I have been following the Oauth2 Service account documentation on Googles website. I have also been picking apart Googles .net client libray trying to get this to work.
I have reached the Computing the signature stage.
The privacy key from Google looks like this
-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDcmuyQC8rwWdPQ\nmIdksgzSJbVWTU5MeUxy+HAap3yut9wR/L6KGMJ4FBYcsPmXN5gQAhErybavGoZG\nfS1X1/PCpPVpTCA4749K8gbvuZg1JEIAqMtmHiBBrJj5l8eiekQc8pd7Pq35H4wi\nJYXAJGwggPcttkLBRi0xZzd+jdwL1st+7zRt8nMao/xFibInBBvKwb/gP4mJxlQg\nnRdGO6zgMk+PLTcA5C+gFyPA4SdkylrLib5CJO9123FgcfTJZJTukeHo1v0EfU+4\n3bK8HBZnOFa4DHH4mXhkhgYMjibv4Sr/WCEoomJJwNN04SbUEdyhgpM2rZ3cvx+4\nsmB0SQflAgMBAAECggEAXZ100+/dL7++zh9cHVQdcrRDzprBplw3H/bjg7wdgftN\n7Wgm5214YQKNG6HSWORjqC9oX/+agZYs8w69xjBDJg9ggU2nwuGOGky4utQ0jiCT\nzbnTjsMsBxKaXBiXxBBEhVBBDjDcHQLRMdBggNgz9lskCYb1rxT7qqJVf2PtxCuZ\nuxw3whLMRHXvKosER12sMQgGB/0+Nk86GWCqPigpfu7Ec92V0ffcSUaq3gjIUD54\n67TduTWaRDQNB+j2yQsWQZnqRv+TvIXOjinAI+pPbvCUovtiTSZAoz3EalsiXQ0l\nUqDVx26uzEJqhB2kzvAeApuW2Nd5EPxUnf48c4xh4QKBgQDw01mEChWyENV5CBKU\nMSfY0rpAPtq7ahHRR458ZKtITDBlqiZLMjydI65Rr1XxpQ3pJZALObMdUhbvCDfm\nu4BY/lCCt+hcdt9IICvVZsgXgvb6M+Fj2IbYZcAnOm4T1Z1D3I+pW5NdK2ALQRiK\nWsGINOqWCB9WRd7nhmb/XwWyjQKBgQDqgWht5laDuLMc4qpj9finY4qmk57eT3KG\npzbVlT3h7kv7j/j6e+6o9psrqdf1PXpu9XZi3bPtPbH1fX9x5pZgJQRMP4FGOURY\nQDkJfiOOSN/8Vl0senqkscT7DSbe2BqyqQlSlTB4BBF29p1wxb5Wz5HH2BvYE2zI\ni9B4WJcAuQKBgADnajCasRYoBgUcSKWRwaqIr/ZJxhxp+4Mjl59T6WiuEIhxKQ+j\nMqMMXT0lQVdU3UaAw5enMcrsYfWnvD37ejHbUoYLFq4yLAhjRobYieu8rByoUTJE\nv8zUJPKAv6UHaj20+D0UgOsanJOuPN9YE93lBPRnN2blgD6yPHS88JKJAoGABFyh\n16F4LH0L/9aLes6BcIOeeZi3VMU/iRelInXjL8eh7CzyYZ5agxQLMNW46ZvaIiQ4\nroAXL6t9GubZrwGt/F3T5aMswWShS87uAKoy+RuL5wKoOwKQM24HDvBgr7ZvULFq\nNfoGa8UPmhneNdHHx4+W05PGeM9rr5NCLmrfbCkCgYA0nMvEDIJvU3KA3S1cQ3fs\nVopRJwqRIFFL1cHTWaEyIsxEh6i/zAUc/habK82dN3/ZDn/XvWY14k7VZPsSdDC9\noVlQj2z8DVO2K99Oxyh0VlthtecW8exjzkIPJL4srOSl/dooQZS/7ZZyaRQU/BLI\nMdzKHlUKKXWcUU+Ko8W4+w\u003d\u003d\n-----END PRIVATE KEY-----\n
Clean up key
First I clean up the key a bit
private const string PrivateKeyPrefix = "-----BEGIN PRIVATE KEY-----";
private const string PrivateKeySuffix = "-----END PRIVATE KEY-----";
/// <summary>Converts the PKCS8 private key to RSA parameters. This method uses the Bouncy Castle library.</summary>
private static RSAParameters ConvertPKCS8ToRSAParameters(string pkcs8PrivateKey)
{
var base64PrivateKey = pkcs8PrivateKey.Replace(PrivateKeyPrefix, "").Replace("\r\n", "").Replace(PrivateKeySuffix, "");
var privateKeyBytes = Convert.FromBase64String(base64PrivateKey);
RsaPrivateCrtKeyParameters crtParameters = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(privateKeyBytes);
return DotNetUtilities.ToRSAParameters(crtParameters);
}
Import Parameters
RSAParameters rsaParameters = ConvertPKCS8ToRSAParameters(results.private_key);
RSACryptoServiceProvider key = new RSACryptoServiceProvider();
key.ImportParameters(rsaParameters);
Error
'System.Security.Cryptography.CryptographicException' occurred in
mscorlib.dll
Additional information: Bad Data.
My ideas
the dp value seams to be off everything I have read says it should be 128 bytes not 127.
Note:
I am not using the p12. file I am using the Json service account file. Answers using the X509Certificate2 and the p12 key file will not help.
{
"private_key_id": "xxxxxx",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDcmuyQC8rwWdPQ\nmIdksgzSJbVWTU5MeUxy+HAap3yut9wR/L6KGMJ4FBYcsPmXN5gQAhErybavGoZG\nfS1X1/PCpPVpTCA4749K8gbvuZg1JEIAqMtmHiBBrJj5l8eiekQc8pd7Pq35H4wi\nJYXAJGwggPcttkLBRi0xZzd+jdwL1st+7zRt8nMao/xFibInBBvKwb/gP4mJxlQg\nnRdGO6zgMk+PLTcA5C+gFyPA4SdkylrLib5CJO9123FgcfTJZJTukeHo1v0EfU+4\n3bK8HBZnOFa4DHH4mXhkhgYMjibv4Sr/WCEoomJJwNN04SbUEdyhgpM2rZ3cvx+4\nsmB0SQflAgMBAAECggEAXZ100+/dL7++zh9cHVQdcrRDzprBplw3H/bjg7wdgftN\n7Wgm5214YQKNG6HSWORjqC9oX/+agZYs8w69xjBDJg9ggU2nwuGOGky4utQ0jiCT\nzbnTjsMsBxKaXBiXxBBEhVBBDjDcHQLRMdBggNgz9lskCYb1rxT7qqJVf2PtxCuZ\nuxw3whLMRHXvKosER12sMQgGB/0+Nk86GWCqPigpfu7Ec92V0ffcSUaq3gjIUD54\n67TduTWaRDQNB+j2yQsWQZnqRv+TvIXOjinAI+pPbvCUovtiTSZAoz3EalsiXQ0l\nUqDVx26uzEJqhB2kzvAeApuW2Nd5EPxUnf48c4xh4QKBgQDw01mEChWyENV5CBKU\nMSfY0rpAPtq7ahHRR458ZKtITDBlqiZLMjydI65Rr1XxpQ3pJZALObMdUhbvCDfm\nu4BY/lCCt+hcdt9IICvVZsgXgvb6M+Fj2IbYZcAnOm4T1Z1D3I+pW5NdK2ALQRiK\nWsGINOqWCB9WRd7nhmb/XwWyjQKBgQDqgWht5laDuLMc4qpj9finY4qmk57eT3KG\npzbVlT3h7kv7j/j6e+6o9psrqdf1PXpu9XZi3bPtPbH1fX9x5pZgJQRMP4FGOURY\nQDkJfiOOSN/8Vl0senqkscT7DSbe2BqyqQlSlTB4BBF29p1wxb5Wz5HH2BvYE2zI\ni9B4WJcAuQKBgADnajCasRYoBgUcSKWRwaqIr/ZJxhxp+4Mjl59T6WiuEIhxKQ+j\nMqMMXT0lQVdU3UaAw5enMcrsYfWnvD37ejHbUoYLFq4yLAhjRobYieu8rByoUTJE\nv8zUJPKAv6UHaj20+D0UgOsanJOuPN9YE93lBPRnN2blgD6yPHS88JKJAoGABFyh\n16F4LH0L/9aLes6BcIOeeZi3VMU/iRelInXjL8eh7CzyYZ5agxQLMNW46ZvaIiQ4\nroAXL6t9GubZrwGt/F3T5aMswWShS87uAKoy+RuL5wKoOwKQM24HDvBgr7ZvULFq\nNfoGa8UPmhneNdHHx4+W05PGeM9rr5NCLmrfbCkCgYA0nMvEDIJvU3KA3S1cQ3fs\nVopRJwqRIFFL1cHTWaEyIsxEh6i/zAUc/habK82dN3/ZDn/XvWY14k7VZPsSdDC9\noVlQj2z8DVO2K99Oxyh0VlthtecW8exjzkIPJL4srOSl/dooQZS/7ZZyaRQU/BLI\nMdzKHlUKKXWcUU+Ko8W4+w\u003d\u003d\n-----END PRIVATE KEY-----\n",
"client_email": "dddddd-2a1f881e7rabfkt2eb1p84aisg30pedg#developer.gserviceaccount.com",
"client_id": "ddddd-2a1f881e7rabfkt2eb1p84aisg30pedg.apps.googleusercontent.com",
"type": "service_account"
}
Just realised how long ago this was reported. I presume you found an answer or gave up.
Your code now works - I tried this on BouncyCastle 1.8.1 and it works, it fails on 1.7.0.
Code used:
using System;
using System.Security.Cryptography;
using Newtonsoft.Json;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
namespace ConsoleApp1
{
class Program
{
public static void Main()
{
var json = "{\"private_key_id\":\"xxxxxx\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDcmuyQC8rwWdPQ\\nmIdksgzSJbVWTU5MeUxy+HAap3yut9wR/L6KGMJ4FBYcsPmXN5gQAhErybavGoZG\\nfS1X1/PCpPVpTCA4749K8gbvuZg1JEIAqMtmHiBBrJj5l8eiekQc8pd7Pq35H4wi\\nJYXAJGwggPcttkLBRi0xZzd+jdwL1st+7zRt8nMao/xFibInBBvKwb/gP4mJxlQg\\nnRdGO6zgMk+PLTcA5C+gFyPA4SdkylrLib5CJO9123FgcfTJZJTukeHo1v0EfU+4\\n3bK8HBZnOFa4DHH4mXhkhgYMjibv4Sr/WCEoomJJwNN04SbUEdyhgpM2rZ3cvx+4\\nsmB0SQflAgMBAAECggEAXZ100+/dL7++zh9cHVQdcrRDzprBplw3H/bjg7wdgftN\\n7Wgm5214YQKNG6HSWORjqC9oX/+agZYs8w69xjBDJg9ggU2nwuGOGky4utQ0jiCT\\nzbnTjsMsBxKaXBiXxBBEhVBBDjDcHQLRMdBggNgz9lskCYb1rxT7qqJVf2PtxCuZ\\nuxw3whLMRHXvKosER12sMQgGB/0+Nk86GWCqPigpfu7Ec92V0ffcSUaq3gjIUD54\\n67TduTWaRDQNB+j2yQsWQZnqRv+TvIXOjinAI+pPbvCUovtiTSZAoz3EalsiXQ0l\\nUqDVx26uzEJqhB2kzvAeApuW2Nd5EPxUnf48c4xh4QKBgQDw01mEChWyENV5CBKU\\nMSfY0rpAPtq7ahHRR458ZKtITDBlqiZLMjydI65Rr1XxpQ3pJZALObMdUhbvCDfm\\nu4BY/lCCt+hcdt9IICvVZsgXgvb6M+Fj2IbYZcAnOm4T1Z1D3I+pW5NdK2ALQRiK\\nWsGINOqWCB9WRd7nhmb/XwWyjQKBgQDqgWht5laDuLMc4qpj9finY4qmk57eT3KG\\npzbVlT3h7kv7j/j6e+6o9psrqdf1PXpu9XZi3bPtPbH1fX9x5pZgJQRMP4FGOURY\\nQDkJfiOOSN/8Vl0senqkscT7DSbe2BqyqQlSlTB4BBF29p1wxb5Wz5HH2BvYE2zI\\ni9B4WJcAuQKBgADnajCasRYoBgUcSKWRwaqIr/ZJxhxp+4Mjl59T6WiuEIhxKQ+j\\nMqMMXT0lQVdU3UaAw5enMcrsYfWnvD37ejHbUoYLFq4yLAhjRobYieu8rByoUTJE\\nv8zUJPKAv6UHaj20+D0UgOsanJOuPN9YE93lBPRnN2blgD6yPHS88JKJAoGABFyh\\n16F4LH0L/9aLes6BcIOeeZi3VMU/iRelInXjL8eh7CzyYZ5agxQLMNW46ZvaIiQ4\\nroAXL6t9GubZrwGt/F3T5aMswWShS87uAKoy+RuL5wKoOwKQM24HDvBgr7ZvULFq\\nNfoGa8UPmhneNdHHx4+W05PGeM9rr5NCLmrfbCkCgYA0nMvEDIJvU3KA3S1cQ3fs\\nVopRJwqRIFFL1cHTWaEyIsxEh6i/zAUc/habK82dN3/ZDn/XvWY14k7VZPsSdDC9\\noVlQj2z8DVO2K99Oxyh0VlthtecW8exjzkIPJL4srOSl/dooQZS/7ZZyaRQU/BLI\\nMdzKHlUKKXWcUU+Ko8W4+w==\\n-----END PRIVATE KEY-----\\n\",\"client_email\":\"dddddd-2a1f881e7rabfkt2eb1p84aisg30pedg#developer.gserviceaccount.com\",\"client_id\":\"ddddd-2a1f881e7rabfkt2eb1p84aisg30pedg.apps.googleusercontent.com\",\"type\":\"service_account\"}";
dynamic jsonObject = JsonConvert.DeserializeObject(json);
var rsaParams = ConvertPKCS8ToRSAParameters((string)jsonObject.private_key);
RSACryptoServiceProvider key = new RSACryptoServiceProvider();
key.ImportParameters(rsaParams);
Console.WriteLine($"Key size: {key.KeySize}, DP: {rsaParams.DP.Length}");
Console.ReadLine();
}
private const string PrivateKeyPrefix = "-----BEGIN PRIVATE KEY-----";
private const string PrivateKeySuffix = "-----END PRIVATE KEY-----";
/// <summary>Converts the PKCS8 private key to RSA parameters. This method uses the Bouncy Castle library.</summary>
private static RSAParameters ConvertPKCS8ToRSAParameters(string pkcs8PrivateKey)
{
var base64PrivateKey = pkcs8PrivateKey.Replace(PrivateKeyPrefix, "").Replace("\r\n", "").Replace(PrivateKeySuffix, "");
var privateKeyBytes = Convert.FromBase64String(base64PrivateKey);
RsaPrivateCrtKeyParameters crtParameters = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(privateKeyBytes);
return DotNetUtilities.ToRSAParameters(crtParameters);
}
}
}
I've made this .net project that uses both json and p12 files to authenticate a service account with or without user impersonation.
