private static X509Certificate SignCertificateFromRequest(Pkcs10CertificationRequest request, ISignatureFactory signer)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
DateTime now = DateTime.Now;
certGen.SetIssuerDN(request.GetCertificationRequestInfo().Subject);
certGen.SetSubjectDN(request.GetCertificationRequestInfo().Subject);
certGen.SetNotAfter(now.AddDays(7));
certGen.SetNotBefore(now.AddMinutes(-10));
certGen.SetSerialNumber(new Org.BouncyCastle.Math.BigInteger(80, new Random()));
certGen.SetPublicKey(request.GetPublicKey());
return(certGen.Generate(signer));
}
/// <summary>
/// Call to request a certificate
/// </summary>
/// <param name="csr">Certificate signing request</param>
/// <param name="effectiveDate">Effective date of certificate</param>
/// <param name="expirationDate">Expiration date of certificate</param>
/// <param name="ca">Signing authority</param>
/// <param name="asn1Set">Extensions</param>
/// <exception cref="InvalidParameterException">Thrown if <paramref name="ca"/> is null</exception>
/// <returns>Certificate signed by <paramref name="ca"/></returns>
public static X509Certificate2 RequestCertificate(Pkcs10CertificationRequest csr, DateTime effectiveDate, DateTime expirationDate, X509Certificate2 ca, Asn1Set asn1Set)
{
AsymmetricKeyParameter keyParameter = null;
if (ca == null)
{
throw new InvalidParameterException("ca can not be null");
}
keyParameter = TransformRSAPrivateKey((RSACryptoServiceProvider)ca.PrivateKey);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(CreateSerialNumber());
certGen.SetIssuerDN(new X509Name(ca.Subject));
certGen.SetNotBefore(effectiveDate.ToUniversalTime());
certGen.SetNotAfter(expirationDate.ToUniversalTime());
certGen.SetSubjectDN(csr.GetCertificationRequestInfo().Subject);
certGen.SetPublicKey(csr.GetPublicKey());
certGen.SetSignatureAlgorithm(SIGNATURE_ALGORITHM);
CertificationRequestInfo info = csr.GetCertificationRequestInfo();
if (asn1Set != null)
{
// Iterate through each extension and add it to the certificate
for (int i = 0; i < asn1Set.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(asn1Set[i]);
if (attr != null && attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier extOid in extensions.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions.GetExtension(extOid);
certGen.AddExtension(extOid, ext.IsCritical, ext.GetParsedValue());
}
}
}
}
Org.BouncyCastle.X509.X509Certificate bcCert = certGen.Generate(keyParameter);
return(new X509Certificate2(bcCert.GetEncoded()));
}
private void createPssTest(
string algorithm)
{
// RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(
RsaKeyParameters pubKey = new RsaKeyParameters(false,
new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137", 16),
new BigInteger("010001", 16));
// RSAPrivateCrtKeySpec privKeySpec = new RSAPrivateCrtKeySpec(
RsaPrivateCrtKeyParameters privKey = new RsaPrivateCrtKeyParameters(
new BigInteger("a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137", 16),
new BigInteger("010001", 16),
new BigInteger("33a5042a90b27d4f5451ca9bbbd0b44771a101af884340aef9885f2a4bbe92e894a724ac3c568c8f97853ad07c0266c8c6a3ca0929f1e8f11231884429fc4d9ae55fee896a10ce707c3ed7e734e44727a39574501a532683109c2abacaba283c31b4bd2f53c3ee37e352cee34f9e503bd80c0622ad79c6dcee883547c6a3b325", 16),
new BigInteger("e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443", 16),
new BigInteger("b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd", 16),
new BigInteger("28fa13938655be1f8a159cbaca5a72ea190c30089e19cd274a556f36c4f6e19f554b34c077790427bbdd8dd3ede2448328f385d81b30e8e43b2fffa027861979", 16),
new BigInteger("1a8b38f398fa712049898d7fb79ee0a77668791299cdfa09efc0e507acb21ed74301ef5bfd48be455eaeb6e1678255827580a8e4e8e14151d1510a82a3f2e729", 16),
new BigInteger("27156aba4126d24a81f3a528cbfb27f56886f840a9f6e86e17a44b94fe9319584b8e22fdde1e5a2e3bd8aa5ba8d8584194eb2190acf832b847f13a3d24a79f4d", 16));
// KeyFactory fact = KeyFactory.getInstance("RSA", "BC");
//
// PrivateKey privKey = fact.generatePrivate(privKeySpec);
// PublicKey pubKey = fact.generatePublic(pubKeySpec);
Pkcs10CertificationRequest req = new Pkcs10CertificationRequest(
algorithm, new X509Name("CN=XXX"), pubKey, null, privKey);
if (!req.Verify())
{
Fail("Failed verify check PSS.");
}
req = new Pkcs10CertificationRequest(req.GetEncoded());
if (!req.Verify())
{
Fail("Failed verify check PSS encoded.");
}
if (!req.SignatureAlgorithm.ObjectID.Equals(PkcsObjectIdentifiers.IdRsassaPss))
{
Fail("PSS oid incorrect.");
}
if (req.SignatureAlgorithm.Parameters == null)
{
Fail("PSS parameters incorrect.");
}
ISigner sig = SignerUtilities.GetSigner(algorithm);
sig.Init(false, pubKey);
byte[] encoded = req.GetCertificationRequestInfo().GetEncoded();
sig.BlockUpdate(encoded, 0, encoded.Length);
if (!sig.VerifySignature(req.Signature.GetBytes()))
{
Fail("signature not mapped correctly.");
}
}
/// <summary>
/// Extract certificate signing request.
