.Net Programmatically Sign PKCS # 10 Request from Bouncy Castle

We have a valid PKCS # 10 certificate request created on the client using CertEnroll.

Now we need to sign it and return the result to the client, where CertEnroll will process the local certificate store.

This is a B2B application and the root signature certificate will be self-generated or we can use our existing Thawte SSL certificate.

Server (2008) does not work in Active Directory, and we do not want to create a separate signature infrastructure or service for it if it is absolutely necessary. No need to cancel, etc. - we want to do this programmatically.

I would be happy to use the BouncyCastle library, however C # lib does not have any meaningful documentation, and although the original Java docs are admittedly similar, the C # implementation is different to leave me a bit confusing.

Does anyone know (or have) a sample C # (or VB) code or a well-known reference to it using BouncyCastle or, in this case, native .Net classes?

Any help in achieving this goal would be greatly appreciated!

+6
source share
1 answer

This turned out to be an interesting exercise, to say the least :-)

We used both BouncyCastle and .Net objects. There is still a solution! Many! room for improvement, but it really works.

Below are the guts (Cert Gen). When we get there, the CSR is already generated on the client, and when we leave the received certificate, the client code will be installed (see this blog for the client side of the work.)

Again, I do not propose this as a finished product, but, I hope, it has some significance for those who are faced with one task. Happy Encrypting: -)

// Jul 10, 2012 see // http://social.technet.microsoft.com/Forums/en-NZ/winserversecurity/thread/45781b46-3eb7-4715-b877-883bf0dc2ae7 // instaed of CX509CertificateRequestPkcs10 csr = new CX509CertificateRequestPkcs10(); use: IX509CertificateRequestPkcs10 csr = (IX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10")); csr.InitializeDecode(csrText, EncodingType.XCN_CRYPT_STRING_BASE64); csr.CheckSignature(Pkcs10AllowedSignatureTypes.AllowedKeySignature); //get Bouncy CSRInfo Object Trace.Write("get Bouncy CSRInfo Object"); Byte[] csrBytes = Convert.FromBase64String(csrText); CertificationRequestInfo csrInfo = CertificateTools.GetCsrInfo(csrBytes); SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo; //pub key for the signed cert Trace.Write("pub key for the signed cert"); AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki); // Build a Version1 (No Extensions) Certificate DateTime startDate = DateTime.Now; DateTime expiryDate = startDate.AddYears(100); BigInteger serialNumber = new BigInteger(32, new Random()); Trace.Write("Build a Version1 (No Extensions) Certificate"); X509V1CertificateGenerator certGen = new X509V1CertificateGenerator(); string signerCN = ConfigurationManager.AppSettings["signerCN"].ToString(); X509Name dnName = new X509Name(String.Format("CN={0}", signerCN)); X509Name cName = new X509Name(csr.Subject.Name); certGen.SetSerialNumber(serialNumber); certGen.SetIssuerDN(dnName); certGen.SetNotBefore(startDate); certGen.SetNotAfter(expiryDate); certGen.SetSubjectDN(cName); certGen.SetSignatureAlgorithm("SHA1withRSA"); certGen.SetPublicKey(publicKey); //get our Private Key to Sign with Trace.Write("get our Private Key to Sign with"); X509Store store = new X509Store(StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); string signerThumbprint = ConfigurationManager.AppSettings["signerThumbprint"].ToString(); X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates; X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, signerThumbprint, false); X509Certificate2 caCert = fcollection[0]; Trace.Write("Found:" + caCert.FriendlyName); Trace.Write("Has Private " + caCert.HasPrivateKey.ToString()); Trace.Write("Key Size " + caCert.PrivateKey.KeySize.ToString()); //Get our Signing Key as a Bouncy object Trace.Write("Get our Signing Key as a Bouncy object from key "); AsymmetricCipherKeyPair caPair = DotNetUtilities.GetKeyPair(caCert.PrivateKey); //gen BouncyCastle object Trace.Write("gen BouncyCastle object"); Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(caPair.Private); //convert to windows type 2 and get Base64 String Trace.Write("convert to windows type 2 and get Base64 String"); X509Certificate2 cert2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(cert)); byte[] encoded = cert2.GetRawCertData(); string certOutString = Convert.ToBase64String(encoded); //output to the page (hidden) Certificate.Value = certOutString; 
+9
source

Source: https://habr.com/ru/post/910120/


All Articles