Is there a programatic way of disabling a client app's certificate trust in C#?
You can use X509Certificate Class
and maybe X509Certificate2 Class
Example;
using System;
using System.Security.Cryptography.X509Certificates;
public class X509
{
public static void Main()
{
// The path to the certificate.
string Certificate = "Certificate.cer";
// Load the certificate into an X509Certificate object.
X509Certificate cert = new X509Certificate(Certificate);
// Get the value.
string resultsTrue = cert.ToString(true);
// Display the value to the console.
Console.WriteLine(resultsTrue);
// Get the value.
string resultsFalse = cert.ToString(false);
// Display the value to the console.
Console.WriteLine(resultsFalse);
}
}
Related
I'm getting this error from Azure IoT Provisioning Service when creating the provisioning client.
System.ArgumentException: 'Should specify SharedAccessKeyName'
I copied the Connection String from the Portal, what could be wrong?
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Provisioning.Service;
namespace EnrollmentApp
{
class Program
{
private static string ProvisioningConnectionString = "HostName=happybeerhub-us.azure-devices.net;DeviceId=test-device-01;SharedAccessKey=tawpddfqUt3EHZg9a5tUzQ5fjros7zMhKsZbmuXzwXE=";
private static string EnrollmentGroupId = "test";
private static string X509RootCertPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), #"key.pfx");
static void Main(string[] args)
{
RunSample().GetAwaiter().GetResult();
Console.WriteLine("\nHit <Enter> to exit ...");
Console.ReadLine();
}
public static async Task RunSample()
{
Console.WriteLine("Starting sample...");
using (ProvisioningServiceClient provisioningServiceClient =
ProvisioningServiceClient.CreateFromConnectionString(ProvisioningConnectionString))
{
#region Create a new enrollmentGroup config
Console.WriteLine("\nCreating a new enrollmentGroup...");
var certificate = new X509Certificate2(X509RootCertPath);
Attestation attestation = X509Attestation.CreateFromRootCertificates(certificate);
EnrollmentGroup enrollmentGroup =
new EnrollmentGroup(
EnrollmentGroupId,
attestation)
{
ProvisioningStatus = ProvisioningStatus.Enabled
};
Console.WriteLine(enrollmentGroup);
#endregion
#region Create the enrollmentGroup
Console.WriteLine("\nAdding new enrollmentGroup...");
EnrollmentGroup enrollmentGroupResult =
await provisioningServiceClient.CreateOrUpdateEnrollmentGroupAsync(enrollmentGroup).ConfigureAwait(false);
Console.WriteLine("\nEnrollmentGroup created with success.");
Console.WriteLine(enrollmentGroupResult);
#endregion
}
}
}
}
Well you are missing the SharedAccessKeyName so the validation tries to check it and as it is null in your case you get the exception.
As you can see in the ServiceConnectionStringBuilder.cs the correct connection string format is
/// A valid connection string shall be in the following format:
/// <code>
/// HostName=[ServiceName];SharedAccessKeyName=[keyName];SharedAccessKey=[Key]
/// </code>
Also in line 128 you can see the check which throws your exception:
if (string.IsNullOrWhiteSpace(SharedAccessKeyName))
{
throw new ArgumentException("Should specify SharedAccessKeyName");
}
Now you might think that ServiceConnectionStringBuilder.cs is not used by your code, but the call ProvisioningServiceClient.CreateFromConnectionString creates a new ProvisioningServiceClient instance, which in turn calls ServiceConnectionStringBuilder.Parse().
For more see ProvisioningServiceClient.cs in lines 82, 113 and 123.
SOLUTION:
To solve this you have to provide a SharedAccessKeyName. You should also consider using the IotHubConnectionStringBuilder for this which already checks your properties whhile building the connection string.
The questioner pointed out the key name is the deviceId according to this blog post here. Thus, the solution is to use SharedAccessKeyname=xx instead of DeviceId=xx.
