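/// <summary>
/// Builds a self-signed X.509 v3 certificate for <paramref name="certificateName"/> around the supplied
/// RSA key pair, wraps certificate and private key in a PKCS#12 container and loads that container
/// into an <see cref="X509Certificate2"/>.
/// </summary>
/// <param name="certificateName">Common name; it is placed verbatim into "CN=..." as both subject and issuer.
/// No RFC 2253 escaping is applied, so names containing ',', '+', '=', '"' or '\' are not quoted.</param>
/// <param name="key">RSA key pair: its public half goes into the certificate, it signs the certificate,
/// and the whole pair is stored in the PKCS#12 key bag.</param>
/// <returns>An exportable <see cref="X509Certificate2"/> with the private key attached.</returns>
public static X509Certificate2 GenerateCert(string certificateName, RSA key)
{
    byte[] sn = GenerateSerialNumber();
    string subject = string.Format("CN={0}", certificateName);

    // X.509 validity times are UTC on the wire; take the clock in UTC so the local zone never
    // leaks into the encoded window, and derive NotAfter from NotBefore for a consistent span.
    DateTime notBefore = DateTime.UtcNow;
    DateTime notAfter = notBefore.AddYears(20);
    string hashName = "SHA512";

    // Version 3, self-signed: issuer and subject are the same name and the same key.
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = subject;
    cb.NotBefore = notBefore;
    cb.NotAfter = notAfter;
    cb.SubjectName = subject;
    cb.SubjectPublicKey = key;
    cb.Hash = hashName;
    byte[] rawcert = cb.Sign(key);

    // No PKCS#12 password is set here (p12.Password is left at its default).
    PKCS12 p12 = new PKCS12();
    Hashtable attributes = GetAttributes();
    p12.AddCertificate(new Mono.Security.X509.X509Certificate(rawcert), attributes);
    p12.AddPkcs8ShroudedKeyBag(key, attributes);
    rawcert = p12.GetBytes();

    // NOTE(review): PersistKeySet keeps the imported private key in the user's key store after this
    // object is gone; every call persists another key. Callers that only need the in-memory
    // certificate may prefer to drop that flag — confirm against how the result is used.
    return new X509Certificate2(rawcert, "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
}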
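//adapted from https://github.com/mono/mono/blob/master/mcs/tools/security/makecert.cs
/// <summary>
/// Creates a self-signed X.509 v3 certificate for <paramref name="certificateName"/> with a fresh
/// 2048-bit RSA key and returns certificate plus private key as a password-protected PKCS#12 blob.
/// </summary>
/// <param name="certificateName">Common name; placed verbatim into "CN=..." (no RFC 2253 escaping).</param>
/// <param name="password">Password assigned to the PKCS#12 container.</param>
/// <returns>The PKCS#12 bytes.</returns>
public static byte[] GeneratePfx(string certificateName, string password)
{
    byte[] sn = GenerateSerialNumber();
    string subject = string.Format("CN={0}", certificateName);

    // Validity is encoded in UTC; derive NotAfter from NotBefore so both come from one clock read.
    DateTime notBefore = DateTime.UtcNow;
    DateTime notAfter = notBefore.AddYears(20);
    RSA subjectKey = new RSACryptoServiceProvider(2048);
    string hashName = "SHA256";

    // Version 3, self-signed: issuer == subject, signed with the subject's own key.
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = subject;
    cb.NotBefore = notBefore;
    cb.NotAfter = notAfter;
    cb.SubjectName = subject;
    cb.SubjectPublicKey = subjectKey;
    cb.Hash = hashName;
    byte[] rawcert = cb.Sign(subjectKey);

    PKCS12 p12 = new PKCS12();
    p12.Password = password;
    Hashtable attributes = GetAttributes();
    p12.AddCertificate(new X509Certificate(rawcert), attributes);
    p12.AddPkcs8ShroudedKeyBag(subjectKey, attributes);
    return p12.GetBytes();
}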
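//adapted from https://github.com/mono/mono/blob/master/mcs/tools/security/makecert.cs
/// <summary>
/// Creates a self-signed X.509 v3 certificate for <paramref name="certificateName"/> with a fresh
/// 2048-bit RSA key and returns certificate plus private key as a password-protected PKCS#12 blob.
/// </summary>
/// <param name="certificateName">Common name; placed verbatim into "CN=..." (no RFC 2253 escaping).</param>
/// <param name="password">Password assigned to the PKCS#12 container.</param>
/// <returns>The PKCS#12 bytes.</returns>
static byte[] GeneratePfx(string certificateName, string password)
{
    var sn = GenerateSerialNumber();
    var subject = string.Format("CN={0}", certificateName);

    // Validity is encoded in UTC; derive NotAfter from NotBefore so both come from one clock read.
    var notBefore = DateTime.UtcNow;
    var notAfter = notBefore.AddYears(20);
    var subjectKey = new RSACryptoServiceProvider(2048);
    var hashName = "SHA256";

    // Version 3, self-signed: issuer == subject, signed with the subject's own key.
    var cb = new MonoX509.X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = subject;
    cb.NotBefore = notBefore;
    cb.NotAfter = notAfter;
    cb.SubjectName = subject;
    cb.SubjectPublicKey = subjectKey;
    cb.Hash = hashName;
    var rawcert = cb.Sign(subjectKey);

    var p12 = new MonoX509.PKCS12();
    p12.Password = password;
    Hashtable attributes = GetAttributes();
    p12.AddCertificate(new MonoX509.X509Certificate(rawcert), attributes);
    p12.AddPkcs8ShroudedKeyBag(subjectKey, attributes);
    return p12.GetBytes();
}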
/// <summary>
/// Serializes this certificate (and its private key, when one is available) into a PKCS#12 blob.
/// </summary>
/// <param name="password">Password protecting the container; null leaves the container's password unset.</param>
/// <returns>The PKCS#12 bytes.</returns>
byte[] ExportPkcs12(string password)
{
    var container = new MX.PKCS12();
    try
    {
        if (password != null)
        {
            container.Password = password;
        }
        container.AddCertificate(_cert);

        var key = PrivateKey;
        if (key == null)
        {
            // Certificate-only export: nothing to shroud.
            return container.GetBytes();
        }
        container.AddPkcs8ShroudedKeyBag(key);
        return container.GetBytes();
    }
    finally
    {
        // Drop the password from the container once the bytes are out (or on failure).
        container.Password = null;
    }
}
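/// <summary>
/// Creates a self-signed X.509 v3 certificate for <paramref name="certName"/> with a fresh 2048-bit RSA key
/// and returns certificate plus private key as a password-protected PKCS#12 blob.
/// </summary>
/// <param name="certName">Common name; placed verbatim into "CN=..." (no RFC 2253 escaping is applied).</param>
/// <param name="password">Password protecting the PKCS#12 container.</param>
/// <returns>The PKCS#12 bytes.</returns>
/// <exception cref="ArgumentException">
/// Thrown when <paramref name="certName"/> or <paramref name="password"/> is null or empty.
/// </exception>
private static byte[] CreateRawCert(string certName, string password)
{
    if (String.IsNullOrEmpty(certName))
    {
        Log.To.Listener.E(Tag, "An empty certName was received in CreateRawCert, throwing...");
        throw new ArgumentException("Must contain a non-empty name", "certName");
    }
    if (String.IsNullOrEmpty(password))
    {
        Log.To.Listener.E(Tag, "An empty password was received in CreateRawCert, throwing...");
        throw new ArgumentException("Must contain a non-empty password", "password");
    }

    byte[] sn = GenerateSerialNumber();
    string subject = string.Format("CN={0}", certName);

    // Validity is encoded in UTC; derive NotAfter from NotBefore so both come from one clock read.
    DateTime notBefore = DateTime.UtcNow;
    DateTime notAfter = notBefore.AddYears(20);
    string hashName = "SHA512";
    var key = new RSACryptoServiceProvider(2048);

    // Version 3, self-signed: issuer == subject, signed with the subject's own key.
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = subject;
    cb.NotBefore = notBefore;
    cb.NotAfter = notAfter;
    cb.SubjectName = subject;
    cb.SubjectPublicKey = key;
    cb.Hash = hashName;

    Log.To.Listener.I(Tag, "Generating X509 certificate, this is expensive...");
    var sw = System.Diagnostics.Stopwatch.StartNew();
    byte[] rawcert = cb.Sign(key);
    sw.Stop();
    Log.To.Listener.I(Tag, "Finished generating X509 certificate; took {0} sec", sw.ElapsedMilliseconds / 1000.0);

    PKCS12 p12 = new PKCS12();
    // password was already rejected when empty above, so it is applied unconditionally.
    p12.Password = password;
    Hashtable attributes = GetAttributes();
    p12.AddCertificate(new Mono.Security.X509.X509Certificate(rawcert), attributes);
    p12.AddPkcs8ShroudedKeyBag(key, attributes);
    return p12.GetBytes();
}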
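/// <summary>
/// Issues a server certificate (id-kp-serverAuth EKU) signed by the root CA in <paramref name="rootCert"/>
/// and returns an unprotected PKCS#12 blob holding the server certificate, the root certificate and the
/// private key.
/// </summary>
/// <param name="subjectName">Subject name; "CN=" is prepended when it is missing.</param>
/// <param name="rootKey">Root CA private key in the encoding accepted by the <see cref="PrivateKey"/>
/// constructor; the buffer is copied and left unchanged.</param>
/// <param name="rootCert">DER-encoded root CA certificate.</param>
/// <returns>The PKCS#12 bytes.</returns>
/// <exception cref="ArgumentNullException">Thrown when any argument is null.</exception>
public static byte[] CreateServerCert(string subjectName, byte[] rootKey, byte[] rootCert)
{
    if (subjectName == null) throw new ArgumentNullException("subjectName");
    if (rootKey == null) throw new ArgumentNullException("rootKey");
    if (rootCert == null) throw new ArgumentNullException("rootCert");

    // Ordinal: "CN=" is a protocol token, not user-visible text.
    if (!subjectName.StartsWith("CN=", StringComparison.Ordinal))
    {
        subjectName = "CN=" + subjectName;
    }

    // Copy the root key since the PrivateKey constructor will blow away the data
    byte[] rootKeyCopy = new byte[rootKey.Length];
    Buffer.BlockCopy(rootKey, 0, rootKeyCopy, 0, rootKey.Length);

    // Load the root's private key and certificate
    PrivateKey pvk = new PrivateKey(rootKeyCopy, null);
    RSA issuerKey = pvk.RSA;
    X509Certificate issuerCert = new X509Certificate(rootCert);

    // Serial number MUST be positive: clear the sign bit of the most significant byte.
    byte[] sn = Guid.NewGuid().ToByteArray();
    sn[0] &= 0x7F;

    ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension();
    eku.KeyPurpose.Add("1.3.6.1.5.5.7.3.1"); // id-kp-serverAuth: the cert is intended for server auth

    // Generate a server certificate signed by the server root CA.
    // NOTE(review): the certificate is issued for the root's own key pair (SubjectPublicKey = issuerKey),
    // so server and CA share one private key and the returned PKCS#12 carries the CA key — confirm
    // this is intended before deploying the result.
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    // The issuer of a leaf is the subject of the CA; for a self-signed root this equals its IssuerName.
    cb.IssuerName = issuerCert.SubjectName;
    cb.NotBefore = DateTime.UtcNow;
    // 12/31/2039 23:59:59Z, stated with an explicit UTC kind; a bare tick count has no zone and
    // may be shifted by the local offset when encoded.
    cb.NotAfter = new DateTime(2039, 12, 31, 23, 59, 59, DateTimeKind.Utc);
    cb.SubjectName = subjectName;
    cb.SubjectPublicKey = issuerKey;
    // SHA-256 signature: SHA-1-signed certificates are refused by current TLS clients.
    cb.Hash = "SHA256";
    cb.Extensions.Add(eku);
    byte[] serverCert = cb.Sign(issuerKey);

    // Generate a PKCS#12 file for the server containing the private key and certificate.
    // Password is explicitly null, so the container does not protect the key at rest.
    PKCS12 p12 = new PKCS12();
    p12.Password = null;
    ArrayList list = new ArrayList(4);
    // We use a fixed array to avoid endianess issues
    // (in case some tools requires the ID to be 1).
    list.Add(new byte[] { 1, 0, 0, 0 });
    Hashtable attributes = new Hashtable(1);
    attributes.Add(PKCS9.localKeyId, list);
    p12.AddCertificate(new X509Certificate(serverCert), attributes);
    p12.AddCertificate(issuerCert);
    p12.AddPkcs8ShroudedKeyBag(issuerKey, attributes);
    return p12.GetBytes();
}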
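/// <summary>
/// Loads the client certificate from "&lt;ApplicationData&gt;/.couchbase/client.pfx", creating the
/// directory and a new self-signed certificate (fresh 2048-bit RSA key, 20-year validity) on first use.
/// </summary>
/// <returns>The client certificate with its private key.</returns>
public static X509Certificate2 GetOrCreateClientCert()
{
    string dirname = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
    string path = Path.Combine(dirname, ".couchbase");
    Directory.CreateDirectory(path);
    path = Path.Combine(path, "client.pfx");
    if (File.Exists(path))
    {
        return new X509Certificate2(path);
    }

    byte[] sn = GenerateSerialNumber();
    string subject = "CN=CouchbaseClient";

    // Validity is encoded in UTC; derive NotAfter from NotBefore so both come from one clock read.
    DateTime notBefore = DateTime.UtcNow;
    DateTime notAfter = notBefore.AddYears(20);
    RSA subjectKey = new RSACryptoServiceProvider(2048);
    string hashName = "SHA512";

    // Version 3, self-signed: issuer == subject, signed with the subject's own key.
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = subject;
    cb.NotBefore = notBefore;
    cb.NotAfter = notAfter;
    cb.SubjectName = subject;
    cb.SubjectPublicKey = subjectKey;
    cb.Hash = hashName;
    byte[] rawcert = cb.Sign(subjectKey);

    // No PKCS#12 password is set: what protects the key on disk is the file's location and permissions.
    PKCS12 p12 = new PKCS12();
    Hashtable attributes = GetAttributes();
    p12.AddCertificate(new Mono.Security.X509.X509Certificate(rawcert), attributes);
    p12.AddPkcs8ShroudedKeyBag(subjectKey, attributes);
    rawcert = p12.GetBytes();
    WriteCertificate(path, rawcert);
    return new X509Certificate2(rawcert);
}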
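/// <summary>
/// Round-trips a single secret bag through PKCS12.GetBytes() and the byte[] constructor and
/// checks the bag count and content survive.
/// </summary>
public void SecretBagImportExport_Test1 ()
{
    PKCS12 p12_1 = new PKCS12 ();
    p12_1.AddSecretBag (secret);
    Assert.AreEqual (1, p12_1.Secrets.Count, "SBIE1.1");

    byte[] buf = p12_1.GetBytes ();
    PKCS12 p12_2 = new PKCS12 (buf);
    Assert.AreEqual (1, p12_2.Secrets.Count, "SBIE1.2");
    // expected first, actual second — same order as the two assertions above.
    Assert.AreEqual (secret, p12_2.Secrets [0] as byte[], "SBIE1.3");
}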
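/// <summary>
/// Generates an X509 certificate using the Mono.Security assembly.
/// Potentially could prise out the relevant classes from the Mono
/// source code in order to reduce plgx size and complexity... one day
/// </summary>
/// <param name="subject">The subject common name; "CN=" is prepended.</param>
/// <param name="issuer">The issuer common name; "CN=" is prepended.</param>
/// <param name="KeePassRPCPlugin">Plugin instance whose logger, when set, receives diagnostics.</param>
/// <returns>PKCS#12 bytes holding the certificate and the subject's private key.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="subject"/> or <paramref name="issuer"/> is null.
/// </exception>
public static byte[] Generate(string subject, string issuer, KeePassRPCExt KeePassRPCPlugin)
{
    // Validate before the "CN=" prefix is applied: after concatenation the values can never be null.
    if (subject == null) throw new ArgumentNullException("subject", "Missing Subject Name");
    if (issuer == null) throw new ArgumentNullException("issuer", "Missing Issuer Name");

    byte[] sn = Guid.NewGuid().ToByteArray();
    DateTime notBefore = DateTime.UtcNow;
    // 12/31/2039 23:59:59Z, stated with an explicit UTC kind; a bare tick count has no zone and
    // may be shifted by the local offset when encoded.
    DateTime notAfter = new DateTime(2039, 12, 31, 23, 59, 59, DateTimeKind.Utc);
    subject = "CN=" + subject;
    issuer = "CN=" + issuer;
    // Explicit 2048-bit keys: the size RSA.Create() picks depends on the runtime.
    RSA subjectKey = new RSACryptoServiceProvider(2048);
    RSA issuerKey = new RSACryptoServiceProvider(2048);
    // SHA-256 signature: SHA-1-signed certificates are refused by current clients.
    string hashName = "SHA256";

    // serial number MUST be positive: clear the sign bit of the most significant byte.
    sn[0] &= 0x7F;

    // NOTE: issuerKey is a throw-away key used only for the signature and never exported, so the
    // signature cannot be verified against any issuer; peers can only trust this certificate directly.
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = issuer;
    cb.NotBefore = notBefore;
    cb.NotAfter = notAfter;
    cb.SubjectName = subject;
    cb.SubjectPublicKey = subjectKey;
    cb.Hash = hashName;
    byte[] rawcert = cb.Sign(issuerKey);

    // No PKCS#12 password is set on this container.
    PKCS12 p12 = new PKCS12();
    ArrayList list = new ArrayList();
    // we use a fixed array to avoid endianess issues
    // (in case some tools requires the ID to be 1).
    list.Add(new byte[4] { 1, 0, 0, 0 });
    Hashtable attributes = new Hashtable(1);
    attributes.Add(PKCS9.localKeyId, list);
    p12.AddCertificate(new X509Certificate(rawcert), attributes);
    p12.AddPkcs8ShroudedKeyBag(subjectKey, attributes);

    if (Type.GetType("Mono.Runtime") != null)
    {
        string fileName = Path.Combine(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "KeePassRPC"), "cert.p12");
        if (KeePassRPCPlugin.logger != null) KeePassRPCPlugin.logger.WriteLine(fileName);
        try
        {
            p12.SaveToFile(fileName);
        }
        catch (Exception)
        {
            // Best effort: a failed write is logged, not fatal; the in-memory bytes are still returned.
            if (KeePassRPCPlugin.logger != null) KeePassRPCPlugin.logger.WriteLine("Could not write to " + fileName + " security between KPRPC and clients may not be established.");
        }
    }
    return p12.GetBytes();
}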
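/// <summary>
/// Creates a self-signed root CA certificate (server- and client-auth EKUs) with a fresh 2048-bit RSA
/// key and returns an unprotected PKCS#12 blob containing the certificate and its private key.
/// </summary>
/// <param name="issuer">Subject/issuer name; "CN=" is prepended when it is missing.</param>
/// <param name="rootCert">Receives the PKCS#12 bytes.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="issuer"/> is null.</exception>
public static void CreateRootCert(string issuer, out byte[] rootCert)
{
    if (issuer == null) throw new ArgumentNullException("issuer");

    // Ordinal: "CN=" is a protocol token, not user-visible text.
    if (!issuer.StartsWith("CN=", StringComparison.Ordinal))
    {
        issuer = "CN=" + issuer;
    }

    // Generate a new issuer key; the size is explicit because RSA.Create()'s default depends on the runtime.
    RSA issuerKey = new RSACryptoServiceProvider(2048);

    // Serial number MUST be positive: clear the sign bit of the most significant byte.
    byte[] sn = Guid.NewGuid().ToByteArray();
    sn[0] &= 0x7F;

    ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension();
    eku.KeyPurpose.Add("1.3.6.1.5.5.7.3.1"); // id-kp-serverAuth: the cert is intended for server auth
    eku.KeyPurpose.Add("1.3.6.1.5.5.7.3.2"); // id-kp-clientAuth: the cert is intended for client auth

    // Generate a self-signed certificate
    X509CertificateBuilder cb = new X509CertificateBuilder(3);
    cb.SerialNumber = sn;
    cb.IssuerName = issuer;
    cb.NotBefore = DateTime.UtcNow;
    // 12/31/2039 23:59:59Z, stated with an explicit UTC kind; a bare tick count has no zone and
    // may be shifted by the local offset when encoded.
    cb.NotAfter = new DateTime(2039, 12, 31, 23, 59, 59, DateTimeKind.Utc);
    cb.SubjectName = issuer;
    cb.SubjectPublicKey = issuerKey;
    // SHA-256 signature: SHA-1-signed certificates are refused by current TLS clients.
    cb.Hash = "SHA256";
    cb.Extensions.Add(eku);
    byte[] serverCert = cb.Sign(issuerKey);

    // Generate a PKCS#12 file containing the certificate and private key.
    // Password is explicitly null, so the container does not protect the key at rest.
    PKCS12 p12 = new PKCS12();
    p12.Password = null;
    ArrayList list = new ArrayList(4);
    // We use a fixed array to avoid endianess issues
    // (in case some tools requires the ID to be 1).
    list.Add(new byte[] { 1, 0, 0, 0 });
    Hashtable attributes = new Hashtable(1);
    attributes.Add(PKCS9.localKeyId, list);
    p12.AddCertificate(new X509Certificate(serverCert), attributes);
    p12.AddPkcs8ShroudedKeyBag(issuerKey, attributes);
    rootCert = p12.GetBytes();
}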
/// <summary>
/// Serializes this certificate (and its private key, when one is available) into a PKCS#12 blob.
/// </summary>
/// <param name="password">Password protecting the container; null leaves the container's password unset.</param>
/// <returns>The PKCS#12 bytes.</returns>
byte[] ExportPkcs12 (string password)
{
    var bag = new MX.PKCS12 ();
    try {
        bool protect = password != null;
        if (protect)
            bag.Password = password;

        bag.AddCertificate (_cert);

        var key = PrivateKey;
        bool hasKey = key != null;
        if (hasKey)
            bag.AddPkcs8ShroudedKeyBag (key);

        return bag.GetBytes ();
    } finally {
        // Drop the password from the container once the bytes are out (or on failure).
        bag.Password = null;
    }
}