public override void ExportArchive(PrivateKey pk, IEnumerable <Crt> certs, ArchiveFormat fmt, Stream target, string password) { var rsaPk = pk as RsaPrivateKey; if (rsaPk == null) { throw new NotSupportedException("unsupported private key type"); } if (fmt == ArchiveFormat.PKCS12) { var bcCerts = certs.Select(x => new X509CertificateEntry(FromCertPem(x.Pem))).ToArray(); var bcPk = FromPrivatePem(rsaPk.Pem); var pfx = new Pkcs12Store(); pfx.SetCertificateEntry(bcCerts[0].Certificate.ToString(), bcCerts[0]); pfx.SetKeyEntry(bcCerts[0].Certificate.ToString(), new AsymmetricKeyEntry(bcPk.Private), new[] { bcCerts[0] }); for (int i = 1; i < bcCerts.Length; ++i) { pfx.SetCertificateEntry(bcCerts[i].Certificate.SubjectDN.ToString(), bcCerts[i]); } pfx.Save(target, password?.ToCharArray(), new SecureRandom()); } else { throw new NotSupportedException("unsupported archive format"); } }
public static void ExportArchive(CertPrivateKey pk, IEnumerable <BcCertificate> certs, ArchiveFormat fmt, Stream target, string password = null) { if (fmt == ArchiveFormat.PKCS12) { var bcCerts = certs.Select(x => new X509CertificateEntry(x)).ToArray(); var pfx = new Pkcs12Store(); pfx.SetCertificateEntry(bcCerts[0].Certificate.SubjectDN.ToString(), bcCerts[0]); pfx.SetKeyEntry(bcCerts[0].Certificate.SubjectDN.ToString(), new AsymmetricKeyEntry(pk.KeyPair.Private), new[] { bcCerts[0] }); for (int i = 1; i < bcCerts.Length; ++i) { //pfx.SetCertificateEntry(bcCerts[i].Certificate.SubjectDN.ToString(), pfx.SetCertificateEntry(i.ToString(), bcCerts[i]); } // It used to be pretty straight forward to export this... pfx.Save(target, password?.ToCharArray(), new SecureRandom()); } else { throw new NotSupportedException("unsupported archive format"); } }
public override void ExportArchive(PrivateKey pk, IEnumerable <Crt> certs, ArchiveFormat fmt, Stream target, string password) { var rsaPk = pk as RsaPrivateKey; if (rsaPk == null) { throw new NotSupportedException("unsupported private key type"); } if (fmt == ArchiveFormat.PKCS12) { var bcCerts = certs.Select(x => new X509CertificateEntry(FromCertPem(x.Pem))).ToArray(); var bcPk = FromPrivatePem(rsaPk.Pem); var pfx = new Pkcs12Store(); //pfx.SetCertificateEntry(bcCerts[0].Certificate.ToString(), bcCerts[0]); //pfx.SetKeyEntry(bcCerts[0].Certificate.ToString(), pfx.SetCertificateEntry(string.Empty, bcCerts[0]); pfx.SetKeyEntry(string.Empty, new AsymmetricKeyEntry(bcPk.Private), new[] { bcCerts[0] }); for (int i = 1; i < bcCerts.Length; ++i) { //pfx.SetCertificateEntry(bcCerts[i].Certificate.SubjectDN.ToString(), pfx.SetCertificateEntry(i.ToString(), bcCerts[i]); } // It used to be pretty straight forward to export this... //pfx.Save(target, password?.ToCharArray(), new SecureRandom()); // ...unfortunately, BC won't let us export the Pkcs12 archive // without assigning a FriendlyName, so we have to export and // then re-import it, clear the FriendlyName, then return that // YUCK! using (var tmp = new MemoryStream()) { pfx.Save(tmp, null, new SecureRandom()); var c = new System.Security.Cryptography.X509Certificates.X509Certificate2(); c.Import(tmp.ToArray(), string.Empty, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet | System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable); // Clear the FriendlyName c.FriendlyName = null; var bytes = c.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, password); target.Write(bytes, 0, bytes.Length); } } else { throw new NotSupportedException("unsupported archive format"); } }
/// <summary> /// Gets the .NET certificate from the bouncy castle certificate. /// </summary> /// <param name="cert">The certificate.</param> /// <param name="friendlyName">The friendly name.</param> /// <param name="keyPair">The key pair.</param> /// <param name="random">A random number generator.</param> /// <returns></returns> protected X509Certificate2 GetWindowsCertFromGenerated(Org.BouncyCastle.X509.X509Certificate cert, string friendlyName, AsymmetricKeyParameter privateKey, SecureRandom random) { // Create a PKS store. var store = new Pkcs12Store(); // Generate a cert entry var certificateEntry = new X509CertificateEntry(cert); // Add it into the in-memory store. store.SetCertificateEntry(friendlyName, certificateEntry); // Add the key. store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(privateKey), new[] { certificateEntry }); var stream = new MemoryStream(); // Save the store to a stream.. store.Save(stream, STOREPASSWORD.ToCharArray(), random); // Now load that same certificate. var convertedCertificate = new X509Certificate2( stream.ToArray(), STOREPASSWORD, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); return(convertedCertificate); }
