public static X509Certificate2 genCert()
{
var gen = new X509V3CertificateGenerator();
var keypairgen = new RsaKeyPairGenerator();
keypairgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 4096));
var keypair = keypairgen.GenerateKeyPair();
var random = new Random();
random.Next(); random.Next(); random.Next(); random.Next(); random.Next(); random.Next(); random.Next();
var CN = new X509Name("CN=IRCLib");
var SN = BigInteger.ProbablePrime(120, random);
gen.SetSerialNumber(SN);
gen.SetIssuerDN(CN);
gen.SetSubjectDN(CN);
gen.SetNotBefore(DateTime.UtcNow.Subtract(new TimeSpan(5, 0, 0)));
gen.SetNotAfter(DateTime.UtcNow.AddYears(5));
gen.SetPublicKey(keypair.Public);
var gcert = gen.Generate(new Asn1SignatureFactory("MD5WithRSA", keypair.Private));
Console.WriteLine($"Keypair results: Public: {keypair.Public}\nPrivate: {keypair.Private}");
var cert = new X509Certificate2(gcert.GetEncoded(), "irclib", X509KeyStorageFlags.Exportable);
Console.WriteLine($"Public Key: {cert.PublicKey}\nPrivate Key present: {cert.HasPrivateKey} at creation time.");
return(cert);
}
public object GetResult()
{
// Org.BouncyCastle.Crypto.Tls.TlsContext
// https://github.com/bcgit/bc-csharp/blob/master/crypto/src/crypto/tls/Chacha20Poly1305.cs
// var ccp = new Org.BouncyCastle.Crypto.Tls.Chacha20Poly1305(null);
Org.BouncyCastle.Asn1.DerObjectIdentifier cc = Org.BouncyCastle.Asn1.X509.X509Name.CountryOfCitizenship;
Org.BouncyCastle.Asn1.DerObjectIdentifier cr = Org.BouncyCastle.Asn1.X509.X509Name.CountryOfResidence;
Org.BouncyCastle.Asn1.DerObjectIdentifier coi = Org.BouncyCastle.Asn1.X509.X509Name.OrganizationIdentifier;
// https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
// https://dzone.com/articles/creating-self-signed-certificate
// https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
// https://www.akadia.com/services/ssh_test_certificate.html
// https://coderanch.com/how-to/javadoc/itext-2.1.7/com/lowagie/text/pdf/PdfPKCS7.X509Name.html#CN
var oc = Org.BouncyCastle.Asn1.X509.X509Name.C; // Country code
var oST = Org.BouncyCastle.Asn1.X509.X509Name.ST; // State or Province
var ol = Org.BouncyCastle.Asn1.X509.X509Name.L; // Locality
var oo = Org.BouncyCastle.Asn1.X509.X509Name.O; // Organization name
var ou = Org.BouncyCastle.Asn1.X509.X509Name.OU; // Organizational Unit Name
var ocn = Org.BouncyCastle.Asn1.X509.X509Name.CN; // Common name
var oce = Org.BouncyCastle.Asn1.X509.X509Name.E; // email address in Verisign certificates
var ocee = Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress; // Email address (RSA PKCS#9 extension) - IA5String
Org.BouncyCastle.Asn1.X509.X509Name a = new Org.BouncyCastle.Asn1.X509.X509Name("ou");
throw new System.NotImplementedException();
}
} // End Sub ReadCertificationRequest
// https://stackoverflow.com/questions/21912390/decode-read-a-csr-certificate-signing-request-using-java-or-bouncycastle
private static string GetX509Field(string asn1ObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Name x500Name)
{
string retVal = null;
System.Collections.IList rdnArray = x500Name.GetValueList(
new Org.BouncyCastle.Asn1.DerObjectIdentifier(asn1ObjectIdentifier)
);
System.Collections.IList oids = x500Name.GetOidList();
System.Collections.IList foo = x500Name.GetValueList();
System.Console.WriteLine(oids);
System.Console.WriteLine(foo);
foreach (Org.BouncyCastle.Asn1.DerObjectIdentifier thisOID in oids)
{
string oidName = System.Convert.ToString(Org.BouncyCastle.Asn1.X509.X509Name.DefaultSymbols[thisOID]);
System.Console.WriteLine(oidName);
System.Collections.IList values = x500Name.GetValueList(thisOID);
System.Console.WriteLine(values);
} // Next thisOID
foreach (object x in rdnArray)
{
// System.Console.WriteLine(x);
retVal = System.Convert.ToString(x);
return(retVal);
} // Next x
return(retVal);
} // End Function GetX509Field
/// <summary>
/// Temporäres Zertifikat für Verschlüsselung und Signatur erstellen.
