public static void GenerateSslCertificate(PfxData pfx, Org.BouncyCastle.Security.SecureRandom random)
{
string curveName = "curve25519"; curveName = "secp256k1";
// IIS does not support Elliptic Curve...
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateEcKeyPair(curveName, random);
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateRsaKeyPair(2048, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDsaKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateDHKeyPair(1024, random);
// Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair certKeyPair = KeyGenerator.GenerateGostKeyPair(4096, random);
Org.BouncyCastle.X509.X509Certificate sslCertificate = SelfSignSslCertificate(random, pfx.Certificate, certKeyPair.Public, pfx.PrivateKey);
bool val = CerGenerator.ValidateSelfSignedCert(sslCertificate, pfx.Certificate.GetPublicKey());
// SSL
(string Private, string Public)certKeys = KeyPairToPem(certKeyPair);
PfxFile.Create(@"obelix.pfx", sslCertificate, certKeyPair.Private, "");
WriteCerAndCrt(sslCertificate, @"obelix");
System.IO.File.WriteAllText(@"obelix_private.key", certKeys.Private, System.Text.Encoding.ASCII);
// System.IO.File.WriteAllText(@"obelix_public.key", certKeys.Public, System.Text.Encoding.ASCII);
string pemCert = ToPem(sslCertificate);
System.IO.File.WriteAllText(@"obelix.pem", pemCert, System.Text.Encoding.ASCII);
} // End Sub GenerateSslCertificate
public static void CreateSignature(System.Security.Cryptography.X509Certificates.X509Certificate2 mycert)
{
// https://www.programcreek.com/java-api-examples/?api=org.bouncycastle.x509.X509V3CertificateGenerator
// https://forums.asp.net/t/2154987.aspx?Create+Self+Signed+Certificate+programatically+uisng+C+
// System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromCertFile()
// https://overcoder.net/q/429916/bouncycastle-privatekey-to-x509%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%822-privatekey
// https://www.csharpcodi.com/csharp-examples/Org.BouncyCastle.X509.X509Certificate.GetPublicKey()/
Org.BouncyCastle.Crypto.AsymmetricKeyParameter Akp = Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(mycert.PrivateKey).Private;
// if(mycert.HasPrivateKey)
Org.BouncyCastle.Crypto.AsymmetricKeyParameter bouncyCastlePrivateKey = TransformRSAPrivateKey(mycert.PrivateKey);
Org.BouncyCastle.X509.X509CertificateParser certParser = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate bouncyCertificate = certParser.ReadCertificate(mycert.GetRawCertData());
Org.BouncyCastle.Crypto.AsymmetricKeyParameter pubKey = bouncyCertificate.GetPublicKey();
Org.BouncyCastle.Crypto.IDigest algorithm = Org.BouncyCastle.Security.DigestUtilities.GetDigest(bouncyCertificate.SigAlgOid);
// X509Certificate2Signature signature = new X509Certificate2Signature(mycert, algorithm);
// https://github.com/kusl/itextsharp/blob/master/tags/iTextSharp_5_4_5/src/core/iTextSharp/text/pdf/security/X509Certificate2Signature.cs
// Sign
// PemReader pem = new PemReader();
// pem.ReadPemObject().Headers
// RSACryptoServiceProvider rsa = pem.ReadPrivateKeyFromFile("PrivateKey.pem");
}
public static XadesObject GetXadesObject(XadesInfo xadesInfo, string signatureid)
{
XadesObject xadesObject = new XadesObject();
xadesObject.QualifyingProperties.Target = String.Format("#{0}", signatureid);
xadesObject.QualifyingProperties.SignedProperties.Id = String.Format("{0}-signedprops", signatureid);
SignedSignatureProperties signedSignatureProperties = xadesObject.QualifyingProperties.SignedProperties.SignedSignatureProperties;
var x509CertificateParser = new Org.BouncyCastle.X509.X509CertificateParser();
X509Certificate bouncyCert = x509CertificateParser.ReadCertificate(Convert.FromBase64String(xadesInfo.RawPK));
var cert = new Cert
{
IssuerSerial =
{
X509IssuerName = GetOidRepresentation(bouncyCert.IssuerDN.ToString()),
X509SerialNumber = bouncyCert.SerialNumber.ToString()
}
};
cert.CertDigest.DigestMethod.Algorithm = CPSignedXml.XmlDsigGost3411UrlObsolete;
var rawCertData = Convert.FromBase64String(xadesInfo.RawPK);
var pkHash = HashAlgorithm.Create("GOST3411");
var hashValue = pkHash.ComputeHash(rawCertData);
cert.CertDigest.DigestValue = hashValue;
signedSignatureProperties.SigningCertificate.CertCollection.Add(cert);
signedSignatureProperties.SigningTime = GetSigningTimeOffset(xadesInfo.SigningDateTimeUTC, xadesInfo.TimeZoneOffsetMinutes);