/// </summary>
/// <param name="csr">Certificate signing request.</param>
/// <param name="publicKey">Asymmetric public key.</param>
/// <param name="dn">Distinct name.</param>
/// <param name="extensions">Extensions.</param>
/// <exception cref="Exception"/>
public static void ExtractCsr(Pkcs10CertificationRequest csr, out AsymmetricKeyParameter publicKey, out X509Name dn, out X509Extensions extensions)
{
if (csr is null)
{
throw new ArgumentNullException(nameof(csr));
}
publicKey = csr.GetPublicKey();
CertificationRequestInfo csrInfo = csr.GetCertificationRequestInfo();
dn = csrInfo.Subject;
Dictionary <DerObjectIdentifier, X509Extension> attributes = new Dictionary <DerObjectIdentifier, X509Extension>();
if (csrInfo.Attributes != null)
{
foreach (AttributePkcs attribute in csrInfo.Attributes)
{
if (attribute.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
foreach (X509Extensions exts in attribute.AttrValues)
{
foreach (DerObjectIdentifier oid in exts.ExtensionOids)
{
X509Extension ext = exts.GetExtension(oid);
attributes.Add(oid, new X509Extension(ext.IsCritical, ext.Value));
}
}
}
}
}
extensions = attributes.Count > 0 ? new X509Extensions(attributes) : null;
}
public virtual async Task <X509Certificate2> SigningRequestAsync(
ApplicationRecordDataType application,
string[] domainNames,
byte[] certificateRequest)
{
Pkcs10CertificationRequest pkcs10CertificationRequest = new Pkcs10CertificationRequest(certificateRequest);
CertificationRequestInfo info = pkcs10CertificationRequest.GetCertificationRequestInfo();
DateTime yesterday = DateTime.UtcNow.AddDays(-1);
return(CertificateFactory.CreateCertificate(
null,
null,
null,
application.ApplicationUri ?? "urn:ApplicationURI",
application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName",
info.Subject.ToString(),
domainNames,
Configuration.DefaultCertificateKeySize,
yesterday,
Configuration.DefaultCertificateLifetime,
Configuration.DefaultCertificateHashSize,
false,
await LoadSigningKeyAsync(Certificate, string.Empty),
info.SubjectPublicKeyInfo.GetEncoded()));
}
/// <summary>
/// Signs a cert request with the server CA certificate and returns
/// a signed x509 certificate.
/// </summary>
/// <param name="serializedCsr">Is the serialized cert request (csr).</param>
/// <returns>Signed x509 certificate.</returns>
/// <exception cref="CertificateIOException">Thrown when the
/// <see cref="serializedCsr"/> is either null or zero length.</exception>
public X509Certificate SignCsr(byte[] serializedCsr)
{
if (serializedCsr == null || serializedCsr.Length == 0)
{
throw new Exception();
}
X509Certificate issuer = GetCACert();
Pkcs10CertificationRequest pkcsr = DeserializeCsr(serializedCsr);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
TimeSpan ts = DateTime.Now.Subtract(_serialNumStart);
certGen.SetSerialNumber(BigInteger.ValueOf(ts.Ticks));
certGen.SetIssuerDN(issuer.SubjectDN);
certGen.SetNotBefore(DateTime.Today);
certGen.SetNotAfter(DateTime.Today.AddDays(_certValidity));
certGen.SetSubjectDN(pkcsr.GetCertificationRequestInfo().Subject);
certGen.SetPublicKey(pkcsr.GetPublicKey());
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(pkcsr.GetPublicKey())));
certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(
KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
ISignatureFactory signatureFactory =
new Asn1SignatureFactory(HASH_ENCRYPTION_ALGORITHM, GetCAPrivKey(), new SecureRandom());
return(certGen.Generate(signatureFactory));
}
/// <summary>
/// Creates a KeyVault signed certficate from signing request.
/// </summary>
internal async Task <X509Certificate2> SigningRequestAsync(byte[] certificateRequest, string issuerCertificateName)
{
var pkcs10CertificationRequest = new Pkcs10CertificationRequest(certificateRequest);
if (!pkcs10CertificationRequest.Verify())
{
throw new ArgumentException("CSR signature invalid.");
}
var info = pkcs10CertificationRequest.GetCertificationRequestInfo();
var notBefore = DateTime.UtcNow.AddDays(-1);
var certBundle = await _keyVaultServiceClient.GetCertificateAsync(issuerCertificateName).ConfigureAwait(false);
var signingCert = new X509Certificate2(certBundle.Cer);
var publicKey = KeyVaultCertFactory.GetRSAPublicKey(info.SubjectPublicKeyInfo);
return(await KeyVaultCertFactory.CreateSignedCertificate(
info.Subject.ToString(),
2048,
notBefore,
notBefore.AddMonths(12),
256,
signingCert,
publicKey,
new KeyVaultSignatureGenerator(_keyVaultServiceClient, certBundle.KeyIdentifier.Identifier, signingCert)
));
}
/// <summary>
/// append password to CSR: csrWithPassword = (csr, password)
/// </summary>
/// <param name="csr"></param>
/// <param name="password"></param>
/// <returns>CSR that contains password</returns>
public byte[] AppendPassword(byte[] csr, string password)
{
if (csr == null)
{
throw new ArgumentNullException(nameof(csr));
}
if (string.IsNullOrEmpty(password))
{
throw new ArgumentNullException(nameof(password));
}
var originalCsr = new Pkcs10CertificationRequest(csr);
CertificationRequestInfo cri = originalCsr.GetCertificationRequestInfo();
DerSet attributesSet = AddPasswordAttribute(password, cri.Attributes);
AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(cri.SubjectPublicKeyInfo);
string signatureAlgorithm = originalCsr.SignatureAlgorithm.Algorithm.Id;
// build new CSR from original + password attribute
var csrWithPassword =
new Pkcs10CertificationRequestDelaySigned(signatureAlgorithm, cri.Subject, publicKey, attributesSet);
// this signing key is not used for signing but here only to suppress exception thrown in ctor
csrWithPassword.SignRequest(new byte[] { });
var csrWithPasswordBytes = csrWithPassword.GetDerEncoded();
return(csrWithPasswordBytes);
}
private byte[] MakeCertificateFromCSR(string CSR, AsymmetricCipherKeyPair rootKeyPair, X509Name rootSubject)
{
byte[] encoded;
try
{
Pkcs10CertificationRequest pkcs10CertificationRequest = (Pkcs10CertificationRequest)(new PemReader(new StringReader(CSR))).ReadObject();
AsymmetricKeyParameter @private = rootKeyPair.Private;
AsymmetricKeyParameter @public = rootKeyPair.Public;
X509V3CertificateGenerator x509V3CertificateGenerator = new X509V3CertificateGenerator();
x509V3CertificateGenerator.Reset();
if (this.SerialNumber != -9223372036854775808L)
{
x509V3CertificateGenerator.SetSerialNumber(new BigInteger(this.SerialNumber.ToString()));
}
else
{
DateTime now = DateTime.Now;
x509V3CertificateGenerator.SetSerialNumber(new BigInteger(128, new Random(now.Millisecond + Environment.TickCount)));
}
x509V3CertificateGenerator.SetIssuerDN(rootSubject);
x509V3CertificateGenerator.SetNotBefore(this.ValidFrom.ToUniversalTime());
x509V3CertificateGenerator.SetNotAfter(this.ValidTo.ToUniversalTime());
x509V3CertificateGenerator.SetSubjectDN(pkcs10CertificationRequest.GetCertificationRequestInfo().Subject);
x509V3CertificateGenerator.SetPublicKey(pkcs10CertificationRequest.GetPublicKey());
x509V3CertificateGenerator.SetSignatureAlgorithm(string.Concat(this.SignatureAlgorithm.ToString(), "Encryption"));
x509V3CertificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(pkcs10CertificationRequest.GetPublicKey())));
x509V3CertificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(@public)));
int extensionType = 0;
Asn1EncodableVector asn1EncodableVectors = new Asn1EncodableVector(new Asn1Encodable[0]);
foreach (ExtensionInfo extension in this.Extensions.extensionInfo)
{
if (!extension.ExtendedKeyUsage)
{
extensionType |= (int)extension.ExtensionType;
}
if (!extension.ExtendedKeyUsage)
{
continue;
}
asn1EncodableVectors.Add(new Asn1Encodable[] { (Asn1Encodable)extension.ExtensionType });
}
if (extensionType != 0)
{
x509V3CertificateGenerator.AddExtension(X509Extensions.KeyUsage, this.Extensions.KeyUsageIsCritical, new KeyUsage(extensionType));
}
if (asn1EncodableVectors.Count > 0)
{
x509V3CertificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, this.Extensions.EnhancedKeyUsageIsCritical, ExtendedKeyUsage.GetInstance(new DerSequence(asn1EncodableVectors)));
}
X509Certificate x509Certificate = x509V3CertificateGenerator.Generate(@private, this.GetSecureRandom());
x509Certificate.Verify(@public);
encoded = x509Certificate.GetEncoded();
}
catch
{
throw;
}
return(encoded);
}
/// <summary>
/// Gets the X509 subject attribute values from a certificate signing request.
