/// <summary>
/// Add the Subject Key Identifier.
/// </summary>
/// <param name="certificateGenerator">cert generator</param>
/// <param name="subjectKeyPair">subject key pair</param>
private static void AddSubjectKeyIdentifier(
X509V3CertificateGenerator certificateGenerator,
AsymmetricCipherKeyPair subjectKeyPair)
{
var subjectKeyIdentifierExtension =
new SubjectKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public));
certificateGenerator.AddExtension(
X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifierExtension);
}
/// <summary>
/// Add the "Subject Alternative Names" extension. Note that you have to repeat
/// the value from the "Subject Name" property.
/// </summary>
/// <param name="certificateGenerator"></param>
/// <param name="subjectAlternativeNames"></param>
public static void AddSubjectAlternativeNames(X509V3CertificateGenerator certificateGenerator,
IEnumerable <string> subjectAlternativeNames)
{
var subjectAlternativeNamesExtension =
new DerSequence(
subjectAlternativeNames.Select(name => new GeneralName(GeneralName.DnsName, name))
.ToArray <Asn1Encodable>());
certificateGenerator.AddExtension(
X509Extensions.SubjectAlternativeName.Id, false, subjectAlternativeNamesExtension);
}
public X509Certificate2 Sign(Pkcs10CertificationRequestDelaySigned inputCSR, X509Name issuerName, AsymmetricKeyParameter issuerPrivKey, AsymmetricCipherKeyPair pair)
{
const int keyStrength = 2048;
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Issuer and Subject Name
var csrInfo = inputCSR.GetCertificationRequestInfo();
certificateGenerator.SetIssuerDN(issuerName);
certificateGenerator.SetSubjectDN(csrInfo.Subject);
// Valid For
DateTime notBefore = DateTime.UtcNow.Date;
DateTime notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
//var dotNetPrivateKey = ToDotNetKey((RsaPrivateCrtKeyParameters)subjectKeyPair.Private);
// merge into X509Certificate2
X509Certificate2 x509 = new X509Certificate2(DotNetUtilities.ToX509Certificate(certificate));
//x509.PrivateKey = dotNetPrivateKey;
//x509.FriendlyName = csrInfo.Subject;
return(x509);
}
public static X509Certificate2 CreateX509Certificate2(AsymmetricCipherKeyPair kp)
{
var random = new SecureRandom();
var sf = new Asn1SignatureFactory(HashAlg.SHA256withRSA.ToString(), kp.Private, random);
var gen = new X509V3CertificateGenerator();
gen.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random));
var subject = new X509Name("CN=" + "ebics.org");
gen.SetSubjectDN(subject);
gen.SetIssuerDN(subject);
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(10);
gen.SetNotBefore(notBefore);
gen.SetNotAfter(notAfter);
gen.SetPublicKey(kp.Public);
var bouncyCert = gen.Generate(sf);
var authorityKeyIdentifier = new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subject)), bouncyCert.SerialNumber);
gen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, authorityKeyIdentifier);
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public));
gen.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
gen.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(false));
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(bouncyCert);
store.SetCertificateEntry(bouncyCert.SubjectDN.ToString(), certificateEntry);
store.SetKeyEntry(bouncyCert.SubjectDN.ToString(), new AsymmetricKeyEntry(kp.Private), new[] { certificateEntry });
const string pwd = "password";
var stream = new MemoryStream();
store.Save(stream, pwd.ToCharArray(), random);
var msCert = new X509Certificate2(stream.ToArray(), pwd, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
return(msCert);
}
/// <summary>
/// Generate single certificate
/// </summary>
/// <param name="hash"></param>
/// <param name="san"></param>
/// <returns></returns>
private X509Certificate2 GenerateCertificate(string hash, out string san)
{
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSerialNumber(serialNumber);
certificateGenerator.SetNotBefore(DateTime.UtcNow);
certificateGenerator.SetNotAfter(DateTime.UtcNow.AddHours(1));
san = string.Format("{0}.{1}.acme.invalid", hash.Substring(0, 32), hash.Substring(32));
X509Name subjectDN = new X509Name(string.Format("CN={0}", san));
X509Name issuerDN = subjectDN;
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false,
new DerSequence(new Asn1Encodable[] { new GeneralName(GeneralName.DnsName, san) }));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false,
new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true,
new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
AsymmetricCipherKeyPair keyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(keyPair.Public);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", keyPair.Private, random);
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet;
var x509 = new X509Certificate2(certificate.GetEncoded(), (string)null, flags);
x509.FriendlyName = san;
x509.PrivateKey = ToDotNetKey((RsaPrivateCrtKeyParameters)keyPair.Private);
return(x509);
}
/// <summary>
/// Add the Authority Key Identifier. According to http://www.alvestrand.no/objectid/2.5.29.35.html, this
/// identifies the public key to be used to verify the signature on this certificate.
/// In a certificate chain, this corresponds to the "Subject Key Identifier" on the *issuer* certificate.
/// The Bouncy Castle documentation, at http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation,
/// shows how to create this from the issuing certificate. Since we're creating a self-signed certificate, we have to do this slightly differently.
