.Net以编程方式与Bouncy Castle签署PKCS#10请求

我们使用CertEnroll在客户端上生成了有效的PKCS#10证书请求。

现在我们需要对其进行签名并将结果返回给客户端,其中CertEnroll将处理本地证书库的内容。

这是一个B2B应用程序,根签名证书将自行生成,或者我们可以使用我们现有的Thawte SSL证书。

Server(2008)没有运行Active Directory,除非绝对必要,否则我们不希望为此创建独立的签名基础结构/服务。 不需要撤销等 – 我们希望以编程方式执行此操作。

我很乐意使用BouncyCastle库但是C#lib缺少任何有意义的文档,而原始的Java文档无疑是相似的,而C#实现的不同之处让我更加困惑。

是否有人知道(或拥有)样本C#(或VB)代码或已知相关链接,使用BouncyCastle或本​​地.Net类?

完成这件事的任何帮助将不胜感激!

这至少可以说是一个有趣的练习:-)

我们使用了BouncyCastle和.Net证书对象。 解决方案仍然有很多! 改进的余地,但确实有效。

它的内核(Cert Gen)如下。 当我们到达这里时,CSR已经在客户端上生成,当我们离开时,生成的证书由客户端代码安装(请参阅此博客了解客户端工作情况。)

同样,我不是将其作为成品提供,但希望对那些面临同样任务的人有一定的价值。 快乐加密:-)

// Jul 10, 2012 see // http://social.technet.microsoft.com/Forums/en-NZ/winserversecurity/thread/45781b46-3eb7-4715-b877-883bf0dc2ae7 // instaed of CX509CertificateRequestPkcs10 csr = new CX509CertificateRequestPkcs10(); use: IX509CertificateRequestPkcs10 csr = (IX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID("X509Enrollment.CX509CertificateRequestPkcs10")); csr.InitializeDecode(csrText, EncodingType.XCN_CRYPT_STRING_BASE64); csr.CheckSignature(Pkcs10AllowedSignatureTypes.AllowedKeySignature); //get Bouncy CSRInfo Object Trace.Write("get Bouncy CSRInfo Object"); Byte[] csrBytes = Convert.FromBase64String(csrText); CertificationRequestInfo csrInfo = CertificateTools.GetCsrInfo(csrBytes); SubjectPublicKeyInfo pki = csrInfo.SubjectPublicKeyInfo; //pub key for the signed cert Trace.Write("pub key for the signed cert"); AsymmetricKeyParameter publicKey = PublicKeyFactory.CreateKey(pki); // Build a Version1 (No Extensions) Certificate DateTime startDate = DateTime.Now; DateTime expiryDate = startDate.AddYears(100); BigInteger serialNumber = new BigInteger(32, new Random()); Trace.Write("Build a Version1 (No Extensions) Certificate"); X509V1CertificateGenerator certGen = new X509V1CertificateGenerator(); string signerCN = ConfigurationManager.AppSettings["signerCN"].ToString(); X509Name dnName = new X509Name(String.Format("CN={0}", signerCN)); X509Name cName = new X509Name(csr.Subject.Name); certGen.SetSerialNumber(serialNumber); certGen.SetIssuerDN(dnName); certGen.SetNotBefore(startDate); certGen.SetNotAfter(expiryDate); certGen.SetSubjectDN(cName); certGen.SetSignatureAlgorithm("SHA1withRSA"); certGen.SetPublicKey(publicKey); //get our Private Key to Sign with Trace.Write("get our Private Key to Sign with"); X509Store store = new X509Store(StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); string signerThumbprint = ConfigurationManager.AppSettings["signerThumbprint"].ToString(); X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates; X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, signerThumbprint, false); X509Certificate2 caCert = fcollection[0]; Trace.Write("Found:" + caCert.FriendlyName); Trace.Write("Has Private " + caCert.HasPrivateKey.ToString()); Trace.Write("Key Size " + caCert.PrivateKey.KeySize.ToString()); //Get our Signing Key as a Bouncy object Trace.Write("Get our Signing Key as a Bouncy object from key "); AsymmetricCipherKeyPair caPair = DotNetUtilities.GetKeyPair(caCert.PrivateKey); //gen BouncyCastle object Trace.Write("gen BouncyCastle object"); Org.BouncyCastle.X509.X509Certificate cert = certGen.Generate(caPair.Private); //convert to windows type 2 and get Base64 String Trace.Write("convert to windows type 2 and get Base64 String"); X509Certificate2 cert2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(cert)); byte[] encoded = cert2.GetRawCertData(); string certOutString = Convert.ToBase64String(encoded); //output to the page (hidden) Certificate.Value = certOutString;