/// </summary>
/// <param name="name">Name</param>
/// <param name="email">Email</param>
/// <param name="producerId">Hersteller-ID</param>
/// <param name="producerVersion">Hersteller-Version</param>
/// <param name="locality">Ort</param>
/// <param name="country">Land</param>
/// <returns>Zertifikat</returns>
public static SystemX509.X509Certificate2 CreateTemporaryCertificate(
string name,
string email,
string producerId,
string producerVersion,
string locality,
string country)
{
var rsaCrypto = new System.Security.Cryptography.RSACryptoServiceProvider(2048);
var keyPair = GetRsaKeyPair(rsaCrypto);
var certGen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
var now = DateTime.Now;
certGen.SetNotAfter(new DateTime(now.Year + 1, 12, 31, 23, 59, 59));
var notBefore = new DateTime(now.Year, 1, 1);
certGen.SetNotBefore(notBefore);
certGen.SetSerialNumber(new Org.BouncyCastle.Math.BigInteger(string.Format("{0:yyyyMMdd}", notBefore)));
var certName = new Org.BouncyCastle.Asn1.X509.X509Name(
string.Format("CN={0}, O={1}, OU={2}, L={3}, C={4}", name, producerId, producerVersion, locality, country));
certGen.SetSubjectDN(certName);
certGen.SetIssuerDN(certName);
certGen.SetPublicKey(keyPair.Public);
var bcCert = certGen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", keyPair.Private));
var cert = new SystemX509.X509Certificate2(bcCert.GetEncoded());
cert = LinkPrivateKeyToCert(cert, rsaCrypto, null);
return(cert);
}
} // End Sub BuildAlternativeNameNetCoreVariant
// https://codereview.stackexchange.com/questions/84752/net-bouncycastle-csr-and-private-key-generation
public static Org.BouncyCastle.Asn1.X509.X509Name CreateSubject(
string countryIso2Characters
, string stateOrProvince
, string localityOrCity
, string companyName
, string division
, string domainName
, string email)
{
// https://people.eecs.berkeley.edu/~jonah/bc/org/bouncycastle/asn1/x509/X509Name.html
KeyValuePairList <Org.BouncyCastle.Asn1.DerObjectIdentifier, string> attrs =
new KeyValuePairList <Org.BouncyCastle.Asn1.DerObjectIdentifier, string>();
if (!string.IsNullOrEmpty(countryIso2Characters) && countryIso2Characters.Trim() != string.Empty)
{
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.C, countryIso2Characters);
}
if (!string.IsNullOrEmpty(stateOrProvince) && stateOrProvince.Trim() != string.Empty)
{
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.ST, stateOrProvince);
}
if (!string.IsNullOrEmpty(localityOrCity) && localityOrCity.Trim() != string.Empty)
{
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.L, localityOrCity);
}
if (!string.IsNullOrEmpty(companyName) && companyName.Trim() != string.Empty)
{
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.O, companyName);
}
if (!string.IsNullOrEmpty(division) && division.Trim() != string.Empty)
{
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.OU, division);
}
// Must have ?
if (!string.IsNullOrEmpty(domainName) && domainName.Trim() != string.Empty)
{
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.CN, domainName);
}
if (!string.IsNullOrEmpty(email) && email.Trim() != string.Empty)
{
//attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.E, email); // email address in Verisign certificates
attrs.Add(Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress, email); // Email address (RSA PKCS#9 extension)
}
Org.BouncyCastle.Asn1.X509.X509Name subject =
new Org.BouncyCastle.Asn1.X509.X509Name(attrs.Keys, attrs.Values);
return(subject);
} // End Function CreateSubject
/// <summary>
/// Formata o assunto no padrão codificar
/// </summary>
/// <param name="subject"></param>
/// <returns></returns>
private static Subject getSubject(BCA.X509.X509Name subject)
{
/**
* Codificar Signature Sample
* C=BR,
* O=ICP-Brasil,
* ST=MG,
* L=Belo Horizonte,
* OU=Secretaria da Receita Federal do Brasil - RFB,
* OU=RFB e-CNPJ A3,
* OU=Autenticado por PRODEMGE,
* CN=CODIFICAR SISTEMAS TECNOLOGICOS LTDA ME:05957264000151
**/
/*List<Tuple<SubjectType, BCA.DerObjectIdentifier>> listSubject = new List<Tuple<SubjectType, BCA.DerObjectIdentifier>>
* {
* new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.Country, iTextSharp.text.pdf.security.CertificateInfo.X509Name.C),
* new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.Organization, iTextSharp.text.pdf.security.CertificateInfo.X509Name.O),
* new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.State, iTextSharp.text.pdf.security.CertificateInfo.X509Name.ST),
* new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.Locality, iTextSharp.text.pdf.security.CertificateInfo.X509Name.L),
* new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.OrganizationalUnit, iTextSharp.text.pdf.security.CertificateInfo.X509Name.OU),
* new Tuple<SubjectType, BCA.DerObjectIdentifier>(SubjectType.CommonName, iTextSharp.text.pdf.security.CertificateInfo.X509Name.CN),
* };
*
* Subject sub = new Subject();
*
* foreach (Tuple<SubjectType, BCA.DerObjectIdentifier> item in listSubject)
* foreach (string obj in subject.GetValueList(item.Item2))
* sub.Add(new SubjectDetail(item.Item1, obj));
*
* return sub;*/
Dictionary <SubjectType, BCA.DerObjectIdentifier> listSubject = new Dictionary <SubjectType, BCA.DerObjectIdentifier>();
listSubject.Add(SubjectType.Country, iTextSharp.text.pdf.security.CertificateInfo.X509Name.C);
listSubject.Add(SubjectType.Organization, iTextSharp.text.pdf.security.CertificateInfo.X509Name.O);
listSubject.Add(SubjectType.State, iTextSharp.text.pdf.security.CertificateInfo.X509Name.ST);
