C#使用BouncyCastle生成PKCS#12数字证书
背景
- 生成数字证书用于PDF文档数字签名
- 数字证书需要考虑环境兼容性,如linux、windows
- 网上资料不全或版本多样
本文章主要介绍了在C#中使用BouncyCastle生成PKCS#12个人信息交换语法标准的pfx证书、cer证书,旨在引导大家了解非对称加密算法,快速、轻松的使用证书对文本进行加密、解密,额外提供了RSAHelper类,包含加密、解密、签名、验签函数,支持无限长度、分段加解密,如有错误、欢迎留言指正;
pfx证书:含有公钥、私钥
cer证书:只含有公钥
非对称加密算法:常见的有很多,这其中最有名、最常用的还是RSA
RSA文件格式有很多中,PKCS#12只是其中一种,除此之外还有PKCS#1、PKCS#7、PKCS#8等,具体有什么区别,我这里不再进行阐述,自行百度;
不同语言采用的RSA文件格式不同,如java的私钥采用的是PKCS8,c#的私钥采用的是PKCS1,c#和java生成的私钥要让对方使用的就需要进行转换为对方语言适用的文件格式;
依赖
本文示例代码依赖于BouncyCastle.Crypto.dll,可以在项目中使用NuGet程序包引入。
源码
RSAHelper类
1 public class RSAHelper 2 { 3 #region 使用私钥签名Sign(string data, string privateKey, RSAType rsaType, Encoding encoding) 4 /// <summary> 5 /// 使用私钥签名 6 /// </summary> 7 /// <param name="data">待签名串</param> 8 /// <param name="privateKey">私钥</param> 9 /// <param name="encoding">编码类型,推荐使用UTF8</param> 10 /// <param name="rsaType">签名类型,默认RSA2</param> 11 /// <returns></returns> 12 public static string Sign(string data, string privateKey, Encoding encoding, RSAType rsaType = RSAType.RSA2) 13 { 14 encoding = encoding ?? Encoding.UTF8; 15 byte[] dataBytes = encoding.GetBytes(data); 16 RSA _privateKeyRsaProvider = CreateRsaProviderFromPrivateKey(privateKey); 17 HashAlgorithmName _hashAlgorithmName = rsaType == RSAType.RSA ? HashAlgorithmName.SHA1 : HashAlgorithmName.SHA256; 18 var signatureBytes = _privateKeyRsaProvider.SignData(dataBytes, _hashAlgorithmName, RSASignaturePadding.Pkcs1); 19 return Convert.ToBase64String(signatureBytes); 20 } 21 /// <summary> 22 /// 使用私钥签名,默认Encoding为Encoding.UTF8 23 /// </summary> 24 /// <param name="data">待签名串</param> 25 /// <param name="privateKey">私钥</param> 26 /// <param name="rsaType">签名类型,默认RSA2</param> 27 /// <returns></returns> 28 public static string Sign(string data, string privateKey, RSAType rsaType = RSAType.RSA2) 29 { 30 return Sign(data, privateKey, Encoding.UTF8, rsaType); 31 } 32 /// <summary> 33 /// 使用私钥签名 34 /// </summary> 35 /// <param name="parameters">待签参数</param> 36 /// <param name="privateKey">私钥</param> 37 /// <param name="encoding">编码类型,推荐使用UTF8</param> 38 /// <param name="rsaType">签名类型,默认RSA2</param> 39 /// <param name="removeSign">是否移除签名串,默认移除名为“sign”的签名串</param> 40 /// <returns></returns> 41 public static string SignParameters(IDictionary<string, string> parameters, string privateKey, Encoding encoding, RSAType rsaType = RSAType.RSA2, bool removeSign = true) 42 { 43 44 string data = GetSignContent(parameters, removeSign); 45 byte[] dataBytes = encoding.GetBytes(data); 46 RSA _privateKeyRsaProvider = CreateRsaProviderFromPrivateKey(privateKey); 47 HashAlgorithmName _hashAlgorithmName = rsaType == RSAType.RSA ? HashAlgorithmName.SHA1 : HashAlgorithmName.SHA256; 48 var signatureBytes = _privateKeyRsaProvider.SignData(dataBytes, _hashAlgorithmName, RSASignaturePadding.Pkcs1); 49 return Convert.ToBase64String(signatureBytes); 50 } 51 /// <summary> 52 /// 使用私钥签名,默认Encoding为Encoding.UTF8 53 /// </summary> 54 /// <param name="parameters">待签参数</param> 55 /// <param name="privateKey">私钥</param> 56 /// <param name="rsaType">签名类型,默认RSA2</param> 57 /// <param name="removeSign">是否移除签名串,默认移除名为“sign”的签名串</param> 58 /// <returns></returns> 59 public static string