public void Initialize()
{
TCPClient = new TcpClient();
TCPClient.Connect(Endpoint, Port);
NetStream = TCPClient.GetStream();
Org.BouncyCastle.Security.SecureRandom sr = new Org.BouncyCastle.Security.SecureRandom();
TlsProtocolHandler handler = new TlsProtocolHandler(NetStream, sr);
handler.Connect(new TrustAllCertificatePolicy());
Writer = new StreamWriter(NetStream);
Writer.Write(GetHeader());
Writer.Flush();
byte[] buffer = new byte[1024];
int bytesRead = NetStream.Read(buffer, 0, buffer.Length);
byte[] decompressBuffer = new byte[1024];
Zlib.DecompressData(buffer, out decompressBuffer);
string response = Encoding.ASCII.GetString(buffer, 0, bytesRead);
string responseDecompressed = Encoding.ASCII.GetString(decompressBuffer, 0, bytesRead);
Console.WriteLine("=== RESPONSE ===");
Console.WriteLine(response);
Console.WriteLine("=== DECOMPRESSED ===");
Console.WriteLine(responseDecompressed);
Bytes.ByteArrayToFile("out.raw", buffer);
byte frameByte = Convert.ToByte("10000001", 2);
}
/// <summary>
/// Create a X509Certificate2 with a private key by combining
/// a bouncy castle X509Certificate and private key parameters.
/// </summary>
private static X509Certificate2 CreateCertificateWithPrivateKey(
Org.BouncyCastle.X509.X509Certificate certificate,
string friendlyName,
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey,
Org.BouncyCastle.Security.SecureRandom random)
{
// create pkcs12 store for cert and private key
using (MemoryStream pfxData = new MemoryStream())
{
var builder = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
var pkcsStore = builder.Build();
var chain = new Org.BouncyCastle.Pkcs.X509CertificateEntry[1];
string passcode = Guid.NewGuid().ToString();
chain[0] = new Org.BouncyCastle.Pkcs.X509CertificateEntry(certificate);
if (string.IsNullOrEmpty(friendlyName))
{
friendlyName = GetCertificateCommonName(certificate);
}
pkcsStore.SetKeyEntry(friendlyName, new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(privateKey), chain);
pkcsStore.Save(pfxData, passcode.ToCharArray(), random);
// merge into X509Certificate2
return(CertificateFactory.CreateCertificateFromPKCS12(pfxData.ToArray(), passcode));
}
}
GenerateBadGost3410KeyPair(Org.BouncyCastle.Security.SecureRandom random, int keystrength)
{
// Org.BouncyCastle.Crypto.IAsymmetricCipherKeyPairGenerator keypairGen1 = Org.BouncyCastle.Security.GeneratorUtilities.GetKeyPairGenerator("DSA");
// NID_id_GostR3410_2001_CryptoPro_A_ParamSet
Org.BouncyCastle.Crypto.IAsymmetricCipherKeyPairGenerator keypairGen = new Org.BouncyCastle.Crypto.Generators.Gost3410KeyPairGenerator();
Org.BouncyCastle.Crypto.Generators.Gost3410ParametersGenerator pGen = new Org.BouncyCastle.Crypto.Generators.Gost3410ParametersGenerator();
pGen.Init(keystrength, 2, random); //TODO:
Org.BouncyCastle.Crypto.Parameters.Gost3410KeyGenerationParameters kgp = new Org.BouncyCastle.Crypto.Parameters.Gost3410KeyGenerationParameters(
random
// , Org.BouncyCastle.Asn1.CryptoPro.CryptoProObjectIdentifiers.GostR3410x94CryptoProA
// , Org.BouncyCastle.Asn1.CryptoPro.CryptoProObjectIdentifiers.GostR3410x2001CryptoProA
// , Org.BouncyCastle.Asn1.CryptoPro.CryptoProObjectIdentifiers.GostR3411x94WithGostR3410x94
// , Org.BouncyCastle.Asn1.CryptoPro.CryptoProObjectIdentifiers.GostR3411x94CryptoProParamSet
, Org.BouncyCastle.Asn1.CryptoPro.CryptoProObjectIdentifiers.GostR3410x2001
);
Org.BouncyCastle.Crypto.Parameters.Gost3410Parameters parameters = pGen.GenerateParameters();
Org.BouncyCastle.Crypto.Parameters.Gost3410KeyGenerationParameters genParam = new Org.BouncyCastle.Crypto.Parameters.Gost3410KeyGenerationParameters(random, parameters);
keypairGen.Init(genParam);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp = keypairGen.GenerateKeyPair();
return(kp);
}
/// <summary>
/// 加密并签名
/// 使用接受方的公钥进行加密
/// 使用发送方的私钥进行签名
/// 先压缩,再加密,再签名
/// </summary>
/// <param name="kp"></param>
/// <param name="cfg"></param>
/// <param name="inputFile"></param>
/// <param name="outputStream">普通的stream,或者Org.BouncyCastle.Bcpg.ArmoredOutputStream(如果使用加密文件使用ASCII)</param>
public static void EncryptAndSign(System.IO.FileInfo inputFile, System.IO.Stream outputStream, GpgKeyPair kp, GpgEncryptSignCfg cfg)
