// From:
// http://blogs.interfacett.com/selecting-a-cryptographic-key-provider-in-windows-server-2012-ad-cs
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa386983(v=vs.85).aspx
//
// Microsoft Base Smart Card Crypto Provider
// Microsoft Enhanced Cryptographic Provider v1.0
// ECDA_P256#Microsoft Smart Card Key Storage Provider
// ECDA_P521#Microsoft Smart Card Key Storage Provider
// RSA#Microsoft Software Key Storage Provider
// Microsoft Base Cryptographic Provider v1.0
// ECDA_P256#Microsoft Software Key Storage Provider
// ECDA_P521#Microsoft Software Key Storage Provider
// Microsoft Strong Cryptographic Provider
// ECDA_P384#Microsoft Software Key Storage Provider
// Microsoft Base DSS Cryptographic Provider
// RSA#Microsoft Smart Card Key Storage Provider
// DSA#Microsoft Software Key Storage Provider
// ECDA_P384#Microsoft Smart Card Key Storage Provider
public override PrivateKey GeneratePrivateKey(PrivateKeyParams pkp)
{
var rsaPkp = pkp as RsaPrivateKeyParams;
var ecPkp = pkp as EcPrivateKeyParams;
var algId = new CERTENROLLLib.CObjectId();
if (rsaPkp != null)
{
var oid = new System.Security.Cryptography.Oid("RSA");
algId.InitializeFromValue(oid.Value);
}
else if (ecPkp != null)
{
throw new NotImplementedException("EC keys not implemented YET!");
}
else
{
throw new NotSupportedException("unsupported private key parameters type");
}
var cePk = new CERTENROLLLib.CX509PrivateKey();
// MS_DEF_PROV
//cePk.ProviderName = "Microsoft Base Cryptographic Provider";
cePk.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
//cePk.ProviderType = CERTENROLLLib.X509ProviderType.XCN_PROV_RSA_FULL;
cePk.Algorithm = algId;
cePk.KeySpec = CERTENROLLLib.X509KeySpec.XCN_AT_KEYEXCHANGE;
cePk.Length = rsaPkp.NumBits;
// Don't store in the machine's local cert store and allow exporting of private key
cePk.MachineContext = false;
cePk.ExportPolicy = CERTENROLLLib.X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
cePk.Create();
var pk = new CeRsaPrivateKey(rsaPkp.NumBits, null, null)
{
Exported = cePk.Export(BCRYPT_PRIVATE_KEY_BLOB),
};
return(pk);
}
public CryptographicAttributeObject(System.Security.Cryptography.Oid oid, AsnEncodedDataCollection values)
{
this.m_oid = new System.Security.Cryptography.Oid(oid);
if (values == null)
{
this.m_values = new AsnEncodedDataCollection();
}
else
{
AsnEncodedDataEnumerator enumerator = values.GetEnumerator();
while (enumerator.MoveNext())
{
if (string.Compare(enumerator.Current.Oid.Value, oid.Value, StringComparison.Ordinal) != 0)
{
throw new InvalidOperationException(SecurityResources.GetResourceString("InvalidOperation_DuplicateItemNotAllowed"));
}
}
this.m_values = values;
}
}
public CryptographicAttributeObject(System.Security.Cryptography.Oid oid, AsnEncodedDataCollection values)
{
this.m_oid = new System.Security.Cryptography.Oid(oid);
if (values == null)
{
this.m_values = new AsnEncodedDataCollection();
}
else
{
AsnEncodedDataEnumerator enumerator = values.GetEnumerator();
while (enumerator.MoveNext())
{
if (string.Compare(enumerator.Current.Oid.Value, oid.Value, StringComparison.Ordinal) != 0)
{
throw new InvalidOperationException(SecurityResources.GetResourceString("InvalidOperation_DuplicateItemNotAllowed"));
}
}
this.m_values = values;
}
}
public AsnEncodedData(System.Security.Cryptography.Oid oid, byte[] rawData)
{
}
public PublicKey(System.Security.Cryptography.Oid oid, System.Security.Cryptography.AsnEncodedData parameters, System.Security.Cryptography.AsnEncodedData keyValue)
{
}
public Pkcs9AttributeObject(System.Security.Cryptography.Oid oid, byte[] encodedData)