I can't get the signature verification working, like it's described here. I'm using BouncyCastle.NetCore 1.8.1.3 and the project is a .NETCoreApp 1.0.
I'm developing on macOS 10.12.1, running dotnet core 1.0.4 and my server is running Ubuntu 16.04.2-x64 running the release version, build as netcore1.0 and ubuntu16.04-x64 app.
The rest of the system runs without problems, except the signature verification.
My validation always returns false.
Here is my service for validating the signature and body:
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
namespace MySkill.Main.Services
{
public class CertificationValidationService : ICertificationValidationService
{
private const string Algorithm = "SHA1withRSA";
public async Task<bool> IsValidSiganture(Stream body, Stream certData, string signature)
{
var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(new StreamReader(certData));
var cert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject();
using (var sr = new StreamReader(body))
{
var content = await sr.ReadToEndAsync();
var result = CheckRequestSignature(Encoding.UTF8.GetBytes(content), signature, cert);
return result;
}
}
private static bool CheckRequestSignature(byte[] bodyData, string signature, Org.BouncyCastle.X509.X509Certificate cert)
{
byte[] sig = Convert.FromBase64String(signature);
var pubKey = (Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters)cert.GetPublicKey();
var signer = Org.BouncyCastle.Security.SignerUtilities.GetSigner(Algorithm);
signer.Init(false, pubKey);
signer.BlockUpdate(bodyData, 0, bodyData.Length);
return signer.VerifySignature(sig);
}
}
}
Does anybody have a tip, what i'm doing wrong or has used a different framework or apis?
From the code you shared it looks correct. Without seeing the rest of the code I am not sure if the Signature you got is correct. You can take a look at our C# code that passed certification at https://github.com/sophtron/Alexa-Skill-Sophtron and compare against your own to see if there are any differences.
I tried RSACryptoServiceProvider from .net library for signature validation and it had never worked. So I had to switch to BouncyCastle.1.8.1 too and it worked for me.
I have been following the Oauth2 Service account documentation on Googles website. I have also been picking apart Googles .net client libray trying to get this to work.
I have reached the Computing the signature stage.
The privacy key from Google looks like this