public static X509Certificate2 ConvertCertificate(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair subjectKeyPair, SecureRandom random) { // Now to convert the Bouncy Castle certificate to a .NET certificate. // See http://web.archive.org/web/20100504192226/http://www.fkollmann.de/v2/post/Creating-certificates-using-BouncyCastle.aspx // ...but, basically, we create a PKCS12 store (a .PFX file) in memory, and add the public and private key to that. var store = new Pkcs12Store(); // What Bouncy Castle calls "alias" is the same as what Windows terms the "friendly name". string friendlyName = certificate.SubjectDN.ToString(); // Add the certificate. var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); // Add the private key. store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); // Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream. // It needs a password. Since we'll remove this later, it doesn't particularly matter what we use. const string password = "******"; var stream = new MemoryStream(); store.Save(stream, password.ToCharArray(), random); var convertedCertificate = new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); return(convertedCertificate); }
/// <remarks>Plagarised from https://github.com/CryptLink/CertBuilder/blob/master/CertBuilder.cs. /// NOTE: netstandard2.1+ and netcoreapp3.1+ have x509.CopyWithPrivateKey which will avoid the need to /// use the serialize/deserialize from pfx to get from bouncy castle to .NET Core X509 certificates.</remarks> public static X509Certificate2 ConvertBouncyCert(Org.BouncyCastle.X509.X509Certificate bouncyCert, AsymmetricCipherKeyPair keyPair) { var pkcs12Store = new Pkcs12Store(); var certEntry = new X509CertificateEntry(bouncyCert); pkcs12Store.SetCertificateEntry(bouncyCert.SerialNumber.ToString(), certEntry); pkcs12Store.SetKeyEntry(bouncyCert.SerialNumber.ToString(), new AsymmetricKeyEntry(keyPair.Private), new[] { certEntry }); X509Certificate2 keyedCert; using (MemoryStream pfxStream = new MemoryStream()) { pkcs12Store.Save(pfxStream, new char[] { }, new SecureRandom()); pfxStream.Seek(0, SeekOrigin.Begin); keyedCert = new X509Certificate2(pfxStream.ToArray(), string.Empty, X509KeyStorageFlags.Exportable); } return(keyedCert); //var info = Org.BouncyCastle.Pkcs.PrivateKeyInfoFactory.CreatePrivateKeyInfo(keyPair.Private); //// merge into X509Certificate2 //var x509 = new X509Certificate2(bouncyCert.GetEncoded()); //var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded()); //if (seq.Count != 9) //{ // throw new Org.BouncyCastle.OpenSsl.PemException("malformed sequence in RSA private key"); //} //var rsa = RsaPrivateKeyStructure.GetInstance(seq); //new RsaPrivateKeyStructure(seq); //var rsaparams = new RsaPrivateCrtKeyParameters( // rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient); //return x509.CopyWithPrivateKey(ToRSA(rsaparams)); //X509Certificate2 x509 = null; //using (MemoryStream ms = new MemoryStream()) //{ // using (StreamWriter tw = new StreamWriter(ms)) // { // PemWriter pw = new PemWriter(tw); // //PemObject po = new PemObject("CERTIFICATE", bouncyCert.GetEncoded()); // PemObject po = new PemObject("CERTIFICATE", bouncyCert.GetEncoded()); // pw.WriteObject(po); // logger.LogDebug(Encoding.UTF8.GetString(ms.GetBuffer())); // StreamWriter sw2 = new StreamWriter("test.cer"); // sw2.Write(ms.GetBuffer()); // sw2.Close(); // x509 = new X509Certificate2(bouncyCert.GetEncoded()); // } //} //return x509; }
public void Export(Container container, Stream output) { var rawCert = container.GetRawCertificate(); var privateKey = container.GetPrivateKey(); var cert = new X509CertificateParser().ReadCertificate(rawCert); var certEntry = new X509CertificateEntry(cert); string friendlyName = "alias"; var store = new Pkcs12Store(); store.SetCertificateEntry(friendlyName, certEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(privateKey), new[] { certEntry }); var password = _password.ToCharArray(); using (var ms = new MemoryStream()) { store.Save(ms, password, new SecureRandom()); // Save дописывает в конец какой-то мусор ms.Position = 0; var asn1 = new Asn1InputStream(ms); var result = asn1.ReadObject(); byte[] buf = Pkcs12Utilities.ConvertToDefiniteLength(result.GetEncoded(), password); output.Write(buf, 0, buf.Length); } }
private async Task AddToWinCertStore() { Pkcs12Store store = new Pkcs12Store(); string friendlyName = "Limelight-Client"; var certEntry = new X509CertificateEntry(cert); store.SetCertificateEntry(friendlyName, certEntry); var keyEntry = new AsymmetricKeyEntry(keyPair.Private); store.SetKeyEntry(friendlyName, keyEntry, new[] { certEntry }); // Copy the Pkcs12Store to a stream using an arbitrary password const string password = "******"; var stream = new MemoryStream(); store.Save(stream, password.ToCharArray(), new SecureRandom()); // Write to .PFX string byte[] arr = stream.ToArray(); IBuffer buf = arr.AsBuffer(); string pfx = CryptographicBuffer.EncodeToBase64String(buf); await CertificateEnrollmentManager.ImportPfxDataAsync(pfx, password, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, friendlyName); }
