public SimpleCA(string countryCode, string organization, string orgunit, string commonName)
{
var distinguishedName = $"C={countryCode};O={organization};OU={orgunit};CN={commonName}";
//var distinguishedName = "C=US;O=Microsoft;OU=WGA;CN=TedSt";
//CN={commonName}/OU={organizationUnit}/O={organization}/DC={domain}/STREET={address}/L={locality}/ST={state}/C={country}/DC={domainComponent}"
var dn = new System.Security.Cryptography.X509Certificates.X500DistinguishedName(
distinguishedName
);
var key = System.Security.Cryptography.RSA.Create();
key.KeySize = 4096;
var hash = System.Security.Cryptography.HashAlgorithmName.SHA512;
var req = new System.Security.Cryptography.X509Certificates.CertificateRequest(dn, key, hash, RSASignaturePadding.Pss);
var q = Oid.FromFriendlyName("", OidGroup.EnhancedKeyUsage);
Oid.FromOidValue("", OidGroup.EnhancedKeyUsage);
var r = new OidCollection();
r.Add(q);
var v = new X509EnhancedKeyUsageExtension(r, false);
req.CertificateExtensions.Add(SetEnhancedKeyUsage(keyCertSign: true));
req.CertificateExtensions.Add(SetBasicConstraints(true));
req.CertificateExtensions.Add(v);
var now = DateTimeOffset.UtcNow;
var startDate = now - TimeSpan.FromMinutes(5);
var endDate = DateTimeOffset.UtcNow + TimeSpan.FromDays(365.25 * 10);
rootCert = req.CreateSelfSigned(startDate, endDate);
rootKey = key;
var rootKeyChain = rootCert.Export(X509ContentType.Pkcs12);
}
public void GenerateHierrachyUsingNetClass()
{
using (RSA parent = RSA.Create(4096))
using (RSA rsa = RSA.Create(2048))
{
System.Security.Cryptography.X509Certificates.CertificateRequest parentReq = new System.Security.Cryptography.X509Certificates.CertificateRequest(
"CN=Experimental Issuing Authority",
parent,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
parentReq.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
parentReq.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false));
//var csr = parentReq.CreateSigningRequest();
using (X509Certificate2 parentCert = parentReq.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-45),
DateTimeOffset.UtcNow.AddDays(365)))
{
CertificateRequest req = new CertificateRequest(
"CN=Valid-Looking Timestamp Authority",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, false));
req.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation,
false));
//https://pkisolutions.com/object-identifiers-oid-in-pki/
//https://docs.microsoft.com/en-us/windows/desktop/seccertenroll/supported-extensions
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection
{
new Oid("1.3.6.1.5.5.7.3.8")
},
true));
req.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
req.CreateSigningRequest();
using (X509Certificate2 cert = req.Create(
parentCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(90),
new byte[] { 1, 2, 3, 4 }))
{
// Do something with these certs, like export them to PFX,
// or add them to an X509Store, or whatever.
}
using (X509Certificate2 cert = req.Create(
parentCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddDays(90),
new byte[] { 1, 2, 3, 4 }))
{
// Do something with these certs, like export them to PFX,
// or add them to an X509Store, or whatever.
}
}
}
}
public static void HybridCertificateRequestTest()
{
const string TestCN = "CN=Test";
const string LeafCN = "CN=Leaf";
var serialNumber = new byte[20];
var rand = new Random();
rand.NextBytes(serialNumber);
serialNumber[0] = 0x80;
using (var rsa1 = RSA.Create())
using (var ecdsa2 = ECDsa.Create()) {
var request1 = new CertificateRequest(TestCN, rsa1, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request1.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, false));
Assert.NotNull(request1.PublicKey);
Assert.NotNull(request1.CertificateExtensions);
Assert.NotEmpty(request1.CertificateExtensions);
Assert.Equal(TestCN, request1.SubjectName.Name);
var ca = request1.CreateSelfSigned(DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow + TimeSpan.FromDays(1));
Assert.Equal(ca.Subject, TestCN);
var request2 = new CertificateRequest(LeafCN, ecdsa2, HashAlgorithmName.SHA512);
request2.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
Assert.NotNull(request2.PublicKey);
Assert.NotNull(request2.CertificateExtensions);
Assert.NotEmpty(request2.CertificateExtensions);
Assert.Equal(LeafCN, request2.SubjectName.Name);
var signer = X509SignatureGenerator.CreateForRSA(rsa1, RSASignaturePadding.Pkcs1);
var leaf = request2.Create(ca.SubjectName, signer, DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow + TimeSpan.FromHours(1), serialNumber);
Assert.Equal(leaf.Subject, LeafCN);
Assert.Equal(new SerialNumber(serialNumber).ToString(), leaf.SerialNumber);
Assert.NotNull(leaf.Extensions);
Assert.Single(leaf.Extensions);
Assert.NotNull(leaf.GetBasicConstraintsExtension());
var buffer = request2.CreateSigningRequest();
var info = buffer.ToCertificationRequestInfo();
Assert.True(info.GetPublicKey().SameAs(ecdsa2.ToPublicKey()));
Assert.Equal(LeafCN, new X500DistinguishedName(info.Subject.GetEncoded()).Name);
var csr = buffer.ToCertificateRequest(SignatureType.PS256);
// var pubk = csr.PublicKey.Key;
// Assert.True(pubk.ToPublicKey().SameAs(rsa2.ToPublicKey()));
Assert.Equal(LeafCN, csr.SubjectName.Name);
var leaf2 = csr.Create(ca.SubjectName, signer, DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow + TimeSpan.FromHours(1), serialNumber);
Assert.True(leaf2.GetECDsaPublicKey().ToPublicKey().SameAs(ecdsa2.ToPublicKey()));
Assert.NotNull(leaf2.PublicKey);
Assert.NotNull(leaf2.Extensions);
Assert.Single(leaf2.Extensions);
Assert.NotNull(leaf2.GetBasicConstraintsExtension());
Assert.Equal(leaf.Subject, leaf2.Subject);
Assert.Equal(leaf.SerialNumber, leaf2.SerialNumber);
}
}