GoogleApiServiceFactory
Related
There are examples on the web on how to use bouncy castle library in Java to encrypt with RSA/ECB/OAEPWithSHA256AndMGF1Padding (Example is shown at breaking down RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING). However the bouncy castle library in C# seem to have deviated from Java library in that it is more explicit (hence requires more steps) and I am not able to figure out how to make it work for the above algorithm.
Would appreciate if some body can put a code sample together to encrypt a sample text using RSA/ECB/OAEPWithSHA256AndMGF1Padding.
Unfortunately, even the Java construct is ambiguous as it's open to different and incompatible interpretations, as is shown here. The Java Bouncycastle provider will do one thing with "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" and the Oracle provider will do a different thing.
You can and should specify exactly which behavior you want in both the Java and C# code.
C#:
using System;
using System.IO;
using System.Text;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Crypto.Encodings;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.OpenSsl;
namespace ScratchPad
{
class MainClass
{
public static void OaepEncryptExample()
{
var plain = Encoding.UTF8.GetBytes("The sun also rises.");
// Read in public key from file
var pemReader = new PemReader(File.OpenText(#"/Users/horton/tmp/key-examples/myserver_pub.pem"));
var rsaPub = (Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)pemReader.ReadObject();
// create encrypter
var encrypter = new OaepEncoding(new RsaEngine(), new Sha256Digest(), new Sha256Digest(), null);
encrypter.Init(true, rsaPub);
var cipher = encrypter.ProcessBlock(plain, 0, plain.Length);
Console.WriteLine(Convert.ToBase64String(cipher));
}
}
}
Java:
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.openssl.PEMParser;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import java.io.FileReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
public class OaepExample {
public static void oeapDecrypt() throws Exception {
final PEMParser pemParser = new PEMParser(new FileReader("/Users/horton/tmp/key-examples/myserver.p8"));
final PrivateKeyInfo privKey = (PrivateKeyInfo) pemParser.readObject();
KeyFactory kf = KeyFactory.getInstance("RSA");
RSAPrivateKey rsaPriv = (RSAPrivateKey) kf.generatePrivate(new PKCS8EncodedKeySpec(privKey.getEncoded()));
String cipher64 = "k8AYnTV6RgzQXmD7qn8QwucDXGjbYct+qMVvDmMELTnUcCOeTp82oJ0BryZyEEGXVSZ2BFg95e72Jt9ZAKWNcot2rZ0+POcda8pzY/MfdwIpnSJKITovk8xHL3B/jZDJyQrLMmNPjVV/uBFY2vgKhhLhJzzAJATcGpNdw+gF+XI=";
Cipher decrypter = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
OAEPParameterSpec parameterSpec = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256,
PSource.PSpecified.DEFAULT);
decrypter.init(Cipher.DECRYPT_MODE, rsaPriv, parameterSpec);
final byte[] plain = decrypter.doFinal(Base64.getDecoder().decode(cipher64));
System.out.println(new String(plain, StandardCharsets.UTF_8));
}
}
I can't get the signature verification working, like it's described here. I'm using BouncyCastle.NetCore 1.8.1.3 and the project is a .NETCoreApp 1.0.
I'm developing on macOS 10.12.1, running dotnet core 1.0.4 and my server is running Ubuntu 16.04.2-x64 running the release version, build as netcore1.0 and ubuntu16.04-x64 app.
The rest of the system runs without problems, except the signature verification.
My validation always returns false.
