CertificateAutorityServer/CAUtilLib/CaUtil_openssl.cs

using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using System;
using System.Diagnostics;
using System.Diagnostics.Metrics;
using System.Reflection;
using System.Runtime.ConstrainedExecution;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml.Linq;

namespace CAUtilLib
{
    public partial class CaUtil_openssl
    {
        /// <summary>
        /// 建構子生成路徑可透過SetPath進行路徑覆寫
        /// </summary>
        public CaUtil_openssl(ILogger<CaUtil> logger)
        {
            if (string.IsNullOrWhiteSpace(this.path))
            {
                string path = Directory.GetCurrentDirectory();
                //string parentPath = Directory.GetParent(Directory.GetParent(Directory.GetParent(Directory.GetParent(path).ToString()).ToString()).ToString()) + @"\";
                string filePath = Path.Combine(path, "temp");
                bool exists = Directory.Exists(filePath);
                if (!exists)
                {
                    CreateFolder(filePath);
                    MoveFile(@"zerova_v3.cnf", filePath + @"\zerova_v3.cnf");
                }
                this.path = filePath;
            }

            this.logger = logger;
        }

        private string path = "";
        private readonly ILogger<CaUtil> logger;

        /// <summary>
        /// 檔案路徑
        /// </summary>
        public string SavePath
        {
            get => path;
            set
            {
                if (this.path == value)
                {
                    return;
                }

                this.path = value;
                string filePath = this.path;
                CreateFolder(filePath);
                MoveFile(@"zerova_v3.cnf", Path.Combine(filePath, @"zerova_v3.cnf"));
            }
        }

        public OSType OS { get; set; }

        private string ExecuteShell => OS == OSType.Windows ? "cmd.exe" : "/bin/bash";
        private string CatCmd => OS == OSType.Windows ? "type " : "cat";

        /// <summary>
        /// 生成RootCA憑證
        /// </summary>
        /// <param name="name">Root CA</param>
        /// <param name="Days">憑證有效期限</param>
        /// <param name="SerialNumber">序號</param>
        /// <param name="Cn">主機名或網站地址</param>
        /// <param name="organizationName">組織名稱</param>
        /// <param name="Hash">使用SHA256/SHA512演算法進行簽名</param>
        /// <param name="RsaKey">生成2048位元或4096位元的私鑰</param>
        /// <param name="Caformat">生成crt 或者pem 格式</param>
        /// <returns></returns>
        public async Task<bool> CreateRootCA(
            string name, 
            string commonName,
            string organizationName,
            string Country = "TW",
            string State = "Taipei",
            int Days = 3650,
            string SerialNumber = "",
            HashAlgorithm Hash = HashAlgorithm.SHA512,
            OpensslGenrsaRsa RsaKey = OpensslGenrsaRsa.Key4096)
        {
            if (string.IsNullOrEmpty(SerialNumber))
            {
                SerialNumber = await GetOpenSSLRandSn();
            }

            var status = false;
            var keyName = "";
            keyName = name;
            string sn = "0x" + SerialNumber;
            HashAlgorithm ha = Hash;
            var sslKey = (int)RsaKey;

            var subjString = CreateSubjectString(CommonName: commonName, Organization: organizationName, Country: Country, State: State);

            if (await CreateKey(keyName, RsaKey) &&
                await ExecShellCmd("openssl", $"req -x509 -new -nodes -set_serial {sn} -key {keyName}.key -{ha} -days {Days} -subj \"{subjString}\" -out {name}.crt ") &&
                await MergeFile($"{name}.pem", $"{name}.crt", $"{keyName}.key")
                //&& await ExecShellCmd("certutil", $"-f -addstore root {RootCa}.crt ") 
                //&& await ExecShellCmd("certutil", $"-f -addstore root {RootCa}.crt ")
                )
            {
                return true;
            }