/// </summary>
/// <param name="certificateGenerator"></param>
/// <param name="issuerDN"></param>
/// <param name="issuerKeyPair"></param>
/// <param name="issuerSerialNumber"></param>
private static void AddAuthorityKeyIdentifier(X509V3CertificateGenerator certificateGenerator,
X509Name issuerDN,
AsymmetricCipherKeyPair issuerKeyPair,
BigInteger issuerSerialNumber)
{
var authorityKeyIdentifierExtension = new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerKeyPair.Public),
new GeneralNames(new GeneralName(issuerDN)),
issuerSerialNumber);
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, authorityKeyIdentifierExtension);
}
protected override void AddSubjectAlternativeNames(X509V3CertificateGenerator certificateGenerator,
IEnumerable <string> subjectAlternativeNames)
{
// Para ver... emails?
var subjectAlternativeNamesExtension =
new DerSequence(
subjectAlternativeNames.Select(name => new GeneralName(GeneralName.Rfc822Name, name))
.ToArray <Asn1Encodable>());
certificateGenerator.AddExtension(
X509Extensions.SubjectAlternativeName.Id, false, subjectAlternativeNamesExtension);
}
public static void GenerateCertificate(GenerateCertificateOptions options)
{
//generate random numbers
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var keyGenerator = GeneratorUtilities.GetKeyPairGenerator(options.Algorithm);
keyGenerator.Init(new KeyGenerationParameters(new SecureRandom(), options.KeyStrength));
var keyPair = keyGenerator.GenerateKeyPair();
//the certificate generator
var certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));
//serial number
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Issuer and Subject Name
certificateGenerator.SetIssuerDN(options.Issuer);
certificateGenerator.SetSubjectDN(options.Subject);
//valid For
certificateGenerator.SetNotBefore(options.NotBefore);
certificateGenerator.SetNotAfter(options.NotAfter);
certificateGenerator.SetPublicKey(keyPair.Public);
ISignatureFactory signatureFactory = new Asn1SignatureFactory(options.SignatureAlgorithm, keyPair.Private);
//certificate
var certificate = certificateGenerator.Generate(signatureFactory);
certificate.CheckValidity(); //检查当前日期是否在证书的有效期内
certificate.Verify(keyPair.Public); //使用公钥验证证书的签名
var certEntry = new X509CertificateEntry(certificate);
var store = new Pkcs12StoreBuilder().Build();
store.SetCertificateEntry(options.FriendlyName, certEntry); //设置证书
var chain = new X509CertificateEntry[1];
chain[0] = certEntry;
store.SetKeyEntry(options.FriendlyName, new AsymmetricKeyEntry(keyPair.Private), chain); //设置私钥
using (var fs = File.Create(options.Path))
{
store.Save(fs, options.Password.ToCharArray(), new SecureRandom()); //保存
}
}
private static bool CreateRootCert()
{
const int ROOT_KEY_LENGTH = 2048;
const string OU = "Tsanie Lily";
const string O = "tsanie.org";
const string CN = "Cacher";
const int YEARS_VALID = 10;
const string SIGNATURE_ALG = "SHA1withRSA";
var generator = new RsaKeyPairGenerator();
generator.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), ROOT_KEY_LENGTH));
var pair = generator.GenerateKeyPair();
var generator2 = new X509V3CertificateGenerator();
var serialNumber = BigInteger.ProbablePrime(120, new Random());
generator2.SetSerialNumber(serialNumber);
var issuer = new X509Name(string.Format("OU={0}, O={1}, CN={2}", OU, O, CN));
generator2.SetIssuerDN(issuer);
generator2.SetSubjectDN(issuer);
generator2.SetNotBefore(DateTime.Today.AddDays(-7.0));
generator2.SetNotAfter(DateTime.Now.AddYears(YEARS_VALID));
generator2.SetPublicKey(pair.Public);
generator2.SetSignatureAlgorithm(SIGNATURE_ALG);
generator2.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
generator2.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(4));
generator2.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.Public));
var oCACert = generator2.Generate(pair.Private);
var oCAKey = pair.Private;
var encoded = oCACert.GetEncoded();
FiddlerApplication.Prefs.SetStringPref("fiddler.certmaker.bc.cert", Convert.ToBase64String(encoded));
var derEncoded = PrivateKeyInfoFactory.CreatePrivateKeyInfo(oCAKey).ToAsn1Object().GetDerEncoded();
FiddlerApplication.Prefs.SetStringPref("fiddler.certmaker.bc.key", Convert.ToBase64String(derEncoded));
return(CertMaker.rootCertExists());
}
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
byte[] result = null;
AsymmetricKeyParameter privateKey = issuer.PrivateKey as AsymmetricKeyParameter;
if (privateKey != null)
{
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate);
AsymmetricCipherKeyPair subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
string algorithm = GetAlgorithm(signatureAlgorithm);
certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));
byte[] subjectKeyID = new byte[20];
