private void init(ISignatureFactory signatureCalculator, X509Name subject, AsymmetricKeyParameter publicKey, Asn1Set attributes, AsymmetricKeyParameter signingKey)
{
sigAlgId = (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails;
SubjectPublicKeyInfo pkInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
reqInfo = new CertificationRequestInfo(subject, pkInfo, attributes);
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
byte[] derEncoded = reqInfo.GetDerEncoded();
streamCalculator.Stream.Write(derEncoded, 0, derEncoded.Length);
Platform.Dispose(streamCalculator.Stream);
sigBits = new DerBitString(((IBlockResult)streamCalculator.GetResult()).Collect());
}
internal PKCS10CertificationRequest(ASN1Sequence seq)
{
try
{
this.reqInfo = CertificationRequestInfo.getInstance(seq.getObjectAt(0));
this.sigAlgId = AlgorithmIdentifier.getInstance(seq.getObjectAt(1));
this.sigBits = (DERBitString)seq.getObjectAt(2);
}
catch (Exception ex)
{
throw new ArgumentException("Create From ASN1Sequence: " + ex.Message);
}
}
/// <summary>
/// Get the common name
/// </summary>
/// <param name="info"></param>
/// <returns></returns>
private Identifier ParseCn(CertificationRequestInfo info)
{
var subject = info.Subject;
var cnValue = subject.GetValueList(new DerObjectIdentifier("2.5.4.3"));
if (cnValue.Count > 0)
{
var name = cnValue.Cast <string>().ElementAt(0);
return(new DnsIdentifier(name).Unicode(true));
}
else
{
throw new Exception("Unable to parse common name");
}
}
public Pkcs10CertificationRequestDelaySigned(string signatureAlgorithm, X509Name subject, AsymmetricKeyParameter publicKey, Asn1Set attributes)
{
if (signatureAlgorithm == null)
{
throw new ArgumentNullException("signatureAlgorithm");
}
if (subject == null)
{
throw new ArgumentNullException("subject");
}
if (publicKey == null)
{
throw new ArgumentNullException("publicKey");
}
if (publicKey.IsPrivate)
{
throw new ArgumentException("expected public key", "publicKey");
}
string text = Platform.ToUpperInvariant(signatureAlgorithm);
DerObjectIdentifier derObjectIdentifier = (DerObjectIdentifier)Pkcs10CertificationRequest.algorithms[text];
if (derObjectIdentifier == null)
{
try
{
derObjectIdentifier = new DerObjectIdentifier(text);
}
catch (Exception innerException)
{
throw new ArgumentException("Unknown signature type requested", innerException);
}
}
if (Pkcs10CertificationRequest.noParams.Contains(derObjectIdentifier))
{
sigAlgId = new AlgorithmIdentifier(derObjectIdentifier);
}
else if (Pkcs10CertificationRequest.exParams.Contains(text))
{
sigAlgId = new AlgorithmIdentifier(derObjectIdentifier, (Asn1Encodable)Pkcs10CertificationRequest.exParams[text]);
}
else
{
sigAlgId = new AlgorithmIdentifier(derObjectIdentifier, DerNull.Instance);
}
SubjectPublicKeyInfo pkInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
reqInfo = new CertificationRequestInfo(subject, pkInfo, attributes);
}
/// <summary>
/// Call to request a certificate
/// </summary>
/// <param name="csr">Certificate signing request</param>
/// <param name="effectiveDate">Effective date of certificate</param>
/// <param name="expirationDate">Expiration date of certificate</param>
/// <param name="ca">Signing authority</param>
/// <param name="asn1Set">Extensions</param>
/// <exception cref="InvalidParameterException">Thrown if <paramref name="ca"/> is null</exception>
/// <returns>Certificate signed by <paramref name="ca"/></returns>
public static X509Certificate2 RequestCertificate(Pkcs10CertificationRequest csr, DateTime effectiveDate, DateTime expirationDate, X509Certificate2 ca, Asn1Set asn1Set)
{
AsymmetricKeyParameter keyParameter = null;
if (ca == null)
{
throw new InvalidParameterException("ca can not be null");
}
keyParameter = TransformRSAPrivateKey((RSACryptoServiceProvider)ca.PrivateKey);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(CreateSerialNumber());
certGen.SetIssuerDN(new X509Name(ca.Subject));
certGen.SetNotBefore(effectiveDate.ToUniversalTime());
