Removed BouncyCastle dependency

sadreck · sadreck · commit babb024473ec · 2023-07-30T12:15:52.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Codecepticon Changelog
 
+## v1.2.2
+
+* `[Update]` Removed `BouncyCastle` dependency, now certificates are generated using native .NET functionality.
+
 ## v1.2.1
 
 * `[New]` C#: Added support for renaming Structs.
diff --git a/Codecepticon/Codecepticon.csproj b/Codecepticon/Codecepticon.csproj
@@ -9,7 +9,7 @@
 	<LangVersion>9.0</LangVersion>
 	<PackageId>Codecepticon</PackageId>
 	<Title>Codecepticon</Title>
-	<Version>1.2.1</Version>
+	<Version>1.2.2</Version>
 	<Authors>Pavel Tsakalidis</Authors>
 	<Company>Accenture Security</Company>
 	<Product>Codecepticon</Product>
@@ -57,7 +57,6 @@
 
   <ItemGroup>
     <PackageReference Include="Antlr4.Runtime.Standard" Version="4.9.2" />
-    <PackageReference Include="BouncyCastle" Version="1.8.9" />
     <PackageReference Include="Microsoft.Build" Version="17.3.1" ExcludeAssets="runtime" />
     <PackageReference Include="Microsoft.Build.Locator" Version="1.5.3" />
     <PackageReference Include="Microsoft.CodeAnalysis.Analyzers" Version="3.3.3" PrivateAssets="all" />
diff --git a/Codecepticon/Modules/Sign/CertificateManager.cs b/Codecepticon/Modules/Sign/CertificateManager.cs
@@ -1,101 +1,69 @@
 ﻿using Codecepticon.Utils;
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.Crypto.Generators;
-using Org.BouncyCastle.Crypto.Operators;
-using Org.BouncyCastle.Crypto.Prng;
-using Org.BouncyCastle.Math;
-using Org.BouncyCastle.Pkcs;
-using Org.BouncyCastle.Security;
-using Org.BouncyCastle.Utilities;
-using Org.BouncyCastle.X509;
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 
 namespace Codecepticon.Modules.Sign
 {
     class CertificateManager
     {
-        private const string SignatureAlgorithm = "SHA256WithRSA";
-
         private const int KeyLength = 2048;
 
         public bool GenerateCertificate(string Subject, string Issuer, DateTime NotBefore, DateTime NotAfter, string Password, string PfxOutput)
         {
-            // https://mcse.cloud/create-a-self-signed-certificate-with-bouncy-castle-and-c/
-            Logger.Debug("Initialising random generators and certificate generators...");
-            SecureRandom secureRandom = new SecureRandom(new CryptoApiRandomGenerator());
-
-            X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
-
-            // Create and set serial number.
-            Logger.Verbose("Setting up certificate properties...");
-            BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), secureRandom);
-            certificateGenerator.SetSerialNumber(serialNumber);
-
-            Logger.Debug("Creating Subject: " + Subject);
-            X509Name subjectDN = new X509Name(true, Subject);
-            certificateGenerator.SetSubjectDN(subjectDN);
-
-            Logger.Debug("Creating Issuer: " + Issuer);
-            X509Name issuerDN = new X509Name(true, Issuer);
-            certificateGenerator.SetIssuerDN(issuerDN);
-
-            Logger.Debug("Setting NotBefore: " + NotBefore);
-            certificateGenerator.SetNotBefore(NotBefore);
-            Logger.Debug("Setting NotAfter: " + NotAfter);
-            certificateGenerator.SetNotAfter(NotAfter);
-
-            KeyGenerationParameters keyGeneration = new KeyGenerationParameters(secureRandom, KeyLength);
-
-            // Create RSA key.
-            Logger.Verbose("Generating RSA keypair...");
-            RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
-            keyPairGenerator.Init(keyGeneration);
-            AsymmetricCipherKeyPair keyPair = keyPairGenerator.GenerateKeyPair();
-
-            // Add the public/private keys to the certificate generator.
-            Logger.Debug("Setting public key...");
-            certificateGenerator.SetPublicKey(keyPair.Public);
-            ISignatureFactory signatureFactory = new Asn1SignatureFactory(SignatureAlgorithm, keyPair.Private, secureRandom);
-            X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
-
-            Logger.Debug("Creating keystore...");
-            Pkcs12Store keyStore = new Pkcs12Store();
-            X509CertificateEntry certificateEntry = new X509CertificateEntry(certificate);
-            keyStore.SetCertificateEntry(certificate.SubjectDN.ToString(), certificateEntry);
-            keyStore.SetKeyEntry(certificate.SubjectDN.ToString(), new AsymmetricKeyEntry(keyPair.Private), new[] { certificateEntry });
-
-            // Convert to .NET Certificate.
-            Logger.Debug("Converting to a .NET certificate...");
-            MemoryStream stream = new MemoryStream();
-            keyStore.Save(stream, Password.ToCharArray(), secureRandom);
+            // https://stackoverflow.com/a/48210587/2445959
+            RSA keyPair = RSA.Create(KeyLength);
+
+            Logger.Verbose("Generating issuer certificate...");
+            Logger.Verbose("Issuer is " + Issuer);
+            X509Certificate2 certificateIssuer = GenerateIssuerCertificate(Issuer, NotBefore, NotAfter);
+
+            Logger.Info("Generating signing certificate...");
+            Logger.Verbose("Subject is " + Subject);
+            CertificateRequest certRequest = new(Subject, keyPair, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
+            certRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
+            //certRequest.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.8") }, true));
+            certRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(certRequest.PublicKey, false));
+            X509Certificate2 cert = certRequest.Create(certificateIssuer, NotBefore, NotAfter, new byte[] { 1, 2, 3, 4 });
+
+            // Add the private key back to the certificate.
+            X509Certificate2 certificate = cert.CopyWithPrivateKey(keyPair);
+
+            Logger.Info("Exporting certificate to file...");
+            File.WriteAllBytes(PfxOutput, certificate.Export(X509ContentType.Pfx, Password));
+            
+            return true;
+        }
 
-            System.Security.Cryptography.X509Certificates.X509Certificate2 netCertificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(stream.ToArray(), Password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet | System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable);
+        private X509Certificate2 GenerateIssuerCertificate(string Issuer, DateTime NotBefore, DateTime NotAfter)
+        {
+            RSA keyPair = RSA.Create(KeyLength);
 
-            Logger.Verbose("Writing certificate to " + PfxOutput);
-            File.WriteAllBytes(PfxOutput, netCertificate.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx, Password));
-            return true;
+            CertificateRequest issuerRequest = new(Issuer, keyPair, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
+            issuerRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
+            issuerRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(issuerRequest.PublicKey, false));
+            return issuerRequest.CreateSelfSigned(NotBefore, NotAfter);
         }
 
         public bool CheckPfxPassword(string pfxFile, string password)
         {
             try
             {
-                Pkcs12Store keyStore = new Pkcs12Store(File.OpenRead(pfxFile), password.ToCharArray());
-            } catch (Exception e)
+                X509Certificate2 certificate = new(pfxFile, password);
+            }
+            catch (Exception e)
             {
                 return false;
             }
-            
+
             return true;
         }
 
-        public System.Security.Cryptography.X509Certificates.X509Certificate GetCertificateFromFile(string signedFile)
+        public X509Certificate GetCertificateFromFile(string signedFile)
         {
-            return System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromSignedFile(signedFile);
+            return X509Certificate.CreateFromSignedFile(signedFile);
         }
     }
 }