{
}
public CryptographicAttributeObject(System.Security.Cryptography.Oid oid)
{
}
public AlgorithmIdentifier(System.Security.Cryptography.Oid oid, int keyLength)
{
}
public static System.Security.Cryptography.ECCurve CreateFromOid(System.Security.Cryptography.Oid curveOid)
{
throw null;
}
public Pkcs12CertBag(System.Security.Cryptography.Oid certificateType, System.ReadOnlyMemory <byte> encodedCertificate) : base(default(string), default(System.ReadOnlyMemory <byte>), default(bool))
{
}
public override Csr GenerateCsr(CsrParams csrParams, PrivateKey pk, Crt.MessageDigest md)
{
var rsaPk = pk as CeRsaPrivateKey;
if (rsaPk != null)
{
var cePk = new CERTENROLLLib.CX509PrivateKey();
// MS_DEF_PROV
//cePk.ProviderName = "Microsoft Base Cryptographic Provider";
cePk.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
// Don't store in the machine's local cert store and allow exporting of private key
cePk.MachineContext = false;
cePk.ExportPolicy = CERTENROLLLib.X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
cePk.Import(BCRYPT_PRIVATE_KEY_BLOB, rsaPk.Exported);
var ceReq = new CERTENROLLLib.CX509CertificateRequestCertificate();
ceReq.InitializeFromPrivateKey(
CERTENROLLLib.X509CertificateEnrollmentContext.ContextUser,
cePk, "");
// CN=Test Cert, OU=Sandbox
var subjParts = new[]
{
new { name = "C", value = csrParams?.Details?.Country },
new { name = "ST", value = csrParams?.Details?.StateOrProvince },
new { name = "L", value = csrParams?.Details?.Locality },
new { name = "O", value = csrParams?.Details?.Organization },
new { name = "OU", value = csrParams?.Details?.OrganizationUnit },
new { name = "CN", value = csrParams?.Details?.CommonName },
new { name = "E", value = csrParams?.Details?.Email },
};
// Escape any non-standard character
var re = new Regex("[^A-Za-z0-9\\._-]");
var subj = "";
foreach (var sp in subjParts)
{
if (!string.IsNullOrEmpty(sp.value))
{
var spVal = re.Replace(sp.value, "\\$0");
subj += $",{sp.name}={spVal}";
}
}
if (string.IsNullOrEmpty(subj))
{
throw new InvalidOperationException("invalid CSR details");
}
subj = subj.Substring(1); // Skip over the first comma
// http://msdn.microsoft.com/en-us/library/aa377051(VS.85).aspx
var subjDN = new CERTENROLLLib.CX500DistinguishedName();
subjDN.Encode(subj);
ceReq.Subject = subjDN;
if (csrParams.NotBefore != null)
{
ceReq.NotBefore = csrParams.NotBefore.Value;
}
if (csrParams.NotAfter != null)
{
ceReq.NotAfter = csrParams.NotAfter.Value;
}
var mdVal = Enum.GetName(typeof(Crt.MessageDigest), md);
var mdOid = new System.Security.Cryptography.Oid(mdVal);
var mdAlg = new CERTENROLLLib.CObjectId();
mdAlg.InitializeFromValue(mdOid.Value);
ceReq.SignatureInformation.HashAlgorithm = mdAlg;
ceReq.Encode();
var csr = new Csr(ceReq.RawData);
return(csr);
}
else
{
throw new NotSupportedException("unsuppored private key type");
}
}
private void Reset(System.Security.Cryptography.Oid oid, byte[] rawData)
{
this.Oid = oid;
this.RawData = rawData;
}
public AsnEncodedData(System.Security.Cryptography.Oid oid, byte[] rawData)
{
this.Reset(oid, rawData);
}
internal AsnEncodedData(System.Security.Cryptography.Oid oid, CAPIBase.CRYPTOAPI_BLOB encodedBlob) : this(oid, CAPI.BlobToByteArray(encodedBlob))
{
}
internal AsnEncodedData(System.Security.Cryptography.Oid oid)
{
this.m_oid = oid;
}
public void Decode(byte[] test, ref int bi)
{
TagType tagType = (TagType)((test[bi] & 0xc0) >> 6);
bool constructed = ((test[bi] & 0x20) == 0x20);
int tagNum = (test[bi] & 0x1f);
// move on past the tag byte
bi++;
