); certGen.SetIssuerDN(rootCert.SubjectDN); certGen.SetNotBefore(startDate); certGen.SetNotAfter(endDate); CertificationRequestInfo info = cerRequest.GetCertificationRequestInfo(); certGen.SetSubjectDN(info.Subject); certGen.SetPublicKey(cerRequest.GetPublicKey()); AlgorithmIdentifier sigAlg = cerRequest.SignatureAlgorithm; string algName = GetAlgorithmName(sigAlg.Algorithm.Id); certGen.SetSignatureAlgorithm(algName); // Add certificate extensions Asn1Set attributes = cerRequest.GetCertificationRequestInfo().Attributes; if (attributes != null) { for (int i = 0; i != attributes.Count; i++) { AttributePkcs attr = AttributePkcs.GetInstance(attributes[i]); if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) { X509Extensions extensions1 = X509Extensions.GetInstance(attr.AttrValues[0]); foreach (DerObjectIdentifier oid in extensions1.ExtensionOids) { Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions1.GetExtension(oid); certGen.AddExtension(oid, ext.IsCritical, ext.GetParsedValue()); } } } } Org.BouncyCastle.X509.X509Certificate issuedCert = null; try { issuedCert = certGen.Generate(issuerKeyPair.Private); tbOutputMessageBox.Text += "Certificate file sucessfully generated." + "\n"; Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Certificate file sucessfully generated." + "\n", Foreground = System.Windows.Media.Brushes.Green }); })); } catch (Exception ex) { Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Error, generate certificate file." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n", Foreground = System.Windows.Media.Brushes.Red }); })); } try { Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Check if generated certificate file is valid, plase wait ..." + "\n", Foreground = System.Windows.Media.Brushes.Black }); })); issuedCert.CheckValidity(DateTime.UtcNow); Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Generate certificate file is valid." + "\n", Foreground = System.Windows.Media.Brushes.Black }); })); } catch (Exception ex) { Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Error, generated certificate file is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n", Foreground = System.Windows.Media.Brushes.Red }); })); } try { tbOutputMessageBox.Inlines.Add(new Run { Text = "Verify generated certificate file, plase wait ..." + "\n", Foreground = System.Windows.Media.Brushes.Black }); issuedCert.Verify(issuerKeyPair.Public); Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Generate certificate file verification is OK." + "\n", Foreground = System.Windows.Media.Brushes.Green }); })); } catch (Exception ex) { Application.Current.Dispatcher.Invoke(new Action(() => { tbOutputMessageBox.Inlines.Add(new Run { Text = "Error, generated certificate file verification is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n", Foreground = System.Windows.Media.Brushes.Red }); })); } return(issuedCert); }
/* * we generate a self signed certificate for the sake of testing - SHA224withECDSA */ private void createECRequest( string algorithm, DerObjectIdentifier algOid) { FpCurve curve = new FpCurve( new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151"), // q (or p) new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16), // a new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)); // b ECDomainParameters spec = new ECDomainParameters( curve, // curve.DecodePoint(Hex.Decode("02C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G curve.DecodePoint(Hex.Decode("0200C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)); // n ECPrivateKeyParameters privKey = new ECPrivateKeyParameters( new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d spec); ECPublicKeyParameters pubKey = new ECPublicKeyParameters( // curve.DecodePoint(Hex.Decode("026BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q curve.DecodePoint(Hex.Decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q spec); // // // // set up the keys // // // AsymmetricKeyParameter privKey; // AsymmetricKeyParameter pubKey; // // KeyFactory fact = KeyFactory.getInstance("ECDSA"); // // privKey = fact.generatePrivate(privKeySpec); // pubKey = fact.generatePublic(pubKeySpec); Pkcs10CertificationRequest