public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { if (subject == null) { throw new ArgumentNullException(nameof(subject)); } if (signatureAlgorithm == null) { throw new ArgumentNullException(nameof(signatureAlgorithm)); } var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate); var subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign)); var subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID)); var algorithm = GetAlgorithm(signatureAlgorithm); // selfsign certificate var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random)); return(ExportCertificate(certificate, subjectKeyPair, certificateFormat)); }
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { if (subject == null) { throw new ArgumentNullException(nameof(subject)); } if (issuer == null) { throw new ArgumentNullException(nameof(issuer)); } if (signatureAlgorithm == null) { throw new ArgumentNullException(nameof(issuer)); } if (!(issuer.PrivateKey is AsymmetricKeyParameter privateKey)) { return(null); } var randomGenerator = new CryptoApiRandomGenerator(); var random = new SecureRandom(randomGenerator); var certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate); var subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); var algorithm = GetAlgorithm(signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment)); certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth })); var subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); if (issuer.SubjectKeyID != null) { certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID)); } //if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0)) //{ // certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false)); // //SubjectAlternativeName // //GeneralName.DirectoryName // //GeneralName.IPAddress //} var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random)); return(ExportCertificate(certificate, subjectKeyPair, certificateFormat)); }
private static string GetAlgorithm(SignatureHashAlgorithm signatureAlgorithm) { // eg "SHA256WithRSA", "SHA224WithECDSA",; StringBuilder result = new StringBuilder(); result.Append(signatureAlgorithm.Hash.ToString()); result.Append("With"); result.Append(signatureAlgorithm.Signature.ToString()); return(result.ToString()); }
private static string GetAlgorithm(SignatureHashAlgorithm signatureAlgorithm) { if (signatureAlgorithm == null) { throw new ArgumentNullException(nameof(signatureAlgorithm)); } // eg "SHA256WithRSA", "SHA224WithECDSA",; var result = new StringBuilder(); result.Append(signatureAlgorithm.Hash.ToString()); result.Append("With"); result.Append(signatureAlgorithm.Signature.ToString()); return(result.ToString()); }
private static AsymmetricCipherKeyPair GenerateKeys(X509V3CertificateGenerator certificateGenerator, SecureRandom random, SignatureHashAlgorithm signatureAlgorithm) { AsymmetricCipherKeyPair result = null; switch (signatureAlgorithm.Signature) { case TSignatureAlgorithm.Anonymous: break; case TSignatureAlgorithm.RSA: KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048); RsaKeyPairGenerator rsaKeyPairGenerator = new RsaKeyPairGenerator(); rsaKeyPairGenerator.Init(keyGenerationParameters); result = rsaKeyPairGenerator.GenerateKeyPair(); break; case TSignatureAlgorithm.DSA: break; case TSignatureAlgorithm.ECDSA: //ECDomainParameters ellipticCurveParameters = EllipticCurveFactory.GetEllipticCurveParameters(TEllipticCurve.secp256r1); ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator(); //keyPairGenerator.Init(new ECKeyGenerationParameters(ellipticCurveParameters, random)); keyPairGenerator.Init(new ECKeyGenerationParameters(Org.BouncyCastle.Asn1.Sec.SecObjectIdentifiers.SecP256r1, random)); result = keyPairGenerator.GenerateKeyPair(); //certificateGenerator.AddExtension(X509Extensions.SubjectPublicKeyInfo) //PrivateKey = (ECPrivateKeyParameters)keys.Private; //PublicKey = (ECPublicKeyParameters)keys.Public; break; default: break; } certificateGenerator.SetPublicKey(result.Public); return result; }
