public void Oid2FindByValueTest()
{
// First lookup using all groups
Oid2 sha1 = Oid2.FindByValue("1.3.14.3.2.26");
Assert.AreEqual("sha1", sha1.FriendlyName);
Assert.AreEqual("1.3.14.3.2.26", sha1.Value);
Assert.AreEqual(OidGroup.HashAlgorithm, sha1.Group);
if (Environment.OSVersion.Version.Major >= 6)
{
Assert.AreEqual(CngAlgorithm.Sha1, sha1.CngAlgorithm);
Assert.IsNull(sha1.CngExtraAlgorithm);
}
else
{
Assert.IsNull(sha1.CngAlgorithm);
Assert.IsNull(sha1.CngExtraAlgorithm);
}
// Make sure it also works for search within a specific group
sha1 = Oid2.FindByValue("1.3.14.3.2.26", OidGroup.HashAlgorithm);
Assert.AreEqual("sha1", sha1.FriendlyName);
Assert.AreEqual("1.3.14.3.2.26", sha1.Value);
Assert.AreEqual(OidGroup.HashAlgorithm, sha1.Group);
if (Environment.OSVersion.Version.Major >= 6)
{
Assert.AreEqual(CngAlgorithm.Sha1, sha1.CngAlgorithm);
Assert.IsNull(sha1.CngExtraAlgorithm);
}
else
{
Assert.IsNull(sha1.CngAlgorithm);
Assert.IsNull(sha1.CngExtraAlgorithm);
}
}
static Boolean verifySignature(PublicKey publicKey, Byte[] message, Byte[] signature, Oid hashalgorithm)
{
Oid2 oid = new Oid2(hashalgorithm.Value, OidGroupEnum.SignatureAlgorithm, true);
if (String.IsNullOrEmpty(oid.FriendlyName))
{
throw new ArgumentException("Specified signature algorithm is not supported.");
}
switch (publicKey.Oid.Value)
{
// RSA
case "1.2.840.113549.1.1.1":
return(verifyRSA(publicKey, message, signature, hashalgorithm));
// DSA
case "1.2.840.10040.4.1":
return(verifyDSA(publicKey, message, signature));
// ECC
case "1.2.840.10045.2.1":
ECDsaCng key = bindPublicKey(publicKey);
return(verifyECC(key, message, signature, hashalgorithm.Value));
default:
return(false);
}
}
/// <summary>
/// Initializes a new instance of the <strong>MessageSigner</strong> class from signer certificate and
/// client-provided hash algorithm.
/// </summary>
/// <param name="signer">Signer certificate with associated private key.</param>
/// <param name="hashAlgorithm">
/// Hash algorithm that is used to calculate the hash during signing or signature verification
/// processes.
/// </param>
/// <exception cref="ArgumentException">
/// <strong>hashAlgorithm</strong> parameter contains invalid hash algorithm identifier.
/// </exception>
/// <exception cref="UninitializedObjectException">Signer certificate is not initialized.</exception>
/// <exception cref="ArgumentNullException">
/// <strong>signer</strong> and/or <strong>hashAlgorithm</strong> parameter is null.
/// </exception>
/// <remarks>
/// Currently the following hash algorithms are supported:
/// <list type="bullet">
/// <item>MD5</item>
/// <item>SHA1</item>
/// <item>SHA256</item>
/// <item>SHA384</item>
/// <item>SHA512</item>
/// </list>
/// Hash algorithm is ignored for DSA keys and is automatically set to 'SHA1'.
