/// <summary>
/// append password to CSR: csrWithPassword = (csr, password)
/// </summary>
/// <param name="csr"></param>
/// <param name="password"></param>
/// <returns>CSR that contains password</returns>
public byte[] AppendPassword(byte[] csr, string password)
{
if (csr == null)
{
throw new ArgumentNullException(nameof(csr));
}
if (string.IsNullOrEmpty(password))
{
throw new ArgumentNullException(nameof(password));
}
var originalCsr = new Pkcs10CertificationRequest(csr);
CertificationRequestInfo cri = originalCsr.GetCertificationRequestInfo();
DerSet attributesSet = AddPasswordAttribute(password, cri.Attributes);
AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(cri.SubjectPublicKeyInfo);
string signatureAlgorithm = originalCsr.SignatureAlgorithm.Algorithm.Id;
// build new CSR from original + password attribute
var csrWithPassword =
new Pkcs10CertificationRequestDelaySigned(signatureAlgorithm, cri.Subject, publicKey, attributesSet);
// this signing key is not used for signing but here only to suppress exception thrown in ctor
csrWithPassword.SignRequest(new byte[] { });
var csrWithPasswordBytes = csrWithPassword.GetDerEncoded();
return(csrWithPasswordBytes);
}
public void GenerateCsr(Pkcs11KeyInfo privKeyInfo, Pkcs11KeyInfo pubKeyInfo, DnEntry[] dnEntries, HashAlgorithm hashAlgorithm, out string fileName, out byte[] fileContent)
{
string signatureAlgorithmOid = hashAlgorithm.SignatureAlgorithmOid[(CKK)privKeyInfo.CkaKeyType];
X509Name x509Name = Utils.CreateX509Name(dnEntries);
AsymmetricKeyParameter publicKeyParameters = GetPubKeyParams(privKeyInfo, pubKeyInfo);
if (signatureAlgorithmOid.Length == 0)
{
signatureAlgorithmOid = "SHA256withECDSA";
}
Pkcs10CertificationRequestDelaySigned pkcs10 = new Pkcs10CertificationRequestDelaySigned(signatureAlgorithmOid, x509Name, publicKeyParameters, null);
byte[] dataToSign = pkcs10.GetDataToSign();
byte[] digest = hashAlgorithm.ComputeDigest(dataToSign);
byte[] digestInfo = digest;
CKM mecha = CKM.CKM_ECDSA;
if ((CKK)privKeyInfo.CkaKeyType == CKK.CKK_RSA)
{
digestInfo = Utils.CreateDigestInfo(digest, hashAlgorithm.Oid);
mecha = CKM.CKM_RSA_PKCS;
}
byte[] signature = null;
using (ISession session = _slot.OpenSession(SessionType.ReadWrite))
using (IMechanism mechanism = session.Factories.MechanismFactory.Create(mecha))
signature = session.Sign(mechanism, privKeyInfo.ObjectHandle, digestInfo);
pkcs10.SignRequest(new DerBitString(signature));
byte[] csr = pkcs10.GetDerEncoded();
fileName = (!string.IsNullOrEmpty(privKeyInfo.CkaLabel)) ? Utils.NormalizeFileName(privKeyInfo.CkaLabel + ".csr") : "pkcs10.csr";
fileContent = csr;
}
public bool GenerarCsr(ref authTokenType token, string privateKeyalias, string publicKeyAlias, string subject, string fileName, string challenge)
{
LunaXml.xmCryptoService client = new xmCryptoService();
try
{
byte[] modulus = new byte[] {};
byte [] exponent = new byte[] {};
this.Extraer(ref token, publicKeyAlias, ref modulus, ref exponent);
RsaKeyParameters param = new RsaKeyParameters(false, new BigInteger(modulus), new BigInteger(exponent));
DerSet derset = null;
if (challenge != null)
{
ChallengePassword chpass = new ChallengePassword(challenge);
derset = new DerSet(chpass);
//IList oid = new ArrayList();
//IList values = new ArrayList();
//oid.Add(PkcsObjectIdentifiers.Pkcs9AtChallengePassword);
//var pass = new DerPrintableString(challenge);
////Asn1OctetString oct = pass.ToAsn1Object(); //new DerOctetString(pass);//Encoding.ASCII.GetBytes(Convert.ToBase64String(Encoding.UTF8.GetBytes("AABBccc22"))));
//X509Extension ext = new X509Extension(false,new DerOctetString(pass.GetEncoded()));
//values.Add(pass);
//X509Extensions extensions = new X509Extensions(oid, values);
//derset = new DerSet(extensions.ToAsn1Object());
}
else
{
derset = new DerSet();
}
//string sub =
//"2.5.4.45=SAT970701NN3 / GATF730321GG5, SERIALNUMBER= / GATF730321HJCRRR01, O=SERVICIO DE ADMINISTRACION TRIBUTARIA, OU=PACNLC091211KC657202";
//+ ", 1.2.840.113549.1.9.7= NtLink2012"
X509Name sub = new X509Name(subject, new ConverterSidetec());
Pkcs10CertificationRequestDelaySigned ds = new Pkcs10CertificationRequestDelaySigned("SHA1WITHRSA", sub, param, derset);
