private X509ExtensionsGenerator GetExtensionsGenerator(string[] altnames)
{
X509ExtensionsGenerator extGenerator = new X509ExtensionsGenerator();
var(basicConstrainsCritical, basicConstraintsExt) = GetBasicConstraints();
var(keyUsageCritical, keyUsageExt) = GetKeyUsage();
var(extKeyUsageCritical, extKeyUsageExt) = GetExtendedUsage();
var(altNamesCritical, altNamesExt) = GetSubjectAltName(altnames);
if (basicConstraintsExt != null)
{
extGenerator.AddExtension(X509Extensions.BasicConstraints, basicConstrainsCritical, basicConstraintsExt);
}
if (keyUsageExt != null)
{
extGenerator.AddExtension(X509Extensions.KeyUsage, keyUsageCritical, keyUsageExt);
}
if (extKeyUsageExt != null)
{
extGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, extKeyUsageCritical, extKeyUsageExt);
}
if (altNamesExt != null)
{
extGenerator.AddExtension(X509Extensions.SubjectAlternativeName, altNamesCritical, altNamesExt);
}
return(extGenerator);
}
/// <summary>
/// Get an X509Extensions object containing all extensions from the request
/// </summary>
/// <returns>List of extension (or null)</returns>
private X509Extensions getExtensions()
{
if (Attributes == null)
{
return(null);
}
DerObjectIdentifier ExtensionsOid = new DerObjectIdentifier("1.2.840.113549.1.9.14");
if (attributes.ContainsKey(ExtensionsOid))
{
X509ExtensionsGenerator gen = new X509ExtensionsGenerator();
bool critical;
foreach (DerSequence outer in attributes[ExtensionsOid])
{
foreach (DerSequence inner in outer)
{
// Note that the extension value is wrapped in an OctetString, but the generator expects an unwrapped value
if (inner.Count == 3) // Critical flag set
{
critical = isTrue((DerBoolean)inner[1]); // Just in case it is false
gen.AddExtension((DerObjectIdentifier)inner[0], critical, ((DerOctetString)inner[2]).GetOctets());
}
else // Count==2; Critical flag not set
{
gen.AddExtension((DerObjectIdentifier)inner[0], false, ((DerOctetString)inner[1]).GetOctets());
}
}
}
return(gen.Generate());
}
return(null);
}
public void Read_WithExtensions_ReturnsInstance()
{
var extensionsGenerator = new X509ExtensionsGenerator();
extensionsGenerator.AddExtension(
new DerObjectIdentifier("1.2.3.4.5.1"), critical: true, extValue: new byte[1] {
1
});
extensionsGenerator.AddExtension(
new DerObjectIdentifier("1.2.3.4.5.2"), critical: false, extValue: new byte[1] {
2
});
var extensions = extensionsGenerator.Generate();
var test = new Test()
{
Extensions = extensions
};
var bcTstInfo = test.CreateBcTstInfo();
var tstInfo = TstInfo.Read(bcTstInfo.GetDerEncoded());
Verify(test, tstInfo);
Verify(bcTstInfo, tstInfo);
}
/// <summary>
/// Gets the <see cref="OcspResp"/> for the <see cref="OcspReq"/>
/// </summary>
/// <param name="ocspRequest"></param>
/// <param name="issuerCertificate"></param>
/// <returns></returns>
private async Task <OcspResp> GetOcspDefinitiveResponse(OcspReq ocspRequest, X509Certificate issuerCertificate)
{
var basicResponseGenerator = new BasicOcspRespGenerator(
new RespID(
await OcspResponderRepository.GetResponderPublicKey(issuerCertificate)));
var extensionsGenerator = new X509ExtensionsGenerator();
var nextUpdate = await OcspResponderRepository.GetNextUpdate();
foreach (var request in ocspRequest.GetRequestList())
{
var certificateId = request.GetCertID();
var serialNumber = certificateId.SerialNumber;
CertificateStatus certificateStatus;
CaCompromisedStatus caCompromisedStatus = await OcspResponderRepository.IsCaCompromised(issuerCertificate);
