Generate PKI using Bouncy Castle: An Example

Lộc Nguyễn

4.05/5 (4 votes)

Jan 4, 2018

CPOL

20176

584

Generate Key Pair and Cert Request

Download source code - 9 KB

Introduction

I've been given a task similar to this. After searching documentation and code examples, I came up with this solution. Now I'd like to share with you.

Setup

Create the project (either .NET Console, WPF or .NET Core Console, UWP). Then add Bouncy Castle Nuget package:

The Code

PKI Model

The PKI is modeled to contain the Key-Pair and CSR:

    public class Pki
    {
        public string PrivateKey { get; set; }
        public string PublicKey { get; set; }
        public string Csr { get; set; }
    }

The Input

First comes the Key Length and Hashing Algorithm:

    public enum RsaKeyLength
    {
        Length2048Bits = 2048, Length3072Bits = 3072, Length4096Bits = 4096
    }

    public enum SignatureAlgorithm
    {
        SHA1, SHA256, SHA512
    }

You can provide additional options if needed, SHA384 for example.

Then additional input, such as: common name (Fully Qualified Domain Name, FQDN), organization, city, state, country, email address, etc. So, the out main method signature is as follows:

            Pki pki = GenPki(commonName: "mail.google.com",
                organization: "Google Inc.",
                organizationalUnit: "Information Technology",
                locality: "San Diego",
                state: "California",
                countryIso2Characters: "US",
                emailAddress: "support@google.com",
                signatureAlgorithm: SignatureAlgorithm.SHA256,
                rsaKeyLength: RsaKeyLength.Length2048Bits);

The Generator

        public static Pki GenPki(
            string commonName,
            string organization,
            string organizationalUnit,
            string locality,
            string state,
            string countryIso2Characters = "US",
            string emailAddress = "",
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.SHA256,
            RsaKeyLength rsaKeyLength = RsaKeyLength.Length2048Bits)
        {
            Pki pki = new Pki();

            #region Determine Signature Algorithm

            string signatureAlgorithmStr;
            switch (signatureAlgorithm)
            {
                case SignatureAlgorithm.SHA1:
                    signatureAlgorithmStr = PkcsObjectIdentifiers.Sha1WithRsaEncryption.Id;
                    break;

                case SignatureAlgorithm.SHA256:
                    signatureAlgorithmStr = PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id;
                    break;

                case SignatureAlgorithm.SHA512:
                    signatureAlgorithmStr = PkcsObjectIdentifiers.Sha512WithRsaEncryption.Id;
                    break;

                default:
                    signatureAlgorithmStr = PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id;
                    break;
            }

            #endregion Determine Signature Algorithm

            #region Cert Info

            IDictionary attrs = new Hashtable();

            attrs.Add(X509Name.CN, commonName);
            attrs.Add(X509Name.O, organization);
            attrs.Add(X509Name.OU, organizationalUnit);
            attrs.Add(X509Name.L, locality);
            attrs.Add(X509Name.ST, state);
            attrs.Add(X509Name.C, countryIso2Characters);
            attrs.Add(X509Name.EmailAddress, emailAddress);

            X509Name subject = new X509Name(new ArrayList(attrs.Keys), attrs);

            #endregion Cert Info

            #region Key Generator

            RsaKeyPairGenerator rsaKeyPairGenerator = new RsaKeyPairGenerator();
            rsaKeyPairGenerator.Init(new KeyGenerationParameters
               (new SecureRandom(new CryptoApiRandomGenerator()), (int)rsaKeyLength));
            AsymmetricCipherKeyPair pair = rsaKeyPairGenerator.GenerateKeyPair();

            #endregion Key Generator

            #region CSR Generator

            Asn1SignatureFactory signatureFactory = new Asn1SignatureFactory
                                             (signatureAlgorithmStr, pair.Private);

            Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest
                             (signatureFactory, subject, pair.Public, null, pair.Private);

            #endregion CSR Generator

            #region Convert to PEM and Output

            #region Private Key

            StringBuilder privateKeyStrBuilder = new StringBuilder();
            PemWriter privateKeyPemWriter = new PemWriter(new StringWriter(privateKeyStrBuilder));
            privateKeyPemWriter.WriteObject(pair.Private);
            privateKeyPemWriter.Writer.Flush();

            pki.PrivateKey = privateKeyStrBuilder.ToString();

            #endregion Private Key

            #region Public Key

            StringBuilder publicKeyStrBuilder = new StringBuilder();
            PemWriter publicKeyPemWriter = new PemWriter(new StringWriter(publicKeyStrBuilder));
            publicKeyPemWriter.WriteObject(pair.Private);
            publicKeyPemWriter.Writer.Flush();

            pki.PublicKey = publicKeyStrBuilder.ToString();

            #endregion Public Key

            #region CSR

            StringBuilder csrStrBuilder = new StringBuilder();
            PemWriter csrPemWriter = new PemWriter(new StringWriter(csrStrBuilder));
            csrPemWriter.WriteObject(csr);
            csrPemWriter.Writer.Flush();

            pki.Csr = csrStrBuilder.ToString();

            #endregion CSR

            #endregion Convert to PEM and Output

            return pki;
        }

The code above is self-explanatory. Put a break point, you will get the result similar to something like this: