/// <summary> /// Create an instance of a generic System Crypto CA /// </summary> /// <param name="ConfigFile">Full pathname to config file</param> /// <exception cref="InvalidParameterException">Invalid FIPS140 flag for this CA instance</exception> public cngCA(string ConfigFile) : base(ConfigFile) { // Make sure the CA_Type is correct if (!fips140) { throw new InvalidParameterException("Invalid FIPS140 flag for this CA instance"); } // Get a reference to the key container for the signing key privateKey = CngKeyManager.getKeyRef(name); X509CertificateParser cp = new X509CertificateParser(); caCertificate = cp.ReadCertificate(Convert.FromBase64String(ca.Element("caCert").Value)); // Setup CA policy if (ca.Element("policyEnforcement") != null) { policyEnforcement = PolicyEnforcementFactory.initialise(caCertificate, ca.Element("policyEnforcement")); } // Setup the logger // !Important - there is no key to sign logs with yet! cspParam = null; startLogging(); // Expire any old certificates Database.ExpireCertificate(dbFileLocation, caCertificate, cspParam); }
/// <summary> /// Backup the CA key material to a PKCS#12 file /// </summary> /// <param name="Password">Strong password used for encryption</param> /// <param name="OutputFile">Full pathname to the PKCS#12 output file</param> /// <exception cref="System.ApplicationException">Failed Key Backup</exception> public override void Backup(string Password, string OutputFile) { try { CngKeyManager.ExportToP12(privateKey, caCertificate, OutputFile, Password, name); logEvent(LogEvent.EventType.BackupCAKey, "CA Key backup: " + OutputFile); } catch (Exception ex) { logEvent(LogEvent.EventType.Error, "Failed key backup: " + ex.Message); throw new ApplicationException("Failed Key Backup", ex); } }
/// <summary> /// Create a root (self-signed) CA /// </summary> /// <param name="Config">CA Config structure containing the initialisation parameters</param> /// <returns>Full pathname for the configuration file</returns> public static string CreateRootCA(CAConfig Config) { if (Config.profile != CA_Profile.rootCA) { throw new ArgumentException("Invalid profile specified", Config.profile.ToString()); } // Start/end dates DateTime startDate = DateTime.UtcNow; DateTime expiryDate; switch (Config.units) { case "Years": expiryDate = startDate.AddYears(Config.life); break; case "Months": expiryDate = startDate.AddMonths(Config.life); break; case "Days": expiryDate = startDate.AddDays(Config.life); break; default: throw new ArgumentException("Invalid lifetime unit", Config.units); } // Serial number BigInteger serialNumber = new BigInteger(1, BitConverter.GetBytes(DateTime.Now.Ticks)); // Certificate ICertGen certGen; // The OLD method was to use the Config.pkAlgo field to select a hard-coded CSP // The new approach is to have the user select a CSP //OLD method if (Config.FIPS140) { switch (Config.caType) { case CA_Type.sysCA: case CA_Type.dhTA: privateKeyCapi = SysKeyManager.Create(Config.pkSize, Config.pkAlgo, Config.name); publicKey = SysKeyManager.getPublicKey(privateKeyCapi, Config.pkAlgo); if (Config.version == X509ver.V1) { certGen = new SysV1CertGen(); } else { certGen = new SysV3CertGen(); } break; case CA_Type.cngCA: privateKeyCng = CngKeyManager.Create(CngAlgorithm.ECDsaP256, Config.name); publicKey = CngKeyManager.getPublicKey(privateKeyCng); //if (Config.version == X509ver.V1) // certGen = new CngV1CertGen(); //else certGen = new CngV3CertGen(); break; default: throw new InvalidParameterException("CA Type not compatible with Fips140 flag: " + Config.caType.ToString()); } } else { keyPair = BcKeyManager.Create(Config.pkSize, Config.pkAlgo); // Create a system CspParameters entry for use by XmlSigner // Only for RSA and DSA currently until EC XML signing is sorted if (!Config.pkAlgo.Contains("EC")) { privateKeyCapi = SysKeyManager.LoadCsp(keyPair.Private); } else { privateKeyCapi = null; } publicKey = keyPair.Public; if (Config.version == X509ver.V1) { certGen = new BcV1CertGen(); } else { certGen = new BcV3CertGen(); } } //NEW method //if ((Config.FIPS140) && (Config.CSPNum > 0)) // System crypto //{ // cspParam = SysKeyManager.Create(Config.pkSize, Config.CSPName, Config.CSPNum, Config.name); //} // V1 and V3 fields certGen.SetSerialNumber(serialNumber); certGen.SetIssuerDN(Config.DN); certGen.SetNotBefore(startDate); certGen.SetNotAfter(expiryDate); certGen.SetSubjectDN(Config.DN); certGen.SetPublicKey(publicKey); certGen.SetSignatureAlgorithm(Config.sigAlgo); // V3 extensions if (Config.version == X509ver.V3) { ((V3CertGen)certGen).AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(publicKey)); ((V3CertGen)certGen).AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey)); ((V3CertGen)certGen).AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); ((V3CertGen)certGen).AddExtension(X509Extensions.KeyUsage, true, new X509KeyUsage(Config.keyUsage)); } X509Certificate caCert; if (Config.FIPS140) { switch (Config.caType) { case CA_Type.sysCA: case CA_Type.dhTA: caCert = ((IsysCertGen)certGen).Generate(privateKeyCapi); break; case CA_Type.cngCA: caCert = ((IcngCertGen)certGen).Generate(privateKeyCng); break; default: throw new InvalidParameterException("CA Type not compatible with Fips140 flag: " + Config.caType.ToString()); } } else { caCert = ((IbcCertGen)certGen).Generate(keyPair.Private); } caCert.Verify(caCert.GetPublicKey()); string configFile; if (Config.FIPS140) { // Create the CA Config file configFile = createFinalCAConfig(Config, serialNumber, caCert, null); LogEvent.WriteEvent(eventLog, LogEvent.EventType.CreateCA, "Root CA (FIPS) Created: " + configFile); } else { // Store key material in a PKCS#12 file MemoryStream stream = BcKeyManager.SaveP12(keyPair.Private, caCert, Config.password, Config.name); string caKey = Convert.ToBase64String(stream.ToArray()); // Create the CA Config file configFile = createFinalCAConfig(Config, serialNumber, caCert, caKey); LogEvent.WriteEvent(eventLog, LogEvent.EventType.CreateCA, "Root CA (BC) Created: " + configFile); } // Create CA database string dbFile = Database.CreateDB(Config, caCert, privateKeyCapi); // Insert Root CA certificate byte[] dummy = new byte[0]; Database.AddCertificate(caCert, dummy, "rootCA", dbFile, caCert, privateKeyCapi); return(configFile); }