private static X509Certificate2 ConvertCertificate(Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair subjectKeyPair, SecureRandom random) { // Now to convert the Bouncy Castle certificate to a .NET certificate. Basically, we create a PKCS12 store (a .PFX file) in memory, // and add the public and private key to that. var store = new Pkcs12Store(); // What Bouncy Castle calls "alias" is the same as what Windows terms the "friendly name". string friendlyName = certificate.SubjectDN.ToString(); // Add the certificate. var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); // Add the private key. var keyEntry = new AsymmetricKeyEntry(subjectKeyPair.Private); store.SetKeyEntry(friendlyName, keyEntry, new[] { certificateEntry }); // Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream. // It needs a password. Since we'll remove this when the certificate is loaded as a X509Certificate2, // it doesn't particularly matter what we use. var stream = new MemoryStream(); var passwordString = "temp"; var passwordChars = passwordString.ToCharArray(); store.Save(stream, passwordChars, random); var convertedCertificate = new X509Certificate2(stream.ToArray(), passwordString, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet); return(convertedCertificate); }
public static X509Certificate2 AddPrivateKey(this Org.BouncyCastle.X509.X509Certificate cert, AsymmetricKeyParameter privateKey) { var keyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey); var seq = Asn1Object.FromByteArray(keyInfo.ParsePrivateKey().GetDerEncoded()) as Asn1Sequence; if (seq.Count != 9) { throw new PemException("malformed sequence in RSA private key"); } var rsa = RsaPrivateKeyStructure.GetInstance(seq); var rsaParams = new RsaPrivateKeyStructure( rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient); var store = new Pkcs12Store(); var certEntry = new X509CertificateEntry(cert); store.SetCertificateEntry(cert.SubjectDN.ToString(), certEntry); store.SetKeyEntry(cert.SubjectDN.ToString(), new AsymmetricKeyEntry(privateKey), new[] { certEntry }); using (var stream = new MemoryStream()) { store.Save(stream, privateKeyPassword.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator())); return(new X509Certificate2(stream.ToArray(), privateKeyPassword, X509KeyStorageFlags.Exportable)); } }
/// <summary> /// Windows TLS needs the Alias public + private key in a PFX file /// </summary> /// <param name="certFile"></param> /// <param name="keyFile"></param> internal static void MakePFXFile(string certFile, string keyFile, string outputPfxFile, string password) { CryptoApiRandomGenerator rg = new CryptoApiRandomGenerator(); var rng = new SecureRandom(rg); // get the cert var parser = new X509CertificateParser(); var cert = parser.ReadCertificate(File.ReadAllBytes(certFile)); // get the key Org.BouncyCastle.OpenSsl.PemReader pemReader = new Org.BouncyCastle.OpenSsl.PemReader(new StringReader(File.ReadAllText(keyFile))); AsymmetricCipherKeyPair kp = pemReader.ReadObject() as AsymmetricCipherKeyPair; // Put the key and cert in an PKCS12 store so that the WIndows TLS stack can use it var store = new Pkcs12Store(); string friendlyName = cert.SubjectDN.ToString(); var certificateEntry = new X509CertificateEntry(cert); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(kp.Private), new[] { certificateEntry }); var stream = new MemoryStream(); var pwd = password == null ? null : password.ToCharArray(); store.Save(stream, pwd, rng); File.WriteAllBytes(outputPfxFile, stream.ToArray()); return; }
public static X509Certificate2 ToCertificateWithPrivateKey( Guid ownIdentity, Org.BouncyCastle.X509.X509Certificate certificate, AsymmetricCipherKeyPair keyPair, string password, SecureRandom random) { var ownCertificateStore = new FileInfo(GetStorePath(ownIdentity)); var newStore = new Pkcs12Store(); var certEntry = new X509CertificateEntry(certificate); newStore.SetCertificateEntry( ownIdentity.ToString(), certEntry); newStore.SetKeyEntry( ownIdentity.ToString(), new AsymmetricKeyEntry(keyPair.Private), new[] { certEntry }); if (ownCertificateStore.Exists) { ownCertificateStore.Delete(); } using (var file = ownCertificateStore.OpenWrite()) { newStore.Save( file, password.ToCharArray(), random); } return(new X509Certificate2(ownCertificateStore.FullName, password)); }
public static X509Certificate2 ToX509Certificate2( Org.BouncyCastle.X509.X509Certificate BouncyCert, SecureRandom RandomProvider, AsymmetricCipherKeyPair KeyPair) { var store = new Pkcs12Store(); var certificateEntry = new X509CertificateEntry(BouncyCert); string friendlyName = BouncyCert.SubjectDN.ToString(); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(KeyPair.Private), new[] { certificateEntry }); var stream = new MemoryStream(); var password = KeyPair.Private.GetHashCode().ToString(); store.Save(stream, password.ToCharArray(), RandomProvider); //convert from stream var convertedCertificate = new X509Certificate2( stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); return(convertedCertificate); }
