// Certificate Revocation Lists /** * Gets the URL of the Certificate Revocation List for a Certificate * @param certificate the Certificate * @return the String where you can check if the certificate was revoked * @throws CertificateParsingException * @throws IOException */ public static String GetCRLURL(X509Certificate certificate) { try { Asn1Object obj = GetExtensionValue(certificate, X509Extensions.CrlDistributionPoints.Id); if (obj == null) { return(null); } CrlDistPoint dist = CrlDistPoint.GetInstance(obj); DistributionPoint[] dists = dist.GetDistributionPoints(); foreach (DistributionPoint p in dists) { DistributionPointName distributionPointName = p.DistributionPointName; if (DistributionPointName.FullName != distributionPointName.PointType) { continue; } GeneralNames generalNames = (GeneralNames)distributionPointName.Name; GeneralName[] names = generalNames.GetNames(); foreach (GeneralName name in names) { if (name.TagNo != GeneralName.UniformResourceIdentifier) { continue; } DerIA5String derStr = DerIA5String.GetInstance((Asn1TaggedObject)name.ToAsn1Object(), false); return(derStr.GetString()); } } } catch { } return(null); }
internal static CertContainer IssueSignerCertificate(X509Name dnName, int keySize = DefaultKeySize) { CertContainer issuerCert = IntermediateCa; RsaKeyPairGenerator keyPairGen = new RsaKeyPairGenerator(); keyPairGen.Init(new KeyGenerationParameters(_secureRandom, keySize)); AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair(); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.SetSerialNumber(BigInteger.One); certGen.SetIssuerDN(issuerCert.Certificate.SubjectDN); certGen.SetNotBefore(DateTime.Now); certGen.SetNotAfter(DateTime.Now.AddYears(1)); certGen.SetSubjectDN(dnName); certGen.SetPublicKey(keyPair.Public); certGen.SetSignatureAlgorithm("SHA256withRSA"); certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert.Certificate.GetPublicKey())); certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(X509KeyUsage.NonRepudiation | X509KeyUsage.DigitalSignature)); certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.Public)); certGen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth)); // Add CRL endpoint Uri currentBaseUri = new Uri("https://localhost/"); Uri crlUri = new Uri(currentBaseUri, IntermediateCrlPath); GeneralName generalName = new GeneralName(GeneralName.UniformResourceIdentifier, crlUri.ToString()); GeneralNames generalNames = new GeneralNames(generalName); DistributionPointName distPointName = new DistributionPointName(generalNames); DistributionPoint distPoint = new DistributionPoint(distPointName, null, null); certGen.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new DistributionPoint[] { distPoint })); // Add OCSP endpoint Uri ocspUri = new Uri(currentBaseUri, OcspPath); AccessDescription ocsp = new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, ocspUri.ToString())); Asn1EncodableVector aiaASN = new Asn1EncodableVector(); aiaASN.Add(ocsp); certGen.AddExtension(X509Extensions.AuthorityInfoAccess, false, new DerSequence(aiaASN)); X509Certificate generatedCert = certGen.Generate(issuerCert.PrivateKey); Pkcs12StoreBuilder pfxBuilder = new Pkcs12StoreBuilder(); Pkcs12Store pfxStore = pfxBuilder.Build(); X509CertificateEntry certEntry = new X509CertificateEntry(generatedCert); pfxStore.SetCertificateEntry(generatedCert.SubjectDN.ToString(), certEntry); pfxStore.SetKeyEntry(generatedCert.SubjectDN + "_key", new AsymmetricKeyEntry(keyPair.Private), new X509CertificateEntry[] { certEntry }); return(new CertContainer(pfxStore, issuerCert.GetIssuerChain(true))); }
private static CrlDistPoint CreateCrlDistributionPoint(string uri) { var gn = new GeneralName(GeneralName.UniformResourceIdentifier, uri); var distributionPointname = new DistributionPointName(DistributionPointName.FullName, gn); var distributionPoint = new DistributionPoint(distributionPointname, null, null); return(new CrlDistPoint(new[] { distributionPoint })); }
