예제 #1
0
        /// <summary>
        /// Create a new Subordinate CA certificate request using the setup parameters from a CAConfig object
        /// </summary>
        /// <remarks>Only System cryptography supported</remarks>
        /// <param name="Config">CAConfig object</param>
        /// <returns>PKCS#10 certificate request</returns>
        public static Pkcs10CertificationRequest CreateSubCA(CAConfig Config)
        {
            if (Config.profile != CA_Profile.SubCA)
            {
                throw new ArgumentException("Invalid profile specified", Config.profile.ToString());
            }

            if (!Config.FIPS140)
            {
                throw new InvalidParameterException("Only FIPS mode supported");
            }

            // Serial number
            BigInteger serialNumber = new BigInteger(1, BitConverter.GetBytes(DateTime.Now.Ticks));

            // Key material
            CspParameters cspParam = SysKeyManager.Create(Config.pkSize, Config.pkAlgo, Config.name);

            // PKCS#10 Request
            Pkcs10CertificationRequestDelaySigned p10 = new Pkcs10CertificationRequestDelaySigned(
                Config.sigAlgo,
                Config.DN,
                SysKeyManager.getPublicKey(cspParam, Config.pkAlgo),
                null);

            // Signature
            byte[] buffer    = p10.GetDataToSign();
            byte[] signature = SysSigner.Sign(buffer, cspParam, Config.sigAlgo);
            p10.SignRequest(signature);

            if (!p10.Verify())
            {
                throw new SignatureException("Cannot validate POP signature");
            }

            // Create the CA Config file
            createPendingCAConfig(Config, serialNumber, p10, "");

            return(p10);
        }
예제 #2
0
        /// <summary>
        /// Create a new Subordinate CA using the setup parameters from a CAConfig object
        /// The Issuing CA must be available to create and sign a certificate
        /// </summary>
        /// <param name="Config">CAConfig object</param>
        /// <param name="IssuingCA">Object reference for issuing CA</param>
        /// <returns>Full pathname of CA config file</returns>
        public static string CreateSubCA(CAConfig Config, ICA IssuingCA)
        {
            if (Config.profile != CA_Profile.SubCA)
            {
                throw new ArgumentException("Invalid profile specified", Config.profile.ToString());
            }

            // Serial number
            BigInteger serialNumber = new BigInteger(1, BitConverter.GetBytes(DateTime.Now.Ticks));


            // Key material
            Pkcs10CertificationRequest p10;

            if (Config.FIPS140)
            {
                privateKeyCapi = SysKeyManager.Create(Config.pkSize, Config.pkAlgo, Config.name);

                // PKCS#10 Request
                p10 = new Pkcs10CertificationRequestDelaySigned(
                    Config.sigAlgo,
                    Config.DN,
                    SysKeyManager.getPublicKey(privateKeyCapi, Config.pkAlgo),
                    null);
                // Signature
                byte[] buffer    = ((Pkcs10CertificationRequestDelaySigned)p10).GetDataToSign();
                byte[] signature = SysSigner.Sign(buffer, privateKeyCapi, Config.sigAlgo);
                ((Pkcs10CertificationRequestDelaySigned)p10).SignRequest(signature);
            }
            else
            {
                keyPair = BcKeyManager.Create(Config.pkSize, Config.pkAlgo);
                // Create a system CspParameters entry for use by XmlSigner
                privateKeyCapi = SysKeyManager.LoadCsp(keyPair.Private);

                // PKCS#10 Request
                p10 = new Pkcs10CertificationRequest(
                    Config.sigAlgo,
                    Config.DN,
                    keyPair.Public,
                    null,
                    keyPair.Private);
            }
            // Test the signature
            if (!p10.Verify())
            {
                throw new SignatureException("Cannot validate POP signature");
            }

            // Request cert from issuing CA
            X509Certificate cert = IssuingCA.IssueCertificate(p10, new Profile.Profile(Config.profileFile));

            string configFile;

            if (Config.FIPS140)
            {
                // Create the CA Config file
                configFile = createFinalCAConfig(Config, serialNumber, cert, null);
                LogEvent.WriteEvent(eventLog, LogEvent.EventType.CreateCA, "Subordinate CA (FIPS) Created: " + configFile);
            }
            else
            {
                // Store key material in a PKCS#12 file
                MemoryStream stream = BcKeyManager.SaveP12(keyPair.Private, cert, Config.password, Config.name);
                string       caKey  = Convert.ToBase64String(stream.ToArray());

                // Create the CA Config file
                configFile = createFinalCAConfig(Config, serialNumber, null, caKey);
                LogEvent.WriteEvent(eventLog, LogEvent.EventType.CreateCA, "Root CA (BC) Created: " + configFile);
            }
            // Create CA database
            Database.CreateDB(Config, cert, privateKeyCapi);

            return(configFile);
        }