-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDcmuyQC8rwWdPQ\nmIdksgzSJbVWTU5MeUxy+HAap3yut9wR/L6KGMJ4FBYcsPmXN5gQAhErybavGoZG\nfS1X1/PCpPVpTCA4749K8gbvuZg1JEIAqMtmHiBBrJj5l8eiekQc8pd7Pq35H4wi\nJYXAJGwggPcttkLBRi0xZzd+jdwL1st+7zRt8nMao/xFibInBBvKwb/gP4mJxlQg\nnRdGO6zgMk+PLTcA5C+gFyPA4SdkylrLib5CJO9123FgcfTJZJTukeHo1v0EfU+4\n3bK8HBZnOFa4DHH4mXhkhgYMjibv4Sr/WCEoomJJwNN04SbUEdyhgpM2rZ3cvx+4\nsmB0SQflAgMBAAECggEAXZ100+/dL7++zh9cHVQdcrRDzprBplw3H/bjg7wdgftN\n7Wgm5214YQKNG6HSWORjqC9oX/+agZYs8w69xjBDJg9ggU2nwuGOGky4utQ0jiCT\nzbnTjsMsBxKaXBiXxBBEhVBBDjDcHQLRMdBggNgz9lskCYb1rxT7qqJVf2PtxCuZ\nuxw3whLMRHXvKosER12sMQgGB/0+Nk86GWCqPigpfu7Ec92V0ffcSUaq3gjIUD54\n67TduTWaRDQNB+j2yQsWQZnqRv+TvIXOjinAI+pPbvCUovtiTSZAoz3EalsiXQ0l\nUqDVx26uzEJqhB2kzvAeApuW2Nd5EPxUnf48c4xh4QKBgQDw01mEChWyENV5CBKU\nMSfY0rpAPtq7ahHRR458ZKtITDBlqiZLMjydI65Rr1XxpQ3pJZALObMdUhbvCDfm\nu4BY/lCCt+hcdt9IICvVZsgXgvb6M+Fj2IbYZcAnOm4T1Z1D3I+pW5NdK2ALQRiK\nWsGINOqWCB9WRd7nhmb/XwWyjQKBgQDqgWht5laDuLMc4qpj9finY4qmk57eT3KG\npzbVlT3h7kv7j/j6e+6o9psrqdf1PXpu9XZi3bPtPbH1fX9x5pZgJQRMP4FGOURY\nQDkJfiOOSN/8Vl0senqkscT7DSbe2BqyqQlSlTB4BBF29p1wxb5Wz5HH2BvYE2zI\ni9B4WJcAuQKBgADnajCasRYoBgUcSKWRwaqIr/ZJxhxp+4Mjl59T6WiuEIhxKQ+j\nMqMMXT0lQVdU3UaAw5enMcrsYfWnvD37ejHbUoYLFq4yLAhjRobYieu8rByoUTJE\nv8zUJPKAv6UHaj20+D0UgOsanJOuPN9YE93lBPRnN2blgD6yPHS88JKJAoGABFyh\n16F4LH0L/9aLes6BcIOeeZi3VMU/iRelInXjL8eh7CzyYZ5agxQLMNW46ZvaIiQ4\nroAXL6t9GubZrwGt/F3T5aMswWShS87uAKoy+RuL5wKoOwKQM24HDvBgr7ZvULFq\nNfoGa8UPmhneNdHHx4+W05PGeM9rr5NCLmrfbCkCgYA0nMvEDIJvU3KA3S1cQ3fs\nVopRJwqRIFFL1cHTWaEyIsxEh6i/zAUc/habK82dN3/ZDn/XvWY14k7VZPsSdDC9\noVlQj2z8DVO2K99Oxyh0VlthtecW8exjzkIPJL4srOSl/dooQZS/7ZZyaRQU/BLI\nMdzKHlUKKXWcUU+Ko8W4+w\u003d\u003d\n-----END PRIVATE KEY-----\n
Clean up key
First I clean up the key a bit
private const string PrivateKeyPrefix = "-----BEGIN PRIVATE KEY-----";
private const string PrivateKeySuffix = "-----END PRIVATE KEY-----";
/// <summary>Converts the PKCS8 private key to RSA parameters. This method uses the Bouncy Castle library.</summary>
private static RSAParameters ConvertPKCS8ToRSAParameters(string pkcs8PrivateKey)
{
var base64PrivateKey = pkcs8PrivateKey.Replace(PrivateKeyPrefix, "").Replace("\r\n", "").Replace(PrivateKeySuffix, "");
var privateKeyBytes = Convert.FromBase64String(base64PrivateKey);
RsaPrivateCrtKeyParameters crtParameters = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(privateKeyBytes);
return DotNetUtilities.ToRSAParameters(crtParameters);
}
Import Parameters
RSAParameters rsaParameters = ConvertPKCS8ToRSAParameters(results.private_key);
RSACryptoServiceProvider key = new RSACryptoServiceProvider();
key.ImportParameters(rsaParameters);
Error
'System.Security.Cryptography.CryptographicException' occurred in
mscorlib.dll
Additional information: Bad Data.
My ideas
the dp value seams to be off everything I have read says it should be 128 bytes not 127.
Note:
I am not using the p12. file I am using the Json service account file. Answers using the X509Certificate2 and the p12 key file will not help.