string pafirmar = Convert.ToBase64String(ds.GetDataToSign());
string firmados = Firmar(ref token, pafirmar, privateKeyalias, SignatureModeType.SHA1withRSA);
byte[] bytes = Convert.FromBase64String(firmados);
ds.SignRequest(bytes);
File.WriteAllBytes(fileName, ds.GetDerEncoded());
return(true);
}
catch (Exception ex)
{
Log.Error(ex);
return(false);
}
finally
{
client.Dispose();
}
}
/// <summary>
/// Creates new csr from given CSR + signature
/// </summary>
/// <param name="csr">CSR to be used for appending signature</param>
/// <param name="signature">signature to be appended to CSR</param>
/// <returns>new CSR with signature appended inside</returns>
public byte[] AppendSignature(byte[] csr, byte[] signature)
{
if (csr == null)
{
throw new ArgumentNullException(nameof(csr));
}
var originalCsr = new Pkcs10CertificationRequestDelaySigned(csr);
originalCsr.SignRequest(signature);
byte[] csrBytes = originalCsr.GetDerEncoded();
return(csrBytes);
}
/// <summary>
/// Create a new Subordinate CA certificate request using the setup parameters from a CAConfig object
/// </summary>
/// <remarks>Only System cryptography supported</remarks>
/// <param name="Config">CAConfig object</param>
/// <returns>PKCS#10 certificate request</returns>
public static Pkcs10CertificationRequest CreateSubCA(CAConfig Config)
{
if (Config.profile != CA_Profile.SubCA)
{
throw new ArgumentException("Invalid profile specified", Config.profile.ToString());
}
if (!Config.FIPS140)
{
throw new InvalidParameterException("Only FIPS mode supported");
}
// Serial number
BigInteger serialNumber = new BigInteger(1, BitConverter.GetBytes(DateTime.Now.Ticks));
// Key material
CspParameters cspParam = SysKeyManager.Create(Config.pkSize, Config.pkAlgo, Config.name);
// PKCS#10 Request
Pkcs10CertificationRequestDelaySigned p10 = new Pkcs10CertificationRequestDelaySigned(
Config.sigAlgo,
Config.DN,
SysKeyManager.getPublicKey(cspParam, Config.pkAlgo),
null);
// Signature
byte[] buffer = p10.GetDataToSign();
byte[] signature = SysSigner.Sign(buffer, cspParam, Config.sigAlgo);
p10.SignRequest(signature);
if (!p10.Verify())
{
throw new SignatureException("Cannot validate POP signature");
}
// Create the CA Config file
createPendingCAConfig(Config, serialNumber, p10, "");
return(p10);
}
private bool saveAs(bool Signed)
{
//SaveFileDialog dialog;
mSubjectItemsOIDs.Add(X509Name.C);
mSubjectItemsOIDs.Add(X509Name.OU);
mSubjectItemsOIDs.Add(X509Name.CN);
mSubjectItemsOIDs.Add(X509Name.TelephoneNumber);
mSubjectItems.Add(CountryCodeTB.Text.Trim());
mSubjectItems.Add(OrganizationalUnitTB.Text.Trim());
mSubjectItems.Add(CommonNameTB.Text.Trim());
mSubjectItems.Add(PhoneNumberTB.Text.Trim());
mExtItemsOIDs.Add(X509Extensions.SubjectAlternativeName);
mExtItems.Add(new X509Extension(false,
new DerOctetString(new GeneralNames(new GeneralName(GeneralName.Rfc822Name, EmailTB.Text)))));
string mKeyUsageDescription = "digitalSignature, nonRepudiation";
int key_usage_bit_map = 0;
key_usage_bit_map |= KeyUsage.DigitalSignature;
key_usage_bit_map |= KeyUsage.NonRepudiation;
KeyUsage mKeyUsage = new KeyUsage(key_usage_bit_map);
mExtItemsOIDs.Add(X509Extensions.KeyUsage);
mExtItems.Add(new X509Extension(true, new DerOctetString(mKeyUsage)));
try
{
/* dialog = new SaveFileDialog();
* dialog.Filter = "CSR files (*.pem)|*.pem|All files (*.*)|*.*";
* dialog.RestoreDirectory = true;*/
//if (dialog.ShowDialog() == DialogResult.OK)
//{
X509Name subject = new X509Name(mSubjectItemsOIDs, mSubjectItems);
string signatureAlgorithm = "SHA256withECDSA";
DerSet attributes = new DerSet();
if (mExtItemsOIDs.Count > 0)
{
attributes.AddObject(new AttributePkcs(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, new DerSet(
new X509Extensions(mExtItemsOIDs, mExtItems)))); // mExtItemsOIDs.Zip(mExtItems, (k, v) => new { Key = k, Value = v })
// .ToDictionary(x => x.Key, x => x.Value)
}
AsymmetricKeyParameter local_pub_key;
if (Signed)
{
local_pub_key = mPublicKey;
}
else
{
local_pub_key = new RsaKeyParameters(false, BigInteger.One, BigInteger.One); // DUMMY RSA public key - for templates
}
Pkcs10CertificationRequestDelaySigned csr_ds =
