Создание цепочки сертификатов в Bouncy Castle (C#)

Создание цепочки сертификатов в Bouncy Castle (C#) ⇐ C#

1 сообщение • Страница 1 из 1

Anonymous

Создание цепочки сертификатов в Bouncy Castle (C#)

Цитата

Сообщение Anonymous » 17 дек 2024, 05:47

Я создаю оболочку для надувного замка, которая генерирует сертификат и может быть подписана другим сертификатом.
Я настроил AuthorityKeyIndentifier и имена его каталогов, чтобы они соответствовали подписи. сертификат. Я также добавил сертификаты от корня вниз по листу, но продолжаю получать ошибку 20 в openssl.
openssl verify -CAfile ROOT.cer -untrusted INTERMEDIATE.cer LEAF.cer
error 20 at 0 depth lookup: unable to get local issuer certificate
error LEAF.cer: verification failed

Вот код, который я использовал для своей оболочки генератора:
using System;
using System.IO;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Utilities;

using Ensign.Cryptography;
using Ensign.Structures.Cryptography;
using Ensign.Structures.X509Certificates;
using System.Buffers.Text;
using System.Runtime.Serialization;

using Ensign.Structures.X509Certificates;

namespace Ensign.X509.Generators;

partial class X509CertificateGenerator : X509CertificateBuilder {
protected List _X509CertificatesChain = new List();
protected Org.BouncyCastle.X509.X509Certificate _X509Certificate;
protected Pkcs12Store _Pkcs12Store;
protected readonly X509V3CertificateGenerator _CertificateGenerator = new X509V3CertificateGenerator();
protected int _KeyUsages = 0;
protected List _ExtendedKeyUsages = new List();

protected SubjectKeyIdentifier _SubjectKeyIdentifier;
protected AuthorityKeyIdentifier _AuthorityKeyIdentifier;

protected Asn1SignatureFactory _SignatureFactory;

public X509CertificateGenerator() { }
public X509CertificateGenerator(Certificate certificate) : base(certificate) { }
}

partial class X509CertificateGenerator : X509CertificateBuilder {
public X509CertificateGenerator AddToCertificateChain(Org.BouncyCastle.X509.X509Certificate x509Certificate) {
_X509CertificatesChain.Add(x509Certificate);
return this;
}
public new X509CertificateGenerator WithKeyPair(KeyPair keyPair) {
base.WithKeyPair(keyPair);
_SignatureFactory = new Asn1SignatureFactory(keyPair.Algorithm, keyPair.Private);
_CertificateGenerator.SetPublicKey(keyPair.Public);
return this;
}

public X509CertificateGenerator WithPublicKey(AsymmetricKeyParameter publicKey) {
_CertificateGenerator.SetPublicKey(publicKey);
return this;
}

public X509CertificateGenerator WithCertificateAuthoritySignature(Org.BouncyCastle.X509.X509Certificate x509Certificate) {
DisallowIssuerReassignment();
Issuer = RelativeDistinguishedName.Parse(x509Certificate.SubjectDN.ToString());

if (_AuthorityKeyIdentifier is not null)
throw new InvalidOperationException($"{nameof(_AuthorityKeyIdentifier)} already set. " +
"There is already a certificate authority signature signed for this certificate.");

// _CertificateGenerator.SetPublicKey(x509Certificate.GetPublicKey());

_AuthorityKeyIdentifier = new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(x509Certificate.GetPublicKey()),
new GeneralNames(new GeneralName(x509Certificate.SubjectDN)),
x509Certificate.SerialNumber
);

_X509CertificatesChain.Add(x509Certificate);