/// <summary> /// Read a DistributionPoint list /// </summary> /// <param name="dps">DistributionPoint list</param> protected void decode(DistributionPoint[] dps) { foreach (DistributionPoint dp in dps) { DistributionPointName dpn = dp.DistributionPointName; OSCAGeneralName ogn = new OSCAGeneralName() { Name = dpn.Name.ToString(), Type = (GenName)dpn.PointType }; distPoints.Add(ogn); } }
/// <summary> /// Create a Distribution Point list /// </summary> /// <returns>Distribution Point list</returns> protected virtual DistributionPoint[] encode() { DistributionPoint[] dplist = new DistributionPoint[distPoints.Count()]; int i = 0; foreach (OSCAGeneralName cdp in distPoints) { GeneralNames gn = generalNames.createGeneralNames(cdp.Type.ToString(), cdp.Name); DistributionPointName dpn = new DistributionPointName(gn); DistributionPoint dp = new DistributionPoint(dpn, null, null); dplist[i] = dp; i++; } return(dplist); }
/// <summary> /// Adds the CRL URLs to the CRL Distribution Points extension /// </summary> /// <param name="certGen"><see cref="X509V3CertificateGenerator"/></param> /// <param name="crlUrls">List of <seealso cref="Uri"/></param> public static void AddCrlDistributionPoints(this X509V3CertificateGenerator certGen, List <Uri> crlUrls) { if (crlUrls != null) { List <DistributionPoint> distributionPoints = new List <DistributionPoint>(); foreach (Uri url in crlUrls) { GeneralName gn = new GeneralName(GeneralName.UniformResourceIdentifier, url.ToString()); DistributionPointName distributionPointname = new DistributionPointName(DistributionPointName.FullName, gn); distributionPoints.Add(new DistributionPoint(distributionPointname, null, null)); } certGen.AddExtension(X509Extensions.CrlDistributionPoints, true, new CrlDistPoint(distributionPoints.ToArray())); } }
/// <summary> /// Attaches multiple distribution points to the certificate currently in the chain. /// </summary> /// <param name="urls">A list of http CRL locations</param> /// <returns></returns> public CertificateBuilder AddCRLDistributionPoints(string[] urls) { var dps = new DistributionPoint[urls.Length]; for (int i = 0; i < urls.Length; i++) { string url = urls[i]; var name = new GeneralName(GeneralName.UniformResourceIdentifier, url.Trim()); var dpName = new DistributionPointName(DistributionPointName.FullName, name); dps[i] = new DistributionPoint(dpName, null, null); logger.Debug($"[ADD DISTRIBUTION POINT] => {url}"); } certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(dps)); return(this); }
public void AddCrlDistributionPoints() { var distributionPoints = new List <Asn1Encodable>(); foreach (var endpoint in CrlEndpoints) { var generalName = new GeneralName(GeneralName.UniformResourceIdentifier, new DerIA5String(endpoint)); var gns = new GeneralNames(generalName); var dpn = new DistributionPointName(gns); var distp = new DistributionPoint(dpn, null, null); distributionPoints.Add(distp); } var seq = new DerSequence(distributionPoints.ToArray()); certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, seq); }
static Asn1Encodable ExtractGeneralName(CrlDistPoint distributionPointsExtension, int tagNumber) { foreach (var distributionPoint in distributionPointsExtension.GetDistributionPoints()) { DistributionPointName dpn = distributionPoint.DistributionPointName; if (dpn.PointType == DistributionPointName.FullName) { foreach (var generalName in GeneralNames.GetInstance(dpn.Name).GetNames()) { if (generalName.TagNo == tagNumber) { return generalName.Name; } } } } return null; }
internal static void AddAdditionalStoresFromCrlDistributionPoint( CrlDistPoint crldp, PkixParameters pkixParams) { if (crldp != null) { DistributionPoint[] dps = null; try { dps = crldp.GetDistributionPoints(); } catch (Exception e) { throw new Exception( "Distribution points could not be read.", e); } for (int i = 0; i < dps.Length; i++) { DistributionPointName dpn = dps[i].DistributionPointName; // look for URIs in fullName if (dpn != null) { if (dpn.PointType == DistributionPointName.FullName) { GeneralName[] genNames = GeneralNames.GetInstance( dpn.Name).GetNames(); // look for an URI for (int j = 0; j < genNames.Length; j++) { if (genNames[j].TagNo == GeneralName.UniformResourceIdentifier) { string location = DerIA5String.GetInstance( genNames[j].Name).GetString(); PkixCertPathValidatorUtilities.AddAdditionalStoreFromLocation( location, pkixParams); } } } } } } }
// Certificate Revocation Lists /** * Gets the URL of the Certificate Revocation List for a Certificate * @param certificate the Certificate * @return the String where you can check if the certificate was revoked * @throws CertificateParsingException * @throws IOException */ public static String GetCRLURL(X509Certificate certificate) { try { Asn1Object obj = GetExtensionValue(certificate, X509Extensions.CrlDistributionPoints.Id); if (obj == null) { return(null); } CrlDistPoint dist = CrlDistPoint.GetInstance(obj); DistributionPoint[] dists = dist.GetDistributionPoints(); foreach (DistributionPoint p in dists) { DistributionPointName distributionPointName = p.DistributionPointName; if (DistributionPointName.FullName != distributionPointName.PointType) { continue; } GeneralNames generalNames = (GeneralNames)distributionPointName.Name; GeneralName[] names = generalNames.GetNames(); foreach (GeneralName name in names) { if (name.TagNo != GeneralName.UniformResourceIdentifier) { continue; } DerIA5String derStr = DerIA5String.GetInstance((Asn1TaggedObject)name.ToAsn1Object(), false); //return derStr.GetString(); //jbonilla - El URL del CRL para el BCE está en la tercera posición y solo se puede acceder desde HTTP. string urlCrl = derStr.GetString(); if (urlCrl.ToUpperInvariant().StartsWith("HTTP") && urlCrl.ToUpperInvariant().Contains("CRL")) { return(derStr.GetString()); } } } } catch { } return(null); }
private void checkValues( IssuingDistributionPoint point, DistributionPointName distributionPoint, bool onlyContainsUserCerts, bool onlyContainsCACerts, ReasonFlags onlySomeReasons, bool indirectCRL, bool onlyContainsAttributeCerts) { if (point.OnlyContainsUserCerts != onlyContainsUserCerts) { Fail("mismatch on onlyContainsUserCerts"); } if (point.OnlyContainsCACerts != onlyContainsCACerts) { Fail("mismatch on onlyContainsCACerts"); } if (point.IsIndirectCrl != indirectCRL) { Fail("mismatch on indirectCRL"); } if (point.OnlyContainsAttributeCerts != onlyContainsAttributeCerts) { Fail("mismatch on onlyContainsAttributeCerts"); } if (!isEquiv(onlySomeReasons, point.OnlySomeReasons)) { Fail("mismatch on onlySomeReasons"); } if (!isEquiv(distributionPoint, point.DistributionPoint)) { Fail("mismatch on distributionPoint"); } }
public override void PerformTest() { DistributionPointName name = new DistributionPointName( new GeneralNames(new GeneralName(new X509Name("cn=test")))); ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.CACompromise); checkPoint(6, name, true, true, reasonFlags, true, true); checkPoint(2, name, false, false, reasonFlags, false, false); checkPoint(0, null, false, false, null, false, false); try { IssuingDistributionPoint.GetInstance(new object()); Fail("GetInstance() failed to detect bad object."); } catch (ArgumentException) { // expected } }
private IssuingDistributionPoint(Asn1Sequence seq) { this.seq = seq; for (int i = 0; i != seq.Count; i++) { Asn1TaggedObject instance = Asn1TaggedObject.GetInstance(seq[i]); switch (instance.TagNo) { case 0: _distributionPoint = DistributionPointName.GetInstance(instance, explicitly: true); break; case 1: _onlyContainsUserCerts = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue; break; case 2: _onlyContainsCACerts = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue; break; case 3: _onlySomeReasons = new ReasonFlags(DerBitString.GetInstance(instance, isExplicit: false)); break; case 4: _indirectCRL = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue; break; case 5: _onlyContainsAttributeCerts = DerBoolean.GetInstance(instance, isExplicit: false).IsTrue; break; default: throw new ArgumentException("unknown tag in IssuingDistributionPoint"); } } }