            return false;
            //create
            string[] strs = new string[5];
            strs[0] = "openssl genrsa  -out " + keyName + ".key " + sslKey + " ";
            strs[1] = "openssl req -x509 -new -nodes  -set_serial " + sn + " -key " + keyName + ".key  -" + ha + " -days " + Days + "  -subj \"/C=TW/ST=Taipei/O=" + organizationName + "/OU=phihong_sub.IO/CN=" + commonName + "/emailAddress=phihong_sub@mail.com\" -out " + name + ".crt ";
            strs[2] = CatCmd + name + ".crt " + keyName + ".key > " + name + ".pem ";
            strs[3] = "certutil -f -addstore root " + name + ".crt ";
            strs[4] = "certutil -f -addstore root " + name + ".crt ";

            for (int i = 0; i < strs.Length; i++)
            {
                var process = new Process
                {
                    StartInfo = new ProcessStartInfo
                    {
                        FileName = ExecuteShell,
                        Arguments = "/C " + strs[i],
                        WorkingDirectory = this.path,
                        StandardOutputEncoding = Encoding.UTF8,
                        RedirectStandardOutput = true,
                        RedirectStandardError = true,
                        UseShellExecute = false,
                        Verb = "runas"
                    }
                };

                process.Start();
                _ = process.StandardOutput.ReadToEndAsync().ContinueWith(( t => {
                    logger.LogTrace(t.Result);
                }));
                _ = process.StandardError.ReadToEndAsync().ContinueWith((t => {
                    logger.LogTrace(t.Result);
                }));
                await process.WaitForExitAsync();
                if (process.ExitCode != 0)
                {
                    return false;
                }
            }

            return status;
        }

        /// <summary>
        /// 生成SubCA子憑證
        /// </summary>
        /// <param name="RootCaName">CA憑證名稱</param>
        /// <param name="Days">憑證有效期限</param>
        /// <param name="SubCA">子憑證名稱</param>
        /// <param name="SerialNumber">序號</param>
        /// <param name="commonName">主機名或網站地址</param>
        /// <param name="organizationName">組織名稱</param>
        /// <param name="Hash">使用SHA256/SHA512演算法進行簽名</param>
        /// <param name="RsaKey">生成2048位元或4096位元的私鑰</param>
        /// <param name="Caformat">生成crt 或者pem 格式</param>
        /// <returns></returns>        
        public async Task<bool> CreateSubCA(string RootCa, string Days,
        string SubCA, string SerialNumber, string commonName, string organizationName, HashAlgorithm Hash, OpensslGenrsaRsa RsaKey, Certificateformat Caformat)
        {

            if (string.IsNullOrEmpty(SerialNumber))
            {
                SerialNumber = await GetOpenSSLRandSn();
            }

            var status = false;
            var str = "";
            string sn = "0x" + SerialNumber;
            //hashAlgorithm ha = Hash;
            var sslKey = (int)RsaKey;
            Certificateformat format = Caformat;

            if (await ExecShellCmd("openssl", $"genrsa -out {SubCA}.key {sslKey}") &&
                await ExecShellCmd("openssl", $"req -new -{Hash} -nodes -key {SubCA}.key -out {SubCA}.csr -subj \"/C=TW/ST=Taipei/O={organizationName}/OU=phihong_sub.IO/CN={commonName}/emailAddress=phihong_sub@mail.com\" ") &&
                await ExecShellCmd("openssl", $"x509 -set_serial {sn} -req -in {SubCA}.csr -CA {RootCa}.crt -CAkey {RootCa}.key -CAcreateserial -out {SubCA}.crt -days {Days} -sha256 -extfile zerova_v3.cnf  ") &&
                await MergeFile($"{SubCA}.pem", $"{SubCA}.crt", $"{SubCA}.key"))
            {
                return true;
            }
            return false;