/// </summary>
/// <param name="csr">The certificate signing request.</param>
/// <returns>
/// The X509 subject attribute values indexed by the kind of subject attribute.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="csr"/> is null.</exception>
public static IReadOnlyDictionary <X509SubjectAttributeKind, string> GetX509SubjectAttributes(
this Pkcs10CertificationRequest csr)
{
new { csr }.Must().NotBeNull();
var subject = csr.GetCertificationRequestInfo().Subject;
var result = subject.GetX509SubjectAttributes();
return(result);
}
public static List <string> DecodeCsrSubjects(byte[] csrBytes)
{
// based on https://stackoverflow.com/a/45424266 by https://stackoverflow.com/users/814735/cyril-durand
var pem = new PemObject("CSR", csrBytes);
var request = new Pkcs10CertificationRequest(pem.Content);
var requestInfo = request.GetCertificationRequestInfo();
// an Attribute is a collection of Sequence which contains a collection of Asn1Object
// let's find the sequence that contains a DerObjectIdentifier with Id of "1.2.840.113549.1.9.14"
var extensionSequence = requestInfo.Attributes.OfType <DerSequence>()
.FirstOrDefault(o => o.OfType <DerObjectIdentifier>()
.Any(oo => oo.Id == PkcsObjectIdentifiers.Pkcs9AtExtensionRequest.Id)); // pkcs-9/extensionRequest, "1.2.840.113549.1.9.14"
// let's get the set of value for this sequence
var extensionSet = extensionSequence?.OfType <DerSet>().First();
var str = extensionSet != null?
GetAsn1ObjectRecursive <DerOctetString>(extensionSet.OfType <DerSequence>().First(), X509Extensions.SubjectAlternativeName.Id)
: null;
if (str != null)
{
//subject alternative names
var names = GeneralNames.GetInstance(Asn1Object.FromByteArray(str.GetOctets()));
return(names
.GetNames()
.Select(n => n.Name.ToString())
.ToList());
}
else
{
var oids = requestInfo.Subject.GetOidList();
string subjectName = "";
foreach (DerObjectIdentifier o in oids)
{
if (o.Id == X509ObjectIdentifiers.CommonName.Id)
{
subjectName = requestInfo.Subject.GetValueList()[oids.IndexOf(o)].ToString();
break;
}
}
// we just have a single subject
return(new List <string>
{
subjectName
});
}
}
private void createECGostRequest()
{
string algorithm = "GOST3411withECGOST3410";
IAsymmetricCipherKeyPairGenerator ecGostKpg = GeneratorUtilities.GetKeyPairGenerator("ECGOST3410");
ecGostKpg.Init(
new ECKeyGenerationParameters(
CryptoProObjectIdentifiers.GostR3410x2001CryptoProA,
new SecureRandom()));
//
// set up the keys
//
AsymmetricCipherKeyPair pair = ecGostKpg.GenerateKeyPair();
AsymmetricKeyParameter privKey = pair.Private;
AsymmetricKeyParameter pubKey = pair.Public;
Pkcs10CertificationRequest req = new Pkcs10CertificationRequest(
algorithm, new X509Name("CN=XXX"), pubKey, null, privKey);
if (!req.Verify())
{
Fail("Failed Verify check EC.");
}
req = new Pkcs10CertificationRequest(req.GetEncoded());
if (!req.Verify())
{
Fail("Failed Verify check EC encoded.");
}
if (!req.SignatureAlgorithm.ObjectID.Equals(CryptoProObjectIdentifiers.GostR3411x94WithGostR3410x2001))
{
Fail("ECGOST oid incorrect.");
}
if (req.SignatureAlgorithm.Parameters != null)
{
Fail("ECGOST parameters incorrect.");
}
ISigner sig = SignerUtilities.GetSigner(algorithm);
sig.Init(false, pubKey);
byte[] b = req.GetCertificationRequestInfo().GetEncoded();
sig.BlockUpdate(b, 0, b.Length);
if (!sig.VerifySignature(req.Signature.GetBytes()))
{
Fail("signature not mapped correctly.");
}
}
public override void Build(
X509V3CertificateGenerator certGen,
Pkcs10CertificationRequest request,
X509Certificate caCert)
{
var requestInfo = request.GetCertificationRequestInfo();
var extensionSequence =
requestInfo
.Attributes.OfType <DerSequence>()
.First(o => o.OfType <DerObjectIdentifier>().Any(oo => oo.Id == "1.2.840.113549.1.9.14"));
var extensionSet = extensionSequence.OfType <DerSet>().First().OfType <DerSequence>().First();
var exts = X509Extensions.GetInstance(extensionSet);
var extOIDs = exts.GetExtensionOids();
foreach (var x509ExtOid in extOIDs)
{
var ext = exts.GetExtension(x509ExtOid);
if (x509ExtOid.Id == "2.5.29.37") //extKeyUsage sequence
{
Asn1OctetString oct = ext.Value;
Asn1Sequence seq = Asn1Sequence.GetInstance(oct.GetOctets());
foreach (DerObjectIdentifier obj in seq)
{
if (threeYearsValidExtKeyId == obj.Id)
{
var startDate = DateTime.Now;
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(startDate.AddYears(3));
break;
}
}
}
certGen.AddExtension(
x509ExtOid,
ext.IsCritical,
ext.GetParsedValue()
);
}
ApplyCrlExtension(certGen, _crlLink);
ApplyAuthorityInfoAccess(certGen, _rootCertLink);
}
private byte[] gen()
{
TextReader textReader = new StreamReader("certificaterequest.pkcs10");
PemReader pemReader = new PemReader(textReader);
Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject();
CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo;
RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey());
RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
bool certIsOK = certificationRequest.Verify(publicKey);
// public key is OK here...
// get the server certificate
Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer"));
// get the server private key
byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key");
AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes);
// generate the client certificate
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
generator.SetIssuerDN(serverCertificate.SubjectDN);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddYears(5));
generator.SetSubjectDN(certificationRequestInfo.Subject);
generator.SetPublicKey(publicKey);
generator.SetSignatureAlgorithm("SHA512withRSA");
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
var newClientCert = generator.Generate(serverPrivateKey);
newClientCert.Verify(publicKey); // <-- this blows up
return(DotNetUtilities.ToX509Certificate(newClientCert).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, "user password"));
}
/// <summary>
/// Generates client certificate by certificate signing request.
/// </summary>
/// <param name="csrBytes">CSR as bytes array</param>
/// <param name="commonName">Common name of certificate</param>
/// <exception cref="InvalidCastException">Invalid format of CSR</exception>
/// <returns></returns>
public static X509Certificate2 SignRequest(byte[] csrBytes, string commonName)
{
if (string.IsNullOrEmpty(commonName))
{
throw new ArgumentNullException("commonName");
}
var certificationRequest = new Pkcs10CertificationRequest(csrBytes);
CertificationRequestInfo csrInfo = certificationRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo;
AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki);
// Version1 (No Extensions) Certificate
DateTime startDate = DateTime.UtcNow;
DateTime expiryDate = startDate.AddYears(100);
var serialNumber = new BigInteger(32, new Random());
var certGen = new X509V1CertificateGenerator();
var x509ServerCertificate = ServerCertificate;
var caCert = DotNetUtilities.FromX509Certificate(x509ServerCertificate);
certGen.SetSerialNumber(serialNumber);
certGen.SetIssuerDN(caCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(expiryDate);
certGen.SetSubjectDN(CreateSubject(commonName));
certGen.SetSignatureAlgorithm("SHA256withRSA");
certGen.SetPublicKey(publicKey);
var keyPath = string.Format(@"{0}\App_Data\server.key", AppDomain.CurrentDomain.BaseDirectory);
AsymmetricCipherKeyPair keyPair;
using (var reader = File.OpenText(keyPath))
{
keyPair = (AsymmetricCipherKeyPair) new PemReader(reader, new PasswordFinder()).ReadObject();
}
Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(keyPair.Private);
return(new X509Certificate2(DotNetUtilities.ToX509Certificate(cert)));
}
internal X509Certificate GenerateTemporarySelfSignedCertificate(AsymmetricCipherKeyPair asymmetricCipherKeyPair, Pkcs10CertificationRequest certificationRequest, BigInteger enrollmentID, int numberOfYear)
{
X509Name x509NameSubject = certificationRequest.GetCertificationRequestInfo().Subject;
X509V3CertificateGenerator x509V3CertificateGenerator = new X509V3CertificateGenerator();
DateTime fromDate = DateTime.Today;
DateTime toDate = fromDate.AddYears(numberOfYear);
x509V3CertificateGenerator.SetIssuerDN(x509NameSubject);
x509V3CertificateGenerator.SetNotBefore(fromDate);
x509V3CertificateGenerator.SetNotAfter(toDate);
x509V3CertificateGenerator.SetPublicKey(asymmetricCipherKeyPair.Public);
x509V3CertificateGenerator.SetSerialNumber(enrollmentID);
x509V3CertificateGenerator.SetSignatureAlgorithm(Constants.Algorithm.SIGNING);
x509V3CertificateGenerator.SetSubjectDN(x509NameSubject);
X509Certificate x509Certificate = x509V3CertificateGenerator.Generate(asymmetricCipherKeyPair.Private);
return(x509Certificate);
}
public X509Certificate IssueCertificate(
Pkcs10CertificationRequest request,
ExtensionBuilder extensionBuilder,
string customDN = null
)
{
var caCert = GetRootCert();
var caKey = GetRootKey();
var startDate = DateTime.Now;
var expiryDate = DateTime.Now.AddYears(1);
var serialNumber = BigIntegers.CreateRandomInRange(
BigInteger.ValueOf(2).Pow(63),
BigInteger.ValueOf(2).Pow(64),
new SecureRandom()
);
var certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(serialNumber);
certGen.SetIssuerDN(caCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(expiryDate);
certGen.SetPublicKey(request.GetPublicKey());
if (!string.IsNullOrEmpty(customDN))
{
certGen.SetSubjectDN(new X509Name(customDN));
}
else
{
certGen.SetSubjectDN(request.GetCertificationRequestInfo().Subject);
}
extensionBuilder.Build(certGen, request, caCert);
var x509Certificate = GenerateCertificate(caKey, certGen);
return(x509Certificate);
}
public MSX509.X509Certificate2 SignRequest(string csrFile, Usage usage, int validity, MSX509.StoreName storeName)
{
Pkcs10CertificationRequest request = ReadPkcs10(csrFile);
var info = request.GetCertificationRequestInfo();
SubjectPublicKeyInfo publicKeyInfo = info.SubjectPublicKeyInfo;
RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey());
RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
if (!request.Verify(publicKey))
{
throw new ApplicationException("The CSR is not valid: verification failed");
}
MSX509.X509Certificate2 root = GetRootCertificate();
if (root == null)
{
throw new ApplicationException("Root certificate not found");
}
return(InternalGenerateCertificate(info.Subject, usage, validity, storeName, publicKey, null, DotNetUtilities.GetKeyPair(root.PrivateKey).Private));
}
/// <summary>
/// Sign a certificate
/// </summary>
/// <param name="signingCert">Issuer X509Certificate2</param>
/// <param name="csrData">CSR Data</param>
/// <returns>X509Certificate2 Certificate</returns>
private X509Certificate2 SignCertificate(X509Certificate2 signingCert, byte[] csrData)
{
//Get CSR and retrieve public key
Pkcs10CertificationRequest certRequest = new Pkcs10CertificationRequest(csrData);
CertificationRequestInfo certInfo = certRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo certPublicKeyInfo = certInfo.SubjectPublicKeyInfo;
AsymmetricKeyParameter certPublicKey = PublicKeyFactory.CreateKey(certPublicKeyInfo);
if (!certRequest.Verify(certPublicKey))
{
throw new ApplicationException("The CSR is not valid: verification failed");
}
//Get private key of intermediate issuer, to be used to sign the certificate
var issuer = DotNetUtilities.FromX509Certificate(signingCert);
AsymmetricCipherKeyPair keyPrivate = DotNetUtilities.GetRsaKeyPair(signingCert.GetRSAPrivateKey());
//Get the serial number of the issuer
var issuerSerialNumber = new BigInteger(signingCert.GetSerialNumber());
//Generate a signed certificate
return(GenerateCertificate(certInfo.Subject, certPublicKey, certPublicKeyInfo,
issuer.SubjectDN, issuer.GetPublicKey(), keyPrivate.Private, issuerSerialNumber));
