using System; using System.Collections; using System.IO; using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto.Operators; using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Math; using Org.BouncyCastle.Security; using Org.BouncyCastle.Security.Certificates; using Org.BouncyCastle.X509.Extension; namespace Org.BouncyCastle.X509 { ///

/// A class to Generate Version 3 X509Certificates. ///

public class X509V3CertificateGenerator { private readonly X509ExtensionsGenerator extGenerator = new X509ExtensionsGenerator(); private V3TbsCertificateGenerator tbsGen; private DerObjectIdentifier sigOid; private AlgorithmIdentifier sigAlgId; private string signatureAlgorithm; public X509V3CertificateGenerator() { tbsGen = new V3TbsCertificateGenerator(); } ///

/// Reset the Generator. ///

public void Reset() { tbsGen = new V3TbsCertificateGenerator(); extGenerator.Reset(); } ///

/// Set the certificate's serial number. ///

/// Make serial numbers long, if you have no serial number policy make sure the number is at least 16 bytes of secure random data. /// You will be surprised how ugly a serial number collision can Get. /// The serial number. public void SetSerialNumber( BigInteger serialNumber) { if (serialNumber.SignValue <= 0) { throw new ArgumentException("serial number must be a positive integer", "serialNumber"); } tbsGen.SetSerialNumber(new DerInteger(serialNumber)); } ///

/// Set the distinguished name of the issuer. /// The issuer is the entity which is signing the certificate. ///

/// The issuer's DN. public void SetIssuerDN( X509Name issuer) { tbsGen.SetIssuer(issuer); } ///

/// Set the date that this certificate is to be valid from. ///

/// public void SetNotBefore( DateTime date) { tbsGen.SetStartDate(new Time(date)); } ///

/// Set the date after which this certificate will no longer be valid. ///

/// public void SetNotAfter( DateTime date) { tbsGen.SetEndDate(new Time(date)); } ///

/// Set the DN of the entity that this certificate is about. ///

/// public void SetSubjectDN( X509Name subject) { tbsGen.SetSubject(subject); } ///

/// Set the public key that this certificate identifies. ///

/// public void SetPublicKey( AsymmetricKeyParameter publicKey) { tbsGen.SetSubjectPublicKeyInfo(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey)); } ///

/// Set the signature algorithm that will be used to sign this certificate. ///

/// [Obsolete("Not needed if Generate used with an ISignatureCalculator")] public void SetSignatureAlgorithm( string signatureAlgorithm) { this.signatureAlgorithm = signatureAlgorithm; try { sigOid = X509Utilities.GetAlgorithmOid(signatureAlgorithm); } catch (Exception) { throw new ArgumentException("Unknown signature type requested: " + signatureAlgorithm); } sigAlgId = X509Utilities.GetSigAlgID(sigOid, signatureAlgorithm); tbsGen.SetSignature(sigAlgId); } ///

/// Set the subject unique ID - note: it is very rare that it is correct to do this. ///

/// public void SetSubjectUniqueID( bool[] uniqueID) { tbsGen.SetSubjectUniqueID(booleanToBitString(uniqueID)); } ///

/// Set the issuer unique ID - note: it is very rare that it is correct to do this. ///

/// public void SetIssuerUniqueID( bool[] uniqueID) { tbsGen.SetIssuerUniqueID(booleanToBitString(uniqueID)); } private DerBitString booleanToBitString( bool[] id) { byte[] bytes = new byte[(id.Length + 7) / 8]; for (int i = 0; i != id.Length; i++) { if (id[i]) { bytes[i / 8] |= (byte)(1 << ((7 - (i % 8)))); } } int pad = id.Length % 8; if (pad == 0) { return new DerBitString(bytes); } return new DerBitString(bytes, 8 - pad); } ///

