// 自己署名証明書の作成 public Certificate(PrivKey selfSignKey, CertificateOptions options) { X509Name name = options.GenerateName(); X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.SetSerialNumber(new BigInteger(options.Serial.ToArray())); gen.SetIssuerDN(name); gen.SetSubjectDN(name); gen.SetNotBefore(DateTime.Now.AddDays(-1)); gen.SetNotAfter(options.Expires.UtcDateTime); gen.SetPublicKey(selfSignKey.PublicKey.PublicKeyData); X509Extension extConst = new X509Extension(true, new DerOctetString(new BasicConstraints(true))); gen.AddExtension(X509Extensions.BasicConstraints, true, extConst.GetParsedValue()); X509Extension extBasicUsage = new X509Extension(false, new DerOctetString(new KeyUsage(options.KeyUsages))); gen.AddExtension(X509Extensions.KeyUsage, false, extBasicUsage.GetParsedValue()); X509Extension extExtendedUsage = new X509Extension(false, new DerOctetString(new ExtendedKeyUsage(options.ExtendedKeyUsages))); gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, extExtendedUsage.GetParsedValue()); X509Extension altName = new X509Extension(false, new DerOctetString(options.GenerateAltNames())); gen.AddExtension(X509Extensions.SubjectAlternativeName, false, altName.GetParsedValue()); this.CertData = gen.Generate(new Asn1SignatureFactory(options.GetSignatureAlgorithmOid(), selfSignKey.PrivateKeyData.Private, PkiUtil.NewSecureRandom())); InitFields(); }
private static X509Certificate GenerateCert(string signatureAlgorithmName, AsymmetricKeyParameter issuerPrivateKey, X509Name issuerDN, AsymmetricKeyParameter subjectPublicKey, X509Name subjectDN, X509Extensions subjectExtensions, DateTime start, int days) { ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithmName, issuerPrivateKey, Common.ThreadSecureRandom.Value); BigInteger sn = new BigInteger(128, Common.ThreadSecureRandom.Value); X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.SetSerialNumber(sn); generator.SetIssuerDN(issuerDN); generator.SetPublicKey(subjectPublicKey); generator.SetSubjectDN(subjectDN); if (subjectExtensions != null) { foreach (DerObjectIdentifier oid in subjectExtensions.ExtensionOids) { X509Extension extension = subjectExtensions.GetExtension(oid); generator.AddExtension(oid, extension.IsCritical, extension.GetParsedValue()); } } generator.SetNotBefore(start); generator.SetNotAfter(start.AddDays(days)); return(generator.Generate(signatureFactory)); }
/// <summary> /// Checks Certificate Policies for policy : "1.2.300.0.110001.1.7.1.1.1" which indicate a hard certificate /// </summary> /// <param name="certificate"></param> /// <returns>true/false</returns> private static bool isHardCertificatePolicyOidt(X509Certificate certificate) { X509Extension certPolicies = certificate.CertificateStructure.TbsCertificate.Extensions.GetExtension(X509Extensions.CertificatePolicies); DerSequence seq = certPolicies.GetParsedValue() as DerSequence; foreach (Asn1Encodable seqItem in seq) { DerSequence subSeq = seqItem as DerSequence; if (subSeq == null) { continue; } foreach (Asn1Encodable subSeqItem in subSeq) { DerObjectIdentifier oid = subSeqItem as DerObjectIdentifier; if (oid == null) { continue; } if (oid.Id == HARD_CERTIFICATE_POLICY_ID) { return(true); } } return(false); } return(false); }
/// <summary> /// Create SubjectAltName extension from an X509Extension /// </summary> /// <param name="Extension">X509 extension</param> /// <remarks> /// Sub classses must provide an implementation to decode their values /// </remarks> public subjectAltName(X509Extension Extension) : base(Extension.IsCritical) { base.oid = X509Extensions.SubjectAlternativeName; base.name = "SubjectAlternativeName"; base.displayName = "Subject Alternative Name"; decode(GeneralNames.GetInstance((Asn1Sequence)Extension.GetParsedValue())); }
/// <summary> /// Create InhibitAnyPolicy extension from X509Extension /// </summary> /// <param name="Extension">X509Extension</param> public inhibitAnyPolicy(X509Extension Extension) : base(Extension) { base.oid = X509Extensions.InhibitAnyPolicy; base.name = "InhibitAnyPolicy"; base.displayName = "Inhibit AnyPolicy"; DerInteger skp = (DerInteger)Extension.GetParsedValue(); this.skip = skp.Value.IntValue; }
/// <summary> /// Get a GeneralNames object containing the SubjectAltNames /// </summary> /// <returns>Subject Alt Names (or null)</returns> private GeneralNames getSubjectAltNames() { if (Extensions == null) { return(null); } // Retrieve the SAN extension from the Extensions list X509Extension san = Extensions.GetExtension(X509Extensions.SubjectAlternativeName); if (san == null) { return(null); } // Create a new GeneralNames object that includes the sequence of names return(new GeneralNames((Asn1Sequence)san.GetParsedValue())); }