random.NextBytes(subjectKeyID, 0, 20);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
if (issuer.SubjectKeyID != null)
{
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID));
}
//if ((subject.AlternativeNames != null) && (subject.AlternativeNames.Count > 0))
//{
// certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, true, new SubjectAlternativeNames(false));
// //SubjectAlternativeName
// //GeneralName.DirectoryName
// //GeneralName.IPAddress
//}
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, privateKey, random));
result = ExportCertificate(certificate, subjectKeyPair, certificateFormat);
}
return(result);
}
public static X509Certificate2 CreateCertificate(string certName, X509Certificate2 ca, int keyStrength)
{
var caCert = DotNetUtilities.FromX509Certificate(ca);
var random = new SecureRandom(new CryptoApiRandomGenerator());
var keyPairGen = new RsaKeyPairGenerator();
keyPairGen.Init(new KeyGenerationParameters(random, keyStrength));
AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair();
var certificateGenerator = new X509V3CertificateGenerator();
var CN = new X509Name("CN=" + certName);
var SN = BigInteger.ProbablePrime(120, random);
certificateGenerator.SetSerialNumber(SN);
certificateGenerator.SetSubjectDN(CN);
certificateGenerator.SetIssuerDN(caCert.IssuerDN);
certificateGenerator.SetNotAfter(DateTime.MaxValue);
certificateGenerator.SetNotBefore(DateTime.UtcNow.Subtract(new TimeSpan(1, 0, 0, 0)));
certificateGenerator.SetPublicKey(keyPair.Public);
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.Public));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert.GetPublicKey()));
var caKeyPair = DotNetUtilities.GetKeyPair(ca.PrivateKey);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", caKeyPair.Private, random);
var certificate = certificateGenerator.Generate(signatureFactory);
certificate.Verify(caCert.GetPublicKey());
byte[] pkcs12Bytes = DotNetUtilities.ToX509Certificate(certificate).Export(X509ContentType.Pkcs12, Settings.CertificatePassword);
var certificate2 = new X509Certificate2(pkcs12Bytes, Settings.CertificatePassword);
certificate2.PrivateKey = DotNetUtilities.ToRSA(keyPair.Private as RsaPrivateCrtKeyParameters);
return(certificate2);
}
/// <summary>
/// Generates the certificate for <see cref="ChallengeTypes.TlsAlpn01" /> validation.
/// </summary>
/// <param name="key">The key.</param>
/// <param name="token">The <see cref="ChallengeTypes.TlsAlpn01" /> token.</param>
/// <param name="subjectName">Name of the subject.</param>
/// <param name="certificateKey">The certificate key pair.</param>
/// <returns>The tls-alpn-01 certificate in PEM.</returns>
public static string TlsAlpnCertificate(this IKey key, string token, string subjectName, IKey certificateKey)
{
var keyAuthz = key.KeyAuthorization(token);
var hashed = DigestUtilities.CalculateDigest("SHA256", Encoding.UTF8.GetBytes(keyAuthz));
var(_, keyPair) = signatureAlgorithmProvider.GetKeyPair(certificateKey.ToDer());
var signatureFactory = new Asn1SignatureFactory(certificateKey.Algorithm.ToPkcsObjectId(), keyPair.Private, new SecureRandom());
var gen = new X509V3CertificateGenerator();
var certName = new X509Name($"CN={subjectName}");
var serialNo = BigInteger.ProbablePrime(120, new SecureRandom());
gen.SetSerialNumber(serialNo);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotBefore(DateTime.UtcNow);
gen.SetNotAfter(DateTime.UtcNow.AddDays(7));
gen.SetPublicKey(keyPair.Public);
// SAN for validation
var gns = new[] { new GeneralName(GeneralName.DnsName, subjectName) };
gen.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, new GeneralNames(gns));
// ACME-TLS/1
gen.AddExtension(
acmeValidationV1Id,
true,
hashed);
var newCert = gen.Generate(signatureFactory);
using (var sr = new StringWriter())
{
var pemWriter = new PemWriter(sr);
pemWriter.WriteObject(newCert);
return(sr.ToString());
}
}
// 上位 CA によって署名されている証明書の作成
public Certificate(PrivKey thisCertPrivateKey, CertificateStore parentCertificate, CertificateOptions options, CertificateOptions?alternativeIssuerDN = null)
{
X509Name name = options.GenerateName();
X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
gen.SetSerialNumber(new BigInteger(options.Serial.ToArray()));
if (alternativeIssuerDN == null)
{
gen.SetIssuerDN(parentCertificate.PrimaryCertificate.CertData.IssuerDN);
}
else
{
gen.SetIssuerDN(alternativeIssuerDN.GenerateName());
}
gen.SetSubjectDN(name);
gen.SetNotBefore(DateTime.Now.AddDays(-1));
gen.SetNotAfter(options.Expires.UtcDateTime);
gen.SetPublicKey(thisCertPrivateKey.PublicKey.PublicKeyData);
X509Extension extConst = new X509Extension(true, new DerOctetString(new BasicConstraints(false)));
gen.AddExtension(X509Extensions.BasicConstraints, true, extConst.GetParsedValue());
