public static CertificateAuthority Create(Uri sharedUri, IssueCertificateOptions options = null) { if (sharedUri == null) { throw new ArgumentNullException(nameof(sharedUri)); } if (!sharedUri.AbsoluteUri.EndsWith("/")) { sharedUri = new Uri($"{sharedUri.AbsoluteUri}/"); } options = options ?? IssueCertificateOptions.CreateDefaultForRootCertificateAuthority(); Action <X509V3CertificateGenerator> customizeCertificate = generator => { generator.AddExtension( X509Extensions.SubjectKeyIdentifier, critical: false, extensionValue: new SubjectKeyIdentifierStructure(options.KeyPair.Public)); generator.AddExtension( X509Extensions.BasicConstraints, critical: true, extensionValue: new BasicConstraints(cA: true)); generator.AddExtension( X509Extensions.KeyUsage, critical: true, extensionValue: new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign | KeyUsage.CrlSign)); }; var signatureFactory = new Asn1SignatureFactory(options.SignatureAlgorithmName, options.IssuerPrivateKey); var certificate = CreateCertificate( options.KeyPair.Public, signatureFactory, BigInteger.One, options.SubjectName, options.SubjectName, options.NotBefore, options.NotAfter, options.CustomizeCertificate ?? customizeCertificate); return(new CertificateAuthority(certificate, options.KeyPair, sharedUri, parentCa: null)); }
private X509Certificate IssueCaCertificate( AsymmetricKeyParameter publicKey, Action <X509V3CertificateGenerator> customizeCertificate = null) { var id = Guid.NewGuid().ToString(); var subjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test Intermediate Certificate Authority ({id})"); if (customizeCertificate == null) { customizeCertificate = generator => { generator.AddExtension( X509Extensions.AuthorityInfoAccess, critical: false, extensionValue: new DerSequence( new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, OcspResponderUri.OriginalString)), new AccessDescription(AccessDescription.IdADCAIssuers, new GeneralName(GeneralName.UniformResourceIdentifier, CertificateUri.OriginalString)))); generator.AddExtension( X509Extensions.AuthorityKeyIdentifier, critical: false, extensionValue: new AuthorityKeyIdentifierStructure(Certificate)); generator.AddExtension( X509Extensions.SubjectKeyIdentifier, critical: false, extensionValue: new SubjectKeyIdentifierStructure(publicKey)); generator.AddExtension( X509Extensions.BasicConstraints, critical: true, extensionValue: new BasicConstraints(cA: true)); }; } var options = new IssueCertificateOptions(publicKey) { SubjectName = subjectName, CustomizeCertificate = customizeCertificate }; return(IssueCertificate(options)); }
public static TimestampService Create( CertificateAuthority certificateAuthority, TimestampServiceOptions serviceOptions = null, IssueCertificateOptions issueCertificateOptions = null) { if (certificateAuthority == null) { throw new ArgumentNullException(nameof(certificateAuthority)); } serviceOptions = serviceOptions ?? new TimestampServiceOptions(); if (issueCertificateOptions == null) { issueCertificateOptions = IssueCertificateOptions.CreateDefaultForTimestampService(); } void customizeCertificate(X509V3CertificateGenerator generator) { generator.AddExtension( X509Extensions.AuthorityInfoAccess, critical: false, extensionValue: new DerSequence( new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.OcspResponderUri.OriginalString)), new AccessDescription(AccessDescription.IdADCAIssuers, new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.CertificateUri.OriginalString)))); generator.AddExtension( X509Extensions.AuthorityKeyIdentifier, critical: false, extensionValue: new AuthorityKeyIdentifierStructure(certificateAuthority.Certificate)); generator.AddExtension( X509Extensions.SubjectKeyIdentifier, critical: false, extensionValue: new SubjectKeyIdentifierStructure(issueCertificateOptions.KeyPair.Public)); generator.AddExtension( X509Extensions.BasicConstraints, critical: true, extensionValue: new BasicConstraints(cA: false)); generator.AddExtension( X509Extensions.KeyUsage, critical: true, extensionValue: new KeyUsage(KeyUsage.DigitalSignature)); generator.AddExtension( X509Extensions.ExtendedKeyUsage, critical: true, extensionValue: ExtendedKeyUsage.GetInstance(new DerSequence(KeyPurposeID.IdKPTimeStamping))); } if (issueCertificateOptions.CustomizeCertificate == null) { issueCertificateOptions.CustomizeCertificate = customizeCertificate; } if (serviceOptions.IssuedCertificateNotBefore.HasValue) { issueCertificateOptions.NotBefore = serviceOptions.IssuedCertificateNotBefore.Value; } if (serviceOptions.IssuedCertificateNotAfter.HasValue) { issueCertificateOptions.NotAfter = serviceOptions.IssuedCertificateNotAfter.Value; } var certificate = certificateAuthority.IssueCertificate(issueCertificateOptions); var uri = certificateAuthority.GenerateRandomUri(); return(new TimestampService(certificateAuthority, certificate, issueCertificateOptions.KeyPair, uri, serviceOptions)); }
