Generating Certificate Policies Extension In C# Using Mono Security API


I would appreciate any advice on an issue that has been driving me crazy; I cannot find any documentation on it. I am trying to generate a self-signed root certificate in C# using the Mono Security API that meets a set of requirements (RSA 2048, SHA256, etc.). I have been able to generate a certificate that meets all of these requirements but one.

I am trying to add a CertificatePoliciesExtension. These extensions are formatted as follows in X.509 certs:

    [4]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [some policy OID]
      [PolicyQualifierInfo: [
        qualifierID: qualifier OID
        qualifier: ASCII encoded byte stream
      ]]  ]
    ]

My code is below:

    private void GenerateRootCertMono(RSACryptoServiceProvider rsa, byte[] serialNumber, string password)
    {
        // default values
        string subject = "CN=Company Name";
        string issuer = "CN=Company Name";
        DateTime notBefore = DateTime.Now;
        DateTime notAfter = new DateTime(643445675990000000); // 12/31/2039 23:59:59Z

        X509CertificateBuilder cb = new X509CertificateBuilder(3);
        cb.SerialNumber = serialNumber;
        cb.IssuerName = issuer;
        cb.NotBefore = notBefore;
        cb.NotAfter = notAfter;
        cb.SubjectName = subject;
        cb.SubjectPublicKey = rsa;

        // extensions
        BasicConstraintsExtension bce = new BasicConstraintsExtension();
        bce.CertificateAuthority = true;
        cb.Extensions.Add(bce);

        KeyUsageExtension kue = new KeyUsageExtension();
        kue.KeyUsage = KeyUsages.digitalSignature;

        KeyUsageExtension kue1 = new KeyUsageExtension();
        kue1.KeyUsage = KeyUsages.keyCertSign;

        // my failed attempt to generate a simple certificate policy extension
        ASN1 a = new ASN1();
        a.Add(ASN1Convert.FromOid("2.5.29.32"));
        a.Add(ASN1Convert.FromOid("some oid"));
        a.Add(new ASN1(System.Text.Encoding.ASCII.GetBytes("some text")));
        CertificatePoliciesExtension pce = new CertificatePoliciesExtension(a);

        cb.Extensions.Add(pce);
        cb.Extensions.Add(kue);
        cb.Extensions.Add(kue1);

        // signature
        cb.Hash = "SHA256";
        byte[] rawCert = cb.Sign(rsa);
        X509Certificate2 pfx = new X509Certificate2(rawCert);
        pfx.PrivateKey = rsa;
        this.pfx = pfx.Export(X509ContentType.Pkcs12, password);
        return;
    }

I know generating these extensions is possible because I have seen them in other certificates. Does anyone have experience or advice? I am flexible on the API: if anyone knows how to generate these extensions using MSCAPI in C#, for example, that is an acceptable solution. Thanks in advance for any help.
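As an added illustration (not code from the question or the answer), the following Python builds the DER bytes that the dump above renders: RFC 5280's certificatePolicies extension is a SEQUENCE of PolicyInformation, each holding a policy OID plus an optional SEQUENCE of PolicyQualifierInfo, rather than one flat list of OID, OID and text. The policy OID 1.2.3.4 and the notice text are placeholders; only the standard library is used.

```python
# Added example (not from the post): DER for an X.509 certificatePolicies extension (RFC 5280 4.2.1.4).
OID_CERTIFICATE_POLICIES = "2.5.29.32"
OID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # qualifier type id-qt-unotice (UserNotice)

def der_length(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One DER TLV: tag octet, length octets, contents."""
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def user_notice(text):
    """UserNotice ::= SEQUENCE { explicitText DisplayText }, here as UTF8String."""
    return tlv(0x30, tlv(0x0C, text.encode("utf-8")))

def policy_information(policy_oid, qualifiers):
    """PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL };
    qualifiers is a list of (qualifier-type OID, encoded qualifier) pairs."""
    body = encode_oid(policy_oid)
    if qualifiers:  # PolicyQualifierInfo ::= SEQUENCE { policyQualifierId, qualifier }
        body += tlv(0x30, b"".join(tlv(0x30, encode_oid(q) + v) for q, v in qualifiers))
    return tlv(0x30, body)

def certificate_policies_extension(policies, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING };
    the OCTET STRING wraps certificatePolicies ::= SEQUENCE OF PolicyInformation."""
    value = tlv(0x30, b"".join(policy_information(o, q) for o, q in policies))
    critical_der = tlv(0x01, b"\xff") if critical else b""  # DER omits DEFAULT values
    return tlv(0x30, encode_oid(OID_CERTIFICATE_POLICIES) + critical_der + tlv(0x04, value))

# Constructed sample: placeholder policy OID 1.2.3.4 carrying one UserNotice qualifier.
SAMPLE = certificate_policies_extension([("1.2.3.4", [(OID_QT_UNOTICE, user_notice("Policy notice"))])])
```

Feeding SAMPLE to any ASN.1 dumper (e.g. openssl asn1parse -inform DER) shows the same nesting as the dump above.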

After scouring multiple sources I was able to solve the problem by switching from Mono to Microsoft's CertEnroll.dll. The code for generating a self-signed certificate with certificate policy extensions is below. I hope this helps anyone having similar problems.

The code is based off of the following reference: http://technet.microsoft.com/en-us/library/ff182332(v=ws.10).aspx.

    public X509Certificate2 CreateSelfSignedCert(string subject, string password, DateTime expDate)
    {
        // create DN for subject and issuer
        var dn = new CX500DistinguishedName();
        // dn.Encode("CN=" + subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);
        dn.Encode(subject, X500NameFlags.XCN_CERT_NAME_STR_NONE);

        // create a new private key for the certificate
        CX509PrivateKey privateKey = new CX509PrivateKey();
        privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
        privateKey.MachineContext = true;
        privateKey.Length = 2048;
        privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
        privateKey.ExportPolicy
            = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
        privateKey.Create();

        // use the SHA256 hashing algorithm
        var hashObj = new CObjectId();
        hashObj.InitializeFromAlgorithmName(
            ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
            ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
            AlgorithmFlags.AlgorithmFlagsNone,
            "SHA256");

        // create the self-signing request
        var cert = new CX509CertificateRequestCertificate();
        cert.InitializeFromPrivateKey(
            X509CertificateEnrollmentContext.ContextMachine,
            privateKey,
            string.Empty);

        cert.Subject = dn;
        cert.Issuer = dn; // issuer and subject are the same
        cert.NotBefore = DateTime.Now;
        cert.NotAfter = expDate;
        cert.HashAlgorithm = hashObj;

        // extensions

        CX509ExtensionKeyUsage ku = new CX509ExtensionKeyUsage();
        ku.InitializeEncode(CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_KEY_CERT_SIGN_KEY_USAGE
            | CERTENROLLLib.X509KeyUsageFlags.XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE);
        ku.Critical = true;
        cert.X509Extensions.Add((CX509Extension)ku);

        CX509ExtensionBasicConstraints bc = new CX509ExtensionBasicConstraints();
        bc.InitializeEncode(true, 0);
        bc.Critical = false;
        cert.X509Extensions.Add((CX509Extension)bc);

        // add the certificate policy
        CObjectId cpOid = new CObjectId();
        cpOid.InitializeFromValue("some oid");
        CCertificatePolicy cp = new CCertificatePolicy();
        CPolicyQualifier qualifier = new CPolicyQualifier();
        qualifier.InitializeEncode("policy notice", PolicyQualifierType.PolicyQualifierTypeUserNotice);
        cp.Initialize(cpOid);
        cp.PolicyQualifiers.Add(qualifier);
        CCertificatePolicies cps = new CCertificatePolicies();
        cps.Add(cp);
        CX509ExtensionCertificatePolicies cpExt = new CX509ExtensionCertificatePolicies();
        cpExt.InitializeEncode(cps);
        cert.X509Extensions.Add((CX509Extension)cpExt);

        // final enrollment process
        var enroll = new CX509Enrollment();
        enroll.InitializeFromRequest(cert); // load the certificate
        string csr = enroll.CreateRequest(); // output the request in base64
        // and install the response
        enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
            csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
        // output the base64-encoded PKCS#12 that we can import into the .NET security classes
        var base64Encoded = enroll.CreatePFX("", PFXExportOptions.PFXExportChainWithRoot);

        // instantiate the target class with the PKCS#12 data (and an empty password)
        return new System.Security.Cryptography.X509Certificates.X509Certificate2(
            System.Convert.FromBase64String(base64Encoded), "",
            // mark the private key as exportable
            System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable
        );
    }
