.NET编程登录PKCS＃10请求与充气城堡 [英] .Net Programmatically Sign PKCS#10 Request with Bouncy Castle

问题描述

我们有一个有效的PKCS＃10上使用CertEnroll客户端生成的证书请求。

We have a valid PKCS#10 Certificate Request generated on the Client using CertEnroll.

现在，我们需要签字，并将结果返回给客户端，其中CertEnroll将处理本地证书存储的东西。

Now we need to sign it and return the result to the Client, where CertEnroll will handle the local Certificate Store stuff.

这是一个B2B的应用程序和根签名证书将是自生成的，或者我们可以利用我们现有的Thawte的SSL证书。

This is a B2B application and the root signing certificate will be self-generated or we can use our existing Thawte SSL cert.

服务器（2008）没有Active Directory的运行，我们不想为此创建一个独立的签名基础设施/服务，除非绝对必要的。没有必要撤销等 - 我们希望以编程方式做到这一点。

The Server (2008) does not have Active Directory running and we don't want to create a stand-alone signing infrastructure/service for this unless absolutely necessary. There is no need for revocation etc. - we want to do it programmatically.

我会很乐意使用BouncyCastle的图书馆但是C＃的lib缺乏任何有意义的文件，虽然原始的Java文档是无可否认的类似C＃实现足够的不同已经给我留下了不小的困惑了。

I would be happy to use the BouncyCastle Library however the C# lib lacks any meaningful documentation and while the original Java docs are admittedly similar the C# implementation is different enough to have left me more than a little confused.

是任何人都知道的（或有）C＃示例（或VB）代码或已知relaible链接一样，采用BouncyCastle的或为此事本地.NET类？

Is anyone aware of (or have) sample C# (or VB) code or a known-relaible link to same, using BouncyCastle or for that matter the native .Net classes ?

在收到这件事情做任何援助将不胜感激！

Any assistance in getting this thing done would be greatly appreciated!

推荐答案

这证明是一个有趣的练习，至少可以说： - ）

This proved an interesting exercise to say the least :-)

我们同时使用BouncyCastle的和.Net证书对象。该解决方案还拥有！多！改进的空间，但它事实上的工作。

We used both BouncyCastle and the .Net certificate objects. The solution still has !much! room for improvement, but it does in fact work.

它（证书代）的胆量如下。当我们到达这里的CSR已经在客户端上生成的，当我们离开所产生的证书是由客户端代码安装（请参阅this用于客户端运作博客。）

The guts of it (Cert Gen) are below. When we get here the CSR has already been generated on the client and and when we leave the resulting certificate is installed by Client-side code (see this blog for client-side workings.)

再次我不提供这种作为成品，但希望一些价值给那些面临相同的任务。快乐加密： - ）

Again, I am not offering this as a Finished Product but hopefully of some value to those facing the same task. Happy Encrypting :-)

        // Jul 10, 2012 see
        // http://social.technet.microsoft.com/Forums/en-NZ/winserversecurity/thread/45781b46-3eb7-4715-b877-883bf0dc2ae7
        // instaed of CX509CertificateRequestPkcs10 csr = new CX509CertificateRequestPkcs10(); use:
        IX509CertificateRequestPkcs10 csr = (IX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10"));
        csr.InitializeDecode(csrText, EncodingType.XCN_CRYPT_STRING_BASE64);
        csr.CheckSignature(Pkcs10AllowedSignatureTypes.AllowedKeySignature);

        //get Bouncy CSRInfo Object
        Trace.Write("get Bouncy CSRInfo Object");
        Byte[] csrBytes = Convert.FromBase64String(csrText);
        CertificationRequestInfo csrInfo = CertificateTools.GetCsrInfo(csrBytes);
        SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo;

        //pub key for the signed cert
        Trace.Write("pub key for the signed cert");
        AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki);

        // Build a Version1 (No Extensions) Certificate
        DateTime startDate = DateTime.Now;
        DateTime expiryDate = startDate.AddYears(100);
        BigInteger serialNumber = new BigInteger(32, new Random());

        Trace.Write("Build a Version1 (No Extensions) Certificate");
        X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
        string signerCN = ConfigurationManager.AppSettings["signerCN"].ToString();
        X509Name dnName = new X509Name(String.Format("CN={0}", signerCN));
        X509Name cName = new X509Name(csr.Subject.Name);
        certGen.SetSerialNumber(serialNumber);
        certGen.SetIssuerDN(dnName);
        certGen.SetNotBefore(startDate);
        certGen.SetNotAfter(expiryDate);
        certGen.SetSubjectDN(cName);
        certGen.SetSignatureAlgorithm("SHA1withRSA");
        certGen.SetPublicKey(publicKey);

        //get our Private Key to Sign with
        Trace.Write("get our Private Key to Sign with");
        X509Store store = new X509Store(StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        string signerThumbprint = ConfigurationManager.AppSettings["signerThumbprint"].ToString();
        X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
        X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, signerThumbprint, false);
        X509Certificate2 caCert = fcollection[0];

        Trace.Write("Found:" + caCert.FriendlyName);
        Trace.Write("Has Private " + caCert.HasPrivateKey.ToString());
        Trace.Write("Key Size " + caCert.PrivateKey.KeySize.ToString());

        //Get our Signing Key as a Bouncy object
        Trace.Write("Get our Signing Key as a Bouncy object from key ");
        AsymmetricCipherKeyPair caPair = DotNetUtilities.GetKeyPair(caCert.PrivateKey);

        //gen BouncyCastle object
        Trace.Write("gen BouncyCastle object");
        Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(caPair.Private);

        //convert to windows type 2 and get Base64 String
        Trace.Write("convert to windows type 2 and get Base64 String");
        X509Certificate2 cert2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(cert));
        byte[] encoded = cert2.GetRawCertData();
        string certOutString = Convert.ToBase64String(encoded);

        //output to the page (hidden)
        Certificate.Value = certOutString;

这篇关于.NET编程登录PKCS＃10请求与充气城堡的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！