a575963da9
Former-commit-id: da6be194a6b1221998fc28233f2503bd61dd9d14
245 lines
7.5 KiB
C#
245 lines
7.5 KiB
C#
//
|
|
// X509CertificateBuilder.cs: Handles building of X.509 certificates.
|
|
//
|
|
// Author:
|
|
// Sebastien Pouliot <sebastien@ximian.com>
|
|
//
|
|
// (C) 2003 Motus Technologies Inc. (http://www.motus.com)
|
|
// (C) 2004 Novell (http://www.novell.com)
|
|
//
|
|
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
|
|
using System;
|
|
using System.Security.Cryptography;
|
|
|
|
namespace Mono.Security.X509 {
|
|
// From RFC3280
|
|
/*
|
|
* Certificate ::= SEQUENCE {
|
|
* tbsCertificate TBSCertificate,
|
|
* signatureAlgorithm AlgorithmIdentifier,
|
|
* signature BIT STRING
|
|
* }
|
|
* TBSCertificate ::= SEQUENCE {
|
|
* version [0] Version DEFAULT v1,
|
|
* serialNumber CertificateSerialNumber,
|
|
* signature AlgorithmIdentifier,
|
|
* issuer Name,
|
|
* validity Validity,
|
|
* subject Name,
|
|
* subjectPublicKeyInfo SubjectPublicKeyInfo,
|
|
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
* -- If present, version MUST be v2 or v3
|
|
* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
|
* -- If present, version MUST be v2 or v3
|
|
* extensions [3] Extensions OPTIONAL
|
|
* -- If present, version MUST be v3 --
|
|
* }
|
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
|
* CertificateSerialNumber ::= INTEGER
|
|
* Validity ::= SEQUENCE {
|
|
* notBefore Time,
|
|
* notAfter Time
|
|
* }
|
|
* Time ::= CHOICE {
|
|
* utcTime UTCTime,
|
|
* generalTime GeneralizedTime
|
|
* }
|
|
*/
|
|
public class X509CertificateBuilder : X509Builder {
|
|
|
|
private byte version;
|
|
private byte[] sn;
|
|
private string issuer;
|
|
private DateTime notBefore;
|
|
private DateTime notAfter;
|
|
private string subject;
|
|
private AsymmetricAlgorithm aa;
|
|
private byte[] issuerUniqueID;
|
|
private byte[] subjectUniqueID;
|
|
private X509ExtensionCollection extensions;
|
|
|
|
public X509CertificateBuilder () : this (3) {}
|
|
|
|
public X509CertificateBuilder (byte version)
|
|
{
|
|
if (version > 3)
|
|
throw new ArgumentException ("Invalid certificate version");
|
|
this.version = version;
|
|
extensions = new X509ExtensionCollection ();
|
|
}
|
|
|
|
public byte Version {
|
|
get { return version; }
|
|
set { version = value; }
|
|
}
|
|
|
|
public byte[] SerialNumber {
|
|
get { return sn; }
|
|
set { sn = value; }
|
|
}
|
|
|
|
public string IssuerName {
|
|
get { return issuer; }
|
|
set { issuer = value; }
|
|
}
|
|
|
|
public DateTime NotBefore {
|
|
get { return notBefore; }
|
|
set { notBefore = value; }
|
|
}
|
|
|
|
public DateTime NotAfter {
|
|
get { return notAfter; }
|
|
set { notAfter = value; }
|
|
}
|
|
|
|
public string SubjectName {
|
|
get { return subject; }
|
|
set { subject = value; }
|
|
}
|
|
|
|
public AsymmetricAlgorithm SubjectPublicKey {
|
|
get { return aa; }
|
|
set { aa = value; }
|
|
}
|
|
|
|
public byte[] IssuerUniqueId {
|
|
get { return issuerUniqueID; }
|
|
set { issuerUniqueID = value; }
|
|
}
|
|
|
|
public byte[] SubjectUniqueId {
|
|
get { return subjectUniqueID; }
|
|
set { subjectUniqueID = value; }
|
|
}
|
|
|
|
public X509ExtensionCollection Extensions {
|
|
get { return extensions; }
|
|
}
|
|
|
|
|
|
/* SubjectPublicKeyInfo ::= SEQUENCE {
|
|
* algorithm AlgorithmIdentifier,
