/// <summary>
/// Builds a CRL, signed with <paramref name="caKey"/>, that lists exactly one certificate
/// (<paramref name="serialNumber"/>) as revoked with reason <c>privilegeWithdrawn</c>.
/// </summary>
/// <param name="caCert">Issuing CA certificate; its subject becomes the CRL issuer and it seeds the authorityKeyIdentifier extension.</param>
/// <param name="caKey">Private key that signs the CRL (SHA256withRSA).</param>
/// <param name="serialNumber">Serial of the certificate to revoke.</param>
/// <returns>The signed CRL.</returns>
public static X509Crl CreateCrl(X509Certificate caCert, IAsymmetricKeyParameter caKey, IBigInteger serialNumber)
{
    var generator = new X509V2CrlGenerator();
    var issuedAt = DateTime.UtcNow;

    generator.SetIssuerDN(PrincipalUtilities.GetSubjectX509Principal(caCert));
    generator.SetSignatureAlgorithm("SHA256WithRSAEncryption");

    // NOTE(review): the validity window is only 100 seconds and the cRLNumber is always 1, so a
    // relying party cannot order two CRLs produced by this helper - fine for a fixture, not for
    // a CA that publishes more than once.
    generator.SetThisUpdate(issuedAt);
    generator.SetNextUpdate(issuedAt.AddSeconds(100));

    // Extension order is preserved on the wire: authorityKeyIdentifier first, then cRLNumber.
    generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
    generator.AddExtension(X509Extensions.CrlNumber, false, new CrlNumber(BigInteger.One));

    generator.AddCrlEntry(serialNumber, issuedAt, CrlReason.PrivilegeWithdrawn);

    return generator.Generate(caKey);
}
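/// <summary>
/// Exercises X509V2CrlGenerator end to end: builds a CRL carrying a hand-built reasonCode entry
/// extension and an authorityKeyIdentifier, checks the decoded fields and the signature, copies
/// the entries into a second CRL via AddCrl, and round-trips that through X509CrlParser.
/// </summary>
private void checkCrlCreation3()
{
    // 768-bit RSA keeps the test fast; it is far below any acceptable production key size.
    IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
    kpGen.Init(new RsaKeyGenerationParameters(BigInteger.ValueOf(0x10001), new SecureRandom(), 768, 25));
    AsymmetricCipherKeyPair pair = kpGen.GenerateKeyPair();

    X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
    DateTime now = DateTime.UtcNow;

    crlGen.SetIssuerDN(new X509Name("CN=Test CA"));
    crlGen.SetThisUpdate(now);
    crlGen.SetNextUpdate(now.AddSeconds(100));
    crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

    // Build the reasonCode entry extension explicitly (the AddCrlEntry(serial, date, reason)
    // overload would do this for us; the point here is the X509Extensions path).
    IList extOids = new ArrayList();
    IList extValues = new ArrayList();
    CrlReason crlReason = new CrlReason(CrlReason.PrivilegeWithdrawn);
    try
    {
        extOids.Add(X509Extensions.ReasonCode);
        extValues.Add(new X509Extension(false, new DerOctetString(crlReason.GetEncoded())));
    }
    catch (IOException e)
    {
        throw new ArgumentException("error encoding reason: " + e);
    }
    X509Extensions entryExtensions = new X509Extensions(extOids, extValues);

    crlGen.AddCrlEntry(BigInteger.One, now, entryExtensions);
    crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));

    X509Crl crl = crlGen.Generate(pair.Private);

    // The CRL must actually verify under the key we generated, not merely be well-formed.
    try
    {
        crl.Verify(pair.Public);
    }
    catch (Exception e)
    {
        Fail("CRL signature does not verify: " + e);
    }

    if (!crl.IssuerDN.Equivalent(new X509Name("CN=Test CA"), true))
    {
        Fail("failed CRL issuer test");
    }

    Asn1OctetString authExt = crl.GetExtensionValue(X509Extensions.AuthorityKeyIdentifier);
    if (authExt == null)
    {
        Fail("failed to find CRL extension");
    }

    // Decoding is itself a check; an AKI derived from a public key must carry a keyIdentifier.
    AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);
    if (authId.GetKeyIdentifier() == null)
    {
        Fail("CRL authorityKeyIdentifier has no keyIdentifier");
    }

    X509CrlEntry entry = crl.GetRevokedCertificate(BigInteger.One);
    if (entry == null)
    {
        Fail("failed to find CRL entry");
    }
    if (!entry.SerialNumber.Equals(BigInteger.One))
    {
        Fail("CRL cert serial number does not match");
    }
    if (!entry.HasExtensions)
    {
        Fail("CRL entry extension not found");
    }

    Asn1OctetString ext = entry.GetExtensionValue(X509Extensions.ReasonCode);
    if (ext != null)
    {
        DerEnumerated reasonCode = (DerEnumerated)X509ExtensionUtilities.FromExtensionValue(ext);
        if (reasonCode.Value.IntValue != CrlReason.PrivilegeWithdrawn)
        {
            Fail("CRL entry reasonCode wrong");
        }
    }
    else
    {
        Fail("CRL entry reasonCode not found");
    }

    //
    // check loading of existing CRL
    //
    crlGen = new X509V2CrlGenerator();
    now = DateTime.UtcNow;

    crlGen.SetIssuerDN(new X509Name("CN=Test CA"));
    crlGen.SetThisUpdate(now);
    crlGen.SetNextUpdate(now.AddSeconds(100));
    crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

    crlGen.AddCrl(crl); // copies every entry of the first CRL into the new one
    crlGen.AddCrlEntry(BigInteger.Two, now, entryExtensions);
    crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));

    X509Crl newCrl = crlGen.Generate(pair.Private);

    try
    {
        newCrl.Verify(pair.Public);
    }
    catch (Exception e)
    {
        Fail("copied CRL signature does not verify: " + e);
    }

    int count = 0;
    bool oneFound = false;
    bool twoFound = false;
    foreach (X509CrlEntry crlEnt in newCrl.GetRevokedCertificates())
    {
        if (crlEnt.SerialNumber.IntValue == 1)
        {
            oneFound = true;
        }
        else if (crlEnt.SerialNumber.IntValue == 2)
        {
            twoFound = true;
        }
        count++;
    }
    if (count != 2)
    {
        Fail("wrong number of CRLs found");
    }
    if (!oneFound || !twoFound)
    {
        Fail("wrong CRLs found in copied list");
    }

    //
    // check factory read back
    //
    X509Crl readCrl = new X509CrlParser().ReadCrl(newCrl.GetEncoded());
    if (readCrl == null)
    {
        Fail("crl not returned!");
    }

    ICollection col = new X509CrlParser().ReadCrls(newCrl.GetEncoded());
    if (col.Count != 1)
    {
        Fail("wrong number of CRLs found in collection");
    }
}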
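/// <summary>
/// Builds a CRL with a hand-built reasonCode entry extension and an authorityKeyIdentifier,
/// then checks the issuer, the signature, the AKI extension and the revoked entry's fields.
/// </summary>
private void checkCrlCreation2()
{
    // 768-bit RSA keeps the test fast; it is far below any acceptable production key size.
    IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
    kpGen.Init(new RsaKeyGenerationParameters(BigInteger.ValueOf(0x10001), new SecureRandom(), 768, 25));
    AsymmetricCipherKeyPair pair = kpGen.GenerateKeyPair();

    X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
    DateTime now = DateTime.UtcNow;

    crlGen.SetIssuerDN(new X509Name("CN=Test CA"));
    crlGen.SetThisUpdate(now);
    crlGen.SetNextUpdate(now.AddSeconds(100));
    crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");

    // Build the reasonCode entry extension explicitly rather than via the reason overload.
    IList extOids = new ArrayList();
    IList extValues = new ArrayList();
    CrlReason crlReason = new CrlReason(CrlReason.PrivilegeWithdrawn);
    try
    {
        extOids.Add(X509Extensions.ReasonCode);
        extValues.Add(new X509Extension(false, new DerOctetString(crlReason.GetEncoded())));
    }
    catch (IOException e)
    {
        throw new ArgumentException("error encoding reason: " + e);
    }
    X509Extensions entryExtensions = new X509Extensions(extOids, extValues);

    crlGen.AddCrlEntry(BigInteger.One, now, entryExtensions);
    crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));

    X509Crl crl = crlGen.Generate(pair.Private);

    // The CRL must actually verify under the key we generated, not merely be well-formed.
    try
    {
        crl.Verify(pair.Public);
    }
    catch (Exception e)
    {
        Fail("CRL signature does not verify: " + e);
    }

    if (!crl.IssuerDN.Equivalent(new X509Name("CN=Test CA"), true))
    {
        Fail("failed CRL issuer test");
    }

    Asn1OctetString authExt = crl.GetExtensionValue(X509Extensions.AuthorityKeyIdentifier);
    if (authExt == null)
    {
        Fail("failed to find CRL extension");
    }

    // Decoding is itself a check; an AKI derived from a public key must carry a keyIdentifier.
    AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);
    if (authId.GetKeyIdentifier() == null)
    {
        Fail("CRL authorityKeyIdentifier has no keyIdentifier");
    }

    X509CrlEntry entry = crl.GetRevokedCertificate(BigInteger.One);
    if (entry == null)
    {
        Fail("failed to find CRL entry");
    }
    if (!entry.SerialNumber.Equals(BigInteger.One))
    {
        Fail("CRL cert serial number does not match");
    }
    if (!entry.HasExtensions)
    {
        Fail("CRL entry extension not found");
    }

    Asn1OctetString ext = entry.GetExtensionValue(X509Extensions.ReasonCode);
    if (ext != null)
    {
        DerEnumerated reasonCode = (DerEnumerated)X509ExtensionUtilities.FromExtensionValue(ext);
        if (reasonCode.Value.IntValue != CrlReason.PrivilegeWithdrawn)
        {
            Fail("CRL entry reasonCode wrong");
        }
    }
    else
    {
        Fail("CRL entry reasonCode not found");
    }
}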
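/// <summary>
/// Signs a fresh CRL covering every serial in <c>_revoked</c> with the CA key from the PKCS#12
/// store, writes it PEM-encoded to <c>CrlFilePath</c>, and then advances the stored CRL number.
/// Does nothing (silently) when there is no revocation list or the store has no CA key entry.
/// </summary>
/// <exception cref="InvalidOperationException">
/// The CA certificate carries a keyUsage extension that does not assert cRLSign.
/// </exception>
public void PublishCrl()
{
    if (_revoked == null)
    {
        return; // nothing to publish yet; the caller gets no feedback (TODO: surface this in the UI)
    }

    Pkcs12Store store = LoadCAPfx(KeyStorePassword);
    if (!store.ContainsAlias(CaAlias) || !store.IsEntryOfType(CaAlias, typeof(AsymmetricKeyEntry)))
    {
        return;
    }

    AsymmetricKeyParameter key = store.GetKey(CaAlias).Key;
    X509Certificate caCert = store.GetCertificate(CaAlias).Certificate;

    // RFC 5280 §6.3.3: when the CRL issuer's certificate has a keyUsage extension it must assert
    // cRLSign (bit 6), or relying parties reject the CRL. Certificates without keyUsage still pass.
    bool[] keyUsage = caCert.GetKeyUsage();
    if (keyUsage != null && (keyUsage.Length <= 6 || !keyUsage[6]))
    {
        throw new InvalidOperationException(
            "CA certificate '" + CaAlias + "' does not assert the cRLSign key usage; refusing to publish a CRL under it.");
    }

    var crlNumber = new BigInteger(ReadCrlSerialNumber(), SerialNumberRadix);
    DateTime issuedAt = DateTime.UtcNow; // one timestamp so thisUpdate and nextUpdate agree

    var crlGen = new X509V2CrlGenerator();
    crlGen.SetIssuerDN(caCert.SubjectDN);
    // Reuses the algorithm the CA certificate itself was signed with. NOTE(review): that is the
    // parent issuer's choice and need not suit this CA's key type (e.g. an ECDSA-signed RSA CA);
    // confirm it matches the key loaded above.
    crlGen.SetSignatureAlgorithm(caCert.SigAlgName.Replace("-", ""));
    crlGen.SetThisUpdate(issuedAt);
    crlGen.SetNextUpdate(issuedAt.AddHours(CrlFrequency));
    crlGen.AddExtension(X509Extensions.CrlNumber, false, new CrlNumber(crlNumber));
    crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));

    foreach (RevokedSerial rs in _revoked.RevokedSerialCollection)
    {
        crlGen.AddCrlEntry(new BigInteger(rs.Serial), rs.RevocationDate, rs.Reason);
    }

    X509Crl crl = crlGen.Generate(key);
    string crlEncoded = PemUtilities.Encode(crl);

    // Write to a sibling temp file and swap it in, so a concurrent reader never sees a
    // half-written CRL; the temp file lives in the same directory so the swap is a rename.
    string tempPath = CrlFilePath + ".tmp";
    File.WriteAllText(tempPath, crlEncoded);
    if (File.Exists(CrlFilePath))
    {
        File.Replace(tempPath, CrlFilePath, null);
    }
    else
    {
        File.Move(tempPath, CrlFilePath);
    }

    // Only bump the number once the CRL is on disk; a failed publish keeps the number for retry.
    IncrementCrlSerial();
}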
/// <summary>
/// Test fixture: a CRL for issuer "CN=Test CA", valid for 100 seconds from now, listing serial 1
/// as revoked with reason privilegeWithdrawn, signed with <paramref name="pair"/>'s private key
/// and carrying an authorityKeyIdentifier derived from its public key.
/// </summary>
/// <param name="pair">Key pair standing in for the CA; the private half signs, the public half seeds the AKI.</param>
/// <returns>The signed CRL.</returns>
public static X509Crl MakeCrl(AsymmetricCipherKeyPair pair)
{
    DateTime issuedAt = DateTime.UtcNow;
    var builder = new X509V2CrlGenerator();

    builder.SetIssuerDN(new X509Name("CN=Test CA"));
    builder.SetSignatureAlgorithm("SHA256WithRSAEncryption");
    builder.SetThisUpdate(issuedAt);
    builder.SetNextUpdate(issuedAt.AddSeconds(100));

    // NOTE(review): no cRLNumber extension is added; RFC 5280 §5.2.3 requires one from a
    // conforming issuer, so this output is only suitable as a fixture.
    builder.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));
    builder.AddCrlEntry(BigInteger.One, issuedAt, CrlReason.PrivilegeWithdrawn);

    return builder.Generate(pair.Private);
}