/// </remarks>
public MessageSigner(X509Certificate2 signer, Oid2 hashAlgorithm)
{
if (signer == null)
{
throw new ArgumentNullException(nameof(signer));
}
if (hashAlgorithm == null)
{
throw new ArgumentNullException(nameof(hashAlgorithm));
}
if (IntPtr.Zero.Equals(signer.Handle))
{
throw new UninitializedObjectException();
}
if (hashAlgorithm.OidGroup == OidGroupEnum.SignatureAlgorithm)
{
mapSignatureAlgorithmToHashAlgorithm(hashAlgorithm.Value, null);
}
else
{
HashingAlgorithm = hashAlgorithm;
}
SignerCertificate = signer;
switch (SignerCertificate.PublicKey.Oid.Value)
{
case AlgorithmOids.RSA:
switch (hashAlgorithm.Value)
{
case AlgorithmOids.MD5: // md5
PssSaltByteCount = 16;
break;
case AlgorithmOids.SHA1: // sha1
PssSaltByteCount = 20;
break;
case AlgorithmOids.SHA256: // sha256
PssSaltByteCount = 32;
break;
case AlgorithmOids.SHA384: // sha384
PssSaltByteCount = 48;
break;
case AlgorithmOids.SHA512: // sha512
PssSaltByteCount = 64;
break;
}
break;
case AlgorithmOids.DSA:
// force SHA1 for DSA keys
HashingAlgorithm = new Oid2(AlgorithmOids.SHA1, false);
break;
}
acquirePublicKey(SignerCertificate.PublicKey);
}
public void Oid2ToOidTest()
{
Oid2 oid2 = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm, 0x800c, CngAlgorithm.Sha256, CngAlgorithm.Sha512);
Oid oid = oid2.ToOid();
Assert.AreEqual(oid2.Value, oid.Value);
Assert.AreEqual(oid2.FriendlyName, oid.FriendlyName);
}
/// <summary>
/// Create an alternate name for the given blob
/// </summary>
/// <param name="blob">raw alternate name blob</param>
/// <param name="oid">OID describing the type of alternate name</param>
/// <exception cref="ArgumentNullException">
/// if <paramref name="blob"/> or <paramref name="oid"/> are null
/// </exception>
public X509AlternateNameOther(byte[] blob, Oid2 oid)
: base(AlternateNameType.OtherName, blob)
{
if (oid == null)
{
throw new ArgumentNullException("oid");
}
m_oid = oid;
}
/// <summary>
/// Computes the hash value of the specified byte array using the specified hash algorithm, and signs the resulting hash value.
/// </summary>
/// <param name="certificate">An <see cref="X509Certificate2"/> object of the signer certificate.</param>
/// <param name="message">Message to be signed.</param>
/// <param name="hashAlgorithm">The name of the hash algorithm to use in the signature.</param>
/// <returns>The signature for the specified data.</returns>
public static Byte[] SignMessage(X509Certificate2 certificate, Byte[] message, Oid hashAlgorithm)
{
IntPtr phCryptProv = IntPtr.Zero;
UInt32 pdwKeySpec = 0;
Boolean pfCallerFreeProv = false;
if (!Crypt32.CryptAcquireCertificatePrivateKey(certificate.Handle, 0x00010000, IntPtr.Zero, ref phCryptProv, ref pdwKeySpec, ref pfCallerFreeProv))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
Oid2 hashalgorithm = new Oid2(
hashAlgorithm.FriendlyName.ToLower()
.Replace("rsa", null)
.Replace("ecdsa", null),
OidGroupEnum.HashAlgorithm, true);
String hashAlg;
// true -> CNG, false -> legacy
if (pdwKeySpec == UInt32.MaxValue)
{
Byte[] hashBytes = calculateHash(message, hashalgorithm, false, out hashAlg);
try {
UInt32 pcbResult;
Int32 hresult = nCrypt.NCryptSignHash(phCryptProv, IntPtr.Zero, hashBytes, (UInt32)hashBytes.Length, null, 0, out pcbResult, 0);
if (hresult != 0)
{
throw new CryptographicException(hresult);
}
Byte[] pbSignature = new byte[pcbResult];
hresult = nCrypt.NCryptSignHash(phCryptProv, IntPtr.Zero, hashBytes, (UInt32)hashBytes.Length, pbSignature, (UInt32)pbSignature.Length, out pcbResult, 0);
if (hresult != 0)
{
throw new CryptographicException(hresult);
}
return(pbSignature);
} finally {
if (pfCallerFreeProv)
{
nCrypt.NCryptFreeObject(phCryptProv);
}
}
}
if (pfCallerFreeProv)
{
AdvAPI.CryptReleaseContext(phCryptProv, 0);
}
calculateHash(message, hashalgorithm, false, out hashAlg);
RSACryptoServiceProvider key = (RSACryptoServiceProvider)certificate.PrivateKey;
return(key.SignData(message, hashAlg));
}
internal static X509AlternateName FromAltNameEntry(X509Native.CERT_ALT_NAME_ENTRY altNameEntry)