req = new Pkcs10CertificationRequest( algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); if (!req.Verify()) { Fail("Failed Verify check EC."); } req = new Pkcs10CertificationRequest(req.GetEncoded()); if (!req.Verify()) { Fail("Failed Verify check EC encoded."); } // // try with point compression turned off // // ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); FpPoint q = (FpPoint)pubKey.Q; pubKey = new ECPublicKeyParameters( pubKey.AlgorithmName, new FpPoint(q.Curve, q.X, q.Y, false), pubKey.Parameters); req = new Pkcs10CertificationRequest( algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); if (!req.Verify()) { Fail("Failed Verify check EC uncompressed."); } req = new Pkcs10CertificationRequest(req.GetEncoded()); if (!req.Verify()) { Fail("Failed Verify check EC uncompressed encoded."); } if (!req.SignatureAlgorithm.ObjectID.Equals(algOid)) { Fail("ECDSA oid incorrect."); } if (req.SignatureAlgorithm.Parameters != null) { Fail("ECDSA parameters incorrect."); } ISigner sig = SignerUtilities.GetSigner(algorithm); sig.Init(false, pubKey); byte[] b = req.GetCertificationRequestInfo().GetEncoded(); sig.BlockUpdate(b, 0, b.Length); if (!sig.VerifySignature(req.Signature.GetBytes())) { Fail("signature not mapped correctly."); } }
public async Task ValidateMergeCertificate() { string serverCertificateName = Recording.GenerateId(); // Generate the request. CertificatePolicy policy = new CertificatePolicy(WellKnownIssuerNames.Unknown, "CN=Azure SDK") { CertificateTransparency = false, ContentType = CertificateContentType.Pkcs12, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(serverCertificateName, policy); RegisterForCleanup(serverCertificateName); await using IAsyncDisposable disposableOperation = EnsureDeleted(operation); // Read the CA. byte[] caCertificateBytes = Convert.FromBase64String(CaPublicKeyBase64); X509Certificate2 caCertificate = new X509Certificate2(caCertificateBytes); // Read CA private key since getting it from caCertificate above throws. AsymmetricCipherKeyPair caPrivateKey; using (StringReader caPrivateKeyReader = new StringReader(CaPrivateKeyPem)) { Org.BouncyCastle.OpenSsl.PemReader reader = new Org.BouncyCastle.OpenSsl.PemReader(caPrivateKeyReader); caPrivateKey = (AsymmetricCipherKeyPair)reader.ReadObject(); } // Read the CSR. Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest(operation.Properties.Csr); CertificationRequestInfo csrInfo = csr.GetCertificationRequestInfo(); // Parse the issuer subject name. Hashtable oidLookup = new Hashtable(X509Name.DefaultLookup) { { "s", new DerObjectIdentifier("2.5.4.8") }, }; X509Name issuerName = new X509Name(true, oidLookup, caCertificate.Subject); // Sign the request. X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.SetIssuerDN(issuerName); generator.SetSerialNumber(BigInteger.One); generator.SetNotBefore(DateTime.Now); generator.SetNotAfter(DateTime.Now.AddDays(1)); generator.SetSubjectDN(csrInfo.Subject); generator.SetPublicKey(csr.GetPublicKey()); Asn1SignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", caPrivateKey.Private); X509Certificate serverSignedPublicKey = generator.Generate(signatureFactory); // Merge the certificate chain. MergeCertificateOptions options = new MergeCertificateOptions(serverCertificateName, new[] { serverSignedPublicKey.GetEncoded(), caCertificateBytes }); KeyVaultCertificateWithPolicy mergedServerCertificate = await Client.MergeCertificateAsync(options); X509Certificate2 serverCertificate = new X509Certificate2(mergedServerCertificate.Cer); Assert.AreEqual(csrInfo.Subject.ToString(), serverCertificate.Subject); Assert.AreEqual(serverCertificateName, mergedServerCertificate.Name); KeyVaultCertificateWithPolicy completedServerCertificate = await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); Assert.AreEqual(mergedServerCertificate.Name, completedServerCertificate.Name); CollectionAssert.AreEqual(mergedServerCertificate.Cer, completedServerCertificate.Cer); }