}
private void readRequest()
{
// Perform POP on the request
if (!request.Verify())
{
throw new SignatureException("Invalid signature on PKCS#10 request");
}
// Contents
info = request.GetCertificationRequestInfo();
// Extensions in OSCA format
foreach (DerObjectIdentifier oid in Extensions.ExtensionOids)
{
oscaExtensions.Add(ProfileExtensionFactory.GetExtension(oid, Extensions.GetExtension(oid)));
}
// Attributes
foreach (object entry in Attributes)
{
AttributePkcs attrib = AttributePkcs.GetInstance(entry);
attributes.Add(attrib.AttrType, attrib.AttrValues);
}
}
/// <summary>
/// Enroll certificate file base on request
/// </summary>
/// <param name="cerRequest"></param>
/// <param name="rootCert"></param>
/// <param name="issuerKeyPair"></param>
/// <param name="startDate"></param>
/// <param name="endDate"></param>
/// <returns></returns>
private Org.BouncyCastle.X509.X509Certificate GenerateSignedCertificate(
Pkcs10CertificationRequest cerRequest,
Org.BouncyCastle.X509.X509Certificate rootCert,
AsymmetricCipherKeyPair issuerKeyPair,
DateTime startDate, DateTime endDate)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(rootCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(endDate);
CertificationRequestInfo info = cerRequest.GetCertificationRequestInfo();
certGen.SetSubjectDN(info.Subject);
certGen.SetPublicKey(cerRequest.GetPublicKey());
AlgorithmIdentifier sigAlg = cerRequest.SignatureAlgorithm;
string algName = GetAlgorithmName(sigAlg.Algorithm.Id);
certGen.SetSignatureAlgorithm(algName);
// Add certificate extensions
Asn1Set attributes = cerRequest.GetCertificationRequestInfo().Attributes;
if (attributes != null)
{
for (int i = 0; i != attributes.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(attributes[i]);
if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions1 = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier oid in extensions1.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions1.GetExtension(oid);
certGen.AddExtension(oid, ext.IsCritical, ext.GetParsedValue());
}
}
}
}
Org.BouncyCastle.X509.X509Certificate issuedCert = null;
try
{
issuedCert = certGen.Generate(issuerKeyPair.Private);
tbOutputMessageBox.Text += "Certificate file sucessfully generated." + "\n";
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Certificate file sucessfully generated." + "\n",
Foreground = System.Windows.Media.Brushes.Green
});
}));
}
catch (Exception ex)
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Error, generate certificate file." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n",
Foreground = System.Windows.Media.Brushes.Red
});
}));
}
try
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Check if generated certificate file is valid, plase wait ..." + "\n",
Foreground = System.Windows.Media.Brushes.Black
});
}));
issuedCert.CheckValidity(DateTime.UtcNow);
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Generate certificate file is valid." + "\n",
Foreground = System.Windows.Media.Brushes.Black
});
}));
}
catch (Exception ex)
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Error, generated certificate file is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n",
Foreground = System.Windows.Media.Brushes.Red
});
}));
}
try
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Verify generated certificate file, plase wait ..." + "\n",
Foreground = System.Windows.Media.Brushes.Black
});
issuedCert.Verify(issuerKeyPair.Public);
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Generate certificate file verification is OK." + "\n",
Foreground = System.Windows.Media.Brushes.Green
});
}));
}
catch (Exception ex)
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Error, generated certificate file verification is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n",
Foreground = System.Windows.Media.Brushes.Red
});
}));
}
return(issuedCert);
}
/*
* we generate a self signed certificate for the sake of testing - SHA224withECDSA
*/
private void createECRequest(
string algorithm,
DerObjectIdentifier algOid)
{
FpCurve curve = new FpCurve(
new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151"), // q (or p)
new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 16), // a
new BigInteger("0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 16)); // b
ECDomainParameters spec = new ECDomainParameters(
curve,
// curve.DecodePoint(Hex.Decode("02C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G
curve.DecodePoint(Hex.Decode("0200C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")), // G
new BigInteger("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)); // n
ECPrivateKeyParameters privKey = new ECPrivateKeyParameters(
new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d
spec);
ECPublicKeyParameters pubKey = new ECPublicKeyParameters(
// curve.DecodePoint(Hex.Decode("026BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q
curve.DecodePoint(Hex.Decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q
spec);
// //
// // set up the keys
// //
// AsymmetricKeyParameter privKey;
// AsymmetricKeyParameter pubKey;
//
// KeyFactory fact = KeyFactory.getInstance("ECDSA");
//
// privKey = fact.generatePrivate(privKeySpec);
// pubKey = fact.generatePublic(pubKeySpec);
Pkcs10CertificationRequest req = new Pkcs10CertificationRequest(
algorithm, new X509Name("CN=XXX"), pubKey, null, privKey);
if (!req.Verify())
{
Fail("Failed Verify check EC.");
}
req = new Pkcs10CertificationRequest(req.GetEncoded());
if (!req.Verify())
{
Fail("Failed Verify check EC encoded.");
}
//
// try with point compression turned off
//
// ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED");
FpPoint q = (FpPoint)pubKey.Q;
pubKey = new ECPublicKeyParameters(
pubKey.AlgorithmName,
new FpPoint(q.Curve, q.X, q.Y, false),
pubKey.Parameters);
req = new Pkcs10CertificationRequest(
algorithm, new X509Name("CN=XXX"), pubKey, null, privKey);
if (!req.Verify())
{
Fail("Failed Verify check EC uncompressed.");
}
req = new Pkcs10CertificationRequest(req.GetEncoded());
if (!req.Verify())
{
Fail("Failed Verify check EC uncompressed encoded.");
}
if (!req.SignatureAlgorithm.ObjectID.Equals(algOid))
{
Fail("ECDSA oid incorrect.");
}
if (req.SignatureAlgorithm.Parameters != null)
{
Fail("ECDSA parameters incorrect.");
}
ISigner sig = SignerUtilities.GetSigner(algorithm);
sig.Init(false, pubKey);
byte[] b = req.GetCertificationRequestInfo().GetEncoded();
sig.BlockUpdate(b, 0, b.Length);
if (!sig.VerifySignature(req.Signature.GetBytes()))
{
Fail("signature not mapped correctly.");
}
}
public async Task ValidateMergeCertificate()
{
string serverCertificateName = Recording.GenerateId();
// Generate the request.