{
switch (altNameEntry.dwAltNameChoice)
{
case AlternateNameType.DirectoryName:
return(new X509AlternateNameBlob(altNameEntry.dwAltNameChoice,
CapiNative.ReadBlob(altNameEntry.altName.DirectoryName)));
case AlternateNameType.DnsName:
return(new X509AlternateNameString(altNameEntry.dwAltNameChoice,
Marshal.PtrToStringUni(altNameEntry.altName.pwszDNSName)));
case AlternateNameType.EdiPartyName:
return(new X509AlternateNameString(altNameEntry.dwAltNameChoice,
Marshal.PtrToStringUni(altNameEntry.altName.pEdiPartyName)));
case AlternateNameType.IPAddress:
IPAddress ipAddress = new IPAddress(CapiNative.ReadBlob(altNameEntry.altName.IPAddress));
return(new X509AlternateNameIPAddress(altNameEntry.dwAltNameChoice,
ipAddress));
case AlternateNameType.OtherName:
X509Native.CERT_OTHER_NAME otherName =
(X509Native.CERT_OTHER_NAME)Marshal.PtrToStructure(altNameEntry.altName.pOtherName, typeof(X509Native.CERT_OTHER_NAME));
Oid2 otherNameOid = Oid2.FindByValue(otherName.pszObjId);
return(new X509AlternateNameOther(CapiNative.ReadBlob(otherName.Value), otherNameOid));
case AlternateNameType.RegisteredId:
return(new X509AlternateNameString(altNameEntry.dwAltNameChoice,
Marshal.PtrToStringAnsi(altNameEntry.altName.pszRegisteredID)));
case AlternateNameType.Rfc822Name:
return(new X509AlternateNameString(altNameEntry.dwAltNameChoice,
Marshal.PtrToStringUni(altNameEntry.altName.pwszRfc822Name)));
case AlternateNameType.Url:
return(new X509AlternateNameString(altNameEntry.dwAltNameChoice,
Marshal.PtrToStringUni(altNameEntry.altName.pwszURL)));
case AlternateNameType.X400Address:
return(new X509AlternateNameBlob(altNameEntry.dwAltNameChoice,
CapiNative.ReadBlob(altNameEntry.altName.x400Address)));
default:
return(new X509AlternateName(altNameEntry.dwAltNameChoice));
}
}
public static IEnumerable <X509AlternateName> GetSubjectAlternateNames(this X509Certificate certificate)
{
List <X509AlternateName> alternateNames = new List <X509AlternateName>();
Oid2 extensionOid = Oid2.FindByValue(CapiNative.WellKnownOids.SubjectAlternateName,
OidGroup.ExtensionOrAttribute);
alternateNames.AddRange(certificate.GetAlternateNames(extensionOid));
Oid2 extensionOid2 = Oid2.FindByValue(CapiNative.WellKnownOids.SubjectAlternateName2,
OidGroup.ExtensionOrAttribute);
alternateNames.AddRange(certificate.GetAlternateNames(extensionOid2));
return(alternateNames);
}
public void Oid2EnumerateOidGroupTest()
{
// More specific testing here is difficult since the OIDs registered on each machine can and
// will be different, so we won't check for specific OIDs but just that all returned OIDs are in
// the group that we asked for.
foreach (Oid2 oid in Oid2.EnumerateOidInformation(OidGroup.HashAlgorithm))
{
Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group);
}
foreach (Oid2 oid in Oid2.EnumerateOidInformation(OidGroup.EncryptionAlgorithm))
{
Assert.AreEqual(OidGroup.EncryptionAlgorithm, oid.Group);
}
}
/// <summary>
/// Initializes a new instance of the <strong>MessageSigner</strong> class from signer certificate and
/// client-provided hash algorithm.
/// </summary>
/// <param name="signer">Signer certificate with associated private key.</param>
/// <param name="hashAlgorithm">
/// Hash algorithm that is used to calculate the hash during signing or signature verification
/// processes.
/// </param>
/// <exception cref="ArgumentException">
/// <strong>hashAlgorithm</strong> parameter contains invalid hash algorithm identifier.
/// </exception>
/// <exception cref="UninitializedObjectException">Signer certificate is not initialized.</exception>
/// <exception cref="ArgumentNullException">
/// <strong>signer</strong> and/or <strong>hashAlgorithm</strong> parameter is null.
/// </exception>
/// <remarks>
/// Currently the following hash algorithms are supported:
/// <list type="bullet">
/// <item>MD5</item>
/// <item>SHA1</item>
/// <item>SHA256</item>
/// <item>SHA384</item>
/// <item>SHA512</item>
/// </list>
/// Hash algorithm is ignored for DSA keys and is automatically set to 'SHA1'.