if (caCompromisedStatus.IsCompromised)
{
// See section 2.7 of RFC 6960
certificateStatus = new RevokedStatus(caCompromisedStatus.CompromisedDate.Value.UtcDateTime, (int)RevocationReason.CACompromise);
}
else
{
// Se section 2.2 of RFC 6960
if (await OcspResponderRepository.SerialExists(serialNumber, issuerCertificate))
{
var status = await OcspResponderRepository.SerialIsRevoked(serialNumber, issuerCertificate);
certificateStatus = status.IsRevoked
? new RevokedStatus(status.RevokedInfo.Date.UtcDateTime, (int)status.RevokedInfo.Reason)
: CertificateStatus.Good;
}
else
{
certificateStatus = new RevokedStatus(new DateTime(1970, 1, 1), CrlReason.CertificateHold);
extensionsGenerator.AddExtension(OcspObjectIdentifierExtensions.PkixOcspExtendedRevoke, false, DerNull.Instance.GetDerEncoded());
}
}
basicResponseGenerator.AddResponse(certificateId, certificateStatus, DateTimeOffset.UtcNow.DateTime, nextUpdate.UtcDateTime, null);
}
SetNonceExtension(ocspRequest, extensionsGenerator);
basicResponseGenerator.SetResponseExtensions(extensionsGenerator.Generate());
// Algorithm that all clients shall accept as defined in section 4.3 of RFC 6960
const string signatureAlgorithm = "sha256WithRSAEncryption";
var basicOcspResponse = basicResponseGenerator.Generate(
signatureAlgorithm,
await OcspResponderRepository.GetResponderPrivateKey(issuerCertificate),
await OcspResponderRepository.GetChain(issuerCertificate),
nextUpdate.UtcDateTime);
var ocspResponse = OcspResponseGenerator.Generate(OcspRespStatus.Successful, basicOcspResponse);
return(ocspResponse);
}
private static void Verify(IReadOnlyList <TestExtension> testExtensions)
{
var bcExtensionsGenerator = new X509ExtensionsGenerator();
foreach (var testExtension in testExtensions)
{
bcExtensionsGenerator.AddExtension(
new DerObjectIdentifier(testExtension.Id.Value), testExtension.IsCritical, testExtension.Value);
}
var bcExtensions = bcExtensionsGenerator.Generate();
var extensions = Extensions.Read(bcExtensions.GetDerEncoded());
Assert.Equal(testExtensions.Count, extensions.ExtensionsList.Count);
var i = 0;
foreach (var extensionOid in bcExtensions.GetExtensionOids())
{
var bcExtension = bcExtensions.GetExtension(extensionOid);
var testExtension = testExtensions[i];
var extension = extensions.ExtensionsList[i];
Assert.Equal(testExtension.Id.Value, extension.Id.Value);
Assert.Equal(testExtension.IsCritical, extension.Critical);
Assert.Equal(testExtension.Value, extension.Value);
Assert.Equal(extensionOid.Id, extension.Id.Value);
Assert.Equal(bcExtension.IsCritical, extension.Critical);
Assert.Equal(bcExtension.Value.GetOctets(), extension.Value);
++i;
}
}
/// <summary>
/// Add nonce extension if it exists in the request
/// </summary>
/// <param name="ocspRequest">ocsp request</param>
/// <param name="extensionsGenerator">extensions generator</param>
private void SetNonceExtension(OcspReq ocspRequest, X509ExtensionsGenerator extensionsGenerator)
{
var nonce = ocspRequest.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
if (nonce != null)
{
extensionsGenerator.AddExtension(OcspObjectIdentifiers.PkixOcspNonce, false, nonce.GetOctets());
}
}
public static void CreateCert(string parentcer, string csrFile)
{
var issuer = new X509CertificateParser().ReadCertificate(File.OpenRead(parentcer));
var reader = new PemReader(File.OpenText(csrFile));
var csr = (Pkcs10CertificationRequest)(reader.ReadObject());
var csrinfo = csr.GetCertificationRequestInfo();