{
"private_key_id": "xxxxxx",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDcmuyQC8rwWdPQ\nmIdksgzSJbVWTU5MeUxy+HAap3yut9wR/L6KGMJ4FBYcsPmXN5gQAhErybavGoZG\nfS1X1/PCpPVpTCA4749K8gbvuZg1JEIAqMtmHiBBrJj5l8eiekQc8pd7Pq35H4wi\nJYXAJGwggPcttkLBRi0xZzd+jdwL1st+7zRt8nMao/xFibInBBvKwb/gP4mJxlQg\nnRdGO6zgMk+PLTcA5C+gFyPA4SdkylrLib5CJO9123FgcfTJZJTukeHo1v0EfU+4\n3bK8HBZnOFa4DHH4mXhkhgYMjibv4Sr/WCEoomJJwNN04SbUEdyhgpM2rZ3cvx+4\nsmB0SQflAgMBAAECggEAXZ100+/dL7++zh9cHVQdcrRDzprBplw3H/bjg7wdgftN\n7Wgm5214YQKNG6HSWORjqC9oX/+agZYs8w69xjBDJg9ggU2nwuGOGky4utQ0jiCT\nzbnTjsMsBxKaXBiXxBBEhVBBDjDcHQLRMdBggNgz9lskCYb1rxT7qqJVf2PtxCuZ\nuxw3whLMRHXvKosER12sMQgGB/0+Nk86GWCqPigpfu7Ec92V0ffcSUaq3gjIUD54\n67TduTWaRDQNB+j2yQsWQZnqRv+TvIXOjinAI+pPbvCUovtiTSZAoz3EalsiXQ0l\nUqDVx26uzEJqhB2kzvAeApuW2Nd5EPxUnf48c4xh4QKBgQDw01mEChWyENV5CBKU\nMSfY0rpAPtq7ahHRR458ZKtITDBlqiZLMjydI65Rr1XxpQ3pJZALObMdUhbvCDfm\nu4BY/lCCt+hcdt9IICvVZsgXgvb6M+Fj2IbYZcAnOm4T1Z1D3I+pW5NdK2ALQRiK\nWsGINOqWCB9WRd7nhmb/XwWyjQKBgQDqgWht5laDuLMc4qpj9finY4qmk57eT3KG\npzbVlT3h7kv7j/j6e+6o9psrqdf1PXpu9XZi3bPtPbH1fX9x5pZgJQRMP4FGOURY\nQDkJfiOOSN/8Vl0senqkscT7DSbe2BqyqQlSlTB4BBF29p1wxb5Wz5HH2BvYE2zI\ni9B4WJcAuQKBgADnajCasRYoBgUcSKWRwaqIr/ZJxhxp+4Mjl59T6WiuEIhxKQ+j\nMqMMXT0lQVdU3UaAw5enMcrsYfWnvD37ejHbUoYLFq4yLAhjRobYieu8rByoUTJE\nv8zUJPKAv6UHaj20+D0UgOsanJOuPN9YE93lBPRnN2blgD6yPHS88JKJAoGABFyh\n16F4LH0L/9aLes6BcIOeeZi3VMU/iRelInXjL8eh7CzyYZ5agxQLMNW46ZvaIiQ4\nroAXL6t9GubZrwGt/F3T5aMswWShS87uAKoy+RuL5wKoOwKQM24HDvBgr7ZvULFq\nNfoGa8UPmhneNdHHx4+W05PGeM9rr5NCLmrfbCkCgYA0nMvEDIJvU3KA3S1cQ3fs\nVopRJwqRIFFL1cHTWaEyIsxEh6i/zAUc/habK82dN3/ZDn/XvWY14k7VZPsSdDC9\noVlQj2z8DVO2K99Oxyh0VlthtecW8exjzkIPJL4srOSl/dooQZS/7ZZyaRQU/BLI\nMdzKHlUKKXWcUU+Ko8W4+w\u003d\u003d\n-----END PRIVATE KEY-----\n",
"client_email": "dddddd-2a1f881e7rabfkt2eb1p84aisg30pedg#developer.gserviceaccount.com",
"client_id": "ddddd-2a1f881e7rabfkt2eb1p84aisg30pedg.apps.googleusercontent.com",
"type": "service_account"
}
Just realised how long ago this was reported. I presume you found an answer or gave up.
Your code now works - I tried this on BouncyCastle 1.8.1 and it works, it fails on 1.7.0.