// TODO: accept a X509Name object in RelativeDistinguishedName
return this;
}
}

partial class X509CertificateGenerator : X509CertificateBuilder {

public Org.BouncyCastle.X509.X509Certificate Build() {
if (_X509Certificate is not null)
throw new InvalidOperationException($"{nameof(_X509Certificate)} already built.");
if (Subject is null)
throw new MissingFieldException($"{nameof(Subject)} is missing. " +
$"Call {nameof(SetSubject)} first.");
if (Issuer is null)
throw new MissingFieldException($"{nameof(Issuer)} is missing. " +
$"Call {nameof(SetIssuer)} first.");
if (SerialNumber is null)
throw new MissingFieldException($"{nameof(SerialNumber)} is missing. " +
$"Call {nameof(SetSerialNumber)} first.");
if (_CipherKeyPair is null)
throw new MissingFieldException($"{nameof(_CipherKeyPair)} is missing. " +
$"Call {nameof(WithKeyPair)} first.");
if (_SignatureFactory is null)
throw new MissingFieldException($"{nameof(_SignatureFactory)} is missing. " +
$"Call {nameof(WithKeyPair)} first.");
if (_Password is null)
throw new MissingFieldException($"{nameof(_Password)} is missing. " +
$"Call {nameof(UsePassword)} first.");
if (_SecureRandom is null)
throw new MissingFieldException($"{nameof(_SecureRandom)} is missing. " +
$"Call {nameof(WithSecureRandom)} first.");
if (_SignatureFactory is null) // NOTE: this code is unreachable
throw new MissingFieldException($"{nameof(_SignatureFactory)} is missing. " +
$"Call {nameof(WithKeyPair)} first.");
if (_KeyUsages == 0)
throw new MissingFieldException($"{nameof(_KeyUsages)} is missing. " +
$"Assign some key usage.");

_SubjectKeyIdentifier = new SubjectKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(PublicKey)
);

_CertificateGenerator.SetSubjectDN(new X509Name(Subject.ToString()));
_CertificateGenerator.SetIssuerDN(new X509Name(Issuer.ToString()));
_CertificateGenerator.SetNotBefore(InvalidBefore);
_CertificateGenerator.SetNotAfter(InvalidAfter);
_CertificateGenerator.SetSerialNumber(SerialNumber);

if (_KeyUsages > 0) { _CertificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(_KeyUsages)); }
if (_ExtendedKeyUsages.Count > 0) {
_CertificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(_ExtendedKeyUsages));
}
_CertificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, _SubjectKeyIdentifier);
_CertificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, _AuthorityKeyIdentifier);

_X509Certificate = _CertificateGenerator.Generate(_SignatureFactory);
_X509CertificatesChain.Add(_X509Certificate);

return _X509Certificate;
}

public X509Certificate2 Generate() {
if (_X509Certificate2 is not null)
throw new InvalidOperationException($"{nameof(_X509Certificate2)} already built.");
if (_X509Certificate is null) // TODO: convert to warning
throw new MissingFieldException($"{nameof(_X509Certificate)} not built. " +
$"Call {nameof(Build)} first.");

// _X509Certificate.CheckValidity(DateTime.Now);
// _X509Certificate.Verify(PublicKey);

_Pkcs12Store = new Pkcs12StoreBuilder().Build();
X509CertificateEntry[] x509CertificateEntries = new X509CertificateEntry[_X509CertificatesChain.Count];
AsymmetricKeyEntry asymmetricKeyEntry = new AsymmetricKeyEntry(_CipherKeyPair.Private);

for (int i = _X509CertificatesChain.Count - 1; i >= 0; i--) {
x509CertificateEntries = new X509CertificateEntry(_X509CertificatesChain);
}

// for (int i = 0; i < _X509CertificatesChain.Count; i++) {
// x509CertificateEntries = new X509CertificateEntry(_X509CertificatesChain);
// }

_Pkcs12Store.SetKeyEntry(Subject.Name, asymmetricKeyEntry, x509CertificateEntries);

using (MemoryStream memoryStream = new MemoryStream()) {
_Pkcs12Store.Save(memoryStream, _Password.ToCharArray(), _SecureRandom);
_X509Certificate2 = new X509Certificate2(memoryStream.ToArray(), _Password, X509KeyStorageFlags.Exportable);
}
return _X509Certificate2;
}

public Org.BouncyCastle.X509.X509Certificate GetCertificateBuild() {
if (_X509Certificate is null)
throw new MissingFieldException($"{nameof(_X509Certificate)} not built. " +
$"Call {nameof(Build)} first.");
return _X509Certificate;
}

public X509Certificate2 GetCertificate() {
if (_X509Certificate2 is null)
throw new MissingFieldException($"{nameof(_X509Certificate2)} not built. " +
$"Call {nameof(Generate)} first.");
return _X509Certificate2;
}

public Certificate GetCertificateInstance() {
if (_X509Certificate2 is null)
throw new MissingFieldException($"{nameof(_X509Certificate2)} not built. " +
$"Call {nameof(Generate)} first.");
return this;
}