return(xadesObject);
}
public static void Sign(IExternalSignature externalSignature, X509Certificate2 rawCertificate, string sourcePdfPath, string destinationPdfPath)
{
if (externalSignature == null)
{
throw new ArgumentNullException(nameof(externalSignature));
}
if (rawCertificate == null)
{
throw new ArgumentNullException(nameof(rawCertificate));
}
if (sourcePdfPath == null)
{
throw new ArgumentNullException(nameof(sourcePdfPath));
}
if (destinationPdfPath == null)
{
throw new ArgumentNullException(nameof(destinationPdfPath));
}
using PdfReader reader = new PdfReader(sourcePdfPath);
Org.BouncyCastle.X509.X509Certificate bCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(rawCertificate);
Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[] { bCert };
using FileStream stream = new FileStream(destinationPdfPath, FileMode.OpenOrCreate);
PdfSigner signer = new PdfSigner(reader, stream, new StampingProperties());
signer.SetSignatureEvent(new SignatureEvent());
signer.SignDetached(externalSignature, chain, null, null, null, 0, PdfSigner.CryptoStandard.CADES);
}
private void SignManigestFile(PassGeneratorRequest request)
{
X509Certificate2 card = GetCertificate(request);
if (card == null)
{
throw new FileNotFoundException("Certificate could not be found. Please ensure the thumbprint and cert location values are correct.");
}
Org.BouncyCastle.X509.X509Certificate cert = DotNetUtilities.FromX509Certificate(card);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey = DotNetUtilities.GetKeyPair(card.PrivateKey).Private;
X509Certificate2 appleCA = GetAppleCertificate(request);
Org.BouncyCastle.X509.X509Certificate appleCert = DotNetUtilities.FromX509Certificate(appleCA);
ArrayList intermediateCerts = new ArrayList();
intermediateCerts.Add(appleCert);
intermediateCerts.Add(cert);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(intermediateCerts);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
CmsSignedDataGenerator generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedDataGenerator.DigestSha1);
generator.AddCertificates(st1);
CmsProcessable content = new CmsProcessableByteArray(manifestFile);
CmsSignedData signedData = generator.Generate(content, false);
signatureFile = signedData.GetEncoded();
}
public ValidationResponse ValidateCertificate(X509Certificate2 certificate, X509Certificate2 issuer)
{
Org.BouncyCastle.X509.X509Certificate certificateBC = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate);
try
{
Asn1Object derAiaExtension = Asn1Object.FromByteArray(certificateBC.GetExtensionValue(new DerObjectIdentifier("1.3.6.1.5.5.7.1.1")).GetOctets());
Asn1InputStream asn1Stream = new Asn1InputStream(derAiaExtension.GetDerEncoded());
Asn1Sequence asn1Sequence = (Asn1Sequence)asn1Stream.ReadObject();
foreach (Asn1Encodable entry in asn1Sequence)
{
AccessDescription aiaEntry = AccessDescription.GetInstance(entry.ToAsn1Object());
if (aiaEntry.AccessMethod.Id == AccessDescription.IdADOcsp.Id)
{
Console.Out.WriteLine(aiaEntry.AccessLocation.ToString());
GeneralName gn = (GeneralName)aiaEntry.AccessLocation;
ValidationResponse validationResponse = ValidateCertificate(certificate, issuer, gn.Name.ToString());
if ((validationResponse.status == ValidationExtensions.Enums.CertificateStatus.VALID) ||
(validationResponse.status == ValidationExtensions.Enums.CertificateStatus.REVOKED))
{
return(validationResponse);
}
}
}
}
catch (NullReferenceException)
{
// No Access Information Exception
}
return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN));
}
public static X509Certificate2 ToX509Certificate2(
Org.BouncyCastle.X509.X509Certificate BouncyCert,
SecureRandom RandomProvider,
AsymmetricCipherKeyPair KeyPair)
{
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(BouncyCert);
string friendlyName = BouncyCert.SubjectDN.ToString();
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(KeyPair.Private), new[] { certificateEntry });
var stream = new MemoryStream();
var password = KeyPair.Private.GetHashCode().ToString();
store.Save(stream, password.ToCharArray(), RandomProvider);
//convert from stream
var convertedCertificate =
new X509Certificate2(
stream.ToArray(), password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
/// <summary>
/// Create a X509Certificate2 with a private key by combining
/// a bouncy castle X509Certificate and private key parameters.