            string[] strs = new string[4];
            strs[0] = "openssl genrsa -out " + SubCA + ".key " + sslKey + "  ";
            strs[1] = "openssl req -new -" + Hash + " -nodes -key " + SubCA + ".key -out " + SubCA + ".csr -subj \"/C=TW/ST=Taipei/O=" + organizationName + "/OU=phihong_sub.IO/CN=" + commonName + "/emailAddress=phihong_sub@mail.com\" ";
            //var str8 = "openssl x509 -set_serial " + sn + " -req -in " + subKeyName + ".csr -CA " + caPath + "\\" + crtName + ".crt -CAkey " + this.path + "\\" + rootCaName + ".key -CAcreateserial -out " + subKeyName + ".crt -days " + days + "   -sha256 -extfile zerova_v3.cnf  ";
            strs[2] = "openssl x509 -set_serial " + sn + " -req -in " + SubCA + ".csr -CA " + RootCa + ".crt -CAkey " + this.path + "\\" + RootCa + ".key -CAcreateserial -out " + SubCA + ".crt -days " + Days + "   -sha256 -extfile zerova_v3.cnf  ";
            strs[3] = CatCmd + SubCA + ".crt " + SubCA + ".key > " + SubCA + ".pem ";


            for (int i = 0; i < strs.Length; i++)
            {
                var process = new Process
                {
                    StartInfo = new ProcessStartInfo
                    {
                        FileName = ExecuteShell,
                        Arguments = "/C " + strs[i],
                        WorkingDirectory = this.path,//"D:\\project\\vs\\ConsoleApp2",
                        RedirectStandardOutput = true,
                        UseShellExecute = false,
                        Verb = "runas"
                    }
                };

                process.Start();
                string output = process.StandardOutput.ReadToEnd();
                await process.WaitForExitAsync();
            }
            return status;
        }

        public async Task<bool> SignCsr(string SubCA, string RootCa, int? Days = null, string? SerialNumber = null)
        {
            Days ??= 3650;

            if (string.IsNullOrEmpty(SerialNumber))
            {
                SerialNumber = await GetOpenSSLRandSn();
            }
            string sn = "0x" + SerialNumber;

            if (await ExecShellCmd("openssl", $"x509 -set_serial {sn} -req -in {SubCA}.csr -CA {RootCa}.crt -CAkey {RootCa}.key -CAcreateserial -out {SubCA}.crt -days {Days} -sha256 -extfile zerova_v3.cnf  "))
            {
                return true;
            }
            return false;
        }

        /// <summary>
        /// 生成Csr 檔案
        /// </summary>
        /// <param name="Key">key 名稱</param>
        /// <param name="Csr">csr 名稱</param>
        /// <param name="commonName">主機名或網站地址</param>
        /// <param name="organizationName">組織名稱</param>
        /// <returns></returns>
        public async Task<bool> CreateCsr(
            string Key,
            string Csr,
            string commonName, 
            string organizationName,
            HashAlgorithm Hash = HashAlgorithm.SHA512)
        {
            var status = false;
            var subjString = CreateSubjectString(CommonName: commonName, Organization: organizationName, Country: "TW", State: "Taipei");

            if (await ExecShellCmd("openssl", $"req -new -{Hash} -nodes -key {Key}.key -out {Csr}.csr -subj \"{subjString}\" "))
            {
                return true;
            }
            return false;

            string[] strs = new string[4];
            strs[0] = "openssl req -new -SHA256 -nodes -key " + Key + ".key -out " + Csr + ".csr -subj \"/C=TW/ST=Taipei/O=" + organizationName + "/OU=phihong_sub.IO/CN=" + commonName + "/emailAddress=phihong_sub@mail.com\"  ";
            for (int i = 0; i < strs.Length; i++)
            {
                var process = new Process
                {
                    StartInfo = new ProcessStartInfo
                    {
                        FileName = ExecuteShell,
                        Arguments = "/C " + strs[i],
                        WorkingDirectory = this.path,//"D:\\project\\vs\\ConsoleApp2",
                        RedirectStandardOutput = true,
                        UseShellExecute = false,
                        Verb = "runas"
                    }
                };

                process.Start();
                string output = process.StandardOutput.ReadToEnd();
                await process.WaitForExitAsync();
            }
            return status;
        }