public X509Certificate IssueCertificate(IssueCertificateOptions options) { if (options == null) { throw new ArgumentNullException(nameof(options)); } var serialNumber = _nextSerialNumber; var issuerName = PrincipalUtilities.GetSubjectX509Principal(Certificate); Action <X509V3CertificateGenerator> customizeCertificate; if (options.CustomizeCertificate == null) { customizeCertificate = generator => { generator.AddExtension( X509Extensions.AuthorityInfoAccess, critical: false, extensionValue: new DerSequence( new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, OcspResponderUri.OriginalString)), new AccessDescription(AccessDescription.IdADCAIssuers, new GeneralName(GeneralName.UniformResourceIdentifier, CertificateUri.OriginalString)))); generator.AddExtension( X509Extensions.AuthorityKeyIdentifier, critical: false, extensionValue: new AuthorityKeyIdentifierStructure(Certificate)); generator.AddExtension( X509Extensions.SubjectKeyIdentifier, critical: false, extensionValue: new SubjectKeyIdentifierStructure(options.PublicKey)); generator.AddExtension( X509Extensions.BasicConstraints, critical: true, extensionValue: new BasicConstraints(cA: false)); }; } else { customizeCertificate = options.CustomizeCertificate; } var notAfter = options.NotAfter.UtcDateTime; // An issued certificate should not have a validity period beyond the issuer's validity period. if (notAfter > Certificate.NotAfter) { notAfter = Certificate.NotAfter; } var certificate = CreateCertificate( options.PublicKey, KeyPair.Private, serialNumber, issuerName, options.SubjectName, options.NotBefore.UtcDateTime, notAfter, customizeCertificate); _nextSerialNumber = _nextSerialNumber.Add(BigInteger.One); _issuedCertificates.Add(certificate.SerialNumber, certificate); return(certificate); }
public static TimestampService Create( CertificateAuthority certificateAuthority, TimestampServiceOptions serviceOptions = null) { if (certificateAuthority == null) { throw new ArgumentNullException(nameof(certificateAuthority)); } serviceOptions = serviceOptions ?? new TimestampServiceOptions(); var keyPair = CertificateUtilities.CreateKeyPair(); var id = Guid.NewGuid().ToString(); var subjectName = new X509Name($"C=US,ST=WA,L=Redmond,O=NuGet,CN=NuGet Test Timestamp Service ({id})"); void customizeCertificate(X509V3CertificateGenerator generator) { generator.AddExtension( X509Extensions.AuthorityInfoAccess, critical: false, extensionValue: new DerSequence( new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.OcspResponderUri.OriginalString)), new AccessDescription(AccessDescription.IdADCAIssuers, new GeneralName(GeneralName.UniformResourceIdentifier, certificateAuthority.CertificateUri.OriginalString)))); generator.AddExtension( X509Extensions.AuthorityKeyIdentifier, critical: false, extensionValue: new AuthorityKeyIdentifierStructure(certificateAuthority.Certificate)); generator.AddExtension( X509Extensions.SubjectKeyIdentifier, critical: false, extensionValue: new SubjectKeyIdentifierStructure(keyPair.Public)); generator.AddExtension( X509Extensions.BasicConstraints, critical: true, extensionValue: new BasicConstraints(cA: false)); generator.AddExtension( X509Extensions.KeyUsage, critical: true, extensionValue: new KeyUsage(KeyUsage.DigitalSignature)); generator.AddExtension( X509Extensions.ExtendedKeyUsage, critical: true, extensionValue: ExtendedKeyUsage.GetInstance(new DerSequence(KeyPurposeID.IdKPTimeStamping))); } var issueOptions = new IssueCertificateOptions() { KeyPair = keyPair, SubjectName = subjectName, CustomizeCertificate = customizeCertificate }; if (serviceOptions.IssuedCertificateNotBefore.HasValue) { issueOptions.NotBefore = serviceOptions.IssuedCertificateNotBefore.Value; } if (serviceOptions.IssuedCertificateNotAfter.HasValue) { issueOptions.NotAfter = serviceOptions.IssuedCertificateNotAfter.Value; } var certificate = certificateAuthority.IssueCertificate(issueOptions); var uri = certificateAuthority.GenerateRandomUri(); return(new TimestampService(certificateAuthority, certificate, keyPair, uri, serviceOptions)); }