SignParameters(IDictionary<string, string> parameters, string privateKey, RSAType rsaType = RSAType.RSA2, bool removeSign = true) 60 { 61 return SignParameters(parameters, privateKey, Encoding.UTF8, rsaType, removeSign); 62 } 63 #endregion 64 65 #region 使用公钥验证签名Verify(string data, string sign,string publickey,RSAType rsaType,Encoding encoding) 66 /// <summary> 67 /// 使用公钥验证签名 68 /// </summary> 69 /// <param name="data">原始数据</param> 70 /// <param name="sign">签名串</param> 71 /// <param name="publickey">公钥</param> 72 /// <param name="encoding">编码类型,推荐使用UTF8</param> 73 /// <param name="rsaType">签名类型,推默认RSA2</param> 74 /// <returns></returns> 75 public static bool Verify(string data, string sign, string publickey, Encoding encoding, RSAType rsaType = RSAType.RSA2) 76 { 77 byte[] dataBytes = encoding.GetBytes(data); 78 byte[] signBytes = Convert.FromBase64String(sign); 79 RSA _publicKeyRsaProvider = CreateRsaProviderFromPublicKey(publickey); 80 HashAlgorithmName _hashAlgorithmName = rsaType == RSAType.RSA ? HashAlgorithmName.SHA1 : HashAlgorithmName.SHA256; 81 var verify = _publicKeyRsaProvider.VerifyData(dataBytes, signBytes, _hashAlgorithmName, RSASignaturePadding.Pkcs1); 82 return verify; 83 } 84 /// <summary> 85 /// 使用公钥验证签名 默认Encoding为Encoding.UTF8 86 /// </summary> 87 /// <param name="data">原始数据</param> 88 /// <param name="sign">签名串</param> 89 /// <param name="publickey">公钥</param> 90 /// <param name="rsaType">签名类型,推默认RSA2</param> 91 /// <returns></returns> 92 public static bool Verify(string data, string sign, string publickey, RSAType rsaType = RSAType.RSA2) 93 { 94 return Verify(data, sign, publickey, Encoding.UTF8, rsaType); 95 } 96 /// <summary> 97 /// 使用公钥验证签名 98 /// </summary> 99 /// <param name="parameters">代验签参数</param> 100 /// <param name="publickey">公钥</param> 101 /// <param name="encoding">编码类型,推荐使用UTF8</param> 102 /// <param name="rsaType">签名类型,推荐使用RSA2</param> 103 /// <param name="removeSign">是否移除签名串,默认移除名为“sign”的签名串</param> 104 /// <returns></returns> 105 public static bool VerifyParameters(IDictionary<string, string> parameters, string publickey, Encoding encoding, RSAType rsaType = RSAType.RSA2, bool removeSign = true) 106 { 107 string sign = parameters["sign"]; 108 parameters.Remove("sign"); 109 110 byte[] dataBytes = encoding.GetBytes(GetSignContent(parameters, removeSign)); 111 byte[] signBytes = Convert.FromBase64String(sign); 112 RSA _publicKeyRsaProvider = CreateRsaProviderFromPublicKey(publickey); 113 HashAlgorithmName _hashAlgorithmName = rsaType == RSAType.RSA ? HashAlgorithmName.SHA1 : HashAlgorithmName.SHA256; 114 var verify = _publicKeyRsaProvider.VerifyData(dataBytes, signBytes, _hashAlgorithmName, RSASignaturePadding.Pkcs1); 115 return verify; 116 } 117 /// <summary> 118 /// 使用公钥验证签名 默认Encoding为Encoding.UTF8 119 /// </summary> 120 /// <param name="parameters">代验签参数</param> 121 /// <param name="publickey">公钥</param> 122 /// <param name="rsaType">签名类型,推荐使用RSA2</param> 123 /// <param name="removeSign">是否移除签名串,默认移除名为“sign”的签名串</param> 124 /// <returns></returns> 125 public static bool VerifyParameters(IDictionary<string, string> parameters, string publickey, RSAType rsaType = RSAType.RSA2, bool removeSign = true) 126 { 127 return