listSubject.Add(SubjectType.Locality, iTextSharp.text.pdf.security.CertificateInfo.X509Name.L);
listSubject.Add(SubjectType.OrganizationalUnit, iTextSharp.text.pdf.security.CertificateInfo.X509Name.OU);
listSubject.Add(SubjectType.CommonName, iTextSharp.text.pdf.security.CertificateInfo.X509Name.CN);
Subject sub = new Subject();
foreach (KeyValuePair <SubjectType, BCA.DerObjectIdentifier> pair in listSubject)
{
foreach (string obj in subject.GetValueList(pair.Value))
{
sub.Add(new SubjectDetail(pair.Key, obj));
}
}
return(sub);
}
// https://stackoverflow.com/questions/6128541/bouncycastle-privatekey-to-x509certificate2-privatekey
public static Org.BouncyCastle.X509.X509Certificate CreateX509Cert(string certName)
{
var keypairgen = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
keypairgen.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters(
new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
)
, 1024
)
);
var keypair = keypairgen.GenerateKeyPair();
var gen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
var CN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + certName);
var SN = Org.BouncyCastle.Math.BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(SN);
gen.SetSubjectDN(CN);
gen.SetIssuerDN(CN);
gen.SetNotAfter(DateTime.Now.AddYears(1));
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetSignatureAlgorithm("MD5WithRSA");
gen.SetPublicKey(keypair.Public);
gen.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id,
false,
new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier(
Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keypair.Public),
new Org.BouncyCastle.Asn1.X509.GeneralNames(new Org.BouncyCastle.Asn1.X509.GeneralName(CN)),
SN
));
gen.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id,
false,
new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new ArrayList()
{
new Org.BouncyCastle.Asn1.DerObjectIdentifier("1.3.6.1.5.5.7.3.1")
}));
Org.BouncyCastle.X509.X509Certificate newCert = gen.Generate(keypair.Private);
return(newCert);
}
public static byte[] CreatePfxBytes(
Org.BouncyCastle.X509.X509Certificate certificate
, Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey
, string password = "")
{
byte[] pfxBytes = null;
// create certificate entry
Org.BouncyCastle.Pkcs.X509CertificateEntry certEntry =
new Org.BouncyCastle.Pkcs.X509CertificateEntry(certificate);
Org.BouncyCastle.Asn1.X509.X509Name name = new Org.BouncyCastle.Asn1.X509.X509Name(certificate.SubjectDN.ToString());
string friendlyName = (string)name.GetValueList(Org.BouncyCastle.Asn1.X509.X509Name.O)[0];
if (System.StringComparer.InvariantCultureIgnoreCase.Equals("Skynet Earth Inc.", friendlyName))
{
friendlyName = "Skynet Certification Authority";
}
Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder builder = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
Org.BouncyCastle.Pkcs.Pkcs12Store store = builder.Build();
store.SetCertificateEntry(friendlyName, certEntry);
// create store entry
store.SetKeyEntry(
friendlyName
, new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(privateKey)
, new Org.BouncyCastle.Pkcs.X509CertificateEntry[] { certEntry }
);
using (System.IO.MemoryStream stream = new System.IO.MemoryStream())
{
// Cert is contained in store
// null: no password, "": an empty passwords
// note: Linux needs empty password on null...
store.Save(stream, password == null ? "".ToCharArray() : password.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom());
// stream.Position = 0;
pfxBytes = Org.BouncyCastle.Pkcs.Pkcs12Utilities.ConvertToDefiniteLength(stream.ToArray());
} // End Using stream
return(pfxBytes);
} // End Function CreatePfxBytes
// DumpPfx(ee25519Cert, subject, caKey25519);
public static void DumpPfx(
Org.BouncyCastle.X509.X509Certificate bouncyCert
, Org.BouncyCastle.Asn1.X509.X509Name subject
, Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair pair)
{
Org.BouncyCastle.Pkcs.Pkcs12Store store = new Org.BouncyCastle.Pkcs.Pkcs12Store();
Org.BouncyCastle.Pkcs.X509CertificateEntry certificateEntry =
new Org.BouncyCastle.Pkcs.X509CertificateEntry(bouncyCert);
store.SetCertificateEntry(subject.ToString(), certificateEntry);
store.SetKeyEntry(subject.ToString(),
new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(pair.Private)
, new[] { certificateEntry }
);
Org.BouncyCastle.Security.SecureRandom random =
new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
);
using (System.IO.MemoryStream stream = new System.IO.MemoryStream())
{
string tempPassword = "******";
store.Save(stream, tempPassword.ToCharArray(), random);
using (System.Security.Cryptography.X509Certificates.X509Certificate2 cert =
new System.Security.Cryptography.X509Certificates.X509Certificate2(
stream.ToArray()
, tempPassword
, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet
| System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable)
)
{
System.Text.StringBuilder builder = new System.Text.StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
builder.AppendLine(System.Convert.ToBase64String(
cert.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)
, System.Base64FormattingOptions.InsertLineBreaks)
);
builder.AppendLine("-----END CERTIFICATE-----");
// PFX
//builder.ToString().Dump("Self-signed Certificate");
} // End Using cert
} // End Using stream
} // End Sub DumpPfx
// Using BouncyCastle API, how do I sign a Certificate Signing Request (CSR) using my own CA?
