public void Oid2FindByValueTest() { // First lookup using all groups Oid2 sha1 = Oid2.FindByValue("1.3.14.3.2.26"); Assert.AreEqual("sha1", sha1.FriendlyName); Assert.AreEqual("1.3.14.3.2.26", sha1.Value); Assert.AreEqual(OidGroup.HashAlgorithm, sha1.Group); if (Environment.OSVersion.Version.Major >= 6) { Assert.AreEqual(CngAlgorithm.Sha1, sha1.CngAlgorithm); Assert.IsNull(sha1.CngExtraAlgorithm); } else { Assert.IsNull(sha1.CngAlgorithm); Assert.IsNull(sha1.CngExtraAlgorithm); } // Make sure it also works for search within a specific group sha1 = Oid2.FindByValue("1.3.14.3.2.26", OidGroup.HashAlgorithm); Assert.AreEqual("sha1", sha1.FriendlyName); Assert.AreEqual("1.3.14.3.2.26", sha1.Value); Assert.AreEqual(OidGroup.HashAlgorithm, sha1.Group); if (Environment.OSVersion.Version.Major >= 6) { Assert.AreEqual(CngAlgorithm.Sha1, sha1.CngAlgorithm); Assert.IsNull(sha1.CngExtraAlgorithm); } else { Assert.IsNull(sha1.CngAlgorithm); Assert.IsNull(sha1.CngExtraAlgorithm); } }
static Boolean verifySignature(PublicKey publicKey, Byte[] message, Byte[] signature, Oid hashalgorithm) { Oid2 oid = new Oid2(hashalgorithm.Value, OidGroupEnum.SignatureAlgorithm, true); if (String.IsNullOrEmpty(oid.FriendlyName)) { throw new ArgumentException("Specified signature algorithm is not supported."); } switch (publicKey.Oid.Value) { // RSA case "1.2.840.113549.1.1.1": return(verifyRSA(publicKey, message, signature, hashalgorithm)); // DSA case "1.2.840.10040.4.1": return(verifyDSA(publicKey, message, signature)); // ECC case "1.2.840.10045.2.1": ECDsaCng key = bindPublicKey(publicKey); return(verifyECC(key, message, signature, hashalgorithm.Value)); default: return(false); } }
/// <summary> /// Initializes a new instance of the <strong>MessageSigner</strong> class from signer certificate and /// client-provided hash algorithm. /// </summary> /// <param name="signer">Signer certificate with associated private key.</param> /// <param name="hashAlgorithm"> /// Hash algorithm that is used to calculate the hash during signing or signature verification /// processes. /// </param> /// <exception cref="ArgumentException"> /// <strong>hashAlgorithm</strong> parameter contains invalid hash algorithm identifier. /// </exception> /// <exception cref="UninitializedObjectException">Signer certificate is not initialized.</exception> /// <exception cref="ArgumentNullException"> /// <strong>signer</strong> and/or <strong>hashAlgorithm</strong> parameter is null. /// </exception> /// <remarks> /// Currently the following hash algorithms are supported: /// <list type="bullet"> /// <item>MD5</item> /// <item>SHA1</item> /// <item>SHA256</item> /// <item>SHA384</item> /// <item>SHA512</item> /// </list> /// Hash algorithm is ignored for DSA keys and is automatically set to 'SHA1'. /// </remarks> public MessageSigner(X509Certificate2 signer, Oid2 hashAlgorithm) { if (signer == null) { throw new ArgumentNullException(nameof(signer)); } if (hashAlgorithm == null) { throw new ArgumentNullException(nameof(hashAlgorithm)); } if (IntPtr.Zero.Equals(signer.Handle)) { throw new UninitializedObjectException(); } if (hashAlgorithm.OidGroup == OidGroupEnum.SignatureAlgorithm) { mapSignatureAlgorithmToHashAlgorithm(hashAlgorithm.Value, null); } else { HashingAlgorithm = hashAlgorithm; } SignerCertificate = signer; switch (SignerCertificate.PublicKey.Oid.Value) { case AlgorithmOids.RSA: switch (hashAlgorithm.Value) { case AlgorithmOids.MD5: // md5 PssSaltByteCount = 16; break; case AlgorithmOids.SHA1: // sha1 PssSaltByteCount = 20; break; case AlgorithmOids.SHA256: // sha256 PssSaltByteCount = 32; break; case AlgorithmOids.SHA384: // sha384 PssSaltByteCount = 48; break; case AlgorithmOids.SHA512: // sha512 PssSaltByteCount = 64; break; } break; case AlgorithmOids.DSA: // force SHA1 for DSA keys HashingAlgorithm = new Oid2(AlgorithmOids.SHA1, false); break; } acquirePublicKey(SignerCertificate.PublicKey); }
public void Oid2ToOidTest() { Oid2 oid2 = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm, 0x800c, CngAlgorithm.Sha256, CngAlgorithm.Sha512); Oid oid = oid2.ToOid(); Assert.AreEqual(oid2.Value, oid.Value); Assert.AreEqual(oid2.FriendlyName, oid.FriendlyName); }
/// <summary> /// Create an alternate name for the given blob /// </summary> /// <param name="blob">raw alternate name blob</param> /// <param name="oid">OID describing the type of alternate name</param> /// <exception cref="ArgumentNullException"> /// if <paramref name="blob"/> or <paramref name="oid"/> are null /// </exception> public X509AlternateNameOther(byte[] blob, Oid2 oid) : base(AlternateNameType.OtherName, blob) { if (oid == null) { throw new ArgumentNullException("oid"); } m_oid = oid; }
/// <summary> /// Computes the hash value of the specified byte array using the specified hash algorithm, and signs the resulting hash value. /// </summary> /// <param name="certificate">An <see cref="X509Certificate2"/> object of the signer certificate.</param> /// <param name="message">Message to be signed.</param> /// <param name="hashAlgorithm">The name of the hash algorithm to use in the signature.</param> /// <returns>The signature for the specified data.</returns> public static Byte[] SignMessage(X509Certificate2 certificate, Byte[] message, Oid hashAlgorithm) { IntPtr phCryptProv = IntPtr.Zero; UInt32 pdwKeySpec = 0; Boolean pfCallerFreeProv = false; if (!Crypt32.CryptAcquireCertificatePrivateKey(certificate.Handle, 0x00010000, IntPtr.Zero, ref phCryptProv, ref pdwKeySpec, ref pfCallerFreeProv)) { throw new CryptographicException(Marshal.GetLastWin32Error()); } Oid2 hashalgorithm = new Oid2( hashAlgorithm.FriendlyName.ToLower() .Replace("rsa", null) .Replace("ecdsa", null), OidGroupEnum.HashAlgorithm, true); String hashAlg; // true -> CNG, false -> legacy if (pdwKeySpec == UInt32.MaxValue) { Byte[] hashBytes = calculateHash(message, hashalgorithm, false, out hashAlg); try { UInt32 pcbResult; Int32 hresult = nCrypt.NCryptSignHash(phCryptProv, IntPtr.Zero, hashBytes, (UInt32)hashBytes.Length, null, 0, out pcbResult, 0); if (hresult != 0) { throw new CryptographicException(hresult); } Byte[] pbSignature = new byte[pcbResult]; hresult = nCrypt.NCryptSignHash(phCryptProv, IntPtr.Zero, hashBytes, (UInt32)hashBytes.Length, pbSignature, (UInt32)pbSignature.Length, out pcbResult, 0); if (hresult != 0) { throw new CryptographicException(hresult); } return(pbSignature); } finally { if (pfCallerFreeProv) { nCrypt.NCryptFreeObject(phCryptProv); } } } if (pfCallerFreeProv) { AdvAPI.CryptReleaseContext(phCryptProv, 0); } calculateHash(message, hashalgorithm, false, out hashAlg); RSACryptoServiceProvider key = (RSACryptoServiceProvider)certificate.PrivateKey; return(key.SignData(message, hashAlg)); }