public static X509Certificate2 GenerateSelfSignedCert() { var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var certificateGenerator = new X509V3CertificateGenerator(); var serialNumber = BigIntegers.CreateRandomInRange( BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random); certificateGenerator.SetSerialNumber(serialNumber); const string signatureAlgorithm = "SHA1WithRSA"; certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm); var subjectDN = new X509Name("CN=simpletorrent"); var issuerDN = subjectDN; certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); var notBefore = DateTime.UtcNow.Date.AddHours(-24); var notAfter = notBefore.AddYears(1000); certificateGenerator.SetNotBefore(notBefore); certificateGenerator.SetNotAfter(notAfter); const int strength = 4096; var keyGenerationParameters = new KeyGenerationParameters(random, strength); var keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); certificateGenerator.SetPublicKey(subjectKeyPair.Public); var issuerKeyPair = subjectKeyPair; var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random); var store = new Pkcs12Store(); string friendlyName = certificate.SubjectDN.ToString(); var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); string password = "******"; var stream = new MemoryStream(); store.Save(stream, password.ToCharArray(), random); //mono bug #1660 fix -> convert to definite-length encoding byte[] pfx = Pkcs12Utilities.ConvertToDefiniteLength(stream.ToArray(), password.ToCharArray()); var convertedCertificate = new X509Certificate2( pfx, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); return(convertedCertificate); }
public static X509Certificates.X509Certificate2 ToX509Certificate2( this X509Certificate certificate, AsymmetricCipherKeyPair subjectKeyPair, SecureRandom random) { var store = new Pkcs12Store(); var friendlyName = certificate.SubjectDN.ToString(); // Add the certificate. var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); // Add the private key. store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); // Convert it to an X509Certificate2 object by saving/loading it from a MemoryStream. // It needs a password. Since we'll remove this later, it doesn't particularly matter what we use. const string password = "******"; X509Certificates.X509Certificate2 convertedCertificate; using (var stream = new MemoryStream()) { store.Save(stream, password.ToCharArray(), random); convertedCertificate = new X509Certificates.X509Certificate2(stream.ToArray(), password, // X509Certificates.X509KeyStorageFlags.DefaultKeySet); X509Certificates.X509KeyStorageFlags.MachineKeySet | X509Certificates.X509KeyStorageFlags.PersistKeySet | X509Certificates.X509KeyStorageFlags.Exportable); } return(convertedCertificate); }
private static X509Certificate2 ConvertCertificate( X509Certificate certificate, AsymmetricCipherKeyPair subjectKeyPair, SecureRandom random) { var store = new Pkcs12Store(); string friendlyName = certificate.SubjectDN.ToString(); var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); const string password = "******"; var stream = new MemoryStream(); store.Save(stream, password.ToCharArray(), random); return(new X509Certificate2( stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable)); }
internal static CertContainer IssueSignerCertificate(X509Name dnName, int keySize = DefaultKeySize) { CertContainer issuerCert = IntermediateCa; RsaKeyPairGenerator keyPairGen = new RsaKeyPairGenerator(); keyPairGen.Init(new KeyGenerationParameters(_secureRandom, keySize)); AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair(); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.SetSerialNumber(BigInteger.One); certGen.SetIssuerDN(issuerCert.Certificate.SubjectDN); certGen.SetNotBefore(DateTime.Now); certGen.SetNotAfter(DateTime.Now.AddYears(1)); certGen.SetSubjectDN(dnName); certGen.SetPublicKey(keyPair.Public); certGen.SetSignatureAlgorithm("SHA256withRSA"); certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert.Certificate.GetPublicKey())); certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(X509KeyUsage.NonRepudiation | X509KeyUsage.DigitalSignature)); certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.Public)); certGen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth)); // Add CRL endpoint Uri currentBaseUri = new Uri("https://localhost/"); Uri crlUri = new Uri(currentBaseUri, IntermediateCrlPath); GeneralName generalName = new GeneralName(GeneralName.UniformResourceIdentifier, crlUri.ToString()); GeneralNames generalNames = new GeneralNames(generalName); DistributionPointName distPointName = new DistributionPointName(generalNames); DistributionPoint distPoint = new DistributionPoint(distPointName, null, null); certGen.AddExtension(X509Extensions.CrlDistributionPoints, false, new CrlDistPoint(new DistributionPoint[] { distPoint })); // Add OCSP endpoint Uri ocspUri = new Uri(currentBaseUri, OcspPath); AccessDescription ocsp = new AccessDescription(AccessDescription.IdADOcsp, new