我正在将Visual Studio 2019与c#和Bouncy Castle版的1.8.5一起使用。
我已经能够成功生成Certificate Authority(CA),现在想生成Intermediate Certificate。
在我当前的工作流程中,CA证书作为X509Certificate2对象返回,我将其传递以生成中间证书。
从那里我想阅读PrivateKey,但是这样做很麻烦。
对于生成CA(CACertificateDetails是用于存储要传递的字符串的简单类):
public static X509Certificate2 GenerateCA(CACertificateDetails details)
{
// generate a random number
var random = GetSecureRandom();
// init the certificate generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
// serial number
certificateGenerator.SetSerialNumber(SerialNumber(random));
// set issuer and subject name
var subjectDN = new X509Name(details.SubjectName);
var issuerDN = new X509Name(details.IssuerName);
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// validation time
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(details.ValidYears);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// subject public Key
AsymmetricCipherKeyPair subjectKeyPair;
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, details.KeyStrength);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// set the hash algorithm
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
ISignatureFactory signatureFactory = new Asn1SignatureFactory(PkcsObjectIdentifiers.Sha512WithRsaEncryption.ToString(), issuerKeyPair.Private, random);
// generate the certificate
var certificate = certificateGenerator.Generate(signatureFactory);
var x509Certificate = new X509Certificate2(certificate.GetEncoded());
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("malformed sequence in RSA private key");
}
RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
var convertedRsa = DotNetUtilities.ToRSA(rsaparams);
var x509CertificateRet = x509Certificate.CopyWithPrivateKey(convertedRsa);
x509CertificateRet.FriendlyName = details.FriendlyName;
return x509CertificateRet;
}
生成中间证书的方法如下(刚生成的CA现在作为对象传递):
public static X509Certificate2 GenerateCertificate(CertificateDetails details, X509Certificate2 issuer)
{
// generate a random number
var random = GetSecureRandom();
// init the certificate generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
// serial number
certificateGenerator.SetSerialNumber(SerialNumber(random));
// set issuer and subject name
var issuerDN = new X509Name(issuer.Issuer);
certificateGenerator.SetIssuerDN(issuerDN);
var distinguishedNames = DistinguishedName(details);
var nameOids = new ArrayList(distinguishedNames.Select(x => x.Item1).ToArray());
var nameValues = new ArrayList(distinguishedNames.Select(x => x.Item2).ToArray());
var subjectDN = new X509Name(nameOids, nameValues);
certificateGenerator.SetSubjectDN(subjectDN);
// authority key identifier
var authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(DotNetUtilities.FromX509Certificate(issuer));
certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, authorityKeyIdentifier);
// Basic Constraints - certificate is allowed to be used as intermediate.
certificateGenerator.AddExtension(X509Extensions.BasicConstraints.Id, true, new BasicConstraints(details.IsIntermediateCertificate));
// key usage
if (!details.IsIntermediateCertificate)
{
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.DataEncipherment | KeyUsage.KeyAgreement));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(new[] { KeyPurposeID.IdKPServerAuth, KeyPurposeID.IdKPServerAuth }));
}
else
{
certificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.DataEncipherment | KeyUsage.KeyAgreement | KeyUsage.KeyCertSign));
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeID.AnyExtendedKeyUsage));
}
// validation time
var notBefore = DateTime.UtcNow.Date;
var notAfter = notBefore.AddYears(details.ValidYears);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// subject public Key
AsymmetricCipherKeyPair subjectKeyPair;
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, details.KeyStrength);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
// set the hash algorithm
var issuerPrivateKey = TransformRSAPrivateKey(issuer.PrivateKey);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA3-512withRSA", issuerPrivateKey, random);
// generate the certificate
var certificate = certificateGenerator.Generate(signatureFactory);
PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
var x509Certificate = new X509Certificate2(certificate.GetEncoded());
Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
if (seq.Count != 9)
{
throw new PemException("Malformed sequence in RSA private key");
}
RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
x509Certificate.PrivateKey = DotNetUtilities.ToRSA(rsaparams);
x509Certificate.FriendlyName = details.FriendlyName;
return x509Certificate;
}
我现在在TransformRSAPrivateKey行的函数prov.ExportParameters(true)上失败了,可能是因为没有找到私钥数据,由于我用x509Certificate.CopyWithPrivateKey(convertedRsa)在CA生成。
private static AsymmetricKeyParameter TransformRSAPrivateKey(AsymmetricAlgorithm privateKey)
{
RSACryptoServiceProvider prov = privateKey as RSACryptoServiceProvider;
RSAParameters parameters = prov.ExportParameters(true);
return new RsaPrivateCrtKeyParameters(
new BigInteger(1, parameters.Modulus),
new BigInteger(1, parameters.Exponent),
new BigInteger(1, parameters.D),
new BigInteger(1, parameters.P),
new BigInteger(1, parameters.Q),
new BigInteger(1, parameters.DP),
new BigInteger(1, parameters.DQ),
new BigInteger(1, parameters.InverseQ));
}
如何继续使用CA生成(并签名)我的Intermediate Certificate?
我不想传递AsymmetricKeyParameter,如在stackoverflow上的多个示例中所示。
在某些时候,我可能想将CA保存到磁盘上,并在另一时间读取它,以生成具有相同CA的证书。那时,我将没有CA生成工作流,因此也就没有AsymmetricKeyParameter对象。
答案 0 :(得分:1)
好吧,问题出在以下几行:
// set the hash algorithm
var issuerPrivateKey = TransformRSAPrivateKey(issuer.PrivateKey);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA3-512withRSA", issuerPrivateKey, random);
可以像原始帖子一样将X509Certificate2颁发者证书传递给GenerateCertificate函数。
诀窍是使用X509KeyStorageFlags.Exportable之类的标志X509Certificate2(certificatePath, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);加载该证书。
我进一步将代码更改为
// set the hash algorithm
var issuerPrivateKey = DotNetUtilities.GetKeyPair(issuerCA.PrivateKey).Private;
ISignatureFactory signatureFactory = new Asn1SignatureFactory(PkcsObjectIdentifiers.Sha512WithRsaEncryption.ToString(), issuerPrivateKey, random);