internal static X509AlternateName FromAltNameEntry(X509Native.CERT_ALT_NAME_ENTRY altNameEntry) { switch (altNameEntry.dwAltNameChoice) { case AlternateNameType.DirectoryName: return(new X509AlternateNameBlob(altNameEntry.dwAltNameChoice, CapiNative.ReadBlob(altNameEntry.altName.DirectoryName))); case AlternateNameType.DnsName: return(new X509AlternateNameString(altNameEntry.dwAltNameChoice, Marshal.PtrToStringUni(altNameEntry.altName.pwszDNSName))); case AlternateNameType.EdiPartyName: return(new X509AlternateNameString(altNameEntry.dwAltNameChoice, Marshal.PtrToStringUni(altNameEntry.altName.pEdiPartyName))); case AlternateNameType.IPAddress: IPAddress ipAddress = new IPAddress(CapiNative.ReadBlob(altNameEntry.altName.IPAddress)); return(new X509AlternateNameIPAddress(altNameEntry.dwAltNameChoice, ipAddress)); case AlternateNameType.OtherName: X509Native.CERT_OTHER_NAME otherName = (X509Native.CERT_OTHER_NAME)Marshal.PtrToStructure(altNameEntry.altName.pOtherName, typeof(X509Native.CERT_OTHER_NAME)); Oid2 otherNameOid = Oid2.FindByValue(otherName.pszObjId); return(new X509AlternateNameOther(CapiNative.ReadBlob(otherName.Value), otherNameOid)); case AlternateNameType.RegisteredId: return(new X509AlternateNameString(altNameEntry.dwAltNameChoice, Marshal.PtrToStringAnsi(altNameEntry.altName.pszRegisteredID))); case AlternateNameType.Rfc822Name: return(new X509AlternateNameString(altNameEntry.dwAltNameChoice, Marshal.PtrToStringUni(altNameEntry.altName.pwszRfc822Name))); case AlternateNameType.Url: return(new X509AlternateNameString(altNameEntry.dwAltNameChoice, Marshal.PtrToStringUni(altNameEntry.altName.pwszURL))); case AlternateNameType.X400Address: return(new X509AlternateNameBlob(altNameEntry.dwAltNameChoice, CapiNative.ReadBlob(altNameEntry.altName.x400Address))); default: return(new X509AlternateName(altNameEntry.dwAltNameChoice)); } }
public static IEnumerable <X509AlternateName> GetSubjectAlternateNames(this X509Certificate certificate) { List <X509AlternateName> alternateNames = new List <X509AlternateName>(); Oid2 extensionOid = Oid2.FindByValue(CapiNative.WellKnownOids.SubjectAlternateName, OidGroup.ExtensionOrAttribute); alternateNames.AddRange(certificate.GetAlternateNames(extensionOid)); Oid2 extensionOid2 = Oid2.FindByValue(CapiNative.WellKnownOids.SubjectAlternateName2, OidGroup.ExtensionOrAttribute); alternateNames.AddRange(certificate.GetAlternateNames(extensionOid2)); return(alternateNames); }
public void Oid2EnumerateOidGroupTest() { // More specific testing here is difficult since the OIDs registered on each machine can and // will be different, so we won't check for specific OIDs but just that all returned OIDs are in // the group that we asked for. foreach (Oid2 oid in Oid2.EnumerateOidInformation(OidGroup.HashAlgorithm)) { Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group); } foreach (Oid2 oid in Oid2.EnumerateOidInformation(OidGroup.EncryptionAlgorithm)) { Assert.AreEqual(OidGroup.EncryptionAlgorithm, oid.Group); } }
/// <summary> /// Initializes a new instance of the <strong>MessageSigner</strong> class from signer certificate and /// client-provided hash algorithm. /// </summary> /// <param name="signer">Signer certificate with associated private key.</param> /// <param name="hashAlgorithm"> /// Hash algorithm that is used to calculate the hash during signing or signature verification /// processes. /// </param> /// <exception cref="ArgumentException"> /// <strong>hashAlgorithm</strong> parameter contains invalid hash algorithm identifier. /// </exception> /// <exception cref="UninitializedObjectException">Signer certificate is not initialized.