}

Подробнее здесь: https://stackoverflow.com/questions/792 ... y-castle-c

1734403665

Anonymous

Я создаю оболочку для надувного замка, которая генерирует сертификат и может быть подписана другим сертификатом.
Я настроил AuthorityKeyIndentifier и имена его каталогов, чтобы они соответствовали подписи. сертификат. Я также добавил сертификаты от корня вниз по листу, но продолжаю получать ошибку 20 в openssl.
openssl verify -CAfile ROOT.cer -untrusted INTERMEDIATE.cer LEAF.cer
error 20 at 0 depth lookup: unable to get local issuer certificate
error LEAF.cer: verification failed

Вот код, который я использовал для своей оболочки генератора:
using System;
using System.IO;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Utilities;

using Ensign.Cryptography;
using Ensign.Structures.Cryptography;
using Ensign.Structures.X509Certificates;
using System.Buffers.Text;
using System.Runtime.Serialization;

using Ensign.Structures.X509Certificates;

namespace Ensign.X509.Generators;

partial class X509CertificateGenerator : X509CertificateBuilder {
protected List _X509CertificatesChain = new List();
protected Org.BouncyCastle.X509.X509Certificate _X509Certificate;
protected Pkcs12Store _Pkcs12Store;
protected readonly X509V3CertificateGenerator _CertificateGenerator = new X509V3CertificateGenerator();
protected int _KeyUsages = 0;
protected List _ExtendedKeyUsages = new List();

protected SubjectKeyIdentifier _SubjectKeyIdentifier;
protected AuthorityKeyIdentifier _AuthorityKeyIdentifier;

protected Asn1SignatureFactory _SignatureFactory;

public X509CertificateGenerator() { }
public X509CertificateGenerator(Certificate certificate) : base(certificate) { }
}

partial class X509CertificateGenerator : X509CertificateBuilder {
public X509CertificateGenerator AddToCertificateChain(Org.BouncyCastle.X509.X509Certificate x509Certificate) {
_X509CertificatesChain.Add(x509Certificate);
return this;
}
public new X509CertificateGenerator WithKeyPair(KeyPair keyPair) {
base.WithKeyPair(keyPair);
_SignatureFactory = new Asn1SignatureFactory(keyPair.Algorithm, keyPair.Private);
_CertificateGenerator.SetPublicKey(keyPair.Public);
return this;
}

public X509CertificateGenerator WithPublicKey(AsymmetricKeyParameter publicKey) {
_CertificateGenerator.SetPublicKey(publicKey);
return this;
}

public X509CertificateGenerator WithCertificateAuthoritySignature(Org.BouncyCastle.X509.X509Certificate x509Certificate) {
DisallowIssuerReassignment();
Issuer = RelativeDistinguishedName.Parse(x509Certificate.SubjectDN.ToString());

if (_AuthorityKeyIdentifier is not null)
throw new InvalidOperationException($"{nameof(_AuthorityKeyIdentifier)} already set. " +
"There is already a certificate authority signature signed for this certificate.");

// _CertificateGenerator.SetPublicKey(x509Certificate.GetPublicKey());

_AuthorityKeyIdentifier = new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(x509Certificate.GetPublicKey()),
new GeneralNames(new GeneralName(x509Certificate.SubjectDN)),
x509Certificate.SerialNumber
);

_X509CertificatesChain.Add(x509Certificate);