GeneralName(GeneralName.UniformResourceIdentifier, ocspUri.ToString())); Asn1EncodableVector aiaASN = new Asn1EncodableVector(); aiaASN.Add(ocsp); certGen.AddExtension(X509Extensions.AuthorityInfoAccess, false, new DerSequence(aiaASN)); X509Certificate generatedCert = certGen.Generate(issuerCert.PrivateKey); Pkcs12StoreBuilder pfxBuilder = new Pkcs12StoreBuilder(); Pkcs12Store pfxStore = pfxBuilder.Build(); X509CertificateEntry certEntry = new X509CertificateEntry(generatedCert); pfxStore.SetCertificateEntry(generatedCert.SubjectDN.ToString(), certEntry); pfxStore.SetKeyEntry(generatedCert.SubjectDN + "_key", new AsymmetricKeyEntry(keyPair.Private), new X509CertificateEntry[] { certEntry }); return(new CertContainer(pfxStore, issuerCert.GetIssuerChain(true))); }
/// <summary> /// Create a self signed certificate in the specified file. /// </summary> /// <param name="subjectName">The subject of the certificate to create.</param> /// <param name="fileName">The file name to write the certificate to.</param> /// <param name="signatureAlgorithm">The signature algorithm to use</param> /// <param name="password">True if there is a password, false otherwise. Note that if there is a password, PFX format is assumed.</param> public static void CreateSelfSignedInFile(string subjectName, string fileName, string signatureAlgorithm, string password = "") { byte[] serialNumber = GenerateSerialNumber(); string subject = string.Format("CN={0}", subjectName); var subjectDN = new X509Name(subject); var issuerDN = subjectDN; const int keyStrength = 2048; var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength); var keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); var issuerKeyPair = subjectKeyPair; ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, issuerKeyPair.Private, random); var certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth)); certificateGenerator.SetSerialNumber(new BigInteger(serialNumber.Concat(new Byte[] { 0 }).ToArray())); certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); certificateGenerator.SetNotBefore(DateTime.Now); certificateGenerator.SetNotAfter(DateTime.Now); certificateGenerator.SetPublicKey(subjectKeyPair.Public); var certificate = certificateGenerator.Generate(signatureFactory); var store = new Pkcs12Store(); string friendlyName = certificate.SubjectDN.ToString(); var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); var stream = new MemoryStream(); store.Save(stream, password.ToCharArray(), random); var convertedCertificate = new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); //If password is not empty, generate a PKCS#12 formatted file if (!string.IsNullOrEmpty(password)) { File.WriteAllBytes(fileName, stream.ToArray()); } //If password is empty generate a DER formatted file else { File.WriteAllBytes(fileName, convertedCertificate.RawData); } }
/// <summary> /// Creates X509 v3 certificate in PKCS12 file format. /// </summary> /// <param name="cn">Common name "CN" value.</param> /// <param name="password">Private key password.</param> /// <returns>Returns new X509 v3 certificate in PKCS12 file(.p12 or .pfx) format.</returns> /// <exception cref="ArgumentNullException">Is raised when <b>cn</b> or <b>password</b> is null reference.</exception> public static byte[] CreateCertificate(string cn, string password) { if (cn == null) { throw new ArgumentNullException("cn"); } if (password == null) { throw new ArgumentNullException("password"); } RsaKeyPairGenerator kpgen = new RsaKeyPairGenerator(); kpgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024)); AsymmetricCipherKeyPair kp = kpgen.GenerateKeyPair(); BigInteger serial = BigInteger.ProbablePrime(120, new Random()); X509Name certName = new X509Name("CN=" + cn); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.SetSerialNumber(serial); gen.SetSubjectDN(certName); gen.SetIssuerDN(certName); gen.SetNotBefore(DateTime.UtcNow.AddDays(-2)); gen.SetNotAfter(DateTime.UtcNow.AddYears(5)); gen.SetSignatureAlgorithm("MD5WithRSAEncryption"); gen.SetPublicKey(kp.Public); /* * gen.AddExtension( * X509Extensions.AuthorityKeyIdentifier.Id, * false, * new AuthorityKeyIdentifier( * SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), * new GeneralNames(new GeneralName(certName)), * serial * ));*/ gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth, KeyPurposeID.AnyExtendedKeyUsage)); X509Certificate cert = gen.Generate(kp.Private); X509CertificateEntry certEntry = new X509CertificateEntry(cert); Pkcs12Store newStore = new Pkcs12Store(); newStore.SetCertificateEntry(cn, certEntry); newStore.SetKeyEntry(cn, new AsymmetricKeyEntry(kp.Private), new[] { new X509CertificateEntry(cert) }); MemoryStream retVal = new MemoryStream(); newStore.Save(retVal, password.ToCharArray(), new SecureRandom(new CryptoApiRandomGenerator())); return(retVal.ToArray()); }