Code used:
using System;
using System.Security.Cryptography;
using Newtonsoft.Json;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
namespace ConsoleApp1
{
class Program
{
public static void Main()
{
var json = "{\"private_key_id\":\"xxxxxx\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDcmuyQC8rwWdPQ\\nmIdksgzSJbVWTU5MeUxy+HAap3yut9wR/L6KGMJ4FBYcsPmXN5gQAhErybavGoZG\\nfS1X1/PCpPVpTCA4749K8gbvuZg1JEIAqMtmHiBBrJj5l8eiekQc8pd7Pq35H4wi\\nJYXAJGwggPcttkLBRi0xZzd+jdwL1st+7zRt8nMao/xFibInBBvKwb/gP4mJxlQg\\nnRdGO6zgMk+PLTcA5C+gFyPA4SdkylrLib5CJO9123FgcfTJZJTukeHo1v0EfU+4\\n3bK8HBZnOFa4DHH4mXhkhgYMjibv4Sr/WCEoomJJwNN04SbUEdyhgpM2rZ3cvx+4\\nsmB0SQflAgMBAAECggEAXZ100+/dL7++zh9cHVQdcrRDzprBplw3H/bjg7wdgftN\\n7Wgm5214YQKNG6HSWORjqC9oX/+agZYs8w69xjBDJg9ggU2nwuGOGky4utQ0jiCT\\nzbnTjsMsBxKaXBiXxBBEhVBBDjDcHQLRMdBggNgz9lskCYb1rxT7qqJVf2PtxCuZ\\nuxw3whLMRHXvKosER12sMQgGB/0+Nk86GWCqPigpfu7Ec92V0ffcSUaq3gjIUD54\\n67TduTWaRDQNB+j2yQsWQZnqRv+TvIXOjinAI+pPbvCUovtiTSZAoz3EalsiXQ0l\\nUqDVx26uzEJqhB2kzvAeApuW2Nd5EPxUnf48c4xh4QKBgQDw01mEChWyENV5CBKU\\nMSfY0rpAPtq7ahHRR458ZKtITDBlqiZLMjydI65Rr1XxpQ3pJZALObMdUhbvCDfm\\nu4BY/lCCt+hcdt9IICvVZsgXgvb6M+Fj2IbYZcAnOm4T1Z1D3I+pW5NdK2ALQRiK\\nWsGINOqWCB9WRd7nhmb/XwWyjQKBgQDqgWht5laDuLMc4qpj9finY4qmk57eT3KG\\npzbVlT3h7kv7j/j6e+6o9psrqdf1PXpu9XZi3bPtPbH1fX9x5pZgJQRMP4FGOURY\\nQDkJfiOOSN/8Vl0senqkscT7DSbe2BqyqQlSlTB4BBF29p1wxb5Wz5HH2BvYE2zI\\ni9B4WJcAuQKBgADnajCasRYoBgUcSKWRwaqIr/ZJxhxp+4Mjl59T6WiuEIhxKQ+j\\nMqMMXT0lQVdU3UaAw5enMcrsYfWnvD37ejHbUoYLFq4yLAhjRobYieu8rByoUTJE\\nv8zUJPKAv6UHaj20+D0UgOsanJOuPN9YE93lBPRnN2blgD6yPHS88JKJAoGABFyh\\n16F4LH0L/9aLes6BcIOeeZi3VMU/iRelInXjL8eh7CzyYZ5agxQLMNW46ZvaIiQ4\\nroAXL6t9GubZrwGt/F3T5aMswWShS87uAKoy+RuL5wKoOwKQM24HDvBgr7ZvULFq\\nNfoGa8UPmhneNdHHx4+W05PGeM9rr5NCLmrfbCkCgYA0nMvEDIJvU3KA3S1cQ3fs\\nVopRJwqRIFFL1cHTWaEyIsxEh6i/zAUc/habK82dN3/ZDn/XvWY14k7VZPsSdDC9\\noVlQj2z8DVO2K99Oxyh0VlthtecW8exjzkIPJL4srOSl/dooQZS/7ZZyaRQU/BLI\\nMdzKHlUKKXWcUU+Ko8W4+w==\\n-----END PRIVATE KEY-----\\n\",\"client_email\":\"dddddd-2a1f881e7rabfkt2eb1p84aisg30pedg#developer.gserviceaccount.com\",\"client_id\":\"ddddd-2a1f881e7rabfkt2eb1p84aisg30pedg.apps.googleusercontent.com\",\"type\":\"service_account\"}";
dynamic jsonObject = JsonConvert.DeserializeObject(json);
var rsaParams = ConvertPKCS8ToRSAParameters((string)jsonObject.private_key);
RSACryptoServiceProvider key = new RSACryptoServiceProvider();
key.ImportParameters(rsaParams);