// TODO: accept a X509Name object in RelativeDistinguishedName
return this;
}
}

partial class X509CertificateGenerator : X509CertificateBuilder {

public Org.BouncyCastle.X509.X509Certificate Build() {
if (_X509Certificate is not null)
throw new InvalidOperationException($"{nameof(_X509Certificate)} already built.");
if (Subject is null)
throw new MissingFieldException($"{nameof(Subject)} is missing.  " +
$"Call {nameof(SetSubject)} first.");
if (Issuer is null)
throw new MissingFieldException($"{nameof(Issuer)} is missing. " +
$"Call {nameof(SetIssuer)} first.");
if (SerialNumber is null)
throw new MissingFieldException($"{nameof(SerialNumber)} is missing. " +
$"Call {nameof(SetSerialNumber)} first.");
if (_CipherKeyPair is null)
throw new MissingFieldException($"{nameof(_CipherKeyPair)} is missing. " +
$"Call {nameof(WithKeyPair)} first.");
if (_SignatureFactory is null)
throw new MissingFieldException($"{nameof(_SignatureFactory)} is missing. " +
$"Call {nameof(WithKeyPair)} first.");
if (_Password is null)
throw new MissingFieldException($"{nameof(_Password)} is missing. " +
$"Call {nameof(UsePassword)} first.");
if (_SecureRandom is null)
throw new MissingFieldException($"{nameof(_SecureRandom)} is missing. " +
$"Call {nameof(WithSecureRandom)} first.");
if (_SignatureFactory is null) // NOTE: this code is unreachable
throw new MissingFieldException($"{nameof(_SignatureFactory)} is missing. " +
$"Call {nameof(WithKeyPair)} first.");
if (_KeyUsages == 0)
throw new MissingFieldException($"{nameof(_KeyUsages)} is missing. " +
$"Assign some key usage.");

_SubjectKeyIdentifier = new SubjectKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(PublicKey)
);

_CertificateGenerator.SetSubjectDN(new X509Name(Subject.ToString()));
_CertificateGenerator.SetIssuerDN(new X509Name(Issuer.ToString()));
_CertificateGenerator.SetNotBefore(InvalidBefore);
_CertificateGenerator.SetNotAfter(InvalidAfter);
_CertificateGenerator.SetSerialNumber(SerialNumber);

if (_KeyUsages > 0) { _CertificateGenerator.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(_KeyUsages)); }
if (_ExtendedKeyUsages.Count > 0) {
_CertificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(_ExtendedKeyUsages));
}
_CertificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, _SubjectKeyIdentifier);
_CertificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier.Id, false, _AuthorityKeyIdentifier);

_X509Certificate = _CertificateGenerator.Generate(_SignatureFactory);
_X509CertificatesChain.Add(_X509Certificate);

return _X509Certificate;
}

public X509Certificate2 Generate() {
if (_X509Certificate2 is not null)
throw new InvalidOperationException($"{nameof(_X509Certificate2)} already built.");
if (_X509Certificate is null) // TODO: convert to warning
throw new MissingFieldException($"{nameof(_X509Certificate)} not built. " +
$"Call {nameof(Build)} first.");

// _X509Certificate.CheckValidity(DateTime.Now);
// _X509Certificate.Verify(PublicKey);

_Pkcs12Store = new Pkcs12StoreBuilder().Build();
X509CertificateEntry[] x509CertificateEntries = new X509CertificateEntry[_X509CertificatesChain.Count];
AsymmetricKeyEntry asymmetricKeyEntry = new AsymmetricKeyEntry(_CipherKeyPair.Private);

for (int i = _X509CertificatesChain.Count - 1; i >= 0; i--) {
x509CertificateEntries[i] = new X509CertificateEntry(_X509CertificatesChain[i]);
}

// for (int i = 0; i < _X509CertificatesChain.Count; i++) {
//     x509CertificateEntries[i] = new X509CertificateEntry(_X509CertificatesChain[i]);
// }

_Pkcs12Store.SetKeyEntry(Subject.Name, asymmetricKeyEntry, x509CertificateEntries);

using (MemoryStream memoryStream = new MemoryStream()) {
_Pkcs12Store.Save(memoryStream, _Password.ToCharArray(), _SecureRandom);
_X509Certificate2 = new X509Certificate2(memoryStream.ToArray(), _Password, X509KeyStorageFlags.Exportable);
}
return _X509Certificate2;
}

public Org.BouncyCastle.X509.X509Certificate GetCertificateBuild() {
if (_X509Certificate is null)
throw new MissingFieldException($"{nameof(_X509Certificate)} not built.  " +
$"Call {nameof(Build)} first.");
return _X509Certificate;
}

public X509Certificate2 GetCertificate() {
if (_X509Certificate2 is null)
throw new MissingFieldException($"{nameof(_X509Certificate2)} not built. " +
$"Call {nameof(Generate)} first.");
return _X509Certificate2;
}

public Certificate GetCertificateInstance() {
if (_X509Certificate2 is null)
throw new MissingFieldException($"{nameof(_X509Certificate2)} not built. " +
$"Call {nameof(Generate)} first.");
return this;
}

}
 

Подробнее здесь: [url]https://stackoverflow.com/questions/79286556/establish-certificate-chain-in-bouncy-castle-c[/url]

Ответить Пред. тема След. тема

1 сообщение • Страница 1 из 1

Быстрый ответ

Заголовок:

Имя пользователя:

Изменение регистра текста:

Смайлики

Ещё смайлики…

К этому ответу прикреплено по крайней мере одно вложение.

