public ExtendedKeyUsage(params KeyPurposeID[] usages)
{
this.seq = new DerSequence(usages);
for (int i = 0; i < usages.Length; i++)
{
KeyPurposeID keyPurposeID = usages[i];
this.usageTable[keyPurposeID] = keyPurposeID;
}
}
public ExtendedKeyUsage(
IEnumerable usages)
{
Asn1EncodableVector v = new Asn1EncodableVector();
foreach (object usage in usages)
{
Asn1Encodable o = KeyPurposeID.GetInstance(usage);
v.Add(o);
this.usageTable[o] = o;
}
this.seq = new DerSequence(v);
}
public bool HasKeyPurposeId(
KeyPurposeID keyPurposeId)
{
return usageTable[keyPurposeId] != null;
}
public bool HasKeyPurposeId(
KeyPurposeID keyPurposeId)
{
return(usageTable.Contains(keyPurposeId));
}
public bool HasKeyPurposeId(
KeyPurposeID keyPurposeId)
{
return(usageTable[keyPurposeId] != null);
}
public bool HasKeyPurposeId(
KeyPurposeID keyPurposeId)
{
return usageTable.Contains(keyPurposeId);
}
/*
* creates a certificate and a private key and installs into windows registry
*/
public static void CreateCertificateKey(
string subjectName,
string issuerName,
string signatureAlgorithm,
int strength,
DateTime begin,
DateTime end,
string subjectCountryCode,
string subjectOrganization,
string subjectTitle,
string issuerCountryCode,
string issuerOrganization,
string issuerTitle,
string subjectCommonName,
string issuerCommonName)
{
// creating key pair
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
SecureRandom secureRandom = new SecureRandom(new CryptoApiRandomGenerator());
keyPairGenerator.Init(new KeyGenerationParameters(secureRandom, strength));
AsymmetricCipherKeyPair asCipherKeyPair = keyPairGenerator.GenerateKeyPair();
AsymmetricKeyParameter publicKey = asCipherKeyPair.Public;
RsaPrivateCrtKeyParameters privateKey = (RsaPrivateCrtKeyParameters)asCipherKeyPair.Private;
// initializing certificate generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), secureRandom);
certificateGenerator.SetSerialNumber(serialNumber);
// setting subject name
string subjectNameString = "E=" + subjectName;
if (subjectCommonName != null)
subjectNameString += ", CN=" + subjectCommonName;
if (subjectCountryCode != null)
subjectNameString += ", C=" + subjectCountryCode;
if (subjectOrganization != null)
subjectNameString += ", O=" + subjectOrganization;
if (subjectTitle != null)
subjectNameString += ", T=" + subjectTitle;
certificateGenerator.SetSubjectDN(new X509Name(subjectNameString));
// setting issuer name
string issuerNameString = "E=" + issuerName;
if (issuerCommonName != null)
issuerNameString += ", CN=" + issuerCommonName;
if (issuerCountryCode != null)
issuerNameString += ", C=" + issuerCountryCode;
if (issuerOrganization != null)
issuerNameString += ", O=" + issuerOrganization;
if (issuerTitle != null)
issuerNameString += ", T=" + issuerTitle;
certificateGenerator.SetIssuerDN(new X509Name(issuerNameString));
// setting other properties of certificate
certificateGenerator.SetNotBefore(begin);
certificateGenerator.SetNotAfter(end);
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
certificateGenerator.SetPublicKey(publicKey);
// setting key usage
KeyPurposeID[] usages = new KeyPurposeID[] { KeyPurposeID.IdKPEmailProtection };
certificateGenerator.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
false,
new ExtendedKeyUsage(usages));
// creating certificate and installing into certificate/key database
X509Certificate certificate = certificateGenerator.Generate(privateKey);
sys.X509Certificate2 windowsCertificate = new sys.X509Certificate2(DotNetUtilities.ToX509Certificate(certificate));
windowsCertificate.PrivateKey = ConvertToSystemKey(privateKey);
InstallIntoRegistry(windowsCertificate);
}
/// <summary>
/// Add the "Extended Key Usage" extension, specifying (for example) "server authentication".