certGen.SetNotAfter(expirationDate.ToUniversalTime());
certGen.SetSubjectDN(csr.GetCertificationRequestInfo().Subject);
certGen.SetPublicKey(csr.GetPublicKey());
certGen.SetSignatureAlgorithm(SIGNATURE_ALGORITHM);
CertificationRequestInfo info = csr.GetCertificationRequestInfo();
if (asn1Set != null)
{
// Iterate through each extension and add it to the certificate
for (int i = 0; i < asn1Set.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(asn1Set[i]);
if (attr != null && attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier extOid in extensions.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions.GetExtension(extOid);
certGen.AddExtension(extOid, ext.IsCritical, ext.GetParsedValue());
}
}
}
}
Org.BouncyCastle.X509.X509Certificate bcCert = certGen.Generate(keyParameter);
return(new X509Certificate2(bcCert.GetEncoded()));
}
/// <summary>
/// Generate an PKCS#10 request based on the past in signer.
/// </summary>
/// <param name="signerFactory">the content signer to be used to generate the signature validating the certificate.</param>
/// <returns>a holder containing the resulting PKCS#10 certification request.</returns>
public Pkcs10CertificationRequest Build(
ISignatureFactory <AlgorithmIdentifier> signerFactory)
{
CertificationRequestInfo info;
if (attributes.Count == 0)
{
if (leaveOffEmpty)
{
info = new CertificationRequestInfo(subject, publicKeyInfo, null);
}
else
{
info = new CertificationRequestInfo(subject, publicKeyInfo, new DerSet());
}
}
else
{
Asn1EncodableVector v = new Asn1EncodableVector();
for (int i = 0; i != attributes.Count; i++)
{
v.Add(AttributePkcs.GetInstance(attributes[i]));
}
info = new CertificationRequestInfo(subject, publicKeyInfo, new DerSet(v));
}
try
{
IStreamCalculator <IBlockResult> signer = signerFactory.CreateCalculator();
Stream sOut = signer.Stream;
byte[] data = info.GetEncoded(Asn1Encodable.Der);
sOut.Write(data, 0, data.Length);
sOut.Close();
return(new Pkcs10CertificationRequest(new CertificationRequest(info, signerFactory.AlgorithmDetails, new DerBitString(signer.GetResult().Collect()))));
}
catch (IOException e)
{
throw new InvalidOperationException("cannot produce certification request signature: " + e.Message, e);
}
}
private byte[] gen()
{
TextReader textReader = new StreamReader("certificaterequest.pkcs10");
PemReader pemReader = new PemReader(textReader);
Pkcs10CertificationRequest certificationRequest = (Pkcs10CertificationRequest)pemReader.ReadObject();
CertificationRequestInfo certificationRequestInfo = certificationRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo publicKeyInfo = certificationRequestInfo.SubjectPublicKeyInfo;
RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.GetPublicKey());
RsaKeyParameters publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
bool certIsOK = certificationRequest.Verify(publicKey);
// public key is OK here...
// get the server certificate
Org.BouncyCastle.X509.X509Certificate serverCertificate = DotNetUtilities.FromX509Certificate(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("servermastercertificate.cer"));
// get the server private key
byte[] privateKeyBytes = File.ReadAllBytes("serverprivate.key");
AsymmetricKeyParameter serverPrivateKey = PrivateKeyFactory.CreateKey(privateKeyBytes);
// generate the client certificate
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
generator.SetIssuerDN(serverCertificate.SubjectDN);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddYears(5));
generator.SetSubjectDN(certificationRequestInfo.Subject);
generator.SetPublicKey(publicKey);
generator.SetSignatureAlgorithm("SHA512withRSA");
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
var newClientCert = generator.Generate(serverPrivateKey);
newClientCert.Verify(publicKey); // <-- this blows up
return(DotNetUtilities.ToX509Certificate(newClientCert).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, "user password"));
}
/// <summary>
/// Generates client certificate by certificate signing request.