{
var sr = new Org.BouncyCastle.Security.SecureRandom();
var pgpEncryptedDataGenerator = new Org.BouncyCastle.Bcpg.OpenPgp.PgpEncryptedDataGenerator(cfg.SymmetricKeyAlgorithmTag, cfg.IntegrityProtected, sr);
pgpEncryptedDataGenerator.AddMethod(kp.PublickKey);
var pgpCompressedDataGenerator = new Org.BouncyCastle.Bcpg.OpenPgp.PgpCompressedDataGenerator(cfg.CompressionAlgorithmTag);
var pgpLiteralDataGenerator = new Org.BouncyCastle.Bcpg.OpenPgp.PgpLiteralDataGenerator();
using (var fs = inputFile.OpenRead())
using (var outputStreamEncrypted = pgpEncryptedDataGenerator.Open(outputStream, new byte[cfg.BufferSize]))
using (var outputStreamEncryptedCompressed = pgpCompressedDataGenerator.Open(outputStreamEncrypted))
using (var outputStreamEncryptedCompressedLiteral = pgpLiteralDataGenerator.Open(outputStreamEncryptedCompressed,
Org.BouncyCastle.Bcpg.OpenPgp.PgpLiteralData.Binary, inputFile.Name, inputFile.Length, inputFile.LastWriteTime))
{
var pgpSignatureGenerator = new Org.BouncyCastle.Bcpg.OpenPgp.PgpSignatureGenerator(kp.PrivateKeySecreted.PublicKey.Algorithm,
Org.BouncyCastle.Bcpg.HashAlgorithmTag.Sha256);
pgpSignatureGenerator.InitSign(Org.BouncyCastle.Bcpg.OpenPgp.PgpSignature.BinaryDocument, kp.PrivateKey);
var userId = kp.PrivateKeySecreted.PublicKey.GetUserIds().Cast <string>().First();
var pgpSignatureSubpacketGenerator = new Org.BouncyCastle.Bcpg.OpenPgp.PgpSignatureSubpacketGenerator();
pgpSignatureSubpacketGenerator.SetSignerUserId(cfg.IsCritical, userId);
pgpSignatureGenerator.SetHashedSubpackets(pgpSignatureSubpacketGenerator.Generate());
pgpSignatureGenerator.GenerateOnePassVersion(cfg.IsNested).Encode(outputStreamEncryptedCompressedLiteral);
int dataLenght = 0;
var buffer = new byte[cfg.BufferSize];
while ((dataLenght = fs.Read(buffer, 0, buffer.Length)) > 0)
{
outputStreamEncryptedCompressedLiteral.Write(buffer, 0, dataLenght);
pgpSignatureGenerator.Update(buffer, 0, dataLenght);
}
pgpSignatureGenerator.Generate().Encode(outputStreamEncryptedCompressedLiteral);
}
}
} // End Function VerifySignature
// https://stackoverflow.com/questions/18244630/elliptic-curve-with-digital-signature-algorithm-ecdsa-implementation-on-bouncy
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateEcdsaKeyPair()
{
Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator gen =
new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
Org.BouncyCastle.Security.SecureRandom secureRandom =
new Org.BouncyCastle.Security.SecureRandom();
// https://github.com/bcgit/bc-csharp/blob/master/crypto/src/asn1/sec/SECNamedCurves.cs#LC1096
Org.BouncyCastle.Asn1.X9.X9ECParameters ps =
Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256k1");
Org.BouncyCastle.Crypto.Parameters.ECDomainParameters ecParams =
new Org.BouncyCastle.Crypto.Parameters.ECDomainParameters(ps.Curve, ps.G, ps.N, ps.H);
Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters keyGenParam =
new Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters(ecParams, secureRandom);
gen.Init(keyGenParam);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp = gen.GenerateKeyPair();
// Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters priv =
// (Org.BouncyCastle.Crypto.Parameters.ECPrivateKeyParameters)kp.Private;
return(kp);
} // End Function GenerateEcdsaKeyPair
public ECDiffieHellmanBc(Int32 keySize)
{
Org.BouncyCastle.Asn1.X9.X9ECParameters ecParams;
switch (keySize) {
case 256:
ecParams = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256r1");
break;
case 384:
ecParams = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp384r1");
break;
case 521:
ecParams = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp521r1");
break;
default:
throw new ArgumentException("ECDiffieHellman key size " + keySize + " not supported");
}
_keySize = keySize;
_domainParameters = new ECDomainParameters(ecParams.Curve, ecParams.G, ecParams.N, ecParams.H, ecParams.GetSeed());
// Initialize key generation parameters with new SecureRandom
Org.BouncyCastle.Security.SecureRandom secureRandom = new Org.BouncyCastle.Security.SecureRandom();
ECKeyGenerationParameters keyGenParams = new ECKeyGenerationParameters(_domainParameters, secureRandom);
// Generate key pair from domain parameters
Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator generator = new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
generator.Init(keyGenParams);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair keyPair = generator.GenerateKeyPair();
// Save the private and public key parameters
_privateKeyParameters = (ECPrivateKeyParameters) keyPair.Private;
_publicKeyParameters = (ECPublicKeyParameters) keyPair.Public;
_kdf = ECDiffieHellmanKeyDerivationFunction.Hash;
_hashAlgorithm = CngAlgorithm.Sha256;
}
public static byte[] CreateSelfSignedCertificate(string[] alternativeNames, string password)
{
string pemKey = SecretManager.GetSecret <string>("skynet_key");
string pemCert = SecretManager.GetSecret <string>("skynet_cert");
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair rootKey = ReadAsymmetricKeyParameter(pemKey);
Org.BouncyCastle.X509.X509Certificate rootCert = PemStringToX509(pemCert);
Org.BouncyCastle.Security.SecureRandom random = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);
Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(
random
, rootCert
, certKeyPair.Public
, rootKey.Private
, alternativeNames
);
bool val = CerGenerator.ValidateSelfSignedCert(sslCertificate, rootCert.GetPublicKey());
if (val == false)
{
throw new System.InvalidOperationException("SSL certificate does NOT validate successfully.");
}
byte[] pfx = CreatePfxBytes(sslCertificate, certKeyPair.Private, password);
return(pfx);
} // End Function CreateSelfSignedCertificate
public SecureRandom(Org.BouncyCastle.Security.SecureRandom secureRandom = null)
{
if (secureRandom != null)
{
SecureRandomInstance = secureRandom;
}
}
} // End Function GenerateElGamalKeyPair
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateDHKeyPair(
int length
, Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
// Org.BouncyCastle.Math.BigInteger p = new BigInteger("123", 10);
// Org.BouncyCastle.Math.BigInteger g = new BigInteger("456", 10);
// Org.BouncyCastle.Crypto.Parameters.DHParameters dhParams =
// new Org.BouncyCastle.Crypto.Parameters.DHParameters(p, g);
Org.BouncyCastle.Crypto.Generators.DHParametersGenerator pg =
new Org.BouncyCastle.Crypto.Generators.DHParametersGenerator();
pg.Init(length, 100, secureRandom);
Org.BouncyCastle.Crypto.Parameters.DHParameters dhp = pg.GenerateParameters();
Org.BouncyCastle.Crypto.Parameters.DHKeyGenerationParameters pars =
new Org.BouncyCastle.Crypto.Parameters.DHKeyGenerationParameters(secureRandom, dhp);
Org.BouncyCastle.Crypto.Generators.DHKeyPairGenerator keyGenerator =
new Org.BouncyCastle.Crypto.Generators.DHKeyPairGenerator();
keyGenerator.Init(pars);
return(keyGenerator.GenerateKeyPair());
} // End Function GenerateDHKeyPair
public static X509Certificate2 ConvertCertificate(this X509Certificate certificate,
AsymmetricCipherKeyPair subjectKeyPair,
Org.BouncyCastle.Security.SecureRandom random)
{
// Now to convert the Bouncy Castle certificate to a .NET certificate.
// See http://web.archive.org/web/20100504192226/http://www.fkollmann.de/v2/post/Creating-certificates-using-BouncyCastle.aspx
// ...but, basically, we create a PKCS12 store (a .PFX file) in memory, and add the public and private key to that.
var store = new Pkcs12Store();
// What Bouncy Castle calls "alias" is the same as what Windows terms the "friendly name".
string friendlyName = certificate.SubjectDN.ToString();
// Add the certificate.
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the private key.
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
// ConvertToEnvironmentType it to an X509Certificate2 object by saving/loading it from a MemoryStream.
// It needs a password. Since we'll remove this later, it doesn't particularly matter what we use.
const string password = "******";
var stream = new MemoryStream();
store.Save(stream, password.ToCharArray(), random);
var convertedCertificate =
new X509Certificate2(stream.ToArray(),
password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
public static void GenerateSslCertificate(PfxData pfx, Org.BouncyCastle.Security.SecureRandom random)
{
string curveName = "curve25519"; curveName = "secp256k1";
// IIS does not support Elliptic Curve...