public static Pkcs12Store ToPkcs12(X509Certificate certificate, AsymmetricKeyParameter privateKey) { var pkcs12Store = new Pkcs12Store(); var certificateEntry = new X509CertificateEntry(certificate); var certificateAlias = certificate.SubjectDN.ToString(); pkcs12Store.SetCertificateEntry(certificateAlias, certificateEntry); pkcs12Store.SetKeyEntry(certificate.SubjectDN.ToString(), new AsymmetricKeyEntry(privateKey), new[] { certificateEntry }); return(pkcs12Store); }
//TODO change to functors public static X509Certificate CreateX509Certificate2(AsymmetricCipherKeyPair kp, string issuer, DateTime notBefore, DateTime notAfter, KeyType keyUsage, string filename, string password) { var random = new SecureRandom(); var sf = new Asn1SignatureFactory(HashAlg.SHA256withRSA.ToString(), kp.Private, random); var gen = new X509V3CertificateGenerator(); var serial = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random); gen.SetSerialNumber(serial); var subject = new X509Name(issuer); gen.SetIssuerDN(subject); gen.SetSubjectDN(subject); gen.SetNotBefore(notBefore); gen.SetNotAfter(notAfter); gen.SetPublicKey(kp.Public); gen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public)); gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, subjectKeyIdentifier); var authorityKeyIdentifier = new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subject)), serial); gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier); ////gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPEmailProtection)); switch (keyUsage) { case KeyType.Signature: //signature gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.NonRepudiation)); break; case KeyType.Authentication: //authentication gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.DigitalSignature)); break; case KeyType.Encryption: //encryption gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.KeyEncipherment | X509KeyUsage.KeyAgreement)); break; default: gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.KeyEncipherment | X509KeyUsage.DigitalSignature)); break; } var bouncyCert = gen.Generate(sf); bouncyCert.CheckValidity(); bouncyCert.Verify(kp.Public); var store = new Pkcs12Store(); var certificateEntry = new X509CertificateEntry(bouncyCert); store.SetCertificateEntry(bouncyCert.SubjectDN.ToString(), certificateEntry); store.SetKeyEntry(bouncyCert.SubjectDN.ToString(), new AsymmetricKeyEntry(kp.Private), new[] { certificateEntry }); using (var sw = File.Create(filename)) store.Save(sw, password.ToCharArray(), random); return(bouncyCert); }
/// <summary> /// Convert DER encoded private key data and certificate data into a PKCS12 container. /// </summary> /// <param name="password">The password to encrypt the container with, or null for no encryption.</param> /// <param name="privateKeyData">The private key data that will be stored in the container.</param> /// <param name="certificateData">The list of certificates that will be stored in the container.</param> /// <returns>A PKCS12 byte array.</returns> static public byte[] GetPkcs12Certificate(string password, byte[] privateKeyData, ICollection <byte[]> certificateData) { var certPrivateKey = PrivateKeyFactory.CreateKey(privateKeyData); List <X509CertificateEntry> certificates = new List <X509CertificateEntry>(); var x509Parser = new X509CertificateParser(); var pkStore = new Pkcs12Store(); // // Load all the certificates from the raw data. // foreach (var certdata in certificateData) { certificates.Add(new X509CertificateEntry(x509Parser.ReadCertificate(certdata))); } // // Set the primary certificate and key. // var keyEntry = new AsymmetricKeyEntry(certPrivateKey); pkStore.SetCertificateEntry(string.Empty, certificates[0]); pkStore.SetKeyEntry(string.Empty, new AsymmetricKeyEntry(certPrivateKey), new[] { certificates[0] }); // // Add in any additional chain certificates. // for (int i = 1; i < certificates.Count; i++) { pkStore.SetCertificateEntry(i.ToString(), certificates[i]); } // // Do a final conversion of the certificate data into a PKCS12 blob and add it to the store. // using (var ms = new MemoryStream()) { pkStore.Save(ms, password?.ToArray(), new SecureRandom()); return(ms.ToArray()); } }
public CertificationResult Certify(byte[][] publicKey) { var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var certificateGenerator = new X509V3CertificateGenerator(); BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random); certificateGenerator.SetSerialNumber(serialNumber); DateTime notBefore = DateTime.UtcNow.Date; DateTime notAfter = notBefore.AddDays(10); var subjectDN = new X509Name("CN=fritzenUpload.Client"); var issuerDN = new X509Name("CN=fritzenUpload"); certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); certificateGenerator.SetNotBefore(notBefore); certificateGenerator.SetNotAfter(notAfter); var subjectPublic = new RsaKeyParameters(false, new BigInteger(publicKey[1]), new BigInteger(publicKey[0])); certificateGenerator.SetPublicKey(subjectPublic); // Selfsign certificate Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(currentCert.GetFactory(random)); string