/// </summary>
/// <param name="csrBytes">CSR as bytes array</param>
/// <param name="commonName">Common name of certificate</param>
/// <exception cref="InvalidCastException">Invalid format of CSR</exception>
/// <returns></returns>
public static X509Certificate2 SignRequest(byte[] csrBytes, string commonName)
{
if (string.IsNullOrEmpty(commonName))
{
throw new ArgumentNullException("commonName");
}
var certificationRequest = new Pkcs10CertificationRequest(csrBytes);
CertificationRequestInfo csrInfo = certificationRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo;
AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki);
// Version1 (No Extensions) Certificate
DateTime startDate = DateTime.UtcNow;
DateTime expiryDate = startDate.AddYears(100);
var serialNumber = new BigInteger(32, new Random());
var certGen = new X509V1CertificateGenerator();
var x509ServerCertificate = ServerCertificate;
var caCert = DotNetUtilities.FromX509Certificate(x509ServerCertificate);
certGen.SetSerialNumber(serialNumber);
certGen.SetIssuerDN(caCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(expiryDate);
certGen.SetSubjectDN(CreateSubject(commonName));
certGen.SetSignatureAlgorithm("SHA256withRSA");
certGen.SetPublicKey(publicKey);
var keyPath = string.Format(@"{0}\App_Data\server.key", AppDomain.CurrentDomain.BaseDirectory);
AsymmetricCipherKeyPair keyPair;
using (var reader = File.OpenText(keyPath))
{
keyPair = (AsymmetricCipherKeyPair) new PemReader(reader, new PasswordFinder()).ReadObject();
}
Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(keyPair.Private);
return(new X509Certificate2(DotNetUtilities.ToX509Certificate(cert)));
}
/// <summary>
/// Parse the SAN names.
/// Based on https://stackoverflow.com/questions/44824897/getting-subject-alternate-names-with-pkcs10certificationrequest
/// </summary>
/// <param name="info"></param>
/// <returns></returns>
private IEnumerable <Identifier> ParseSan(CertificationRequestInfo info)
{
var ret = new List <Identifier>();
var extensionSequence = info.Attributes.OfType <DerSequence>()
.Where(o => o.OfType <DerObjectIdentifier>().Any(oo => oo.Id == "1.2.840.113549.1.9.14"))
.FirstOrDefault();
if (extensionSequence == null)
{
return(ret);
}
var extensionSet = extensionSequence.OfType <DerSet>().FirstOrDefault();
if (extensionSet == null)
{
return(ret);
}
var sequence = extensionSet.OfType <DerSequence>().FirstOrDefault();
if (sequence == null)
{
return(ret);
}
var derOctetString = GetAsn1ObjectRecursive <DerOctetString>(sequence, "2.5.29.17");
if (derOctetString == null)
{
return(ret);
}
var asn1object = Asn1Object.FromByteArray(derOctetString.GetOctets());
var names = Org.BouncyCastle.Asn1.X509.GeneralNames.GetInstance(asn1object);
return(names.GetNames().Select(x => x.TagNo switch {
1 => new EmailIdentifier(x.Name.ToString() !),
2 => new DnsIdentifier(x.Name.ToString() !).Unicode(true),
7 => new IpIdentifier(x.Name.ToString() !),
_ => new UnknownIdentifier(x.Name.ToString() !)