public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { byte[] result = null; SecureRandom random = Porthelp.CreateSecureRandom(); X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate); AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign)); byte[] subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID)); string algorithm = GetAlgorithm(signatureAlgorithm); // selfsign certificate Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random)); result = ExportCertificate(certificate, subjectKeyPair, certificateFormat); return(result); }
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { byte[] result = null; AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter; if (privateKey != null) { SecureRandom random = Porthelp.CreateSecureRandom(); X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate); AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); string algorithm = GetAlgorithm(signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment)); certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth })); byte[] subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); if (issuer.SubjectKeyID != null) { certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID)); } //if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0)) //{ // certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false)); // //SubjectAlternativeName // //GeneralName.DirectoryName // //GeneralName.IPAddress //} Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random)); result = ExportCertificate(certificate, subjectKeyPair, certificateFormat); } return(result); }
private static AsymmetricCipherKeyPair GenerateKeys(X509V3CertificateGenerator certificateGenerator, SecureRandom random, SignatureHashAlgorithm signatureAlgorithm) { AsymmetricCipherKeyPair result = null; switch (signatureAlgorithm.Signature) { case TSignatureAlgorithm.Anonymous: break; case TSignatureAlgorithm.RSA: KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048); RsaKeyPairGenerator rsaKeyPairGenerator = new RsaKeyPairGenerator(); rsaKeyPairGenerator.Init(keyGenerationParameters); result = rsaKeyPairGenerator.GenerateKeyPair(); break; case TSignatureAlgorithm.DSA: break; case TSignatureAlgorithm.ECDSA: //ECDomainParameters ellipticCurveParameters = EllipticCurveFactory.GetEllipticCurveParameters(TEllipticCurve.secp256r1); ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator(); //keyPairGenerator.Init(new ECKeyGenerationParameters(ellipticCurveParameters, random)); keyPairGenerator.Init(new ECKeyGenerationParameters(Org.BouncyCastle.Asn1.Sec.SecObjectIdentifiers.SecP256r1, random)); result = keyPairGenerator.GenerateKeyPair(); //certificateGenerator.AddExtension(X509Extensions.SubjectPublicKeyInfo) //PrivateKey = (ECPrivateKeyParameters)keys.Private; //PublicKey = (ECPublicKeyParameters)keys.Public; break; default: break; } certificateGenerator.SetPublicKey(result.Public); return(result); }
private async Task _ProcessHandshakeAsync(DTLSRecord record) { if (record == null) { throw new ArgumentNullException(nameof(record)); } var data = record.Fragment; if (this._EncyptedServerEpoch == record.Epoch) { var count = 0; while ((this._Cipher == null) && (count < 500)) { await Task.Delay(10).ConfigureAwait(false); count++; } if (this._Cipher == null) { throw new Exception("Need Cipher for Encrypted Session"); } var sequenceNumber = ((long)record.Epoch << 48) + record.SequenceNumber; data = this._Cipher.DecodeCiphertext(sequenceNumber, (byte)TRecordType.Handshake, record.Fragment, 0, record.Fragment.Length); } using (var tempStream = new MemoryStream(data)) { var handshakeRec = HandshakeRecord.Deserialise(tempStream); if (handshakeRec.Length > (handshakeRec.FragmentLength + handshakeRec.FragmentOffset)) { this._IsFragment = true; this._FragmentedRecordList.Add(data); return; } else if (this._IsFragment) { this._FragmentedRecordList.Add(data); data = new byte[0]; foreach (var rec in this._FragmentedRecordList) { data = data.Concat(rec.Skip(HandshakeRecord.RECORD_OVERHEAD)).ToArray(); } var tempHandshakeRec = new HandshakeRecord() { Length = handshakeRec.Length, MessageSeq = handshakeRec.MessageSeq, MessageType = handshakeRec.MessageType, FragmentLength = handshakeRec.Length, FragmentOffset = 0 }; var tempHandshakeBytes = new byte[HandshakeRecord.RECORD_OVERHEAD]; using (var updateStream = new MemoryStream(tempHandshakeBytes)) { tempHandshakeRec.Serialise(updateStream); } data = tempHandshakeBytes.Concat(data).ToArray(); } } using (var stream = new MemoryStream(data)) { var handshakeRecord = HandshakeRecord.Deserialise(stream); switch (handshakeRecord.MessageType) { case THandshakeType.HelloRequest: { break; } case THandshakeType.ClientHello: { break; } case THandshakeType.ServerHello: { var serverHello = ServerHello.Deserialise(stream); this._HandshakeInfo.UpdateHandshakeHash(data); this._ServerEpoch = record.Epoch; this._HandshakeInfo.CipherSuite = (TCipherSuite)serverHello.CipherSuite; this._HandshakeInfo.ServerRandom = serverHello.Random; this._Version = serverHello.ServerVersion <= this._Version ? serverHello.ServerVersion : _SupportedVersion; break; } case THandshakeType.HelloVerifyRequest: { var helloVerifyRequest = HelloVerifyRequest.Deserialise(stream); this._Version = helloVerifyRequest.ServerVersion; await this._SendHelloAsync(helloVerifyRequest.Cookie).ConfigureAwait(false); break; } case THandshakeType.Certificate: { var cert = Certificate.Deserialise(stream, TCertificateType.X509); this._HandshakeInfo.UpdateHandshakeHash(data); this.ServerCertificate = cert.Cert; break; } case THandshakeType.ServerKeyExchange: { this._HandshakeInfo.UpdateHandshakeHash(data); var keyExchangeAlgorithm = CipherSuites.GetKeyExchangeAlgorithm(this._HandshakeInfo.CipherSuite); byte[] preMasterSecret = null; IKeyExchange keyExchange = null; if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.ECDHE_ECDSA) { var serverKeyExchange = ECDHEServerKeyExchange.Deserialise(stream, this._Version); var keyExchangeECDHE = new ECDHEKeyExchange { CipherSuite = this._HandshakeInfo.CipherSuite, Curve = serverKeyExchange.EllipticCurve, KeyExchangeAlgorithm = keyExchangeAlgorithm, ClientRandom = this._HandshakeInfo.ClientRandom, ServerRandom = this._HandshakeInfo.ServerRandom }; keyExchangeECDHE.GenerateEphemeralKey(); var clientKeyExchange = new ECDHEClientKeyExchange(keyExchangeECDHE.PublicKey); this._ClientKeyExchange = clientKeyExchange; preMasterSecret = keyExchangeECDHE.GetPreMasterSecret(serverKeyExchange.PublicKeyBytes); keyExchange = keyExchangeECDHE; } else if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.ECDHE_PSK) { var serverKeyExchange = ECDHEPSKServerKeyExchange.Deserialise(stream); var keyExchangeECDHE = new ECDHEKeyExchange { CipherSuite = this._HandshakeInfo.CipherSuite, Curve = serverKeyExchange.EllipticCurve, KeyExchangeAlgorithm = keyExchangeAlgorithm, ClientRandom = this._HandshakeInfo.ClientRandom, ServerRandom = this._HandshakeInfo.ServerRandom }; keyExchangeECDHE.GenerateEphemeralKey(); var clientKeyExchange = new ECDHEPSKClientKeyExchange(keyExchangeECDHE.PublicKey); if (serverKeyExchange.PSKIdentityHint != null) { var key = this.PSKIdentities.GetKey(serverKeyExchange.PSKIdentityHint); if (key != null) { this._PSKIdentity = new PSKIdentity() { Identity = serverKeyExchange.PSKIdentityHint, Key = key }; } } if (this._PSKIdentity == null) { this._PSKIdentity = this.PSKIdentities.GetRandom(); } clientKeyExchange.PSKIdentity = this._PSKIdentity.Identity; this._ClientKeyExchange = clientKeyExchange; var otherSecret = keyExchangeECDHE.GetPreMasterSecret(serverKeyExchange.PublicKeyBytes); preMasterSecret = TLSUtils.GetPSKPreMasterSecret(otherSecret, this._PSKIdentity.Key); keyExchange = keyExchangeECDHE; } else if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.PSK) { var serverKeyExchange = PSKServerKeyExchange.Deserialise(stream); var clientKeyExchange = new PSKClientKeyExchange(); if (serverKeyExchange.PSKIdentityHint != null) { var key = this.PSKIdentities.GetKey(serverKeyExchange.PSKIdentityHint); if (key != null) { this._PSKIdentity = new PSKIdentity() { Identity = serverKeyExchange.PSKIdentityHint, Key = key }; } } if (this._PSKIdentity == null) { this._PSKIdentity = this.PSKIdentities.GetRandom(); } var otherSecret = new byte[this._PSKIdentity.Key.Length]; clientKeyExchange.PSKIdentity = this._PSKIdentity.Identity; this._ClientKeyExchange = clientKeyExchange; preMasterSecret = TLSUtils.GetPSKPreMasterSecret(otherSecret, this._PSKIdentity.Key); } this._Cipher = TLSUtils.AssignCipher(preMasterSecret, true, this._Version, this._HandshakeInfo); break; } case THandshakeType.CertificateRequest: { this._HandshakeInfo.UpdateHandshakeHash(data); this._SendCertificate = true; break; } case THandshakeType.ServerHelloDone: { this._HandshakeInfo.UpdateHandshakeHash(data); var keyExchangeAlgorithm = CipherSuites.GetKeyExchangeAlgorithm(this._HandshakeInfo.CipherSuite); if (this._Cipher == null) { if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.PSK) { var clientKeyExchange = new PSKClientKeyExchange(); this._PSKIdentity = this.PSKIdentities.GetRandom(); var otherSecret = new byte[this._PSKIdentity.Key.Length]; clientKeyExchange.PSKIdentity = this._PSKIdentity.Identity; this._ClientKeyExchange = clientKeyExchange; var preMasterSecret = TLSUtils.GetPSKPreMasterSecret(otherSecret, this._PSKIdentity.Key); this._Cipher = TLSUtils.AssignCipher(preMasterSecret, true, this._Version, this._HandshakeInfo); } else if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.RSA) { var clientKeyExchange = new RSAClientKeyExchange(); this._ClientKeyExchange = clientKeyExchange; var PreMasterSecret = TLSUtils.GetRsaPreMasterSecret(this._Version); clientKeyExchange.PremasterSecret = TLSUtils.GetEncryptedRsaPreMasterSecret(this.ServerCertificate, PreMasterSecret); this._Cipher = TLSUtils.AssignCipher(PreMasterSecret, true, this._Version, this._HandshakeInfo); } else { throw new NotImplementedException($"Key Exchange Algorithm {keyExchangeAlgorithm} Not Implemented"); } } if (this._SendCertificate) { await this._SendHandshakeMessageAsync(this._Certificate, false).ConfigureAwait(false); } await this._SendHandshakeMessageAsync(this._ClientKeyExchange, false).ConfigureAwait(false); if (this._SendCertificate) { var signatureHashAlgorithm = new SignatureHashAlgorithm() { Signature = TSignatureAlgorithm.ECDSA, Hash = THashAlgorithm.SHA256 }; if (keyExchangeAlgorithm == TKeyExchangeAlgorithm.RSA) { signatureHashAlgorithm = new SignatureHashAlgorithm() { Signature = TSignatureAlgorithm.RSA, Hash = THashAlgorithm.SHA1 }; } var certVerify = new CertificateVerify { SignatureHashAlgorithm = signatureHashAlgorithm, Signature = TLSUtils.Sign(this._PrivateKey, this._PrivateKeyRsa, true, this._Version, this._HandshakeInfo, signatureHashAlgorithm, this._HandshakeInfo.GetHash(this._Version)) }; await this._SendHandshakeMessageAsync(certVerify, false).ConfigureAwait(false); } await this._SendChangeCipherSpecAsync().ConfigureAwait(false); var handshakeHash = this._HandshakeInfo.GetHash(this._Version); var finished = new Finished { VerifyData = TLSUtils.GetVerifyData(this._Version, this._HandshakeInfo, true, true, handshakeHash) }; await this._SendHandshakeMessageAsync(finished, true).ConfigureAwait(false); break; } case THandshakeType.NewSessionTicket: { this._HandshakeInfo.UpdateHandshakeHash(data); break; } case THandshakeType.CertificateVerify: { break; } case THandshakeType.ClientKeyExchange: { break; } case THandshakeType.Finished: { var serverFinished = Finished.Deserialise(stream); var handshakeHash = this._HandshakeInfo.GetHash(this._Version); var calculatedVerifyData = TLSUtils.GetVerifyData(this._Version, this._HandshakeInfo, true, false, handshakeHash); if (serverFinished.VerifyData.SequenceEqual(calculatedVerifyData)) { this._ConnectionComplete = true; } break; } default: { break; } } } this._IsFragment = false; this._FragmentedRecordList.RemoveAll(x => true); }
