La cadena de certificados está rota

Question

La cadena de certificados está rota

#1 de Iftah (1 votos)

1

Estoy tratando de crear una cadena de certificados usando el castillo hinchable.

Primero creo un certificado de CA:

public static void CreateCertificateAuthorityCertificate(string commonNameValue, [CanBeNull] out AsymmetricKeyParameter caPrivateKey, out X509Certificate2 caCert)
    {
        const int keyStrength = 2048;

        var random = GetSeededSecureRandom();

        // The Certificate Generator
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        certificateGenerator.SetSerialNumber(serialNumber);

        // Issuer and Subject Name
        X509Name subjectDN = new X509Name("CN=" + commonNameValue);
        X509Name issuerDN = subjectDN;
        certificateGenerator.SetIssuerDN(issuerDN);
        certificateGenerator.SetSubjectDN(subjectDN);

        // Valid For
        DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
        DateTime notAfter = notBefore.AddYears(2);

        certificateGenerator.SetNotBefore(notBefore);
        certificateGenerator.SetNotAfter(notAfter);

        // Subject Public Key
        var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
        var keyPairGenerator = new RsaKeyPairGenerator();
        keyPairGenerator.Init(keyGenerationParameters);
        var subjectKeyPair = keyPairGenerator.GenerateKeyPair();

        certificateGenerator.SetPublicKey(subjectKeyPair.Public);

        // Generating the Certificate
        var issuerKeyPair = subjectKeyPair;
        ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);

        // selfsign certificate
        var certificate = certificateGenerator.Generate(signatureFactory);

        caPrivateKey = issuerKeyPair.Private;
        caCert = new X509Certificate2(certificate.GetEncoded());
    }

Luego, uso el siguiente código dos veces.

La primera vez, genero un "Certificado de servidor" que se usará para generar certificados de cliente. En este caso, uso la clave privada del certificado CA y isClientCertificate establecido en falso.

Luego, utilizo el mismo código para generar el "Certificado de Cliente", esta vez usando la clave privada del "Certificado de Servidor" e isClientCertificate establecido en verdadero.

public static X509Certificate2 CreateSelfSignedCertificateBasedOnPrivateKey(string commonNameValue, X509Certificate2 issuerCertificate, AsymmetricKeyParameter issuerPrivKey, bool isClientCertificate, int yearsUntilExpiration)
    {
        const int keyStrength = 2048;

        // Generating Random Numbers
        var random = GetSeededSecureRandom();
        ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);

        // The Certificate Generator
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

        if (isClientCertificate)
        {
            certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage.Id, true, new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));
        }
        else
        {
            certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, true, 
                new X509KeyUsage(X509KeyUsage.KeyCertSign));
        }

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        certificateGenerator.SetSerialNumber(serialNumber);

        // Issuer and Subject Name
        var readCertificate = new X509CertificateParser().ReadCertificate(issuerCertificate.Export(X509ContentType.Cert));
        X509Name subjectDN = new X509Name("CN=" + commonNameValue);
        certificateGenerator.SetIssuerDN(readCertificate.SubjectDN);
        certificateGenerator.SetSubjectDN(subjectDN);

        // Valid For
        DateTime notBefore = DateTime.UtcNow.Date.AddDays(-7);
        DateTime notAfter = notBefore.AddYears(yearsUntilExpiration);
        certificateGenerator.SetNotBefore(notBefore);
        certificateGenerator.SetNotAfter(notAfter);

        // Subject Public Key
        var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
        var keyPairGenerator = new RsaKeyPairGenerator();
        keyPairGenerator.Init(keyGenerationParameters);
        var subjectKeyPair = keyPairGenerator.GenerateKeyPair();

        certificateGenerator.SetPublicKey(subjectKeyPair.Public);

        X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
        var store = new Pkcs12Store();
        string friendlyName = certificate.SubjectDN.ToString();
        var certificateEntry = new X509CertificateEntry(certificate);
        store.SetCertificateEntry(friendlyName, certificateEntry);
        store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(subjectKeyPair.Private), new[] { certificateEntry });
        var stream = new MemoryStream();
        store.Save(stream, new char[0], random);
        var convertedCertificate =
            new X509Certificate2(
                stream.ToArray(), (string)null,
                X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
        stream.Position = 0;

        return convertedCertificate;
    }

Los certificados de CA y servidor se ven bien, incluida una cadena válida.