VerifyParameters(parameters, publickey, Encoding.UTF8, rsaType, removeSign); 128 } 129 #endregion 130 131 #region 获取/组装待签名串GetSignContent(IDictionary<string, string> parameters, bool removeSign = true) 132 /// <summary> 133 /// 获取/组装待签名串 134 /// </summary> 135 /// <param name="parameters">参数内容</param> 136 /// <param name="removeSign">是否移除签名串,默认移除名为“sign”的签名串</param> 137 /// <returns></returns> 138 public static string GetSignContent(IDictionary<string, string> parameters, bool removeSign = true) 139 { 140 if (removeSign && parameters.ContainsKey("sign")) 141 { 142 parameters.Remove("sign"); 143 } 144 // 第一步:把字典按Key的字母顺序排序 145 IDictionary<string, string> sortedParams = new SortedDictionary<string, string>(parameters); 146 IEnumerator<KeyValuePair<string, string>> dem = sortedParams.GetEnumerator(); 147 148 // 第二步:把所有参数名和参数值串在一起 149 StringBuilder query = new StringBuilder(""); 150 while (dem.MoveNext()) 151 { 152 string key = dem.Current.Key; 153 string value = dem.Current.Value; 154 if (!string.IsNullOrEmpty(key) && !string.IsNullOrEmpty(value)) // 空字段不加入签名/验签 155 { 156 query.Append(key).Append("=").Append(value).Append("&"); 157 } 158 } 159 string content = query.ToString().Substring(0, query.Length - 1); 160 161 return content; 162 } 163 #endregion 164 165 #region 解密Decrypt(string cipherText,string privateKey) 166 /// <summary> 167 /// 解密(无限长度) 168 /// </summary> 169 /// <param name="cipherText">加密串</param> 170 /// <param name="privateKey">私钥</param> 171 /// <returns></returns> 172 public static string Decrypt(string cipherText, string privateKey) 173 { 174 RSA _privateKeyRsaProvider = CreateRsaProviderFromPrivateKey(privateKey); 175 if (_privateKeyRsaProvider == null) 176 { 177 throw new Exception("_privateKeyRsaProvider is null"); 178 } 179 var inputBytes = Convert.FromBase64String(cipherText); 180 int bufferSize = _privateKeyRsaProvider.KeySize / 8; 181 var buffer = new byte[bufferSize]; 182 using (MemoryStream inputStream = new MemoryStream(inputBytes), 183 outputStream = new MemoryStream()) 184 { 185 while (true) 186 { 187 int readSize = inputStream.Read(buffer, 0, bufferSize); 188 if (readSize <= 0) 189 { 190 break; 191 } 192 193 var temp = new byte[readSize]; 194 Array.Copy(buffer, 0, temp, 0, readSize); 195 var rawBytes = _privateKeyRsaProvider.Decrypt(temp, RSAEncryptionPadding.Pkcs1); 196 outputStream.Write(rawBytes, 0, rawBytes.Length); 197 } 198 return Encoding.UTF8.GetString(outputStream.ToArray()); 199 } 200 201 //return Encoding.UTF8.GetString(_privateKeyRsaProvider.Decrypt(Convert.FromBase64String(cipherText), RSAEncryptionPadding.Pkcs1)); 202 } 203 /// <summary> 204 /// 分段解密 205 /// </summary> 206 /// <param name="encryptedInput"></param> 207 /// <param name="privateKey"></param> 208 /// <returns></returns> 209 private string RsaDecrypt(string encryptedInput, string privateKey) 210 { 211 if (string.IsNullOrEmpty(encryptedInput)) 212 { 213 return string.Empty; 214 } 215 216 if (string.IsNullOrWhiteSpace(privateKey)) 217 { 218 throw new ArgumentException("Invalid Private Key"); 219 } 220 221 using (var rsaProvider = new RSACryptoServiceProvider()) 222 { 223 var inputBytes = Convert.FromBase64String(encryptedInput); 224 rsaProvider.FromXmlString(privateKey); 225 int