private CX500DistinguishedName GetEncodedSubject(CertificateSubject subject)
{
CX500DistinguishedName certDn = new CX500DistinguishedName();
certDn.Encode(subject.ToString(), X500NameFlags.XCN_CERT_NAME_STR_NONE);
return(certDn);
}
/// <summary>
/// Creates a self signed certificate given the parameters.
/// </summary>
/// <param name="subject"></param>
/// <param name="cipher"></param>
/// <param name="keysize"></param>
/// <param name="api"></param>
/// <returns></returns>
public X509Certificate2 CreateSelfSignedCertificate(CertificateSubject subject, CipherAlgorithm cipher, int keysize, WindowsApi api)
{
CX509PrivateKey privateKey = CreatePrivateKey(cipher, keysize);
CX509CertificateRequestCertificate pkcs10 = NewCertificateRequestCrc(subject, privateKey);
pkcs10.Issuer = pkcs10.Subject;
pkcs10.NotBefore = DateTime.Now.AddDays(-1);
pkcs10.NotAfter = DateTime.Now.AddYears(20);
var sigoid = new CObjectId();
var alg = new Oid("SHA256");
sigoid.InitializeFromValue(alg.Value);
pkcs10.SignatureInformation.HashAlgorithm = sigoid;
pkcs10.Encode();
CX509Enrollment enrollment = new CX509Enrollment();
enrollment.InitializeFromRequest(pkcs10);
string csr = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
InstallResponseRestrictionFlags restrictionFlags = InstallResponseRestrictionFlags.AllowUntrustedCertificate;
enrollment.InstallResponse(restrictionFlags, csr, EncodingType.XCN_CRYPT_STRING_BASE64, string.Empty);
string pwd = secret.NewSecret(16);
string pfx = enrollment.CreatePFX(pwd, PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
return(new X509Certificate2(Convert.FromBase64String(pfx), pwd));
}
private CertificateSubject BuildSubject(CX500DistinguishedName subject)
{
if (subject == null)
{
throw new CryptographicException("Win32CertificateProvider.BuildSubject - Subject from a decoded request cannot be null");
}
return(CertificateSubject.CreateFromDistinguishedName(subject.Name));
}
private CertificateRequest DecodeCmc(string csr)
{
IX509CertificateRequestCertificate cmc = (IX509CertificateRequestCertificate)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestCertificate"));
cmc.InitializeDecode(csr, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
CertificateSubject subject = BuildSubject(cmc.Subject);
return(ImproveDeserializedCsrFidelity(new CertificateRequest(subject, SigningRequestProtocol.Pkcs10, false), cmc.PublicKey));
}
public CertificateRequest
(
CertificateSubject subject,
SigningRequestProtocol csrProtocol,
bool managedPrivateKey
)
{
this.Subject = subject;
this.SigningRequestProtocol = csrProtocol;
this.ManagedPrivateKey = managedPrivateKey;
}
/// <summary>
/// Creates a new public and private key pair and the encoded csr is returned back in the CertificateRequest object.
/// For security reasons, the private key is kept on the machine that this method is invoked on.
/// The next step is to have a certificate authority sign the csr and the result should be provided to the InstallIssuedCertificate method.
/// </summary>
/// <param name="subject"></param>
/// <param name="cipher"></param>
/// <param name="keysize"></param>
/// <param name="api"></param>
/// <param name="protocol"></param>
/// <returns></returns>
public CertificateRequest CreateCsrKeyPair(CertificateSubject subject, CipherAlgorithm cipher, int keysize, WindowsApi api, SigningRequestProtocol protocol)
{
if (!requestValidation.IsValidWindowsApiForCipherAlgorithm(cipher, api))
{
throw new AlgorithmNotSupportedByProviderException("The cryptography provider specified does not support the specified cipher algorithm");
}
CX509PrivateKey privateKey = CreatePrivateKey(cipher, keysize, api);
return(CreateCsrFromPrivateKey(subject, cipher, keysize, privateKey));
}
private CertificateRequest CreateCsrFromPrivateKey(CertificateSubject subject, CipherAlgorithm cipher, int keysize, CX509PrivateKey privateKey)
{
CertificateRequest csr = new CertificateRequest(subject, cipher, keysize);
CX509CertificateRequestPkcs10 pkcs10 = NewCertificateRequestPkcs10(csr.Subject, privateKey);
csr.SubjectKeyIdentifier = GetSubjectKeyIdentifier(pkcs10);
csr.EncodedCsr = BuildEncodedCsr(pkcs10);
return(csr);
}
public static CertificateSubject CreateFromDistinguishedName(string dn)
{
if (String.IsNullOrWhiteSpace(dn))
{
throw new ArgumentNullException(nameof(dn));
}
if (!IsValidDistinguishedNameLength(dn))
{
throw new ArgumentOutOfRangeException(nameof(dn));
}
CertificateSubject subject = new CertificateSubject();
foreach (string item in dn.Split(','))
{
if (subject.IsCommonNameComponent(item))
{
subject.CommonName = subject.GetCommonName(item);
}
if (subject.IsDepartmentComponent(item))
{
subject.Department = subject.GetDepartment(item);
}
if (subject.IsOrganizationComponent(item))
{
subject.Organization = subject.GetOrganization(item);
}
if (subject.IsCityComponent(item))
{
subject.City = subject.GetCity(item);
}
if (subject.IsStateComponent(item))
{
subject.State = subject.GetState(item);
}
if (subject.IsCountryComponent(item))
{
subject.Country = subject.GetCountry(item);
}
}
return(subject);
}
private CX509CertificateRequestCertificate NewCertificateRequestCrc(CertificateSubject subject, CX509PrivateKey privateKey)
{
CX509CertificateRequestCertificate crc = new CX509CertificateRequestCertificate();
crc.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
crc.X509Extensions.Add(GetQualifiedSan(subject.SubjectAlternativeName));
crc.X509Extensions.Add(GetKeyUsage());
crc.Subject = GetEncodedSubject(subject);
return(crc);
}
private CX509CertificateRequestPkcs10 NewCertificateRequestPkcs10(CertificateSubject subject, CX509PrivateKey privateKey)
{
CX509CertificateRequestPkcs10 pkcs10 = new CX509CertificateRequestPkcs10();
pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
if (subject.ContainsSubjectAlternativeName)
{
pkcs10.X509Extensions.Add(GetQualifiedSan(subject.SubjectAlternativeName));
}
pkcs10.X509Extensions.Add(GetKeyUsage());
pkcs10.Subject = GetEncodedSubject(subject);
return(pkcs10);
}
public CertificateRequest
(
CertificateSubject subject,
CipherAlgorithm cipher = CipherAlgorithm.ECDH,
int keySize = 384
)
{
CertificateRequestValidation requestValidation = new CertificateRequestValidation();
if (!requestValidation.IsValidKeySize(cipher, keySize))
{
throw new KeySizeUnsupportedException(String.Format("The keysize specified '{0}' is not supported by the specified algorithm '{1}'", keySize, cipher));
}
Subject = subject ?? throw new ArgumentNullException(nameof(subject));
CipherAlgorithm = cipher;
KeySize = keySize;
ManagedPrivateKey = true;
SigningRequestProtocol = SigningRequestProtocol.Pkcs10;
}
