private static RSA CreateRSAKeyFromPem(string key)
{
TextReader reader = new StringReader(key);
PemReader pemReader = new PemReader(reader);
object result = pemReader.ReadObject();
RSA provider = RSA.Create();
if (result is AsymmetricCipherKeyPair keyPair)
{
var rsaParams = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)keyPair.Private);
provider.ImportParameters(rsaParams);
return(provider);
}
else if (result is RsaKeyParameters keyParameters)
{
var rsaParams = DotNetUtilities.ToRSAParameters(keyParameters);
provider.ImportParameters(rsaParams);
return(provider);
}
throw new Exception("Unexpected PEM type");
}
public void ReadInvalidLabel()
{
const string pem = @"
-----BEGIN CERTIFICATE
MIIDCDCCAfCgAwIBAgIUB9Mxn1KLNBaTKu6pYdn3W1EBvWkwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAwwJQXp1cmUgU0RLMB4XDTIxMDIwNDE5MzUzNVoXDTIxMTAy
NzE5MzUzNVowFDESMBAGA1UEAwwJQXp1cmUgU0RLMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA20VE95MMlyn7yu76XmEPBV5Gj7Sn0BzavGTYc497HXRp
y4Ec8edX5C6u7QpO+eQOVlFAbeyIg1/IMGdod8Quarx11mqCyBhXVlStrjqoNTIo
00OA9EFrWjka2ZYrLxlnS6k/w2k18nQE+FP63DIX1OkXU3TxHfVhZWwHgObq5jWz
x4EjG37hnYSJknAB/71N9f2g63cUM28HcGDfMzNrEhbk+TpFfGg3rZiosHybDyDH
x88jTxRxFYBiaWQpNOzZA+M9XUeUK3rdxOfj5JL8ExWGuPMj9QNKGcKkccrLoMtM
5hFP9R8f9nBeeYrmAUsZwU7HWUfaTzWH4goWfZRFQQIDAQABo1IwUDAJBgNVHRME
AjAAMAsGA1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATAhBgNVHREEGjAY
gRZhenVyZXNka0BtaWNyb3NvZnQuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAbUn/U
IrlqGYv417Zwx00VEKOsis3Hafof6KjxQKzHwhNZ2EhLSNIRPrzK3ITbR2f0ZoCO
J5RnL11/KiLA1C9i38aAiekMxxYYikVWkpQHc3BB85v+lhSm5cuSvrdVeTcCXDTA
rJUjjPW4aQuo0GyzL4v1M1U2pByKsVCYAikuLmQKS2zXLoyW3ana1aQYyh2/3cXm
lkApwUZg00+9hRWxv0DTh/mRS2zu5i/9W+cZbIcRah0JHgOzAjvsyY9RHjqZ9r7c
Md7RrFHxnAKJj5TZJJJOf5h3OaaF3A5W8gf9Bc68aGQLFT5Y2afIawkYNSULypc3
pn29yMivL7r48dlo";
Assert.IsFalse(PemReader.TryRead(pem.AsSpan(), out _));
}
public void ReadsPrivateKey(string lineEnding)
{
string pem =
$"-----BEGIN PRIVATE KEY-----{lineEnding}" +
$"MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbRUT3kwyXKfvK{lineEnding}" +
$"7vpeYQ8FXkaPtKfQHNq8ZNhzj3sddGnLgRzx51fkLq7tCk755A5WUUBt7IiDX8gw{lineEnding}" +
$"Z2h3xC5qvHXWaoLIGFdWVK2uOqg1MijTQ4D0QWtaORrZlisvGWdLqT/DaTXydAT4{lineEnding}" +
$"U/rcMhfU6RdTdPEd9WFlbAeA5urmNbPHgSMbfuGdhImScAH/vU31/aDrdxQzbwdw{lineEnding}" +
$"YN8zM2sSFuT5OkV8aDetmKiwfJsPIMfHzyNPFHEVgGJpZCk07NkD4z1dR5Qret3E{lineEnding}" +
$"5+PkkvwTFYa48yP1A0oZwqRxysugy0zmEU/1Hx/2cF55iuYBSxnBTsdZR9pPNYfi{lineEnding}" +
$"ChZ9lEVBAgMBAAECggEBALOLCcjrCLEyeHGXszzanrEXnBGJrKt1JQqETNR7FSVu{lineEnding}" +