new Pkcs10CertificationRequestDelaySigned(signatureAlgorithm, subject, local_pub_key, attributes);
byte[] dataToSign = csr_ds.GetDataToSign();
byte[] toSave;
string header_footer;
if (Signed)
{
byte[] SignedData = uFRSigner(dataToSign);
// Rest of the input parameters needed (here accessible directly from UI):
// - digest_alg, signature_cipher, card_key_index
csr_ds.SignRequest(SignedData);
toSave = csr_ds.GetDerEncoded();
header_footer = "CERTIFICATE REQUEST";
}
else
{
toSave = dataToSign;
header_footer = "TBS CERTIFICATE REQUEST";
}
var file_extension = Path.GetExtension("CSR.pem");
if (file_extension.Equals(".pem"))
{
//var textWriter = new StreamWriter(dialog.FileName);
var textWriter = new StreamWriter("CSR.pem");
textWriter.Write(der2pem(toSave, header_footer));
textWriter.Flush();
textWriter.Close();
}
/* else
* {
* using (var fs = new FileStream(dialog.FileName, FileMode.Create, FileAccess.Write))
* {
* fs.Write(toSave, 0, toSave.Length);
* fs.Flush();
* fs.Close();
* }
* }*/
// }
//else
//return false;
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
return(false);
}
return(true);
}
/// <summary>
/// Generates certificate request in PKCS#10 format defined by RFC 2986
/// </summary>
/// <param name="session">Read-write session with user logged in</param>
/// <param name="publicKeyHandle">Handle of existing public key</param>
/// <param name="privateKeyHandle">Handle of existing private key</param>
/// <param name="subjectDistinguishedName">Subject entity's distinguished name</param>
/// <param name="digestAlgorithm">Standard digest (hash) algorithm used for the creation of request signature</param>
/// <param name="asn1Attributes"><exception cref="Asn1Set"> representing attributes to be added to the certificate request</exception></param>
/// <returns>Certificate request in PKCS#10 format</returns>
public static byte[] GeneratePkcs10(Session session, ObjectHandle publicKeyHandle, ObjectHandle privateKeyHandle, string subjectDistinguishedName, DigestAlgorithm digestAlgorithm, Asn1Set asn1Attributes)
{
var pubKeyAttrsToRead = new List <CKA>();
pubKeyAttrsToRead.Add(CKA.CKA_KEY_TYPE);
pubKeyAttrsToRead.Add(CKA.CKA_MODULUS);
pubKeyAttrsToRead.Add(CKA.CKA_PUBLIC_EXPONENT);
// Read public key attributes
var publicKeyAttributes = session.GetAttributeValue(publicKeyHandle, pubKeyAttrsToRead);
if (CKK.CKK_RSA != (CKK)publicKeyAttributes[0].GetValueAsUlong())
{
throw new NotSupportedException("Currently only RSA keys are supported");
}
// Create instance of RsaKeyParameters class usable for BouncyCastle
var modulus = new BigInteger(1, publicKeyAttributes[1].GetValueAsByteArray());
var publicExponent = new BigInteger(1, publicKeyAttributes[2].GetValueAsByteArray());
var publicKeyParameters = new RsaKeyParameters(false, modulus, publicExponent);
// Determine algorithms
Mechanism mechanism = null;
string signatureAlgorithm;
switch (digestAlgorithm)
{
case DigestAlgorithm.SHA1:
mechanism = new Mechanism(CKM.CKM_SHA1_RSA_PKCS);
signatureAlgorithm = PkcsObjectIdentifiers.Sha1WithRsaEncryption.Id;
break;
case DigestAlgorithm.SHA256:
mechanism = new Mechanism(CKM.CKM_SHA256_RSA_PKCS);
signatureAlgorithm = PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id;
break;
case DigestAlgorithm.SHA384:
mechanism = new Mechanism(CKM.CKM_SHA384_RSA_PKCS);
signatureAlgorithm = PkcsObjectIdentifiers.Sha384WithRsaEncryption.Id;
break;
case DigestAlgorithm.SHA512:
mechanism = new Mechanism(CKM.CKM_SHA512_RSA_PKCS);
signatureAlgorithm = PkcsObjectIdentifiers.Sha512WithRsaEncryption.Id;
break;
default:
throw new ArgumentOutOfRangeException(nameof(digestAlgorithm), digestAlgorithm, null);
}
// Generate and sign PKCS#10 request. See RFC 2986 4.2 CertificationRequest
var pkcs10 = new Pkcs10CertificationRequestDelaySigned(signatureAlgorithm, new X509Name(subjectDistinguishedName), publicKeyParameters, asn1Attributes);
// Use HSM to generate signature for the csr
byte[] signature = session.Sign(mechanism, privateKeyHandle, pkcs10.GetDataToSign());
// set the signature BIT STRING of the pkcs#10 request. See RFC 2986 4.2 CertificationRequest
pkcs10.SignRequest(new DerBitString(signature));
return(pkcs10.GetDerEncoded());
}