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateEcKeyPair(curveName, random);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDsaKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDHKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateGostKeyPair(4096, random);
Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(random, pfx.Certificate, certKeyPair.Public, pfx.PrivateKey);
bool val = CerGenerator.ValidateSelfSignedCert(sslCertificate, pfx.Certificate.GetPublicKey());
// SSL
(string Private, string Public)certKeys = KeyPairToPem(certKeyPair);
PfxFile.Create(@"obelix.pfx", sslCertificate, certKeyPair.Private, "");
WriteCerAndCrt(sslCertificate, @"obelix");
System.IO.File.WriteAllText(@"obelix_private.key", certKeys.Private, System.Text.Encoding.ASCII);
// System.IO.File.WriteAllText(@"obelix_public.key", certKeys.Public, System.Text.Encoding.ASCII);
string pemCert = ToPem(sslCertificate);
System.IO.File.WriteAllText(@"obelix.pem", pemCert, System.Text.Encoding.ASCII);
} // End Sub GenerateSslCertificate
/// <summary>
/// Generates secure random byte array of set length
/// </summary>
/// <param name="len">length of return byte array</param>
/// <returns>secure random byte array of set length</returns>
private static byte[] GenSecRandomBytes(int len)
{
var rand = new Org.BouncyCastle.Security.SecureRandom();
var bytes = new byte[len];
rand.NextBytes(bytes);
return(bytes);
}
public static byte[] AESGenerateIV(int vectorSize)
{
var ivBytes = new byte[vectorSize];
var secRandom = new Org.BouncyCastle.Security.SecureRandom();
secRandom.NextBytes(ivBytes);
return(ivBytes);
}
} // End Sub GenerateRootCertificate
public static Org.BouncyCastle.X509.X509Certificate SelfSignSslCertificate(
Org.BouncyCastle.Security.SecureRandom random
, Org.BouncyCastle.X509.X509Certificate caRoot
, Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublicKey
, Org.BouncyCastle.Crypto.AsymmetricKeyParameter rootCertPrivateKey
) // PrivatePublicPemKeyPair subjectKeyPair)
{
Org.BouncyCastle.X509.X509Certificate caSsl = null;
string countryIso2Characters = "GA";
string stateOrProvince = "Aremorica";
string localityOrCity = "Erquy, Bretagne";
string companyName = "Coopérative Ménhir Obelix Gmbh & Co. KGaA";
string division = "Neanderthal Technology Group (NT)";
string domainName = "localhost";
domainName = "*.sql.guru";
domainName = "localhost";
string email = "webmaster@localhost";
CertificateInfo ci = new CertificateInfo(
countryIso2Characters, stateOrProvince
, localityOrCity, companyName
, division, domainName, email
, System.DateTime.UtcNow
, System.DateTime.UtcNow.AddYears(5)
);
ci.AddAlternativeNames("localhost", System.Environment.MachineName, "127.0.0.1",
"sql.guru", "*.sql.guru", "example.int", "foo.int", "bar.int", "foobar.int", "*.com");
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateEcKeyPair(curveName, random);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(2048, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDsaKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDHKeyPair(1024, random);
caSsl = CerGenerator.GenerateSslCertificate(
ci
, subjectPublicKey
, rootCertPrivateKey
, caRoot
, random
);
/*
* PfxGenerator.CreatePfxFile(@"obelix.pfx", caSsl, kp1.Private, "");
* CerGenerator.WritePrivatePublicKey("obelix", ci.SubjectKeyPair);
*
*
* CerGenerator.WriteCerAndCrt(@"ca", caRoot);
* CerGenerator.WriteCerAndCrt(@"obelix", caSsl);
*/
return(caSsl);
} // End Sub SelfSignSslCertificate
// GenerateRsaKeyPair(1024)
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateRsaKeyPair(int strength)
{
Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator gen = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
Org.BouncyCastle.Security.SecureRandom secureRandom = new Org.BouncyCastle.Security.SecureRandom(new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator());
Org.BouncyCastle.Crypto.KeyGenerationParameters keyGenParam = new Org.BouncyCastle.Crypto.KeyGenerationParameters(secureRandom, strength);
gen.Init(keyGenParam);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp = gen.GenerateKeyPair();
return(kp);
} // End Function GenerateRsaKeyPair
/// <summary>
/// Create a X509Certificate2 with a private key by combining
/// the new certificate with a private key from an RSA key.