/// </remarks>
public MessageSigner(X509Certificate2 signer, Oid2 hashAlgorithm) : this(hashAlgorithm, signer.PublicKey)
{
if (signer == null)
{
throw new ArgumentNullException(nameof(signer));
}
if (hashAlgorithm == null)
{
throw new ArgumentNullException(nameof(hashAlgorithm));
}
if (IntPtr.Zero.Equals(signer.Handle))
{
throw new UninitializedObjectException();
}
SignerCertificate = signer;
}
MessageSigner(Oid2 hashAlgorithm, PublicKey pubKey)
{
PublicKeyAlgorithm = pubKey.Oid;
acquirePublicKey(pubKey);
if (hashAlgorithm.OidGroup == OidGroupEnum.SignatureAlgorithm)
{
mapSignatureAlgorithmToHashAlgorithm(hashAlgorithm.Value, null);
}
else
{
HashingAlgorithm = hashAlgorithm;
}
switch (PublicKeyAlgorithm.Value)
{
case AlgorithmOids.RSA:
switch (hashAlgorithm.Value)
{
case AlgorithmOids.MD5: // md5
PssSaltByteCount = 16;
break;
case AlgorithmOids.SHA1: // sha1
PssSaltByteCount = 20;
break;
case AlgorithmOids.SHA256: // sha256
PssSaltByteCount = 32;
break;
case AlgorithmOids.SHA384: // sha384
PssSaltByteCount = 48;
break;
case AlgorithmOids.SHA512: // sha512
PssSaltByteCount = 64;
break;
}
break;
case AlgorithmOids.DSA:
// force SHA1 for DSA keys
HashingAlgorithm = new Oid2(AlgorithmOids.SHA1, false);
break;
}
}
static Byte[] calculateHash(Byte[] message, Oid2 hashalg, Boolean skip, out String algName)
{
HashAlgorithm hasher;
if (hashalg.FriendlyName.ToLower().Contains("md5"))
{
hasher = HashAlgorithm.Create("MD5");
algName = "MD5";
}
else if (hashalg.FriendlyName.ToLower().Contains("sha1"))
{
hasher = HashAlgorithm.Create("SHA1");
algName = "SHA1";
}
else if (hashalg.FriendlyName.ToLower().Contains("sha256"))
{
hasher = HashAlgorithm.Create("SHA256");
algName = "SHA256";
}
else if (hashalg.FriendlyName.ToLower().Contains("sha384"))
{
hasher = HashAlgorithm.Create("SHA384");
algName = "SHA384";
}
else if (hashalg.FriendlyName.ToLower().Contains("sha512"))
{
hasher = HashAlgorithm.Create("SHA512");
algName = "SHA512";
}
else
{
throw new ArgumentException("Invalid hashing algorithm is specified");
}
using (hasher) {
if (!skip)
{
Debug.Assert(hasher != null, "hasher != null");
return(hasher.ComputeHash(message));
}
}
return(null);
}
public void Oid2ConstructionTest()
{
// OIDs created with the value/name .ctor should only have a friendly name and value, no specific
// group, and no algorithm
Oid2 oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256");
Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value);
Assert.AreEqual("sha256", oid.FriendlyName);
Assert.AreEqual(OidGroup.AllGroups, oid.Group);
Assert.IsFalse(oid.HasAlgorithmId);
Assert.IsNull(oid.CngAlgorithm);
Assert.IsNull(oid.CngExtraAlgorithm);
// OIDs created with the value/name/group .ctor should only have a friendly name, value and group,
// but no associated algorithms.
oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm);
Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value);
Assert.AreEqual("sha256", oid.FriendlyName);
Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group);
Assert.IsFalse(oid.HasAlgorithmId);
Assert.IsNull(oid.CngAlgorithm);
Assert.IsNull(oid.CngExtraAlgorithm);
// OIDs created with the CNG algorithm constructor should have all properties but CAPI algorithm set
oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm, CngAlgorithm.Sha256, CngAlgorithm.Sha512);
Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value);
Assert.AreEqual("sha256", oid.FriendlyName);
Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group);
Assert.IsFalse(oid.HasAlgorithmId);
Assert.AreEqual(CngAlgorithm.Sha256, oid.CngAlgorithm);
Assert.AreEqual(CngAlgorithm.Sha512, oid.CngExtraAlgorithm);
// OIDs created with the full constructor have all properties set
oid = new Oid2("2.16.840.1.101.3.4.2.1", "sha256", OidGroup.HashAlgorithm, 0x800c, CngAlgorithm.Sha256, CngAlgorithm.Sha512);
Assert.AreEqual("2.16.840.1.101.3.4.2.1", oid.Value);
Assert.AreEqual("sha256", oid.FriendlyName);
Assert.AreEqual(OidGroup.HashAlgorithm, oid.Group);
Assert.IsTrue(oid.HasAlgorithmId);
Assert.AreEqual(0x800c, oid.AlgorithmId);
Assert.AreEqual(CngAlgorithm.Sha256, oid.CngAlgorithm);
Assert.AreEqual(CngAlgorithm.Sha512, oid.CngExtraAlgorithm);
}
/// <summary>
/// Hashes current blob in <see cref="ToBeSignedData"/> member, constructs algorithm identifier
/// (usually, with "NoSign" suffix) and attaches hash value in the signature section.