/// </summary>
private static X509Certificate2 CreateCertificateWithPrivateKey(
Org.BouncyCastle.X509.X509Certificate certificate,
string friendlyName,
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey,
Org.BouncyCastle.Security.SecureRandom random)
{
// create pkcs12 store for cert and private key
using (MemoryStream pfxData = new MemoryStream())
{
var builder = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
var pkcsStore = builder.Build();
var chain = new Org.BouncyCastle.Pkcs.X509CertificateEntry[1];
string passcode = Guid.NewGuid().ToString();
chain[0] = new Org.BouncyCastle.Pkcs.X509CertificateEntry(certificate);
if (string.IsNullOrEmpty(friendlyName))
{
friendlyName = GetCertificateCommonName(certificate);
}
pkcsStore.SetKeyEntry(friendlyName, new Org.BouncyCastle.Pkcs.AsymmetricKeyEntry(privateKey), chain);
pkcsStore.Save(pfxData, passcode.ToCharArray(), random);
// merge into X509Certificate2
return(CertificateFactory.CreateCertificateFromPKCS12(pfxData.ToArray(), passcode));
}
}
private void sign(X509Certificate2 cert, String imput, String output)
{
string SourcePdfFileName = imput;
string DestPdfFileName = output;
string requerente = "";
Org.BouncyCastle.X509.X509CertificateParser cp = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[] { cp.ReadCertificate(cert.RawData) };
IExternalSignature externalSignature = new X509Certificate2Signature(cert, "SHA-1");
PdfReader pdfReader = new PdfReader(SourcePdfFileName);
FileStream signedPdf = new FileStream(DestPdfFileName, FileMode.Create); //the output pdf file
PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, signedPdf, '\0');
PdfSignatureAppearance signatureAppearance = pdfStamper.SignatureAppearance;
requerente = cert.Subject.Replace("CN=", "").Replace("OU=", "").Replace("DC=", "").Replace("O=", "").Replace("C=", "");
signatureAppearance.SetVisibleSignature(new iTextSharp.text.Rectangle(250, 30, 550, 80), 1, "Signature");
signatureAppearance.Layer2Text = "Assinado de forma digital por " + requerente + Environment.NewLine + "Dados:" + DateTime.Now;
string pathImage = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "assinatura.png");
var image = iTextSharp.text.Image.GetInstance(pathImage);
signatureAppearance.SignatureGraphic = image;
//signatureAppearance.SignatureRenderingMode = PdfSignatureAppearance.RenderingMode.DESCRIPTION;
signatureAppearance.SignatureRenderingMode = PdfSignatureAppearance.RenderingMode.GRAPHIC_AND_DESCRIPTION;
//signatureAppearance.SignatureRenderingMode = PdfSignatureAppearance.RenderingMode.DESCRIPTION;
MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CMS);
}
private static byte[] GeneratePkcs1Signature(Session session, RsaKeyParameters rsaPubKeyParams,
X509Certificate bcSigningCertificate, byte[] pkcs1DigestInfo)
{
//Correlate with HSM
var privKeySearchTemplate = new List <ObjectAttribute>
{
new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
new ObjectAttribute(CKA.CKA_MODULUS, rsaPubKeyParams.Modulus.ToByteArrayUnsigned()),
new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, rsaPubKeyParams.Exponent.ToByteArrayUnsigned())
};
var privateKeyHandles = session.FindAllObjects(privKeySearchTemplate);
if (privateKeyHandles.Count != 1)
{
throw new HsmObjectNotFoundException(
string.Format(
"Private key correlation failed for signing cert \r\n{0} \r\n CKA_MODULUS: {1} \r\n CKA_PUBLIC_EXPONENT {2},",
bcSigningCertificate,
rsaPubKeyParams.Modulus,
rsaPubKeyParams.Exponent));
}
byte[] pkcs1Signature;
using (var mechanism = new Mechanism(CKM.CKM_RSA_PKCS))
{
pkcs1Signature = session.Sign(mechanism, privateKeyHandles.Single(), pkcs1DigestInfo);
}
return(pkcs1Signature);
}
private void SignManigestFile(PassGeneratorRequest request, string manifestFileAndPath)
{
byte[] dataToSign = File.ReadAllBytes(manifestFileAndPath);
X509Certificate2 card = GetCertificate(request);
Org.BouncyCastle.X509.X509Certificate cert = DotNetUtilities.FromX509Certificate(card);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey = DotNetUtilities.GetKeyPair(card.PrivateKey).Private;
X509Certificate2 appleCA = GetAppleCertificate();
Org.BouncyCastle.X509.X509Certificate appleCert = DotNetUtilities.FromX509Certificate(appleCA);
ArrayList intermediateCerts = new ArrayList();
intermediateCerts.Add(appleCert);
intermediateCerts.Add(cert);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(intermediateCerts);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
CmsSignedDataGenerator generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedDataGenerator.DigestSha1);
generator.AddCertificates(st1);
CmsProcessable content = new CmsProcessableByteArray(dataToSign);
CmsSignedData signedData = generator.Generate(content, false);
string outputDirectory = Path.GetDirectoryName(manifestFileAndPath);
string signatureFileAndPath = Path.Combine(outputDirectory, "signature");
File.WriteAllBytes(signatureFileAndPath, signedData.GetEncoded());
}
/// <summary>
/// Gets the .NET certificate from the bouncy castle certificate.