AlgorithmIdentifier sigAlgId = new AlgorithmIdentifier(PkcsObjectIdentifiers.Sha256WithRsaEncryption);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
BigInteger serial = new BigInteger(128, new SecureRandom());
DateTime from = new DateTime(DateTime.Now.Year, DateTime.Now.Month, DateTime.Now.Day);
DateTime to = from.AddYears(5);
V3TbsCertificateGenerator tbsGen = new V3TbsCertificateGenerator();
tbsGen.SetIssuer(issuer.SubjectDN);
tbsGen.SetSerialNumber(new DerInteger(serial));
tbsGen.SetStartDate(new Time(from));
tbsGen.SetEndDate(new Time(to));
tbsGen.SetSubjectPublicKeyInfo(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(csr.GetPublicKey()));
tbsGen.SetSubject(csrinfo.Subject);
// add certificate purposes
Asn1EncodableVector vector = new Asn1EncodableVector();
vector.Add(new DerObjectIdentifier("1.3.6.1.5.5.7.3.2"));
vector.Add(new DerObjectIdentifier("1.3.6.1.4.1.311.20.2.2"));
vector.Add(new DerObjectIdentifier("1.3.6.1.4.1.311.10.3.12"));
vector.Add(new DerObjectIdentifier("1.3.6.1.5.5.7.3.4"));
DerSequence seq = new DerSequence(vector);
X509ExtensionsGenerator extGenerator = new X509ExtensionsGenerator();
extGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, seq);
tbsGen.SetExtensions(extGenerator.Generate());
tbsGen.SetSignature(sigAlgId);
TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate();
// save the TBS
System.IO.File.WriteAllBytes("tbs.cer", tbsCert.GetDerEncoded());
Console.WriteLine("generate the signature (SHA->DER->ENCRYPT) for tbs.cer and call it tbs.sig");
Console.WriteLine("And then press enter");
Console.ReadLine();
var t1 = GenerateJcaObject(tbsCert, sigAlgId, System.IO.File.ReadAllBytes("tbs.sig").Take(256).ToArray());
System.IO.File.WriteAllBytes("cert.cer", t1.GetEncoded());
Console.WriteLine("saved as cert.cer");
}
MakePartialCert(X509KeyUsage keyUsage, AlgorithmIdentifier algID = null,
string issuer = null, string subject = null,
DateTime?notBefore = null, DateTime?notAfter = null)
{
X509ExtensionsGenerator g = new X509ExtensionsGenerator();
g.AddExtension(X509Extensions.KeyUsage, true, keyUsage);
return(new PartialCertificate()
{
Issuer = new X509Name(issuer ?? "CN=TPM Test Issuer,O=TPM Test Suite"),
NotBefore = notBefore ?? new DateTime(2000, 1, 1),
NotAfter = notAfter ?? new DateTime(2999, 12, 31),
Subject = new X509Name(subject ?? "CN=TPM X509 CA,O=MSFT"),
SigAlgID = algID,
Extensions = g.Generate()
});
}
private static TbsCertificateStructure CreateTbsForVerification(X509Certificate2 preCertificate, IssuerInformation issuerInformation)
{
if (preCertificate.Version < 3)
{
throw new InvalidOperationException("PreCertificate version must be 3 or higher!");
}
var asn1Obj = Asn1Object.FromByteArray(preCertificate.GetTbsCertificateRaw());
var tbsCert = TbsCertificateStructure.GetInstance(asn1Obj);
var hasX509AuthorityKeyIdentifier = tbsCert.Extensions.GetExtension(new DerObjectIdentifier(Constants.X509AuthorityKeyIdentifier)) != null;
if (hasX509AuthorityKeyIdentifier &&
issuerInformation.IssuedByPreCertificateSigningCert &&
issuerInformation.X509AuthorityKeyIdentifier == null)
{
throw new InvalidOperationException("PreCertificate was not signed by a PreCertificate signing cert");
}
var orderedExtensions = GetExtensionsWithoutPoisonAndSct(tbsCert.Extensions, issuerInformation.X509AuthorityKeyIdentifier);
var generator = new V3TbsCertificateGenerator();
generator.SetSerialNumber(tbsCert.SerialNumber);
generator.SetSignature(tbsCert.Signature);
generator.SetIssuer(issuerInformation.Name ?? tbsCert.Issuer);
