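        /// <summary>
        /// Derives the Subject Key Identifier (SKI) for the certificate stored at
        /// <c>SignedCertificateFile</c> and caches it, hex-encoded, in <c>_ski</c>.
        /// </summary>
        /// <remarks>
        /// The identifier is computed from the certificate's public key (a hash of the key
        /// material) rather than read from the certificate's own SKI extension. If the
        /// issuing CA populated that extension using a different derivation, the two values
        /// can differ; code that must match an issuer's AuthorityKeyIdentifier should compare
        /// against the extension value instead. No signature or chain validation is performed
        /// here — the file's contents are trusted as-is.
        /// </remarks>
        /// <returns>
        /// <c>true</c> when <c>_ski</c> was set; <c>false</c> when the file is missing, holds no
        /// certificate, or cannot be parsed. Failures are logged, never thrown.
        /// </returns>
        bool GenerateSki()
        {
            if (!File.Exists(SignedCertificateFile))
            {
                _logger.Warn($"Can't generate a SKI because there is no certificate at {SignedCertificateFile}");
                return(false);
            }

            try
            {
                _logger.Debug($"Resolve SKI from {SignedCertificateFile}");
                var parser = new X509CertificateParser();
                var cert   = parser.ReadCertificate(File.ReadAllBytes(SignedCertificateFile));

                // ReadCertificate can yield null instead of throwing when the input carries no
                // certificate (e.g. a zero-length file); report that explicitly rather than
                // letting a NullReferenceException fall into the catch-all below.
                if (cert == null)
                {
                    _logger.Warn($"Can't generate a SKI because {SignedCertificateFile} does not contain a certificate");
                    return(false);
                }

                var identifier = new SubjectKeyIdentifierStructure(cert.GetPublicKey());
                _ski = BytesAsHex(identifier.GetKeyIdentifier());

                _logger.Debug($"Resolved SKI '{_ski}'");
                return(true);
            }
            catch (Exception ex)
            {
                // Deliberately broad: any I/O or ASN.1 decoding failure is reported as "no SKI".
                _logger.Error($"Failed to get the SKI from {SignedCertificateFile}", ex);
                return(false);
            }
        }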
        // Regression test: building a PKCS#10 request whose extensionRequest attribute
        // carries a SubjectKeyIdentifier used to dereference null inside the library.
        // Two requests built from identical inputs must compare equal.
        //
        // NOTE(review): the 1024-bit RSA key and SHA1WithRSA are fixtures chosen to keep the
        // test fast; both are below current minimums and must not be copied into production.
        private void nullPointerTest()
        {
            var rsaGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
            rsaGen.Init(new KeyGenerationParameters(new SecureRandom(), 1024));
            var keys = rsaGen.GenerateKeyPair();

            // Parallel OID / value lists consumed by X509Extensions.
            IList extOids   = new ArrayList();
            IList extValues = new ArrayList();

            // CA profile: critical basicConstraints(cA=true) and critical keyUsage.
            extOids.Add(X509Extensions.BasicConstraints);
            extValues.Add(new X509Extension(true, new DerOctetString(new BasicConstraints(true))));

            extOids.Add(X509Extensions.KeyUsage);
            extValues.Add(new X509Extension(true,
                                            new DerOctetString(new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign))));

            // SKI derived from the public key; unlike the two above it is non-critical.
            SubjectKeyIdentifier keyId = new SubjectKeyIdentifierStructure(keys.Public);
            extOids.Add(X509Extensions.SubjectKeyIdentifier);
            extValues.Add(new X509Extension(false, new DerOctetString(keyId)));

            // Wrap the extensions in a PKCS#9 extensionRequest attribute.
            var extensionRequest = new AttributePkcs(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,
                                                     new DerSet(new X509Extensions(extOids, extValues)));

            var first = new Pkcs10CertificationRequest("SHA1WithRSA",
                                                       new X509Name("cn=csr"),
                                                       keys.Public,
                                                       new DerSet(extensionRequest),
                                                       keys.Private);
            var second = new Pkcs10CertificationRequest("SHA1WithRSA",
                                                        new X509Name("cn=csr"),
                                                        keys.Public,
                                                        new DerSet(extensionRequest),
                                                        keys.Private);

            if (!first.Equals(second))
            {
                Fail("cert request comparison failed");
            }
        }
        /// <summary>
        /// Adds the SubjectKeyIdentifier extension to the certificate under construction.
        /// The identifier is derived from the builder's public key (a hash of the key
        /// material), so it is only meaningful for the key pair this builder holds.
        /// </summary>
        /// <remarks>
        /// The extension is added as non-critical, which is what the X.509 profile
        /// (RFC 5280 §4.2.1.2) requires for SKI; marking it critical would break
        /// conforming validators.
        /// </remarks>
        /// <returns>This builder, for call chaining.</returns>
        public CertificateBuilder AddSKID()
        {
            const bool critical = false;
            var        subjectKeyId = new SubjectKeyIdentifierStructure(keyPair.Public);

            certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, critical, subjectKeyId);
            logger.Debug($"[ADD SUBJECT KEY IDENTIFIER]");

            return(this);
        }
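        /// <summary>
        /// Builds the primary CMS signature for a package, signing through the Key Vault
        /// backed <c>provider</c> and embedding the request's certificate chain.
        /// </summary>
        /// <param name="request">Signing request; supplies the signer certificate, the hash algorithm and (via reflection) the chain.</param>
        /// <param name="signatureContent">The content to sign; it is encapsulated in the resulting SignedData.</param>
        /// <param name="signatureType">Signature type; not consulted by this method.</param>
        /// <returns>The generated SignedData, DER-encoded and re-loaded as a <c>PrimarySignature</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// When the non-public <c>Chain</c> property is not present on <c>SignPackageRequest</c>
        /// (previously this surfaced as a NullReferenceException).
        /// </exception>
        PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, SignatureType signatureType)
        {
            // The chain is only reachable through a non-public property, so it is read by
            // reflection. That coupling breaks on a NuGet client upgrade that renames the
            // property; fail with a descriptive error instead of a NullReferenceException.
            var chainProperty = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic);
            var getter        = chainProperty?.GetGetMethod(true);

            if (getter == null)
            {
                throw new InvalidOperationException(
                    "SignPackageRequest does not expose a non-public 'Chain' property; this NuGet client version is not supported.");
            }

            var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null);

            var attribs = SigningUtility.CreateSignedAttributes(request, certs);

            // Convert .NET crypto attributes to Bouncy Castle
            var attribTable = new AttributeTable(new Asn1EncodableVector(attribs.Cast <CryptographicAttributeObject>()
                                                                         .Select(ToBcAttribute)
                                                                         .ToArray()));
            // SignerInfo generator setup
            var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder()
                                             .WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(attribTable));

            // Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
            // number.  However, to ensure cross-platform verification, SKI should only be used if the certificate
            // has the SKI extension attribute.
            //
            // The SKI used here is the certificate's own extension value (not recomputed from the public key),
            // so verifiers that locate the signer by SKI among the embedded certificates will find it.

            // Try to look for the value
            var bcCer = DotNetUtilities.FromX509Certificate(request.Certificate);
            var ext   = bcCer.GetExtensionValue(new DerObjectIdentifier(Oids.SubjectKeyIdentifier));
            SignerInfoGenerator signerInfoGenerator;

            if (ext != null)
            {
                // ext is the extension's OCTET STRING wrapper; the structure decodes the key identifier from it.
                var ski = new SubjectKeyIdentifierStructure(ext);
                signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), ski.GetKeyIdentifier());
            }
            else
            {
                // Fall back to issuerAndSerialNumber taken from the certificate.
                signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), bcCer);
            }

            var generator = new CmsSignedDataGenerator();

            generator.AddSignerInfoGenerator(signerInfoGenerator);

            // Get the chain as bc certs
            generator.AddCertificates(X509StoreFactory.Create("Certificate/Collection",
                                                              new X509CollectionStoreParameters(certs.Select(DotNetUtilities.FromX509Certificate).
                                                                                                ToList())));

            // Second argument: encapsulate the content inside the SignedData.
            var msg  = new CmsProcessableByteArray(signatureContent.GetBytes());
            var data = generator.Generate(msg, true);

            var encoded = data.ContentInfo.GetDerEncoded();

            return(PrimarySignature.Load(encoded));
        }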
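        /// <summary>
        /// Creates a secp256k1 key named "alice", builds a Bouncy Castle certificate for it and
        /// checks that the certificate's subject DN and SubjectKeyIdentifier extension reflect
        /// the key's ID. The key is removed again regardless of outcome.
        /// </summary>
        public async Task Create_Secp256k1()
        {
            var key = await _keyStoreService.CreateAsync("alice", "secp256k1", 0);

            try
            {
                var cert = await _keyStoreService.CreateBcCertificateAsync("alice");

                Assert.AreEqual($"CN={key.Id},OU=keystore,O=ipfs", cert.SubjectDN.ToString());

                // GetExtensionValue returns null when the extension is absent; assert on that
                // explicitly so a missing SKI fails as an assertion rather than a NullReferenceException.
                var skiExtension = cert.GetExtensionValue(X509Extensions.SubjectKeyIdentifier);
                Assert.IsNotNull(skiExtension);

                var ski = new SubjectKeyIdentifierStructure(skiExtension);
                Assert.AreEqual(key.Id.ToBase58(), ski.GetKeyIdentifier().ToBase58());
            }
            finally
            {
                await _keyStoreService.RemoveAsync("alice");
            }
        }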
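        /// <summary>
        /// Creates an ed25519 key named "alice" through the IPFS key API, builds a Bouncy Castle
        /// certificate for it via the keychain and checks that the subject DN and the
        /// SubjectKeyIdentifier extension reflect the key's ID. The key is removed again
        /// regardless of outcome.
        /// </summary>
        public async Task Create_Ed25519()
        {
            var ipfs     = TestFixture.Ipfs;
            var keychain = await ipfs.KeyChainAsync();

            var key = await ipfs.Key.CreateAsync("alice", "ed25519", 0);

            try
            {
                var cert = await keychain.CreateBCCertificateAsync("alice");

                Assert.AreEqual($"CN={key.Id},OU=keystore,O=ipfs", cert.SubjectDN.ToString());

                // GetExtensionValue returns null when the extension is absent; assert on that
                // explicitly so a missing SKI fails as an assertion rather than a NullReferenceException.
                var skiExtension = cert.GetExtensionValue(X509Extensions.SubjectKeyIdentifier);
                Assert.IsNotNull(skiExtension);

                var ski = new SubjectKeyIdentifierStructure(skiExtension);
                Assert.AreEqual(key.Id.ToBase58(), ski.GetKeyIdentifier().ToBase58());
            }
            finally
            {
                await ipfs.Key.RemoveAsync("alice");
            }
        }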
 /// <summary>
 /// Initializes a SubjectKeyIdentifier whose identifier is derived from the key material of
 /// <paramref name="assymetricKeyParameter"/>, by wrapping a <see cref="SubjectKeyIdentifierStructure"/>.
 /// </summary>
 /// <param name="assymetricKeyParameter">
 /// The <see cref="AsymmetricKeyParameter"/> to derive the identifier from. NOTE(review):
 /// this presumably expects the public half of a key pair — confirm against
 /// <see cref="SubjectKeyIdentifierStructure"/> before passing anything else.
 /// </param>
 public SubjectKeyIdentifier(AsymmetricKeyParameter assymetricKeyParameter)
 {
     var structure = new SubjectKeyIdentifierStructure(assymetricKeyParameter);
     X509SubjectKeyIdentifierStructure = structure;
 }