Miproblemaesconlacadenadecertificadosdelcliente.

Hayunaadvertenciaamarillaenel"Certificado del servidor" (en la captura de pantalla que se llama CN = iftah-pc), dice: Esta autoridad de certificación no puede emitir certificados o no puede usarse como un certificado de entidad final.

¿Qué estoy haciendo mal?

Utilicé OpenSSL para extraer el contenido del certificado, obtengo:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:67:f2:4b:9a:19:ff:f7
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = IFTAH-PC.ravendb.ca
        Validity
            Not Before: Sep  4 00:00:00 2017 GMT
            Not After : Sep  4 00:00:00 2022 GMT
        Subject: CN = iftah-pc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:d1:b9:21:30:fe:d3:25:ec:f5:7d:c0:70:42:
                    ac:8a:eb:4d:88:5a:ee:8a:a4:c3:93:a8:84:47:bc:
                    ad:56:0a:c4:d9:4a:4f:2d:4b:a1:35:37:ed:24:d9:
                    c1:20:40:c3:4a:3f:59:87:8c:da:00:88:52:24:da:
                    bf:59:bd:48:47:f7:f0:30:ad:87:ec:c6:33:33:8d:
                    b6:a8:f7:5e:94:64:ff:16:02:7d:f2:7c:b1:7d:a3:
                    14:0b:5a:13:50:1a:f7:11:02:40:c6:4f:32:a7:a8:
                    87:a2:e1:73:e9:23:19:1f:5f:53:87:d4:79:5f:20:
                    d8:d9:f9:cd:a3:c6:3f:44:ee:56:d7:2f:a4:f7:6d:
                    58:6e:5f:40:80:40:26:e2:31:ff:d4:5b:57:03:77:
                    f4:e0:3f:48:26:91:a4:cf:11:d7:c9:54:d1:82:8b:
                    16:4b:09:92:7e:3a:ad:75:48:ba:7b:9b:48:07:45:
                    37:20:2a:33:cc:5d:70:b2:62:60:e7:38:ea:d2:09:
                    2f:6f:59:b6:94:f0:f8:c9:fb:7a:53:5f:bb:0b:d8:
                    16:c0:04:7e:06:1d:60:94:50:ae:d3:49:01:35:0d:
                    29:f7:3e:cf:67:7b:57:6d:d3:76:86:44:25:6a:c7:
                    f5:f0:69:34:e8:f3:33:93:d2:32:b5:92:2f:55:96:
                    53:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha512WithRSAEncryption
         59:d8:27:48:62:05:24:cc:1d:c8:b5:23:c1:ee:64:c8:f3:2a:
         f1:ee:67:fb:77:23:ec:a4:80:a3:30:a9:44:b4:4b:36:88:7c:
         cf:65:ac:e7:5e:44:63:ba:a3:01:c2:6f:d3:ea:c9:da:31:72:
         0b:57:87:07:58:0e:ce:c7:ad:df:5b:ff:02:f6:d4:b0:65:8f:
         f7:28:0f:5b:4d:32:75:3b:93:ae:0b:3a:13:c6:29:0f:d2:20:
         a8:3e:80:06:13:f4:ef:8d:af:32:25:ee:79:8a:98:3f:63:3f:
         b8:35:cb:a9:a2:c2:a2:73:aa:ea:c1:e4:c2:02:2d:0a:42:42:
         27:c7:78:2b:3e:c8:a1:89:7c:40:76:75:15:4d:b8:45:a8:06:
         6f:85:d0:fd:2c:8c:ae:e4:27:90:0f:56:a6:17:f0:16:e3:5b:
         38:62:af:01:d0:e3:72:ee:17:ac:8c:fe:91:fe:37:02:41:c3:
         5b:51:26:5d:59:d6:ab:fb:54:6d:05:d3:3c:3c:c7:94:b3:8e:
         3d:57:38:3a:cf:35:c5:ac:93:3d:62:39:85:1d:f7:eb:97:54:
         b1:b5:03:f1:3d:38:b8:d5:ae:0e:3e:b1:ec:e2:b3:0c:a5:95:
         58:58:2d:ba:20:df:a3:35:86:f3:f0:94:9e:13:8e:0c:70:92:
         e3:ba:e5:c4
-----BEGIN CERTIFICATE-----
MIICxTCCAa2gAwIBAgIIRWfyS5oZ//cwDQYJKoZIhvcNAQENBQAwHjEcMBoGA1UE
AwwTSUZUQUgtUEMucmF2ZW5kYi5jYTAeFw0xNzA5MDQwMDAwMDBaFw0yMjA5MDQw
MDAwMDBaMBMxETAPBgNVBAMMCGlmdGFoLXBjMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAtNG5ITD+0yXs9X3AcEKsiutNiFruiqTDk6iER7ytVgrE2UpP
LUuhNTftJNnBIEDDSj9Zh4zaAIhSJNq/Wb1IR/fwMK2H7MYzM422qPdelGT/FgJ9
8nyxfaMUC1oTUBr3EQJAxk8yp6iHouFz6SMZH19Th9R5XyDY2fnNo8Y/RO5W1y+k
921Ybl9AgEAm4jH/1FtXA3f04D9IJpGkzxHXyVTRgosWSwmSfjqtdUi6e5tIB0U3
ICozzF1wsmJg5zjq0gkvb1m2lPD4yft6U1+7C9gWwAR+Bh1glFCu00kBNQ0p9z7P
Z3tXbdN2hkQlasf18Gk06PMzk9IytZIvVZZTcwIDAQABoxIwEDAOBgNVHQ8BAf8E
BAMCAQYwDQYJKoZIhvcNAQENBQADggEBAFnYJ0hiBSTMHci1I8HuZMjzKvHuZ/t3
I+ykgKMwqUS0SzaIfM9lrOdeRGO6owHCb9PqydoxcgtXhwdYDs7Hrd9b/wL21LBl
j/coD1tNMnU7k64LOhPGKQ/SIKg+gAYT9O+NrzIl7nmKmD9jP7g1y6miwqJzqurB
5MICLQpCQifHeCs+yKGJfEB2dRVNuEWoBm+F0P0sjK7kJ5APVqYX8BbjWzhirwHQ
43LuF6yM/pH+NwJBw1tRJl1Z1qv7VG0F0zw8x5Szjj1XODrPNcWskz1iOYUd9+uX
VLG1A/E9OLjVrg4+seziswyllVhYLbog36M1hvPwlJ4TjgxwkuO65cQ=
-----END CERTIFICATE-----

Por lo que puedo ver, he hecho las cosas bien, en particular: X509v3 Key Usage: critical Certificate Sign, CRL Sign está configurado correctamente.

