.Net用Bouncy Castle对PKCS#10请求进行编程签名
本文关键字:编程 请求 PKCS#10 Bouncy Castle Net | 更新日期: 2023-09-27 18:27:02
我们在客户端上使用CertEnroll生成了一个有效的PKCS#10证书请求。
现在我们需要对其进行签名并将结果返回给客户端,CertEnroll将在客户端处理本地证书存储的内容。
这是一个B2B应用程序,根签名证书将自行生成,或者我们可以使用现有的Thawte SSL证书。
服务器(2008)没有运行Active Directory,除非绝对必要,否则我们不想为此创建独立的签名基础结构/服务。不需要撤销等等——我们希望通过编程来实现。
我很乐意使用BouncyCastle库,但C#库缺乏任何有意义的文档,尽管最初的Java文档无可否认是相似的,但C#实现的不同足以让我有点困惑。
是否有人知道(或拥有)示例C#(或VB)代码或已知的可关联链接,使用BouncyCastle或本地.Net类?
如有任何协助,我们将不胜感激!
至少可以说,这是一个有趣的练习:-)
我们同时使用了BouncyCastle和.Net证书对象。解决方案仍然存在!很还有改进的空间,但事实上确实有效。
下面是它的核心(Cert-Gen)。当我们到达这里时,CSR已经在客户端上生成,当我们离开时,生成的证书由客户端代码安装(有关客户端工作方式,请参阅此博客)
同样,我不会把它作为成品提供,但希望对那些面临同样任务的人有一些价值。快乐加密:-)
// Jul 10, 2012 see
// http://social.technet.microsoft.com/Forums/en-NZ/winserversecurity/thread/45781b46-3eb7-4715-b877-883bf0dc2ae7
// instaed of CX509CertificateRequestPkcs10 csr = new CX509CertificateRequestPkcs10(); use:
IX509CertificateRequestPkcs10 csr = (IX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10"));
csr.InitializeDecode(csrText, EncodingType.XCN_CRYPT_STRING_BASE64);
csr.CheckSignature(Pkcs10AllowedSignatureTypes.AllowedKeySignature);
//get Bouncy CSRInfo Object
Trace.Write("get Bouncy CSRInfo Object");
Byte[] csrBytes = Convert.FromBase64String(csrText);
CertificationRequestInfo csrInfo = CertificateTools.GetCsrInfo(csrBytes);
SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo;
//pub key for the signed cert
Trace.Write("pub key for the signed cert");
AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki);
// Build a Version1 (No Extensions) Certificate
DateTime startDate = DateTime.Now;
DateTime expiryDate = startDate.AddYears(100);
BigInteger serialNumber = new BigInteger(32, new Random());
Trace.Write("Build a Version1 (No Extensions) Certificate");
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
string signerCN = ConfigurationManager.AppSettings["signerCN"].ToString();
X509Name dnName = new X509Name(String.Format("CN={0}", signerCN));
X509Name cName = new X509Name(csr.Subject.Name);
certGen.SetSerialNumber(serialNumber);
certGen.SetIssuerDN(dnName);
certGen.SetNotBefore(startDate);
certGen.SetNotAfter(expiryDate);
certGen.SetSubjectDN(cName);
certGen.SetSignatureAlgorithm("SHA1withRSA");
certGen.SetPublicKey(publicKey);
//get our Private Key to Sign with
Trace.Write("get our Private Key to Sign with");
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
string signerThumbprint = ConfigurationManager.AppSettings["signerThumbprint"].ToString();
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, signerThumbprint, false);
X509Certificate2 caCert = fcollection[0];
Trace.Write("Found:" + caCert.FriendlyName);
Trace.Write("Has Private " + caCert.HasPrivateKey.ToString());
Trace.Write("Key Size " + caCert.PrivateKey.KeySize.ToString());
//Get our Signing Key as a Bouncy object
Trace.Write("Get our Signing Key as a Bouncy object from key ");
AsymmetricCipherKeyPair caPair = DotNetUtilities.GetKeyPair(caCert.PrivateKey);
//gen BouncyCastle object
Trace.Write("gen BouncyCastle object");
Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(caPair.Private);
//convert to windows type 2 and get Base64 String
Trace.Write("convert to windows type 2 and get Base64 String");
X509Certificate2 cert2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(cert));
byte[] encoded = cert2.GetRawCertData();
string certOutString = Convert.ToBase64String(encoded);
//output to the page (hidden)
Certificate.Value = certOutString;