        private object CreateSubjectString(string CommonName = "", string Organization = "", string Country = "", string State = "")
        {
            ///C=TW/ST=Taipei/O={organizationName}/OU=phihong_sub.IO/CN={commonName}/emailAddress=phihong_sub@mail.com\
            var toReturn = string.Empty;
            if (!string.IsNullOrEmpty(Country))
            {
                toReturn += $"/C={Country}";
            }
            if (!string.IsNullOrEmpty(State))
            {
                toReturn += $"/ST={State}";
            }
            if (!string.IsNullOrEmpty(Organization))
            {
                toReturn += $"/O={Organization}";
            }
            if (!string.IsNullOrEmpty(CommonName))
            {
                toReturn += $"/CN={CommonName}";
            }
            return toReturn;
        }

        /// <summary>
        /// 讀取憑證資訊
        /// </summary>
        /// <param name="path">檔案名稱</param>
        /// <param name="fileName">檔案路徑</param>
        /// <returns></returns>
        public string ReadCertificateHashData(string path, string fileName)//改成接收pem string 格式
        {
            var json = "";
            var file = Path.Combine(path, fileName);
            X509Certificate2 certificate = new X509Certificate2(file);


            X509Extension extension = certificate.Extensions["2.5.29.35"];
            var issuer_key_hash = "";
            if (extension != null)
            {
                issuer_key_hash = extension.Format(true);
            }

            string hashAlgorithm = certificate.SignatureAlgorithm.FriendlyName;


            string serialNumber = certificate.SerialNumber;
            byte[] issuerDER = certificate.IssuerName.RawData;
            SHA1 sha1 = SHA1.Create();
            byte[] hashBytes = sha1.ComputeHash(issuerDER);

            var data = new
            {
                hashAlgorithm = hashAlgorithm,
                issuerNameHash = BitConverter.ToString(hashBytes).Replace("-", ""),
                issuerKeyHash = issuer_key_hash,
                serialNumber = serialNumber,
                thumbprint = certificate.Thumbprint
            };
            string thumbprint = certificate.Thumbprint;

            json = JsonConvert.SerializeObject(data);
            return json;
        }

        /// <summary>
        /// 讀取憑證資訊
        /// </summary>
        /// <param name="FileName">檔案名稱</param>
        /// <returns></returns>
        public string ReadCertificateHashData(string fileName)
        {
            var json = "";
            var file = Path.Combine(this.path, fileName);
            X509Certificate2 certificate = new X509Certificate2(file);

            X509Extension extension = certificate.Extensions["2.5.29.35"];
            var issuer_key_hash = "";
            if (extension != null)
            {
                issuer_key_hash = extension.Format(true);
            }

            string hashAlgorithm = certificate.SignatureAlgorithm.FriendlyName;

            string serialNumber = certificate.SerialNumber;
            byte[] issuerDER = certificate.IssuerName.RawData;
            SHA1 sha1 = SHA1.Create();
            byte[] hashBytes = sha1.ComputeHash(issuerDER);

            var data = new
            {
                hashAlgorithm,
                issuerNameHash = BitConverter.ToString(hashBytes).Replace("-", ""),
                issuerKeyHash = issuer_key_hash,
                serialNumber,
                thumbprint = certificate.Thumbprint
            };
            string thumbprint = certificate.Thumbprint;

            json = JsonConvert.SerializeObject(data);
            return json;
        }

        /// <summary>
        /// PEM 格式的憑證的內容
        /// </summary>
        /// <param name="str">憑證內容</param>
        /// <returns></returns>
        public string ReadCertificateHashDataByString(string str)
        {
            var json = "";
            byte[] UTF8bytes = Encoding.UTF8.GetBytes(str);
            X509Certificate2 certificate = new X509Certificate2(UTF8bytes);