public IssuingDistributionPoint(DistributionPointName distributionPoint, bool onlyContainsUserCerts, bool onlyContainsCACerts, ReasonFlags onlySomeReasons, bool indirectCRL, bool onlyContainsAttributeCerts) { _distributionPoint = distributionPoint; _indirectCRL = indirectCRL; _onlyContainsAttributeCerts = onlyContainsAttributeCerts; _onlyContainsCACerts = onlyContainsCACerts; _onlyContainsUserCerts = onlyContainsUserCerts; _onlySomeReasons = onlySomeReasons; Asn1EncodableVector asn1EncodableVector = new Asn1EncodableVector(); if (distributionPoint != null) { asn1EncodableVector.Add(new DerTaggedObject(explicitly: true, 0, distributionPoint)); } if (onlyContainsUserCerts) { asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 1, DerBoolean.True)); } if (onlyContainsCACerts) { asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 2, DerBoolean.True)); } if (onlySomeReasons != null) { asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 3, onlySomeReasons)); } if (indirectCRL) { asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 4, DerBoolean.True)); } if (onlyContainsAttributeCerts) { asn1EncodableVector.Add(new DerTaggedObject(explicitly: false, 5, DerBoolean.True)); } seq = new DerSequence(asn1EncodableVector); }
private void checkPoint( int size, DistributionPointName distributionPoint, bool onlyContainsUserCerts, bool onlyContainsCACerts, ReasonFlags onlySomeReasons, bool indirectCRL, bool onlyContainsAttributeCerts) { IssuingDistributionPoint point = new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts); checkValues(point, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts); Asn1Sequence seq = Asn1Sequence.GetInstance(Asn1Object.FromByteArray(point.GetEncoded())); if (seq.Count != size) { Fail("size mismatch"); } point = IssuingDistributionPoint.GetInstance(seq); checkValues(point, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts); }
protected void ApplyCrlExtension( X509V3CertificateGenerator certGen, string crlLink ) { if (string.IsNullOrEmpty(crlLink)) { return; } var distPointOne = new DistributionPointName( new GeneralNames(new GeneralName(GeneralName.UniformResourceIdentifier, crlLink))); var distPoints = new DistributionPoint[1]; distPoints[0] = new DistributionPoint(distPointOne, null, null); certGen.AddExtension( X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(distPoints) ); }
private static X509Certificate2 GenerateCertificate( string subjectName, Action <TestCertificateGenerator> modifyGenerator, RSA rsa, NuGet.Common.HashAlgorithmName hashAlgorithm, RSASignaturePaddingMode paddingMode, ChainCertificateRequest chainCertificateRequest) { if (string.IsNullOrEmpty(subjectName)) { subjectName = "NuGetTest"; } // Create cert var subjectDN = $"CN={subjectName}"; var certGen = new TestCertificateGenerator(); var isSelfSigned = true; X509Certificate2 issuer = null; DateTimeOffset? notAfter = null; var keyUsage = X509KeyUsageFlags.DigitalSignature; if (chainCertificateRequest == null) { // Self-signed certificates should have this flag set. keyUsage |= X509KeyUsageFlags.KeyCertSign; } else { if (chainCertificateRequest.Issuer != null) { isSelfSigned = false; // for a certificate with an issuer assign Authority Key Identifier issuer = chainCertificateRequest?.Issuer; notAfter = issuer.NotAfter.Subtract(TimeSpan.FromMinutes(5)); var publicKey = DotNetUtilities.GetRsaPublicKey(issuer.GetRSAPublicKey()); certGen.Extensions.Add( new X509Extension( Oids.AuthorityKeyIdentifier, new AuthorityKeyIdentifierStructure(publicKey).GetEncoded(), critical: false)); } if (chainCertificateRequest.ConfigureCrl) { // for a certificate in a chain create CRL distribution point extension var issuerDN = chainCertificateRequest?.Issuer?.Subject ?? subjectDN; var crlServerUri = $"{chainCertificateRequest.CrlServerBaseUri}{issuerDN}.crl"; var generalName = new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.UniformResourceIdentifier, new DerIA5String(crlServerUri)); var distPointName = new DistributionPointName(new GeneralNames(generalName)); var distPoint = new DistributionPoint(distPointName, null, null); certGen.Extensions.Add( new X509Extension( TestOids.CrlDistributionPoints, new DerSequence(distPoint).GetDerEncoded(), critical: false)); } if (chainCertificateRequest.IsCA) { // update key usage with CA cert sign and crl sign attributes keyUsage |= X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign; } } var padding = paddingMode.ToPadding(); var request = new CertificateRequest(subjectDN, rsa, hashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(), padding); bool isCa = isSelfSigned ? true : (chainCertificateRequest?.IsCA ?? false); certGen.NotAfter = notAfter ?? DateTime.UtcNow.Add(TimeSpan.FromMinutes(30)); certGen.NotBefore = DateTime.UtcNow.Subtract(TimeSpan.FromMinutes(30)); var random = new Random(); var serial = random.Next(); var serialNumber = BitConverter.GetBytes(serial); Array.Reverse(serialNumber); certGen.SetSerialNumber(serialNumber); certGen.Extensions.Add( new X509SubjectKeyIdentifierExtension(request.PublicKey, critical: false)); certGen.Extensions.Add( new X509KeyUsageExtension(keyUsage, critical: false)); certGen.Extensions.Add( new X509BasicConstraintsExtension(certificateAuthority: isCa, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true)); // Allow changes modifyGenerator?.Invoke(certGen); foreach (var extension in certGen.Extensions) { request.CertificateExtensions.Add(extension); } X509Certificate2 certResult; if (isSelfSigned) { certResult = request.CreateSelfSigned(certGen.NotBefore, certGen.NotAfter); } else { using (var temp = request.Create(issuer, certGen.NotBefore, certGen.NotAfter, certGen.SerialNumber)) { certResult = temp.CopyWithPrivateKey(rsa); } } return(new X509Certificate2(certResult.Export(X509ContentType.Pkcs12), password: (string)null, keyStorageFlags: X509KeyStorageFlags.Exportable)); }
/// <summary>Gives back the CRL URI meta-data found within the given X509 certificate. /// </summary> /// <remarks>Gives back the CRL URI meta-data found within the given X509 certificate. /// </remarks> /// <param name="certificate">the X509 certificate.</param> /// <returns>the CRL URI, or <code>null</code> if the extension is not present.</returns> /// <exception cref="System.UriFormatException">System.UriFormatException</exception> public virtual string GetCrlUri(X509Certificate certificate) { //byte[] crlDistributionPointsValue = certificate.GetExtensionValue(X509Extensions. // CrlDistributionPoints); Asn1OctetString crlDistributionPointsValue = certificate.GetExtensionValue(X509Extensions. CrlDistributionPoints); if (null == crlDistributionPointsValue) { return(null); } Asn1Sequence seq; try { DerOctetString oct; //oct = (DEROctetString)(new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointsValue // )).ReadObject()); oct = (DerOctetString)crlDistributionPointsValue; seq = (Asn1Sequence) new Asn1InputStream(oct.GetOctets()).ReadObject(); } catch (IOException e) { throw new RuntimeException("IO error: " + e.Message, e); } CrlDistPoint distPoint = CrlDistPoint.GetInstance(seq); DistributionPoint[] distributionPoints = distPoint.GetDistributionPoints(); foreach (DistributionPoint distributionPoint in distributionPoints) { DistributionPointName distributionPointName = distributionPoint.DistributionPointName; if (DistributionPointName.FullName != distributionPointName.PointType) { continue; } GeneralNames generalNames = (GeneralNames)distributionPointName.Name; GeneralName[] names = generalNames.GetNames(); foreach (GeneralName name in names) { if (name.TagNo != GeneralName.UniformResourceIdentifier) { LOG.Info("not a uniform resource identifier"); continue; } string str = null; if (name.ToAsn1Object() is DerTaggedObject) { DerTaggedObject taggedObject = (DerTaggedObject)name.ToAsn1Object(); DerIA5String derStr = DerIA5String.GetInstance(taggedObject.GetObject()); str = derStr.GetString(); } else { DerIA5String derStr = DerIA5String.GetInstance(name.ToAsn1Object()); str = derStr.GetString(); } if (str != null && (str.StartsWith("http://") || str.StartsWith("https://")) && str.ToUpperInvariant().Contains("CRL")) //jbonilla - El URL del CRL para el BCE está en la tercera posición y solo se puede acceder desde HTTP. { return(str); } else { LOG.Info("Supports only http:// and https:// protocol for CRL"); } } } //jbonilla #region BCE if (certificate.SubjectDN.ToString() .Contains("AC BANCO CENTRAL DEL ECUADOR")) { return(this.IntermediateAcUrl); } #endregion return(null); }