static void Main(string[] args) { var serviceProvider = new ServiceCollection() .AddCertificateManager() .BuildServiceProvider(); var createCertificates = serviceProvider.GetService <CreateCertificates>(); var certificateUtility = serviceProvider.GetService <CertificateUtility>(); string password = "******"; var signingCertificate = new X509Certificate2("root.cert.pfx", password); var enhancedKeyUsages = new OidCollection { OidLookup.ClientAuthentication, OidLookup.ServerAuthentication }; var basicConstraints = new CertificateManager.Models.BasicConstraints { CertificateAuthority = false, HasPathLengthConstraint = true, PathLengthConstraint = 3, Critical = true }; var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.NonRepudiation; // Read in CSR data from a file Pkcs10CertificationRequest decodedCsr = (Pkcs10CertificationRequest) new PemReader(new StringReader(File.ReadAllText(args[0]))).ReadObject(); // Get Common Name (CN) from CSR Subject CertificationRequestInfo csrData = decodedCsr.GetCertificationRequestInfo(); var subjectKeyPairs = csrData.Subject.ToString().Split(',') .Select(x => x.Split('=')) .Where(x => x.Length == 2) .ToDictionary(x => x.First(), x => x.Last()); var commonName = subjectKeyPairs["CN"]; var subjectAlternativeName = new SubjectAlternativeName { DnsName = new List <string> { commonName, } }; // Get Public key data from CSR and create RSA data based on that RsaKeyParameters rsaKeyParams = (RsaKeyParameters)decodedCsr.GetPublicKey(); var rsaParams = new RSAParameters(); rsaParams.Modulus = rsaKeyParams.Modulus.ToByteArray(); rsaParams.Exponent = rsaKeyParams.Exponent.ToByteArray(); var rsa = RSA.Create(); rsa.ImportParameters(rsaParams); // Create Certificate Request with the data extracted from csr file earlier var rsaConfiguration = new RsaConfiguration(); var request = new CertificateRequest( certificateUtility.CreateIssuerOrSubject(new DistinguishedName { CommonName = commonName }), rsa, rsaConfiguration.HashAlgorithmName, rsaConfiguration.RSASignaturePadding); // Sign the csr var device1Certificate = createCertificates.NewRsaChainedCertificate( basicConstraints, new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(1) }, subjectAlternativeName, signingCertificate, enhancedKeyUsages, x509KeyUsageFlags, request, null); // Export content of certificates into files var importExportCertificate = serviceProvider.GetService <ImportExportCertificate>(); var deviceCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(device1Certificate); var signingCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(signingCertificate); File.WriteAllText("device1.cert.pem", deviceCertificatePem); File.WriteAllText("device1-full-chain.cert.pem", String.Concat(deviceCertificatePem, signingCertificatePem)); Console.WriteLine("Certificates exported to pem files"); }
/// <summary> /// Enroll certificate file base on request /// </summary> /// <param name="csr"></param> /// <param name="rootCert"></param> /// <param name="issuerKeyPair"></param> /// <param name="startDate"></param> /// <param name="endDate"></param> /// <returns></returns> private Org.BouncyCastle.X509.X509Certificate GenerateSignedCertificate( Pkcs10CertificationRequest csr, Org.BouncyCastle.X509.X509Certificate rootCert, AsymmetricCipherKeyPair issuerKeyPair, DateTime startDate, DateTime endDate) { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); //List<ExtensionsItem> extensions = null; certGen.SetSerialNumber(BigInteger.One); certGen.SetIssuerDN(rootCert.SubjectDN); certGen.SetNotBefore(startDate); certGen.SetNotAfter(endDate); CertificationRequestInfo info = csr.GetCertificationRequestInfo(); certGen.SetSubjectDN(info.Subject); certGen.SetPublicKey(csr.GetPublicKey()); var sigAlg = csr.Signature; var sigAlg1 = csr.SignatureAlgorithm; certGen.SetSignatureAlgorithm("SHA1WithRSAEncryption"); // Add certificate extensions Asn1Set attributes = csr.GetCertificationRequestInfo().Attributes; if (attributes != null) { for (int i = 0; i != attributes.Count; i++) { AttributePkcs attr = AttributePkcs.GetInstance(attributes[i]); if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) { X509Extensions extensions1 = X509Extensions.GetInstance(attr.AttrValues[0]); foreach (DerObjectIdentifier oid in extensions1.ExtensionOids) { Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions1.GetExtension(oid); // !!! NOT working !!! //certGen.AddExtension(oid, ext.IsCritical, ext.Value); //OK certGen.AddExtension(oid, ext.IsCritical, ext.Value, true); } } } } Org.BouncyCastle.X509.X509Certificate issuedCert = null; try { issuedCert = certGen.Generate(issuerKeyPair.Private); tbOutputMessageBox.Text += "Certificate file sucessfully generated." + "\n"; } catch (Exception ex) { Brush bckForeground = tbOutputMessageBox.Foreground; tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red); tbOutputMessageBox.Text += "Error, generate certificate file." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n"; tbOutputMessageBox.Foreground = bckForeground; } try { tbOutputMessageBox.Text += "Check if generated certificate file is valid, plase wait ..." + "\n"; issuedCert.CheckValidity(DateTime.UtcNow); tbOutputMessageBox.Text += "Generate certificate file is valid." + "\n"; } catch (Exception ex) { Brush bckForeground = tbOutputMessageBox.Foreground; tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red); tbOutputMessageBox.Text += "Error, generated certificate file is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n"; tbOutputMessageBox.Foreground = bckForeground; } try { tbOutputMessageBox.Text += "Verify generated certificate file, plase wait ..." + "\n"; issuedCert.Verify(issuerKeyPair.Public); tbOutputMessageBox.Text += "Generate certificate file verification is OK." + "\n"; } catch (Exception ex) { Brush bckForeground = tbOutputMessageBox.Foreground; tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red); tbOutputMessageBox.Text += "Error, generated certificate file verification is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n"; tbOutputMessageBox.Foreground = bckForeground; } return(issuedCert); }
public PkiCertificateSigningRequest(PkiEncodingFormat format, byte[] encoded, PkiHashAlgorithm hashAlgorithm) { Pkcs10CertificationRequest pkcs10; switch (format) { case PkiEncodingFormat.Pem: var encodedString = Encoding.UTF8.GetString(encoded); using (var sr = new StringReader(encodedString)) { var pemReader = new PemReader(sr); pkcs10 = pemReader.ReadObject() as Pkcs10CertificationRequest; if (pkcs10 == null) { throw new Exception("invalid PEM object is not PKCS#10 archive"); } } break; case PkiEncodingFormat.Der: pkcs10 = new Pkcs10CertificationRequest(encoded); break; default: throw new NotSupportedException(); } var info = pkcs10.GetCertificationRequestInfo(); var nativePublicKey = pkcs10.GetPublicKey(); var rsaKey = nativePublicKey as RsaKeyParameters; var ecdsaKey = nativePublicKey as ECPublicKeyParameters; if (rsaKey != null) { PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Rsa); } else if (ecdsaKey != null) { PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Ecdsa); } else { throw new NotSupportedException("unsupported asymmetric algorithm key"); } SubjectName = info.Subject.ToString(); HashAlgorithm = hashAlgorithm; // // // Based on: // // // http://forum.rebex.net/4284/pkcs10-certificate-request-example-provided-castle-working // // var extGen = new X509ExtensionsGenerator(); // // foreach (var ext in CertificateExtensions) // // { // // extGen.AddExtension(ext.Identifier, ext.IsCritical, ext.Value); // // } // // var attr = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, // // new DerSet(extGen.Generate())); // Based on: // http://unitstep.net/blog/2008/10/27/extracting-x509-extensions-from-a-csr-using-the-bouncy-castle-apis/ // https://stackoverflow.com/q/24448909/5428506 foreach (var attr in info.Attributes.ToArray()) { if (attr is DerSequence derSeq && derSeq.Count == 2) { var attrX509 = AttributeX509.GetInstance(attr); if (object.Equals(attrX509.AttrType, PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) { // The `Extension Request` attribute is present. // The X509Extensions are contained as a value of the ASN.1 Set. // Assume that it is the first value of the set. if (attrX509.AttrValues.Count >= 1) { var csrExts = X509Extensions.GetInstance(attrX509.AttrValues[0]); foreach (var extOid in csrExts.GetExtensionOids()) { if (object.Equals(extOid, X509Extensions.SubjectAlternativeName)) { var ext = csrExts.GetExtension(extOid); var extVal = ext.Value; var