}));
/// <summary>
/// Sign a certificate
/// </summary>
/// <param name="signingCert">Issuer X509Certificate2</param>
/// <param name="csrData">CSR Data</param>
/// <returns>X509Certificate2 Certificate</returns>
private X509Certificate2 SignCertificate(X509Certificate2 signingCert, byte[] csrData)
{
//Get CSR and retrieve public key
Pkcs10CertificationRequest certRequest = new Pkcs10CertificationRequest(csrData);
CertificationRequestInfo certInfo = certRequest.GetCertificationRequestInfo();
SubjectPublicKeyInfo certPublicKeyInfo = certInfo.SubjectPublicKeyInfo;
AsymmetricKeyParameter certPublicKey = PublicKeyFactory.CreateKey(certPublicKeyInfo);
if (!certRequest.Verify(certPublicKey))
{
throw new ApplicationException("The CSR is not valid: verification failed");
}
//Get private key of intermediate issuer, to be used to sign the certificate
var issuer = DotNetUtilities.FromX509Certificate(signingCert);
AsymmetricCipherKeyPair keyPrivate = DotNetUtilities.GetRsaKeyPair(signingCert.GetRSAPrivateKey());
//Get the serial number of the issuer
var issuerSerialNumber = new BigInteger(signingCert.GetSerialNumber());
//Generate a signed certificate
return(GenerateCertificate(certInfo.Subject, certPublicKey, certPublicKeyInfo,
issuer.SubjectDN, issuer.GetPublicKey(), keyPrivate.Private, issuerSerialNumber));
}
private void readRequest(bool verify)
{
// Perform POP on the request
if ((verify) && (!Request.Verify()))
{
throw new SignatureException("Invalid signature on PKCS#10 request");
}
// Contents
info = Request.GetCertificationRequestInfo();
// Attributes - if there are no attributes in the request then info.Attributes will be null and cause an
// exception in the following foreach; attributes should be null if there aren't any.
if (info.Attributes != null)
{
attributes = new Dictionary <DerObjectIdentifier, Asn1Set>();
foreach (object entry in info.Attributes)
{
AttributePkcs attrib = AttributePkcs.GetInstance(entry);
attributes.Add(attrib.AttrType, attrib.AttrValues);
}
}
else
{
attributes = null;
}
// Extensions in OSCA format
// Make sure there are some extensions first
if (Extensions != null)
{
foreach (DerObjectIdentifier oid in Extensions.ExtensionOids)
{
oscaExtensions.Add(ProfileExtensionFactory.GetExtension(oid, Extensions.GetExtension(oid)));
}
}
}
private void readRequest()
{
// Perform POP on the request
if (!request.Verify())
{
throw new SignatureException("Invalid signature on PKCS#10 request");
}
// Contents
info = request.GetCertificationRequestInfo();
// Extensions in OSCA format
foreach (DerObjectIdentifier oid in Extensions.ExtensionOids)
{
oscaExtensions.Add(ProfileExtensionFactory.GetExtension(oid, Extensions.GetExtension(oid)));
}
// Attributes
foreach (object entry in Attributes)
{
AttributePkcs attrib = AttributePkcs.GetInstance(entry);
attributes.Add(attrib.AttrType, attrib.AttrValues);
}
}
/// <summary>
/// get sm2 csr
/// </summary>
/// <param name="issuerName"></param>
/// <returns></returns>
public static Tuple <string, AsymmetricKeyParameter> GetSMCsr(string issuerName)
{
//generate KeyPair
var keyGenerator = new ECKeyPairGenerator();
ECKeyGenerationParameters pa = new ECKeyGenerationParameters(GMObjectIdentifiers.sm2p256v1, new SecureRandom());
keyGenerator.Init(pa);
var keypair = keyGenerator.GenerateKeyPair();
//domain name of CSR file
X509Name principal = new X509Name(string.Format("CN={0},OU=client,O=BSN", string.IsNullOrEmpty(issuerName) ? "test02@app0001202004161020152918451" : issuerName));
//load public key
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keypair.Public);
CertificationRequestInfo info = new CertificationRequestInfo(principal, subjectPublicKeyInfo, new DerSet());
//signature
byte[] bs = SM2.SM2Utils.Sign(info.GetEncoded(Asn1Encodable.Der), keypair.Private);
//ECDSAHelper.CsrSignData(info.GetEncoded(Asn1Encodable.Der), keypair.Private, pa.DomainParameters.N);
//generate csr object
Pkcs10CertificationRequest p10 = new Pkcs10CertificationRequest(new CertificationRequest
(info, new AlgorithmIdentifier(GMObjectIdentifiers.sm2sign_with_sm3),
new DerBitString(bs)).GetEncoded());
//generate csr string
Org.BouncyCastle.Utilities.IO.Pem.PemObject pemCSR = new Org.BouncyCastle.Utilities.IO.Pem.PemObject("CERTIFICATE REQUEST", p10.GetEncoded());
StringWriter str = new StringWriter();
Org.BouncyCastle.Utilities.IO.Pem.PemWriter pemCsr = new Org.BouncyCastle.Utilities.IO.Pem.PemWriter(str);
pemCsr.WriteObject(pemCSR);
pemCsr.Writer.Flush();
return(new Tuple <string, AsymmetricKeyParameter>(str.ToString(), keypair.Private));
}
public async Task ValidateMergeCertificate()
{
string serverCertificateName = Recording.GenerateId();
// Generate the request.