CertificatePolicy policy = new CertificatePolicy(WellKnownIssuerNames.Unknown, "CN=Azure SDK")
{
CertificateTransparency = false,
ContentType = CertificateContentType.Pkcs12,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(serverCertificateName, policy);
RegisterForCleanup(serverCertificateName);
await using IAsyncDisposable disposableOperation = EnsureDeleted(operation);
// Read the CA.
byte[] caCertificateBytes = Convert.FromBase64String(CaPublicKeyBase64);
X509Certificate2 caCertificate = new X509Certificate2(caCertificateBytes);
// Read CA private key since getting it from caCertificate above throws.
AsymmetricCipherKeyPair caPrivateKey;
using (StringReader caPrivateKeyReader = new StringReader(CaPrivateKeyPem))
{
Org.BouncyCastle.OpenSsl.PemReader reader = new Org.BouncyCastle.OpenSsl.PemReader(caPrivateKeyReader);
caPrivateKey = (AsymmetricCipherKeyPair)reader.ReadObject();
}
// Read the CSR.
Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest(operation.Properties.Csr);
CertificationRequestInfo csrInfo = csr.GetCertificationRequestInfo();
// Parse the issuer subject name.
Hashtable oidLookup = new Hashtable(X509Name.DefaultLookup)
{
{ "s", new DerObjectIdentifier("2.5.4.8") },
};
X509Name issuerName = new X509Name(true, oidLookup, caCertificate.Subject);
// Sign the request.
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetIssuerDN(issuerName);
generator.SetSerialNumber(BigInteger.One);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddDays(1));
generator.SetSubjectDN(csrInfo.Subject);
generator.SetPublicKey(csr.GetPublicKey());
Asn1SignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", caPrivateKey.Private);
X509Certificate serverSignedPublicKey = generator.Generate(signatureFactory);
// Merge the certificate chain.
MergeCertificateOptions options = new MergeCertificateOptions(serverCertificateName, new[] { serverSignedPublicKey.GetEncoded(), caCertificateBytes });
KeyVaultCertificateWithPolicy mergedServerCertificate = await Client.MergeCertificateAsync(options);
X509Certificate2 serverCertificate = new X509Certificate2(mergedServerCertificate.Cer);
Assert.AreEqual(csrInfo.Subject.ToString(), serverCertificate.Subject);
Assert.AreEqual(serverCertificateName, mergedServerCertificate.Name);
KeyVaultCertificateWithPolicy completedServerCertificate = await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default);
Assert.AreEqual(mergedServerCertificate.Name, completedServerCertificate.Name);
CollectionAssert.AreEqual(mergedServerCertificate.Cer, completedServerCertificate.Cer);
}
static void Main(string[] args)
{
var serviceProvider = new ServiceCollection()
.AddCertificateManager()
.BuildServiceProvider();
var createCertificates = serviceProvider.GetService <CreateCertificates>();
var certificateUtility = serviceProvider.GetService <CertificateUtility>();
string password = "******";
var signingCertificate = new X509Certificate2("root.cert.pfx", password);
var enhancedKeyUsages = new OidCollection {
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
};
var basicConstraints = new CertificateManager.Models.BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = true,
PathLengthConstraint = 3,
Critical = true
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature
| X509KeyUsageFlags.KeyEncipherment
| X509KeyUsageFlags.NonRepudiation;
// Read in CSR data from a file
Pkcs10CertificationRequest decodedCsr = (Pkcs10CertificationRequest) new PemReader(new StringReader(File.ReadAllText(args[0]))).ReadObject();
// Get Common Name (CN) from CSR Subject
CertificationRequestInfo csrData = decodedCsr.GetCertificationRequestInfo();
var subjectKeyPairs = csrData.Subject.ToString().Split(',')
.Select(x => x.Split('='))
.Where(x => x.Length == 2)
.ToDictionary(x => x.First(), x => x.Last());
var commonName = subjectKeyPairs["CN"];
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
commonName,
}
};
// Get Public key data from CSR and create RSA data based on that
RsaKeyParameters rsaKeyParams = (RsaKeyParameters)decodedCsr.GetPublicKey();
var rsaParams = new RSAParameters();
rsaParams.Modulus = rsaKeyParams.Modulus.ToByteArray();
rsaParams.Exponent = rsaKeyParams.Exponent.ToByteArray();
var rsa = RSA.Create();
rsa.ImportParameters(rsaParams);
// Create Certificate Request with the data extracted from csr file earlier
var rsaConfiguration = new RsaConfiguration();
var request = new CertificateRequest(
certificateUtility.CreateIssuerOrSubject(new DistinguishedName {
CommonName = commonName
}),
rsa,
rsaConfiguration.HashAlgorithmName,
rsaConfiguration.RSASignaturePadding);
// Sign the csr
var device1Certificate = createCertificates.NewRsaChainedCertificate(
basicConstraints,
new ValidityPeriod {
ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(1)
},
subjectAlternativeName,
signingCertificate,
enhancedKeyUsages,
x509KeyUsageFlags,
request,
null);
// Export content of certificates into files
var importExportCertificate = serviceProvider.GetService <ImportExportCertificate>();
var deviceCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(device1Certificate);
var signingCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(signingCertificate);
File.WriteAllText("device1.cert.pem", deviceCertificatePem);
File.WriteAllText("device1-full-chain.cert.pem", String.Concat(deviceCertificatePem, signingCertificatePem));
Console.WriteLine("Certificates exported to pem files");
}
/// <summary>
/// Enroll certificate file base on request
/// </summary>
/// <param name="csr"></param>
/// <param name="rootCert"></param>
/// <param name="issuerKeyPair"></param>
/// <param name="startDate"></param>
/// <param name="endDate"></param>
/// <returns></returns>
private Org.BouncyCastle.X509.X509Certificate GenerateSignedCertificate(
Pkcs10CertificationRequest csr,
Org.BouncyCastle.X509.X509Certificate rootCert,
AsymmetricCipherKeyPair issuerKeyPair,
DateTime startDate, DateTime endDate)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
//List<ExtensionsItem> extensions = null;
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(rootCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(endDate);
CertificationRequestInfo info = csr.GetCertificationRequestInfo();
certGen.SetSubjectDN(info.Subject);
certGen.SetPublicKey(csr.GetPublicKey());
var sigAlg = csr.Signature;
var sigAlg1 = csr.SignatureAlgorithm;
certGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");
// Add certificate extensions
Asn1Set attributes = csr.GetCertificationRequestInfo().Attributes;
if (attributes != null)
{
for (int i = 0; i != attributes.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(attributes[i]);
if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions1 = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier oid in extensions1.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions1.GetExtension(oid);
// !!! NOT working !!!
