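        /// <summary>
        /// Builds and signs a one-entry CRL, issued by <paramref name="caCert"/>, that revokes
        /// <paramref name="serialNumber"/> with reason privilegeWithdrawn.
        /// </summary>
        /// <param name="caCert">Issuing CA certificate. Its subject becomes the CRL issuer and it feeds the
        /// AuthorityKeyIdentifier extension.</param>
        /// <param name="caKey">Private key that signs the CRL. The signature algorithm is fixed to
        /// SHA256withRSA, so this must be an RSA key (not checked here).</param>
        /// <param name="serialNumber">Serial number of the certificate being revoked.</param>
        /// <param name="crlNumber">Value of the (non-critical) CRLNumber extension. Defaults to 1, which is the
        /// original hard-coded behaviour. A real CA must pass a strictly increasing value on every issuance —
        /// RFC 5280 relying parties use CRLNumber to detect stale or replayed CRLs, and a constant 1 defeats that.</param>
        /// <param name="validity">Interval from thisUpdate to nextUpdate. Defaults to 100 seconds, the original
        /// hard-coded value, which is only sensible for tests.</param>
        /// <returns>The signed CRL.</returns>
        public static X509Crl CreateCrl(
            X509Certificate         caCert,
            IAsymmetricKeyParameter caKey,
            IBigInteger             serialNumber,
            BigInteger              crlNumber = null,
            TimeSpan?               validity = null)
        {
            X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
            DateTime now = DateTime.UtcNow;
            TimeSpan window = validity ?? TimeSpan.FromSeconds(100);

            // Issuer of the CRL is the CA's subject; AKI below lets verifiers locate the CA key.
            crlGen.SetIssuerDN(PrincipalUtilities.GetSubjectX509Principal(caCert));
            crlGen.SetThisUpdate(now);
            crlGen.SetNextUpdate(now.Add(window));
            crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

            // Revocation time is "now"; the reason is fixed to privilegeWithdrawn.
            crlGen.AddCrlEntry(serialNumber, now, CrlReason.PrivilegeWithdrawn);

            crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
            crlGen.AddExtension(X509Extensions.CrlNumber, false, new CrlNumber(crlNumber ?? BigInteger.One));

            return crlGen.Generate(caKey);
        }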
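        /// <summary>
        /// End-to-end exercise of X509V2CrlGenerator: generate a CRL with one revoked serial that carries a
        /// reasonCode entry extension, read its fields back, seed a second generator from it via AddCrl and
        /// add a second entry, then round-trip the result through X509CrlParser.
        /// Unlike the original version, every generated CRL is also verified against the signing public key,
        /// so a generator regression that produced an unverifiable signature can no longer pass unnoticed.
        /// </summary>
        private void checkCrlCreation3()
        {
            IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
            // 768-bit RSA is far below any acceptable production size; used only to keep the test fast.
            kpGen.Init(
                new RsaKeyGenerationParameters(
                    BigInteger.ValueOf(0x10001), new SecureRandom(), 768, 25));
            AsymmetricCipherKeyPair pair = kpGen.GenerateKeyPair();

            X509Name issuer = new X509Name("CN=Test CA");
            DateTime now = DateTime.UtcNow;

            X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
            crlGen.SetIssuerDN(issuer);
            crlGen.SetThisUpdate(now);
            crlGen.SetNextUpdate(now.AddSeconds(100));
            crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

            // Entry extension set: a single non-critical reasonCode = privilegeWithdrawn.
            IList extOids = new ArrayList();
            IList extValues = new ArrayList();
            CrlReason crlReason = new CrlReason(CrlReason.PrivilegeWithdrawn);
            try
            {
                extOids.Add(X509Extensions.ReasonCode);
                extValues.Add(new X509Extension(false, new DerOctetString(crlReason.GetEncoded())));
            }
            catch (IOException e)
            {
                throw new ArgumentException("error encoding reason: " + e);
            }
            X509Extensions entryExtensions = new X509Extensions(extOids, extValues);

            crlGen.AddCrlEntry(BigInteger.One, now, entryExtensions);
            crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));

            X509Crl crl = crlGen.Generate(pair.Private);
            // Signature check (throws on failure) — absent from the original test.
            crl.Verify(pair.Public);

            if (!crl.IssuerDN.Equivalent(issuer, true))
            {
                Fail("failed CRL issuer test");
            }

            Asn1OctetString authExt = crl.GetExtensionValue(X509Extensions.AuthorityKeyIdentifier);
            if (authExt == null)
            {
                Fail("failed to find CRL extension");
            }
            // Parsing the raw value is the check: a malformed AKI throws here.
            AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);

            X509CrlEntry entry = crl.GetRevokedCertificate(BigInteger.One);
            if (entry == null)
            {
                Fail("failed to find CRL entry");
            }
            if (!entry.SerialNumber.Equals(BigInteger.One))
            {
                Fail("CRL cert serial number does not match");
            }
            if (!entry.HasExtensions)
            {
                Fail("CRL entry extension not found");
            }

            Asn1OctetString ext = entry.GetExtensionValue(X509Extensions.ReasonCode);
            if (ext == null)
            {
                Fail("CRL entry reasonCode not found");
            }
            else
            {
                DerEnumerated reasonCode = (DerEnumerated)X509ExtensionUtilities.FromExtensionValue(ext);
                if (reasonCode.Value.IntValue != CrlReason.PrivilegeWithdrawn)
                {
                    Fail("CRL entry reasonCode wrong");
                }
            }

            //
            // Second generator seeded with the first CRL (AddCrl), plus one more entry.
            //
            now = DateTime.UtcNow;
            crlGen = new X509V2CrlGenerator();
            crlGen.SetIssuerDN(issuer);
            crlGen.SetThisUpdate(now);
            crlGen.SetNextUpdate(now.AddSeconds(100));
            crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
            crlGen.AddCrl(crl);
            crlGen.AddCrlEntry(BigInteger.Two, now, entryExtensions);
            crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));

            X509Crl newCrl = crlGen.Generate(pair.Private);
            newCrl.Verify(pair.Public);

            int count = 0;
            bool oneFound = false;
            bool twoFound = false;
            foreach (X509CrlEntry crlEnt in newCrl.GetRevokedCertificates())
            {
                int serial = crlEnt.SerialNumber.IntValue;
                oneFound |= serial == 1;
                twoFound |= serial == 2;
                count++;
            }

            // Messages fixed: what is counted here are CRL entries, not CRLs.
            if (count != 2)
            {
                Fail("wrong number of CRL entries found");
            }
            if (!(oneFound && twoFound))
            {
                Fail("wrong CRL entries found in copied list");
            }

            //
            // Factory read-back of the DER encoding.
            //
            byte[] encoded = newCrl.GetEncoded();

            X509Crl readCrl = new X509CrlParser().ReadCrl(encoded);
            if (readCrl == null)
            {
                Fail("crl not returned!");
            }

            ICollection col = new X509CrlParser().ReadCrls(encoded);
            if (col.Count != 1)
            {
                Fail("wrong number of CRLs found in collection");
            }
        }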
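        /// <summary>
        /// Generates a CRL with one revoked serial carrying a reasonCode entry extension and checks that the
        /// issuer, the AuthorityKeyIdentifier CRL extension, the entry and its reasonCode read back correctly.
        /// Unlike the original version, the CRL signature is also verified against the signing public key.
        /// </summary>
        private void checkCrlCreation2()
        {
            IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
            // 768-bit RSA is far below any acceptable production size; used only to keep the test fast.
            kpGen.Init(
                new RsaKeyGenerationParameters(
                    BigInteger.ValueOf(0x10001), new SecureRandom(), 768, 25));
            AsymmetricCipherKeyPair pair = kpGen.GenerateKeyPair();

            X509Name issuer = new X509Name("CN=Test CA");
            DateTime now = DateTime.UtcNow;

            X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
            crlGen.SetIssuerDN(issuer);
            crlGen.SetThisUpdate(now);
            crlGen.SetNextUpdate(now.AddSeconds(100));
            crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

            // Entry extension set: a single non-critical reasonCode = privilegeWithdrawn.
            IList extOids = new ArrayList();
            IList extValues = new ArrayList();
            CrlReason crlReason = new CrlReason(CrlReason.PrivilegeWithdrawn);
            try
            {
                extOids.Add(X509Extensions.ReasonCode);
                extValues.Add(new X509Extension(false, new DerOctetString(crlReason.GetEncoded())));
            }
            catch (IOException e)
            {
                throw new ArgumentException("error encoding reason: " + e);
            }
            X509Extensions entryExtensions = new X509Extensions(extOids, extValues);

            crlGen.AddCrlEntry(BigInteger.One, now, entryExtensions);
            crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));

            X509Crl crl = crlGen.Generate(pair.Private);
            // Signature check (throws on failure) — absent from the original test.
            crl.Verify(pair.Public);

            if (!crl.IssuerDN.Equivalent(issuer, true))
            {
                Fail("failed CRL issuer test");
            }

            Asn1OctetString authExt = crl.GetExtensionValue(X509Extensions.AuthorityKeyIdentifier);
            if (authExt == null)
            {
                Fail("failed to find CRL extension");
            }
            // Parsing the raw value is the check: a malformed AKI throws here.
            AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);

            X509CrlEntry entry = crl.GetRevokedCertificate(BigInteger.One);
            if (entry == null)
            {
                Fail("failed to find CRL entry");
            }
            if (!entry.SerialNumber.Equals(BigInteger.One))
            {
                Fail("CRL cert serial number does not match");
            }
            if (!entry.HasExtensions)
            {
                Fail("CRL entry extension not found");
            }

            Asn1OctetString ext = entry.GetExtensionValue(X509Extensions.ReasonCode);
            if (ext == null)
            {
                Fail("CRL entry reasonCode not found");
            }
            else
            {
                DerEnumerated reasonCode = (DerEnumerated)X509ExtensionUtilities.FromExtensionValue(ext);
                if (reasonCode.Value.IntValue != CrlReason.PrivilegeWithdrawn)
                {
                    Fail("CRL entry reasonCode wrong");
                }
            }
        }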
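        /// <summary>
        /// Publishes the CRL: signs the current revocation list with the CA key held in the PKCS#12 store,
        /// writes it PEM-encoded to <c>CrlFilePath</c>, and then advances the persisted CRL number.
        /// </summary>
        /// <remarks>
        /// Returns silently (writing nothing) when no revocation list is loaded or when <c>CaAlias</c> is not
        /// a private-key entry of the store. That is the original behaviour and is kept so existing callers do
        /// not suddenly see an exception; callers that must know whether a fresh CRL was written should check
        /// the file afterwards.
        /// NOTE(review): the signature algorithm is taken from the CA certificate's own signature
        /// (<c>caCert.SigAlgName</c>), i.e. whatever the CA's issuer used. That only matches the CA's private
        /// key when both key types agree (always true for a self-signed root; confirm for cross-signed CAs).
        /// NOTE(review): <c>File.WriteAllText</c> is not atomic — a concurrent reader of the CRL path can
        /// observe a truncated file. Write to a temp file and rename if that matters in your deployment.
        /// </remarks>
        public void PublishCrl()
        {
            if (_revoked == null)
            {
                // TODO: surface this to the user (message box?) instead of returning silently.
                return;
            }

            Pkcs12Store store = LoadCAPfx(KeyStorePassword);
            if (!store.ContainsAlias(CaAlias) || !store.IsEntryOfType(CaAlias, typeof(AsymmetricKeyEntry)))
            {
                return;
            }

            AsymmetricKeyParameter key = store.GetKey(CaAlias).Key;
            X509Certificate caCert = store.GetCertificate(CaAlias).Certificate;

            // One timestamp so thisUpdate and nextUpdate are derived from the same instant.
            DateTime now = DateTime.UtcNow;
            // CRL number comes from persistent storage and is incremented after each successful publish,
            // which is what makes it strictly increasing across issuances (RFC 5280 §5.2.3).
            var crlNumber = new BigInteger(ReadCrlSerialNumber(), SerialNumberRadix);

            var crlGen = new X509V2CrlGenerator();
            crlGen.SetIssuerDN(caCert.SubjectDN);
            crlGen.SetSignatureAlgorithm(caCert.SigAlgName.Replace("-", ""));
            crlGen.SetThisUpdate(now);
            // CrlFrequency is in hours; presumably positive — zero or negative yields an already-expired CRL.
            // TODO confirm at the setting's source.
            crlGen.SetNextUpdate(now.AddHours(CrlFrequency));
            crlGen.AddExtension(X509Extensions.CrlNumber, false, new CrlNumber(crlNumber));
            crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
                                new AuthorityKeyIdentifierStructure(caCert));
            // (A previously commented-out KeyUsage extension was dropped: KeyUsage is a certificate
            // extension, not a CRL extension.)

            // NOTE(review): rs.Serial is converted with BigInteger's single-argument constructor, while the
            // CRL number above is parsed with SerialNumberRadix; confirm both stores use the same representation.
            foreach (RevokedSerial rs in _revoked.RevokedSerialCollection)
            {
                crlGen.AddCrlEntry(new BigInteger(rs.Serial), rs.RevocationDate, rs.Reason);
            }

            X509Crl crl = crlGen.Generate(key);
            string crlEncoded = PemUtilities.Encode(crl);
            File.WriteAllText(CrlFilePath, crlEncoded);
            // Only after a successful write, so a failed publish does not burn a CRL number.
            IncrementCrlSerial();
        }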
		/// <summary>
		/// Test helper: signs a short-lived CRL issued by "CN=Test CA" that revokes serial 1 with reason
		/// privilegeWithdrawn.
		/// </summary>
		/// <param name="pair">RSA key pair. The private half signs (SHA256withRSA); the public half feeds
		/// the AuthorityKeyIdentifier extension.</param>
		/// <returns>The generated CRL. nextUpdate is only 100 seconds after thisUpdate — a test value,
		/// not a production policy.</returns>
		public static X509Crl MakeCrl(
			AsymmetricCipherKeyPair pair)
		{
			DateTime issuedAt = DateTime.UtcNow;
			X509V2CrlGenerator gen = new X509V2CrlGenerator();

			gen.SetIssuerDN(new X509Name("CN=Test CA"));
			gen.SetThisUpdate(issuedAt);
			gen.SetNextUpdate(issuedAt.AddSeconds(100));
			gen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

			// Single revoked entry, revocation time = issue time.
			gen.AddCrlEntry(BigInteger.One, issuedAt, CrlReason.PrivilegeWithdrawn);
			gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
				new AuthorityKeyIdentifierStructure(pair.Public));

			return gen.Generate(pair.Private);
		}