            X509Extension extension = certificate.Extensions["2.5.29.35"];
            var issuer_key_hash = "";
            if (extension != null)
            {
                issuer_key_hash = extension.Format(true);
            }

            string hashAlgorithm = certificate.SignatureAlgorithm.FriendlyName;


            string serialNumber = certificate.SerialNumber;
            byte[] issuerDER = certificate.IssuerName.RawData;
            SHA1 sha1 = SHA1.Create();
            byte[] hashBytes = sha1.ComputeHash(issuerDER);

            var data = new
            {
                hashAlgorithm = hashAlgorithm,
                issuerNameHash = BitConverter.ToString(hashBytes).Replace("-", ""),
                issuerKeyHash = issuer_key_hash,
                serialNumber = serialNumber,
                thumbprint = certificate.Thumbprint
            };
            string thumbprint = certificate.Thumbprint;

            json = JsonConvert.SerializeObject(data);
            return json;
        }


        /// <summary>
        /// 驗證client憑證
        /// </summary>
        /// <param name="StrCA">CA憑證</param>
        /// <param name="StrSub">子憑證</param>
        /// <param name="Url">url localhost:3000</param>
        /// <returns></returns>
        public async Task<bool> VerifyClient(string CA, string SubCA, string Url)
        {
            var str = "";
            bool isExists = false;
            if (await ExecShellCmd("openssl", $"s_client -connect {Url} -CAfile {CA} -cert {SubCA} -tls1_2 -state"))
            {
                return true;
            }
            return false;


            var str1 = "openssl s_client -connect " + Url + " -CAfile " + CA + " -cert " + SubCA + " -tls1_2 -state  ";

            str = await ClientCmd(str1);
            string searchString = "(ok)";
            string line = GetLineFromString(str, searchString);
            if (line != null)
                isExists = line.Contains(searchString);
            return isExists;
        }

        /// <summary>
        /// Cmd字串指令
        /// </summary>
        /// <param name="str1">字串指令</param>
        /// <returns></returns>
        private async Task<string> ClientCmd(string str1)
        {
            var status = false;

            var str = "";
            string[] strs = { str1 };
            for (int i = 0; i < strs.Length; i++)
            {
                var process = new Process
                {
                    StartInfo = new ProcessStartInfo
                    {
                        FileName = ExecuteShell,
                        Arguments = "/C " + strs[i],
                        WorkingDirectory = this.path,//"D:\\project\\vs\\ConsoleApp2",
                        RedirectStandardOutput = true,
                        UseShellExecute = false,
                        //Verb = "runas"
                    }
                };

                process.Start();
                var output = new List<string>();
                while (process.StandardOutput.Peek() > -1)
                {
                    output.Add(process.StandardOutput.ReadLine());
                }

                process.Kill();
                str = string.Join("", output.ToArray());

            }
            return str;
        }

        /// <summary>
        ///  將Root CA與Sub CA進行憑證驗證
        /// </summary>
        /// <param name="Ca">CA檔案名稱</param>
        /// <param name="Sub">SubCA憑證名稱</param>
        /// <returns>True/Flase</returns>
        public async Task<bool> VerifyCertificateByCertificate(string Sub, string Ca)
        {
            if (await ExecShellCmd("openssl", $"verify -CAfile {Ca} {Sub}"))
            {
                return true;
            }
            return false;

            var status = true;
            var str = "";
            var str1 = "openssl verify -CAfile " + Ca + " " + Sub;

            bool isExists = false;
            str = await ClientCmd(str1);
            string searchString = "OK";
            string line = GetLineFromString(str, searchString);
            if (line != null)
                isExists = line.Contains(searchString);
            return isExists;
        }

        public async Task<bool> VerifyCertificateByCertificates(string Sub, string CaPath)
        {
            if (await ExecShellCmd("openssl", $"verify -CApath {CaPath} {Sub}"))
            {
                return true;
            }
            return false;
        }

        public async Task<bool> CalculateHash(string CrtName,string hashName)
        {
            if (await ExecShellCmd("openssl", $"x509 -in {CrtName} -hash -noout -out {hashName}"))
            {
                return true;
            }
            return false;
        }