// https://stackoverflow.com/questions/44440974/bouncy-castle-decode-csr-c-sharp
// You will have to add some code to read the subject's public key info
// from the CSR and then generate a version 3 certificate as shown in the example.
// The OpenSSL equivalent for this is
// openssl ca –in <CSR> -cert <CA-cert-file> -out <signed-cert>
public static void ReadCertificationRequest(string csr)
{
Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest decodedCsr = null;
using (System.IO.TextReader sr = new System.IO.StringReader(csr))
{
Org.BouncyCastle.OpenSsl.PemReader pr = new Org.BouncyCastle.OpenSsl.PemReader(sr);
object obj = pr.ReadObject();
decodedCsr = (Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest)obj;
} // End Using sr
Org.BouncyCastle.Asn1.Pkcs.CertificationRequestInfo csri = decodedCsr.GetCertificationRequestInfo();
GetX509ExtensionsFromCsr(csri);
Org.BouncyCastle.Asn1.X509.X509Name subj = csri.Subject;
// decodedCsr.Signature
// decodedCsr.SignatureAlgorithm
GetX509Field(Org.BouncyCastle.Asn1.X509.X509Name.EmailAddress.Id, subj);
System.Console.WriteLine(csri.Subject);
// csri.SubjectPublicKeyInfo
// csri.Version
// csri.Attributes
//Org.BouncyCastle.Asn1.Asn1Set attributes =
// new Org.BouncyCastle.Asn1.DerSet(
// new Org.BouncyCastle.Asn1.Pkcs.AttributePkcs(
// Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest
// , new Org.BouncyCastle.Asn1.DerSet(new Org.BouncyCastle.Asn1.X509.X509Extensions(extensions))
// )
//);
} // End Sub ReadCertificationRequest
private string GetResponderName(ResponderID responderId, ref bool byKey)
{
Org.BouncyCastle.Asn1.DerTaggedObject dt = (Org.BouncyCastle.Asn1.DerTaggedObject)responderId.ToAsn1Object();
if (dt.TagNo == 1)
{
Org.BouncyCastle.Asn1.X509.X509Name name = Org.BouncyCastle.Asn1.X509.X509Name.GetInstance(dt.GetObject());
byKey = false;
return(name.ToString());
}
else if (dt.TagNo == 2)
{
Asn1TaggedObject tagger = (Asn1TaggedObject)responderId.ToAsn1Object();
Asn1OctetString pubInfo = (Asn1OctetString)tagger.GetObject();
byKey = true;
return(Convert.ToBase64String(pubInfo.GetOctets()));
}
else
{
return(null);
}
}
} // End Sub WriteCerAndCrt
public static void Test()
{
Org.BouncyCastle.Asn1.X509.X509Name caName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestCA");
Org.BouncyCastle.Asn1.X509.X509Name eeName = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE");
Org.BouncyCastle.Asn1.X509.X509Name eeName25519 = new Org.BouncyCastle.Asn1.X509.X509Name("CN=TestEE25519");
string countryIso2Characters = "EA";
string stateOrProvince = "ERA";
string localityOrCity = "NeutralZone";
string companyName = "Skynet Earth Inc.";
string division = "Skynet mbH";
string domainName = "sky.net";
string email = "*****@*****.**";
Org.BouncyCastle.Asn1.X509.X509Name subj = CertificateInfo.CreateSubject(
countryIso2Characters, stateOrProvince
, localityOrCity, companyName
, division, domainName, email);
System.Console.WriteLine(subj);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519 = KeyGenerator.GenerateEcKeyPair("curve25519", s_secureRandom.Value);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey = KeyGenerator.GenerateEcKeyPair("secp256r1", s_secureRandom.Value);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair eeKey = KeyGenerator.GenerateRsaKeyPair(2048, s_secureRandom.Value);
string publicKey = null;
// id_rsa.pub
using (System.IO.TextWriter textWriter = new System.IO.StringWriter())
{
Org.BouncyCastle.OpenSsl.PemWriter pemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(textWriter);
pemWriter.WriteObject(eeKey);
pemWriter.Writer.Flush();
publicKey = textWriter.ToString();
} // End Using textWriter
System.Console.WriteLine(publicKey);
// https://social.msdn.microsoft.com/Forums/vstudio/de-DE/8d49a681-22c6-417f-af3c-8daebd6f10dd/signierung-eines-hashs-mit-ellipticcurve-crypto?forum=visualcsharpde
// https://stackoverflow.com/questions/22963581/reading-elliptic-curve-private-key-from-file-with-bouncycastle/41947163
// PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(pkcs8key);
// The EC PARAMETERS block in your file is an accident of the way openssl ecparam - genkey works by default;
// it is not needed or used as part of the actual key and you can omit it by specifying - noout
// which is admittedly somewhat unobvious.