public static byte[] Sign(Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash) { TlsSigner signer = null; switch (signatureHashAlgorithm.Signature) { case TSignatureAlgorithm.Anonymous: break; case TSignatureAlgorithm.RSA: signer = new TlsRsaSigner(); break; case TSignatureAlgorithm.DSA: signer = new TlsDssSigner(); break; case TSignatureAlgorithm.ECDSA: signer = new TlsECDsaSigner(); break; default: break; } DTLSContext context = new DTLSContext(client, version, handshakeInfo); Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator randomGenerator = new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator(); context.SecureRandom = new Org.BouncyCastle.Security.SecureRandom(randomGenerator); signer.Init(context); if (TlsUtilities.IsTlsV12(context)) { SignatureAndHashAlgorithm signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature); return signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash); } else { return signer.GenerateRawSignature(privateKey, hash); } }
public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { byte[] result = null; CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator(); SecureRandom random = new SecureRandom(randomGenerator); X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate); AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign)); byte[] subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID)); string algorithm = GetAlgorithm(signatureAlgorithm); // selfsign certificate Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random)); result = ExportCertificate(certificate, subjectKeyPair, certificateFormat); return result; }
private static AsymmetricCipherKeyPair GenerateKeys(X509V3CertificateGenerator certificateGenerator, SecureRandom random, SignatureHashAlgorithm signatureAlgorithm) { if (certificateGenerator == null) { throw new ArgumentNullException(nameof(certificateGenerator)); } if (random == null) { throw new ArgumentNullException(nameof(random)); } if (signatureAlgorithm == null) { throw new ArgumentNullException(nameof(signatureAlgorithm)); } AsymmetricCipherKeyPair result = null; switch (signatureAlgorithm.Signature) { case TSignatureAlgorithm.Anonymous: { break; } case TSignatureAlgorithm.RSA: { var keyGenerationParameters = new KeyGenerationParameters(random, 2048); var rsaKeyPairGenerator = new RsaKeyPairGenerator(); rsaKeyPairGenerator.Init(keyGenerationParameters); result = rsaKeyPairGenerator.GenerateKeyPair(); break; } case TSignatureAlgorithm.DSA: { break; } case TSignatureAlgorithm.ECDSA: { //ECDomainParameters ellipticCurveParameters = EllipticCurveFactory.GetEllipticCurveParameters(TEllipticCurve.secp256r1); var keyPairGenerator = new ECKeyPairGenerator(); //keyPairGenerator.Init(new ECKeyGenerationParameters(ellipticCurveParameters, random)); keyPairGenerator.Init(new ECKeyGenerationParameters(SecObjectIdentifiers.SecP256r1, random)); result = keyPairGenerator.GenerateKeyPair(); //certificateGenerator.AddExtension(X509Extensions.SubjectPublicKeyInfo) //PrivateKey = (ECPrivateKeyParameters)keys.Private; //PublicKey = (ECPublicKeyParameters)keys.Public; break; } default: { break; } } certificateGenerator.SetPublicKey(result.Public); return(result); }
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { byte[] result = null; AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter; if (privateKey != null) { CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator(); SecureRandom random = new SecureRandom(randomGenerator); X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate); AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); string algorithm = GetAlgorithm(signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment)); certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth })); byte[] subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); if (issuer.SubjectKeyID != null) certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID)); //if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0)) //{ // certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false)); // //SubjectAlternativeName // //GeneralName.DirectoryName // //GeneralName.IPAddress //} Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random)); result = ExportCertificate(certificate, subjectKeyPair, certificateFormat); } return result; }