generator.SetStartDate(tbsCert.StartDate);
generator.SetEndDate(tbsCert.EndDate);
generator.SetSubject(tbsCert.Subject);
generator.SetSubjectPublicKeyInfo(tbsCert.SubjectPublicKeyInfo);
generator.SetIssuerUniqueID(tbsCert.IssuerUniqueID);
generator.SetSubjectUniqueID(tbsCert.SubjectUniqueID);
var extensionsGenerator = new X509ExtensionsGenerator();
foreach (var e in orderedExtensions)
{
extensionsGenerator.AddExtension(e.Key, e.Value.IsCritical, e.Value.GetParsedValue());
}
generator.SetExtensions(extensionsGenerator.Generate());
return(generator.GenerateTbsCertificate());
}
/// <summary>
/// Makes a minimal partial certificate for a signing key
/// </summary>
/// <returns></returns>
internal static PartialCertificate MakeExemplarPartialCert()
{
X509ExtensionsGenerator g = new X509ExtensionsGenerator();
g.AddExtension(X509Extensions.KeyUsage, true, new X509KeyUsage(X509KeyUsage.KeyCertSign));
var tt = new X509KeyUsage(X509KeyUsage.KeyCertSign);
var yy = tt.GetDerEncoded();
return(new PartialCertificate()
{
Issuer = new X509Name("CN=TPM Test Issuer,O=TPM Test Suite"),
NotBefore = new DateTime(2000, 1, 1),
NotAfter = new DateTime(2999, 12, 31),
Subject = new X509Name("CN=TPM X509 CA,O=MSFT"),
// IssuerUniqueId = new byte[32],
// SubjectUniqueId = new byte[32],
Extensions = g.Generate()
});
}
/// <summary>
/// Get an X509Extensions object containing all extensions from the request
/// </summary>
/// <returns>List of extension (or null)</returns>
private X509Extensions getExtensions()
{
if (Attributes == null)
{
return(null);
}
DerObjectIdentifier ExtensionsOid = new DerObjectIdentifier("1.2.840.113549.1.9.14");
// Iterate over the Attributes
foreach (object entry in Attributes)
{
AttributePkcs attrib = AttributePkcs.GetInstance(entry);
// Find the Attribute entry that has extensions in it
if (ExtensionsOid.Equals(attrib.AttrType))
{
X509ExtensionsGenerator gen = new X509ExtensionsGenerator();
bool critical;
foreach (DerSequence outer in attrib.AttrValues)
{
foreach (DerSequence inner in outer)
{
// Note that the extension value is wrapped in an OctetString, but the generator expects an unwrapped value
if (inner.Count == 3) // Critical flag set
{
critical = isTrue((DerBoolean)inner[1]); // Just in case it is false
gen.AddExtension((DerObjectIdentifier)inner[0], critical, ((DerOctetString)inner[2]).GetOctets());
}
else // Count==2; Critical flag not set
{
gen.AddExtension((DerObjectIdentifier)inner[0], false, ((DerOctetString)inner[1]).GetOctets());
}
}
}
return(gen.Generate());
}
}
return(null);
}
private void additionalExtensionTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
tsTokenGen.SetTsa(new Asn1.X509.GeneralName(new X509Name("CN=Test")));
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
X509ExtensionsGenerator extensionsGenerator = new X509ExtensionsGenerator();
extensionsGenerator.AddExtension(X509Extensions.AuditIdentity, false, new DerUtf8String("Test"));
TimeStampResponse tsResp = tsRespGen.GenerateGrantedResponse(request, new BigInteger("23"), new DateTimeObject(DateTime.UtcNow), "Okay", extensionsGenerator.Generate());
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
Asn1.Cms.AttributeTable table = tsToken.SignedAttributes;
Assert.NotNull(table[PkcsObjectIdentifiers.IdAASigningCertificate], "no signingCertificate attribute found");
X509Extensions ext = tsToken.TimeStampInfo.TstInfo.Extensions;
Assert.True(1 == ext.GetExtensionOids().Length);