CertificatePolicy policy = new CertificatePolicy(WellKnownIssuerNames.Unknown, "CN=Azure SDK")
{
CertificateTransparency = false,
ContentType = CertificateContentType.Pkcs12,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(serverCertificateName, policy);
RegisterForCleanup(serverCertificateName);
await using IAsyncDisposable disposableOperation = EnsureDeleted(operation);
// Read the CA.
byte[] caCertificateBytes = Convert.FromBase64String(CaPublicKeyBase64);
X509Certificate2 caCertificate = new X509Certificate2(caCertificateBytes);
// Read CA private key since getting it from caCertificate above throws.
AsymmetricCipherKeyPair caPrivateKey;
using (StringReader caPrivateKeyReader = new StringReader(CaPrivateKeyPem))
{
Org.BouncyCastle.OpenSsl.PemReader reader = new Org.BouncyCastle.OpenSsl.PemReader(caPrivateKeyReader);
caPrivateKey = (AsymmetricCipherKeyPair)reader.ReadObject();
}
// Read the CSR.
Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest(operation.Properties.Csr);
CertificationRequestInfo csrInfo = csr.GetCertificationRequestInfo();
// Parse the issuer subject name.
Hashtable oidLookup = new Hashtable(X509Name.DefaultLookup)
{
{ "s", new DerObjectIdentifier("2.5.4.8") },
};
X509Name issuerName = new X509Name(true, oidLookup, caCertificate.Subject);
// Sign the request.
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetIssuerDN(issuerName);
generator.SetSerialNumber(BigInteger.One);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddDays(1));
generator.SetSubjectDN(csrInfo.Subject);
generator.SetPublicKey(csr.GetPublicKey());
Asn1SignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", caPrivateKey.Private);
X509Certificate serverSignedPublicKey = generator.Generate(signatureFactory);
// Merge the certificate chain.