/// <summary> /// Create a self signed certificate with bouncy castle. /// </summary> public static X509Certificate2 GenerateCertificate( string subjectName, Action <X509V3CertificateGenerator> modifyGenerator, string signatureAlgorithm = "SHA256WITHRSA", int publicKeyLength = 2048, ChainCertificateRequest chainCertificateRequest = null) { if (string.IsNullOrEmpty(subjectName)) { subjectName = "NuGetTest"; } var random = new SecureRandom(); var keyPair = GenerateKeyPair(publicKeyLength); // Create cert var subjectDN = $"CN={subjectName}"; var certGen = new X509V3CertificateGenerator(); certGen.SetSubjectDN(new X509Name(subjectDN)); // default to new key pair var issuerPrivateKey = keyPair.Private; var keyUsage = KeyUsage.DigitalSignature; var issuerDN = chainCertificateRequest?.IssuerDN ?? subjectDN; certGen.SetIssuerDN(new X509Name(issuerDN)); #if IS_DESKTOP if (chainCertificateRequest != null) { if (chainCertificateRequest.Issuer != null) { // for a certificate with an issuer assign Authority Key Identifier var issuer = chainCertificateRequest?.Issuer; var bcIssuer = DotNetUtilities.FromX509Certificate(issuer); var authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(bcIssuer); issuerPrivateKey = DotNetUtilities.GetKeyPair(issuer.PrivateKey).Private; certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, authorityKeyIdentifier); } if (chainCertificateRequest.ConfigureCrl) { // for a certificate in a chain create CRL distribution point extension var crlServerUri = $"{chainCertificateRequest.CrlServerBaseUri}{issuerDN}.crl"; var generalName = new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.UniformResourceIdentifier, new DerIA5String(crlServerUri)); var distPointName = new DistributionPointName(new GeneralNames(generalName)); var distPoint = new DistributionPoint(distPointName, null, null); certGen.AddExtension(X509Extensions.CrlDistributionPoints, critical: false, extensionValue: new DerSequence(distPoint)); } if (chainCertificateRequest.IsCA) { // update key usage with CA cert sign and crl sign attributes keyUsage |= KeyUsage.CrlSign | KeyUsage.KeyCertSign; } } #endif certGen.SetNotAfter(DateTime.UtcNow.Add(TimeSpan.FromHours(1))); certGen.SetNotBefore(DateTime.UtcNow.Subtract(TimeSpan.FromHours(1))); certGen.SetPublicKey(keyPair.Public); var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random); certGen.SetSerialNumber(serialNumber); var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public)); certGen.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier); certGen.AddExtension(X509Extensions.KeyUsage.Id, false, new KeyUsage(keyUsage)); certGen.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(chainCertificateRequest?.IsCA ?? false)); // Allow changes modifyGenerator?.Invoke(certGen); var signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, issuerPrivateKey, random); var certificate = certGen.Generate(signatureFactory); var certResult = new X509Certificate2(certificate.GetEncoded()); #if IS_DESKTOP certResult.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters); #endif return(certResult); }
static void Main(string[] args) { PolicyInformation[] certPolicies = new PolicyInformation[2]; certPolicies[0] = new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.2.1.11.5")); certPolicies[1] = new PolicyInformation(new DerObjectIdentifier("2.16.840.1.101.2.1.11.18")); var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var certificateGenerator = new X509V3CertificateGenerator(); //serial var serialNumber = BigIntegers.CreateRandomInRange( BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random); certificateGenerator.SetSerialNumber(serialNumber); // sig alg const string signatureAlgorithm = "SHA1WithRSA"; certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm); // Subjects // Time x = new Time(); var subjectDN = new