Console.WriteLine($"Key size: {key.KeySize}, DP: {rsaParams.DP.Length}");
Console.ReadLine();
}
private const string PrivateKeyPrefix = "-----BEGIN PRIVATE KEY-----";
private const string PrivateKeySuffix = "-----END PRIVATE KEY-----";
/// <summary>Converts the PKCS8 private key to RSA parameters. This method uses the Bouncy Castle library.</summary>
private static RSAParameters ConvertPKCS8ToRSAParameters(string pkcs8PrivateKey)
{
var base64PrivateKey = pkcs8PrivateKey.Replace(PrivateKeyPrefix, "").Replace("\r\n", "").Replace(PrivateKeySuffix, "");
var privateKeyBytes = Convert.FromBase64String(base64PrivateKey);
RsaPrivateCrtKeyParameters crtParameters = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(privateKeyBytes);
return DotNetUtilities.ToRSAParameters(crtParameters);
}
}
}
I've made this .net project that uses both json and p12 files to authenticate a service account with or without user impersonation.
GoogleApiServiceFactory
ASP.NET MVC4 C# application needs to verify message signature as described in Digitally sign in PHP using private key, verify in C#
I tried to create public key for this using BouncyCastle CreateKey
string base64pubkey = #"-----BEGIN CERTIFICATE-----
MIICnzCCAggCCQDbr9OvJHgzmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
RUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQK
DAhFZXRhc29mdDERMA8GA1UECwwIYmFua2xpbmsxFjAUBgNVBAMMDXBhbmdhbGlu
ay5uZXQxITAfBgkqhkiG9w0BCQEWEmVldGFzb2Z0QG9ubGluZS5lZTAeFw0xNDEy
MjQxNjI1MjdaFw0zNDEyMTkxNjI1MjdaMIGTMQswCQYDVQQGEwJFRTERMA8GA1UE
CAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xETAPBgNVBAoMCEVldGFzb2Z0
MREwDwYDVQQLDAhiYW5rbGluazEWMBQGA1UEAwwNcGFuZ2FsaW5rLm5ldDEhMB8G
CSqGSIb3DQEJARYSZWV0YXNvZnRAb25saW5lLmVlMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDCi9usnv8rJLBeBgHhbM/80zPUOlkuH0uYrdzj/zxQSZS0QEoH
yVvosEWqO34+17CzQ0sc34kzK5qhLws7AKetjLH7cpgmVH5YnQxKgZ2a5I5mpj02
v9rjwDSKX2ZDXCeRUdnZa26beMcX/i1C9jxk9tpE2NWud910yHPRpnAQFwIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAFmlXa8NkR2OP0bC0EapmCaoObUG2WOi6Fhl2dBB
PInJq6tzv+YtMbaIAPANo1EzBeBcQTRvxgGIrqE/JJkjDhOvwxjdNcxp7Mt+7hkk
PI55KkKAfOeE0ss0EUcCdnyCGAXdhJfUCxJydg0PaVpE70FXUcLZcZXfT968mDOC
NpaS
-----END CERTIFICATE-----
";
RsaKeyParameters pubKey = PublicKeyFactory.CreateKey(
Convert.FromBase64String(base64pubkey)) as RsaKeyParameters;
but this returns exception since FromBase64String accepts only pure base64 string.