Here is my service for validating the signature and body:
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
namespace MySkill.Main.Services
{
public class CertificationValidationService : ICertificationValidationService
{
private const string Algorithm = "SHA1withRSA";
public async Task<bool> IsValidSiganture(Stream body, Stream certData, string signature)
{
var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(new StreamReader(certData));
var cert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject();
using (var sr = new StreamReader(body))
{
var content = await sr.ReadToEndAsync();
var result = CheckRequestSignature(Encoding.UTF8.GetBytes(content), signature, cert);
return result;
}
}
private static bool CheckRequestSignature(byte[] bodyData, string signature, Org.BouncyCastle.X509.X509Certificate cert)
{
byte[] sig = Convert.FromBase64String(signature);
var pubKey = (Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)cert.GetPublicKey();
var signer = Org.BouncyCastle.Security.SignerUtilities.GetSigner(Algorithm);
signer.Init(false, pubKey);
signer.BlockUpdate(bodyData, 0, bodyData.Length);
return signer.VerifySignature(sig);
}
}
}
Does anybody have a tip, what i'm doing wrong or has used a different framework or apis?
From the code you shared it looks correct. Without seeing the rest of the code I am not sure if the Signature you got is correct. You can take a look at our C# code that passed certification at https://github.com/sophtron/Alexa-Skill-Sophtron and compare against your own to see if there are any differences.
I tried RSACryptoServiceProvider from .net library for signature validation and it had never worked. So I had to switch to BouncyCastle.1.8.1 too and it worked for me.
ASP.NET MVC4 C# application needs to verify message signature as described in Digitally sign in PHP using private key, verify in C#
I tried to create public key for this using BouncyCastle CreateKey
string base64pubkey = #"-----BEGIN CERTIFICATE-----
MIICnzCCAggCCQDbr9OvJHgzmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
RUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQK
DAhFZXRhc29mdDERMA8GA1UECwwIYmFua2xpbmsxFjAUBgNVBAMMDXBhbmdhbGlu
ay5uZXQxITAfBgkqhkiG9w0BCQEWEmVldGFzb2Z0QG9ubGluZS5lZTAeFw0xNDEy
MjQxNjI1MjdaFw0zNDEyMTkxNjI1MjdaMIGTMQswCQYDVQQGEwJFRTERMA8GA1UE
CAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xETAPBgNVBAoMCEVldGFzb2Z0
MREwDwYDVQQLDAhiYW5rbGluazEWMBQGA1UEAwwNcGFuZ2FsaW5rLm5ldDEhMB8G
CSqGSIb3DQEJARYSZWV0YXNvZnRAb25saW5lLmVlMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDCi9usnv8rJLBeBgHhbM/80zPUOlkuH0uYrdzj/zxQSZS0QEoH
yVvosEWqO34+17CzQ0sc34kzK5qhLws7AKetjLH7cpgmVH5YnQxKgZ2a5I5mpj02
v9rjwDSKX2ZDXCeRUdnZa26beMcX/i1C9jxk9tpE2NWud910yHPRpnAQFwIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAFmlXa8NkR2OP0bC0EapmCaoObUG2WOi6Fhl2dBB
PInJq6tzv+YtMbaIAPANo1EzBeBcQTRvxgGIrqE/JJkjDhOvwxjdNcxp7Mt+7hkk
PI55KkKAfOeE0ss0EUcCdnyCGAXdhJfUCxJydg0PaVpE70FXUcLZcZXfT968mDOC
NpaS
-----END CERTIFICATE-----
";
RsaKeyParameters pubKey = PublicKeyFactory.CreateKey(
Convert.FromBase64String(base64pubkey)) as RsaKeyParameters;
but this returns exception since FromBase64String accepts only pure base64 string.