// test bits 7&8 of the first byte are zero - universal tag known from above enum
if (tagType == TagType.Universal)
{
if (tagNum == 0)
{
Console.WriteLine("[0]");
if (constructed)
{
// length and value in subsequent bytes
long length = GetLength(test, ref bi);
int start = bi;
while (bi < start + length)
{
Decode(test, ref bi);
}
}
}
else if (tagNum == (int)UniversalTag.Boolean)
{
// length and value in subsequent bytes
long length = GetLength(test, ref bi);
bool value = (bool)(test[bi] != 0);
Console.WriteLine("Boolean: {0}", value);
bi++;
}
else if (tagNum == (int)UniversalTag.Integer)
{
Console.WriteLine("Integer");
// length and value in subsequent bytes
long length = GetLength(test, ref bi);
// TODO: UNFINISHED, need to get head around twos-complement and do this properly
BigInteger value = GetValue(test, ref bi, (int)length);
foreach (byte b in value.ToByteArray())
{
Console.Write("{0:X2} ", b);
}
Console.WriteLine(value);
}
else if (tagNum == (int)UniversalTag.Null)
{
bi++;
Console.WriteLine("NULL");
}
else if (tagNum == (int)UniversalTag.BitString)
{
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
if (constructed)
{
int start = bi;
while (bi < start + length)
{
Decode(test, ref bi);
}
}
else
{
// first byte of a bit string denotes how many unused bits are at the end of the bit string
byte unused = test[bi];
bi++;
length--;
Console.WriteLine("Bit string, length = {0}, unused = {1}", length, unused);
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
Console.WriteLine("Base64 encoded BitString:\r\n{0}", Convert.ToBase64String(raw));
foreach (var b in raw)
{
Console.Write(b.ToString("X2"));
}
Console.WriteLine("");
bi += (int)length;
}
}
else if (tagNum == (int)UniversalTag.OctetString)
{
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
Console.WriteLine("Octet string, length = {0} bytes", length);
// TODO: some octet strings are decomposable but i think it depends on the use
//int start = bi;
//while (bi < start + length)
//{
// Decode(test, ref bi);
//}
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
foreach (var b in raw)
{
Console.Write(b.ToString("X2"));
}
Console.WriteLine("");
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.ObjectID)
{
Console.WriteLine("Object ID");
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
// special case, first byte
int id1 = (raw[0] / 40);
int id2 = (raw[0] % 40);
bool cont = false;
long biggun = 0;
string oid = id1.ToString() + "." + id2.ToString();
for (int i = 1; i < raw.Length; i++)
{
if ((raw[i] & 0x80) == 0x80)
{
cont = true;
biggun <<= 7;
biggun += raw[i] & 0x7f;
}
else
{
if (cont)
{
biggun <<= 7;
biggun += raw[i] & 0x7f;
oid += "." + biggun.ToString();
cont = false;
biggun = 0;
}
else
{
oid += "." + raw[i].ToString();
}
}
}
System.Security.Cryptography.Oid o = new System.Security.Cryptography.Oid(oid);
Console.WriteLine(oid);
Console.WriteLine(o.FriendlyName);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.UTF8String)
{
Console.WriteLine("UTF8 String");
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
string decoded = System.Text.Encoding.UTF8.GetString(raw);
Console.WriteLine(decoded);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.Sequence)
{
long length = GetLength(test, ref bi);
Console.WriteLine("Sequence contained in {0} bytes", (int)length);
// because sequence is a constructed type we can recurse into this function
if (constructed)
{
int start = bi;
while (bi < start + length)
{
Decode(test, ref bi);
}
}
}
else if (tagNum == (int)UniversalTag.Set)
{
long length = GetLength(test, ref bi);