How to fix this ? Probably I need to extract key from base64pubkey in binary form to pass to CreateKey
You could try use only:
string base64pubkey = #"MIICnzCCAggCCQDbr9OvJHgzmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
RUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQK
DAhFZXRhc29mdDERMA8GA1UECwwIYmFua2xpbmsxFjAUBgNVBAMMDXBhbmdhbGlu
ay5uZXQxITAfBgkqhkiG9w0BCQEWEmVldGFzb2Z0QG9ubGluZS5lZTAeFw0xNDEy
MjQxNjI1MjdaFw0zNDEyMTkxNjI1MjdaMIGTMQswCQYDVQQGEwJFRTERMA8GA1UE
CAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xETAPBgNVBAoMCEVldGFzb2Z0
MREwDwYDVQQLDAhiYW5rbGluazEWMBQGA1UEAwwNcGFuZ2FsaW5rLm5ldDEhMB8G
CSqGSIb3DQEJARYSZWV0YXNvZnRAb25saW5lLmVlMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDCi9usnv8rJLBeBgHhbM/80zPUOlkuH0uYrdzj/zxQSZS0QEoH
yVvosEWqO34+17CzQ0sc34kzK5qhLws7AKetjLH7cpgmVH5YnQxKgZ2a5I5mpj02
v9rjwDSKX2ZDXCeRUdnZa26beMcX/i1C9jxk9tpE2NWud910yHPRpnAQFwIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAFmlXa8NkR2OP0bC0EapmCaoObUG2WOi6Fhl2dBB
PInJq6tzv+YtMbaIAPANo1EzBeBcQTRvxgGIrqE/JJkjDhOvwxjdNcxp7Mt+7hkk
PI55KkKAfOeE0ss0EUcCdnyCGAXdhJfUCxJydg0PaVpE70FXUcLZcZXfT968mDOC
NpaS";
without -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Here is a simple example showing one possible solution.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace ReadKeyFromCert
{
class MainClass
{
public static void Main (string[] args)
{
string base64X509Cert = #"-----BEGIN CERTIFICATE-----
MIICnzCCAggCCQDbr9OvJHgzmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
RUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQK
DAhFZXRhc29mdDERMA8GA1UECwwIYmFua2xpbmsxFjAUBgNVBAMMDXBhbmdhbGlu
ay5uZXQxITAfBgkqhkiG9w0BCQEWEmVldGFzb2Z0QG9ubGluZS5lZTAeFw0xNDEy
MjQxNjI1MjdaFw0zNDEyMTkxNjI1MjdaMIGTMQswCQYDVQQGEwJFRTERMA8GA1UE
CAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xETAPBgNVBAoMCEVldGFzb2Z0
MREwDwYDVQQLDAhiYW5rbGluazEWMBQGA1UEAwwNcGFuZ2FsaW5rLm5ldDEhMB8G
CSqGSIb3DQEJARYSZWV0YXNvZnRAb25saW5lLmVlMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDCi9usnv8rJLBeBgHhbM/80zPUOlkuH0uYrdzj/zxQSZS0QEoH
yVvosEWqO34+17CzQ0sc34kzK5qhLws7AKetjLH7cpgmVH5YnQxKgZ2a5I5mpj02
v9rjwDSKX2ZDXCeRUdnZa26beMcX/i1C9jxk9tpE2NWud910yHPRpnAQFwIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAFmlXa8NkR2OP0bC0EapmCaoObUG2WOi6Fhl2dBB
PInJq6tzv+YtMbaIAPANo1EzBeBcQTRvxgGIrqE/JJkjDhOvwxjdNcxp7Mt+7hkk
PI55KkKAfOeE0ss0EUcCdnyCGAXdhJfUCxJydg0PaVpE70FXUcLZcZXfT968mDOC
NpaS
-----END CERTIFICATE-----
";
base64X509Cert = base64X509Cert.Replace ("-----BEGIN CERTIFICATE-----", "");
base64X509Cert = base64X509Cert.Replace ("-----END CERTIFICATE-----", "");
var derCert = Convert.FromBase64String (base64X509Cert);
var x509 = new X509Certificate2 (derCert);
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider) x509.PublicKey.Key;
Console.WriteLine (rsa.ToXmlString(false));
}
}
}
We're trying to generate an X509 certificate (including the private key) programmatically using C# and the BouncyCastle library. We've tried using some of the code from this sample by Felix Kollmann but the private key part of the certificate returns null. Code and unit test are as below:
using System;
using System.Collections;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
namespace MyApp
{
public class CertificateGenerator
{
/// <summary>
///
/// </summary>
/// <remarks>Based on <see cref="http://www.fkollmann.de/v2/post/Creating-certificates-using-BouncyCastle.aspx"/></remarks>
/// <param name="subjectName"></param>
