/// <summary>
/// Creates a self-signed root CA certificate for <paramref name="subject"/> and exports it
/// together with its freshly generated key pair in the requested format.
/// </summary>
/// <param name="subject">Distinguished name used for both subject and issuer (self-issued).</param>
/// <param name="startDate">Start of the validity period.</param>
/// <param name="expiryDate">End of the validity period.</param>
/// <param name="signatureAlgorithm">Key type and hash used to generate the key pair and sign the certificate.</param>
/// <param name="certificateFormat">Output encoding handed to <c>ExportCertificate</c>.</param>
/// <returns>The exported certificate material as produced by <c>ExportCertificate</c>.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="subject"/> or <paramref name="signatureAlgorithm"/> is null.
/// </exception>
public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
    if (subject == null)
    {
        throw new ArgumentNullException(nameof(subject));
    }

    if (signatureAlgorithm == null)
    {
        throw new ArgumentNullException(nameof(signatureAlgorithm));
    }

    var prng = new SecureRandom(new CryptoApiRandomGenerator());
    var builder = new X509V3CertificateGenerator();

    // A root is self-issued: the same name is written as subject and issuer.
    AddStandardCertificateInfo(builder, prng, subject, subject, startDate, expiryDate);
    var caKeyPair = GenerateKeys(builder, prng, signatureAlgorithm);

    // CA profile: cA=true and the key-usage bits are both marked critical.
    builder.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    builder.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));

    // The key identifier is 20 random bytes rather than a hash of the public key; RFC 5280
    // allows any unique value. Because the certificate is self-issued, the same bytes serve
    // as the authority key identifier.
    var keyId = new byte[20];
    prng.NextBytes(keyId, 0, keyId.Length);
    builder.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(keyId));
    builder.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(keyId));

    // Sign with the CA's own private key.
    var signatureFactory = new Asn1SignatureFactory(GetAlgorithm(signatureAlgorithm), caKeyPair.Private, prng);
    var rootCertificate = builder.Generate(signatureFactory);

    return ExportCertificate(rootCertificate, caKeyPair, certificateFormat);
}
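/// <summary>
/// Creates a self-signed root CA certificate for <paramref name="subject"/> and exports it
/// together with its freshly generated key pair in the requested format.
/// </summary>
/// <param name="subject">Distinguished name used for both subject and issuer (self-issued).</param>
/// <param name="startDate">Start of the validity period.</param>
/// <param name="expiryDate">End of the validity period.</param>
/// <param name="signatureAlgorithm">Key type and hash used to generate the key pair and sign the certificate.</param>
/// <param name="certificateFormat">Output encoding handed to <c>ExportCertificate</c>.</param>
/// <returns>The exported certificate material as produced by <c>ExportCertificate</c>.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="subject"/> or <paramref name="signatureAlgorithm"/> is null.
/// </exception>
public static byte[] GenerateRootCACertificate(CertificateSubject subject, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
    // Validate at the entry point so a null argument surfaces as ArgumentNullException
    // instead of a NullReferenceException from inside the BouncyCastle helpers.
    if (subject == null)
    {
        throw new ArgumentNullException(nameof(subject));
    }

    if (signatureAlgorithm == null)
    {
        throw new ArgumentNullException(nameof(signatureAlgorithm));
    }

    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    var certificateGenerator = new X509V3CertificateGenerator();

    // Self-issued: subject doubles as issuer.
    AddStandardCertificateInfo(certificateGenerator, random, subject, subject, startDate, expiryDate);
    var subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);

    // CA profile: cA=true and key usage are both critical.
    certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyCertSign));

    // 20 random bytes as key identifier (RFC 5280 permits any unique value); reused as the
    // authority key identifier because the certificate is self-issued.
    var subjectKeyID = new byte[20];
    random.NextBytes(subjectKeyID, 0, subjectKeyID.Length);
    certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));
    certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(subjectKeyID));

    // Self-sign with the newly generated private key.
    var algorithm = GetAlgorithm(signatureAlgorithm);
    var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, subjectKeyPair.Private, random));

    return ExportCertificate(certificate, subjectKeyPair, certificateFormat);
}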
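/// <summary>
/// Issues an end-entity (non-CA) certificate for <paramref name="subject"/>, signed by the
/// private key carried in <paramref name="issuer"/>, and exports it with its new key pair.
/// </summary>
/// <param name="subject">Distinguished name of the certificate holder.</param>
/// <param name="issuer">Issuing CA: supplies the issuer name, the signing key and (optionally) its key identifier.</param>
/// <param name="startDate">Start of the validity period.</param>
/// <param name="expiryDate">End of the validity period.</param>
/// <param name="signatureAlgorithm">Key type and hash used for the new key pair and the signature.</param>
/// <param name="certificateFormat">Output encoding handed to <c>ExportCertificate</c>.</param>
/// <returns>
/// The exported certificate material, or null when <paramref name="issuer"/>.PrivateKey is not a
/// BouncyCastle <see cref="AsymmetricKeyParameter"/> (existing callers rely on the null return).
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="subject"/>, <paramref name="issuer"/> or
/// <paramref name="signatureAlgorithm"/> is null.
/// </exception>
public static byte[] GenerateCertificate(CertificateSubject subject, CertificateInfo issuer, DateTime startDate, DateTime expiryDate, SignatureHashAlgorithm signatureAlgorithm, TCertificateFormat certificateFormat)
{
    if (subject == null)
    {
        throw new ArgumentNullException(nameof(subject));
    }

    if (issuer == null)
    {
        throw new ArgumentNullException(nameof(issuer));
    }

    if (signatureAlgorithm == null)
    {
        throw new ArgumentNullException(nameof(signatureAlgorithm));
    }

    // Without a usable issuer private key there is nothing to sign with.
    if (!(issuer.PrivateKey is AsymmetricKeyParameter issuerPrivateKey))
    {
        return null;
    }

    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);
    var certificateGenerator = new X509V3CertificateGenerator();

    AddStandardCertificateInfo(certificateGenerator, random, subject, issuer.Subject, startDate, expiryDate);
    var subjectKeyPair = GenerateKeys(certificateGenerator, random, signatureAlgorithm);
    var algorithm = GetAlgorithm(signatureAlgorithm);

    // End-entity profile: cA=false (critical), signing and key transport (critical),
    // usable for both TLS server and client authentication.
    certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeID[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPClientAuth }));

    // 20 random bytes as subject key identifier; RFC 5280 permits any unique value.
    var subjectKeyID = new byte[20];
    random.NextBytes(subjectKeyID, 0, subjectKeyID.Length);
    certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID));

    // Chain to the issuer only when its key identifier is known.
    if (issuer.SubjectKeyID != null)
    {
        certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(issuer.SubjectKeyID));
    }

    // TODO: no SubjectAlternativeName extension is emitted (earlier commented-out code hinted at
    // feeding subject.AlternativeNames into it). Clients that require SAN for host-name matching
    // will not accept this certificate on the CN alone.

    var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(algorithm, issuerPrivateKey, random));

    return ExportCertificate(certificate, subjectKeyPair, certificateFormat);
}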
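/// <summary>
/// Produces a raw (D)TLS handshake signature over an already computed <paramref name="hash"/>,
/// using either a BouncyCastle private key or, for RSA only, an RSA CSP key.
/// </summary>
/// <param name="privateKey">BouncyCastle private key. May be null only when <paramref name="rsaKey"/> is supplied and the algorithm is RSA.</param>
/// <param name="rsaKey">RSA CSP key used by <c>SignRsa</c> when <paramref name="privateKey"/> is null.</param>
/// <param name="client">True when signing on the client side of the handshake.</param>
/// <param name="version">Protocol version placed into the <c>DTLSContext</c>; selects the TLS 1.2 or legacy signature form.</param>
/// <param name="handshakeInfo">Handshake state placed into the <c>DTLSContext</c>.</param>
/// <param name="signatureHashAlgorithm">Signature/hash algorithm pair; its <c>Signature</c> member picks the signer.</param>
/// <param name="hash">The pre-computed hash to sign.</param>
/// <returns>The raw signature bytes.</returns>
/// <exception cref="ArgumentException">
/// Thrown when neither key is supplied, when only an RSA CSP key is supplied for a non-RSA
/// algorithm, or when the signature algorithm has no signer (Anonymous or an unknown value).
/// </exception>
/// <exception cref="ArgumentNullException">Thrown when a required argument is null.</exception>
public static byte[] Sign(AsymmetricKeyParameter privateKey, RSACryptoServiceProvider rsaKey, bool client, Version version, HandshakeInfo handshakeInfo, SignatureHashAlgorithm signatureHashAlgorithm, byte[] hash)
#endif // closes a conditional-compilation block that starts before this method (not visible here)
{
    if (privateKey == null && rsaKey == null)
    {
        throw new ArgumentException("No key or Rsa CSP provided");
    }

    // Checked before the RSA-CSP branch below, which reads signatureHashAlgorithm.Signature;
    // previously a null here surfaced as a NullReferenceException.
    if (signatureHashAlgorithm == null)
    {
        throw new ArgumentNullException(nameof(signatureHashAlgorithm));
    }

    if (privateKey == null)
    {
        if (signatureHashAlgorithm.Signature == TSignatureAlgorithm.RSA)
        {
            return SignRsa(rsaKey, hash);
        }

        throw new ArgumentException("Need private key for non-RSA Algorithms");
    }

    if (version == null)
    {
        throw new ArgumentNullException(nameof(version));
    }

    if (handshakeInfo == null)
    {
        throw new ArgumentNullException(nameof(handshakeInfo));
    }

    if (hash == null)
    {
        throw new ArgumentNullException(nameof(hash));
    }

    TlsSigner signer;
    switch (signatureHashAlgorithm.Signature)
    {
        case TSignatureAlgorithm.RSA:
            signer = new TlsRsaSigner();
            break;
        case TSignatureAlgorithm.DSA:
            signer = new TlsDssSigner();
            break;
        case TSignatureAlgorithm.ECDSA:
            signer = new TlsECDsaSigner();
            break;
        default:
            // Anonymous and any unrecognised value have no signer; fail explicitly here rather
            // than dereferencing a null signer at Init below.
            throw new ArgumentException($"Unsupported signature algorithm: {signatureHashAlgorithm.Signature}", nameof(signatureHashAlgorithm));
    }

    var context = new DTLSContext(client, version, handshakeInfo);
    var randomGenerator = new CryptoApiRandomGenerator();
    context.SecureRandom = new SecureRandom(randomGenerator);
    signer.Init(context);

    // TLS 1.2 signatures carry an explicit signature/hash algorithm identifier; earlier
    // versions use the legacy raw form.
    if (TlsUtilities.IsTlsV12(context))
    {
        var signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((byte)signatureHashAlgorithm.Hash, (byte)signatureHashAlgorithm.Signature);
        return signer.GenerateRawSignature(signatureAndHashAlgorithm, privateKey, hash);
    }

    return signer.GenerateRawSignature(privateKey, hash);
}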