MergeCertificateOptions options = new MergeCertificateOptions(serverCertificateName, new[] { serverSignedPublicKey.GetEncoded(), caCertificateBytes });
KeyVaultCertificateWithPolicy mergedServerCertificate = await Client.MergeCertificateAsync(options);
X509Certificate2 serverCertificate = new X509Certificate2(mergedServerCertificate.Cer);
Assert.AreEqual(csrInfo.Subject.ToString(), serverCertificate.Subject);
Assert.AreEqual(serverCertificateName, mergedServerCertificate.Name);
KeyVaultCertificateWithPolicy completedServerCertificate = await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default);
Assert.AreEqual(mergedServerCertificate.Name, completedServerCertificate.Name);
CollectionAssert.AreEqual(mergedServerCertificate.Cer, completedServerCertificate.Cer);
}
static void Main(string[] args)
{
var serviceProvider = new ServiceCollection()
.AddCertificateManager()
.BuildServiceProvider();
var createCertificates = serviceProvider.GetService <CreateCertificates>();
var certificateUtility = serviceProvider.GetService <CertificateUtility>();
string password = "******";
var signingCertificate = new X509Certificate2("root.cert.pfx", password);
var enhancedKeyUsages = new OidCollection {
OidLookup.ClientAuthentication,
OidLookup.ServerAuthentication
};
var basicConstraints = new CertificateManager.Models.BasicConstraints
{
CertificateAuthority = false,
HasPathLengthConstraint = true,
PathLengthConstraint = 3,
Critical = true
};
var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature
| X509KeyUsageFlags.KeyEncipherment
| X509KeyUsageFlags.NonRepudiation;
// Read in CSR data from a file
Pkcs10CertificationRequest decodedCsr = (Pkcs10CertificationRequest) new PemReader(new StringReader(File.ReadAllText(args[0]))).ReadObject();
// Get Common Name (CN) from CSR Subject
CertificationRequestInfo csrData = decodedCsr.GetCertificationRequestInfo();
var subjectKeyPairs = csrData.Subject.ToString().Split(',')
.Select(x => x.Split('='))
.Where(x => x.Length == 2)
.ToDictionary(x => x.First(), x => x.Last());
var commonName = subjectKeyPairs["CN"];
var subjectAlternativeName = new SubjectAlternativeName
{
DnsName = new List <string>
{
commonName,
}
};
// Get Public key data from CSR and create RSA data based on that
RsaKeyParameters rsaKeyParams = (RsaKeyParameters)decodedCsr.GetPublicKey();
var rsaParams = new RSAParameters();
rsaParams.Modulus = rsaKeyParams.Modulus.ToByteArray();
rsaParams.Exponent = rsaKeyParams.Exponent.ToByteArray();
var rsa = RSA.Create();
rsa.ImportParameters(rsaParams);
// Create Certificate Request with the data extracted from csr file earlier
var rsaConfiguration = new RsaConfiguration();
var request = new CertificateRequest(
certificateUtility.CreateIssuerOrSubject(new DistinguishedName {
CommonName = commonName
}),
rsa,
rsaConfiguration.HashAlgorithmName,
rsaConfiguration.RSASignaturePadding);
// Sign the csr
var device1Certificate = createCertificates.NewRsaChainedCertificate(
basicConstraints,
new ValidityPeriod {
ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(1)
},
subjectAlternativeName,
signingCertificate,
enhancedKeyUsages,
x509KeyUsageFlags,
request,
null);
// Export content of certificates into files
var importExportCertificate = serviceProvider.GetService <ImportExportCertificate>();
var deviceCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(device1Certificate);
var signingCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(signingCertificate);
File.WriteAllText("device1.cert.pem", deviceCertificatePem);
File.WriteAllText("device1-full-chain.cert.pem", String.Concat(deviceCertificatePem, signingCertificatePem));
Console.WriteLine("Certificates exported to pem files");
}
/// <summary>
/// Enroll certificate file base on request
/// </summary>
/// <param name="cerRequest"></param>
/// <param name="rootCert"></param>
/// <param name="issuerKeyPair"></param>
/// <param name="startDate"></param>
/// <param name="endDate"></param>
/// <returns></returns>
private Org.BouncyCastle.X509.X509Certificate GenerateSignedCertificate(
Pkcs10CertificationRequest cerRequest,
Org.BouncyCastle.X509.X509Certificate rootCert,
AsymmetricCipherKeyPair issuerKeyPair,
DateTime startDate, DateTime endDate)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(rootCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(endDate);