//certGen.AddExtension(oid, ext.IsCritical, ext.Value);
//OK
certGen.AddExtension(oid, ext.IsCritical, ext.Value, true);
}
}
}
}
Org.BouncyCastle.X509.X509Certificate issuedCert = null;
try
{
issuedCert = certGen.Generate(issuerKeyPair.Private);
tbOutputMessageBox.Text += "Certificate file sucessfully generated." + "\n";
}
catch (Exception ex)
{
Brush bckForeground = tbOutputMessageBox.Foreground;
tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red);
tbOutputMessageBox.Text += "Error, generate certificate file." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n";
tbOutputMessageBox.Foreground = bckForeground;
}
try
{
tbOutputMessageBox.Text += "Check if generated certificate file is valid, plase wait ..." + "\n";
issuedCert.CheckValidity(DateTime.UtcNow);
tbOutputMessageBox.Text += "Generate certificate file is valid." + "\n";
}
catch (Exception ex)
{
Brush bckForeground = tbOutputMessageBox.Foreground;
tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red);
tbOutputMessageBox.Text += "Error, generated certificate file is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n";
tbOutputMessageBox.Foreground = bckForeground;
}
try
{
tbOutputMessageBox.Text += "Verify generated certificate file, plase wait ..." + "\n";
issuedCert.Verify(issuerKeyPair.Public);
tbOutputMessageBox.Text += "Generate certificate file verification is OK." + "\n";
}
catch (Exception ex)
{
Brush bckForeground = tbOutputMessageBox.Foreground;
tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red);
tbOutputMessageBox.Text += "Error, generated certificate file verification is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n";
tbOutputMessageBox.Foreground = bckForeground;
}
return(issuedCert);
}
public PkiCertificateSigningRequest(PkiEncodingFormat format, byte[] encoded,
PkiHashAlgorithm hashAlgorithm)
{
Pkcs10CertificationRequest pkcs10;
switch (format)
{
case PkiEncodingFormat.Pem:
var encodedString = Encoding.UTF8.GetString(encoded);
using (var sr = new StringReader(encodedString))
{
var pemReader = new PemReader(sr);
pkcs10 = pemReader.ReadObject() as Pkcs10CertificationRequest;
if (pkcs10 == null)
{
throw new Exception("invalid PEM object is not PKCS#10 archive");
}
}
break;
case PkiEncodingFormat.Der:
pkcs10 = new Pkcs10CertificationRequest(encoded);
break;
default:
throw new NotSupportedException();
}
var info = pkcs10.GetCertificationRequestInfo();
var nativePublicKey = pkcs10.GetPublicKey();
var rsaKey = nativePublicKey as RsaKeyParameters;
var ecdsaKey = nativePublicKey as ECPublicKeyParameters;
if (rsaKey != null)
{
PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Rsa);
}
else if (ecdsaKey != null)
{
PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Ecdsa);
}
else
{
throw new NotSupportedException("unsupported asymmetric algorithm key");
}
SubjectName = info.Subject.ToString();
HashAlgorithm = hashAlgorithm;
// // // Based on:
// // // http://forum.rebex.net/4284/pkcs10-certificate-request-example-provided-castle-working
// // var extGen = new X509ExtensionsGenerator();
// // foreach (var ext in CertificateExtensions)
// // {
// // extGen.AddExtension(ext.Identifier, ext.IsCritical, ext.Value);
// // }
// // var attr = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,
// // new DerSet(extGen.Generate()));
// Based on:
// http://unitstep.net/blog/2008/10/27/extracting-x509-extensions-from-a-csr-using-the-bouncy-castle-apis/
// https://stackoverflow.com/q/24448909/5428506
foreach (var attr in info.Attributes.ToArray())
{
if (attr is DerSequence derSeq && derSeq.Count == 2)
{
var attrX509 = AttributeX509.GetInstance(attr);
if (object.Equals(attrX509.AttrType, PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
// The `Extension Request` attribute is present.
// The X509Extensions are contained as a value of the ASN.1 Set.
// Assume that it is the first value of the set.
if (attrX509.AttrValues.Count >= 1)
{
var csrExts = X509Extensions.GetInstance(attrX509.AttrValues[0]);
foreach (var extOid in csrExts.GetExtensionOids())
{
if (object.Equals(extOid, X509Extensions.SubjectAlternativeName))
{
var ext = csrExts.GetExtension(extOid);
var extVal = ext.Value;
var der = extVal.GetDerEncoded();
// The ext value, which is an ASN.1 Octet String, **MIGHT** be tagged with
// a leading indicator that it's an Octet String and its length, so we want
// to remove it if that's the case to extract the GeneralNames collection
if (der.Length > 2 && der[0] == 4 && der[1] == der.Length - 2)
{
der = der.Skip(2).ToArray();
}
var asn1obj = Asn1Object.FromByteArray(der);
var gnames = GeneralNames.GetInstance(asn1obj);
CertificateExtensions.Add(new PkiCertificateExtension
{
Identifier = extOid,
IsCritical = ext.IsCritical,
Value = gnames,
});
}
}
// No need to search any more.
break;
}
}
}
}
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
ILogger log,
ExecutionContext context)
{
log.LogInformation("Certificate trigger function processed a request.");
try
{
await ReadAppSettings(context, log);
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
Certificate_Request request = JsonConvert.DeserializeObject <Certificate_Request>(requestBody);
// Validate payload
if (string.IsNullOrEmpty(request.RegistrationId) || string.IsNullOrEmpty(request.Csr))
{
return(new BadRequestResult());
}
// Check if the device is authorized to request a certificate
bool isAuthorized = CheckIfAuthorized(request.RegistrationId);
if (isAuthorized)
{
log.LogInformation($"{request.RegistrationId} is authorized.");
Pkcs10CertificationRequest decodedCsr = null;
RsaKeyParameters publicKey = null;
CertificationRequestInfo info = null;
// Get the signing certificate from a location
X509Certificate serverCertificate = ReadCertificate(cert, location, log);
if (serverCertificate == null)
{
throw new System.Exception("ReadCertificate() was unable to retrieve the signing certificate.");
}
// Get signing cert private key from a location.