bufferSize = rsaProvider.KeySize / 8; 226 var buffer = new byte[bufferSize]; 227 using (MemoryStream inputStream = new MemoryStream(inputBytes), 228 outputStream = new MemoryStream()) 229 { 230 while (true) 231 { 232 int readSize = inputStream.Read(buffer, 0, bufferSize); 233 if (readSize <= 0) 234 { 235 break; 236 } 237 238 var temp = new byte[readSize]; 239 Array.Copy(buffer, 0, temp, 0, readSize); 240 var rawBytes = rsaProvider.Decrypt(temp, false); 241 outputStream.Write(rawBytes, 0, rawBytes.Length); 242 } 243 return Encoding.UTF8.GetString(outputStream.ToArray()); 244 } 245 } 246 } 247 #endregion 248 249 #region 加密 Encrypt(string text,string publickey) 250 /// <summary> 251 /// 加密(无限长度) 252 /// </summary> 253 /// <param name="text">待加密串</param> 254 /// <param name="publickey">公钥</param> 255 /// <returns></returns> 256 public static string Encrypt(string text, string publickey) 257 { 258 RSA _publicKeyRsaProvider = CreateRsaProviderFromPublicKey(publickey); 259 if (_publicKeyRsaProvider == null) 260 { 261 throw new Exception("_publicKeyRsaProvider is null"); 262 } 263 var inputBytes = Encoding.UTF8.GetBytes(text); 264 int bufferSize = (_publicKeyRsaProvider.KeySize / 8) - 11;//单块最大长度 265 var buffer = new byte[bufferSize]; 266 using (MemoryStream inputStream = new MemoryStream(inputBytes), 267 outputStream = new MemoryStream()) 268 { 269 while (true) 270 { //分段加密 271 int readSize = inputStream.Read(buffer, 0, bufferSize); 272 if (readSize <= 0) 273 { 274 break; 275 } 276 277 var temp = new byte[readSize]; 278 Array.Copy(buffer, 0, temp, 0, readSize); 279 var encryptedBytes = _publicKeyRsaProvider.Encrypt(temp, RSAEncryptionPadding.Pkcs1); 280 outputStream.Write(encryptedBytes, 0, encryptedBytes.Length); 281 } 282 return Convert.ToBase64String(outputStream.ToArray());//转化为字节流方便传输 283 } 284 } 285 /// <summary> 286 /// 分段加密 287 /// </summary> 288 /// <param name="rawInput"></param> 289 /// <param name="publicKey"></param> 290 /// <returns></returns> 291 private string RsaEncrypt(string rawInput, string publicKey) 292 { 293 if (string.IsNullOrEmpty(rawInput)) 294 { 295 return string.Empty; 296 } 297 298 if (string.IsNullOrWhiteSpace(publicKey)) 299 { 300 throw new ArgumentException("Invalid Public Key"); 301 } 302 303 using (var rsaProvider = new RSACryptoServiceProvider()) 304 { 305 var inputBytes = Encoding.UTF8.GetBytes(rawInput);//有含义的字符串转化为字节流 306 rsaProvider.FromXmlString(publicKey);//载入公钥 307 int bufferSize = (rsaProvider.KeySize / 8) - 11;//单块最大长度 308 var buffer = new byte[bufferSize]; 309 using (MemoryStream inputStream = new MemoryStream(inputBytes), 310 outputStream = new MemoryStream()) 311 { 312 while (true) 313 { //分段加密 314 int readSize = inputStream.Read(buffer, 0, bufferSize); 315 if (readSize <= 0) 316 { 317 break; 318 } 319 320 var temp = new byte[readSize]; 321 Array.Copy(buffer, 0, temp, 0, readSize); 322 var encryptedBytes = rsaProvider.Encrypt(temp, false); 323 outputStream.Write(encryptedBytes, 0, encryptedBytes.Length); 324 } 325 return Convert.ToBase64String(outputStream.ToArray());//转化为字节流方便传输 326 } 327 } 328 } 329 #endregion 330 331 #region 私有方法 332 /// <summary> 333 /// 使用私钥创建RSA实例 334 /// </summary> 335 /// <param name="privateKey">私钥</param> 