Console.WriteLine("Set contained in {0} bytes", (int)length);
// because sequence is a constructed type we can recurse into this function
if (constructed)
{
int start = bi;
while (bi < start + length)
{
Decode(test, ref bi);
}
}
}
else if (tagNum == (int)UniversalTag.PrintableString)
{
Console.WriteLine("Printable String");
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
string decoded = System.Text.Encoding.ASCII.GetString(raw);
Console.WriteLine(decoded);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.T61String)
{
Console.WriteLine("T61 String");
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
string decoded = System.Text.Encoding.UTF8.GetString(raw);
Console.WriteLine(decoded);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.IA5String)
{
Console.WriteLine("IA5 String");
// length and value in subsequent bytes
int length = GetLength(test, ref bi);
byte[] raw = new byte[(int)length];
Array.Copy(test, bi, raw, 0, (int)length);
string decoded = System.Text.Encoding.ASCII.GetString(raw);
Console.WriteLine(decoded);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.UTCTime)
{
Console.WriteLine("UTC Time");
long length = GetLength(test, ref bi);
byte[] raw = new byte[(int)length];
Array.Copy(test, bi, raw, 0, (int)length);
string decoded = System.Text.Encoding.ASCII.GetString(raw);
int offsetIndex = decoded.IndexOfAny(new char[] { '+', '-', 'Z' });
DateTime date = DateTime.ParseExact(decoded.Substring(0, 6), "yyMMdd", CultureInfo.CurrentCulture);
string timeString = decoded.Substring(6, offsetIndex - 6);
TimeSpan time = TimeSpan.MinValue;
if (timeString.Length == 4)
{
time = TimeSpan.ParseExact(timeString, "hhmm", CultureInfo.CurrentCulture);
}
else if (timeString.Length == 6)
{
time = TimeSpan.ParseExact(timeString, "hhmmss", CultureInfo.CurrentCulture);
}
else
{
throw new FormatException();
}
date = date.Add(time);
if (decoded.Substring(offsetIndex + 1).Length > 0)
{
TimeSpan offset = TimeSpan.ParseExact(decoded.Substring(offsetIndex + 1), "hhmm", CultureInfo.CurrentCulture);
date = date.Add(offset);
}
Console.WriteLine(date);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.GeneralisedTime)
{
Console.WriteLine("Generalised Time");
long length = GetLength(test, ref bi);
byte[] raw = new byte[(int)length];
Array.Copy(test, bi, raw, 0, (int)length);
string decoded = System.Text.Encoding.ASCII.GetString(raw);
int offsetIndex = decoded.IndexOfAny(new char[] { '+', '-', 'Z' });
DateTime date = DateTime.ParseExact(decoded.Substring(0, 8), "yyyyMMdd", CultureInfo.CurrentCulture);
string timeString = decoded.Substring(8, offsetIndex - 8);
TimeSpan time = TimeSpan.MinValue;
if (timeString.Length == 4)
{
time = TimeSpan.ParseExact(timeString, "hhmm", CultureInfo.CurrentCulture);
}
else if (timeString.Length == 6)
{
time = TimeSpan.ParseExact(timeString, "hhmmss", CultureInfo.CurrentCulture);
}
else
{
throw new FormatException();
}
date = date.Add(time);
if (decoded.Substring(offsetIndex + 1).Length > 0)
{
TimeSpan offset = TimeSpan.ParseExact(decoded.Substring(offsetIndex + 1), "hhmm", CultureInfo.CurrentCulture);
date = date.Add(offset);
}
Console.WriteLine(date);
bi += (int)length;
}
else if (tagNum == (int)UniversalTag.BMPString)
{
int length = GetLength(test, ref bi);
byte[] raw = new byte[length];
Array.Copy(test, bi, raw, 0, length);
string decoded = System.Text.Encoding.Unicode.GetString(raw);
Console.WriteLine("BMPString ({1}): {0}", decoded, length);
}
else
{
throw new InvalidOperationException("Unknown tag: " + test[bi].ToString("x2"));
}
}
else if (tagType == TagType.Context)