¿Hay algo que me esté perdiendo aquí?

certificate-authority

pregunta Iftah 11.09.2017 - 14:05

fuente

1 respuesta

Lea otras preguntas en las etiquetas certificate-authority

¿Google Assistant escucha todo? [cerrado] Shadowsocks: ¿La comunicación con un solo servidor no parece sospechosa para el GFW?

score 1 · Accepted Answer

Administrado para resolverlo yo mismo, faltaba una restricción básica.

certificateGenerator.AddExtension( X509Extensions.BasicConstraints.Id, true, new BasicConstraints(3) );

Y mediante openssl podemos ver que se agregó una restricción CA:TRUE

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        cf:06:3a:b1:ce:8d:98:f4
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = GB, ST = England, O = Alice Ltd
    Validity
        Not Before: Sep 11 12:53:06 2017 GMT
        Not After : Sep  6 12:53:06 2037 GMT
    Subject: C = GB, ST = England, O = Alice Ltd
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:dc:c5:c9:d3:15:5c:62:d5:2c:9d:e7:74:31:e8:
                96:db:08:c2:4d:3b:68:22:5a:df:e5:56:ef:ad:3a:
                0f:7d:82:6a:ab:f5:a2:5c:11:76:49:38:d0:3b:9f:
                18:8e:99:09:3d:91:14:6b:1f:32:70:05:bc:33:d5:
                73:8e:53:6e:0d:f0:83:44:9d:5b:96:fa:0f:47:27:
                54:3d:6e:a1:71:25:db:04:9b:e3:f6:58:bc:da:b4:
                e1:f2:43:cb:d1:73:f2:1f:3b:b6:c7:de:10:6b:22:
                ee:55:38:6e:79:ac:7d:83:ff:d2:dd:18:0d:9a:89:
                23:7e:01:7a:08:07:04:9d:65:28:1d:05:5c:de:3e:
                d4:ad:62:e4:85:34:94:56:b0:e0:19:10:f3:90:32:
                37:19:06:2f:ba:81:d1:67:d2:cc:89:4d:1d:dd:cf:
                3d:46:27:28:c9:0d:ee:d1:9e:b1:be:de:00:2b:65:
                46:45:18:d2:45:19:de:b3:e1:a3:7c:5d:1d:24:05:
                79:13:57:24:36:b9:ab:07:68:0c:fa:78:eb:84:ee:
                ea:c8:6b:05:96:9f:af:d6:8b:74:97:6f:8b:55:cc:
                6c:50:22:85:f5:fc:ea:fc:08:b2:fc:d2:23:64:59:
                a1:61:55:ef:fb:be:f0:ad:60:41:62:24:07:bf:31:
                0b:93:1b:ee:02:6d:f3:9f:1e:c6:09:69:70:3a:64:
                c4:5f:c0:5a:b8:a3:21:e1:7d:72:96:75:75:db:b0:
                0d:b5:9a:52:b4:d3:13:0e:a4:22:66:8c:47:09:4d:
                82:c5:97:15:9a:f2:f9:38:e4:38:6d:82:53:ce:76:
                45:8d:32:ef:82:0c:5b:12:ac:0d:9f:74:c6:4c:8f:
                13:7a:05:8f:44:d1:70:e6:41:b7:da:74:28:d3:8b:
                a3:d1:24:42:b7:66:35:62:d1:1d:44:8d:62:da:ce:
                b8:39:fb:29:e7:0f:9b:9d:49:c1:c0:5c:41:22:01:
                9d:4c:4a:74:f4:66:30:12:77:c9:44:f2:af:c6:03:
                d3:1c:a4:3f:bb:52:a8:9e:58:b8:97:a2:b0:ce:54:
                9c:2e:ae:2a:0c:15:97:87:b3:c2:29:a8:59:ba:55:
                a4:98:c0:e7:de:54:9d:68:03:df:87:ee:82:b3:c7:
                21:23:ff:63:b7:a8:39:a6:36:21:7a:50:04:53:7b:
                30:20:5b:a5:f2:4d:c3:a4:f2:30:f9:b2:b9:39:87:
                3a:a7:bf:15:1d:71:ad:15:e0:1c:86:4a:25:06:d4:
                d1:2d:be:82:a1:f1:e2:79:d5:32:ad:a9:05:44:dd:
                c4:9a:83:3f:3c:8c:f1:55:ba:17:81:7c:0a:b6:90:
                e0:21:c9
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            44:3F:CD:D2:03:9D:0B:24:D9:FF:AE:7A:8D:23:8C:63:91:FD:EF:6C
        X509v3 Authority Key Identifier:
            keyid:44:3F:CD:D2:03:9D:0B:24:D9:FF:AE:7A:8D:23:8C:63:91:FD:EF:6C