336 /// <returns></returns> 337 private static RSA CreateRsaProviderFromPrivateKey(string privateKey) 338 { 339 var privateKeyBits = Convert.FromBase64String(privateKey); 340 341 var rsa = RSA.Create(); 342 var rsaParameters = new RSAParameters(); 343 344 using (BinaryReader binr = new BinaryReader(new MemoryStream(privateKeyBits))) 345 { 346 byte bt = 0; 347 ushort twobytes = 0; 348 twobytes = binr.ReadUInt16(); 349 if (twobytes == 0x8130) 350 binr.ReadByte(); 351 else if (twobytes == 0x8230) 352 binr.ReadInt16(); 353 else 354 throw new Exception("Unexpected value read binr.ReadUInt16()"); 355 356 twobytes = binr.ReadUInt16(); 357 if (twobytes != 0x0102) 358 throw new Exception("Unexpected version"); 359 360 bt = binr.ReadByte(); 361 if (bt != 0x00) 362 throw new Exception("Unexpected value read binr.ReadByte()"); 363 364 rsaParameters.Modulus = binr.ReadBytes(GetIntegerSize(binr)); 365 rsaParameters.Exponent = binr.ReadBytes(GetIntegerSize(binr)); 366 rsaParameters.D = binr.ReadBytes(GetIntegerSize(binr)); 367 rsaParameters.P = binr.ReadBytes(GetIntegerSize(binr)); 368 rsaParameters.Q = binr.ReadBytes(GetIntegerSize(binr)); 369 rsaParameters.DP = binr.ReadBytes(GetIntegerSize(binr)); 370 rsaParameters.DQ = binr.ReadBytes(GetIntegerSize(binr)); 371 rsaParameters.InverseQ = binr.ReadBytes(GetIntegerSize(binr)); 372 } 373 374 rsa.ImportParameters(rsaParameters); 375 return rsa; 376 } 377 378 /// <summary> 379 /// 使用公钥创建RSA实例 380 /// </summary> 381 /// <param name="publicKeyString">公钥</param> 382 /// <returns></returns> 383 private static RSA CreateRsaProviderFromPublicKey(string publicKeyString) 384 { 385 // encoded OID sequence for PKCS #1 rsaEncryption szOID_RSA_RSA = "1.2.840.113549.1.1.1" 386 byte[] seqOid = { 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00 }; 387 byte[] seq = new byte[15]; 388 389 var x509Key = Convert.FromBase64String(publicKeyString); 390 391 // --------- Set up stream to read the asn.1 encoded SubjectPublicKeyInfo blob ------ 392 using (MemoryStream mem = new MemoryStream(x509Key)) 393 { 394 using (BinaryReader binr = new BinaryReader(mem)) //wrap Memory Stream with BinaryReader for easy reading 395 { 396 byte bt = 0; 397 ushort twobytes = 0; 398 399 twobytes = binr.ReadUInt16(); 400 if (twobytes == 0x8130) //data read as little endian order (actual data order for Sequence is 30 81) 401 binr.ReadByte(); //advance 1 byte 402 else if (twobytes == 0x8230) 403 binr.ReadInt16(); //advance 2 bytes 404 else 405 return null; 406 407 seq = binr.ReadBytes(15); //read the Sequence OID 408 if (!CompareBytearrays(seq, seqOid)) //make sure Sequence for OID is correct 409 return null; 410 411 twobytes = binr.ReadUInt16(); 412 if (twobytes == 0x8103) //data read as little endian order (actual data order for Bit String is 03 81) 413 binr.ReadByte(); //advance 1 byte 414 else if (twobytes == 0x8203) 415 binr.ReadInt16(); //advance 2 bytes 416 else 417 return null; 418 419 bt = binr.ReadByte(); 420 if (bt != 0x00) //expect null byte next 421 return null; 422 423 twobytes = binr.ReadUInt16(); 424 if (twobytes == 0x8130) //data read as little endian order (actual data order for Sequence is 30 81) 425 binr.ReadByte(); //advance 1 byte 426 