/// </summary>
/// <param name="hashAlgorithm">Hash algorithm to use for hashing.</param>
/// <exception cref="ArgumentException">
/// Hash algorithm is not valid or cannot be mapped to respective signature algorithm.
/// </exception>
/// <exception cref="ArgumentNullException">
/// <strong>hashAlgorithm</strong> parameter is null.
/// </exception>
public void Hash(Oid2 hashAlgorithm)
{
if (hashAlgorithm == null)
{
throw new ArgumentNullException(nameof(hashAlgorithm));
}
Oid2 transofrmedOid = Oid2.MapHashToSignatureOid(hashAlgorithm);
using (var hasher = HashAlgorithm.Create(hashAlgorithm.FriendlyName)) {
if (hasher == null)
{
throw new ArgumentException("Specified hash algorithm is not valid hashing algorithm");
}
List <Byte> signature = hasher.ComputeHash(ToBeSignedData).ToList();
signature.Insert(0, 0);
Signature = new Asn1BitString(Asn1Utils.Encode(signature.ToArray(), (Byte)Asn1Type.BIT_STRING));
}
SignatureAlgorithm = new AlgorithmIdentifier(transofrmedOid.ToOid(), Asn1Utils.EncodeNull());
BlobType = ContentBlobType.SignedBlob;
}
public static IList <X509AlternateName> GetAlternateNames(this X509Certificate certificate,
Oid2 alternateNameExtensionOid)
{
if (alternateNameExtensionOid == null)
{
throw new ArgumentNullException("alternateNameExtensionOid");
}
List <X509AlternateName> alternateNames = new List <X509AlternateName>();
using (SafeCertContextHandle certContext = certificate.GetCertificateContext())
{
// Make sure we have the extension requested
if (X509Native.HasExtension(certContext, alternateNameExtensionOid.Value))
{
// If so, get it from the certificate, and decode it into a buffer
X509Native.CERT_EXTENSION alternateNameExtension =
X509Native.FindExtension(certContext, alternateNameExtensionOid.Value);
using (SafeLocalAllocHandle decodedBuffer = X509Native.DecodeExtension(alternateNameExtension))
{
// This buffer contains CERT_ALT_NAME_INFO which points us at the alternate names we
// were looking for
X509Native.CERT_ALT_NAME_INFO altNameInfo = decodedBuffer.Read <X509Native.CERT_ALT_NAME_INFO>(0);
for (int i = 0; i < altNameInfo.cAltEntry; ++i)
{
unsafe
{
X509Native.CERT_ALT_NAME_ENTRY *pAltNameEntry = (X509Native.CERT_ALT_NAME_ENTRY *)altNameInfo.rgAltEntry;
alternateNames.Add(X509AlternateName.FromAltNameEntry(pAltNameEntry[i]));
}
}
}
}
}
return(alternateNames);
}
static void Main()
{
Oid2.RegisterSha2OidInformationForRsa();
}
void decodeEcdsaSpecified(Asn1Reader asn)
{
HashingAlgorithm = new Oid2(new AlgorithmIdentifier(asn.GetTagRawData()).AlgorithmId, false);
}
void mapSignatureAlgorithmToHashAlgorithm(String signatureOid, Asn1Reader asn)
{
switch (signatureOid)
{
// md5
case AlgorithmOids.MD5:
nullSigned = true;
HashingAlgorithm = new Oid2(signatureOid, false);
break;
case AlgorithmOids.MD5_RSA:
HashingAlgorithm = new Oid2(AlgorithmOids.MD5, false);
break;
// sha1
case AlgorithmOids.SHA1:
nullSigned = true;
HashingAlgorithm = new Oid2(signatureOid, false);
break;
case AlgorithmOids.SHA1_ECDSA:
case AlgorithmOids.SHA1_RSA:
case AlgorithmOids.SHA1_DSA:
HashingAlgorithm = new Oid2(AlgorithmOids.SHA1, false);
break;
// sha256
case AlgorithmOids.SHA256:
nullSigned = true;
HashingAlgorithm = new Oid2(signatureOid, false);
break;