/// </summary>
public static X509Certificate2 CreateCertificateWithPrivateKey(
X509Certificate2 certificate,
RSA privatekey)
{
using (var cfrg = new CertificateFactoryRandomGenerator())
{
var random = new Org.BouncyCastle.Security.SecureRandom(cfrg);
Org.BouncyCastle.X509.X509Certificate x509 = new Org.BouncyCastle.X509.X509CertificateParser().ReadCertificate(certificate.RawData);
return(CreateCertificateWithPrivateKey(x509, certificate.FriendlyName, GetPrivateKeyParameter(privatekey), random));
}
}
GenerateGost3410KeyPair(Org.BouncyCastle.Security.SecureRandom random, int keystrength)
{
Org.BouncyCastle.Crypto.Parameters.ECDomainParameters gostEcDomainParameters =
Org.BouncyCastle.Asn1.CryptoPro.ECGost3410NamedCurves.GetByOid(
Org.BouncyCastle.Asn1.CryptoPro.CryptoProObjectIdentifiers.GostR3410x2001CryptoProA);
Org.BouncyCastle.Crypto.IAsymmetricCipherKeyPairGenerator gostKeyGen = new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
Org.BouncyCastle.Crypto.KeyGenerationParameters genParam = new Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters(gostEcDomainParameters, random);
gostKeyGen.Init(genParam);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp = gostKeyGen.GenerateKeyPair();
return(kp);
}
GenerateDsaKeyPair(Org.BouncyCastle.Security.SecureRandom random, int keystrength)
{
Org.BouncyCastle.Crypto.IAsymmetricCipherKeyPairGenerator keypairGen = new Org.BouncyCastle.Crypto.Generators.DsaKeyPairGenerator();
Org.BouncyCastle.Crypto.Generators.DsaParametersGenerator pGen = new Org.BouncyCastle.Crypto.Generators.DsaParametersGenerator();
pGen.Init(keystrength, 80, random); //TODO:
Org.BouncyCastle.Crypto.Parameters.DsaParameters parameters = pGen.GenerateParameters();
Org.BouncyCastle.Crypto.Parameters.DsaKeyGenerationParameters genParam = new Org.BouncyCastle.Crypto.Parameters.DsaKeyGenerationParameters(random, parameters);
keypairGen.Init(genParam);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp = keypairGen.GenerateKeyPair();
return(kp);
}
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateGostKeyPair(
int length
, Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
Org.BouncyCastle.Crypto.KeyGenerationParameters keygenParam =
new Org.BouncyCastle.Crypto.KeyGenerationParameters(secureRandom, length);
Org.BouncyCastle.Crypto.Generators.Gost3410KeyPairGenerator keyGenerator =
new Org.BouncyCastle.Crypto.Generators.Gost3410KeyPairGenerator();
keyGenerator.Init(keygenParam);
return(keyGenerator.GenerateKeyPair());
} // End Function GenerateGostKeyPair
} // End Sub AddExtensions
public static Org.BouncyCastle.X509.X509Certificate GenerateSslCertificate(
CertificateInfo certificateInfo
, Org.BouncyCastle.Security.SecureRandom secureRandom
, Org.BouncyCastle.X509.X509Certificate rootCertificate
)
{
Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublicKey =
KeyImportExport.ReadPublicKey(certificateInfo.SubjectKeyPair.PublicKey);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter issuerPrivateKey =
KeyImportExport.ReadPrivateKey(certificateInfo.IssuerKeyPair.PrivateKey);
return GenerateSslCertificate(certificateInfo, subjectPublicKey, issuerPrivateKey, rootCertificate, secureRandom);
}
} // End Function GenerateEcKeyPair
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateEcKeyPair(
string curveName
, Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
Org.BouncyCastle.Asn1.X9.X9ECParameters ecParam = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName(curveName);
if (ecParam == null)
{
ecParam = Org.BouncyCastle.Crypto.EC.CustomNamedCurves.GetByName(curveName);
}
return(GenerateEcKeyPair(ecParam, secureRandom));
} // End Function GenerateEcKeyPair
static public Org.BouncyCastle.Math.BigInteger GenerateBigIntegerPrimes(int bits)
{
Org.BouncyCastle.Security.SecureRandom ran = new Org.BouncyCastle.Security.SecureRandom();
Org.BouncyCastle.Math.BigInteger c = new Org.BouncyCastle.Math.BigInteger(bits, ran);
for (; ;)
{
if (c.IsProbablePrime(100) == true)
{
break;
}
c = c.Subtract(new Org.BouncyCastle.Math.BigInteger("1"));
}
return(c);
}
public void RsaFuzzTest()
{
// Create many RSA keys, encode them in PKCS8, verify the Pkcs8 class can decode them correctly.
// This test does take a few (possibly 10s of) seconds, longer than most unit tests.
for (int i = 0; i < 1000; i++)
{
// This SecureRandom constructor is deprecated,
// but is the easiest way to create a deterministic SecureRandom.
#pragma warning disable CS0618
var rnd = new Org.BouncyCastle.Security.SecureRandom(new byte[] { (byte)(i & 0xff), (byte)((i >> 8) & 0xff) });
#pragma warning restore CS0618
var rsa = new Org.BouncyCastle.Crypto.Generators.RsaKeyPairGenerator();
// 384 is the shortest valid key length. Use this for speed.
rsa.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters(rnd, 384));
var keys = rsa.GenerateKeyPair();
var pkcs8Generator = new Org.BouncyCastle.OpenSsl.Pkcs8Generator(keys.Private);
var pem = pkcs8Generator.Generate();
var ms = new System.IO.MemoryStream();
var stWriter = new System.IO.StreamWriter(ms);
var pemWriter = new Org.BouncyCastle.OpenSsl.PemWriter(stWriter);
pemWriter.WriteObject(pem);
stWriter.Close();
var pkcs8 = System.Text.Encoding.ASCII.GetString(ms.ToArray());
var rsaParameters = Pkcs8.DecodeRsaParameters(pkcs8);
var key = RSA.Create();
try
{
// Test that the parameters can be imported.