How to fix this ? Probably I need to extract key from base64pubkey in binary form to pass to CreateKey
You could try use only:
string base64pubkey = #"MIICnzCCAggCCQDbr9OvJHgzmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
RUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQK
DAhFZXRhc29mdDERMA8GA1UECwwIYmFua2xpbmsxFjAUBgNVBAMMDXBhbmdhbGlu
ay5uZXQxITAfBgkqhkiG9w0BCQEWEmVldGFzb2Z0QG9ubGluZS5lZTAeFw0xNDEy
MjQxNjI1MjdaFw0zNDEyMTkxNjI1MjdaMIGTMQswCQYDVQQGEwJFRTERMA8GA1UE
CAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xETAPBgNVBAoMCEVldGFzb2Z0
MREwDwYDVQQLDAhiYW5rbGluazEWMBQGA1UEAwwNcGFuZ2FsaW5rLm5ldDEhMB8G
CSqGSIb3DQEJARYSZWV0YXNvZnRAb25saW5lLmVlMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDCi9usnv8rJLBeBgHhbM/80zPUOlkuH0uYrdzj/zxQSZS0QEoH
yVvosEWqO34+17CzQ0sc34kzK5qhLws7AKetjLH7cpgmVH5YnQxKgZ2a5I5mpj02
v9rjwDSKX2ZDXCeRUdnZa26beMcX/i1C9jxk9tpE2NWud910yHPRpnAQFwIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAFmlXa8NkR2OP0bC0EapmCaoObUG2WOi6Fhl2dBB
PInJq6tzv+YtMbaIAPANo1EzBeBcQTRvxgGIrqE/JJkjDhOvwxjdNcxp7Mt+7hkk
PI55KkKAfOeE0ss0EUcCdnyCGAXdhJfUCxJydg0PaVpE70FXUcLZcZXfT968mDOC
NpaS";
without -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Here is a simple example showing one possible solution.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace ReadKeyFromCert
{
class MainClass
{
public static void Main (string[] args)
{
string base64X509Cert = #"-----BEGIN CERTIFICATE-----
MIICnzCCAggCCQDbr9OvJHgzmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
RUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQK
DAhFZXRhc29mdDERMA8GA1UECwwIYmFua2xpbmsxFjAUBgNVBAMMDXBhbmdhbGlu
ay5uZXQxITAfBgkqhkiG9w0BCQEWEmVldGFzb2Z0QG9ubGluZS5lZTAeFw0xNDEy
MjQxNjI1MjdaFw0zNDEyMTkxNjI1MjdaMIGTMQswCQYDVQQGEwJFRTERMA8GA1UE
CAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xETAPBgNVBAoMCEVldGFzb2Z0
MREwDwYDVQQLDAhiYW5rbGluazEWMBQGA1UEAwwNcGFuZ2FsaW5rLm5ldDEhMB8G
CSqGSIb3DQEJARYSZWV0YXNvZnRAb25saW5lLmVlMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDCi9usnv8rJLBeBgHhbM/80zPUOlkuH0uYrdzj/zxQSZS0QEoH
yVvosEWqO34+17CzQ0sc34kzK5qhLws7AKetjLH7cpgmVH5YnQxKgZ2a5I5mpj02
v9rjwDSKX2ZDXCeRUdnZa26beMcX/i1C9jxk9tpE2NWud910yHPRpnAQFwIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAFmlXa8NkR2OP0bC0EapmCaoObUG2WOi6Fhl2dBB
PInJq6tzv+YtMbaIAPANo1EzBeBcQTRvxgGIrqE/JJkjDhOvwxjdNcxp7Mt+7hkk
PI55KkKAfOeE0ss0EUcCdnyCGAXdhJfUCxJydg0PaVpE70FXUcLZcZXfT968mDOC
NpaS
-----END CERTIFICATE-----
";
base64X509Cert = base64X509Cert.Replace ("-----BEGIN CERTIFICATE-----", "");
base64X509Cert = base64X509Cert.Replace ("-----END CERTIFICATE-----", "");
var derCert = Convert.FromBase64String (base64X509Cert);
var x509 = new X509Certificate2 (derCert);
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider) x509.PublicKey.Key;
Console.WriteLine (rsa.ToXmlString(false));
}
}
}
Is there a programatic way of disabling a client app's certificate trust in C#?
