public static byte[] GenerateDsaCertificateAsPkcs12(
string friendlyName,
string subjectName,
string country,
DateTime validStartDate,
DateTime validEndDate,
string password,
Org.BouncyCastle.X509.X509Certificate caCert,
AsymmetricKeyParameter caPrivateKey)
{
var keys = GenerateDsaKeys();
#region build certificate
var certGen = new X509V3CertificateGenerator();
// build name attributes
var nameOids = new ArrayList();
nameOids.Add(Org.BouncyCastle.Asn1.X509.X509Name.CN);
nameOids.Add(X509Name.O);
nameOids.Add(X509Name.C);
var nameValues = new ArrayList();
nameValues.Add(friendlyName);
nameValues.Add(subjectName);
nameValues.Add(country);
var subjectDN = new X509Name(nameOids, nameValues);
// certificate fields
certGen.SetSerialNumber(BigInteger.ValueOf(1));
certGen.SetIssuerDN(caCert.SubjectDN);
certGen.SetNotBefore(validStartDate);
certGen.SetNotAfter(validEndDate);
certGen.SetSubjectDN(subjectDN);
certGen.SetPublicKey(keys.Public);
certGen.SetSignatureAlgorithm("SHA1withDSA");
// extended information
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert.GetPublicKey()));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keys.Public));
#endregion
// generate x509 certificate
var cert = certGen.Generate(caPrivateKey);
//ert.Verify(caCert.GetPublicKey());
var chain = new Dictionary<string, Org.BouncyCastle.X509.X509Certificate>();
//chain.Add("CertiFirmas CA", caCert);
var caCn = caCert.SubjectDN.GetValues(X509Name.CN)[0].ToString();
chain.Add(caCn, caCert);
// store the file
return GeneratePkcs12(keys, cert, friendlyName, password, chain);
}
public static CertificateSecurityInformation VerifyEnc(Org.BouncyCastle.X509.X509Certificate encCert, Org.BouncyCastle.X509.X509Certificate authCert, DateTime date, IX509Store certs, bool checkRevocation)
{
CertificateSecurityInformation result = new CertificateSecurityInformation();
result.Certificate = new X509Certificate2(encCert.GetEncoded());
//check validity
try
{
encCert.CheckValidity(date);
}
catch (CertificateExpiredException)
{
result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
}
catch (CertificateNotYetValidException)
{
result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
}
//check key usage
int[] keyUsageIndexes = new int[] { 2, 3 };
foreach (int i in keyUsageIndexes)
{
if (!encCert.GetKeyUsage()[i])
{
result.securityViolations.Add(CertSecurityViolation.NotValidForUsage);
trace.TraceEvent(TraceEventType.Warning, 0, "The key usage did not have the correct usage flag set");
}
}
//check issuer/subject
if (!encCert.IssuerDN.Equivalent(encCert.SubjectDN, false)) result.securityViolations.Add(CertSecurityViolation.HasNotPermittedNameConstraint);
//check key size
if (!VerifyKeySize(encCert.GetPublicKey(), EteeActiveConfig.Unseal.MinimumEncryptionKeySize.AsymmerticRecipientKey)) result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
//check key type
if (!(encCert.GetPublicKey() is RsaKeyParameters)) result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
if (authCert != null)
{
//check signature
try
{
encCert.Verify(authCert.GetPublicKey());
}
catch (InvalidKeyException)
{
result.securityViolations.Add(CertSecurityViolation.NotSignatureValid);
}
//Validate
result.IssuerInfo = VerifyBoth(authCert, date, certs, new List<CertificateList>(0), new List<BasicOcspResponse>(0), checkRevocation, false);
}
else
{
//We assume that we have the authCert in case it's of a 3rd person, we don't care if its or own encryption cert (we only care for the validity)
}
return result;
}
/// <summary>
///
/// </summary>
public static bool CheckRequestSignature(
byte[] serializedSpeechletRequest, string expectedSignature, Org.BouncyCastle.X509.X509Certificate cert) {
var publicKey = (Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)cert.GetPublicKey();
var expectedSig = Convert.FromBase64String(expectedSignature);
var signer = Org.BouncyCastle.Security.SignerUtilities.GetSigner(Sdk.SIGNATURE_ALGORITHM);
signer.Init(false, publicKey);
signer.BlockUpdate(serializedSpeechletRequest, 0, serializedSpeechletRequest.Length);
return signer.VerifySignature(expectedSig);
}
private static CertificateSecurityInformation Verify(Org.BouncyCastle.X509.X509Certificate cert, DateTime date, IX509Store certs, IList<CertificateList> crls, IList<BasicOcspResponse> ocsps, bool checkRevocation, bool checkTime)
{
CertificateSecurityInformation result = new CertificateSecurityInformation();
AsymmetricKeyParameter key = cert.GetPublicKey();
//check key type
if (!(key is RsaKeyParameters))
{
result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
trace.TraceEvent(TraceEventType.Warning, 0, "The key should be RSA but was {0}", key.GetType());
}
//check key size
if (!VerifyKeySize(key, EteeActiveConfig.Unseal.MinimumSignatureKeySize))
{
result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
trace.TraceEvent(TraceEventType.Warning, 0, "The key was smaller then {0}", EteeActiveConfig.Unseal.MinimumSignatureKeySize);
}
X509Certificate2Collection extraStore = new X509Certificate2Collection();
foreach (Org.BouncyCastle.X509.X509Certificate obj in certs.GetMatches(null))
{
extraStore.Add(new X509Certificate2(obj.GetEncoded()));
}
Chain chain;
if (checkRevocation)
chain = new X509Certificate2(cert.GetEncoded()).BuildChain(date, extraStore, ref crls, ref ocsps, checkTime ? DateTime.UtcNow : date);
else
chain = new X509Certificate2(cert.GetEncoded()).BuildBasicChain(date, extraStore);
CertificateSecurityInformation dest = null;
foreach (ChainElement ce in chain.ChainElements)
{
if (dest == null) {
dest = result;
}
else
{
dest.IssuerInfo = new CertificateSecurityInformation();
dest = dest.IssuerInfo;
}
dest.Certificate = ce.Certificate;
foreach (X509ChainStatus status in ce.ChainElementStatus.Where(x => x.Status != X509ChainStatusFlags.NoError))
{
dest.securityViolations.Add((CertSecurityViolation)Enum.Parse(typeof(CertSecurityViolation), Enum.GetName(typeof(X509ChainStatusFlags), status.Status)));
}
}
if (chain.ChainStatus.Count(x => x.Status == X509ChainStatusFlags.PartialChain) > 0)
{
result.securityViolations.Add(CertSecurityViolation.IssuerTrustUnknown);
}
trace.TraceEvent(TraceEventType.Verbose, 0, "Verified certificate {0} for date {1}", cert.SubjectDN.ToString(), date);
return result;
}