X509Extension left = new X509Extension(DerBoolean.False, new DerOctetString(new DerUtf8String("Test").GetEncoded()));
Assert.True(left.Equals(ext.GetExtension(X509Extensions.AuditIdentity)));
}
public TimeStampToken Generate(
TimeStampRequest request,
BigInteger serialNumber,
DateTime genTime, X509Extensions additionalExtensions)
{
DerObjectIdentifier digestAlgOID = new DerObjectIdentifier(request.MessageImprintAlgOid);
AlgorithmIdentifier algID = new AlgorithmIdentifier(digestAlgOID, DerNull.Instance);
MessageImprint messageImprint = new MessageImprint(algID, request.GetMessageImprintDigest());
Accuracy accuracy = null;
if (accuracySeconds > 0 || accuracyMillis > 0 || accuracyMicros > 0)
{
DerInteger seconds = null;
if (accuracySeconds > 0)
{
seconds = new DerInteger(accuracySeconds);
}
DerInteger millis = null;
if (accuracyMillis > 0)
{
millis = new DerInteger(accuracyMillis);
}
DerInteger micros = null;
if (accuracyMicros > 0)
{
micros = new DerInteger(accuracyMicros);
}
accuracy = new Accuracy(seconds, millis, micros);
}
DerBoolean derOrdering = null;
if (ordering)
{
derOrdering = DerBoolean.GetInstance(ordering);
}
DerInteger nonce = null;
if (request.Nonce != null)
{
nonce = new DerInteger(request.Nonce);
}
DerObjectIdentifier tsaPolicy = new DerObjectIdentifier(tsaPolicyOID);
if (request.ReqPolicy != null)
{
tsaPolicy = new DerObjectIdentifier(request.ReqPolicy);
}
X509Extensions respExtensions = request.Extensions;
if (additionalExtensions != null)
{
X509ExtensionsGenerator extGen = new X509ExtensionsGenerator();
if (respExtensions != null)
{
foreach (object oid in respExtensions.ExtensionOids)
{
DerObjectIdentifier id = DerObjectIdentifier.GetInstance(oid);
extGen.AddExtension(id, respExtensions.GetExtension(DerObjectIdentifier.GetInstance(id)));
}
}
foreach (object oid in additionalExtensions.ExtensionOids)
{
DerObjectIdentifier id = DerObjectIdentifier.GetInstance(oid);
extGen.AddExtension(id, additionalExtensions.GetExtension(DerObjectIdentifier.GetInstance(id)));
}
respExtensions = extGen.Generate();
}
DerGeneralizedTime generalizedTime;
if (resolution != Resolution.R_SECONDS)
{
generalizedTime = new DerGeneralizedTime(createGeneralizedTime(genTime));
}
else
{
generalizedTime = new DerGeneralizedTime(genTime);
}
TstInfo tstInfo = new TstInfo(tsaPolicy, messageImprint,
new DerInteger(serialNumber), generalizedTime, accuracy,
derOrdering, nonce, tsa, respExtensions);
try
{
CmsSignedDataGenerator signedDataGenerator = new CmsSignedDataGenerator();
byte[] derEncodedTstInfo = tstInfo.GetDerEncoded();
if (request.CertReq)
{
signedDataGenerator.AddCertificates(x509Certs);
}
signedDataGenerator.AddCrls(x509Crls);
signedDataGenerator.AddSignerInfoGenerator(signerInfoGenerator);
CmsSignedData signedData = signedDataGenerator.Generate(
PkcsObjectIdentifiers.IdCTTstInfo.Id,
new CmsProcessableByteArray(derEncodedTstInfo),
true);
return(new TimeStampToken(signedData));
}
catch (CmsException cmsEx)
{
throw new TspException("Error generating time-stamp token", cmsEx);
}
catch (IOException e)
{
throw new TspException("Exception encoding info", e);
}
catch (X509StoreException e)
{
throw new TspException("Exception handling CertStore", e);
}
// catch (InvalidAlgorithmParameterException e)
// {
// throw new TspException("Exception handling CertStore CRLs", e);
// }
}
/// <summary>
/// Creates an ASN.1 DER-encoded PKCS#10 CertificationRequest object representing
/// the current state of this CertificateRequest object.