serial = string.Concat(serialNumber.ToByteArray().Select(b => b.ToString("X2"))); TextWriter textWriter = new StringWriter(); PemWriter writer = new(textWriter); writer.WriteObject(certificate); textWriter.Flush(); byte[] data = Encoding.UTF8.GetBytes(textWriter.ToString()); var store = new Pkcs12Store(); var certificateEntry = new X509CertificateEntry(certificate); string friendlyName = certificate.SubjectDN.ToString(); store.SetCertificateEntry(friendlyName, certificateEntry); //TODO change encoding from pfx to something more efficient var stream = new MemoryStream(); store.Save(stream, "".ToCharArray(), random); return(new CertificationResult() { Rawdata = stream.ToArray(), SerialNumber = serial, ValidUntil = notAfter }); }
/// <summary> /// Exports the specified stream and password to a pkcs12 encrypted file. /// </summary> /// <remarks> /// Exports the specified stream and password to a pkcs12 encrypted file. /// </remarks> /// <param name="stream">The output stream.</param> /// <param name="password">The password to use to lock the private keys.</param> /// <exception cref="System.ArgumentNullException"> /// <para><paramref name="stream"/> is <c>null</c>.</para> /// <para>-or-</para> /// <para><paramref name="password"/> is <c>null</c>.</para> /// </exception> /// <exception cref="System.IO.IOException"> /// An error occurred while writing to the stream. /// </exception> public void Export(Stream stream, string password) { if (stream == null) { throw new ArgumentNullException(nameof(stream)); } if (password == null) { throw new ArgumentNullException(nameof(password)); } var store = new Pkcs12Store(); foreach (var certificate in certs) { if (keys.ContainsKey(certificate)) { continue; } var alias = certificate.GetCommonName(); if (alias == null) { continue; } var entry = new X509CertificateEntry(certificate); store.SetCertificateEntry(alias, entry); } foreach (var kvp in keys) { var alias = kvp.Key.GetCommonName(); if (alias == null) { continue; } var entry = new AsymmetricKeyEntry(kvp.Value); var cert = new X509CertificateEntry(kvp.Key); var chain = new List <X509CertificateEntry> (); chain.Add(cert); store.SetKeyEntry(alias, entry, chain.ToArray()); } store.Save(stream, password.ToCharArray(), new SecureRandom()); }
/// <summary> /// Generates a self signed certificate for the specified host. In the future this will used to /// test code that implements custom server certificate validation logic /// </summary> /// <param name="host"></param> /// <returns></returns> private X509Certificate2 GenerateCert(string host) { CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator(); SecureRandom random = new SecureRandom(randomGenerator); X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random); certificateGenerator.SetSerialNumber(serialNumber); certificateGenerator.SetSignatureAlgorithm("SHA256WithRSA"); X509Name subjectDN = new X509Name("CN=wpad_audit"); X509Name issuerDN = subjectDN; certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); DateTime notBefore = DateTime.UtcNow.Date; DateTime notAfter = notBefore.AddYears(2); certificateGenerator.SetNotBefore(notBefore); certificateGenerator.SetNotAfter(notAfter); KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, Strength); RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair(); certificateGenerator.SetPublicKey(subjectKeyPair.Public); AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair; Org.BouncyCastle.X509.X509Certificate cert = certificateGenerator.Generate(issuerKeyPair.Private, random); Pkcs12Store store = new Pkcs12Store(); string friendlyName = cert.SubjectDN.ToString(); X509CertificateEntry certificateEntry = new X509CertificateEntry(cert); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); byte[] streamContents; using (MemoryStream stream = new MemoryStream()) { store.Save(stream, Password.ToCharArray(), random); stream.Flush(); streamContents = stream.ToArray(); } return(new X509Certificate2(streamContents, Password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable)); }
/// <summary> /// Generates the certificate. /// </summary> /// <param name="subjectName">Name of the subject.</param> /// <returns>The generated certificate.</returns> public static X509Certificate2 GenerateCertificate(string subjectName) { var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var certificateGenerator = new X509V3CertificateGenerator(); var serialNumber = BigIntegers.CreateRandomInRange( BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random); certificateGenerator.SetSerialNumber(serialNumber); var subjectDN = new X509Name(subjectName); var issuerDN = subjectDN; certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); var notBefore = DateTime.UtcNow.Date; var notAfter = notBefore.AddDays(31); certificateGenerator.SetNotBefore(notBefore); certificateGenerator.SetNotAfter(notAfter); var keyGenerationParameters = new KeyGenerationParameters(random, 2048); var keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); certificateGenerator.SetPublicKey(subjectKeyPair.Public); var issuerKeyPair = subjectKeyPair; ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", issuerKeyPair.Private, random); var certificate = certificateGenerator.Generate(signatureFactory); var store = new Pkcs12Store(); string friendlyName = certificate.SubjectDN.ToString(); var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); var stream = new MemoryStream(); store.Save(stream, new char[0], random); return(new X509Certificate2(stream.ToArray())); }