case AlgorithmOids.SHA256_ECDSA:
case AlgorithmOids.SHA256_RSA:
HashingAlgorithm = new Oid2(AlgorithmOids.SHA256, false);
break;
// sha384
case AlgorithmOids.SHA384:
nullSigned = true;
HashingAlgorithm = new Oid2(signatureOid, false);
break;
case AlgorithmOids.SHA384_ECDSA:
case AlgorithmOids.SHA384_RSA:
HashingAlgorithm = new Oid2(AlgorithmOids.SHA384, false);
break;
// sha512
case AlgorithmOids.SHA512:
nullSigned = true;
HashingAlgorithm = new Oid2(signatureOid, false);
break;
case AlgorithmOids.SHA512_ECDSA:
case AlgorithmOids.SHA512_RSA:
HashingAlgorithm = new Oid2(AlgorithmOids.SHA512, false);
break;
case AlgorithmOids.ECDSA_SPECIFIED:
decodeEcdsaSpecified(asn);
break;
case AlgorithmOids.RSA_PSS:
decodeRsaPss(asn);
break;
default:
throw new ArgumentException("Invalid signature algorithm");
}
}
void readExtensions()
{
schemaVersion = (Int32)_entry[DsUtils.PropPkiSchemaVersion];
foreach (String oid in new[] {
X509ExtensionOid.KeyUsage,
X509ExtensionOid.EnhancedKeyUsage,
X509ExtensionOid.CertificatePolicies,
X509ExtensionOid.CertTemplateInfoV2,
X509ExtensionOid.BasicConstraints,
X509ExtensionOid.OcspRevNoCheck
})
{
switch (oid)
{
case X509ExtensionOid.KeyUsage:
_extensions.Add(new X509KeyUsageExtension(Cryptography.KeyUsage, isExtensionCritical(X509ExtensionOid.KeyUsage)));
break;
case X509ExtensionOid.EnhancedKeyUsage:
if (_ekuList.Count == 0)
{
break;
}
_extensions.Add(new X509EnhancedKeyUsageExtension(EnhancedKeyUsage, isExtensionCritical(X509ExtensionOid.EnhancedKeyUsage)));
_extensions.Add(new X509ApplicationPoliciesExtension(EnhancedKeyUsage, isExtensionCritical(X509ExtensionOid.ApplicationPolicies)));
break;
case X509ExtensionOid.CertificatePolicies:
if (_certPolicies.Count > 0)
{
var policies = new X509CertificatePolicyCollection();
foreach (Oid policyOid in _certPolicies)
{
var oid2 = new Oid2(policyOid.Value, OidGroupEnum.IssuancePolicy, true);
X509CertificatePolicy policy = new X509CertificatePolicy(policyOid.Value);
try {
policy.Add(new X509PolicyQualifier(oid2.GetCPSLinks()[0]));
} catch { }
policies.Add(policy);
}
_extensions.Add(new X509CertificatePoliciesExtension(policies, isExtensionCritical(
X509ExtensionOid.CertificatePolicies)));
}
break;
case X509ExtensionOid.CertTemplateInfoV2:
Boolean isCritical = isExtensionCritical(X509ExtensionOid.CertTemplateInfoV2);
if (schemaVersion == 1)
{
_extensions.Add(new X509Extension(new Oid(X509ExtensionOid.CertificateTemplate), Asn1Utils.EncodeBMPString((String)_entry[DsUtils.PropCN]), isCritical));
}
else
{
Int32 major = (Int32)_entry[DsUtils.PropPkiTemplateMajorVersion];
Int32 minor = (Int32)_entry[DsUtils.PropPkiTemplateMinorVersion];
var templateOid = new Oid((String)_entry[DsUtils.PropCertTemplateOid]);
var extension = new X509CertificateTemplateExtension(templateOid, major, minor)
{
Critical = isCritical
};
_extensions.Add(extension);
}
break;
case X509ExtensionOid.BasicConstraints:
if (
SubjectType == CertTemplateSubjectType.CA ||
SubjectType == CertTemplateSubjectType.CrossCA ||
(EnrollmentOptions & CertificateTemplateEnrollmentFlags.BasicConstraintsInEndEntityCerts) > 0
)
{
Boolean isCA;
if (SubjectType == CertTemplateSubjectType.CA || SubjectType == CertTemplateSubjectType.CrossCA)
{