/// <returns></returns>
public static byte[] GenerateCertificate(string subjectName)
{
var kpgen = new RsaKeyPairGenerator();
kpgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
var kp = kpgen.GenerateKeyPair();
var gen = new X509V3CertificateGenerator();
var certName = new X509Name("CN=" + subjectName);
var serialNo = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(serialNo);
gen.SetSubjectDN(certName);
gen.SetIssuerDN(certName);
gen.SetNotAfter(DateTime.Now.AddYears(100));
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetSignatureAlgorithm("MD5WithRSA");
gen.SetPublicKey(kp.Public);
gen.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public),
new GeneralNames(new GeneralName(certName)),
serialNo));
gen.AddExtension(
X509Extensions.ExtendedKeyUsage.Id,
false,
new ExtendedKeyUsage(new ArrayList() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1") }));
var newCert = gen.Generate(kp.Private);
return DotNetUtilities.ToX509Certificate(newCert).Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12, "password");
}
}
}
Unit test:
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.VisualStudio.TestTools.UnitTesting;
namespace MyApp
{
[TestClass]
public class CertificateGeneratorTests
{
[TestMethod]
public void GenerateCertificate_Test_ValidCertificate()
{
// Arrange
string subjectName = "test";
// Act
byte[] actual = CertificateGenerator.GenerateCertificate(subjectName);
// Assert
var cert = new X509Certificate2(actual, "password");
Assert.AreEqual("CN=" + subjectName, cert.Subject);
Assert.IsInstanceOfType(cert.PrivateKey, typeof(RSACryptoServiceProvider));
}
}
}
Just to clarify, an X.509 certificate does not contain the private key. The word certificate is sometimes misused to represent the combination of the certificate and the private key, but they are two distinct entities. The whole point of using certificates is to send them more or less openly, without sending the private key, which must be kept secret. An X509Certificate2 object may have a private key associated with it (via its PrivateKey property), but that's only a convenience as part of the design of this class.
In your first BouncyCastle code example, newCert is really just the certificate and DotNetUtilities.ToX509Certificate(newCert) is built from the certificate only.
Considering that the PKCS#12 format requires the presence of a private key, I'm quite surprised that the following part even works (considering you're calling it on a certificate which can't possibly know the private key):
.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12,
"password");
(gen.Generate(kp.Private) signs the certificate using the private key, but doesn't put the private key in the certificate, which wouldn't make sense.)
If you want your method to return both the certificate and the private key you could either:
Return an X509Certificate2 object in which you've initialized the PrivateKey property
Build a PKCS#12 store and returns its byte[] content (as if it was a file). Step 3 in the link you've sent (mirror) explains how to build a PKCS#12 store.
Returning the byte[] (DER) structure for the X.509 certificate itself will not contain the private key.
If your main concern (according to your test case) is to check that the certificate was built from an RSA key-pair, you can check the type of its public key instead.
I realise this is an old post but I found these excellent articles which go through the process:
Using Bouncy Castle from .NET