// Throws CryptographicException if the rsaParameters is invalid
key.ImportParameters(rsaParameters);
}
catch (CryptographicException e)
{
// Fails in iteration 8 without the Pkcs8 fix in PR#937
Assert.True(false, $"Failed in iteration {i}: {e}");
}
// Check that all the parameters exported are equal to the originally created parameters
var exportedParams = key.ExportParameters(true);
var privateKey = (Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters)keys.Private;
Assert.Equal(privateKey.P.ToByteArrayUnsigned(), Pkcs8.TrimLeadingZeroes(exportedParams.P, false));
Assert.Equal(privateKey.Q.ToByteArrayUnsigned(), Pkcs8.TrimLeadingZeroes(exportedParams.Q, false));
Assert.Equal(privateKey.DP.ToByteArrayUnsigned(), Pkcs8.TrimLeadingZeroes(exportedParams.DP, false));
Assert.Equal(privateKey.DQ.ToByteArrayUnsigned(), Pkcs8.TrimLeadingZeroes(exportedParams.DQ, false));
var publicKey = (Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)keys.Public;
Assert.Equal(publicKey.Exponent.ToByteArrayUnsigned(), Pkcs8.TrimLeadingZeroes(exportedParams.Exponent, false));
Assert.Equal(publicKey.Modulus.ToByteArrayUnsigned(), Pkcs8.TrimLeadingZeroes(exportedParams.Modulus, false));
}
}
} // End Sub SetRegistry
public static void CreateSslCertificate()
{
Org.BouncyCastle.Security.SecureRandom random = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
// 1. Root certificate to pfx
// 2. Read root certificate
// 3. Sign SSL certificate
// chrome://settings/certificates?search=certifi
PfxData pfx = GenerateRootCertificate(random);
// PfxData pfx = PfxFile.Read("skynet.pfx");
GenerateSslCertificate(pfx, random);
}
public void CompareSecp256k1KeyGenerationRuntimes()
{
int num_runs = 100;
long openecc_time_sum = 0L;
long bc_time_sum = 0L;
for (int i = 0; i < num_runs; i++)
{
///
/// OpenECC
///
var openecc_curve = CurveFactory.secp256k1;
var openecc_keygen_timer = Stopwatch.StartNew();
var openecc_encoder = new ProbabilisticWeierstrassMessageEncoder(openecc_curve, new BigInteger(7));
var openecc_encryptor = new ElGamalEncryptor(openecc_curve, openecc_encoder);
var openecc_keys = openecc_encryptor.GenerateKeyPair();
openecc_keygen_timer.Stop();
openecc_time_sum += openecc_keygen_timer.Elapsed.Milliseconds;
}
for (int i = 0; i < num_runs; i++)
{
///
///Bouncy Castle
///
var bc_stuff = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256k1");
var bc_keygen_timer = Stopwatch.StartNew();
var bc_keygen = new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
var bc_domain_params = new Org.BouncyCastle.Crypto.Parameters.ECDomainParameters(bc_stuff.Curve, bc_stuff.G, bc_stuff.N);
var bc_random = new Org.BouncyCastle.Security.SecureRandom();
var bc_keygen_params = new Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters(bc_domain_params, bc_random);
bc_keygen.Init(bc_keygen_params);
var bc_keys = bc_keygen.GenerateKeyPair();
bc_keygen_timer.Stop();
bc_time_sum += bc_keygen_timer.Elapsed.Milliseconds;
}
throw new NotImplementedException("BC: " + (bc_time_sum/(double)num_runs) + "; OpenECC: " + (openecc_time_sum/(double)num_runs));
//RuntimeAssert.LessThan(bc_time_sum / (double)num_runs, openecc_time_sum / (double)num_runs);
}
// DumpPfx(ee25519Cert, subject, caKey25519);
public static void DumpPfx(
Org.BouncyCastle.X509.X509Certificate bouncyCert
, Org.BouncyCastle.Asn1.X509.X509Name subject
, Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair pair)
{
Org.BouncyCastle.Pkcs.Pkcs12Store store = new Org.BouncyCastle.Pkcs.Pkcs12Store();
Org.BouncyCastle.Pkcs.X509CertificateEntry certificateEntry =
new Org.BouncyCastle.Pkcs.X509CertificateEntry(bouncyCert);
store.SetCertificateEntry(subject.ToString(), certificateEntry);
store.SetKeyEntry(subject.ToString(),
new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(pair.Private)
, new[] { certificateEntry }
);
Org.BouncyCastle.Security.SecureRandom random =
new Org.BouncyCastle.Security.SecureRandom(
new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator()
);
using (System.IO.MemoryStream stream = new System.IO.MemoryStream())
{
string tempPassword = "******";
store.Save(stream, tempPassword.ToCharArray(), random);
using (System.Security.Cryptography.X509Certificates.X509Certificate2 cert =
new System.Security.Cryptography.X509Certificates.X509Certificate2(
stream.ToArray()
, tempPassword
, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet
| System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable)
)
{
System.Text.StringBuilder builder = new System.Text.StringBuilder();
builder.AppendLine("-----BEGIN CERTIFICATE-----");
builder.AppendLine(System.Convert.ToBase64String(
cert.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)
, System.Base64FormattingOptions.InsertLineBreaks)
);
builder.AppendLine("-----END CERTIFICATE-----");
// PFX
//builder.ToString().Dump("Self-signed Certificate");
} // End Using cert
} // End Using stream
