public string GetAsnFormattedData()
{
CertificateAuthority.Models.Asn1Functions.Asn1Functions asnFnc = new CertificateAuthority.Models.Asn1Functions.Asn1Functions();
Oid oidObj = new Oid("2.5.29.31");
byte[] rawExtensionData = System.IO.File.ReadAllBytes(@"F:\DevGit\certs\csharptest\encodingusinglib\crltext-base64decode-bytes1.txt");
return(asnFnc.FormatNative(oidObj, rawExtensionData, true));
}
//public string AsnFormattedDataFromByteArray(string Oid, byte[] RawExtensionData)
public string AsnFormattedDataFromFile([FromBody] AsnEncodedFileLocation F)
{
Oid oidObj = new Oid(F.Oid);
CertificateAuthority.Models.Asn1Functions.Asn1Functions asnFnc = new CertificateAuthority.Models.Asn1Functions.Asn1Functions();
byte[] rawExtensionData = System.IO.File.ReadAllBytes($@"{F.FilePath}");
return(asnFnc.FormatNative(oidObj, rawExtensionData, true));
}
//public string AsnFormattedDataFromByteArray(string Oid, byte[] RawExtensionData)
public string AsnFormattedDataFromBase64String([FromBody] AsnEncodedDataClass A)
{
Oid oidObj = new Oid(A.Oid);
CertificateAuthority.Models.Asn1Functions.Asn1Functions asnFnc = new CertificateAuthority.Models.Asn1Functions.Asn1Functions();
byte[] rawExtensionData = System.Convert.FromBase64String(A.Base64ExtensionData);
//byte[] rawExtensionData = System.IO.File.ReadAllBytes(@"F:\DevGit\certs\csharptest\encodingusinglib\crltext-base64decode-bytes1.txt");
return(asnFnc.FormatNative(oidObj, rawExtensionData, true));
}
public X509Certificate2 CreateAndSignClientCert(string subjectName, X509Certificate2 signingCertificate,
int keySize, HashAlgorithmName hash, int validDays, bool useCrl, string[] crlUri)
{
if (signingCertificate == null)
{
throw new ArgumentNullException(nameof(signingCertificate));
}
if (!signingCertificate.HasPrivateKey)
{
throw new Exception("Signing cert must have private key");
}
if (string.IsNullOrEmpty(subjectName))
{
throw new ArgumentException($"{nameof(subjectName)} must be a valid DNS name", nameof(subjectName));
}
//if (UriHostNameType.Unknown == Uri.CheckHostName(subjectName))
//{
// throw new ArgumentException("Must be a valid DNS name", nameof(subjectName));
//}
X500DistinguishedName dn = new X500DistinguishedName($"CN={subjectName}");
RSA key = GenerateRsaKey(keySize);
CertificateRequest request = CreateRsaCertificateRequest(dn, hash, key);
//using (var ecdsa = ECDsa.Create("ECDsa"))
//{
//ecdsa.KeySize = 256;
//var request = new CertificateRequest(
// $"CN={subjectName}",
// ecdsa,
// HashAlgorithmName.SHA256);
// set basic certificate contraints
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, true));
// key usage: Digital Signature and Key Encipherment
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
true));
// set the AuthorityKeyIdentifier. There is no built-in
// support, so it needs to be copied from the Subject Key
// Identifier of the signing certificate and massaged slightly.
// AuthorityKeyIdentifier is "KeyID=<subject key identifier>"
//x509
// TEMPORARILY REMOVING - PLAN TO ADD BACK
//var issuerSubjectKey = signingCertificate.Extensions["Subject Key Identifier"].RawData;
//var segment = new ArraySegment<byte>(issuerSubjectKey, 2, issuerSubjectKey.Length - 2);
//var authorityKeyIdentifer = new byte[segment.Count + 4];
//// these bytes define the "KeyID" part of the AuthorityKeyIdentifer
//authorityKeyIdentifer[0] = 0x30;
//authorityKeyIdentifer[1] = 0x16;
//authorityKeyIdentifer[2] = 0x80;
//authorityKeyIdentifer[3] = 0x14;
//segment.CopyTo(authorityKeyIdentifer, 4);
//request.CertificateExtensions.Add(new X509Extension("2.5.29.35", authorityKeyIdentifer, false));
//request.CertificateExtensions.Add(new X509Extension //X509Extension("2.5.29.31", crlUri, false));
//string crlUri = "http://dev-11.observicing.net/crl/new-auto-root-ca.crl";
// add oid for cert revocation list
if (useCrl)
{
//byte[] crlBytes = Encoding.ASCII.GetBytes(crlUri);
//byte[] oidBytes = System.IO.File.ReadAllBytes(@"F:\DevGit\certs\csharptest\crloid.txt"); // WORKS!
//byte[] oidBytes = System.IO.File.ReadAllBytes(@"F:\DevGit\certs\csharptest\crloid-modified.txt");
CertificateAuthority.Models.Asn1Functions.Asn1Functions asnFnc = new CertificateAuthority.Models.Asn1Functions.Asn1Functions();
Oid crlOid = new Oid("2.5.29.31");
byte[] oidBytes = System.Convert.FromBase64String(asnFnc.EncodeCrlExtensionData(crlUri));
AsnEncodedData enc = new AsnEncodedData(crlOid, oidBytes);
//request.CertificateExtensions.Add(new X509Extension(enc, false));
//X509CrlExtensionInputData crlExt = new X509CrlExtensionInputData();
//crlExt.CrlLocations = crlUri;
request.CertificateExtensions.Add(new X509Extension(enc, false));
}
//AsnEncodedData
// DPS samples create certs with the device name as a SAN name
// in addition to the subject name
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddDnsName(subjectName);
var sanExtension = sanBuilder.Build();
request.CertificateExtensions.Add(sanExtension);
// Enhanced key usages
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
new Oid("1.3.6.1.5.5.7.3.1") // TLS Server auth
},
false));
// add this subject key identifier
request.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
// certificate expiry: Valid from Yesterday to Now+365 days
// Unless the signing cert's validity is less. It's not possible
// to create a cert with longer validity than the signing cert.
var notbefore = DateTimeOffset.UtcNow.AddDays(-1);
if (notbefore < signingCertificate.NotBefore)
{
notbefore = new DateTimeOffset(signingCertificate.NotBefore);
}
var notafter = DateTimeOffset.UtcNow.AddDays(validDays);
if (notafter > signingCertificate.NotAfter)
{
notafter = new DateTimeOffset(signingCertificate.NotAfter);
}
// cert serial is the epoch/unix timestamp
var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var unixTime = Convert.ToInt64((DateTime.UtcNow - epoch).TotalSeconds);
var serial = BitConverter.GetBytes(unixTime);
// create and return the generated and signed
using (var cert = request.Create(
signingCertificate,
notbefore,
notafter,
serial))
{
return(cert.CopyWithPrivateKey(key));
}
//}
}
public string ConvertToBase64X509CrlExtensionData([FromBody] X509CrlExtensionInputData D)
{
CertificateAuthority.Models.Asn1Functions.Asn1Functions asnFnc = new CertificateAuthority.Models.Asn1Functions.Asn1Functions();
return(asnFnc.EncodeCrlExtensionData(D.CrlLocations));
}