/// Add a given extension field for the standard extensions tag (tag 3). ///

/// string containing a dotted decimal Object Identifier. /// Is it critical. /// The value. public void AddExtension( string oid, bool critical, Asn1Encodable extensionValue) { extGenerator.AddExtension(new DerObjectIdentifier(oid), critical, extensionValue); } ///

/// Add an extension to this certificate. ///

/// Its Object Identifier. /// Is it critical. /// The value. public void AddExtension( DerObjectIdentifier oid, bool critical, Asn1Encodable extensionValue) { extGenerator.AddExtension(oid, critical, extensionValue); } ///

/// Add an extension using a string with a dotted decimal OID. ///

/// string containing a dotted decimal Object Identifier. /// Is it critical. /// byte[] containing the value of this extension. public void AddExtension( string oid, bool critical, byte[] extensionValue) { extGenerator.AddExtension(new DerObjectIdentifier(oid), critical, new DerOctetString(extensionValue)); } ///

/// Add an extension to this certificate. ///

/// Its Object Identifier. /// Is it critical. /// byte[] containing the value of this extension. public void AddExtension( DerObjectIdentifier oid, bool critical, byte[] extensionValue) { extGenerator.AddExtension(oid, critical, new DerOctetString(extensionValue)); } ///

/// Add a given extension field for the standard extensions tag (tag 3), /// copying the extension value from another certificate. ///

public void CopyAndAddExtension( string oid, bool critical, X509Certificate cert) { CopyAndAddExtension(new DerObjectIdentifier(oid), critical, cert); } /** * add a given extension field for the standard extensions tag (tag 3) * copying the extension value from another certificate. * @throws CertificateParsingException if the extension cannot be extracted. */ public void CopyAndAddExtension( DerObjectIdentifier oid, bool critical, X509Certificate cert) { Asn1OctetString extValue = cert.GetExtensionValue(oid); if (extValue == null) { throw new CertificateParsingException("extension " + oid + " not present"); } try { Asn1Encodable value = X509ExtensionUtilities.FromExtensionValue(extValue); this.AddExtension(oid, critical, value); } catch (Exception e) { throw new CertificateParsingException(e.Message, e); } } ///

/// Generate an X509Certificate. ///

/// The private key of the issuer that is signing this certificate. /// An X509Certificate. [Obsolete("Use Generate with an ISignatureCalculator")] public X509Certificate Generate( AsymmetricKeyParameter privateKey) { return Generate(privateKey, null); } ///

/// Generate an X509Certificate using your own SecureRandom. ///

/// The private key of the issuer that is signing this certificate. /// You Secure Random instance. /// An X509Certificate. [Obsolete("Use Generate with an ISignatureCalculator")] public X509Certificate Generate( AsymmetricKeyParameter privateKey, SecureRandom random) { return Generate(new Asn1SignatureCalculator(signatureAlgorithm, privateKey, random)); } ///

/// Generate a new X509Certificate using the passed in SignatureCalculator. ///

/// A signature calculator with the necessary algorithm details. /// An X509Certificate. public X509Certificate Generate(ISignatureCalculator signatureCalculator) { tbsGen.SetSignature ((AlgorithmIdentifier)signatureCalculator.AlgorithmDetails); if (!extGenerator.IsEmpty) { tbsGen.SetExtensions(extGenerator.Generate()); } TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate(); IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator(); byte[] encoded = tbsCert.GetDerEncoded(); streamCalculator.Stream.Write (encoded, 0, encoded.Length); streamCalculator.Stream.Close (); return GenerateJcaObject(tbsCert, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails, ((IBlockResult)streamCalculator.GetResult()).Collect()); } private X509Certificate GenerateJcaObject( TbsCertificateStructure tbsCert, AlgorithmIdentifier sigAlg, byte[] signature) { return new X509Certificate( new X509CertificateStructure(tbsCert, sigAlg, new DerBitString(signature))); } ///

/// Allows enumeration of the signature names supported by the generator. ///

public IEnumerable SignatureAlgNames { get { return X509Utilities.GetAlgNames(); } } } }