        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
     b9:f6:30:1d:20:e6:19:f5:90:57:95:eb:93:4c:e9:40:ee:b7:
     60:12:83:a5:02:42:b3:c6:51:f5:41:cc:46:b6:c5:40:12:59:
     f7:a2:0b:0e:04:2e:54:f4:55:8e:23:68:f1:2f:f2:a4:80:ea:
     a8:24:45:fc:5a:61:3a:af:96:75:52:e2:fb:f9:28:43:9c:6f:
     0e:2f:08:d9:1f:cc:05:4a:93:40:fe:ab:8b:8d:4b:4f:fe:16:
     b6:89:b4:b6:f2:47:6d:8f:b7:89:71:d1:2f:56:d6:36:0a:7b:
     e0:1e:b3:96:bc:ba:ba:cf:c1:ff:10:45:2d:60:7a:33:11:71:
     84:bd:9e:94:e7:6a:52:8f:2d:e3:6b:b5:23:4c:2e:53:fe:56:
     7e:f1:a0:ba:56:93:65:5a:3c:98:e4:ac:84:e9:ea:4f:fd:4a:
     35:84:f9:d1:82:8c:7f:62:57:85:37:e8:6c:16:b3:0d:8b:08:
     d8:57:e5:e0:d3:b1:91:6d:da:b9:05:e8:2f:2e:34:6a:d6:2a:
     9b:79:1c:4d:0c:a4:56:f1:94:27:58:a5:98:67:c0:91:28:ab:
     96:cf:d0:cd:73:a7:4a:22:5b:f9:97:c0:3b:c7:f7:47:59:60:
     55:7c:70:c5:4c:d0:e8:09:39:91:70:fb:aa:e8:8c:bb:72:66:
     04:7b:15:c1:de:1a:81:42:d7:0e:69:a2:8c:7b:00:c9:2a:be:
     94:0d:a1:ef:6c:40:3c:0b:08:2c:40:32:8f:0e:3b:ec:04:6c:
     a1:d3:3f:21:b1:03:24:c8:86:86:3b:d9:3b:43:11:69:0f:b3:
     d6:0a:6d:a5:f4:36:40:04:41:93:fd:56:ad:ec:68:82:47:9f:
     cb:f5:ad:3b:0e:0a:fc:3e:ad:21:6f:e6:81:fa:56:69:40:d2:
     9e:82:71:1e:a0:f9:8b:a1:82:d9:4d:11:89:85:30:c5:be:e4:
     e2:0d:33:6b:e2:a0:2b:75:4c:df:da:ac:d5:54:4a:fd:bd:06:
     73:4e:85:5b:2c:a7:9e:f2:37:91:2c:e7:07:fb:d7:49:18:3a:
     7f:bc:6a:08:3c:e3:42:c6:c2:58:ec:4a:65:cc:e4:7e:1e:38:
     91:ee:79:cf:23:a9:a1:28:0f:9c:41:ef:64:27:a5:0d:3f:aa:
     0d:40:2c:13:a1:c4:51:6b:c9:a4:4a:b0:57:4d:3a:2e:b0:38:
     a8:5d:f6:94:a6:da:29:20:d2:3f:2c:ba:5c:63:01:a3:77:3f:
     6b:21:f2:01:6a:fe:bf:3b:ff:de:b6:4d:23:d1:3b:08:43:f2:
     c0:97:7a:f4:17:36:71:e7:67:72:9f:c4:61:61:93:9f:33:f8:
     49:f4:b6:99:cf:da:cd:ed

Final feliz :)