der = extVal.GetDerEncoded(); // The ext value, which is an ASN.1 Octet String, **MIGHT** be tagged with // a leading indicator that it's an Octet String and its length, so we want // to remove it if that's the case to extract the GeneralNames collection if (der.Length > 2 && der[0] == 4 && der[1] == der.Length - 2) { der = der.Skip(2).ToArray(); } var asn1obj = Asn1Object.FromByteArray(der); var gnames = GeneralNames.GetInstance(asn1obj); CertificateExtensions.Add(new PkiCertificateExtension { Identifier = extOid, IsCritical = ext.IsCritical, Value = gnames, }); } } // No need to search any more. break; } } } } }
public static async Task <IActionResult> Run( [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req, ILogger log, ExecutionContext context) { log.LogInformation("Certificate trigger function processed a request."); try { await ReadAppSettings(context, log); string requestBody = await new StreamReader(req.Body).ReadToEndAsync(); Certificate_Request request = JsonConvert.DeserializeObject <Certificate_Request>(requestBody); // Validate payload if (string.IsNullOrEmpty(request.RegistrationId) || string.IsNullOrEmpty(request.Csr)) { return(new BadRequestResult()); } // Check if the device is authorized to request a certificate bool isAuthorized = CheckIfAuthorized(request.RegistrationId); if (isAuthorized) { log.LogInformation($"{request.RegistrationId} is authorized."); Pkcs10CertificationRequest decodedCsr = null; RsaKeyParameters publicKey = null; CertificationRequestInfo info = null; // Get the signing certificate from a location X509Certificate serverCertificate = ReadCertificate(cert, location, log); if (serverCertificate == null) { throw new System.Exception("ReadCertificate() was unable to retrieve the signing certificate."); } // Get signing cert private key from a location. AsymmetricKeyParameter serverPrivateKey = ReadPrivateKey(key, location, log); if (serverPrivateKey == null) { throw new System.Exception("ReadPrivateKey() was unable to retrieve the private key."); } byte[] csr = Convert.FromBase64String(request.Csr); // Decode DER decodedCsr = new Pkcs10CertificationRequest(csr); info = decodedCsr.GetCertificationRequestInfo(); SubjectPublicKeyInfo publicKeyInfo = info.SubjectPublicKeyInfo; RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.ParsePublicKey()); publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent); bool certIsOK = decodedCsr.Verify(publicKey); // Create the device certificate X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random())); generator.SetIssuerDN(serverCertificate.SubjectDN); generator.SetNotBefore(DateTime.Now); generator.SetNotAfter(DateTime.Now.AddYears(certificateLifespanInYears)); generator.SetSubjectDN(info.Subject); generator.SetPublicKey(publicKey); generator.SetSignatureAlgorithm("SHA512withRSA"); generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate)); generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey)); // Generate the device certificate var deviceCert = generator.Generate(serverPrivateKey); // Convert to DER byte[] encoded = deviceCert.GetEncoded(); // Convert byte array to Base64 string string encodedString = Convert.ToBase64String(encoded); Certificate_Response responseMessage = new Certificate_Response { Certificate = encodedString }; log.LogInformation($"Certificate issued for: {info.Subject}"); return(new OkObjectResult(responseMessage)); } else { log.LogError($"{request.RegistrationId} is NOT authorized."); return(new UnauthorizedResult()); } } catch (Exception ex) { log.LogInformation(ex.Message); } return(new BadRequestResult()); }