</exception> /// <exception cref="ArgumentNullException"> /// <strong>signer</strong> and/or <strong>hashAlgorithm</strong> parameter is null. /// </exception> /// <remarks> /// Currently the following hash algorithms are supported: /// <list type="bullet"> /// <item>MD5</item> /// <item>SHA1</item> /// <item>SHA256</item> /// <item>SHA384</item> /// <item>SHA512</item> /// </list> /// Hash algorithm is ignored for DSA keys and is automatically set to 'SHA1'. /// </remarks> public MessageSigner(X509Certificate2 signer, Oid2 hashAlgorithm) : this(hashAlgorithm, signer.PublicKey) { if (signer == null) { throw new ArgumentNullException(nameof(signer)); } if (hashAlgorithm == null) { throw new ArgumentNullException(nameof(hashAlgorithm)); } if (IntPtr.Zero.Equals(signer.Handle)) { throw new UninitializedObjectException(); } SignerCertificate = signer; }
MessageSigner(Oid2 hashAlgorithm, PublicKey pubKey) { PublicKeyAlgorithm = pubKey.Oid; acquirePublicKey(pubKey); if (hashAlgorithm.OidGroup == OidGroupEnum.SignatureAlgorithm) { mapSignatureAlgorithmToHashAlgorithm(hashAlgorithm.Value, null); } else { HashingAlgorithm = hashAlgorithm; } switch (PublicKeyAlgorithm.Value) { case AlgorithmOids.RSA: switch (hashAlgorithm.Value) { case AlgorithmOids.MD5: // md5 PssSaltByteCount = 16; break; case AlgorithmOids.SHA1: // sha1 PssSaltByteCount = 20; break; case AlgorithmOids.SHA256: // sha256 PssSaltByteCount = 32; break; case AlgorithmOids.SHA384: // sha384 PssSaltByteCount = 48; break; case AlgorithmOids.SHA512: // sha512 PssSaltByteCount = 64; break; } break; case AlgorithmOids.DSA: // force SHA1 for DSA keys HashingAlgorithm = new Oid2(AlgorithmOids.SHA1, false); break; } }
static Byte[] calculateHash(Byte[] message, Oid2 hashalg, Boolean skip, out String algName) { HashAlgorithm hasher; if (hashalg.FriendlyName.ToLower().Contains("md5")) { hasher = HashAlgorithm.Create("MD5"); algName = "MD5"; } else if (hashalg.FriendlyName.ToLower().Contains("sha1")) { hasher = HashAlgorithm.Create("SHA1"); algName = "SHA1"; } else if (hashalg.FriendlyName.ToLower().Contains("sha256")) { hasher = HashAlgorithm.Create("SHA256"); algName = "SHA256"; } else if (hashalg.FriendlyName.ToLower().Contains("sha384")) { hasher = HashAlgorithm.Create("SHA384"); algName = "SHA384"; } else if (hashalg.FriendlyName.ToLower().Contains("sha512")) { hasher = HashAlgorithm.Create("SHA512"); algName = "SHA512"; } else { throw new ArgumentException("Invalid hashing algorithm is specified"); } using (hasher) { if (!skip) { Debug.Assert(hasher != null, "hasher != null"); return(hasher.ComputeHash(message)); } } return(null); }
public void Oid2ConstructionTest() { // OIDs created with the value/name .ctor should only have a friendly name and value, no specific // group, and no algorithm Oid2 oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256"); Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value); Assert.AreEqual("sha256", oid.FriendlyName); Assert.AreEqual(OidGroup.AllGroups, oid.Group); Assert.IsFalse(oid.HasAlgorithmId); Assert.IsNull(oid.CngAlgorithm); Assert.IsNull(oid.CngExtraAlgorithm); // OIDs created with the value/name/group .ctor should only have a friendly name, value and group, // but no associated algorithms. oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm); Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value); Assert.AreEqual("sha256", oid.FriendlyName); Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group); Assert.IsFalse(oid.HasAlgorithmId); Assert.IsNull(oid.CngAlgorithm); Assert.IsNull(oid.CngExtraAlgorithm); // OIDs created with the CNG algorithm constructor should have all