X509Extension extBasicUsage = new X509Extension(false, new DerOctetString(new KeyUsage(options.KeyUsages)));
gen.AddExtension(X509Extensions.KeyUsage, false, extBasicUsage.GetParsedValue());
X509Extension extExtendedUsage = new X509Extension(false, new DerOctetString(new ExtendedKeyUsage(options.ExtendedKeyUsages)));
gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, extExtendedUsage.GetParsedValue());
X509Extension altName = new X509Extension(false, new DerOctetString(options.GenerateAltNames()));
gen.AddExtension(X509Extensions.SubjectAlternativeName, false, altName.GetParsedValue());
this.CertData = gen.Generate(new Asn1SignatureFactory(options.GetSignatureAlgorithmOid(), parentCertificate.PrimaryPrivateKey.PrivateKeyData.Private, PkiUtil.NewSecureRandom()));
InitFields();
}
//TODO change to functors
public static X509Certificate CreateX509Certificate2(AsymmetricCipherKeyPair kp, string issuer, DateTime notBefore, DateTime notAfter, KeyType keyUsage, string filename, string password)
{
var random = new SecureRandom();
var sf = new Asn1SignatureFactory(HashAlg.SHA256withRSA.ToString(), kp.Private, random);
var gen = new X509V3CertificateGenerator();
var serial = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
gen.SetSerialNumber(serial);
var subject = new X509Name(issuer);
gen.SetIssuerDN(subject);
gen.SetSubjectDN(subject);
gen.SetNotBefore(notBefore);
gen.SetNotAfter(notAfter);
gen.SetPublicKey(kp.Public);
gen.AddExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public));
gen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, subjectKeyIdentifier);
var authorityKeyIdentifier = new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subject)), serial);
gen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier);
////gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPEmailProtection));
switch (keyUsage)
{
case KeyType.Signature: //signature
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.NonRepudiation)); break;
case KeyType.Authentication: //authentication
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.DigitalSignature)); break;
case KeyType.Encryption: //encryption
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.KeyEncipherment | X509KeyUsage.KeyAgreement)); break;
default:
gen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(X509KeyUsage.KeyEncipherment | X509KeyUsage.DigitalSignature)); break;
}
var bouncyCert = gen.Generate(sf);
bouncyCert.CheckValidity();
bouncyCert.Verify(kp.Public);
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(bouncyCert);
store.SetCertificateEntry(bouncyCert.SubjectDN.ToString(), certificateEntry);
store.SetKeyEntry(bouncyCert.SubjectDN.ToString(), new AsymmetricKeyEntry(kp.Private), new[] { certificateEntry });
using (var sw = File.Create(filename))
store.Save(sw, password.ToCharArray(), random);
return(bouncyCert);
}
public static X509Certificate GenerateEndEntityCert(
IAsymmetricKeyParameter entityKey,
IAsymmetricKeyParameter caKey,
X509Certificate caCert)
{
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(PrincipalUtilities.GetSubjectX509Principal(caCert));
certGen.SetNotBefore(DateTime.UtcNow.AddSeconds(-50));
certGen.SetNotAfter(DateTime.UtcNow.AddSeconds(50));
certGen.SetSubjectDN(new X509Name("CN=Test End Certificate"));
certGen.SetPublicKey(entityKey);
certGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
return(certGen.Generate(caKey));
}
private static Certificate CreateSelfSignedCertificate(CertType certType, KeyPair keyPair, string commonName, string signatureAlgorithm, string san)
{
X509V3CertificateGenerator certBuilder = CreateCertBuilder(keyPair, commonName);
// Basic constraints
BasicConstraints constraints = new BasicConstraints(true);
certBuilder.AddExtension(X509Extensions.BasicConstraints, true, constraints);
// Key usage
KeyUsage usage = new KeyUsage(Org.BouncyCastle.Asn1.X509.KeyUsage.KeyEncipherment | Org.BouncyCastle.Asn1.X509.KeyUsage.DigitalSignature | Org.BouncyCastle.Asn1.X509.KeyUsage.KeyCertSign);
certBuilder.AddExtension(X509Extensions.KeyUsage, false, usage);
// Extended key usage
//var usages = new[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth };
certBuilder.AddExtension(X509Extensions.ExtendedKeyUsage, false, KeyUsage(certType));
if (san != null)
{
AddSAN(certBuilder, san);
}
ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, keyPair.PrivateKey, new SecureRandom());
return(Certificate.Create(certBuilder.Generate(signatureFactory), keyPair.PrivateKey));
}
protected void AddSubjectKeyIdentifier(X509V3CertificateGenerator certificateGenerator,
AsymmetricCipherKeyPair subjectKeyPair)
{
// Subject Key Identifier, usado para facilitar a validação de certificados.
// Em CA são gerados, em geral, a partir da sua chave pública.