/// </summary>
/// <param name="cert">The certificate.</param>
/// <param name="friendlyName">The friendly name.</param>
/// <param name="keyPair">The key pair.</param>
/// <param name="random">A random number generator.</param>
/// <returns></returns>
protected X509Certificate2 GetWindowsCertFromGenerated(Org.BouncyCastle.X509.X509Certificate cert,
string friendlyName, AsymmetricKeyParameter privateKey, SecureRandom random)
{
// Create a PKS store.
var store = new Pkcs12Store();
// Generate a cert entry
var certificateEntry = new X509CertificateEntry(cert);
// Add it into the in-memory store.
store.SetCertificateEntry(friendlyName, certificateEntry);
// Add the key.
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(privateKey), new[] { certificateEntry });
var stream = new MemoryStream();
// Save the store to a stream..
store.Save(stream, STOREPASSWORD.ToCharArray(), random);
// Now load that same certificate.
var convertedCertificate =
new X509Certificate2(
stream.ToArray(), STOREPASSWORD,
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(convertedCertificate);
}
public byte[] Sign(byte[] cmsData)
{
IList certs = new List <X509Certificate>();
byte[] signBytes = File.ReadAllBytes(GetFile());
X509Certificate2 signCert = new X509Certificate2(signBytes, Key, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
certs.Add(DotNetUtilities.FromX509Certificate(signCert));
IX509Store x509Certs = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certs));
CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
AsymmetricCipherKeyPair pair = DotNetUtilities.GetKeyPair(signCert.PrivateKey);
X509Certificate bX509Certificate = DotNetUtilities.FromX509Certificate(signCert);
gen.AddSigner(pair.Private, bX509Certificate, CmsSignedGenerator.DigestSha1);
gen.AddSigner(pair.Private, bX509Certificate, CmsSignedGenerator.DigestSha256);
CmsSignedData unsignedData = new CmsSignedData(cmsData);
gen.AddCertificates(x509Certs);
CmsProcessable msg = new CmsProcessableByteArray(unsignedData.GetEncoded());
CmsSignedData cmsSignedData = gen.Generate(CmsSignedGenerator.Data, msg, true);
byte[] p7MData = cmsSignedData.GetEncoded();
return(p7MData);
}
// https://git.itextsupport.com/projects/I5N/repos/itextsharp/browse/src/core/iTextSharp/text/pdf/security
public static void Test(System.Security.Cryptography.X509Certificates.X509Certificate2 cert)
{
Org.BouncyCastle.X509.X509CertificateParser parser = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate bouncyCertificate = parser.ReadCertificate(cert.RawData);
string algorithm = DigestAlgorithms.GetDigest(bouncyCertificate.SigAlgOid);
X509Certificate2Signature signature = new X509Certificate2Signature(cert, algorithm);
}
protected static byte[] GenerateSignature(byte[] manifest, X509Certificate2 appleCert, X509Certificate2 passCert)
{
X509Certificate apple = DotNetUtilities.FromX509Certificate(appleCert);
X509Certificate cert = DotNetUtilities.FromX509Certificate(passCert);
var privateKey = DotNetUtilities.GetKeyPair(passCert.PrivateKey).Private;
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedGenerator.DigestSha1);
var list = new List <X509Certificate>();
list.Add(cert);
list.Add(apple);
X509CollectionStoreParameters storeParameters = new X509CollectionStoreParameters(list);
IX509Store store509 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParameters);
generator.AddCertificates(store509);
var content = new CmsProcessableByteArray(manifest);
var signature = generator.Generate(content, false).GetEncoded();
return(signature);
}
internal Boolean ValidateServerCertificate(
Object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors
)
{
log.Info("Validating certificate");
var foundPins = new List <String>();
foreach (X509ChainElement c in chain.ChainElements)
{
var certParser = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate cert = certParser.ReadCertificate(c.Certificate.RawData);
Org.BouncyCastle.Asn1.X509.X509CertificateStructure certStruct = cert.CertificateStructure;
String peerPin = Fingerprint(certStruct);
log.Info("Peer pin: " + peerPin);
foundPins.Add(peerPin);
if (this.Matches(peerPin))
{
return(true);
}
}
return(false);
}
public void Sign(string inputPath, string outPath, string imagePath, bool visible = true)
{
X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection sel = X509Certificate2UI.SelectFromCollection(store.Certificates, null, null, X509SelectionFlag.SingleSelection);
