Ticket #456 : Develop a screen to generate Certificate Authority

Author: habarthierry-hue

src/IdServer/SimpleIdServer.IdServer.ConformanceSuite.Startup/OtherFeatures.cs

@@ -0,0 +1,75 @@
+using Org.BouncyCastle.Ocsp;
+using System;
+using System.IO;
+using System.Runtime.ConstrainedExecution;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+namespace SimpleIdServer.IdServer.ConformanceSuite.Startup
+{
+    public static class OtherFeatures
+    {
+        private const string DIRECTORYPATH = @"c:\Projects\SimpleIdServer\certificates";
+
+        public static void CreateCertificateAuthority(string caName)
+        {
+            using (RSA parent = RSA.Create(2048))
+            using (RSA rsa = RSA.Create(2048))
+            {
+                CertificateRequest parentReq = new CertificateRequest(
+                "CN=sidCA",
+                parent,
+                HashAlgorithmName.SHA256,
+                RSASignaturePadding.Pkcs1);
+
+                parentReq.CertificateExtensions.Add(
+                    new X509BasicConstraintsExtension(true, false, 0, true));
+
+                parentReq.CertificateExtensions.Add(
+                    new X509SubjectKeyIdentifierExtension(parentReq.PublicKey, false));
+
+                using (X509Certificate2 parentCert = parentReq.CreateSelfSigned(
+                    DateTimeOffset.UtcNow.AddDays(-45),
+                    DateTimeOffset.UtcNow.AddDays(365)))
+                {
+                    var exported = new X509Certificate2(parentCert.Export(X509ContentType.Pfx, "password"), "password", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
+                    var caPrivateKey = parentCert.GetRSAPrivateKey().ExportRSAPrivateKeyPem();
+                    File.WriteAllText(Path.Combine(DIRECTORYPATH, "sidCA.crt"), SanitizePem(parentCert.ExportCertificatePem()));
+                    File.WriteAllText(Path.Combine(DIRECTORYPATH, "sidCA.key"), SanitizePem(caPrivateKey));
+                    File.WriteAllBytes(Path.Combine(DIRECTORYPATH, "sidCA.pfx"), exported.Export(X509ContentType.Pfx, "password"));
+                    CertificateRequest req = new CertificateRequest(
+                        "CN=sidClient",
+                        rsa,
+                        HashAlgorithmName.SHA256,
+                        RSASignaturePadding.Pkcs1);
+
+                    req.CertificateExtensions.Add(
+                        new X509BasicConstraintsExtension(false, false, 0, false));
+
+                    req.CertificateExtensions.Add(
+                        new X509KeyUsageExtension(
+                            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment,
+                            false));
+
+                    req.CertificateExtensions.Add(
+                        new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
+
+                    using (X509Certificate2 cert = req.Create(
+                        parentCert,
+                        DateTimeOffset.UtcNow.AddDays(-1),
+                        DateTimeOffset.UtcNow.AddDays(90),
+                        new byte[] { 1, 2, 3, 4 }))
+                    {
+                        var privatePem = new string(PemEncoding.Write("PRIVATE KEY", rsa.ExportPkcs8PrivateKey()));
+                        File.WriteAllText(Path.Combine(DIRECTORYPATH, "client.crt"), SanitizePem(cert.ExportCertificatePem()));
+                        File.WriteAllText(Path.Combine(DIRECTORYPATH, "client.key"), SanitizePem(privatePem));
+                        // Do something with these certs, like export them to PFX,
+                        // or add them to an X509Store, or whatever.
+                    }
+                }
+            }
+
+            string SanitizePem(string pem) => pem.Replace("\n", "\r\n");
+        }
+    }
+}

src/IdServer/SimpleIdServer.IdServer.ConformanceSuite.Startup/Program.cs

@@ -11,8 +11,19 @@
 using SimpleIdServer.IdServer.Sms;
 using System;
 using System.Collections.Generic;
+using System.IO;
+using System.Linq;
 using System.Reflection;
 using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+OtherFeatures.CreateCertificateAuthority("");
+
+var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
+store.Open(OpenFlags.ReadOnly);
+var cc = store.Certificates.ToList();
+var tt = store.Certificates.Find(X509FindType.FindBySubjectName, "sidCA", true).First();
+var pp = tt.Export(X509ContentType.Pfx, "password");
 
 var builder = WebApplication.CreateBuilder(args);
 builder.Services.Configure<KestrelServerOptions>(options =>

src/IdServer/SimpleIdServer.IdServer.ConformanceSuite.Startup/SimpleIdServer.IdServer.ConformanceSuite.Startup.csproj