        /// <summary>
        /// Crt轉Pem
        /// </summary>
        /// <param name="CaName">檔案名稱</param>
        /// <returns></returns>
        public async Task<bool> CrtToPem(string CaName)
        {
            if (await ExecShellCmd("openssl", $"x509 -in {CaName}.crt -out {CaName}.pem"))
            {
                return true;
            }
            return false;

            var status = false;
            var str = "openssl x509 -in " + CaName + ".crt -out " + CaName + ".pem  ";

            var process = new Process
            {
                StartInfo = new ProcessStartInfo
                {
                    FileName = ExecuteShell,
                    Arguments = "/C " + str,
                    WorkingDirectory = this.path,
                    RedirectStandardOutput = true,
                    UseShellExecute = false,
                    Verb = "runas"
                }
            };

            process.Start();
            string output = process.StandardOutput.ReadToEnd();
            await process.WaitForExitAsync();
            return status;
        }

        /// <summary>
        /// Pem轉Crt
        /// </summary>
        /// <param name="CaName">檔案名稱</param>
        /// <returns></returns>
        public async Task<bool> PemToCrt(string CaName)
        {
            if (await ExecShellCmd("openssl", $"x509 -outform der -in {CaName}.pem -out {CaName}.crt"))
            {
                return true;
            }
            return false;

            var status = false;
            var str = "openssl x509 -outform der -in " + CaName + ".pem -out " + CaName + ".crt  ";

            var process = new Process
            {
                StartInfo = new ProcessStartInfo
                {
                    FileName = ExecuteShell,
                    Arguments = "/C " + str,
                    WorkingDirectory = this.path,
                    RedirectStandardOutput = true,
                    UseShellExecute = false,
                    Verb = "runas"
                }
            };

            process.Start();
            string output = process.StandardOutput.ReadToEnd();
            await process.WaitForExitAsync();
            return status;
        }

        public async Task<bool> CreateKey(string keyName,
            OpensslGenrsaRsa RsaKey = OpensslGenrsaRsa.Key4096)
        {
            var sslKey = (int)RsaKey;
            if (await ExecShellCmd("openssl", $"genrsa -out {keyName}.key {sslKey}"))
            {
                return true;
            }
            return false;
        }

        /// <summary>
        /// 產生資料夾
        /// </summary>
        /// <param name="path"></param>
        /// <returns></returns>
        private bool CreateFolder(string path)
        {
            string subPath = path;
            bool status = true;
            bool exists = Directory.Exists(subPath);
            status = !exists;

            if (status)
            {
                Directory.CreateDirectory(subPath);
            }

            return status;
        }

        /// <summary>
        /// 確認檔案是否存在
        /// </summary>
        /// <param name="filePath"></param>
        /// <returns></returns>
        private bool CheckFiles(string FilePath)
        {
            bool status = true;
            bool exists = File.Exists(FilePath);
            status = exists;
            return status;
        }

        /// <summary>
        /// 檔案搬移
        /// </summary>
        /// <param name="file"></param>
        /// <param name="moveTo"></param>
        /// <returns></returns>
        private bool MoveFile(string file, string moveTo)
        {
            bool status = false;
            if (CheckFiles(file) &&
                !CheckFiles(moveTo))
            {
                //File.Move(file, moveTo);
                File.Copy(file, moveTo, true);
                status = true;
            }
            else
            {

            }
            return status;
        }

        /// <summary>
        /// 取得第幾行的字串
        /// </summary>
        /// <param name="InputString"></param>
        /// <param name="SearchString"></param>
        /// <returns></returns>
        private static string GetLineFromString(string InputString, string SearchString)
        {
            using (StringReader reader = new StringReader(InputString))
            {
                int lineNumber = 1;
                string line = "";
                while ((line = reader.ReadLine()) != null)
                {
                    if (line.Contains(SearchString))
                    {
                        return line;
                    }
                    lineNumber++;
                }

                return reader.ReadLine();
            }
        }



    }
}