/// </summary>
/// <returns>An ASN.1 DER-encoded certificate signing request.</returns>
public byte[] ExportSigningRequest(PkiEncodingFormat format)
{
if (!HasPrivateKey)
{
throw new InvalidOperationException("cannot export CSR without a private key");
}
// Based on:
// https://github.com/bcgit/bc-csharp/blob/master/crypto/test/src/pkcs/test/PKCS10Test.cs
// https://stackoverflow.com/questions/46182659/how-to-delay-sign-the-certificate-request-using-bouncy-castle-with-ecdsa-signatu
// http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation:
// #X.509PublicKeyCertificateandCertificationRequestGeneration-EllipticCurve(ECDSA)
// #X.509PublicKeyCertificateandCertificationRequestGeneration-RSA
// #X.509PublicKeyCertificateandCertificationRequestGeneration-CreatingCertificationRequests
// https://stackoverflow.com/a/37563051/5428506
var x509name = new X509Name(SubjectName);
var pubKey = _keyPair.PublicKey.NativeKey;
var prvKey = _keyPair.PrivateKey.NativeKey;
// Asn1Set attrSet = null;
// if (CertificateExtensions.Count > 0)
// {
// var certExts = CertificateExtensions.ToDictionary(
// ext => ext.Identifier, ext => ext.Value);
// var csrAttrs = new[]
// {
// new Org.BouncyCastle.Asn1.Cms.Attribute(
// PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,
// new DerSet(new X509Extensions(certExts))),
// };
// attrSet = new DerSet(csrAttrs);
// }
// Based on:
// http://forum.rebex.net/4284/pkcs10-certificate-request-example-provided-castle-working
var extGen = new X509ExtensionsGenerator();
foreach (var ext in CertificateExtensions)
{
extGen.AddExtension(ext.Identifier, ext.IsCritical, ext.Value);
}
var attr = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,
new DerSet(extGen.Generate()));
var sigFactory = ComputeSignatureAlgorithm(prvKey);
var pkcs10 = new Pkcs10CertificationRequest(sigFactory, x509name,
pubKey, new DerSet(attr), prvKey);
switch (format)
{
case PkiEncodingFormat.Pem:
using (var sw = new StringWriter())
{
var pemWriter = new PemWriter(sw);
pemWriter.WriteObject(pkcs10);
return(Encoding.UTF8.GetBytes(sw.GetStringBuilder().ToString()));
}
case PkiEncodingFormat.Der:
return(pkcs10.GetDerEncoded());
default:
throw new NotSupportedException();
}
}
public override void PerformTest()
{
X509ExtensionsGenerator gen = new X509ExtensionsGenerator();
gen.AddExtension(Oid1, true, new byte[20]);
gen.AddExtension(Oid2, true, new byte[20]);
X509Extensions ext1 = gen.Generate();
X509Extensions ext2 = gen.Generate();
if (!ext1.Equals(ext2))
{
Fail("Equals test failed");
}
gen.Reset();
gen.AddExtension(Oid2, true, new byte[20]);
gen.AddExtension(Oid1, true, new byte[20]);
ext2 = gen.Generate();
if (ext1.Equals(ext2))
{
Fail("inequality test failed");
}
if (!ext1.Equivalent(ext2))
{
Fail("equivalence true failed");
}
gen.Reset();
gen.AddExtension(Oid1, true, new byte[22]);
gen.AddExtension(Oid2, true, new byte[20]);
ext2 = gen.Generate();
if (ext1.Equals(ext2))
{
Fail("inequality 1 failed");
}
if (ext1.Equivalent(ext2))
{
Fail("non-equivalence 1 failed");
}
gen.Reset();
gen.AddExtension(Oid3, true, new byte[20]);
gen.AddExtension(Oid2, true, new byte[20]);
ext2 = gen.Generate();
if (ext1.Equals(ext2))
{
Fail("inequality 2 failed");
}
if (ext1.Equivalent(ext2))
{
Fail("non-equivalence 2 failed");
}
try
{
gen.AddExtension(Oid2, true, new byte[20]);
Fail("repeated oid");
}
catch (ArgumentException e)
{
if (!e.Message.Equals("extension 1.2.2 already added"))
{
Fail("wrong exception on repeated oid: " + e.Message);
}
}
}
private async Task ProcessCsrGeneration(ThingToGenerate toGenerate)
{
SetStatusAndProgress("Generating...");
var(keyGenerator, signerFactoryFactory) = await CsrGetKeyGeneratorAsync();