X509Certificate2 cert = sel[0];
Org.BouncyCastle.X509.X509CertificateParser cp = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[] {
cp.ReadCertificate(cert.RawData)
};
IExternalSignature externalSignature = new X509Certificate2Signature(cert, "SHA-1");
PdfReader pdfReader = new PdfReader(inputPath);
var signedPdf = new FileStream(outPath, FileMode.Create);
var pdfStamper = PdfStamper.CreateSignature(pdfReader, signedPdf, '\0');
PdfSignatureAppearance signatureAppearance = pdfStamper.SignatureAppearance;
if (imagePath != null && imagePath != string.Empty)
{
signatureAppearance.SignatureGraphic = Image.GetInstance(imagePath);
}
signatureAppearance.SetVisibleSignature(new Rectangle(100, 100, 250, 150), pdfReader.NumberOfPages, "Signature");
signatureAppearance.SignatureRenderingMode = PdfSignatureAppearance.RenderingMode.GRAPHIC_AND_DESCRIPTION;
MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CMS);
Process.Start(outPath);
}
/// <inheritdoc />
public async Task <AsymmetricKeyParameter> GetResponderPublicKey(X509Certificate caCertificate)
{
var dotNetCertificate = new X509Certificate2(caCertificate.GetEncoded());
var privateKey = await OcspResponderRepository.GetResponderPrivateKey(dotNetCertificate);
return(DotNetUtilities.GetKeyPair(privateKey).Public);
}
public void setKeyStore(X509Certificate2 cert, string hashAlgorithm) //Getkey
{
/*GET Certificate chain from Cert and translate info x509 Bouncycastle List*/
Org.BouncyCastle.X509.X509Certificate bcCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(cert); // ไม่ได้เก็ต ของผู้ออก Certificate Chain มาด้วย
chain = new List <Org.BouncyCastle.X509.X509Certificate> {
bcCert
};
// Initial .netx509 certchain and build chain
X509Chain cert_chain = new X509Chain();
cert_chain.Build(cert);
int i = 0;
//Add chain into bouncyCastle.chain
foreach (X509ChainElement entry in cert_chain.ChainElements)
{
if (i != 0)//Skip first certchain due to cert_chain.Build provided first chain(entry.chain.[0])
{
this.chain.Add(Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(entry.Certificate));
}
i++;
}
this.signature = new RSAProviderPrivateKey(cert, hashAlgorithm);
}
/// <param name="issuerCertificate"></param>
/// <inheritdoc />
public async Task <X509Certificate[]> GetChain(X509Certificate issuerCertificate)
{
var dotNetCertificate = new X509Certificate2(issuerCertificate.GetEncoded());
var certificates = await OcspResponderRepository.GetChain(dotNetCertificate);
return(certificates.Select(DotNetUtilities.FromX509Certificate).ToArray());
}
public async Task SaveCertificateAsync(string orderUrl, X509Certificate certificate)
{
FileSystemCertCollectionFormat collectionFormat = await GetFileSystemCertCollectionFormat();
if (collectionFormat.Certs.Count > 64)
{
_logger.LogInformation("Too many saved certs, culling old records");
IEnumerable <KeyValuePair <string, FileSystemCertFormat> > oldRecords =
collectionFormat.Certs.ToArray().OrderBy(i => i.Value.NotAfter).Take(32);
foreach (var oldRecord in oldRecords)
{
_logger.LogInformation($"Remove cert {oldRecord.Key}");
collectionFormat.Certs.Remove(oldRecord.Key);
}
}
byte[] serialized = _certCodec.Encode(certificate);
string serializedStr = Convert.ToBase64String(serialized);
collectionFormat.Certs[orderUrl] = new FileSystemCertFormat
{
NotAfter = new DateTimeOffset(certificate.NotAfter).ToUnixTimeMilliseconds(),
NotBefore = new DateTimeOffset(certificate.NotBefore).ToUnixTimeMilliseconds(),
Val = serializedStr
};
await SaveFileSystemCertCollectionFormat(collectionFormat);
}
public static X509Certificate2 GetCertificateWithPrivateKey(X509Certificate bcCertificate, AsymmetricCipherKeyPair keyPair)
{
Assert.IsType <RsaPrivateCrtKeyParameters>(keyPair.Private);
var privateKeyParameters = (RsaPrivateCrtKeyParameters)keyPair.Private;
#if IS_DESKTOP
RSA privateKey = DotNetUtilities.ToRSA(privateKeyParameters);
var certificate = new X509Certificate2(bcCertificate.GetEncoded());
certificate.PrivateKey = privateKey;
#else
RSAParameters rsaParameters = DotNetUtilities.ToRSAParameters(privateKeyParameters);
var privateKey = new RSACryptoServiceProvider();
privateKey.ImportParameters(rsaParameters);
X509Certificate2 certificate;
using (var certificateTmp = new X509Certificate2(bcCertificate.GetEncoded()))
{
certificate = RSACertificateExtensions.CopyWithPrivateKey(certificateTmp, privateKey);
}
#endif
return(certificate);
}