else if (twobytes == 0x8230) 427 binr.ReadInt16(); //advance 2 bytes 428 else 429 return null; 430 431 twobytes = binr.ReadUInt16(); 432 byte lowbyte = 0x00; 433 byte highbyte = 0x00; 434 435 if (twobytes == 0x8102) //data read as little endian order (actual data order for Integer is 02 81) 436 lowbyte = binr.ReadByte(); // read next bytes which is bytes in modulus 437 else if (twobytes == 0x8202) 438 { 439 highbyte = binr.ReadByte(); //advance 2 bytes 440 lowbyte = binr.ReadByte(); 441 } 442 else 443 return null; 444 byte[] modint = { lowbyte, highbyte, 0x00, 0x00 }; //reverse byte order since asn.1 key uses big endian order 445 int modsize = BitConverter.ToInt32(modint, 0); 446 447 int firstbyte = binr.PeekChar(); 448 if (firstbyte == 0x00) 449 { //if first byte (highest order) of modulus is zero, don't include it 450 binr.ReadByte(); //skip this null byte 451 modsize -= 1; //reduce modulus buffer size by 1 452 } 453 454 byte[] modulus = binr.ReadBytes(modsize); //read the modulus bytes 455 456 if (binr.ReadByte() != 0x02) //expect an Integer for the exponent data 457 return null; 458 int expbytes = (int)binr.ReadByte(); // should only need one byte for actual exponent data (for all useful values) 459 byte[] exponent = binr.ReadBytes(expbytes); 460 461 // ------- create RSACryptoServiceProvider instance and initialize with public key ----- 462 var rsa = RSA.Create(); 463 RSAParameters rsaKeyInfo = new RSAParameters 464 { 465 Modulus = modulus, 466 Exponent = exponent 467 }; 468 rsa.ImportParameters(rsaKeyInfo); 469 470 return rsa; 471 } 472 473 } 474 } 475 476 /// <summary> 477 /// 导入密钥算法 478 /// </summary> 479 /// <param name="binr">BinaryReader</param> 480 /// <returns></returns> 481 private static int GetIntegerSize(BinaryReader binr) 482 { 483 byte bt = 0; 484 int count = 0; 485 bt = binr.ReadByte(); 486 if (bt != 0x02) 487 return 0; 488 bt = binr.ReadByte(); 489 490 if (bt == 0x81) 491 count = binr.ReadByte(); 492 else 493 if (bt == 0x82) 494 { 495 var highbyte = binr.ReadByte(); 496 var lowbyte = binr.ReadByte(); 497 byte[] modint = { lowbyte, highbyte, 0x00, 0x00 }; 498 count = BitConverter.ToInt32(modint, 0); 499 } 500 else 501 { 502 count = bt; 503 } 504 505 while (binr.ReadByte() == 0x00) 506 { 507 count -= 1; 508 } 509 binr.BaseStream.Seek(-1, SeekOrigin.Current); 510 return count; 511 } 512 513 private static bool CompareBytearrays(byte[] a, byte[] b) 514 { 515 if (a.Length != b.Length) 516 return false; 517 int i = 0; 518 foreach (byte c in a) 519 { 520 if (c != b[i]) 521 return false; 522 i++; 523 } 524 return true; 525 } 526 527 #endregion 528 } 529 530 public enum RSAType 531 { 532 /// <summary> 533 /// SHA1 534 /// </summary> 535 RSA = 0, 536 /// <summary> 537 /// RSA2 密钥长度至少为2048 538 /// SHA256 539 /// </summary> 540 RSA2 541 }
生成证书源码:
1 static void Main(string[] args) 2 { 3 /* 4 前言:最近有个需求是需要对文档进行签名,考虑到数字签名证书问题,所以生成一个自签名的数字证书; 5 描述:本示例基于BouncyCastle.Crypto组件提供的算法生成证书, 6 演示了生成了cer证书、pfx证书及加载pfx证书对字符串加密解密 7 8 */ 9 10 var takeEffect = DateTime.Now; // 生效时间 11 var loseEffect = DateTime.Now.AddYears(2); // 失效时间 12 var password = "ABCD123456"; //证书密码 13 var signatureAlgorithm = "SHA256WITHRSA"; //签名算法 14 var friendlyName = $"{Guid.NewGuid().ToString("N")}dpps.fun"; // 别名 15 16 // 获取颁发者DN 17 X509Name issuer = GetIssuer(); 18 19 // 获取使用者DN 20 X509Name subject = GetSubject(); 21 22 // 证书存放目录 23 string file = System.Environment.CurrentDirectory + "\\Cert\\"; 24 if (!Directory.Exists(file)) 25 { 26 Directory.CreateDirectory(file); 27 } 28 string pfxPath = $"{file}{friendlyName}.pfx"; 29 string certPath = $"{file}{friendlyName}.cer"; 30 31 // 生成证书 32 GenerateCertificate(certPath, pfxPath, password, signatureAlgorithm, issuer, subject, takeEffect, loseEffect, friendlyName); 33 34 // 加载PFX证书 35 LoadingPfxCertificate(pfxPath, password); 36 37 Console.WriteLine("OK"); 38 Console.ReadLine(); 39 } 40 41 /// <summary> 42 /// 获取使用者DN. 43 /// </summary> 44 /// <returns>使用者DN.</returns> 45 private static X509Name GetSubject() 46 { 47 // 使用者DN 48 return new X509Name( 49 new ArrayList 50 { 51 X509Name.C, 52 X509Name.O, 53 X509Name.CN 54 }, 55 new Hashtable 56 { 57 [X509Name.C] = "CN", 58 [X509Name.O] = "ICH", 59 [X509Name.CN] = "*.dpps.fun" 60 } 61 ); 62 } 63 64 /// <summary> 65 /// 获取颁发者DN. 66 /// </summary> 67 /// <returns>颁发者DN.</returns> 68 private static X509Name GetIssuer() 69 { 70 // 颁发者DN 71 return new X509Name( 72 new ArrayList 73 { 74 X509Name.C, 75 X509Name.O, 76 X509Name.OU, 77 X509Name.L, 78 X509Name.ST, 79 X509Name.E, 80 }, 81 new Hashtable 82 { 83 [X509Name.C] = "CN",// 证书的语言 84 [X509Name.O] = "dpps.fun",//设置证书的办法者 85 [X509Name.OU] = "dpps.fun Fulu RSA CA 2020", 86 [X509Name.L] = "dpps", 87 [X509Name.ST] = "dpps", 88 [X509Name.E] = "472067093@qq.com", 89 } 90 ); 91 } 92 93 94 /// <summary> 95 /// 生成证书 96 /// </summary> 97 /// <param name="certPath">certPath(只含公钥)</param> 98 /// <param name="pfxPath">pfxPath(含公私钥)</param> 99 /// <param name="password">证书密码</param> 100 /// <param name="signatureAlgorithm">设置将用于签署此证书的签名算法</param> 101 /// <param name="issuer">设置此证书颁发者的DN</param> 102 /// <param name="subject">设置此证书使用者的DN</param> 103 /// <param name="takeEffect">证书生效时间</param> 104 /// <param name="loseEffect">证书失效时间</param> 105 /// <param name="friendlyName">设置证书友好名称(可选)</param> 106 /// <param name="keyStrength">密钥长度</param> 107 public static void GenerateCertificate( 108 string certPath, 109 string pfxPath, 110 string password, 111 string signatureAlgorithm, 112 X509Name issuer, 113 X509Name subject, 114 DateTime takeEffect, 115 DateTime loseEffect, 116 string friendlyName, 117 int keyStrength = 2048) 118 { 119 SecureRandom random = new SecureRandom(new CryptoApiRandomGenerator()); 120 var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength); 121 var keyPairGenerator = new RsaKeyPairGenerator(); //RSA密钥对生成器 122 keyPairGenerator.Init(keyGenerationParameters); 123 var subjectKeyPair = keyPairGenerator.GenerateKeyPair(); 124 ISignatureFactory signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, subjectKeyPair.Private, random); 125 //the certificate generator 126 127 X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); 128 129 var spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(subjectKeyPair.Public); 130 131 //允许作为一个CA证书(可以颁发下级证书或进行签名) 132 certificateGenerator.