@@ -19,6 +19,7 @@
 		<PrivateAssets>all</PrivateAssets>
 		<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
 	  </PackageReference>
+	  <PackageReference Include="Portable.BouncyCastle" Version="1.9.0" />
 	</ItemGroup>
 	<ItemGroup>
 	  <Compile Update="Resources\AccountsResource.Designer.cs">
@@ -132,4 +133,7 @@
 	    <LastGenOutput>LayoutResource.Designer.cs</LastGenOutput>
 	  </EmbeddedResource>
 	</ItemGroup>
+	<ItemGroup>
+	  <Folder Include="Cert\" />
+	</ItemGroup>
 </Project>

src/IdServer/SimpleIdServer.IdServer.Domains/CertificateAuthority.cs

@@ -0,0 +1,31 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using System.Security.Cryptography.X509Certificates;
+
+namespace SimpleIdServer.IdServer.Domains
+{
+    public class CertificateAuthority
+    {
+        public string Id { get; set; } = null!;
+        public string SubjectName { get; set; } = null!;
+        public CertificateAuthoritySources Source { get; set; } = CertificateAuthoritySources.DB;
+        public StoreLocation? StoreLocation { get; set; } = null;
+        public StoreName? StoreName { get; set; } = null;
+        public X509FindType? FindType { get; set; } = null;
+        public string? FindValue { get; set; } = null;
+        public string? Password { get; set; } = null;
+        public string? PublicKey { get; set; } = null;
+        public string? PrivateKey { get; set; } = null;
+        public DateTime StartDateTime { get; set; }
+        public DateTime EndDateTime { get; set; }
+        public DateTime UpdateDateTime { get; set; }
+        public ICollection<ClientCertificate> ClientCertificates { get; set; } = new List<ClientCertificate>();
+        public ICollection<Realm> Realms { get; set; } = new List<Realm>();
+    }
+
+    public enum CertificateAuthoritySources
+    {
+        DB = 0,
+        CERTIFICATESTORE = 1
+    }
+}

src/IdServer/SimpleIdServer.IdServer.Domains/ClientCertificate.cs

@@ -0,0 +1,12 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+namespace SimpleIdServer.IdServer.Domains
+{
+    public class ClientCertificate
+    {
+        public string Id { get; set; } = null!;
+        public string PublicKey { get; set; } = null!;
+        public string PrivateKey { get; set; } = null!;
+        public CertificateAuthority CertificateAuthority { get; set; }
+    }
+}

src/IdServer/SimpleIdServer.IdServer.Domains/Realm.cs

@@ -15,6 +15,7 @@ public class Realm
         public ICollection<AuthenticationContextClassReference> AuthenticationContextClassReferences { get; set; } = new List<AuthenticationContextClassReference>();
         public ICollection<AuthenticationSchemeProvider> AuthenticationSchemeProviders { get; set; } = new List<AuthenticationSchemeProvider>();
         public ICollection<ApiResource> ApiResources { get; set; } = new List<ApiResource>();
-        public ICollection<SerializedFileKey> SerializedFileKeys { get; set; }
+        public ICollection<SerializedFileKey> SerializedFileKeys { get; set; } = new List<SerializedFileKey>();
+        public ICollection<CertificateAuthority> CertificateAuthorities { get; set; } = new List<CertificateAuthority>();
     }
 }

src/IdServer/SimpleIdServer.IdServer.Startup/IdServerConfiguration.cs

@@ -65,5 +65,10 @@ public class IdServerConfiguration
         {
             Constants.StandardRealms.Master
         };
+
+        public static ICollection<CertificateAuthority> CertificateAuthorities = new List<CertificateAuthority>
+        {
+            CertificateAuthorityBuilder.Create("CN=simpleIdServerCA", Constants.StandardRealms.Master).Build()
+        };
     }
 }