properties but CAPI algorithm set oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm, CngAlgorithm.Sha256, CngAlgorithm.Sha512); Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value); Assert.AreEqual("sha256", oid.FriendlyName); Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group); Assert.IsFalse(oid.HasAlgorithmId); Assert.AreEqual(CngAlgorithm.Sha256, oid.CngAlgorithm); Assert.AreEqual(CngAlgorithm.Sha512, oid.CngExtraAlgorithm); // OIDs created with the full constructor have all properties set oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm, 0x800c, CngAlgorithm.Sha256, CngAlgorithm.Sha512); Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value); Assert.AreEqual("sha256", oid.FriendlyName); Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group); Assert.IsTrue(oid.HasAlgorithmId); Assert.AreEqual(0x800c, oid.AlgorithmId); Assert.AreEqual(CngAlgorithm.Sha256, oid.CngAlgorithm); Assert.AreEqual(CngAlgorithm.Sha512, oid.CngExtraAlgorithm); }
/// <summary> /// Hashes current blob in <see cref="ToBeSignedData"/> member, constructs algorithm identifier /// (usually, with "NoSign" suffix) and attaches hash value in the signature section. /// </summary> /// <param name="hashAlgorithm">Hash algorithm to use for hashing.</param> /// <exception cref="ArgumentException"> /// Hash algorithm is not valid or cannot be mapped to respective signature algorithm. /// </exception> /// <exception cref="ArgumentNullException"> /// <strong>hashAlgorithm</strong> parameter is null. /// </exception> public void Hash(Oid2 hashAlgorithm) { if (hashAlgorithm == null) { throw new ArgumentNullException(nameof(hashAlgorithm)); } Oid2 transofrmedOid = Oid2.MapHashToSignatureOid(hashAlgorithm); using (var hasher = HashAlgorithm.Create(hashAlgorithm.FriendlyName)) { if (hasher == null) { throw new ArgumentException("Specified hash algorithm is not valid hashing algorithm"); } List <Byte> signature = hasher.ComputeHash(ToBeSignedData).ToList(); signature.Insert(0, 0); Signature = new Asn1BitString(Asn1Utils.Encode(signature.ToArray(), (Byte)Asn1Type.BIT_STRING)); } SignatureAlgorithm = new AlgorithmIdentifier(transofrmedOid.ToOid(), Asn1Utils.EncodeNull()); BlobType = ContentBlobType.SignedBlob; }
public static IList <X509AlternateName> GetAlternateNames(this X509Certificate certificate, Oid2 alternateNameExtensionOid) { if (alternateNameExtensionOid == null) { throw new ArgumentNullException("alternateNameExtensionOid"); } List <X509AlternateName> alternateNames = new List <X509AlternateName>(); using (SafeCertContextHandle certContext = certificate.GetCertificateContext()) { // Make sure we have the extension requested if (X509Native.HasExtension(certContext, alternateNameExtensionOid.Value)) { // If so, get it from the certificate, and decode it into a buffer X509Native.CERT_EXTENSION alternateNameExtension = X509Native.FindExtension(certContext, alternateNameExtensionOid.Value); using (SafeLocalAllocHandle decodedBuffer = X509Native.DecodeExtension(alternateNameExtension)) { // This buffer contains CERT_ALT_NAME_INFO which points us at the alternate names we // were looking for X509Native.CERT_ALT_NAME_INFO altNameInfo = decodedBuffer.Read <X509Native.CERT_ALT_NAME_INFO>(0); for (int i = 0; i < altNameInfo.cAltEntry; ++i) { unsafe { X509Native.CERT_ALT_NAME_ENTRY *pAltNameEntry = (X509Native.CERT_ALT_NAME_ENTRY *)altNameInfo.rgAltEntry; alternateNames.Add(X509AlternateName.FromAltNameEntry(pAltNameEntry[i])); } } } } } return(alternateNames); }