private static void WriteToP12(X509Certificate newCertificate, AsymmetricKeyParameter privateKeyParameters) { var pkcs12Store = new Pkcs12Store(); var certEntry = new X509CertificateEntry(newCertificate); pkcs12Store.SetCertificateEntry("RougeCA", certEntry); pkcs12Store.SetKeyEntry("RougeCA", new AsymmetricKeyEntry(privateKeyParameters), new[] { certEntry }); using (var fileStream = new FileStream("Rogue.p12", FileMode.Create, FileAccess.Write)) { pkcs12Store.Save(fileStream, new[] { 'T', 'e', 's', 't', '1', '2', '3', '4', }, new SecureRandom()); } }
public X509Certificate2 MakeCertificate(string password, string issuedToDomainName, int validYears) { _certificateGenerator.Reset(); _certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm); var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), _random); _certificateGenerator.SetSerialNumber(serialNumber); _certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName)); _certificateGenerator.SetIssuerDN(_issuer); var subjectAlternativeNames = new Asn1Encodable[_generalNames.Length + 1]; // first subject alternative name is the same as the subject subjectAlternativeNames[0] = new GeneralName(new X509Name(issuedToDomainName)); for (int t = 1; t <= _generalNames.Length; t++) { subjectAlternativeNames[t] = _generalNames[t - 1]; } var subjectAlternativeNamesExtension = new DerSequence(subjectAlternativeNames); _certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, subjectAlternativeNamesExtension); _certificateGenerator.SetNotBefore(DateTime.UtcNow.Date); _certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(validYears)); var keyGenerationParameters = new KeyGenerationParameters(_random, _strength); var keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); _certificateGenerator.SetPublicKey(subjectKeyPair.Public); var issuerKeyPair = subjectKeyPair; var certificate = _certificateGenerator.Generate(issuerKeyPair.Private, _random); var store = new Pkcs12Store(); string friendlyName = certificate.SubjectDN.ToString(); var certificateEntry = new X509CertificateEntry(certificate); store.SetCertificateEntry(friendlyName, certificateEntry); store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry }); using (var stream = new MemoryStream()) { store.Save(stream, password.ToCharArray(), _random); return(new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable)); } }
public static X509Certificate2 GenerateNewCertificate(string name) { var kpGen = new RsaKeyPairGenerator(); kpGen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024)); AsymmetricCipherKeyPair keyPair = kpGen.GenerateKeyPair(); var gen = new X509V3CertificateGenerator(); var certificateName = new X509Name("CN=" + name); BigInteger serialNumber = BigInteger.ProbablePrime(120, new Random()); gen.SetSerialNumber(serialNumber); gen.SetSubjectDN(certificateName); gen.SetIssuerDN(certificateName); gen.SetNotAfter(DateTime.Now.AddYears(100)); gen.SetNotBefore(DateTime.Now.AddDays(-1)); gen.SetSignatureAlgorithm("SHA256WithRSAEncryption"); gen.SetPublicKey(keyPair.Public); gen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, new AuthorityKeyIdentifier( SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public), new GeneralNames(new GeneralName(certificateName)), serialNumber)); X509Certificate newCert = gen.Generate(keyPair.Private); var newStore = new Pkcs12Store(); var certEntry = new X509CertificateEntry(newCert); newStore.SetCertificateEntry( Environment.MachineName, certEntry ); newStore.SetKeyEntry( Environment.MachineName, new AsymmetricKeyEntry(keyPair.Private), new[] { certEntry } ); var memoryStream = new MemoryStream(); newStore.Save( memoryStream, new char[0], new SecureRandom(new CryptoApiRandomGenerator()) ); return(new X509Certificate2(memoryStream.ToArray())); }
private X509Certificate2 GetSignedCertificate(Org.BouncyCastle.X509.X509Certificate bcCertificate, RsaPrivateCrtKeyParameters privateKey) { string alias = bcCertificate.SubjectDN.ToString(); var pkcs12 = new Pkcs12Store(); var entry = new X509CertificateEntry(bcCertificate); pkcs12.SetCertificateEntry(alias, entry); pkcs12.SetKeyEntry(alias, new AsymmetricKeyEntry(privateKey), new[] { entry }); using (var pfxStream = new MemoryStream()) { pkcs12.Save(pfxStream, null, new SecureRandom()); return(new X509Certificate2(pfxStream.ToArray(), (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet)); } }