// Secção 4.2.1.2 do http://www.ietf.org/rfc/rfc3280.txt
var subjectKeyIdentifierExtension =
new SubjectKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public));
certificateGenerator.AddExtension(
X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifierExtension);
}
public X509Certificate2 MakeCertificate(string password, string issuedToDomainName, int validYears)
{
_certificateGenerator.Reset();
_certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm);
var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), _random);
_certificateGenerator.SetSerialNumber(serialNumber);
_certificateGenerator.SetSubjectDN(new X509Name(issuedToDomainName));
_certificateGenerator.SetIssuerDN(_issuer);
var subjectAlternativeNames = new Asn1Encodable[_generalNames.Length + 1];
// first subject alternative name is the same as the subject
subjectAlternativeNames[0] = new GeneralName(new X509Name(issuedToDomainName));
for (int t = 1; t <= _generalNames.Length; t++)
{
subjectAlternativeNames[t] = _generalNames[t - 1];
}
var subjectAlternativeNamesExtension = new DerSequence(subjectAlternativeNames);
_certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName.Id, false, subjectAlternativeNamesExtension);
_certificateGenerator.SetNotBefore(DateTime.UtcNow.Date);
_certificateGenerator.SetNotAfter(DateTime.UtcNow.Date.AddYears(validYears));
var keyGenerationParameters = new KeyGenerationParameters(_random, _strength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
var subjectKeyPair = keyPairGenerator.GenerateKeyPair();
_certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var issuerKeyPair = subjectKeyPair;
var certificate = _certificateGenerator.Generate(issuerKeyPair.Private, _random);
var store = new Pkcs12Store();
string friendlyName = certificate.SubjectDN.ToString();
var certificateEntry = new X509CertificateEntry(certificate);
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
using (var stream = new MemoryStream())
{
store.Save(stream, password.ToCharArray(), _random);
return(new X509Certificate2(stream.ToArray(), password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
}
}
public PublicCertificatePfxPair Generate(string name, string pfxPassword)
{
var keyStrength = 2048;
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyGenerator = new RsaKeyPairGenerator();
keyGenerator.Init(keyGenerationParameters);
Console.WriteLine("Generating key pair...");
var subjectKeyPair = keyGenerator.GenerateKeyPair();
Console.WriteLine("Keypair generated.");
var privateKey = (RsaPrivateCrtKeyParameters)subjectKeyPair.Private;
var publicKey = (RsaKeyParameters)subjectKeyPair.Public;
Console.WriteLine($"Public key exponent: {publicKey.Exponent}");
Console.WriteLine($"Public key modulus: {publicKey.Modulus}");
ISignatureFactory signatureFactory = new Asn1SignatureFactory(PkcsObjectIdentifiers.Sha256WithRsaEncryption.ToString(), privateKey);
var certificateGenerator = new X509V3CertificateGenerator();
BigInteger serialNo = BigInteger.ProbablePrime(128, random);
var subjectName = new X509Name($"CN={name}");
certificateGenerator.SetSerialNumber(serialNo);
certificateGenerator.SetSubjectDN(subjectName);
certificateGenerator.SetIssuerDN(subjectName);
var notBefore = new DateTime(2000, 1, 1);
var notAfter = notBefore.AddYears(1000);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
var certificatePermissions = new List <KeyPurposeID>()
{
KeyPurposeID.IdKPServerAuth,
KeyPurposeID.IdKPClientAuth,
KeyPurposeID.AnyExtendedKeyUsage
};
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(certificatePermissions));
var newCert = certificateGenerator.Generate(signatureFactory);
// DotNetUtilities.ToX509Certificate(newCert).Export(X509ContentType.Pfx, pfxPassword);
// produced a pfx file where the private key could not be loaded
var pfxBytes = CreatePfxFile(newCert, privateKey, name, pfxPassword);
var certBytes = DotNetUtilities.ToX509Certificate(newCert).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert);
return(new PublicCertificatePfxPair {
PfxBytes = pfxBytes, PublicCertificateBytes = certBytes
});
}
public override void Build(
X509V3CertificateGenerator certGen,
Pkcs10CertificationRequest request,
X509Certificate caCert)
{
var requestInfo = request.GetCertificationRequestInfo();
var extensionSequence =
requestInfo
.Attributes.OfType <DerSequence>()
.First(o => o.OfType <DerObjectIdentifier>().Any(oo => oo.Id == "1.2.840.113549.1.9.14"));
var extensionSet = extensionSequence.OfType <DerSet>().First().OfType <DerSequence>().First();
var exts = X509Extensions.GetInstance(extensionSet);
var extOIDs = exts.GetExtensionOids();
foreach (var x509ExtOid in extOIDs)
{
var ext = exts.GetExtension(x509ExtOid);
if (x509ExtOid.Id == "2.5.29.37") //extKeyUsage sequence
{
Asn1OctetString oct = ext.Value;
Asn1Sequence seq = Asn1Sequence.GetInstance(oct.GetOctets());
foreach (DerObjectIdentifier obj in seq)
{
if (threeYearsValidExtKeyId == obj.Id)
{
var startDate = DateTime.Now;
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(startDate.AddYears(3));
break;
}
}
}
certGen.AddExtension(
x509ExtOid,
ext.IsCritical,
ext.GetParsedValue()
);
}
ApplyCrlExtension(certGen, _crlLink);
ApplyAuthorityInfoAccess(certGen, _rootCertLink);
}
public static X509Certificate2 GenerateNewCertificate(string name)
{
var kpGen = new RsaKeyPairGenerator();
kpGen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
AsymmetricCipherKeyPair keyPair = kpGen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
var certificateName = new X509Name("CN=" + name);
BigInteger serialNumber = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(serialNumber);
gen.SetSubjectDN(certificateName);
gen.SetIssuerDN(certificateName);
gen.SetNotAfter(DateTime.Now.AddYears(100));
gen.SetNotBefore(DateTime.Now.AddDays(-1));
gen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
gen.SetPublicKey(keyPair.Public);
gen.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public),