Если вы не хотите добавлять вложения, оставьте поля пустыми. Можно прикреплять файлы, перетаскивая их в окно сообщения.

Максимально разрешённый размер вложения: 15 МБ.

Имя файла:

Комментарий к файлу:

Имя файла	Комментарий к файлу	Размер	Статус

Похожие темы

Ответы

Просмотры

Последнее сообщение

Java 11: получение «Пустой цепочки сертификатов [клиента]» вместо «Пустой цепочки сертификатов [сервера]»

Последнее сообщение Anonymous « 01 дек 2024, 10:09
Добавлено в форуме JAVA

Anonymous » 01 дек 2024, 10:09 » в форуме JAVA

Я пытаюсь отладить тестовый код Java 11, который использует SSLServerSocket для сервера и SSLSocket для ответа. Основной код работает следующим образом:
server.setNeedClientAuth(false);
need_Client_Auth = server.getNeedClientAuth();
assertFalse(...

0 Ответы

35 Просмотры

Последнее сообщение Anonymous
01 дек 2024, 10:09
Bouncy Castle GeneralName Создание сбоя с «несоответствием типа аргумента» в CFML

Последнее сообщение Anonymous « 05 фев 2025, 08:32
Добавлено в форуме JAVA

Anonymous » 05 фев 2025, 08:32 » в форуме JAVA

Я пытаюсь генерировать запрос на подпись сертификата (CSR), используя Bouncy Castle в CFML/LUCEE. КСО необходимо включать в себя альтернативные имена предметов (SAN) как для имен DNS, так и для IP -адресов. Тем не менее, я получаю ошибку...

0 Ответы

12 Просмотры

Последнее сообщение Anonymous
05 фев 2025, 08:32
Создание Public/Private Pare Pare с помощью Bouncy Castle или .NET RSACRYPTOServiceProvider

Последнее сообщение Anonymous « 24 апр 2025, 05:06
Добавлено в форуме C#

Anonymous » 24 апр 2025, 05:06 » в форуме C#

Итак, я немного испортил с помощью RSAcryptoServiceProvider и Bouncy Castle. />
.net с надувным замком:

private const int RsaKeySize = 4096;
public static AsymmetricCipherKeyPair GetKeyPairWithDotNet()
{
using (RSACryptoServiceProvider rsaProvider...

0 Ответы

9 Просмотры

Последнее сообщение Anonymous
24 апр 2025, 05:06
Создание Public/Private Pare Pare с помощью Bouncy Castle или .NET RSACRYPTOServiceProvider

Последнее сообщение Anonymous « 24 авг 2025, 11:06
Добавлено в форуме C#

Anonymous » 24 авг 2025, 11:06 » в форуме C#

Итак, я немного испортил с помощью RSAcryptoServiceProvider и Bouncy Castle. />
.net с надувным замком:

private const int RsaKeySize = 4096;
public static AsymmetricCipherKeyPair GetKeyPairWithDotNet()
{
using (RSACryptoServiceProvider rsaProvider...

0 Ответы

1 Просмотры

Последнее сообщение Anonymous
24 авг 2025, 11:06
Проверка подписи без подписанных атрибутов с помощью Bouncy Castle 1.70

Последнее сообщение Гость « 25 сен 2023, 09:04
Добавлено в форуме JAVA

Гость » 25 сен 2023, 09:04 » в форуме JAVA

Я начал работать над проектом, в котором мы используем Bouncy Castle для проверки цифровых подписей, и наткнулся на ошибку. Это метод проверки: `

private SetverifySignature(PDSignature sig, X509Certificate SignerCertificate, SignerInformation...

0 Ответы

28 Просмотры

Последнее сообщение Гость
25 сен 2023, 09:04

Вернуться в «C#»