使用BouncyCastle签署证书

时间:2017-03-16 15:22:23

标签: c# security ssl x509certificate bouncycastle

对不起大量的代码,但没有其他方式来解释我的麻烦。

步骤:

  1. 使用CN=localhost(pvk和cer文件)为makecert生成密钥对;
  2. 将cer文件添加到Trusted Root Authorirties;
  3. 转换(密钥对=> .pfx与pvk2pfx => .pem);
  4. 将此密钥对作为pem文件加载到我的程序中;
  5. 使用example.comBouncyCastleissuerDN=localhostsubjectDN=example.com签署SslSocketFactory.CreateKeyMaterial("example.com")证书;
  6. 使用生成的证书向客户端验证为服务器。

    7. 故障: 浏览器警告我的证书颁发者未知。

    身份验证证书是调用public class SslSocketFactory { private static string myCertPath = "MyCA.pem"; private static string myPublCertPath = "MyCA.cer"; private static AsymmetricCipherKeyPair LocalCertificate; private static X509Certificate PublicLocalCertificate; private static X509Certificate RemoteCertificate; private static System.Security.Cryptography.X509Certificates.X509Chain RemoteCertChain; public static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateKeyMaterial(string domainName) { ReadLocalCertificate(); // Reading Pem and Cer files LoadRemoteCert(domainName); // Loading Certificate from domain return CreateSelfSignedCertificate("CN=localhost"); } private static void LoadRemoteCert(string domainName) { var server = new TcpClient(); server.ConnectAsync(domainName, 443).Wait(); var stream = new SslStream(server.GetStream(), true, new RemoteCertificateValidationCallback((a, b, c, d) => { RemoteCertChain = c; return true; }), null); stream.AuthenticateAsClientAsync(domainName).Wait(); RemoteCertificate = new X509CertificateParser().ReadCertificate(stream.RemoteCertificate.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)); } private static void ReadLocalCertificate() { PublicLocalCertificate = new X509CertificateParser().ReadCertificate( new System.Security.Cryptography.X509Certificates.X509Certificate2(myPublCertPath) .Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert) ); var fs = new FileStream(myCertPath, FileMode.Open); StreamReader sr = new StreamReader(fs); PemReader pr = new PemReader(sr, new PemPassword()); LocalCertificate = (AsymmetricCipherKeyPair)pr.ReadObject(); sr.Dispose(); fs.Dispose(); } public static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateSelfSignedCertificate(string issuerName) { var issuerPrivKey = LocalCertificate.Private; // Init Random SecureRandom random = new SecureRandom(); ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", issuerPrivKey, random); // Serial Number BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random); certificateGenerator.SetSerialNumber(serialNumber); // The Certificate Generator X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); var subjectKeyID = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(LocalCertificate.Public); var issuerKeyID = PublicLocalCertificate.CertificateStructure.SubjectPublicKeyInfo; certificateGenerator.CopyAndAddExtension(X509Extensions.SubjectAlternativeName, false, RemoteCertificate); certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, new AuthorityKeyIdentifier(issuerKeyID, new GeneralNames(new GeneralName(new X509Name(PublicLocalCertificate.IssuerDN.ToString()))), PublicLocalCertificate.SerialNumber)); certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyID)); // Issuer and Subject Name X509Name subjectDN = new X509Name(RemoteCertificate.SubjectDN.ToString()); X509Name issuerDN = new X509Name(issuerName); certificateGenerator.SetIssuerDN(issuerDN); certificateGenerator.SetSubjectDN(subjectDN); // Valid For DateTime notBefore = DateTime.UtcNow.Date; DateTime notAfter = notBefore.AddYears(10); certificateGenerator.SetNotBefore(notBefore); certificateGenerator.SetNotAfter(notAfter); // Subject Public Key certificateGenerator.SetPublicKey(LocalCertificate.Public); // Generating a certificate X509Certificate certificate = certificateGenerator.Generate(signatureFactory); //Converting BC x509 to .net X509Certificate2, adding Private key var p12Store = new Pkcs12StoreBuilder().Build(); p12Store.SetKeyEntry("1", new AsymmetricKeyEntry(LocalCertificate.Private), new[] { new X509CertificateEntry(certificate) }); var p12data = new MemoryStream(); p12Store.Save(p12data, "password".ToCharArray(), new SecureRandom()); var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(p12data.ToArray(), "password", System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable); return x509; } class PemPassword : IPasswordFinder { public char[] GetPassword() { return "password".ToCharArray(); } } } 的结果。

    我做错了什么?

    生成证书的类:

    Enum Protocols {
    Sftp
    Ftp
    Ftps
}

0 个答案:

没有答案
相关问题
最新问题