如何在不使用过时的 BouncyCastle 1.7.0 代码的情况下生成自签名证书?
How can I generate a self-signed cert without using obsolete BouncyCastle 1.7.0 code?
我有以下代码生成了一个很好的自签名证书,效果很好,但我想更新到最新的 BouncyCastle (1.8.1.0),但我收到有关过时用法的警告:
var persistedCertificateFilename = "ClientCertificate.pfx";
if (!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["PersistedCertificateFilename"])) { persistedCertificateFilename = ConfigurationManager.AppSettings["PersistedCertificateFilename"].Trim(); }
if (persistCertificateToDisk)
{
if (File.Exists(persistedCertificateFilename))
{
var certBytes = File.ReadAllBytes(persistedCertificateFilename);
this.clientCertificate = new X509Certificate2(certBytes, (string) null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
}
}
if (this.clientCertificate == null)
{
// Initialize the new secure keys
KeyGenerator keyGenerator = KeyGenerator.Create();
KeyPair keyPair = keyGenerator.GenerateKeyPair();
this.privateKey = keyPair.ToEncryptedPrivateKeyString(privateKeySecret);
this.publicKey = keyPair.ToPublicKeyString();
// Client certificate permissions
var certificatePermissions = new ArrayList()
{
KeyPurposeID.IdKPCodeSigning,
KeyPurposeID.IdKPServerAuth,
KeyPurposeID.IdKPTimeStamping,
KeyPurposeID.IdKPOcspSigning,
KeyPurposeID.IdKPClientAuth
};
// Initialize the certificate generation
var certificateGenerator = new X509V3CertificateGenerator();
BigInteger serialNo = BigInteger.ProbablePrime(128, new Random());
certificateGenerator.SetSerialNumber(serialNo);
certificateGenerator.SetSubjectDN(GetLicenseeDN());
certificateGenerator.SetIssuerDN(GetLicencerDN());
certificateGenerator.SetNotAfter(DateTime.Now.AddYears(100));
certificateGenerator.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
//ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", keyPair.PrivateKey); // ??
certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(certificatePermissions));
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.PublicKey));
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
certificateGenerator.SetPublicKey(keyPair.PublicKey);
var result = certificateGenerator.Generate(keyPair.PrivateKey);
var secure = new SecureString();
foreach (char c in privateKeySecret)
{
secure.AppendChar(c);
}
X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;
if (persistCertificateToDisk) { flags |= X509KeyStorageFlags.Exportable; flags |= X509KeyStorageFlags.PersistKeySet; }
this.clientCertificate = new X509Certificate2(Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(result).Export(X509ContentType.Cert), secure, flags);
// This section allows us to use this certificate on Azure (no file access required)
CspParameters cspParams;
const int PROVIDER_RSA_FULL = 1;
cspParams = new CspParameters(PROVIDER_RSA_FULL);
cspParams.KeyContainerName = new Guid().ToString();
cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
var rule = new CryptoKeyAccessRule("everyone", CryptoKeyRights.FullControl, AccessControlType.Allow);
cspParams.CryptoKeySecurity = new CryptoKeySecurity();
cspParams.CryptoKeySecurity.SetAccessRule(rule);
// Set the private key
var tempRcsp = (RSACryptoServiceProvider) Org.BouncyCastle.Security.DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters) keyPair.PrivateKey);
var rcsp = new RSACryptoServiceProvider(cspParams);
rcsp.ImportCspBlob(tempRcsp.ExportCspBlob(true));
this.clientCertificate.PrivateKey = rcsp;
if (persistCertificateToDisk)
{
if (!File.Exists(persistedCertificateFilename))
{
File.WriteAllBytes(persistedCertificateFilename, this.clientCertificate.Export(X509ContentType.Pkcs12, (string) null));
}
}
}
具体来说,警告是:
'X509V3CertificateGenerator.SetSignatureAlgorithm(string)' is
obsolete: 'Not needed if Generate used with an ISignatureFactory'
和
'X509V3CertificateGenerator.Generate(AsymmetricKeyParameter)' is
obsolete: 'Use Generate with an ISignatureFactory'
那么,我的问题是:
- 我需要担心这些警告吗?
- 如果是这样,哪些行会发生变化?
- 如果我更新此代码,是否有性能优势?
注意:如果有人好奇,我将其保存到磁盘的原因是每次实例化客户端时此代码都会创建一个证书,并且由于最小密钥大小为 2048 和1.7.0.
