Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I generate a self-signed cert without using obsolete BouncyCastle 1.7.0 code?

I have the following code which generates a nice self-signed cert, works great, but I'd like to update to the latest BouncyCastle (1.8.1.0) and I'm getting warnings about obsolete usage:

var persistedCertificateFilename = "ClientCertificate.pfx";
if (!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["PersistedCertificateFilename"])) { persistedCertificateFilename = ConfigurationManager.AppSettings["PersistedCertificateFilename"].Trim(); }
if (persistCertificateToDisk)
{
    if (File.Exists(persistedCertificateFilename))
    {
        var certBytes = File.ReadAllBytes(persistedCertificateFilename);
                this.clientCertificate = new X509Certificate2(certBytes, (string) null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
    }
}

if (this.clientCertificate == null)
{
    // Initialize the new secure keys
    KeyGenerator keyGenerator = KeyGenerator.Create();
    KeyPair keyPair = keyGenerator.GenerateKeyPair();
    this.privateKey = keyPair.ToEncryptedPrivateKeyString(privateKeySecret);
    this.publicKey = keyPair.ToPublicKeyString();

    // Client certificate permissions
    var certificatePermissions = new ArrayList()
    {
         KeyPurposeID.IdKPCodeSigning,
         KeyPurposeID.IdKPServerAuth,
         KeyPurposeID.IdKPTimeStamping,
         KeyPurposeID.IdKPOcspSigning,
         KeyPurposeID.IdKPClientAuth
    };

    // Initialize the certificate generation
    var certificateGenerator = new X509V3CertificateGenerator();
    BigInteger serialNo = BigInteger.ProbablePrime(128, new Random());
    certificateGenerator.SetSerialNumber(serialNo);
    certificateGenerator.SetSubjectDN(GetLicenseeDN());
    certificateGenerator.SetIssuerDN(GetLicencerDN());
    certificateGenerator.SetNotAfter(DateTime.Now.AddYears(100));
    certificateGenerator.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
    //ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", keyPair.PrivateKey); // ??
    certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
    certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(certificatePermissions));
    var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.PublicKey));
    certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
    certificateGenerator.SetPublicKey(keyPair.PublicKey);
    var result = certificateGenerator.Generate(keyPair.PrivateKey);
    var secure = new SecureString();
    foreach (char c in privateKeySecret)
    {
        secure.AppendChar(c);
    }

    X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;
    if (persistCertificateToDisk) { flags |= X509KeyStorageFlags.Exportable; flags |= X509KeyStorageFlags.PersistKeySet; }
    this.clientCertificate = new X509Certificate2(Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(result).Export(X509ContentType.Cert), secure, flags);

    // This section allows us to use this certificate on Azure (no file access required)
    CspParameters cspParams;
    const int PROVIDER_RSA_FULL = 1;
    cspParams = new CspParameters(PROVIDER_RSA_FULL);
    cspParams.KeyContainerName = new Guid().ToString();
    cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
    cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
    var rule = new CryptoKeyAccessRule("everyone", CryptoKeyRights.FullControl, AccessControlType.Allow);
    cspParams.CryptoKeySecurity = new CryptoKeySecurity();
    cspParams.CryptoKeySecurity.SetAccessRule(rule);

    // Set the private key
    var tempRcsp = (RSACryptoServiceProvider) Org.BouncyCastle.Security.DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters) keyPair.PrivateKey);
    var rcsp = new RSACryptoServiceProvider(cspParams);
    rcsp.ImportCspBlob(tempRcsp.ExportCspBlob(true));
    this.clientCertificate.PrivateKey = rcsp;

    if (persistCertificateToDisk)
    {
        if (!File.Exists(persistedCertificateFilename))
        {
            File.WriteAllBytes(persistedCertificateFilename, this.clientCertificate.Export(X509ContentType.Pkcs12, (string) null));
        }
    }
}

Specifically, the warnings are:

'X509V3CertificateGenerator.SetSignatureAlgorithm(string)' is obsolete: 'Not needed if Generate used with an ISignatureFactory'

and

'X509V3CertificateGenerator.Generate(AsymmetricKeyParameter)' is obsolete: 'Use Generate with an ISignatureFactory'

So, my questions are:

  1. Do I need to worry about these warnings?
  2. If so, what lines change?
  3. If I do update this code, is there a performance benefit?

Note: If any one is curious, the reason I'm persisting this to disk is that this code created a cert every time the client was instantiated, and this was particularly harsh due to the min key size being 2048 and the performance of 1.7.0.

like image 880
djbyter Avatar asked Apr 29 '16 15:04

djbyter


1 Answers

I struggled with this for some time, too. I finally have a solution for this. Let's take one of the errors:

'X509V3CertificateGenerator.Generate(AsymmetricKeyParameter)' is obsolete: 'Use Generate with an ISignatureFactory'

You are basically using (i was doing the same thing) the Generate method like this:

var certificate = certificateGenerator.Generate(issuerCertificate.PrivateKey, random);

where certificateGenerator is instance of class CertificateContainer Error says that: 'Use Generate with an ISignatureFactory'
So for this let us create first an instance to ISignatureFactory.

ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);

And for this to work correctly before this you should also declare the followings:

var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
AsymmetricCipherKeyPair subjectKeyPair = default(AsymmetricCipherKeyPair);
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);

keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;

And now after these changes, change the method Generate from:

var certificate = certificateGenerator.Generate(issuerCertificate.PrivateKey, random);

to:

var certificate = certificateGenerator.Generate(signatureFactory);

I hope it helps.

like image 157
drgmak Avatar answered Nov 17 '22 04:11

drgmak