{
if (constructed)
{
// length and value in subsequent bytes
long length = GetLength(test, ref bi);
Console.WriteLine("Context tag: " + tagNum + " - length " + length);
int start = bi;
while (bi < start + length)
{
Decode(test, ref bi);
}
}
else
{
throw new InvalidOperationException("Primitive context specific tag, I don't know what to do with this");
}
}
else
{
throw new InvalidOperationException("Unknown tag type, I don't know what to do with this");
}
}
public Rfc3161TimestampTokenInfo(System.Security.Cryptography.Oid policyId, System.Security.Cryptography.Oid hashAlgorithmId, System.ReadOnlyMemory <byte> messageHash, System.ReadOnlyMemory <byte> serialNumber, System.DateTimeOffset timestamp, long?accuracyInMicroseconds = default(long?), bool isOrdering = false, System.ReadOnlyMemory <byte>?nonce = default(System.ReadOnlyMemory <byte>?), System.ReadOnlyMemory <byte>?timestampAuthorityName = default(System.ReadOnlyMemory <byte>?), System.Security.Cryptography.X509Certificates.X509ExtensionCollection extensions = null)
{
}
public static System.Security.Cryptography.ECCurve CreateFromOid(System.Security.Cryptography.Oid curveOid)
{
return(default(System.Security.Cryptography.ECCurve));
}
public int Add(System.Security.Cryptography.Oid oid)
{
throw null;
}
public CryptographicAttributeObject(System.Security.Cryptography.Oid oid) : this(oid, new AsnEncodedDataCollection())
{
}
public AlgorithmIdentifier(System.Security.Cryptography.Oid oid)
{
}
public bool VerifySignatureForHash(System.ReadOnlySpan <byte> hash, System.Security.Cryptography.Oid hashAlgorithmId, [System.Diagnostics.CodeAnalysis.NotNullWhenAttribute(true)] out System.Security.Cryptography.X509Certificates.X509Certificate2?signerCertificate, System.Security.Cryptography.X509Certificates.X509Certificate2Collection?extraCandidates = null)
{
throw null;
}
public ContentInfo(System.Security.Cryptography.Oid contentType, byte[] content)
{
}
public System.Security.Cryptography.Pkcs.Pkcs12SecretBag AddSecret(System.Security.Cryptography.Oid secretType, System.ReadOnlyMemory <byte> secretValue)
{
throw null;
}
public CryptographicAttributeObject(System.Security.Cryptography.Oid oid, System.Security.Cryptography.AsnEncodedDataCollection values)
{
}
public Pkcs8PrivateKeyInfo(System.Security.Cryptography.Oid algorithmId, System.ReadOnlyMemory <byte>?algorithmParameters, System.ReadOnlyMemory <byte> privateKey, bool skipCopies = false)
{
}
public X509Extension(System.Security.Cryptography.Oid oid, byte[] rawData, bool critical)
{
}
public static System.Security.Cryptography.Pkcs.Rfc3161TimestampRequest CreateFromSignerInfo(System.Security.Cryptography.Pkcs.SignerInfo signerInfo, System.Security.Cryptography.HashAlgorithmName hashAlgorithm, System.Security.Cryptography.Oid requestedPolicyId = null, System.ReadOnlyMemory <byte>?nonce = default(System.ReadOnlyMemory <byte>?), bool requestSignerCertificates = false, System.Security.Cryptography.X509Certificates.X509ExtensionCollection extensions = null)
{
throw null;
}
public Oid(System.Security.Cryptography.Oid oid)
{
}
public bool VerifySignatureForHash(System.ReadOnlySpan <byte> hash, System.Security.Cryptography.Oid hashAlgorithmId, out System.Security.Cryptography.X509Certificates.X509Certificate2 signerCertificate, System.Security.Cryptography.X509Certificates.X509Certificate2Collection extraCandidates = null)
{
throw null;
}
public int Add(System.Security.Cryptography.Oid oid)
{
return(default(int));
}
internal AsnEncodedData(System.Security.Cryptography.Oid oid)
{
this.m_oid = oid;
}