} // End Sub DumpPfx
} // End Sub SelfSignSslCertificate
// https://stackoverflow.com/questions/51703109/nginx-the-ssl-directive-is-deprecated-use-the-listen-ssl
public static Org.BouncyCastle.X509.X509Certificate GenerateRootCertificate()
{
string countryIso2Characters = "EA";
string stateOrProvince = "Europe";
string localityOrCity = "NeutralZone";
string companyName = "Skynet Earth Inc.";
string division = "Skynet mbH";
string domainName = "Skynet";
string email = "*****@*****.**";
Org.BouncyCastle.Security.SecureRandom sr = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
Org.BouncyCastle.X509.X509Certificate caRoot = null;
Org.BouncyCastle.X509.X509Certificate caSsl = null;
// string curveName = "curve25519"; curveName = "secp256k1";
CertificateInfo caCertInfo = new CertificateInfo(
countryIso2Characters, stateOrProvince
, localityOrCity, companyName
, division, domainName, email
, System.DateTime.UtcNow
, System.DateTime.UtcNow.AddYears(5)
);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateEcKeyPair(curveName, sr);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(2048, sr);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDsaKeyPair(1024, sr);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDHKeyPair(1024, sr);
// kp1 = KeyGenerator.GenerateGhostKeyPair(4096, s_secureRandom.Value);
caCertInfo.SubjectKeyPair = KeyImportExport.GetPemKeyPair(kp1);
caCertInfo.IssuerKeyPair = KeyImportExport.GetPemKeyPair(kp1);
caRoot = CerGenerator.GenerateRootCertificate(caCertInfo, sr);
PfxGenerator.CreatePfxFile(@"ca.pfx", caRoot, kp1.Private, null);
CerGenerator.WritePrivatePublicKey("issuer", caCertInfo.IssuerKeyPair);
return(caRoot);
} // End Sub GenerateRootCertificate
} // End Function GenerateRsaKeyPair
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateDsaKeyPair(
int length
, Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
Org.BouncyCastle.Crypto.Generators.DsaParametersGenerator paramgen =
new Org.BouncyCastle.Crypto.Generators.DsaParametersGenerator();
paramgen.Init(length, 100, secureRandom);
Org.BouncyCastle.Crypto.Parameters.DsaKeyGenerationParameters param = new Org.BouncyCastle.Crypto.Parameters.DsaKeyGenerationParameters(secureRandom, paramgen.GenerateParameters());
Org.BouncyCastle.Crypto.Generators.DsaKeyPairGenerator keyGenerator =
new Org.BouncyCastle.Crypto.Generators.DsaKeyPairGenerator();
keyGenerator.Init(param);
return(keyGenerator.GenerateKeyPair());
} // End Function GenerateDsaKeyPair
private static Org.BouncyCastle.X509.X509Certificate SelfSignSslCertificate(
Org.BouncyCastle.Security.SecureRandom random
, Org.BouncyCastle.X509.X509Certificate caRoot
, Org.BouncyCastle.Crypto.AsymmetricKeyParameter subjectPublicKey
, Org.BouncyCastle.Crypto.AsymmetricKeyParameter rootCertPrivateKey
, string[] alternativeNames
)
{
Org.BouncyCastle.X509.X509Certificate caSsl = null;
string countryIso2Characters = "GA";
string stateOrProvince = "Aremorica";
string localityOrCity = "Erquy, Bretagne";
string companyName = "Coopérative Ménhir Obelix Gmbh & Co. KGaA";
string division = "Neanderthal Technology Group (NT)";
string domainName = "localhost";
string email = "webmaster@localhost";
CertificateInfo ci = new CertificateInfo(
countryIso2Characters, stateOrProvince
, localityOrCity, companyName
, division, domainName, email
, System.DateTime.UtcNow
, System.DateTime.UtcNow.AddYears(50)
);
ci.AddAlternativeNames(alternativeNames);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateEcKeyPair(curveName, random);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateRsaKeyPair(2048, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDsaKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair kp1 = KeyGenerator.GenerateDHKeyPair(1024, random);
caSsl = CerGenerator.GenerateSslCertificate(
ci
, subjectPublicKey
, rootCertPrivateKey
, caRoot
, random
);
return(caSsl);
} // End Sub SelfSignSslCertificate
} // End Function GenerateDHKeyPair
public static Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair GenerateEcKeyPair(
Org.BouncyCastle.Asn1.X9.X9ECParameters ecParam
, Org.BouncyCastle.Security.SecureRandom secureRandom
)
{
Org.BouncyCastle.Crypto.Parameters.ECDomainParameters ecDomain =
new Org.BouncyCastle.Crypto.Parameters.ECDomainParameters(ecParam.Curve, ecParam.G, ecParam.N);
Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters keygenParam =
new Org.BouncyCastle.Crypto.Parameters.ECKeyGenerationParameters(ecDomain, secureRandom);
Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator keyGenerator =
new Org.BouncyCastle.Crypto.Generators.ECKeyPairGenerator();
keyGenerator.Init(keygenParam);
return(keyGenerator.GenerateKeyPair());
} // End Function GenerateEcKeyPair
} // End Sub Main
public static void Test()
{
// https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
// Many times nginx -s reload does not work as expected.