X509Name("CN=localhost, O=Arsslensoft, C=TN,surname=Idadi,givenname=Arsslen, uniqueidentifier=15002060,businesscategory=Production,initials=Hello, gender=male, placeofbirth=El Manar, pseudonym=Arsslinko, postaladdress=2076, countryofcitizenship=TN, countryofresidence=TN,telephonenumber=53299093"); var issuerDN = subjectDN; certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); // Validity var notBefore = DateTime.UtcNow.Date.Subtract(new TimeSpan(5, 0, 0)); var notAfter = notBefore.AddYears(2); certificateGenerator.SetNotBefore(notBefore); certificateGenerator.SetNotAfter(notAfter); // PKEY const int strength = 512; var keyGenerationParameters = new KeyGenerationParameters(random, strength); // var x= new Al.Security.Crypto.Generators.DsaKeyPairGenerator(); // X9ECParameters ecP = NistNamedCurves.GetByName("B-571"); // ECDomainParameters ecSpec = new ECDomainParameters(ecP.Curve, ecP.G, ecP.N, ecP.H, ecP.GetSeed()); // ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator("ECDSA"); // //ECPA par = new DsaParametersGenerator(); // //par.Init(2048, 100, random); // //ECKeyGenerationParameters pa = new ECKeyGenerationParameters(random, par.GenerateParameters()); //// var keyPairGenerator = new DHKeyPairGenerator(); // //DsaParametersGenerator par = new DsaParametersGenerator(); // //par.Init(2048, 100, random); // //DsaKeyGenerationParameters pa = new DsaKeyGenerationParameters(random, par.GenerateParameters()); // // keyPairGenerator.Init(pa); // keyPairGenerator.Init(new ECKeyGenerationParameters(ecSpec, new SecureRandom())); //var keyPairGenerator = new DsaKeyPairGenerator(); //DsaParametersGenerator par = new DsaParametersGenerator(); //par.Init(1024, 100, random); //DsaKeyGenerationParameters pa = new DsaKeyGenerationParameters(random, par.GenerateParameters()); //keyPairGenerator.Init(pa); // KeyPair = keyPairGenerator.GenerateKeyPair(); var keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); StreamReader str = new StreamReader("D:\\test.key"); PemReader pem = new PemReader(str); AsymmetricCipherKeyPair keypair = (AsymmetricCipherKeyPair)pem.ReadObject(); var subjectKeyPair = keypair; str.Close(); certificateGenerator.SetPublicKey(subjectKeyPair.Public); // ext X509Extensions certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectKeyPair.Public)); certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(subjectKeyPair.Public)); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false)); // key usage certificateGenerator.AddExtension( X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.KeyAgreement | KeyUsage.DataEncipherment | KeyUsage.DigitalSignature)); // extended key usage var usages = new[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }; ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(usages); certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, extendedKeyUsage); // Test Policy DerSequence seq = CreatePolicyInformationsSequence("http://www.arsslensoft.com", "Arsslensoft", "1.3.6.1.4.1.23823.1.1.1", "Test Notice"); // certificateGenerator.AddExtension(X509Extensions.CertificatePolicies, false, new DerSequence(certPolicies)); // Authority access List <GeneralSubtree> ees = new List <GeneralSubtree>(); ees.Add(new GeneralSubtree(new GeneralName(GeneralName.UniformResourceIdentifier, "http://www.google.com"))); certificateGenerator.AddExtension(X509Extensions.NameConstraints, true, new NameConstraints(null, ees)); certificateGenerator.AddExtension(X509Extensions.NetscapeComment, true, new DerVisibleString("NS COMMENT")); certificateGenerator.AddExtension(X509Extensions.NetscapeBaseUrl, true, new DerIA5String("http://www.google.com")); certificateGenerator.AddExtension(X509Extensions.InhibitAnyPolicy, true, new DerInteger(12)); // Policy constraints byte inhibit = 12; byte explicitc = 12; // certificateGenerator.AddExtension(X509Extensions.PolicyConstraints, false, new DerOctetSequence(new byte[] { 128, 1, explicitc, 129, 1, inhibit })); certificateGenerator.AddExtension(X509Extensions.NetscapeCertUsage, false, new