|
|
* subjectPublicKey BIT STRING }
|
|
*/
|
|
private ASN1 SubjectPublicKeyInfo ()
|
|
{
|
|
ASN1 keyInfo = new ASN1 (0x30);
|
|
if (aa is RSA) {
|
|
keyInfo.Add (PKCS7.AlgorithmIdentifier ("1.2.840.113549.1.1.1"));
|
|
RSAParameters p = (aa as RSA).ExportParameters (false);
|
|
/* RSAPublicKey ::= SEQUENCE {
|
|
* modulus INTEGER, -- n
|
|
* publicExponent INTEGER } -- e
|
|
*/
|
|
ASN1 key = new ASN1 (0x30);
|
|
key.Add (ASN1Convert.FromUnsignedBigInteger (p.Modulus));
|
|
key.Add (ASN1Convert.FromUnsignedBigInteger (p.Exponent));
|
|
keyInfo.Add (new ASN1 (UniqueIdentifier (key.GetBytes ())));
|
|
}
|
|
else if (aa is DSA) {
|
|
DSAParameters p = (aa as DSA).ExportParameters (false);
|
|
/* Dss-Parms ::= SEQUENCE {
|
|
* p INTEGER,
|
|
* q INTEGER,
|
|
* g INTEGER }
|
|
*/
|
|
ASN1 param = new ASN1 (0x30);
|
|
param.Add (ASN1Convert.FromUnsignedBigInteger (p.P));
|
|
param.Add (ASN1Convert.FromUnsignedBigInteger (p.Q));
|
|
param.Add (ASN1Convert.FromUnsignedBigInteger (p.G));
|
|
keyInfo.Add (PKCS7.AlgorithmIdentifier ("1.2.840.10040.4.1", param));
|
|
ASN1 key = keyInfo.Add (new ASN1 (0x03));
|
|
// DSAPublicKey ::= INTEGER -- public key, y
|
|
key.Add (ASN1Convert.FromUnsignedBigInteger (p.Y));
|
|
}
|
|
else
|
|
throw new NotSupportedException ("Unknown Asymmetric Algorithm " + aa.ToString ());
|
|
return keyInfo;
|
|
}
|
|
|
|
private byte[] UniqueIdentifier (byte[] id)
|
|
{
|
|
// UniqueIdentifier ::= BIT STRING
|
|
ASN1 uid = new ASN1 (0x03);
|
|
// first byte in a BITSTRING is the number of unused bits in the first byte
|
|
byte[] v = new byte [id.Length + 1];
|
|
Buffer.BlockCopy (id, 0, v, 1, id.Length);
|
|
uid.Value = v;
|
|
return uid.GetBytes ();
|
|
}
|
|
|
|
protected override ASN1 ToBeSigned (string oid)
|
|
{
|
|
// TBSCertificate
|
|
ASN1 tbsCert = new ASN1 (0x30);
|
|
|
|
if (version > 1) {
|
|
// TBSCertificate / [0] Version DEFAULT v1,
|
|
byte[] ver = { (byte)(version - 1) };
|
|
ASN1 v = tbsCert.Add (new ASN1 (0xA0));
|
|
v.Add (new ASN1 (0x02, ver));
|
|
}
|
|
|
|
// TBSCertificate / CertificateSerialNumber,
|
|
tbsCert.Add (new ASN1 (0x02, sn));
|
|
|
|
// TBSCertificate / AlgorithmIdentifier,
|
|
tbsCert.Add (PKCS7.AlgorithmIdentifier (oid));
|
|
|
|
// TBSCertificate / Name
|
|
tbsCert.Add (X501.FromString (issuer));
|
|
|
|
// TBSCertificate / Validity
|
|
ASN1 validity = tbsCert.Add (new ASN1 (0x30));
|
|
// TBSCertificate / Validity / Time
|
|
validity.Add (ASN1Convert.FromDateTime (notBefore));
|
|
// TBSCertificate / Validity / Time
|
|
validity.Add (ASN1Convert.FromDateTime (notAfter));
|
|
|
|
// TBSCertificate / Name
|
|
tbsCert.Add (X501.FromString (subject));
|
|
|
|
// TBSCertificate / SubjectPublicKeyInfo
|
|
tbsCert.Add (SubjectPublicKeyInfo ());
|
|
|
|
if (version > 1) {
|
|
// TBSCertificate / [1] IMPLICIT UniqueIdentifier OPTIONAL
|
|
if (issuerUniqueID != null)
|
|
tbsCert.Add (new ASN1 (0xA1, UniqueIdentifier (issuerUniqueID)));
|
|
|
|
// TBSCertificate / [2] IMPLICIT UniqueIdentifier OPTIONAL
|
|
if (subjectUniqueID != null)
|
|
tbsCert.Add (new ASN1 (0xA1, UniqueIdentifier (subjectUniqueID)));
|
|
|
|
// TBSCertificate / [3] Extensions OPTIONAL
|
|
if ((version > 2) && (extensions.Count > 0))
|
|
tbsCert.Add (new ASN1 (0xA3, extensions.GetBytes ()));
|
|
}
|
|
|
|
return tbsCert;
|
|
}
|
|
}
|
|
}
|