AsymmetricKeyParameter serverPrivateKey = ReadPrivateKey(key, location, log);
if (serverPrivateKey == null)
{
throw new System.Exception("ReadPrivateKey() was unable to retrieve the private key.");
}
byte[] csr = Convert.FromBase64String(request.Csr);
// Decode DER
decodedCsr = new Pkcs10CertificationRequest(csr);
info = decodedCsr.GetCertificationRequestInfo();
SubjectPublicKeyInfo publicKeyInfo = info.SubjectPublicKeyInfo;
RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.ParsePublicKey());
publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
bool certIsOK = decodedCsr.Verify(publicKey);
// Create the device certificate
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
generator.SetIssuerDN(serverCertificate.SubjectDN);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddYears(certificateLifespanInYears));
generator.SetSubjectDN(info.Subject);
generator.SetPublicKey(publicKey);
generator.SetSignatureAlgorithm("SHA512withRSA");
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
// Generate the device certificate
var deviceCert = generator.Generate(serverPrivateKey);
// Convert to DER
byte[] encoded = deviceCert.GetEncoded();
// Convert byte array to Base64 string
string encodedString = Convert.ToBase64String(encoded);
Certificate_Response responseMessage = new Certificate_Response
{
Certificate = encodedString
};
log.LogInformation($"Certificate issued for: {info.Subject}");
return(new OkObjectResult(responseMessage));
}
else
{
log.LogError($"{request.RegistrationId} is NOT authorized.");
return(new UnauthorizedResult());
}
}
catch (Exception ex)
{
log.LogInformation(ex.Message);
}
return(new BadRequestResult());
}
/*
* we generate a self signed certificate for the sake of testing - SHA224withECDSA
*/
private void createECRequest(
string algorithm,
DerObjectIdentifier algOid)
{
X9ECParameters x9 = ECNamedCurveTable.GetByName("secp521r1");
ECCurve curve = x9.Curve;
ECDomainParameters spec = new ECDomainParameters(curve, x9.G, x9.N, x9.H);
ECPrivateKeyParameters privKey = new ECPrivateKeyParameters(
new BigInteger("5769183828869504557786041598510887460263120754767955773309066354712783118202294874205844512909370791582896372147797293913785865682804434049019366394746072023"), // d
spec);
ECPublicKeyParameters pubKey = new ECPublicKeyParameters(
// curve.DecodePoint(Hex.Decode("026BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q
curve.DecodePoint(Hex.Decode("02006BFDD2C9278B63C92D6624F151C9D7A822CC75BD983B17D25D74C26740380022D3D8FAF304781E416175EADF4ED6E2B47142D2454A7AC7801DD803CF44A4D1F0AC")), // Q
spec);
// //
// // set up the keys
// //
// AsymmetricKeyParameter privKey;
// AsymmetricKeyParameter pubKey;
//
// KeyFactory fact = KeyFactory.getInstance("ECDSA");
//
// privKey = fact.generatePrivate(privKeySpec);
// pubKey = fact.generatePublic(pubKeySpec);
Pkcs10CertificationRequest req = new Pkcs10CertificationRequest(
algorithm, new X509Name("CN=XXX"), pubKey, null, privKey);
if (!req.Verify())
{
Fail("Failed Verify check EC.");
}
req = new Pkcs10CertificationRequest(req.GetEncoded());
if (!req.Verify())
{
Fail("Failed Verify check EC encoded.");
}
//
// try with point compression turned off
//
// ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED");
ECPoint q = pubKey.Q.Normalize();
pubKey = new ECPublicKeyParameters(
pubKey.AlgorithmName,
q.Curve.CreatePoint(q.XCoord.ToBigInteger(), q.YCoord.ToBigInteger()),
pubKey.Parameters);
req = new Pkcs10CertificationRequest(
algorithm, new X509Name("CN=XXX"), pubKey, null, privKey);
if (!req.Verify())
{
Fail("Failed Verify check EC uncompressed.");
}
req = new Pkcs10CertificationRequest(req.GetEncoded());
if (!req.Verify())
{
Fail("Failed Verify check EC uncompressed encoded.");
}
if (!req.SignatureAlgorithm.Algorithm.Equals(algOid))
{
Fail("ECDSA oid incorrect.");
}
if (req.SignatureAlgorithm.Parameters != null)
{
Fail("ECDSA parameters incorrect.");
}
ISigner sig = SignerUtilities.GetSigner(algorithm);
sig.Init(false, pubKey);
byte[] b = req.GetCertificationRequestInfo().GetEncoded();
sig.BlockUpdate(b, 0, b.Length);
if (!sig.VerifySignature(req.GetSignatureOctets()))
{
Fail("signature not mapped correctly.");
}
}
internal byte[] CreatePKCS10CSRTest(ParametersValidation validationRequest, out StepType stepType, out SoapException exc, out int timeout, DistinguishedName Subject, string KeyID, CSRAttribute[] CSRAttribute, AlgorithmIdentifier SignatureAlgorithm)
{
int special;
VoidCommand("CreatePKCS10CSR", CreatePKCS10CSR, validationRequest, true, out stepType, out exc, out timeout, out special);
byte[] result;
switch (special)
{
case 1:
//Correct response
var subject = "";
if (null != Subject)
{
var r = new StringBuilder();
if (null != Subject.CommonName)
{
r.Append(string.Format("CN={0},", Subject.CommonName));
}
if (null != Subject.Country)
{
r.Append(string.Format("C={0},", Subject.Country));
}
if (null != Subject.Locality)
{
r.Append(string.Format("L={0},", Subject.Locality));
}
if (null != Subject.Organization)
{
r.Append(string.Format("O={0},", Subject.Organization));
}
if (null != Subject.OrganizationalUnit)
{
r.Append(string.Format("OU={0},", Subject.OrganizationalUnit));
}
if (null != Subject.StateOrProvinceName)
{
r.Append(string.Format("ST={0},", Subject.StateOrProvinceName));
}
subject = r.ToString().TrimEnd(',');
}
var generator = new RsaKeyPairGenerator();
generator.Init(new KeyGenerationParameters(new SecureRandom(), 1024));
var keyPair = generator.GenerateKeyPair();
var signatureAlg = "SHA1WithRSAEncryption";
if (null != SignatureAlgorithm && !string.IsNullOrEmpty(SignatureAlgorithm.algorithm))
{
signatureAlg = SignatureAlgorithm.algorithm;
}
var csr = new Pkcs10CertificationRequest(signatureAlg, new X509Name(subject), keyPair.Public, null, keyPair.Private);
TestCommon.writeToLogInfo("Public Key: " + csr.GetCertificationRequestInfo().SubjectPublicKeyInfo.PublicKeyData.ToString());
TestCommon.writeToLogInfo("Signature: " + csr.Signature.ToString());
TestCommon.writeToLogInfo("SignatureAlgorithm: " + csr.SignatureAlgorithm.ObjectID.ToString());
TestCommon.writeToLogInfo("Subject: " + csr.GetCertificationRequestInfo().Subject.ToString());
result = csr.GetEncoded();
break;
case 2:
//with sign error, sign lenght 1024
result = TestCommon.ReadBinary(TestCommon.PCS10Binary3Uri);
break;
case 3:
//without error, sign lenght 3072
result = new byte[1];
break;
case 4:
//without error, sign lenght 3072
result = new byte[0];
break;
case 5:
//without sign error, sign lenght 1024, with wrong subject
result = TestCommon.ReadBinary(TestCommon.PCS10Binary2Uri);
break;
default:
result = null;
break;
}
return(result);
}