// The actual key structure('hidden' in the base64/ DER data) for EC(DSA / DH)
// does contain some parameter info which RSA doesn't but DSA does.
PrivatePublicPemKeyPair keyPair = KeyImportExport.GetPemKeyPair(caKey25519);
// PrivatePublicPemKeyPair keyPair = PrivatePublicPemKeyPair.ImportFrom("", "");
Org.BouncyCastle.X509.X509Certificate caCert = GenerateCertificate(caName, caName, caKey.Private, caKey.Public, s_secureRandom.Value);
Org.BouncyCastle.X509.X509Certificate eeCert = GenerateCertificate(caName, eeName, caKey.Private, eeKey.Public, s_secureRandom.Value);
Org.BouncyCastle.X509.X509Certificate ee25519Cert = GenerateCertificate(caName, eeName25519, caKey25519.Private, caKey25519.Public, s_secureRandom.Value);
bool caOk = ValidateSelfSignedCert(caCert, caKey.Public);
bool eeOk = ValidateSelfSignedCert(eeCert, caKey.Public);
bool ee25519 = ValidateSelfSignedCert(eeCert, caKey.Public);
PfxGenerator.CreatePfxFile("example.pfx", caCert, caKey.Private, null);
// System.IO.File.WriteAllBytes("fileName", caCert.Export(X509ContentType.Pkcs12, PfxPassword));
// https://info.ssl.com/how-to-der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-conver-them/
// The file extensions .CRT and .CER are interchangeable.
// If your server requires that you use the .CER file extension, you can change the extension
// http://www.networksolutions.com/support/what-is-the-difference-between-a-crt-and-a-cer-file/
// https://stackoverflow.com/questions/642284/apache-with-ssl-how-to-convert-cer-to-crt-certificates
// File extensions for cryptographic certificates aren't really as standardized as you'd expect.
// Windows by default treats double - clicking a.crt file as a request to import the certificate
// So, they're different in that sense, at least, that Windows has some inherent different meaning
// for what happens when you double click each type of file.
// One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----".
// into the Windows Root Certificate store, but treats a.cer file as a request just to view the certificate.
// CER is an X.509 certificate in binary form, DER encoded
// CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding
// Most systems accept both formats, but if you need to you can convert one to the other via openssl
// Certificate file should be PEM-encoded X.509 Certificate file:
// openssl x509 -inform DER -in certificate.cer -out certificate.pem
using (System.IO.Stream f = System.IO.File.Open("ca.cer", System.IO.FileMode.Create))
{
byte[] buf = caCert.GetEncoded();
f.Write(buf, 0, buf.Length);
f.Flush();
}
using (System.IO.Stream fs = System.IO.File.Open("ee.cer", System.IO.FileMode.Create))
{
byte[] buf = eeCert.GetEncoded();
fs.Write(buf, 0, buf.Length);
fs.Flush();
} // End Using fs
using (System.IO.Stream fs = System.IO.File.Open("ee25519.cer", System.IO.FileMode.Create))
{
byte[] buf = ee25519Cert.GetEncoded();
fs.Write(buf, 0, buf.Length);
fs.Flush();
} // End Using fs
// new System.Text.ASCIIEncoding(false)
// new System.Text.UTF8Encoding(false)
using (System.IO.Stream fs = System.IO.File.Open("ee.crt", System.IO.FileMode.Create))
{
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII))
{
byte[] buf = eeCert.GetEncoded();
string pem = ToPem(buf);
sw.Write(pem);
} // End Using sw
} // End Using fs
using (System.IO.Stream fs = System.IO.File.Open("ee25519.crt", System.IO.FileMode.Create))
{
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII))
{
byte[] buf = ee25519Cert.GetEncoded();
string pem = ToPem(buf);
sw.Write(pem);
} // End Using sw
} // End Using fs
Org.BouncyCastle.Asn1.X509.X509Name subject = eeName25519;
} // End Sub Test
} // End Function GenerateRootCertificate
// SHA512WITHRSA
// SHA512WITHRSAANDMGF1
// RIPEMD256WITHRSA
// SHA512WITHDSA
// SHA512WITHECDSA
// GOST3411WITHECGOST3410
private static Org.BouncyCastle.X509.X509Certificate GenerateCertificate(
Org.BouncyCastle.Asn1.X509.X509Name issuer,
Org.BouncyCastle.Asn1.X509.X509Name subject,
Org.BouncyCastle.Crypto.AsymmetricKeyParameter issuerPrivate,
Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublic,
Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory;
if (issuerPrivate is Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters)
{
// System.Collections.IEnumerable names = Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory.SignatureAlgNames;
// System.Console.WriteLine(names);
// string x9 = Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString();
// System.Console.WriteLine(x9);
// Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha512
signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(
Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString(),
issuerPrivate);
}
else
{
// Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha512WithRsaEncryption
signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(
Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(),
issuerPrivate);
}
Org.BouncyCastle.Math.BigInteger serialNumber =
Org.BouncyCastle.Utilities.BigIntegers.CreateRandomInRange(
Org.BouncyCastle.Math.BigInteger.One,
Org.BouncyCastle.Math.BigInteger.ValueOf(System.Int64.MaxValue), secureRandom
);
// Org.BouncyCastle.Asn1.X509.X509Name subjectDN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + commonNameValue);
Org.BouncyCastle.X509.X509V3CertificateGenerator certGenerator =
new Org.BouncyCastle.X509.X509V3CertificateGenerator();
certGenerator.SetIssuerDN(issuer);
certGenerator.SetSubjectDN(subject);
// The certificate needs a serial number.