You can use X509Certificate Class
and maybe X509Certificate2 Class
Example;
using System;
using System.Security.Cryptography.X509Certificates;
public class X509
{
public static void Main()
{
// The path to the certificate.
string Certificate = "Certificate.cer";
// Load the certificate into an X509Certificate object.
X509Certificate cert = new X509Certificate(Certificate);
// Get the value.
string resultsTrue = cert.ToString(true);
// Display the value to the console.
Console.WriteLine(resultsTrue);
// Get the value.
string resultsFalse = cert.ToString(false);
// Display the value to the console.
Console.WriteLine(resultsFalse);
}
}
We're trying to generate an X509 certificate (including the private key) programmatically using C# and the BouncyCastle library. We've tried using some of the code from this sample by Felix Kollmann but the private key part of the certificate returns null. Code and unit test are as below:
using System;
using System.Collections;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
namespace MyApp
{
public class CertificateGenerator
{
/// <summary>
///
/// </summary>
/// <remarks>Based on <see cref="http://www.fkollmann.de/v2/post/Creating-certificates-using-BouncyCastle.aspx"/></remarks>
/// <param name="subjectName"></param>
/// <returns></returns>
public static byte[] GenerateCertificate(string subjectName)
{
var kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
var kp = kpgen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
var certName = new X509Name("CN=" + subjectName);
var serialNo = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(serialNo);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotAfter(DateTime.Now.AddYears(100));
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetSignatureAlgorithm("MD5WithRSA");
gen.SetPublicKey(kp.Public);
gen.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public),
new GeneralNames(new GeneralName(certName)),
serialNo));
gen.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
false,
new ExtendedKeyUsage(new ArrayList() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1") }));
var newCert = gen.Generate(kp.Private);
return DotNetUtilities.ToX509Certificate(newCert).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, "password");
}
}
}
Unit test:
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.VisualStudio.TestTools.UnitTesting;
namespace MyApp
{
[TestClass]
public class CertificateGeneratorTests
{
[TestMethod]
public void GenerateCertificate_Test_ValidCertificate()
{
// Arrange
string subjectName = "test";
// Act
byte[] actual = CertificateGenerator.GenerateCertificate(subjectName);
// Assert
var cert = new X509Certificate2(actual, "password");
Assert.AreEqual("CN=" + subjectName, cert.Subject);
Assert.IsInstanceOfType(cert.PrivateKey, typeof(RSACryptoServiceProvider));
}
}
}
Just to clarify, an X.509 certificate does not contain the private key. The word certificate is sometimes misused to represent the combination of the certificate and the private key, but they are two distinct entities. The whole point of using certificates is to send them more or less openly, without sending the private key, which must be kept secret. An X509Certificate2 object may have a private key associated with it (via its PrivateKey property), but that's only a convenience as part of the design of this class.
In your first BouncyCastle code example, newCert is really just the certificate and DotNetUtilities.ToX509Certificate(newCert) is built from the certificate only.
Considering that the PKCS#12 format requires the presence of a private key, I'm quite surprised that the following part even works (considering you're calling it on a certificate which can't possibly know the private key):
.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12,
"password");
(gen.Generate(kp.Private) signs the certificate using the private key, but doesn't put the private key in the certificate, which wouldn't make sense.)
If you want your method to return both the certificate and the private key you could either:
Return an X509Certificate2 object in which you've initialized the PrivateKey property
Build a PKCS#12 store and returns its byte[] content (as if it was a file). Step 3 in the link you've sent (mirror) explains how to build a PKCS#12 store.
Returning the byte[] (DER) structure for the X.509 certificate itself will not contain the private key.
If your main concern (according to your test case) is to check that the certificate was built from an RSA key-pair, you can check the type of its public key instead.
I realise this is an old post but I found these excellent articles which go through the process:
Using Bouncy Castle from .NET