EsitoVerifica controllaCrlCert(X509Certificate cert, string cachePath, bool force = false) { //usiamo l'ev solo per i dati di revoca EsitoVerifica ev = new EsitoVerifica(); string CN = cert.SubjectDN.GetValues(X509Name.CN).Cast <string>().FirstOrDefault(); string SN = cert.SubjectDN.GetValues(X509Name.SerialNumber).Cast <string>().FirstOrDefault(); X509Extensions ex = X509Extensions.GetInstance(cert.CertificateStructure.TbsCertificate.Extensions); X509Extension e = ex.GetExtension(X509Extensions.CrlDistributionPoints); if (e == null) { string msg = "CRL distribution points NOT PRESENT in certificate structure"; logger.Debug(msg); ev.status = EsitoVerificaStatus.ErroreGenerico; ev.errorCode = "1411";//nonposso scaricare la CRL ev.message = msg; return(ev); } var crldp = CrlDistPoint.GetInstance(e.GetParsedValue()); List <String> certDpUrlLst = GetCrlDistribtionPoints(crldp); ev.status = EsitoVerificaStatus.Valid; ev.SubjectCN = CN; ev.SubjectDN = SN; int downloadsTrials = 0; List <String> errorLst = new List <string>(); foreach (string url in certDpUrlLst) { try { Uri tryUri = new Uri(url); } catch { logger.ErrorFormat("Unable to download/process CRL URL : {0}", url); continue; } try { X509Crl rootCrl = retreiveCrlUrl(url, cachePath, force); downloadsTrials++; if (rootCrl.IsRevoked(cert)) { X509CrlEntry entry = rootCrl.GetRevokedCertificate(cert.CertificateStructure.SerialNumber.Value); ev.dataRevocaCertificato = entry.RevocationDate; logger.DebugFormat("Certificate {0} : {1} with serial {2} is Revoked on {3}", CN, SN, BitConverter.ToString(entry.SerialNumber.ToByteArray()), ev.dataRevocaCertificato); ev.content = entry.SerialNumber.ToByteArray(); ev.errorCode = "1408"; ev.status = EsitoVerificaStatus.Revoked; break; } } catch (Exception exc) { logger.ErrorFormat("Unable to download/process CRL message {0} stack {1} on Download Trial {2}", exc.Message, exc.StackTrace, downloadsTrials); errorLst.Add(exc.Message); } } string ErrorMessage = string.Empty; if ((errorLst.Count > 0) && downloadsTrials == 0) { foreach (string s in errorLst) { ErrorMessage += s + " | "; } } if (!string.IsNullOrEmpty(ErrorMessage)) { ev.status = EsitoVerificaStatus.ErroreGenerico; ev.errorCode = "1411";//nonposso scaricare la CRL ev.message = "Unable to download/process CRL message:" + ErrorMessage; } return(ev); }
/// <summary> /// /// </summary> /// <param name="domains"></param> /// <param name="subjectPublic"></param> /// <param name="validFrom"></param> /// <param name="validTo"></param> /// <param name="issuerName"></param> /// <param name="issuerPublic"></param> /// <param name="issuerPrivate"></param> /// <param name="CA_PathLengthConstraint">If non-null, the certificate will be marked as a certificate authority with the specified path length constraint (0 to allow no child certificate authorities, 1 to allow 1, etc).</param> /// <returns></returns> private static X509Certificate GenerateCertificate(string[] domains, AsymmetricKeyParameter subjectPublic, DateTime validFrom, DateTime validTo, string issuerName, AsymmetricKeyParameter issuerPublic, AsymmetricKeyParameter issuerPrivate, int?CA_PathLengthConstraint) { ISignatureFactory signatureFactory; if (issuerPrivate is ECPrivateKeyParameters) { signatureFactory = new Asn1SignatureFactory( X9ObjectIdentifiers.ECDsaWithSha256.ToString(), issuerPrivate); } else { signatureFactory = new Asn1SignatureFactory( PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(), issuerPrivate); } X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator(); certGenerator.SetIssuerDN(new X509Name("CN=" + issuerName)); certGenerator.SetSubjectDN(new X509Name("CN=" + domains[0])); certGenerator.SetSerialNumber(BigInteger.ProbablePrime(120, new Random())); certGenerator.SetNotBefore(validFrom); certGenerator.SetNotAfter(validTo); certGenerator.SetPublicKey(subjectPublic); if (issuerPublic != null) { AuthorityKeyIdentifierStructure akis = new AuthorityKeyIdentifierStructure(issuerPublic); certGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, akis); } if (CA_PathLengthConstraint != null && CA_PathLengthConstraint >= 0) { X509Extension extension = new X509Extension(true, new DerOctetString(new BasicConstraints(CA_PathLengthConstraint.Value))); certGenerator.AddExtension(X509Extensions.BasicConstraints, extension.IsCritical, extension.GetParsedValue()); } // Add SANs (Subject Alternative Names) GeneralName[] names = domains.Select(domain => new GeneralName(GeneralName.DnsName, domain)).ToArray(); GeneralNames subjectAltName = new GeneralNames(names); certGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName); return(certGenerator.Generate(signatureFactory)); }