/* * we generate a self signed certificate for the sake of testing - SHA224withECDSA */ private void createECRequest( string algorithm, DerObjectIdentifier algOid) { X9ECParameters x9 = ECNamedCurveTable.GetByName("secp521r1"); ECCurve curve = x9.Curve; ECDomainParameters spec = new ECDomainParameters(curve, x9.G, x9.N, x9.H); ECPrivateKeyParameters privKey = new ECPrivateKeyParameters( new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d spec); ECPublicKeyParameters pubKey = new ECPublicKeyParameters( // curve.DecodePoint(Hex.Decode("026BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q curve.DecodePoint(Hex.Decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q spec); // // // // set up the keys // // // AsymmetricKeyParameter privKey; // AsymmetricKeyParameter pubKey; // // KeyFactory fact = KeyFactory.getInstance("ECDSA"); // // privKey = fact.generatePrivate(privKeySpec); // pubKey = fact.generatePublic(pubKeySpec); Pkcs10CertificationRequest req = new Pkcs10CertificationRequest( algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); if (!req.Verify()) { Fail("Failed Verify check EC."); } req = new Pkcs10CertificationRequest(req.GetEncoded()); if (!req.Verify()) { Fail("Failed Verify check EC encoded."); } // // try with point compression turned off // // ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED"); ECPoint q = pubKey.Q.Normalize(); pubKey = new ECPublicKeyParameters( pubKey.AlgorithmName, q.Curve.CreatePoint(q.XCoord.ToBigInteger(), q.YCoord.ToBigInteger()), pubKey.Parameters); req = new Pkcs10CertificationRequest( algorithm, new X509Name("CN=XXX"), pubKey, null, privKey); if (!req.Verify()) { Fail("Failed Verify check EC uncompressed."); } req = new Pkcs10CertificationRequest(req.GetEncoded()); if (!req.Verify()) { Fail("Failed Verify check EC uncompressed encoded."); } if (!req.SignatureAlgorithm.Algorithm.Equals(algOid)) { Fail("ECDSA oid incorrect."); } if (req.SignatureAlgorithm.Parameters != null) { Fail("ECDSA parameters incorrect."); } ISigner sig = SignerUtilities.GetSigner(algorithm); sig.Init(false, pubKey); byte[] b = req.GetCertificationRequestInfo().GetEncoded(); sig.BlockUpdate(b, 0, b.Length); if (!sig.VerifySignature(req.GetSignatureOctets())) { Fail("signature not mapped correctly."); } }
internal byte[] CreatePKCS10CSRTest(ParametersValidation validationRequest, out StepType stepType, out SoapException exc, out int timeout, DistinguishedName Subject, string KeyID, CSRAttribute[] CSRAttribute, AlgorithmIdentifier SignatureAlgorithm) { int special; VoidCommand("CreatePKCS10CSR", CreatePKCS10CSR, validationRequest, true, out stepType, out exc, out timeout, out special); byte[] result; switch (special) { case 1: //Correct response var subject = ""; if (null != Subject) { var r = new StringBuilder(); if (null != Subject.CommonName) { r.Append(string.Format("CN={0},", Subject.CommonName)); } if (null != Subject.Country) { r.Append(string.Format("C={0},", Subject.Country)); } if (null != Subject.Locality) { r.Append(string.Format("L={0},", Subject.Locality)); } if (null != Subject.Organization) { r.Append(string.Format("O={0},", Subject.Organization)); } if (null != Subject.OrganizationalUnit) { r.Append(string.Format("OU={0},", Subject.OrganizationalUnit)); } if (null != Subject.StateOrProvinceName) { r.Append(string.Format("ST={0},", Subject.StateOrProvinceName)); } subject = r.ToString().TrimEnd(','); } var generator = new RsaKeyPairGenerator(); generator.Init(new KeyGenerationParameters(new SecureRandom(), 1024)); var keyPair = generator.GenerateKeyPair(); var signatureAlg = "SHA1WithRSAEncryption"; if (null != SignatureAlgorithm && !string.IsNullOrEmpty(SignatureAlgorithm.algorithm)) { signatureAlg = SignatureAlgorithm.algorithm; } var csr = new Pkcs10CertificationRequest(signatureAlg, new X509Name(subject), keyPair.Public, null, keyPair.Private); TestCommon.writeToLogInfo("Public Key: " + csr.GetCertificationRequestInfo().SubjectPublicKeyInfo.PublicKeyData.ToString()); TestCommon.writeToLogInfo("Signature: " + csr.Signature.ToString()); TestCommon.writeToLogInfo("SignatureAlgorithm: " + csr.SignatureAlgorithm.ObjectID.ToString()); TestCommon.writeToLogInfo("Subject: " + csr.GetCertificationRequestInfo().Subject.ToString()); result = csr.GetEncoded(); break; case 2: //with sign error, sign lenght 1024 result = TestCommon.ReadBinary(TestCommon.PCS10Binary3Uri); break; case 3: //without error, sign lenght 3072 result = new byte[1]; break; case 4: //without error, sign lenght 3072 result = new byte[0]; break; case 5: //without sign error, sign lenght 1024, with wrong subject result = TestCommon.ReadBinary(TestCommon.PCS10Binary2Uri); break; default: result = null; break; } return(result); }