public Signature(Stream data, string hashAlgo, Certificate signingCert, AsymmetricCryptoKey privateKey)
{
_signedHash = privateKey.Sign(data, hashAlgo);
_hashAlgo = hashAlgo;
_signAlgo = privateKey.Algorithm;
_signingCert = signingCert;
}
public RevocationCertificate(Certificate certToRevoke, string hashAlgo, AsymmetricCryptoKey privateKey)
{
_serialNumber = certToRevoke.SerialNumber;
_revokedOnUTC = DateTime.UtcNow;
_signature = privateKey.Sign(GetHash(hashAlgo, _serialNumber, _revokedOnUTC), hashAlgo);
_hashAlgo = hashAlgo;
}
public bool Verify(byte[] hash, Certificate[] trustedRootCAs)
{
if (AsymmetricCryptoKey.Verify(hash, _signedHash, _hashAlgo, _signingCert))
{
_signingCert.Verify(trustedRootCAs);
return(true);
}
else
{
return(false);
}
}
public static AsymmetricCryptoKey CreateUsing(RSAParameters parameters)
{
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.PersistKeyInCsp = false;
rsa.ImportParameters(parameters);
AsymmetricCryptoKey obj = new AsymmetricCryptoKey();
obj._asymAlgo = rsa;
obj._cryptoAlgo = AsymmetricEncryptionAlgorithm.RSA;
return(obj);
}
private static bool IsValid(Certificate certToCheck, DateTime revokedOnUTC, byte[] signature, string hashAlgo)
{
Certificate signingCert;
if (certToCheck.Type == CertificateType.RootCA)
{
signingCert = certToCheck;
}
else
{
signingCert = certToCheck.IssuerSignature.SigningCertificate;
}
return(AsymmetricCryptoKey.Verify(GetHash(hashAlgo, certToCheck.SerialNumber, revokedOnUTC), signature, hashAlgo, signingCert));
}
public void Sign(string hashAlgo, Certificate signingCert, AsymmetricCryptoKey privateKey, Uri revocationUri)
{
switch (_type)
{
case CertificateType.RootCA:
throw new CryptoException("Cannot sign a root certificate with any other certificate. Root certificate must be self signed.");
case CertificateType.CA:
switch (signingCert._type)
{
case CertificateType.CA:
case CertificateType.RootCA:
if (signingCert._capability != CertificateCapability.SignCACertificate)
{
throw new CryptoException("Signing certificate must have certificate authority (CA) signing capability.");
}
break;
default:
throw new CryptoException("Signing certificate must be root certificate or a certificate authority (CA).");
}
break;
default:
switch (signingCert._capability)
{
case CertificateCapability.SignAnyUserCertificate:
break;
case CertificateCapability.SignDomainUserCertificate:
//check if issuer email domain matches with user email domain
if (!_issuedTo.FieldExists(CertificateProfileFlags.EmailAddress) || !signingCert.IssuedTo.EmailAddress.Host.Equals(_issuedTo.EmailAddress.Host, StringComparison.OrdinalIgnoreCase))
{
throw new CryptoException("Signing certificate domain must match with user certificate email address domain.");
}
break;
default:
throw new CryptoException("Signing certificate must have user certificate signing capability.");
}
break;
}
_revocationUri = revocationUri;
_issuerSignature = new Signature(GetHash(hashAlgo), hashAlgo, signingCert, privateKey);
}
protected override void ReadPlainTextFrom(Stream s)
{
byte[] format = new byte[2];
s.Read(format, 0, 2);
if (Encoding.ASCII.GetString(format) != "CS")
{
throw new InvalidCryptoContainerException("Invalid CertificateStore format.");
}
switch (s.ReadByte()) //version
{
case 1:
_cert = new Certificate(s);
_privateKey = new AsymmetricCryptoKey(s);
break;
case -1:
throw new EndOfStreamException();
default:
throw new CryptoException("CertificateStore format version not supported.");
}
}
public bool Verify(byte[] hash, Certificate signingCert)
{
return(AsymmetricCryptoKey.Verify(hash, _signedHash, _hashAlgo, signingCert));
}
public void SelfSign(string hashAlgo, AsymmetricCryptoKey privateKey, Uri revocationUri)
{
_revocationUri = revocationUri;
_issuerSignature = new Signature(GetHash(hashAlgo), hashAlgo, null, privateKey);
}
public CertificateStore(Certificate cert, AsymmetricCryptoKey privateKey, string password)
: base(SymmetricEncryptionAlgorithm.Rijndael, 256, password)
{
_cert = cert;
_privateKey = privateKey;
}
public CertificateStore(Certificate cert, AsymmetricCryptoKey privateKey)
{
_cert = cert;
_privateKey = privateKey;
}