isCA = true;
}
else
{
isCA = false;
}
Boolean hasConstraints = GetPathLengthConstraint() != -1;
_extensions.Add(new X509BasicConstraintsExtension(isCA, hasConstraints, GetPathLengthConstraint(), isExtensionCritical(
X509ExtensionOid.BasicConstraints)));
}
break;
case X509ExtensionOid.OcspRevNoCheck:
if ((EnrollmentOptions & CertificateTemplateEnrollmentFlags.IncludeOcspRevNoCheck) > 0)
{
_extensions.Add(new X509Extension(X509ExtensionOid.OcspRevNoCheck, new Byte[] { 5, 0 }, isExtensionCritical(
X509ExtensionOid.OcspRevNoCheck)));
}
break;
}
}
}
void get_extensions()
{
schemaVersion = (Int32)_entry[ActiveDirectory.PropPkiSchemaVersion];
foreach (String oid in new [] {
X509CertExtensions.X509KeyUsage,
X509CertExtensions.X509EnhancedKeyUsage,
X509CertExtensions.X509CertificatePolicies,
X509CertExtensions.X509CertTemplateInfoV2,
X509CertExtensions.X509BasicConstraints,
X509CertExtensions.X509OcspRevNoCheck
})
{
switch (oid)
{
case X509CertExtensions.X509KeyUsage:
_exts.Add(new X509KeyUsageExtension(Cryptography.KeyUsage, test_critical(X509CertExtensions.X509KeyUsage)));
break;
case X509CertExtensions.X509EnhancedKeyUsage:
if (_ekus.Count == 0)
{
break;
}
_exts.Add(new X509EnhancedKeyUsageExtension(_ekus, test_critical(X509CertExtensions.X509EnhancedKeyUsage)));
_exts.Add(new X509ApplicationPoliciesExtension(_ekus, test_critical(X509CertExtensions.X509ApplicationPolicies)));
break;
case X509CertExtensions.X509CertificatePolicies:
if (CertificatePolicies.Count > 0)
{
X509CertificatePolicyCollection policies = new X509CertificatePolicyCollection();
foreach (Oid poloid in CertificatePolicies)
{
Oid2 oid2 = new Oid2(poloid.Value, OidGroupEnum.IssuancePolicy, true);
X509CertificatePolicy policy = new X509CertificatePolicy(poloid.Value);
try {
policy.Add(new X509PolicyQualifier(oid2.GetCPSLinks()[0]));
} catch { }
policies.Add(policy);
}
_exts.Add(new X509CertificatePoliciesExtension(policies, test_critical(
X509CertExtensions.X509CertificatePolicies)));
}
break;
case X509CertExtensions.X509CertTemplateInfoV2:
if (schemaVersion == 1)
{
_exts.Add(new X509Extension(new Oid(X509CertExtensions.X509CertTemplateInfoV2), Asn1Utils.EncodeBMPString((String)_entry[ActiveDirectory.PropCN]), test_critical(
X509CertExtensions.X509CertTemplateInfoV2)));
}
else
{
Int32 major = (Int32)_entry[ActiveDirectory.PropPkiTemplateMajorVersion];
Int32 minor = (Int32)_entry[ActiveDirectory.PropPkiTemplateMinorVersion];
Oid tempoid = new Oid((String)_entry[ActiveDirectory.PropCertTemplateOid]);
_exts.Add(new X509CertificateTemplateExtension(tempoid, major, minor));
_exts[_exts.Count - 1].Critical = test_critical(X509CertExtensions.X509CertificateTemplate);
}
break;
case X509CertExtensions.X509BasicConstraints:
if (
SubjectType == CertTemplateSubjectType.CA ||
SubjectType == CertTemplateSubjectType.CrossCA ||
(EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.BasicConstraintsInEndEntityCerts) != 0
)
{
Boolean isCA;
if (SubjectType == CertTemplateSubjectType.CA || SubjectType == CertTemplateSubjectType.CrossCA)
{
isCA = true;
}
else
{
isCA = false;
}
Boolean hasConstraints = GetPathLengthConstraint() != -1;
_exts.Add(new X509BasicConstraintsExtension(isCA, hasConstraints, GetPathLengthConstraint(), test_critical(