public void sign(X509Certificate2 cert, String filename, String imageName, String output)
{
Org.BouncyCastle.X509.X509CertificateParser cp = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[] {
cp.ReadCertificate(cert.RawData)
};
IExternalSignature externalSignature = new X509Certificate2Signature(cert, "SHA-1");
PdfReader pdfReader = new PdfReader(filename);
FileStream signedPdf = new FileStream(output, FileMode.Create);
PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, signedPdf, '\0');
PdfSignatureAppearance signatureAppearance = pdfStamper.SignatureAppearance;
Image img = Image.GetInstance(imageName);
img.Alignment = iTextSharp.text.Image.UNDERLYING;
signatureAppearance.SignatureGraphic = img;
signatureAppearance.Acro6Layers = true;
int x = Convert.ToInt32(xTextBox.Text);
int y = Convert.ToInt32(yTextBox.Text);
int w = Convert.ToInt32(widthTextBox.Text);
int h = Convert.ToInt32(heightTextBox.Text);
signatureAppearance.SetVisibleSignature(new iTextSharp.text.Rectangle(x, y, w, h), pdfReader.NumberOfPages, "Signature");
signatureAppearance.SignatureRenderingMode = PdfSignatureAppearance.RenderingMode.GRAPHIC_AND_DESCRIPTION;
MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CMS);
}
} // End Sub WritePrivatePublicKey
public static void WriteCerAndCrt(
string fileName
, Org.BouncyCastle.X509.X509Certificate certificate
)
{
using (System.IO.Stream fs = System.IO.File.Open(fileName + ".cer", System.IO.FileMode.Create))
{
byte[] buf = certificate.GetEncoded();
fs.Write(buf, 0, buf.Length);
fs.Flush();
} // End Using fs
// new System.Text.ASCIIEncoding(false)
// new System.Text.UTF8Encoding(false)
using (System.IO.Stream fs = System.IO.File.Open(fileName + ".crt", System.IO.FileMode.Create))
{
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.ASCII))
{
byte[] buf = certificate.GetEncoded();
string pem = ToPem(buf);
sw.Write(pem);
sw.Flush();
fs.Flush();
} // End Using sw
} // End Using fs
} // End Sub WriteCerAndCrt
// https://www.csharpcodi.com/csharp-examples/Org.BouncyCastle.X509.X509Certificate.GetPublicKey()/
public static bool CheckRequestSignature(
byte[] serializedSpeechletRequest
, string expectedSignature
, Org.BouncyCastle.X509.X509Certificate cert)
{
byte[] expectedSig = null;
try
{
expectedSig = System.Convert.FromBase64String(expectedSignature);
}
catch (System.FormatException)
{
return(false);
}
Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters publicKey =
(Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)cert.GetPublicKey();
Org.BouncyCastle.Crypto.ISigner signer =
Org.BouncyCastle.Security.SignerUtilities.GetSigner("Sdk.SIGNATURE_ALGORITHM");
signer.Init(false, publicKey);
signer.BlockUpdate(serializedSpeechletRequest, 0, serializedSpeechletRequest.Length);
return(signer.VerifySignature(expectedSig));
}
} // End Sub GenerateSslCertificate
public static void Test(
Org.BouncyCastle.X509.X509Certificate sslCertificate,
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair sslCertificateKeyPair
)
{
string pemCert = ToPem(sslCertificate);
// SSL
(string Private, string Public)certKeys = KeyPairToPem(sslCertificateKeyPair);
System.ReadOnlySpan <char> certSpan = System.MemoryExtensions.AsSpan(pemCert);
System.ReadOnlySpan <char> keySpan = System.MemoryExtensions.AsSpan(certKeys.Private);
System.Security.Cryptography.X509Certificates.X509Certificate2 certSslLoaded = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPem(certSpan, keySpan);
System.Console.WriteLine(sslCertificate);
System.Console.WriteLine(certSslLoaded);
Org.BouncyCastle.X509.X509Certificate certly = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certSslLoaded);
// bool b = certly.Equals(rootCertificate);
// System.Console.WriteLine(b);
// certly.GetPublicKey()
Org.BouncyCastle.X509.X509Certificate cert = ReadCertificate("obelix.pem");
System.Console.WriteLine(cert);
} // End Sub Test
public static string GetOidValue(Org.BouncyCastle.X509.X509Certificate certificate, string oidKey)
{
var oidValue = default(string);
if (certificate.GetSubjectAlternativeNames() != null)
{
var alternativeNames = certificate
.GetSubjectAlternativeNames()
.Cast <ArrayList>()
.Where(o => o.Count == 2 && o[0].GetType() == typeof(int));
var oidKeys = alternativeNames
.Where(o => o[1] != null)
.Select(o => o[1].ToString());
var oidValues = oidKeys
.Where(o => o.Contains('['))
.Where(o => o.Substring(1, o.IndexOf(',') - 1) == oidKey);