CertificationRequestInfo info = cerRequest.GetCertificationRequestInfo();
certGen.SetSubjectDN(info.Subject);
certGen.SetPublicKey(cerRequest.GetPublicKey());
AlgorithmIdentifier sigAlg = cerRequest.SignatureAlgorithm;
string algName = GetAlgorithmName(sigAlg.Algorithm.Id);
certGen.SetSignatureAlgorithm(algName);
// Add certificate extensions
Asn1Set attributes = cerRequest.GetCertificationRequestInfo().Attributes;
if (attributes != null)
{
for (int i = 0; i != attributes.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(attributes[i]);
if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions1 = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier oid in extensions1.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions1.GetExtension(oid);
certGen.AddExtension(oid, ext.IsCritical, ext.GetParsedValue());
}
}
}
}
Org.BouncyCastle.X509.X509Certificate issuedCert = null;
try
{
issuedCert = certGen.Generate(issuerKeyPair.Private);
tbOutputMessageBox.Text += "Certificate file sucessfully generated." + "\n";
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Certificate file sucessfully generated." + "\n",
Foreground = System.Windows.Media.Brushes.Green
});
}));
}
catch (Exception ex)
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Error, generate certificate file." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n",
Foreground = System.Windows.Media.Brushes.Red
});
}));
}
try
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Check if generated certificate file is valid, plase wait ..." + "\n",
Foreground = System.Windows.Media.Brushes.Black
});
}));
issuedCert.CheckValidity(DateTime.UtcNow);
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Generate certificate file is valid." + "\n",
Foreground = System.Windows.Media.Brushes.Black
});
}));
}
catch (Exception ex)
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Error, generated certificate file is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n",
Foreground = System.Windows.Media.Brushes.Red
});
}));
}
try
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Verify generated certificate file, plase wait ..." + "\n",
Foreground = System.Windows.Media.Brushes.Black
});
issuedCert.Verify(issuerKeyPair.Public);
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Generate certificate file verification is OK." + "\n",
Foreground = System.Windows.Media.Brushes.Green
});
}));
}
catch (Exception ex)
{
Application.Current.Dispatcher.Invoke(new Action(() =>
{
tbOutputMessageBox.Inlines.Add(new Run
{
Text = "Error, generated certificate file verification is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n",
Foreground = System.Windows.Media.Brushes.Red
});
}));
}
return(issuedCert);
}
public CertificationRequest(CertificationRequestInfo requestInfo, AlgorithmIdentifier algorithm, DerBitString signature)
{
reqInfo = requestInfo;
sigAlgId = algorithm;
sigBits = signature;
}
/// <summary>
/// Enroll certificate file base on request
/// </summary>
/// <param name="csr"></param>
/// <param name="rootCert"></param>
/// <param name="issuerKeyPair"></param>
/// <param name="startDate"></param>
/// <param name="endDate"></param>
/// <returns></returns>
private Org.BouncyCastle.X509.X509Certificate GenerateSignedCertificate(
Pkcs10CertificationRequest csr,
Org.BouncyCastle.X509.X509Certificate rootCert,
AsymmetricCipherKeyPair issuerKeyPair,
DateTime startDate, DateTime endDate)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
//List<ExtensionsItem> extensions = null;
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(rootCert.SubjectDN);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(endDate);
CertificationRequestInfo info = csr.GetCertificationRequestInfo();
certGen.SetSubjectDN(info.Subject);
certGen.SetPublicKey(csr.GetPublicKey());
var sigAlg = csr.Signature;
var sigAlg1 = csr.SignatureAlgorithm;
certGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");
// Add certificate extensions
Asn1Set attributes = csr.GetCertificationRequestInfo().Attributes;
if (attributes != null)
{
for (int i = 0; i != attributes.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(attributes[i]);
if (attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions1 = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier oid in extensions1.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions1.GetExtension(oid);
// !!! NOT working !!!