public static byte[] Sign(Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash) { TlsSigner signer = null; switch (signatureHashAlgorithm.Signature) { case TSignatureAlgorithm.Anonymous: break; case TSignatureAlgorithm.RSA: signer = new TlsRsaSigner(); break; case TSignatureAlgorithm.DSA: signer = new TlsDssSigner(); break; case TSignatureAlgorithm.ECDSA: signer = new TlsECDsaSigner(); break; default: break; } DTLSContext context = new DTLSContext(client, version, handshakeInfo); Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator randomGenerator = new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator(); context.SecureRandom = new Org.BouncyCastle.Security.SecureRandom(randomGenerator); signer.Init(context); if (TlsUtilities.IsTlsV12(context)) { SignatureAndHashAlgorithm signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature); return(signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash)); } else { return(signer.GenerateRawSignature(privateKey, hash)); } }
public static byte[] GenerateIntermediateCACertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat) { byte[] result = null; AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter; if (privateKey != null) { CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator(); SecureRandom random = new SecureRandom(randomGenerator); X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate); AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm); certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0)); certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign)); byte[] subjectKeyID = new byte[20]; random.NextBytes(subjectKeyID, 0, 20); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); if (issuer.SubjectKeyID != null) { certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID)); } string algorithm = GetAlgorithm(signatureAlgorithm); Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random)); result = ExportCertificate(certificate, subjectKeyPair, certificateFormat); } return(result); }
public static byte[] Sign(AsymmetricKeyParameter privateKey, RSACryptoServiceProvider rsaKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash) #endif { if (privateKey == null && rsaKey == null) { throw new ArgumentException("No key or Rsa CSP provided"); } if (privateKey == null) { if (signatureHashAlgorithm.Signature == TSignatureAlgorithm.RSA) { return(SignRsa(rsaKey, hash)); } throw new ArgumentException("Need private key for non-RSA Algorithms"); } if (version == null) { throw new ArgumentNullException(nameof(version)); } if (handshakeInfo == null) { throw new ArgumentNullException(nameof(handshakeInfo)); } if (signatureHashAlgorithm == null) { throw new ArgumentNullException(nameof(signatureHashAlgorithm)); } if (hash == null) { throw new ArgumentNullException(nameof(hash)); } TlsSigner signer = null; switch (signatureHashAlgorithm.Signature) { case TSignatureAlgorithm.Anonymous: break; case TSignatureAlgorithm.RSA: signer = new TlsRsaSigner(); break; case TSignatureAlgorithm.DSA: signer = new TlsDssSigner(); break; case TSignatureAlgorithm.ECDSA: signer = new TlsECDsaSigner(); break; default: break; } var context = new DTLSContext(client, version, handshakeInfo); var randomGenerator = new CryptoApiRandomGenerator(); context.SecureRandom = new SecureRandom(randomGenerator); signer.Init(context); if (TlsUtilities.IsTlsV12(context)) { var signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature); return(signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash)); } else { return(signer.GenerateRawSignature(privateKey, hash)); } }
public static byte[] Sign(AsymmetricKeyParameter privateKey, CngKey rsaKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash)
private static string GetAlgorithm(SignatureHashAlgorithm signatureAlgorithm) { // eg "SHA256WithRSA", "SHA224WithECDSA",; StringBuilder result = new StringBuilder(); result.Append(signatureAlgorithm.Hash.ToString()); result.Append("With"); result.Append(signatureAlgorithm.Signature.ToString()); return result.ToString(); }