# 1. Generate a fresh 2048-bit RSA key pair and a certificate signing request for it.
#    -nodes: the private key is written to secret.key *unencrypted* (no passphrase),
#    so the file's permissions are the only thing protecting it.
#    -subj: sets the distinguished name non-interactively (C/ST/L/O/emailAddress).
openssl req -nodes -sha256 -newkey rsa:2048 -keyout secret.key -out request.csr -subj /C=RU/ST=Rostov-na-Donu/L=city/O=COMPANY/emailAddress=EMAIL@site.ru/

# 2. Self-sign the request (-signkey: signed with the same key that made the CSR),
#    valid for 3650 days (~10 years), and attach the extensions from the [ v3_ca ]
#    section of the named config file.
openssl x509 -req -sha256 -days 3650 -in request.csr -signkey secret.key -out cert.crt -extfile /etc/ssl/openssl.cnf -extensions v3_ca

# 3. Dump the certificate in text form so the extensions actually applied can be checked.
openssl x509 -in cert.crt -text

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
# NOTE(review): this is the section the `openssl x509 -req ... -extensions v3_ca` command
# above points at. As shown here it contains no basicConstraints line, so whether the
# certificate ends up marked as a CA depends on whatever else the real config section
# holds - confirm against the `openssl x509 -text` output.
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
# emailProtection + clientAuth is an end-entity (S/MIME / client-authentication) profile.
extendedKeyUsage = emailProtection, clientAuth
subjectKeyIdentifier=hash
# The certificate is self-signed (-signkey above), so the authority key id refers to its own key.
authorityKeyIdentifier=keyid:always,issuer

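/// <summary>
/// Produces a detached CMS/PKCS#7 signature over <paramref name="data"/> using the
/// private key of <paramref name="certificate"/>, with SHA-256 as the digest algorithm.
/// </summary>
/// <param name="certificate">Signer certificate; it must carry a usable private key.</param>
/// <param name="data">Content to sign. It is not embedded in the result.</param>
/// <returns>
/// The DER-encoded SignedData structure. Because the signature is detached, a verifier
/// must supply the same <paramref name="data"/> bytes again (see <see cref="ValidateCmsSignature"/>).
/// </returns>
/// <exception cref="ArgumentNullException">Either argument is null.</exception>
/// <exception cref="CryptographicException">Thrown by the CMS layer if signing fails.</exception>
public static byte[] Sign(X509Certificate2 certificate, byte[] data)
{
    if (data == null)
        throw new ArgumentNullException(nameof(data));
    if (certificate == null)
        throw new ArgumentNullException(nameof(certificate));

    // detached = true: the SignedData carries the signer info but not the content itself.
    var content = new ContentInfo(data);
    var signedCms = new SignedCms(content, detached: true);

    // Pin the digest explicitly to SHA-256 (2.16.840.1.101.3.4.2.1) instead of relying
    // on whatever the framework's CmsSigner default happens to be.
    var signer = new CmsSigner(certificate)
    {
        DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1", "sha256"),
    };

    signedCms.ComputeSignature(signer);
    return signedCms.Encode();
}
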
/// <summary>
/// Encodes <paramref name="arg"/> as base64url (RFC 4648 §5): standard base64 with
/// '+' mapped to '-', '/' mapped to '_', and the trailing '=' padding removed.
/// </summary>
/// <param name="arg">Bytes to encode.</param>
/// <returns>The unpadded base64url string; empty for an empty input.</returns>
/// <exception cref="ArgumentNullException">Thrown by <see cref="Convert.ToBase64String(byte[])"/> when <paramref name="arg"/> is null.</exception>
public static string Base64UrlEncode(byte[] arg)
{
    var encoded = Convert.ToBase64String(arg);

    // Padding only ever appears at the end, so cutting at the first '=' drops all of it.
    var padIndex = encoded.IndexOf('=');
    if (padIndex >= 0)
    {
        encoded = encoded.Substring(0, padIndex);
    }

    // Swap the two characters that are not URL/filename safe.
    return encoded.Replace('+', '-').Replace('/', '_');
}

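/// <summary>
/// Verifies a detached CMS signature (as produced by <see cref="Sign"/>) over
/// <paramref name="data"/> and confirms that it was made by <paramref name="certificate"/>.
/// </summary>
/// <remarks>
/// Only the cryptographic signature is checked (verifySignatureOnly = true): no chain
/// building, trust, revocation or validity-period checks are performed. A CMS message may
/// carry its own signer certificate, and the collection passed to CheckSignature only helps
/// locate signers - it does not restrict them - so every SignerInfo's certificate is
/// additionally compared byte-for-byte with <paramref name="certificate"/>. Without that,
/// a message signed by any key whose certificate is embedded in it would verify.
/// </remarks>
/// <param name="data">The content that was signed (not contained in the signature).</param>
/// <param name="signature">DER-encoded detached SignedData.</param>
/// <param name="certificate">The certificate expected to have produced the signature (public key suffices).</param>
/// <returns>
/// true if the signature decodes, verifies, and was made by <paramref name="certificate"/>;
/// false on any decoding or verification failure or signer mismatch.
/// </returns>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
public static bool ValidateCmsSignature(byte[] data, byte[] signature, X509Certificate2 certificate)
{
    if (data == null)
        throw new ArgumentNullException(nameof(data));
    if (signature == null)
        throw new ArgumentNullException(nameof(signature));
    if (certificate == null)
        throw new ArgumentNullException(nameof(certificate));

    // detached = true: the content is supplied here, not read from the SignedData.
    var signedCms = new SignedCms(new ContentInfo(data), detached: true);

    try
    {
        signedCms.Decode(signature);
        signedCms.CheckSignature(new X509Certificate2Collection(certificate), verifySignatureOnly: true);
    }
    catch (CryptographicException)
    {
        // Malformed message or invalid signature: "not valid" is the answer, not an error.
        return false;
    }

    if (signedCms.SignerInfos.Count == 0)
        return false;

    // Every signer must be the certificate the caller asked about.
    foreach (SignerInfo signerInfo in signedCms.SignerInfos)
    {
        if (!IsSameCertificate(signerInfo.Certificate, certificate))
            return false;
    }

    return true;
}

// Compares two certificates by their full DER encoding (RawData) rather than by
// thumbprint or issuer/serial, so two distinct certificates can never compare equal.
private static bool IsSameCertificate(X509Certificate2 candidate, X509Certificate2 expected)
{
    if (candidate == null)
        return false;

    byte[] left = candidate.RawData;
    byte[] right = expected.RawData;
    if (left.Length != right.Length)
        return false;

    for (int i = 0; i < left.Length; i++)
    {
        if (left[i] != right[i])
            return false;
    }

    return true;
}
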
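/// <summary>
/// Verifies a raw RSA PKCS#1 v1.5 signature over the SHA-256 digest of
/// <paramref name="data"/> using the public key of <paramref name="certificate"/>.
/// </summary>
/// <param name="data">The signed content.</param>
/// <param name="signature">The RSA signature bytes.</param>
/// <param name="certificate">Certificate whose public key verifies the signature; no chain or trust checks are made.</param>
/// <returns>
/// true if the signature verifies; false if it does not, if it is malformed, or if the
/// certificate does not hold an RSA public key.
/// </returns>
/// <exception cref="ArgumentNullException">Any argument is null.</exception>
public static bool ValidateSignature(byte[] data, byte[] signature, X509Certificate2 certificate)
{
    if (data == null)
        throw new ArgumentNullException(nameof(data));
    if (signature == null)
        throw new ArgumentNullException(nameof(signature));
    if (certificate == null)
        throw new ArgumentNullException(nameof(certificate));

    // GetRSAPublicKey() hands back a new RSA instance that this method owns and may dispose,
    // and it works for every RSA implementation, not only RSACryptoServiceProvider.
    // (PublicKey.Key, used before, returns an object belonging to the certificate; disposing
    // it can break later use of the same certificate.)
    using (RSA rsa = certificate.GetRSAPublicKey())
    {
        if (rsa == null)
            return false; // not an RSA certificate

        try
        {
            // VerifyData hashes with SHA-256 and checks the PKCS#1 v1.5 signature in one step;
            // the earlier VerifyData + VerifyHash pair verified the very same signature twice.
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (CryptographicException)
        {
            // Some providers throw rather than return false for a malformed signature.
            return false;
        }
    }
}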