//certGen.AddExtension(oid, ext.IsCritical, ext.Value);
//OK
certGen.AddExtension(oid, ext.IsCritical, ext.Value, true);
}
}
}
}
Org.BouncyCastle.X509.X509Certificate issuedCert = null;
try
{
issuedCert = certGen.Generate(issuerKeyPair.Private);
tbOutputMessageBox.Text += "Certificate file sucessfully generated." + "\n";
}
catch (Exception ex)
{
Brush bckForeground = tbOutputMessageBox.Foreground;
tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red);
tbOutputMessageBox.Text += "Error, generate certificate file." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n";
tbOutputMessageBox.Foreground = bckForeground;
}
try
{
tbOutputMessageBox.Text += "Check if generated certificate file is valid, plase wait ..." + "\n";
issuedCert.CheckValidity(DateTime.UtcNow);
tbOutputMessageBox.Text += "Generate certificate file is valid." + "\n";
}
catch (Exception ex)
{
Brush bckForeground = tbOutputMessageBox.Foreground;
tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red);
tbOutputMessageBox.Text += "Error, generated certificate file is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n";
tbOutputMessageBox.Foreground = bckForeground;
}
try
{
tbOutputMessageBox.Text += "Verify generated certificate file, plase wait ..." + "\n";
issuedCert.Verify(issuerKeyPair.Public);
tbOutputMessageBox.Text += "Generate certificate file verification is OK." + "\n";
}
catch (Exception ex)
{
Brush bckForeground = tbOutputMessageBox.Foreground;
tbOutputMessageBox.Foreground = new SolidColorBrush(Colors.Red);
tbOutputMessageBox.Text += "Error, generated certificate file verification is INVALID." + "\n" + "ERROR: " + ex.GetHashCode().ToString() + " " + ex.Message + "\n";
tbOutputMessageBox.Foreground = bckForeground;
}
return(issuedCert);
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
ILogger log,
ExecutionContext context)
{
log.LogInformation("Certificate trigger function processed a request.");
try
{
await ReadAppSettings(context, log);
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
Certificate_Request request = JsonConvert.DeserializeObject <Certificate_Request>(requestBody);
// Validate payload
if (string.IsNullOrEmpty(request.RegistrationId) || string.IsNullOrEmpty(request.Csr))
{
return(new BadRequestResult());
}
// Check if the device is authorized to request a certificate
bool isAuthorized = CheckIfAuthorized(request.RegistrationId);
if (isAuthorized)
{
log.LogInformation($"{request.RegistrationId} is authorized.");
Pkcs10CertificationRequest decodedCsr = null;
RsaKeyParameters publicKey = null;
CertificationRequestInfo info = null;
// Get the signing certificate from a location
X509Certificate serverCertificate = ReadCertificate(cert, location, log);
if (serverCertificate == null)
{
throw new System.Exception("ReadCertificate() was unable to retrieve the signing certificate.");
}
// Get signing cert private key from a location.
AsymmetricKeyParameter serverPrivateKey = ReadPrivateKey(key, location, log);
if (serverPrivateKey == null)
{
throw new System.Exception("ReadPrivateKey() was unable to retrieve the private key.");
}
byte[] csr = Convert.FromBase64String(request.Csr);
// Decode DER
decodedCsr = new Pkcs10CertificationRequest(csr);
info = decodedCsr.GetCertificationRequestInfo();
SubjectPublicKeyInfo publicKeyInfo = info.SubjectPublicKeyInfo;
RsaPublicKeyStructure publicKeyStructure = RsaPublicKeyStructure.GetInstance(publicKeyInfo.ParsePublicKey());
publicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);
bool certIsOK = decodedCsr.Verify(publicKey);
// Create the device certificate
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random()));
generator.SetIssuerDN(serverCertificate.SubjectDN);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddYears(certificateLifespanInYears));
generator.SetSubjectDN(info.Subject);
generator.SetPublicKey(publicKey);
generator.SetSignatureAlgorithm("SHA512withRSA");
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(serverCertificate));
generator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(publicKey));
// Generate the device certificate
var deviceCert = generator.Generate(serverPrivateKey);
// Convert to DER
byte[] encoded = deviceCert.GetEncoded();
// Convert byte array to Base64 string
string encodedString = Convert.ToBase64String(encoded);
Certificate_Response responseMessage = new Certificate_Response
{
Certificate = encodedString
};
log.LogInformation($"Certificate issued for: {info.Subject}");
return(new OkObjectResult(responseMessage));
}
else
{
log.LogError($"{request.RegistrationId} is NOT authorized.");
return(new UnauthorizedResult());
}
}
catch (Exception ex)
{
log.LogInformation(ex.Message);
}
return(new BadRequestResult());
}