new GeneralNames(new GeneralName(certificateName)), serialNumber));
X509Certificate newCert = gen.Generate(keyPair.Private);
var newStore = new Pkcs12Store();
var certEntry = new X509CertificateEntry(newCert);
newStore.SetCertificateEntry(
Environment.MachineName,
certEntry
);
newStore.SetKeyEntry(
Environment.MachineName,
new AsymmetricKeyEntry(keyPair.Private),
new[] { certEntry }
);
var memoryStream = new MemoryStream();
newStore.Save(
memoryStream,
new char[0],
new SecureRandom(new CryptoApiRandomGenerator())
);
return(new X509Certificate2(memoryStream.ToArray()));
}
public static Tuple <SigningCredentials, X509Certificate2> GenerateSigningInformation()
{
var kp = GenereateKeys();
var gen = new X509V3CertificateGenerator();
var certName = new X509Name("CN=Test_" + Guid.NewGuid());
var serialNo = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(serialNo);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotAfter(DateTime.Now.AddYears(100));
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetPublicKey(kp.Public);
gen.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public),
new GeneralNames(new GeneralName(certName)),
serialNo));
gen.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
false,
new ExtendedKeyUsage(new ArrayList()
{
new DerObjectIdentifier("1.3.6.1.5.5.7.3.1")
}));
var signatureFactory = new Asn1SignatureFactory("MD5WithRSA", kp.Private);
var x509Certificate = new X509Certificate2(gen.Generate(signatureFactory).GetEncoded());
var rsa = ToRsaParameters((RsaPrivateCrtKeyParameters)kp.Private);
var signingCredentials = new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256Signature);
return(new Tuple <SigningCredentials, X509Certificate2>(signingCredentials, x509Certificate));
}
protected override void AddSubjectAlternativeNames(X509V3CertificateGenerator certificateGenerator,
IEnumerable <string> subjectAlternativeNames)
{
// Adição de 'Subject Alternative Names'
// NOTA: tem que se repetir o 'Subject Name'
// Serve para wildcards certificates. Tipo '*.dominio.com', 'dominio.com'
var subjectAlternativeNamesExtension =
new DerSequence(
subjectAlternativeNames.Select(name => new GeneralName(GeneralName.DnsName, name))
.ToArray <Asn1Encodable>());
certificateGenerator.AddExtension(
X509Extensions.SubjectAlternativeName.Id, false, subjectAlternativeNamesExtension);
}
protected void AddAuthorityKeyIdentifier(
X509V3CertificateGenerator certificateGenerator,
AsymmetricCipherKeyPair issuerKeyPair)
{
// Apenas adicionando KeyId.
// Razões: ver outra implementação
// a maioria das entidades certificadoras apenas usam KeyID
certificateGenerator.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerKeyPair.Public))
);
}
public void GenerateCertUsingExistigCertificate()
{
var root = File.ReadAllBytes(@"root.pfx");
var childRoot = File.ReadAllBytes(@"childroot.pfx");
X509KeyUsageExtension var = new X509KeyUsageExtension(
X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.DecipherOnly | X509KeyUsageFlags.KeyCertSign, true);
var x509ChildCertificate = new X509Certificate2(childRoot, "airwatch",
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
var x509RootCert = new X509Certificate2(root, "airwatch",
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
var cert = new X509V3CertificateGenerator();
var serialNumber =
BigIntegers.CreateRandomInRange(
BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
cert.SetSerialNumber(serialNumber);
var rootSubject = new X509Name(x509RootCert.SubjectName.Name);
var subjectDN = new X509Name(x509ChildCertificate.SubjectName.Name);
cert.SetIssuerDN(rootSubject);
cert.SetSubjectDN(subjectDN);
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(10);
cert.SetNotBefore(notBefore);
cert.SetNotAfter(notAfter);
//var x509Certificate = new X509Certificate(X509CertificateStructure.GetInstance(new DerTaggedObject(x509RootCert, new )))
cert.SetSignatureAlgorithm("SHA256withRSA");
cert.SetPublicKey(TransformRSAPublicKey(x509ChildCertificate.PublicKey.Key, false));
cert.AddExtension(X509Extensions.AuthorityKeyIdentifier, true, new AuthorityKeyIdentifierStructure(new X509CertificateParser().ReadCertificate(x509RootCert.RawData)));
//new X509CertificateParser().ReadCertificate(x509RootCert.RawData);
//var factory = new Asn1SignatureFactory(SHA256.Create().ToString(), TransformRSAPrivateKey(x509RootCert.PrivateKey, true));
var certificate = cert.Generate(TransformRSAPrivateKey(x509RootCert.PrivateKey, true), random);
x509ChildCertificate.Extensions.Add(var);
var certexp = new X509Certificate2(certificate.GetEncoded(), "1234");
//var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
//store.Open(OpenFlags.ReadWrite);
//store.Add(certexp);
var chain = new X509Chain(true);
chain.Build(certexp);
File.WriteAllBytes(@"C:\cmstest\test.pfx", certexp
.Export(X509ContentType.Pfx, "1234"));
}
public static Pkcs12Store CreateCert(string commonName, DateTime notBefore, DateTime notAfter,
IEnumerable <string> dnsAltNames, IEnumerable <string> ipAddressAltNames, Pkcs12Store signBy)
{
var keyPairGen = new RsaKeyPairGenerator();
keyPairGen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
var keyPair = keyPairGen.GenerateKeyPair();
var certGenerator = new X509V3CertificateGenerator();
certGenerator.SetSubjectDN(new X509Name("CN=" + commonName));
if (signBy == null)
{
certGenerator.SetIssuerDN(new X509Name("CN=" + commonName));
}
else
{
certGenerator.SetIssuerDN(signBy.GetCertificate().SubjectDN);
}
certGenerator.SetSerialNumber(BigInteger.ProbablePrime(64, new Random()));
certGenerator.SetNotBefore(notBefore);
certGenerator.SetNotAfter(notAfter);
certGenerator.SetPublicKey(keyPair.Public);
if ((dnsAltNames?.Any() ?? false) || (ipAddressAltNames?.Any() ?? false))
{
var alternativeNames = new List <Asn1Encodable>();
alternativeNames.AddRange(dnsAltNames?.Select(name => new GeneralName(GeneralName.DnsName, name)) ??