var lines = txtCsrDomains.Text
.Split('\r')
.Select(x => x.Trim())
.Where(x => !string.IsNullOrEmpty(x))
.Select(x => x.Split(';', ',').Select(y => y.Trim()).Where(y => !string.IsNullOrEmpty(y)).ToArray())
.Where(x => x.Length >= 1)
.ToArray();
string dnO = txtCsrSubjO.Text.Trim();
string dnOU = txtCsrSubjOU.Text.Trim();
string dnC = txtCsrSubjC.Text.Trim();
string dnST = txtCsrSubjST.Text.Trim();
string dnL = txtCsrSubjL.Text.Trim();
string dnEmail = txtCsrSubjEmail.Text.Trim();
var dnOrdering = new List <DerObjectIdentifier>();
var dnValues = new List <string>();
dnOrdering.Add(X509Name.CN);
dnValues.Add("<placeholder>");
if (!string.IsNullOrEmpty(dnO))
{
dnOrdering.Add(X509Name.O); dnValues.Add(dnO);
}
if (!string.IsNullOrEmpty(dnOU))
{
dnOrdering.Add(X509Name.OU); dnValues.Add(dnOU);
}
if (!string.IsNullOrEmpty(dnC))
{
dnOrdering.Add(X509Name.C); dnValues.Add(dnC);
}
if (!string.IsNullOrEmpty(dnST))
{
dnOrdering.Add(X509Name.ST); dnValues.Add(dnST);
}
if (!string.IsNullOrEmpty(dnL))
{
dnOrdering.Add(X509Name.L); dnValues.Add(dnL);
}
if (!string.IsNullOrEmpty(dnEmail))
{
dnOrdering.Add(X509Name.EmailAddress); dnValues.Add(dnEmail);
}
int cnt = 0;
foreach (var line in lines)
{
SetStatusAndProgress("Generating...", (double)cnt++ / lines.Length);
string cn = line[0];
string[] altnames = line;
var dnValuesThese = dnValues.ToArray();
dnValuesThese[0] = cn;
var keyPath = Path.Combine(CurrentWorkingDirectory, FixFilename($"{cn}.key"));
AsymmetricCipherKeyPair key = null;
if (rdCsrUseExistingKey.Checked && File.Exists(keyPath))
{
try
{
PemReader pr = new PemReader(File.OpenText(keyPath));
key = pr.ReadObject() as AsymmetricCipherKeyPair;
}
catch { key = null; }
}
if (key == null)
{
key = await Task.Factory.StartNew(() => keyGenerator.GenerateKeyPair());
WriteToPemFile(keyPath, key);
}
X509Name subject = new X509Name(dnOrdering, dnValuesThese);
if ((toGenerate | ThingToGenerate.Csr) == ThingToGenerate.Csr)
{
X509ExtensionsGenerator extGenerator = GetExtensionsGenerator(altnames);
var exts = extGenerator.Generate();
Asn1Set attrs = new DerSet(new DerSequence(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, new DerSet(exts)));
var req = new Pkcs10CertificationRequest(
signerFactoryFactory(key.Private),
subject,
key.Public,
attrs,
key.Private);
if (!req.Verify())
{
throw new InvalidOperationException("Generated an invalid CSR.");
}
WriteToPemFile(Path.Combine(CurrentWorkingDirectory, FixFilename($"{cn}.csr")), req);
}
if ((toGenerate | ThingToGenerate.SelfSignedCert) == ThingToGenerate.SelfSignedCert)
{
SecureRandom sr = new SecureRandom();
X509V3CertificateGenerator certgen = new X509V3CertificateGenerator();
certgen.SetSerialNumber(new BigInteger(128, sr));
certgen.SetIssuerDN(subject);
certgen.SetSubjectDN(subject);
certgen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certgen.SetNotAfter(DateTime.Today.AddYears(30));
certgen.SetPublicKey(key.Public);
foreach (var ext in GetExtensions(altnames))
{
certgen.AddExtension(ext.oid, ext.isCritical, ext.section);
}
ISignatureFactory signer;
if (key.Private is ECPrivateKeyParameters)
{
signer = new Asn1SignatureFactory("SHA256WITHECDSA", key.Private, sr);
}
else
{
signer = new Asn1SignatureFactory("SHA256WITHRSA", key.Private, sr);
}
var cert = certgen.Generate(signer);
cert.CheckValidity();
cert.Verify(key.Public);
WriteToPemFile(Path.Combine(CurrentWorkingDirectory, FixFilename($"{cn}.cer")), cert);
}
}
SetStatusAndProgress("Generating CSRs", 1);
}
public CertificateRequestMessageBuilder(BigInteger certReqId)
{
this._certReqId = certReqId;
this._extGenerator = new X509ExtensionsGenerator();
this._templateBuilder = new CertTemplateBuilder();
}