/// </summary>
/// <param name="certificateGenerator"></param>
/// <param name="usages"></param>
private static void AddExtendedKeyUsage(X509V3CertificateGenerator certificateGenerator, KeyPurposeID[] usages)
{
certificateGenerator.AddExtension(
X509Extensions.ExtendedKeyUsage.Id, false, new ExtendedKeyUsage(usages));
}
private static X509Certificate2 IssueCertificate(string subjectName, X509Certificate2 issuerCertificate, string[] subjectAlternativeNames, KeyPurposeID[] usages)
{
// It's self-signed, so these are the same.
var issuerName = issuerCertificate.Subject;
var random = GetSecureRandom();
var subjectKeyPair = GenerateKeyPair(random, 2048);
var issuerKeyPair = DotNetUtilities.GetKeyPair(issuerCertificate.PrivateKey);
var serialNumber = GenerateSerialNumber(random);
var issuerSerialNumber = new BigInteger(issuerCertificate.GetSerialNumber());
const bool isCertificateAuthority = false;
var certificate = GenerateCertificate(random, subjectName, subjectKeyPair, serialNumber,
subjectAlternativeNames, issuerName, issuerKeyPair,
issuerSerialNumber, isCertificateAuthority,
usages);
return ConvertCertificate(certificate, subjectKeyPair, random);
}
private static X509Certificate GenerateCertificate(SecureRandom random,
string subjectName,
AsymmetricCipherKeyPair subjectKeyPair,
BigInteger subjectSerialNumber,
string[] subjectAlternativeNames,
string issuerName,
AsymmetricCipherKeyPair issuerKeyPair,
BigInteger issuerSerialNumber,
bool isCertificateAuthority,
KeyPurposeID[] usages)
{
var certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSerialNumber(subjectSerialNumber);
// Set the signature algorithm. This is used to generate the thumbprint which is then signed
// with the issuer's private key. We'll use SHA-256, which is (currently) considered fairly strong.
const string signatureAlgorithm = "SHA256WithRSA";
certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);
var issuerDN = new X509Name(issuerName);
certificateGenerator.SetIssuerDN(issuerDN);
// Note: The subject can be omitted if you specify a subject alternative name (SAN).
var subjectDN = new X509Name(subjectName);
certificateGenerator.SetSubjectDN(subjectDN);
// Our certificate needs valid from/to values.
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// The subject's public key goes in the certificate.
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
AddAuthorityKeyIdentifier(certificateGenerator, issuerDN, issuerKeyPair, issuerSerialNumber);
AddSubjectKeyIdentifier(certificateGenerator, subjectKeyPair);
AddBasicConstraints(certificateGenerator, isCertificateAuthority);
if (usages != null && usages.Any())
AddExtendedKeyUsage(certificateGenerator, usages);
if (subjectAlternativeNames != null && subjectAlternativeNames.Any())
AddSubjectAlternativeNames(certificateGenerator, subjectAlternativeNames);
// The certificate is signed with the issuer's private key.
var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);
return certificate;
}
private static X509Certificate2 CreateSelfSignedCertificate(string subjectName, string[] subjectAlternativeNames, KeyPurposeID[] usages)
{
// It's self-signed, so these are the same.
var issuerName = subjectName;
var random = GetSecureRandom();
var subjectKeyPair = GenerateKeyPair(random, 2048);
// It's self-signed, so these are the same.
var issuerKeyPair = subjectKeyPair;
var serialNumber = GenerateSerialNumber(random);
var issuerSerialNumber = serialNumber; // Self-signed, so it's the same serial number.
const bool isCertificateAuthority = false;
var certificate = GenerateCertificate(random, subjectName, subjectKeyPair, serialNumber,
subjectAlternativeNames, issuerName, issuerKeyPair,
issuerSerialNumber, isCertificateAuthority,
usages);
return ConvertCertificate(certificate, subjectKeyPair, random);
}