X509CertExtensions.X509BasicConstraints)));
}
break;
case X509CertExtensions.X509OcspRevNoCheck:
if ((EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.IncludeOcspRevNoCheck) != 0)
{
_exts.Add(new X509Extension(X509CertExtensions.X509OcspRevNoCheck, new Byte[] { 5, 0 }, test_critical(
X509CertExtensions.X509OcspRevNoCheck)));
}
break;
}
}
}
internal MessageSigner(X509PrivateKeyBuilder keyBuilder, Oid2 hashAlgorithm)
: this(hashAlgorithm, keyBuilder.GetPublicKey())
{
_keyInfo = keyBuilder;
}
MessageSigner(Oid2 hashAlg, PublicKey pubKey)
{
PublicKeyAlgorithm = pubKey.Oid;
acquirePublicKey(pubKey);
initializeHashAlgorithm(hashAlg);
}
void get_extensions()
{
schemaVersion = (Int32)_entry.Properties["msPKI-Template-Schema-Version"].Value;
foreach (String oid in new [] { "2.5.29.15", "2.5.29.37", "2.5.29.32", "1.3.6.1.4.1.311.20.2", "2.5.29.19", "1.3.6.1.5.5.7.48.1.5" })
{
switch (oid)
{
case "2.5.29.15":
_exts.Add(new X509KeyUsageExtension(Cryptography.KeyUsage, test_critical("2.5.29.15")));
break;
case "2.5.29.37":
if (_ekus.Count == 0)
{
break;
}
_exts.Add(new X509EnhancedKeyUsageExtension(_ekus, test_critical("2.5.29.37")));
_exts.Add(new X509ApplicationPoliciesExtension(_ekus, test_critical("1.3.6.1.4.1.311.21.10")));
break;
case "2.5.29.32":
if (CertificatePolicies.Count > 0)
{
X509CertificatePolicyCollection policies = new X509CertificatePolicyCollection();
foreach (Oid poloid in CertificatePolicies)
{
Oid2 oid2 = new Oid2(poloid.Value, OidGroupEnum.IssuancePolicy, true);
X509CertificatePolicy policy = new X509CertificatePolicy(poloid.Value);
try {
policy.Add(new X509PolicyQualifier(oid2.GetCPSLinks()[0]));
} catch { }
policies.Add(policy);
}
_exts.Add(new X509CertificatePoliciesExtension(policies, test_critical("2.5.29.32")));
}
break;
case "1.3.6.1.4.1.311.20.2":
if (schemaVersion == 1)
{
_exts.Add(new X509Extension(new Oid("1.3.6.1.4.1.311.20.2"), Asn1Utils.EncodeBMPString((String)_entry.Properties["cn"].Value), test_critical("1.3.6.1.4.1.311.20.2")));
}
else
{
Int32 major = (Int32)_entry.Properties["Revision"].Value;
Int32 minor = (Int32)_entry.Properties["msPKI-Template-Minor-Revision"].Value;
Oid tempoid = new Oid((String)_entry.Properties["msPKI-Cert-Template-OID"].Value);
_exts.Add(new X509CertificateTemplateExtension(tempoid, major, minor));
_exts[_exts.Count - 1].Critical = test_critical("1.3.6.1.4.1.311.21.7");
}
break;
case "2.5.29.19":
if (
SubjectType == "Certification Authority" ||
SubjectType == "Cross Certification Authority" ||
(EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.BasicConstraintsInEndEntityCerts) != 0
)
{
Boolean isCA;
if (SubjectType == "Certification Authority" || SubjectType == "Cross Certification Authority")
{
isCA = true;
}
else
{
isCA = false;
}
Boolean hasConstraints = GetPathLengthConstraint() != -1;
_exts.Add(new X509BasicConstraintsExtension(isCA, hasConstraints, GetPathLengthConstraint(), test_critical("2.5.29.19")));
}
break;
case "1.3.6.1.5.5.7.48.1.5":
if ((EnrollmentOptions & (Int32)CertificateTemplateEnrollmentFlags.IncludeOcspRevNoCheck) != 0)
{
_exts.Add(new X509Extension("1.3.6.1.5.5.7.48.1.5", new Byte[] { 5, 0 }, test_critical("1.3.6.1.5.5.7.48.1.5")));
}
break;
}
}
}