Enumerable.Empty <Asn1Encodable>());
alternativeNames.AddRange(ipAddressAltNames?.Select(ip => new GeneralName(GeneralName.IPAddress, ip)) ??
Enumerable.Empty <Asn1Encodable>());
certGenerator.AddExtension(
X509Extensions.SubjectAlternativeName,
false,
new DerSequence(alternativeNames.ToArray())
);
}
var signatureKeyPair = signBy != null
? new AsymmetricCipherKeyPair(signBy.GetCertificate().GetPublicKey(), signBy.GetKey())
: keyPair;
var signer = new Asn1SignatureFactory("SHA256WITHRSA", signatureKeyPair.Private);
var certificate = certGenerator.Generate(signer);
return(ToPkcs12(certificate, keyPair.Private));
}
private static void AddExtensionCrlDistributionPoints(X509V3CertificateGenerator certGen, string crl)
{
certGen.AddExtension(X509Extensions.CrlDistributionPoints, false,
new CrlDistPoint(new[]
{
new DistributionPoint(
new DistributionPointName(
DistributionPointName.FullName,
new GeneralNames(
new GeneralName(GeneralName.UniformResourceIdentifier, crl)
)
)
, null, null)
}));
}
private static byte[] GenerateSelfSignedCertificate(string subjectName)
{
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
// Subject Public Key
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, KeySize);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
AsymmetricCipherKeyPair subjectKeyPair = keyPairGenerator.GenerateKeyPair();
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random));
certificateGenerator.SetSignatureAlgorithm(SignatureAlgorithm);
certificateGenerator.SetIssuerDN(new X509Name(subjectName));
certificateGenerator.SetSubjectDN(new X509Name(subjectName));
certificateGenerator.SetNotBefore(DateTime.UtcNow.Date);
certificateGenerator.SetNotAfter(DateTime.UtcNow.Date);
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, false, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth));
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
Org.BouncyCastle.X509.X509Certificate cert = certificateGenerator.Generate(subjectKeyPair.Private, random);
Pkcs12Store store = new Pkcs12StoreBuilder().SetUseDerEncoding(true).Build();
store.SetKeyEntry("unused", new AsymmetricKeyEntry(subjectKeyPair.Private), new X509CertificateEntry[] { new X509CertificateEntry(cert) });
using (MemoryStream stream = new MemoryStream())
{
store.Save(stream, new char[0], random);
return(stream.ToArray());
}
}
private static void setSubjectAndIssuer(X509V3CertificateGenerator generator, String subjectName, String issuerName)
{
var subjectDN = new X509Name(subjectName);
generator.SetSubjectDN(subjectDN);
var issuerDN = issuerName == null ? subjectDN : new X509Name(issuerName);
generator.SetIssuerDN(issuerDN);
var subjectAlt = subjectName.CleanSubject();
var subjectAltName = new GeneralNames(new GeneralName(GeneralName.DnsName, subjectAlt));
generator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
}
/// <summary>
/// Call to request a certificate
/// </summary>
/// <param name="csr">Certificate signing request</param>
/// <param name="effectiveDate">Effective date of certificate</param>
/// <param name="expirationDate">Expiration date of certificate</param>
/// <param name="ca">Signing authority</param>
/// <param name="asn1Set">Extensions</param>
/// <exception cref="InvalidParameterException">Thrown if <paramref name="ca"/> is null</exception>
/// <returns>Certificate signed by <paramref name="ca"/></returns>
public static X509Certificate2 RequestCertificate(Pkcs10CertificationRequest csr, DateTime effectiveDate, DateTime expirationDate, X509Certificate2 ca, Asn1Set asn1Set)
{
AsymmetricKeyParameter keyParameter = null;
if (ca == null)
{
throw new InvalidParameterException("ca can not be null");
}
keyParameter = TransformRSAPrivateKey((RSACryptoServiceProvider)ca.PrivateKey);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(CreateSerialNumber());
certGen.SetIssuerDN(new X509Name(ca.Subject));