static void Main() { Oid2.RegisterSha2OidInformationForRsa(); }
void decodeEcdsaSpecified(Asn1Reader asn) { HashingAlgorithm = new Oid2(new AlgorithmIdentifier(asn.GetTagRawData()).AlgorithmId, false); }
void mapSignatureAlgorithmToHashAlgorithm(String signatureOid, Asn1Reader asn) { switch (signatureOid) { // md5 case AlgorithmOids.MD5: nullSigned = true; HashingAlgorithm = new Oid2(signatureOid, false); break; case AlgorithmOids.MD5_RSA: HashingAlgorithm = new Oid2(AlgorithmOids.MD5, false); break; // sha1 case AlgorithmOids.SHA1: nullSigned = true; HashingAlgorithm = new Oid2(signatureOid, false); break; case AlgorithmOids.SHA1_ECDSA: case AlgorithmOids.SHA1_RSA: case AlgorithmOids.SHA1_DSA: HashingAlgorithm = new Oid2(AlgorithmOids.SHA1, false); break; // sha256 case AlgorithmOids.SHA256: nullSigned = true; HashingAlgorithm = new Oid2(signatureOid, false); break; case AlgorithmOids.SHA256_ECDSA: case AlgorithmOids.SHA256_RSA: HashingAlgorithm = new Oid2(AlgorithmOids.SHA256, false); break; // sha384 case AlgorithmOids.SHA384: nullSigned = true; HashingAlgorithm = new Oid2(signatureOid, false); break; case AlgorithmOids.SHA384_ECDSA: case AlgorithmOids.SHA384_RSA: HashingAlgorithm = new Oid2(AlgorithmOids.SHA384, false); break; // sha512 case AlgorithmOids.SHA512: nullSigned = true; HashingAlgorithm = new Oid2(signatureOid, false); break; case AlgorithmOids.SHA512_ECDSA: case AlgorithmOids.SHA512_RSA: HashingAlgorithm = new Oid2(AlgorithmOids.SHA512, false); break; case AlgorithmOids.ECDSA_SPECIFIED: decodeEcdsaSpecified(asn); break; case AlgorithmOids.RSA_PSS: decodeRsaPss(asn); break; default: throw new ArgumentException("Invalid signature algorithm"); } }
void readExtensions() { schemaVersion = (Int32)_entry[DsUtils.PropPkiSchemaVersion]; foreach (String oid in new[] { X509ExtensionOid.KeyUsage, X509ExtensionOid.EnhancedKeyUsage, X509ExtensionOid.CertificatePolicies, X509ExtensionOid.CertTemplateInfoV2, X509ExtensionOid.BasicConstraints, X509ExtensionOid.OcspRevNoCheck }) { switch (oid) { case X509ExtensionOid.KeyUsage: _extensions.Add(new X509KeyUsageExtension(Cryptography.KeyUsage, isExtensionCritical(X509ExtensionOid.KeyUsage))); break; case X509ExtensionOid.EnhancedKeyUsage: if (_ekuList.Count == 0) { break; } _extensions.Add(new X509EnhancedKeyUsageExtension(EnhancedKeyUsage, isExtensionCritical(X509ExtensionOid.EnhancedKeyUsage))); _extensions.Add(new X509ApplicationPoliciesExtension(EnhancedKeyUsage, isExtensionCritical(X509ExtensionOid.ApplicationPolicies))); break; case X509ExtensionOid.CertificatePolicies: if (_certPolicies.Count > 0) { var policies = new X509CertificatePolicyCollection(); foreach (Oid policyOid in _certPolicies) { var oid2 = new Oid2(policyOid.Value, OidGroupEnum.IssuancePolicy, true); X509CertificatePolicy policy = new X509CertificatePolicy(policyOid.Value); try { policy.Add(new X509PolicyQualifier(oid2.GetCPSLinks()[0])); } catch { } policies.Add(policy); } _extensions.Add(new X509CertificatePoliciesExtension(policies, isExtensionCritical( X509ExtensionOid.CertificatePolicies))); } break; case X509ExtensionOid.CertTemplateInfoV2: Boolean isCritical = isExtensionCritical(X509ExtensionOid.CertTemplateInfoV2); if (schemaVersion == 1) { _extensions.Add(new X509Extension(new Oid(X509ExtensionOid.CertificateTemplate), Asn1Utils.EncodeBMPString((String)_entry[DsUtils.PropCN]), isCritical)); } else { Int32 major = (Int32)_entry[DsUtils.PropPkiTemplateMajorVersion]; Int32 minor = (Int32)_entry[DsUtils.PropPkiTemplateMinorVersion]; var