的表现
我也为此苦苦挣扎了一段时间。
我终于有了解决方案。
让我们来看看其中一个错误:
'X509V3CertificateGenerator.Generate(AsymmetricKeyParameter)' is obsolete: 'Use Generate with an ISignatureFactory'
您基本上是这样使用(我也在做同样的事情)Generate 方法:
var certificate = certificateGenerator.Generate(issuerCertificate.PrivateKey, random);
其中 certificateGenerator 是 class CertificateContainer 的实例
错误说:'Use Generate with an ISignatureFactory'
因此,为此让我们首先创建一个 ISignatureFactory 实例。
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
为了在此之前正常工作,您还应该声明以下内容:
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
AsymmetricCipherKeyPair subjectKeyPair = default(AsymmetricCipherKeyPair);
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
现在在这些更改之后,将方法 Generate 更改为:
var certificate = certificateGenerator.Generate(issuerCertificate.PrivateKey, random);
至:
var certificate = certificateGenerator.Generate(signatureFactory);
希望对您有所帮助。
我有以下代码生成了一个很好的自签名证书,效果很好,但我想更新到最新的 BouncyCastle (1.8.1.0),但我收到有关过时用法的警告:
var persistedCertificateFilename = "ClientCertificate.pfx";
if (!string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings["PersistedCertificateFilename"])) { persistedCertificateFilename = ConfigurationManager.AppSettings["PersistedCertificateFilename"].Trim(); }
if (persistCertificateToDisk)
{
if (File.Exists(persistedCertificateFilename))
{
var certBytes = File.ReadAllBytes(persistedCertificateFilename);
this.clientCertificate = new X509Certificate2(certBytes, (string) null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
}
}
if (this.clientCertificate == null)
{
// Initialize the new secure keys
KeyGenerator keyGenerator = KeyGenerator.Create();
KeyPair keyPair = keyGenerator.GenerateKeyPair();
this.privateKey = keyPair.ToEncryptedPrivateKeyString(privateKeySecret);
this.publicKey = keyPair.ToPublicKeyString();
// Client certificate permissions
var certificatePermissions = new ArrayList()
{
KeyPurposeID.IdKPCodeSigning,
KeyPurposeID.IdKPServerAuth,
KeyPurposeID.IdKPTimeStamping,
KeyPurposeID.IdKPOcspSigning,
KeyPurposeID.IdKPClientAuth
};
// Initialize the certificate generation
var certificateGenerator = new X509V3CertificateGenerator();
BigInteger serialNo = BigInteger.ProbablePrime(128, new Random());
certificateGenerator.SetSerialNumber(serialNo);
certificateGenerator.SetSubjectDN(GetLicenseeDN());
certificateGenerator.SetIssuerDN(GetLicencerDN());
certificateGenerator.SetNotAfter(DateTime.Now.AddYears(100));
certificateGenerator.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
//ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", keyPair.PrivateKey); // ??
certificateGenerator.SetSignatureAlgorithm("SHA512withRSA");
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(certificatePermissions));
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.PublicKey));
certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
certificateGenerator.SetPublicKey(keyPair.PublicKey);
var result = certificateGenerator.Generate(keyPair.PrivateKey);
var secure = new SecureString();
foreach (char c in privateKeySecret)
{
secure.AppendChar(c);
}
X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;
if (persistCertificateToDisk) { flags |= X509KeyStorageFlags.Exportable; flags |= X509KeyStorageFlags.PersistKeySet; }
this.clientCertificate = new X509Certificate2(Org.BouncyCastle.Security.DotNetUtilities.ToX509Certificate(result).Export(X509ContentType.Cert), secure, flags);
// This section allows us to use this certificate on Azure (no file access required)
CspParameters cspParams;
const int PROVIDER_RSA_FULL = 1;
cspParams = new CspParameters(PROVIDER_RSA_FULL);
cspParams.KeyContainerName = new Guid().ToString();
cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
var rule = new CryptoKeyAccessRule("everyone", CryptoKeyRights.FullControl, AccessControlType.Allow);
cspParams.CryptoKeySecurity = new CryptoKeySecurity();
cspParams.CryptoKeySecurity.SetAccessRule(rule);
// Set the private key
var tempRcsp = (RSACryptoServiceProvider) Org.BouncyCastle.Security.DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters) keyPair.PrivateKey);
var rcsp = new RSACryptoServiceProvider(cspParams);
rcsp.ImportCspBlob(tempRcsp.ExportCspBlob(true));
this.clientCertificate.PrivateKey = rcsp;
if (persistCertificateToDisk)
{
if (!File.Exists(persistedCertificateFilename))
{
File.WriteAllBytes(persistedCertificateFilename, this.clientCertificate.Export(X509ContentType.Pkcs12, (string) null));
}
}
}
具体来说,警告是:
'X509V3CertificateGenerator.SetSignatureAlgorithm(string)' is obsolete: 'Not needed if Generate used with an ISignatureFactory'
和
'X509V3CertificateGenerator.Generate(AsymmetricKeyParameter)' is obsolete: 'Use Generate with an ISignatureFactory'
那么,我的问题是:
- 我需要担心这些警告吗?
- 如果是这样,哪些行会发生变化?
- 如果我更新此代码,是否有性能优势?
注意:如果有人好奇,我将其保存到磁盘的原因是每次实例化客户端时此代码都会创建一个证书,并且由于最小密钥大小为 2048 和1.7.0.
的表现我也为此苦苦挣扎了一段时间。 我终于有了解决方案。 让我们来看看其中一个错误:
'X509V3CertificateGenerator.Generate(AsymmetricKeyParameter)' is obsolete: 'Use Generate with an ISignatureFactory'
您基本上是这样使用(我也在做同样的事情)Generate 方法:
var certificate = certificateGenerator.Generate(issuerCertificate.PrivateKey, random);
其中 certificateGenerator 是 class CertificateContainer 的实例
错误说:'Use Generate with an ISignatureFactory'
因此,为此让我们首先创建一个 ISignatureFactory 实例。
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
为了在此之前正常工作,您还应该声明以下内容:
var randomGenerator = new CryptoApiRandomGenerator();
var random = new SecureRandom(randomGenerator);
AsymmetricCipherKeyPair subjectKeyPair = default(AsymmetricCipherKeyPair);
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;
现在在这些更改之后,将方法 Generate 更改为:
var certificate = certificateGenerator.Generate(issuerCertificate.PrivateKey, random);
至:
var certificate = certificateGenerator.Generate(signatureFactory);
希望对您有所帮助。