certGen.SetNotBefore(effectiveDate.ToUniversalTime());
certGen.SetNotAfter(expirationDate.ToUniversalTime());
certGen.SetSubjectDN(csr.GetCertificationRequestInfo().Subject);
certGen.SetPublicKey(csr.GetPublicKey());
certGen.SetSignatureAlgorithm(SIGNATURE_ALGORITHM);
CertificationRequestInfo info = csr.GetCertificationRequestInfo();
if (asn1Set != null)
{
// Iterate through each extension and add it to the certificate
for (int i = 0; i < asn1Set.Count; i++)
{
AttributePkcs attr = AttributePkcs.GetInstance(asn1Set[i]);
if (attr != null && attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
X509Extensions extensions = X509Extensions.GetInstance(attr.AttrValues[0]);
foreach (DerObjectIdentifier extOid in extensions.ExtensionOids)
{
Org.BouncyCastle.Asn1.X509.X509Extension ext = extensions.GetExtension(extOid);
certGen.AddExtension(extOid, ext.IsCritical, ext.GetParsedValue());
}
}
}
}
Org.BouncyCastle.X509.X509Certificate bcCert = certGen.Generate(keyParameter);
return(new X509Certificate2(bcCert.GetEncoded()));
}
public void TestCreationECDSA()
{
BigInteger ECParraGX = new BigInteger(Base64.Decode("D/qWPNyogWzMM7hkK+35BcPTWFc9Pyf7vTs8uaqv"));
BigInteger ECParraGY = new BigInteger(Base64.Decode("AhQXGxb1olGRv6s1LPRfuatMF+cx3ZTGgzSE/Q5R"));
BigInteger ECParraH = new BigInteger(Base64.Decode("AQ=="));
BigInteger ECParraN = new BigInteger(Base64.Decode("f///////////////f///nl6an12QcfvRUiaIkJ0L"));
BigInteger ECPubQX = new BigInteger(Base64.Decode("HWWi17Yb+Bm3PYr/DMjLOYNFhyOwX1QY7ZvqqM+l"));
BigInteger ECPubQY = new BigInteger(Base64.Decode("JrlJfxu3WGhqwtL/55BOs/wsUeiDFsvXcGhB8DGx"));
BigInteger ECPrivD = new BigInteger(Base64.Decode("GYQmd/NF1B+He1iMkWt3by2Az6Eu07t0ynJ4YCAo"));
FpCurve curve = new FpCurve(
new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q
new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a
new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b
ECDomainParameters ecDomain =
new ECDomainParameters(curve, new FpPoint(curve, curve.FromBigInteger(ECParraGX), curve.FromBigInteger(ECParraGY)), ECParraN);
ECPublicKeyParameters ecPub = new ECPublicKeyParameters(
"ECDSA",
new FpPoint(curve,
curve.FromBigInteger(ECPubQX),
curve.FromBigInteger(ECPubQY)),
ecDomain);
ECPrivateKeyParameters ecPriv = new ECPrivateKeyParameters("ECDSA", ECPrivD, ecDomain);
IDictionary attrs = new Hashtable();
attrs[X509Name.C] = "AU";
attrs[X509Name.O] = "The Legion of the Bouncy Castle";
attrs[X509Name.L] = "Melbourne";
attrs[X509Name.ST] = "Victoria";
attrs[X509Name.E] = "*****@*****.**";
IList ord = new ArrayList();
ord.Add(X509Name.C);
ord.Add(X509Name.O);
ord.Add(X509Name.L);
ord.Add(X509Name.ST);
ord.Add(X509Name.E);
IList values = new ArrayList();
values.Add("AU");
values.Add("The Legion of the Bouncy Castle");
values.Add("Melbourne");
values.Add("Victoria");
values.Add("*****@*****.**");
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name(ord, attrs));
certGen.SetNotBefore(DateTime.Today.Subtract(new TimeSpan(1, 0, 0, 0)));
certGen.SetNotAfter(DateTime.Today.AddDays(1));
certGen.SetSubjectDN(new X509Name(ord, attrs));
certGen.SetPublicKey(ecPub);
certGen.SetSignatureAlgorithm("SHA1WITHECDSA");
certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
X509Certificate cert = certGen.Generate(ecPriv);
// Assert.IsTrue((cert.IsValidNow && cert.Verify(ecPub)), "Certificate failed to be valid (ECDSA)");
cert.CheckValidity();
cert.Verify(ecPub);
ISet extOidSet = cert.GetCriticalExtensionOids();
if (extOidSet.Count != 1)
{
Fail("wrong number of oids");
}
//if (dummySet != null)
//{
// foreach (string key in dummySet)
// {
// Console.WriteLine("\t{0}:\t{1}", key);
// }
//}
//Console.WriteLine();
//dummySet = cert.GetNonCriticalExtensionOids();
//if (dummySet != null)
//{
// foreach (string key in dummySet)
// {
// Console.WriteLine("\t{0}:\t{1}", key);
// }
//}
//Console.WriteLine();
}