oidValue = oidValues
.FirstOrDefault();
}
return(FormatOidValue(oidValue));
}
private void init(string aPfxFilePath, string aPassword)
{
FileStream fin = new FileStream(aPfxFilePath, FileMode.Open, FileAccess.Read);
Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
Pkcs12Store pkcs12Store = storeBuilder.Build();
pkcs12Store.Load(fin, aPassword.ToCharArray());
fin.Close();
IEnumerable aliases = pkcs12Store.Aliases;
IEnumerator aliasesEnumerator = aliases.GetEnumerator();
while (aliasesEnumerator.MoveNext())
{
string alias = (string)aliasesEnumerator.Current;
signingBouncyCert = pkcs12Store.GetCertificate(alias);
X509Certificate x509Certificate = signingBouncyCert.Certificate;
ECertificate cert = new ECertificate(x509Certificate.GetEncoded());
EKeyUsage eKeyUsage = cert.getExtensions().getKeyUsage();
bool isDigitalSignature = eKeyUsage.isDigitalSignature();
if (isDigitalSignature)
{
signingBouncyKeyEntry = pkcs12Store.GetKey(alias);
signingCertificate = cert;
break;
}
}
}
public static string X509Certificate2ToPEM(X509Certificate2 cert)
{
try
{
if (cert.HasPrivateKey)
{
byte[] pkcsarray = cert.Export(X509ContentType.Pkcs12);
if (pkcsarray.Length == 0)
{
throw new CryptoException("Empty PKCS12 Array");
}
X509Certificate certout = null;
AsymmetricKeyParameter priv = null;
using (MemoryStream ms = new MemoryStream(pkcsarray))
{
Pkcs12Store pkstore = new Pkcs12Store();
pkstore.Load(ms, new char[] { });
foreach (string s in pkstore.Aliases.Cast <string>())
{
X509CertificateEntry entry = pkstore.GetCertificate(s);
if (entry != null)
{
certout = entry.Certificate;
}
AsymmetricKeyEntry kentry = pkstore.GetKey(s);
if (kentry != null)
{
priv = kentry.Key;
}
}
if (certout == null)
{
throw new CryptoException("Certificate not found");
}
}
using (StringWriter sw = new StringWriter())
{
PemWriter pemWriter = new PemWriter(sw);
pemWriter.WriteObject(certout);
if (priv != null)
{
pemWriter.WriteObject(priv);
}
sw.Flush();
return(sw.ToString());
}
}
X509Certificate c = DotNetUtilities.FromX509Certificate(cert);
return(DumpOnePEM(c, null));
// return cert.Export(X509ContentType.SerializedCert).ToUTF8String();
}
catch (Exception e)
{
throw new CryptoException($"Unable to open pkcs12, wrong password?. {e.Message}", e);
}
}
/// <summary>
/// Initialisiert eine neue Instanz der <see cref="Pkcs7EncryptionHandler"/> Klasse.
/// </summary>
/// <param name="senderCertificate">Das X509-Zertifikat des Absenders (PKCS#12)</param>
/// <param name="receiverCertificate">Das X509-Zertifikat des Empfängers</param>
/// <param name="oldSenderCertificates">Die abgelaufenen X509-Zertifikate des Absenders</param>
public Pkcs7EncryptionHandler(Pkcs12Store senderCertificate, X509Certificate receiverCertificate, IEnumerable <Pkcs12Store> oldSenderCertificates = null)
{
#if SUPPORTS_PKCS_SIGNING
_encryptionHandler = new NativePkcs7EncryptionHandler(senderCertificate, receiverCertificate, oldSenderCertificates);
#else
_encryptionHandler = new BouncyCastlePkcs7EncryptionHandler(senderCertificate, receiverCertificate, oldSenderCertificates);
#endif
}
/// <summary>
/// Initialisiert eine neue Instanz der <see cref="Pkcs7EncryptionHandler"/> Klasse.
/// </summary>
/// <param name="senderCertificate">Das X509-Zertifikat des Absenders (PKCS#12)</param>
/// <param name="receiverCertificate">Das X509-Zertifikat des Empfängers</param>
/// <param name="oldSenderCertificates">Die abgelaufenen X509-Zertifikate des Absenders</param>
public Pkcs7EncryptionHandler(Pkcs12Store senderCertificate, X509Certificate receiverCertificate, IEnumerable<Pkcs12Store> oldSenderCertificates = null)
{
#if NET45
var senderCert = ConvertToCertificate2(senderCertificate);
var recCert = ConvertToCertificate2(receiverCertificate);
var oldSenderCerts = oldSenderCertificates?.Select(ConvertToCertificate2);
_encryptionHandler = new NativePkcs7EncryptionHandler(senderCert, recCert, oldSenderCerts);
#else
_encryptionHandler = new BouncyCastlePkcs7EncryptionHandler(senderCertificate, receiverCertificate, oldSenderCertificates);
#endif
}
private static byte[] GenerateOcspRequest(BigInteger subjectSerialNumber, X509Certificate issuerCert)
{
// We need a request generator.
var generator = new OcspReqGenerator();
// Then we add the certificate we're asking about to it.
generator.AddRequest(new CertificateID(CertificateID.HashSha1, issuerCert, subjectSerialNumber));
// Then we generate the DER-encoded request.