templateOid = new Oid((String)_entry[DsUtils.PropCertTemplateOid]); var extension = new X509CertificateTemplateExtension(templateOid, major, minor) { Critical = isCritical }; _extensions.Add(extension); } break; case X509ExtensionOid.BasicConstraints: if ( SubjectType == CertTemplateSubjectType.CA || SubjectType == CertTemplateSubjectType.CrossCA || (EnrollmentOptions & CertificateTemplateEnrollmentFlags.BasicConstraintsInEndEntityCerts) > 0 ) { Boolean isCA; if (SubjectType == CertTemplateSubjectType.CA || SubjectType == CertTemplateSubjectType.CrossCA) { isCA = true; } else { isCA = false; } Boolean hasConstraints = GetPathLengthConstraint() != -1; _extensions.Add(new X509BasicConstraintsExtension(isCA, hasConstraints, GetPathLengthConstraint(), isExtensionCritical( X509ExtensionOid.BasicConstraints))); } break; case X509ExtensionOid.OcspRevNoCheck: if ((EnrollmentOptions & CertificateTemplateEnrollmentFlags.IncludeOcspRevNoCheck) > 0) { _extensions.Add(new X509Extension(X509ExtensionOid.OcspRevNoCheck, new Byte[] { 5, 0 }, isExtensionCritical( X509ExtensionOid.OcspRevNoCheck))); } break; } } }
void get_extensions() { schemaVersion = (Int32)_entry[ActiveDirectory.PropPkiSchemaVersion]; foreach (String oid in new [] { X509CertExtensions.X509KeyUsage, X509CertExtensions.X509EnhancedKeyUsage, X509CertExtensions.X509CertificatePolicies, X509CertExtensions.X509CertTemplateInfoV2, X509CertExtensions.X509BasicConstraints, X509CertExtensions.X509OcspRevNoCheck }) { switch (oid) { case X509CertExtensions.X509KeyUsage: _exts.Add(new X509KeyUsageExtension(Cryptography.KeyUsage, test_critical(X509CertExtensions.X509KeyUsage))); break; case X509CertExtensions.X509EnhancedKeyUsage: if (_ekus.Count == 0) { break; } _exts.Add(new X509EnhancedKeyUsageExtension(_ekus, test_critical(X509CertExtensions.X509EnhancedKeyUsage))); _exts.Add(new X509ApplicationPoliciesExtension(_ekus, test_critical(X509CertExtensions.X509ApplicationPolicies))); break; case X509CertExtensions.X509CertificatePolicies: if (CertificatePolicies.Count > 0) { X509CertificatePolicyCollection policies = new X509CertificatePolicyCollection(); foreach (Oid poloid in CertificatePolicies) { Oid2 oid2 = new Oid2(poloid.Value, OidGroupEnum.IssuancePolicy, true); X509CertificatePolicy policy = new X509CertificatePolicy(poloid.Value); try { policy.Add(new X509PolicyQualifier(oid2.GetCPSLinks()[0])); } catch { } policies.Add(policy); } _exts.Add(new X509CertificatePoliciesExtension(policies, test_critical( X509CertExtensions.X509CertificatePolicies))); } break; case X509CertExtensions.X509CertTemplateInfoV2: if (schemaVersion == 1) { _exts.Add(new X509Extension(new Oid(X509CertExtensions.X509CertTemplateInfoV2), Asn1Utils.EncodeBMPString((String)_entry[ActiveDirectory.PropCN]), test_critical( X509CertExtensions.X509CertTemplateInfoV2))); } else { Int32 major = (Int32)_entry[ActiveDirectory.PropPkiTemplateMajorVersion]; Int32 minor = (Int32)_entry[ActiveDirectory.PropPkiTemplateMinorVersion]; Oid tempoid = new Oid((String)_entry[ActiveDirectory.PropCertTemplateOid]); _exts.Add(new X509CertificateTemplateExtension(tempoid, major, minor)); _exts[_exts.Count - 1].Critical = test_critical(X509CertExtensions.X509CertificateTemplate); } break; case X509CertExtensions.X509BasicConstraints: if ( SubjectType == CertTemplateSubjectType.CA || SubjectType == CertTemplateSubjectType.CrossCA || (EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.BasicConstraintsInEndEntityCerts) != 0 ) { Boolean isCA; if (SubjectType == CertTemplateSubjectType.CA || SubjectType == CertTemplateSubjectType.CrossCA) { isCA = true; } else { isCA = false; } Boolean hasConstraints = GetPathLengthConstraint() != -1; _exts.Add(new X509BasicConstraintsExtension(isCA, hasConstraints, GetPathLengthConstraint(), test_critical( X509CertExtensions.X509BasicConstraints))); } break; case X509CertExtensions.X509OcspRevNoCheck: if ((EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.IncludeOcspRevNoCheck) != 0) { _exts.Add(new X509Extension(X509CertExtensions.X509OcspRevNoCheck, new Byte[] { 5, 0 }, test_critical( X509CertExtensions.X509OcspRevNoCheck))); } break; } } }
internal MessageSigner(X509PrivateKeyBuilder keyBuilder, Oid2 hashAlgorithm) : this(hashAlgorithm, keyBuilder.GetPublicKey()) { _keyInfo = keyBuilder; }
MessageSigner(Oid2 hashAlg, PublicKey pubKey) { PublicKeyAlgorithm = pubKey.Oid; acquirePublicKey(pubKey); initializeHashAlgorithm(hashAlg); }
void get_extensions() { schemaVersion = (Int32)_entry.Properties["msPKI-Template-Schema-Version"].Value; foreach (String oid in new [] { "2.5.29.15", "2.5.29.37", "2.5.29.32", "1.3.6.1.4.1.311.20.2", "2.5.29.19", "1.3.6.1.5.5.7.48.1.5" }) { switch (oid) { case "2.5.29.15": _exts.Add(new X509KeyUsageExtension(Cryptography.KeyUsage, test_critical("2.5.29.15"))); break; case "2.5.29.37": if (_ekus.Count == 0) { break; } _exts.Add(new X509EnhancedKeyUsageExtension(_ekus, test_critical("2.5.29.37"))); _exts.Add(new X509ApplicationPoliciesExtension(_ekus, test_critical("1.3.6.1.4.1.311.21.10"))); break; case "2.5.29.32": if (CertificatePolicies.Count > 0) { X509CertificatePolicyCollection policies = new X509CertificatePolicyCollection(); foreach (Oid poloid in CertificatePolicies) { Oid2 oid2 = new Oid2(poloid.Value, OidGroupEnum.IssuancePolicy, true); X509CertificatePolicy policy = new X509CertificatePolicy(poloid.Value); try { policy.Add(new X509PolicyQualifier(oid2.GetCPSLinks()[0])); } catch { } policies.Add(policy); } _exts.Add(new X509CertificatePoliciesExtension(policies, test_critical("2.5.29.32"))); } break; case "1.3.6.1.4.1.311.20.2": if (schemaVersion == 1) { _exts.Add(new X509Extension(new Oid("1.3.6.1.4.1.311.20.2"), Asn1Utils.EncodeBMPString((String)_entry.Properties["cn"].Value), test_critical("1.3.6.1.4.1.311.20.2"))); } else { Int32 major = (Int32)_entry.Properties["Revision"].Value; Int32 minor = (Int32)_entry.Properties["msPKI-Template-Minor-Revision"].Value; Oid tempoid = new Oid((String)_entry.Properties["msPKI-Cert-Template-OID"].Value); _exts.Add(new X509CertificateTemplateExtension(tempoid, major, minor)); _exts[_exts.Count - 1].Critical = test_critical("1.3.6.1.4.1.311.21.7"); } break; case "2.5.29.19": if ( SubjectType == "Certification Authority" || SubjectType == "Cross Certification Authority" || (EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.BasicConstraintsInEndEntityCerts) != 0 ) { Boolean isCA; if (SubjectType == "Certification Authority" || SubjectType == "Cross Certification Authority") { isCA = true; } else { isCA = false; } Boolean hasConstraints = GetPathLengthConstraint() != -1; _exts.Add(new X509BasicConstraintsExtension(isCA, hasConstraints, GetPathLengthConstraint(), test_critical("2.5.29.19"))); } break; case "1.3.6.1.5.5.7.48.1.5": if ((EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.IncludeOcspRevNoCheck) != 0) { _exts.Add(new X509Extension("1.3.6.1.5.5.7.48.1.5", new Byte[] { 5, 0 }, test_critical("1.3.6.1.5.5.7.48.1.5"))); } break; } } }