public static byte[] GenerateDsaCertificateAsPkcs12(
            string friendlyName,
            string subjectName,
            string country,
            DateTime validStartDate,
            DateTime validEndDate,
            string password,
            Org.BouncyCastle.X509.X509Certificate caCert,
            AsymmetricKeyParameter caPrivateKey)
        {
            var keys = GenerateDsaKeys();

            #region build certificate
            var certGen = new X509V3CertificateGenerator();

            // build name attributes
            var nameOids = new ArrayList();
            nameOids.Add(Org.BouncyCastle.Asn1.X509.X509Name.CN);
            nameOids.Add(X509Name.O);
            nameOids.Add(X509Name.C);

            var nameValues = new ArrayList();
            nameValues.Add(friendlyName);
            nameValues.Add(subjectName);
            nameValues.Add(country);
            var subjectDN = new X509Name(nameOids, nameValues);

            // certificate fields
            certGen.SetSerialNumber(BigInteger.ValueOf(1));
            certGen.SetIssuerDN(caCert.SubjectDN);
            certGen.SetNotBefore(validStartDate);
            certGen.SetNotAfter(validEndDate);
            certGen.SetSubjectDN(subjectDN);
            certGen.SetPublicKey(keys.Public);
            certGen.SetSignatureAlgorithm("SHA1withDSA");

            // extended information
            certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert.GetPublicKey()));
            certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keys.Public));
            #endregion

            // generate x509 certificate
            var cert = certGen.Generate(caPrivateKey);
            //ert.Verify(caCert.GetPublicKey());

            var chain = new Dictionary<string, Org.BouncyCastle.X509.X509Certificate>();
            //chain.Add("CertiFirmas CA", caCert);
            var caCn = caCert.SubjectDN.GetValues(X509Name.CN)[0].ToString();
            chain.Add(caCn, caCert);

            // store the file
            return GeneratePkcs12(keys, cert, friendlyName, password, chain);
        }
예제 #2
0
        public static CertificateSecurityInformation VerifyEnc(Org.BouncyCastle.X509.X509Certificate encCert, Org.BouncyCastle.X509.X509Certificate authCert, DateTime date, IX509Store certs, bool checkRevocation)
        {
            CertificateSecurityInformation result = new CertificateSecurityInformation();

            result.Certificate = new X509Certificate2(encCert.GetEncoded());

            //check validity
            try
            {
                encCert.CheckValidity(date);
            }
            catch (CertificateExpiredException)
            {
                result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
            }
            catch (CertificateNotYetValidException)
            {
                result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
            }

            //check key usage
            int[] keyUsageIndexes = new int[] { 2, 3 };
            foreach (int i in keyUsageIndexes)
            {
                if (!encCert.GetKeyUsage()[i])
                {
                    result.securityViolations.Add(CertSecurityViolation.NotValidForUsage);
                    trace.TraceEvent(TraceEventType.Warning, 0, "The key usage did not have the correct usage flag set");
                }
            }

            //check issuer/subject
            if (!encCert.IssuerDN.Equivalent(encCert.SubjectDN, false)) result.securityViolations.Add(CertSecurityViolation.HasNotPermittedNameConstraint);

            //check key size
            if (!VerifyKeySize(encCert.GetPublicKey(), EteeActiveConfig.Unseal.MinimumEncryptionKeySize.AsymmerticRecipientKey)) result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);

            //check key type
            if (!(encCert.GetPublicKey() is RsaKeyParameters)) result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);

            if (authCert != null)
            {
                //check signature
                try
                {
                    encCert.Verify(authCert.GetPublicKey());
                }
                catch (InvalidKeyException)
                {
                    result.securityViolations.Add(CertSecurityViolation.NotSignatureValid);
                }

                //Validate
                result.IssuerInfo = VerifyBoth(authCert, date, certs, new List<CertificateList>(0), new List<BasicOcspResponse>(0), checkRevocation, false);
            }
            else
            {
                //We assume that we have the authCert in case it's of a 3rd person, we don't care if its or own encryption cert (we only care for the validity)
            }

            return result;
        }
        /// <summary>
        /// 
        /// </summary>
        public static bool CheckRequestSignature(
            byte[] serializedSpeechletRequest, string expectedSignature, Org.BouncyCastle.X509.X509Certificate cert) {

            var publicKey = (Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)cert.GetPublicKey();
            var expectedSig = Convert.FromBase64String(expectedSignature);

            var signer = Org.BouncyCastle.Security.SignerUtilities.GetSigner(Sdk.SIGNATURE_ALGORITHM);
            signer.Init(false, publicKey);
            signer.BlockUpdate(serializedSpeechletRequest, 0, serializedSpeechletRequest.Length);            

            return signer.VerifySignature(expectedSig);
        }
예제 #4
0
        private static CertificateSecurityInformation Verify(Org.BouncyCastle.X509.X509Certificate cert, DateTime date, IX509Store certs, IList<CertificateList> crls, IList<BasicOcspResponse> ocsps, bool checkRevocation, bool checkTime)
        {
            CertificateSecurityInformation result = new CertificateSecurityInformation();

            AsymmetricKeyParameter key = cert.GetPublicKey();

            //check key type
            if (!(key is RsaKeyParameters))
            {
                result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
                trace.TraceEvent(TraceEventType.Warning, 0, "The key should be RSA but was {0}", key.GetType());
            }

            //check key size
            if (!VerifyKeySize(key, EteeActiveConfig.Unseal.MinimumSignatureKeySize))
            {
                result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
                trace.TraceEvent(TraceEventType.Warning, 0, "The key was smaller then {0}", EteeActiveConfig.Unseal.MinimumSignatureKeySize);
            }

            X509Certificate2Collection extraStore = new X509Certificate2Collection();
            foreach (Org.BouncyCastle.X509.X509Certificate obj in certs.GetMatches(null))
            {
                extraStore.Add(new X509Certificate2(obj.GetEncoded()));
            }
            Chain chain;
            if (checkRevocation)
                chain = new X509Certificate2(cert.GetEncoded()).BuildChain(date, extraStore, ref crls, ref ocsps, checkTime ? DateTime.UtcNow : date);
            else
                chain = new X509Certificate2(cert.GetEncoded()).BuildBasicChain(date, extraStore);

            CertificateSecurityInformation dest = null;
            foreach (ChainElement ce in chain.ChainElements)
            {
                if (dest == null) {
                    dest = result;
                }
                else
                {
                    dest.IssuerInfo = new CertificateSecurityInformation();
                    dest = dest.IssuerInfo;
                }

                dest.Certificate = ce.Certificate;
                foreach (X509ChainStatus status in ce.ChainElementStatus.Where(x => x.Status != X509ChainStatusFlags.NoError))
                {
                    dest.securityViolations.Add((CertSecurityViolation)Enum.Parse(typeof(CertSecurityViolation), Enum.GetName(typeof(X509ChainStatusFlags), status.Status)));
                }
            }
            if (chain.ChainStatus.Count(x => x.Status == X509ChainStatusFlags.PartialChain) > 0)
            {
                result.securityViolations.Add(CertSecurityViolation.IssuerTrustUnknown);
            }

            trace.TraceEvent(TraceEventType.Verbose, 0, "Verified certificate {0} for date {1}", cert.SubjectDN.ToString(), date);
            return result;
        }