// This is used for revocation, and usually should be an incrementing index
// (which makes it easier to revoke a range of certificates).
// Since we don’t have anywhere to store the incrementing index, we can just use a random number.
// certGenerator.SetSerialNumber(serialNumber);
certGenerator.SetSerialNumber(Org.BouncyCastle.Math.BigInteger.ValueOf(1));
certGenerator.SetNotAfter(System.DateTime.UtcNow.AddHours(1));
certGenerator.SetNotBefore(System.DateTime.UtcNow);
certGenerator.SetPublicKey(subjectPublic);
// https://www.programcreek.com/java-api-examples/?class=org.bouncycastle.x509.X509V3CertificateGenerator&method=setSubjectDN
// certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Name.C.Id, true, new X509Name("CH"));
// https://en.wikipedia.org/wiki/Subject_Alternative_Name
// byte[] subjectAltName = new GeneralNames(new GeneralName(GeneralName.DnsName, "localhost")).GetDerEncoded();
// certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectAlternativeName, false, subjectAltName);
/*
* // https://www.programcreek.com/java-api-examples/?api=org.bouncycastle.cert.X509v3CertificateBuilder
* Org.BouncyCastle.Asn1.DerSequence subjectAlternativeNames =
* new Org.BouncyCastle.Asn1.DerSequence(
* new Org.BouncyCastle.Asn1.Asn1Encodable[] {
* new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.DnsName, "localhost"),
* new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.DnsName, System.Environment.MachineName),
* new Org.BouncyCastle.Asn1.X509.GeneralName(Org.BouncyCastle.Asn1.X509.GeneralName.DnsName, "127.0.0.1")
* });
*
*
* certGenerator.AddExtension(
* Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectAlternativeName
* , false
* , subjectAlternativeNames
* );
*/
// https://security.stackexchange.com/questions/169217/certificate-chain-is-broken
// certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints.Id, true, new Org.BouncyCastle.Asn1.X509.BasicConstraints(3));
// Key Usage
certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage, true
, new Org.BouncyCastle.Asn1.X509.KeyUsage(
Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyCertSign
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyAgreement
| Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation
| Org.BouncyCastle.Asn1.X509.KeyUsage.CrlSign
)
);
certGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id, true
, new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new[] {
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth
, Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth
})
);
return(certGenerator.Generate(signatureFactory));
} // End Function GenerateCertificate
// https://gist.github.com/Venomed/5337717aadfb61b09e58
// https://www.powershellgallery.com/packages/Posh-ACME/2.2.0/Content/Private%5CNew-Csr.ps1
public static string CreateSignatureRequest(
Org.BouncyCastle.Asn1.X509.X509Name subject
, Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair caKey25519
, Org.BouncyCastle.Security.SecureRandom secureRandom)
{
Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory;
Org.BouncyCastle.Crypto.AsymmetricKeyParameter publicKey = caKey25519.Public;
Org.BouncyCastle.Crypto.AsymmetricKeyParameter signingKey = caKey25519.Private;
if (signingKey is Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters)
{
signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(
Org.BouncyCastle.Asn1.X9.X9ObjectIdentifiers.ECDsaWithSha256.ToString(),
signingKey);
}
else
{
signatureFactory = new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory(
Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(),
signingKey);
}
System.Collections.Generic.Dictionary <Org.BouncyCastle.Asn1.DerObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Extension> extensions =
new System.Collections.Generic.Dictionary <Org.BouncyCastle.Asn1.DerObjectIdentifier, Org.BouncyCastle.Asn1.X509.X509Extension>()
{
{
Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints,
new Org.BouncyCastle.Asn1.X509.X509Extension(
true
, new Org.BouncyCastle.Asn1.DerOctetString(new Org.BouncyCastle.Asn1.X509.BasicConstraints(false))
)
},
{
Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage,
new Org.BouncyCastle.Asn1.X509.X509Extension(true,
new Org.BouncyCastle.Asn1.DerOctetString(
new Org.BouncyCastle.Asn1.X509.KeyUsage(
Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation
)
)
)
},
{
Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage,
new Org.BouncyCastle.Asn1.X509.X509Extension(false,
new Org.BouncyCastle.Asn1.DerOctetString(
new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth,
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth
)
)
)
},
};
// Asn1Set attributes = null;
Org.BouncyCastle.Asn1.Asn1Set attributes =
new Org.BouncyCastle.Asn1.DerSet(
new Org.BouncyCastle.Asn1.Pkcs.AttributePkcs(
Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest
, new Org.BouncyCastle.Asn1.DerSet(new Org.BouncyCastle.Asn1.X509.X509Extensions(extensions))
)
);
Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest csr =
new Org.BouncyCastle.Pkcs.Pkcs10CertificationRequest(
signatureFactory,
subject,
publicKey,
attributes,
signingKey
);
System.Text.StringBuilder csrPem = new System.Text.StringBuilder();
Org.BouncyCastle.OpenSsl.PemWriter csrPemWriter =
new Org.BouncyCastle.OpenSsl.PemWriter(new System.IO.StringWriter(csrPem));
csrPemWriter.WriteObject(csr);
csrPemWriter.Writer.Flush();
string signingRequest = csrPem.ToString();
csrPem.Clear();
csrPem = null;
// System.IO.File.WriteAllText("request.csr", signingRequest, System.Text.Encoding.ASCII);
CertificationRequestReader.ReadCertificationRequest(signingRequest);
// csr.GetDerEncoded();
System.Console.WriteLine(signingRequest);
return(signingRequest);
} // End Sub CreateSignatureRequest
// http://stackoverflow.com/questions/36942094/how-can-i-generate-a-self-signed-cert-without-using-obsolete-bouncycastle-1-7-0
public static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateX509Cert2(string certName)
{
var keypairgen = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
keypairgen.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters(
new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
)
, 1024
)
);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair keypair = keypairgen.GenerateKeyPair();
// --- Until here we generate a keypair
var random = new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
);
// SHA1WITHRSA
// SHA256WITHRSA
// SHA384WITHRSA
// SHA512WITHRSA
// SHA1WITHECDSA
// SHA224WITHECDSA
// SHA256WITHECDSA
// SHA384WITHECDSA
// SHA512WITHECDSA
Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory =
new Org.BouncyCastle.Crypto.Operators.Asn1SignatureFactory("SHA512WITHRSA", keypair.Private, random)
;
var gen = new Org.BouncyCastle.X509.X509V3CertificateGenerator();
var CN = new Org.BouncyCastle.Asn1.X509.X509Name("CN=" + certName);
var SN = Org.BouncyCastle.Math.BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(SN);
gen.SetSubjectDN(CN);
gen.SetIssuerDN(CN);
gen.SetNotAfter(DateTime.Now.AddYears(1));
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetPublicKey(keypair.Public);
// -- Are these necessary ?
// public static readonly DerObjectIdentifier AuthorityKeyIdentifier = new DerObjectIdentifier("2.5.29.35");
// OID value: 2.5.29.35
// OID description: id-ce-authorityKeyIdentifier
// This extension may be used either as a certificate or CRL extension.
// It identifies the public key to be used to verify the signature on this certificate or CRL.
// It enables distinct keys used by the same CA to be distinguished (e.g., as key updating occurs).
// http://stackoverflow.com/questions/14930381/generating-x509-certificate-using-bouncy-castle-java
gen.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id,
false,
new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier(
Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keypair.Public),
new Org.BouncyCastle.Asn1.X509.GeneralNames(new Org.BouncyCastle.Asn1.X509.GeneralName(CN)),
SN
));
// OID value: 1.3.6.1.5.5.7.3.1
// OID description: Indicates that a certificate can be used as an SSL server certificate.
gen.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id,
false,
new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new ArrayList()
{
new Org.BouncyCastle.Asn1.DerObjectIdentifier("1.3.6.1.5.5.7.3.1")
}));
// -- End are these necessary ?
Org.BouncyCastle.X509.X509Certificate bouncyCert = gen.Generate(signatureFactory);
byte[] ba = bouncyCert.GetEncoded();
System.Security.Cryptography.X509Certificates.X509Certificate2 msCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(ba);
return(msCert);
}
// System.Security.Cryptography.X509Certificates.X509Certificate2.Import (string fileName);
// https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.import?view=netframework-4.7.2
// https://gist.github.com/yutopio/a217a4af63cf6bcf0a530c14c074cf8f
// https://gist.githubusercontent.com/yutopio/a217a4af63cf6bcf0a530c14c074cf8f/raw/42b2f8cb27f6d22b7e22d65da5bbd0f1ce9b2fff/cert.cs
// https://stackoverflow.com/questions/44755155/store-pkcs12-container-pfx-with-bouncycastle
// https://github.com/Worlaf/RSADemo/blob/328692e28e48db92340d55563480c8724d916384/RSADemo_WinForms/frmRsaDemo.cs
public static void Create(
string fileName
, Org.BouncyCastle.X509.X509Certificate certificate
, Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey
, string password = "")
{
// create certificate entry
Org.BouncyCastle.Pkcs.X509CertificateEntry certEntry =
new Org.BouncyCastle.Pkcs.X509CertificateEntry(certificate);
Org.BouncyCastle.Asn1.X509.X509Name name = new Org.BouncyCastle.Asn1.X509.X509Name(certificate.SubjectDN.ToString());
string friendlyName = name
.GetValueList(Org.BouncyCastle.Asn1.X509.X509Name.O)
.OfType <string>()
.FirstOrDefault();
if (System.StringComparer.InvariantCultureIgnoreCase.Equals("Skynet Earth Inc.", friendlyName))
{
friendlyName = "Skynet Certification Authority";
}
// get bytes of private key.