KeyUsage(KeyUsage.KeyAgreement)); certificateGenerator.AddExtension(X509Extensions.AuthorityInfoAccess, false, CreateAuthorityAccessInformationSequence("http://www.arsslensoft.com", null)); // Subhect Issuer Alternative name GeneralName altName = new GeneralName(GeneralName.DnsName, "localhost"); GeneralNames subjectAltName = new GeneralNames(altName); certificateGenerator.AddExtension(X509Extensions.IssuerAlternativeName, false, subjectAltName); certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName); // certificateGenerator.AddExtension(new DerObjectIdentifier("2.16.840.1.11730.29.53"), false, subjectAltName); // GeneralNames s; //CRL Distribution Points DistributionPointName distPointOne = new DistributionPointName(new GeneralNames( new GeneralName(GeneralName.UniformResourceIdentifier, "http://crl.somewebsite.com/master.crl"))); GeneralNames gns = new GeneralNames(new GeneralName[] { new GeneralName(GeneralName.UniformResourceIdentifier, "ldap://crl.somewebsite.com/cn%3dSecureCA%2cou%3dPKI%2co%3dCyberdyne%2cc%3dUS?certificaterevocationlist;binary"), new GeneralName(GeneralName.Rfc822Name, "Arslen") }); DistributionPointName distPointTwo = new DistributionPointName(gns); DistributionPoint[] distPoints = new DistributionPoint[2]; distPoints[0] = new DistributionPoint(distPointOne, null, null); distPoints[1] = new DistributionPoint(distPointTwo, null, gns); IssuingDistributionPoint iss = new IssuingDistributionPoint(distPointOne, false, true, null, false, false); certificateGenerator.AddExtension(X509Extensions.IssuingDistributionPoint, false, iss); certificateGenerator.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(distPoints)); // Biometric Asn1EncodableVector v = new Asn1EncodableVector(); BiometricData bdat = new BiometricData(new TypeOfBiometricData(TypeOfBiometricData.HandwrittenSignature), new AlgorithmIdentifier(new DerObjectIdentifier("1.3.14.3.2.26")), new DerOctetString(new byte[] { 169, 74, 143, 229, 204, 177, 155, 166, 28, 76, 8, 115, 211, 145, 233, 135, 152, 47, 187, 211 }), new DerIA5String("http://www.google.com")); v.Add(bdat); v.Add(new BiometricData(new TypeOfBiometricData(TypeOfBiometricData.HandwrittenSignature), new AlgorithmIdentifier(new DerObjectIdentifier("1.3.14.3.2.26")), new DerOctetString(new byte[] { 169, 74, 143, 229, 204, 177, 155, 166, 28, 76, 8, 115, 211, 145, 233, 135, 152, 47, 187, 211 }), new DerIA5String("http://www.google.co"))); certificateGenerator.AddExtension(X509Extensions.BiometricInfo, false, new DerSequenceOf(v)); QCStatement st = new QCStatement(Rfc3739QCObjectIdentifiers.IdQcs); certificateGenerator.AddExtension(X509Extensions.QCStatements, false, st); //Al.Security.Pkcs.Pkcs10CertificationRequest c = new Al.Security.Pkcs.Pkcs10CertificationRequest( //certificateGenerator.AddExtension(X509Extensions.ReasonCode, false, ce); // test done certificateGenerator.AddExtension(X509Extensions.SubjectInfoAccess, false, CreateAuthorityAccessInformationSequence("http://www.arsslensoft.com", null)); //// 2 //TargetInformation ti = new Al.Security.Asn1.X509.TargetInformation(new Target[] { new Target(Target.Choice.Name, new GeneralName(GeneralName.UniformResourceIdentifier, "http://www.go.com")) }); //certificateGenerator.AddExtension(X509Extensions.TargetInformation, false, new DerSequence(ti)); // 3 PrivateKeyUsagePeriod kup = new PrivateKeyUsagePeriod(DateTime.Now, DateTime.Now.AddYears(2)); certificateGenerator.AddExtension(X509Extensions.PrivateKeyUsagePeriod, false, new DerSequence(kup)); //generate var issuerKeyPair = subjectKeyPair; var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random); StreamWriter wstr = new StreamWriter(Path.ChangeExtension("D:\\test.crt", ".pem"), false); PemWriter pemWriter = new PemWriter(wstr); pemWriter.WriteObject(certificate); pemWriter.WriteObject(issuerKeyPair.Private); wstr.Flush(); wstr.Close(); // System.Security.Cryptography.X509Certificates.X509Certificate x509_ = DotNetUtilities.ToX509Certificate(certificate.CertificateStructure); //File.WriteAllBytes(@"D:\\test.crt", x509_.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12)); }