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); 133 134 //使用者密钥标识符 135 certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki)); 136 137 //授权密钥标识符 138 certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(spki)); 139 140 certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth)); 141 142 //证书序列号 143 BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random); 144 145 certificateGenerator.SetSerialNumber(serialNumber); 146 147 certificateGenerator.SetIssuerDN(issuer); //颁发者信息 148 149 certificateGenerator.SetSubjectDN(subject); //使用者信息 150 151 certificateGenerator.SetNotBefore(takeEffect); //证书生效时间 152 153 certificateGenerator.SetNotAfter(loseEffect); //证书失效时间 154 155 certificateGenerator.SetPublicKey(subjectKeyPair.Public); 156 157 Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory); 158 159 //生成cer证书,公钥证 160 var certificate2 = new X509Certificate2(DotNetUtilities.ToX509Certificate(certificate)) 161 { 162 FriendlyName = friendlyName, //设置友好名称 163 }; 164 // cer公钥文件 165 var bytes = certificate2.Export(X509ContentType.Cert); 166 using (var fs = new FileStream(certPath, FileMode.Create)) 167 { 168 fs.Write(bytes, 0, bytes.Length); 169 } 170 171 //另一种代码生成p12证书的方式(要求使用.net standard 2.1) 172 //certificate2 = certificate2.CopyWithPrivateKey(DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)keyPair.Private)); 173 //var bytes2 = certificate2.Export(X509ContentType.Pfx, password); 174 //using (var fs = new FileStream(pfxPath, FileMode.Create)) 175 //{ 176 // fs.Write(bytes2, 0, bytes2.Length); 177 //} 178 179 // 生成pfx证书,公私钥证 180 var certEntry = new X509CertificateEntry(certificate); 181 var store = new Pkcs12StoreBuilder().Build(); 182 store.SetCertificateEntry(friendlyName, certEntry); //设置证书 183 var chain = new X509CertificateEntry[1]; 184 chain[0] = certEntry; 185 store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), chain); //设置私钥 186 using (var fs = File.Create(pfxPath)) 187 { 188 store.Save(fs, password.ToCharArray(), random); //保存 189 }; 190 } 191 192 /// <summary> 193 /// 加载证书 194 /// </summary> 195 /// <param name="pfxPath"></param> 196 /// <param name="password"></param> 197 private static void LoadingPfxCertificate(string pfxPath, string password) 198 { 199 //加载证书 200 X509Certificate2 pfx = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable); 201 var keyPair = DotNetUtilities.GetKeyPair(pfx.PrivateKey); 202 var subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(keyPair.Public); 203 var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(keyPair.Private); 204 var privateKey = Base64.ToBase64String(privateKeyInfo.ParsePrivateKey().GetEncoded()); 205 var publicKey = Base64.ToBase64String(subjectPublicKeyInfo.GetEncoded()); 206 Console.ForegroundColor = ConsoleColor.DarkYellow; 207 208 Console.WriteLine("Pfx证书私钥:"); 209 Console.WriteLine(privateKey); 210 Console.WriteLine("Pfx证书公钥:"); 211 Console.WriteLine(publicKey); 212 213 var beEncryptedData = "hello rsa"; 214 Console.WriteLine($"加密原文:{beEncryptedData}"); 215 var cipherText = RSAHelper.Encrypt(beEncryptedData, publicKey); 216 Console.WriteLine("加密结果:"); 217 Console.WriteLine(cipherText); 218 219 var datares = RSAHelper.Decrypt(cipherText, privateKey); 220 Console.WriteLine($"解密结果:{datares}"); 221 }
完全源码地址:https://github.com/daileass/CreateSelfSignedCertificateByBouncyCastle.git