// On many systems(Debian, etc.), you would need to use /etc/init.d/nginx reload.
Org.BouncyCastle.Security.SecureRandom random = new Org.BouncyCastle.Security.SecureRandom(NonBackdooredPrng.Create());
Org.BouncyCastle.X509.X509Certificate rootCertificate = GenerateRootCertificate();
PrivatePublicPemKeyPair kpk = new PrivatePublicPemKeyPair();
kpk.PrivateKey = @"issuer_priv.pem";
kpk.PrivateKey = System.IO.File.ReadAllText(kpk.PrivateKey);
// SelfSignSslCertificate(random, rootCertificate, kpk);
System.Security.Cryptography.X509Certificates.X509Certificate2 c0 = new System.Security.Cryptography.X509Certificates.X509Certificate2("obelix.pfx", "");
// c0.PrivateKey
// c0.PublicKey;
System.Security.Cryptography.X509Certificates.X509Certificate2 c1 = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPemFile(@"obelix.crt", @"obelix_priv.pem");
// System.Security.Cryptography.X509Certificates.X509Certificate2 c1 = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPemFile(@"obelix.cer", @"obelix_priv.pem"); // Wrong! Doesn't work
// https://stackoverflow.com/questions/50227580/create-x509certificate2-from-pem-file-in-net-core
// https://stackoverflow.com/questions/48905438/digital-signature-in-c-sharp-without-using-bouncycastle
// Org.BouncyCastle.X509.X509Certificate
// Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(cert);
// Org.BouncyCastle.X509.X509CertificateParser x509 = new Org.BouncyCastle.X509.X509CertificateParser();
// x509.ReadCertificate()
// https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompem?view=net-5.0
// https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompemfile?view=net-5.0
// https://github.com/dotnet/runtime/issues/19581
} // End Sub Test
public static void GenerateKeypair(DnsSecAlgorithm algo, out byte[] privateKey, out byte[] publicKey)
{
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair keyPair = null;
Org.BouncyCastle.Security.SecureRandom random =
new Org.BouncyCastle.Security.SecureRandom(new Org.BouncyCastle.Crypto.Prng.CryptoApiRandomGenerator());
switch (algo)
{
case DnsSecAlgorithm.RsaMd5:
case DnsSecAlgorithm.RsaSha1:
case DnsSecAlgorithm.RsaSha256:
case DnsSecAlgorithm.RsaSha512:
case DnsSecAlgorithm.RsaSha1Nsec3Sha1:
keyPair = GenerateRsaKeyPair(random, 4096);
break;
case DnsSecAlgorithm.DiffieHellman:
keyPair = GenerateDiffieHellmanKeyPair(random, 256);
break;
case DnsSecAlgorithm.Dsa:
case DnsSecAlgorithm.DsaNsec3Sha1:
keyPair = GenerateDsaKeyPair(random, 1024); // size must be from 512 - 1024 and a multiple of 64
break;
case DnsSecAlgorithm.EcDsaP256Sha256:
case DnsSecAlgorithm.EcDsaP384Sha384:
keyPair = GenerateEcdsaKeyPair(random); // TODO: Pass curve
break;
case DnsSecAlgorithm.EccGost:
keyPair = GenerateGost3410KeyPair(random, 512); // 512 or 1024
break;
case DnsSecAlgorithm.Indirect:
case DnsSecAlgorithm.PrivateDns:
case DnsSecAlgorithm.PrivateOid:
throw new System.NotImplementedException("Indirect | PrivateDns | PrivateOid");
}
publicKey = Org.BouncyCastle.X509.SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public).GetEncoded();
privateKey = Org.BouncyCastle.Pkcs.PrivateKeyInfoFactory.CreatePrivateKeyInfo(keyPair.Private).GetEncoded();
}
/// <summary>
/// Generates secure random byte array of set length
/// </summary>
/// <param name="len">length of return byte array</param>
/// <returns>secure random byte array of set length</returns>
private static byte[] GenSecRandomBytes(int len)
{
var rand = new Org.BouncyCastle.Security.SecureRandom();
var bytes = new byte[len];
rand.NextBytes(bytes);
return bytes;
}