Org.BouncyCastle.Asn1.Pkcs.PrivateKeyInfo keyInfo = Org.BouncyCastle.Pkcs.PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey);
//byte[] keyBytes = keyInfo.ToAsn1Object().GetEncoded();
Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder builder = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
Org.BouncyCastle.Pkcs.Pkcs12Store store = builder.Build();
store.SetCertificateEntry(friendlyName, certEntry);
// create store entry
store.SetKeyEntry(
//keyFriendlyName
friendlyName
, new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(privateKey)
, new Org.BouncyCastle.Pkcs.X509CertificateEntry[] { certEntry }
);
byte[] pfxBytes = null;
using (System.IO.MemoryStream stream = new System.IO.MemoryStream())
{
// Cert is contained in store
// null: no password, "": an empty passwords
// note: Linux needs empty password on null...
store.Save(stream, password == null ? "".ToCharArray() : password.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom());
// stream.Position = 0;
pfxBytes = stream.ToArray();
} // End Using stream
#if WITH_MS_PFX
WithMsPfx(pfxBytes, fileName, password);
#else
byte[] result = Org.BouncyCastle.Pkcs.Pkcs12Utilities.ConvertToDefiniteLength(pfxBytes);
// this.StoreCertificate(System.Convert.ToBase64String(result));
using (System.IO.BinaryWriter writer = new System.IO.BinaryWriter(System.IO.File.Open(fileName, System.IO.FileMode.Create)))
{
writer.Write(result);
} // End Using writer
#endif
} // End Sub Create
} // End Function GenerateSslCertificate
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate(
CertificateInfo certificateInfo
, Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
// The Certificate Generator
Org.BouncyCastle.X509.X509V3CertificateGenerator certificateGenerator =
new Org.BouncyCastle.X509.X509V3CertificateGenerator();
Org.BouncyCastle.Asn1.X509.X509Name subjectDn = certificateInfo.Subject;
Org.BouncyCastle.Asn1.X509.X509Name issuerDn = certificateInfo.Subject;
certificateGenerator.SetSubjectDN(issuerDn);
certificateGenerator.SetIssuerDN(issuerDn);
certificateGenerator.SetNotBefore(certificateInfo.ValidFrom);
certificateGenerator.SetNotAfter(certificateInfo.ValidTo);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter publicKey =
KeyImportExport.ReadPublicKey(certificateInfo.SubjectKeyPair.PublicKey);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey =
KeyImportExport.ReadPrivateKey(certificateInfo.SubjectKeyPair.PrivateKey);
AddExtensions(certificateGenerator, certificateInfo);
Org.BouncyCastle.Crypto.ISignatureFactory signatureFactory = CreateSignatureFactory(privateKey);
certificateGenerator.SetPublicKey(publicKey);
// Serial Number
Org.BouncyCastle.Math.BigInteger serialNumber =
Org.BouncyCastle.Utilities.BigIntegers.CreateRandomInRange(
Org.BouncyCastle.Math.BigInteger.One
, Org.BouncyCastle.Math.BigInteger.ValueOf(long.MaxValue)
, secureRandom
);
certificateGenerator.SetSerialNumber(serialNumber);
certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.KeyUsage, true
, new Org.BouncyCastle.Asn1.X509.KeyUsage(
Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyCertSign
| Org.BouncyCastle.Asn1.X509.KeyUsage.CrlSign
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.DataEncipherment
| Org.BouncyCastle.Asn1.X509.KeyUsage.KeyAgreement
| Org.BouncyCastle.Asn1.X509.KeyUsage.NonRepudiation
)
);
Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier authorityKeyIdentifierExtension =
new Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier(
Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey)
);
Org.BouncyCastle.Asn1.X509.SubjectKeyIdentifier subjectKeyIdentifierExtension =
new Org.BouncyCastle.Asn1.X509.SubjectKeyIdentifier(
Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey)
);
certificateGenerator.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectKeyIdentifier.Id
, false
, subjectKeyIdentifierExtension
);
certificateGenerator.AddExtension(
Org.BouncyCastle.Asn1.X509.X509Extensions.AuthorityKeyIdentifier.Id
, false
, authorityKeyIdentifierExtension
);
// Set certificate intended purposes to only Server Authentication
//certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id
// , true
// , new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth)
//);
certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage.Id, true
, new Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage(new[] {
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPClientAuth,
Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPServerAuth
})
);
// Only if we generate a root-Certificate
certificateGenerator.AddExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.BasicConstraints.Id
, true
, new Org.BouncyCastle.Asn1.X509.BasicConstraints(true)
);
return(certificateGenerator.Generate(signatureFactory));
} // End Function GenerateRootCertificate