var req = generator.Generate();
return req.GetEncoded();
}
virtual protected void SignWithCertificate(String src, String dest, ICipherParameters pk,
X509Certificate[] chain, String digestAlgorithm) {
// Creating the reader and the stamper
PdfReader reader = new PdfReader(src);
FileStream os = new FileStream(dest, FileMode.Create);
PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
// Creating the appearance
XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;
appearance.SetXmlLocator(new XfaXmlLocator(stamper));
// Creating the signature
IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
MakeXmlSignature.SignXmlDSig(appearance, pks, chain);
}
virtual protected void SignXades(String src, String dest, ICipherParameters pk,
X509Certificate[] chain, String digestAlgorithm, bool includeSignaturePolicy) {
// Creating the reader and the stamper
PdfReader reader = new PdfReader(src);
FileStream os = new FileStream(dest, FileMode.Create);
PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
// Creating the appearance
XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;
appearance.SetXmlLocator(new XfaXmlLocator(stamper));
appearance.SetDescription("Simple xfa form");
// Creating the signature
IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
MakeXmlSignature.SignXades(appearance, pks, chain, includeSignaturePolicy);
}
virtual protected void SignPackageWithCertificate(String src, String dest, XfaXpathConstructor.XdpPackage xdpPackage,
ICipherParameters pk, X509Certificate[] chain, String digestAlgorithm) {
// Creating the reader and the stamper
PdfReader reader = new PdfReader(src);
FileStream os = new FileStream(dest, FileMode.Create);
PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
// Creating the appearance
XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;
//Set XfaXmlLocator to control getting and setting Document
appearance.SetXmlLocator(new XfaXmlLocator(stamper));
// Set XpathConstructor, to construct xpath expression for signing an xdp package
appearance.SetXpathConstructor(new XfaXpathConstructor(xdpPackage));
// Creating the signature
IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
MakeXmlSignature.SignXmlDSig(appearance, pks, chain);
}
public CertificateManager(CertificateCache certificateCache, AsymmetricCipherKeyPair caKeyPair, X509Certificate caCertificate)
{
_certificateCache = certificateCache;
_caKeyPair = caKeyPair;
_caCertificate = caCertificate;
}
private static void SetSigCryptoFromX509(PdfSignatureAppearance sigAppearance, X509Certificate2 card, X509Certificate[] chain)
{
sigAppearance.SetCrypto(null, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
var dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1)
{
Date = new PdfDate(sigAppearance.SignDate),
Name = PdfPKCS7.GetSubjectFields(chain[0]).GetField("CN"),
Reason = sigAppearance.Reason,
Location = sigAppearance.Location
};
sigAppearance.CryptoDictionary = dic;
const int csize = 4000;
var exc = new Dictionary<PdfName, int> { { PdfName.CONTENTS, csize * 2 + 2 } };
sigAppearance.PreClose(exc);
HashAlgorithm sha = new SHA1CryptoServiceProvider();
var s = sigAppearance.RangeStream;
int read;
var buff = new byte[8192];
while ((read = s.Read(buff, 0, 8192)) > 0)
{
sha.TransformBlock(buff, 0, read, buff, 0);
}
sha.TransformFinalBlock(buff, 0, 0);
var pk = SignMsg(sha.Hash, card, false);
var outc = new byte[csize];
var dic2 = new PdfDictionary();
Array.Copy(pk, 0, outc, 0, pk.Length);
dic2.Put(PdfName.CONTENTS, new PdfString(outc).SetHexWriting(true));
sigAppearance.Close(dic2);
}
private static void SetSigCryptoFromCipherParam(PdfSignatureAppearance sigAppearance, ICipherParameters key, X509Certificate[] chain)
{
sigAppearance.SetCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
}
private static byte[] EncryptData(byte[] data, X509Certificate encryptionCertificate)
{
var dataGenerator = new CmsEnvelopedDataGenerator();
dataGenerator.AddKeyTransRecipient(encryptionCertificate);
var encryptedData = dataGenerator.Generate(new CmsProcessableByteArray(data), CmsEnvelopedGenerator.Aes256Cbc);
return encryptedData.GetEncoded();
}
public Signature(FileFormat fileFormat, X509Certificate2 certificate)
{
FileFormat = fileFormat;
Certificate = certificate;
CertificateBouncyCastle = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate);
}
public Signature(FileFormat fileFormat, Org.BouncyCastle.X509.X509Certificate certificateBC)
{
FileFormat = fileFormat;
Certificate = new X509Certificate2(certificateBC.GetEncoded());
CertificateBouncyCastle = certificateBC;
}
private static X509Certificate2 ConvertToCertificate2(X509Certificate cert)
{
return new X509Certificate2(cert.GetEncoded());
}
private static string GetSignatureText(X509Certificate x509Certificate, PdfSignatureParameters parameters)
{
Dictionary<string, string> subjectFields = CertificateHelper.GetSubjectFields(x509Certificate);
string surName = subjectFields.Keys.Contains("SURNAME") ? subjectFields["SURNAME"] : string.Empty;
string givenName = subjectFields.Keys.Contains("GIVENNAME") ? subjectFields["GIVENNAME"] : string.Empty;
string signDate = DateTime.Now.ToString("d.M.yyyy");
return parameters.SignatureTemplate
.Replace("{lastname}", UppercaseFirst(surName))
.Replace("{firstname}", UppercaseFirst(givenName))
.Replace("{signdate}", signDate);
}