$"MD6pjyjo9IfsTeHcwgROYAr/5xDbUIC6SjKQSfNfmV5eyOJ0PnhXrhQLrFdwwlEk{lineEnding}" +
$"rFco/AuFEcFD5x9pnhyn4XQLtyFsIfdQVs17/nqVLfxxjF8S72hHh6PDjHVZH9i1{lineEnding}" +
$"daF4woC7obyKqv8+uoc/MEqTgE/bbaQoL8tDUhCcuoKjcBEXpRryWFaeMoolnuTU{lineEnding}" +
$"D7656CHKFAnloGpNaeNPy8XmpicRxHEODXSoEZDxYoj3SSbPqn/7FDzHqh/Fk3kD{lineEnding}" +
$"tfjhYdhwZFrlTkvC766DxEBgIQHvJbdjujsX4uLJVQECgYEA/HoOKmA2KgK+f126{lineEnding}" +
$"oKmF38o4S/8hBd4vT7Qq2Q88zFom7MWrdlHdg5WO0ZLXS+l6LTOVkS2NM+WtbeeF{lineEnding}" +
$"5el4ICEl0x/Z1/e3vZl0QTDDOKqzfWsVxNwM9FD2bmVjVZHU0o9DPy45ugZdV0ti{lineEnding}" +
$"9YTm9TLIachAjU5vIIwz6CJ5g9ECgYEA3lSWtSeo76q0hlXE/FN5jn9BeuZHYmCJ{lineEnding}" +
$"aHYhtG50tXUxghwPRzfTVoQFbUQa1w/Ex4Ny2xZ+OnQTzdBjC13Xz2PAaldrNYlH{lineEnding}" +
$"5C/LjhbFdOvuQWU3nli9wXq25GTvzla3F5dn0NCUP3xwUIMld1Yq7mCaIy9HrP4i{lineEnding}" +
$"gn6jZimzNnECgYEAsXdR0bODHxCCuqA1eIzwTxejbrfMjIVamBm6LIyrXbDYv4FK{lineEnding}" +
$"PobYv482rlUbBH7+pBsoPL3aDOqadzBQTAVJrLvgDIDM7SNwgdMFhnUyI/jI5ZWJ{lineEnding}" +
$"3bAXYvwt2/dkVVeGUuLkj9p8NSgYIC4bRxy+AwhJGyHpTeod7rDeI4NoCqECgYB1{lineEnding}" +
$"DKWXU/ztyLpn6undSfk6GycXE/tLALX2yBKwkmJhUgSxkiI9BVf/OVw+DVfwF34q{lineEnding}" +
$"57plO69TCN+QQICUcGB47/RSSBnKQq8VpFAPS0/DYZ660RX6CJBGN1voXHef8ylL{lineEnding}" +
$"g0uFtPoHfnUG/jSQYk4R18vucCrVGaqDdzaBR7zxEQKBgCEqovhMGJ1xOrkzetBB{lineEnding}" +
$"+zgh5zJbAWx5DQk5ZdmAcAnEeqconM2yhFB636wC07UbeAZaQmhB5kQYMOuiCstt{lineEnding}" +
$"30sdQlNG9EGdqNsoVn/363Cg1iKJy4JU5uW/5kjh4UfBZG6DDwjLK88ZWh0OHPRV{lineEnding}" +
$"h8q0or9YnvqnVrELMR8cjUkZ{lineEnding}" +
$"-----END PRIVATE KEY-----";
Assert.IsTrue(PemReader.TryRead(pem.AsSpan(), out PemReader.PemField field));
Assert.AreEqual("PRIVATE KEY", field.Label.ToString());
Assert.AreEqual(PrivateKeyBytes, field.FromBase64Data());
}
public override Crt ImportCertificate(EncodingFormat fmt, Stream source)
{
if (false)
{
throw new NotImplementedException();
}
X509Certificate bcCert = null;
if (fmt == EncodingFormat.DER)
{
var certParser = new X509CertificateParser();
bcCert = certParser.ReadCertificate(source);
}
else if (fmt == EncodingFormat.PEM)
{
using (var tr = new StreamReader(source))
{
var pr = new PemReader(tr);
bcCert = (X509Certificate)pr.ReadObject();
}
}
else
{
throw new NotSupportedException("encoding format has not been implemented");
}
using (var tw = new StringWriter())
{
var pw = new PemWriter(tw);
pw.WriteObject(bcCert);
return(new Crt {
Pem = tw.GetStringBuilder().ToString()
});
}
}
public void ExportSubjectPublicKeyInfo(AsnFormat format)
{
using ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
byte[] exported = ecdsa.ExportSubjectPublicKeyInfo(format);
if (format == AsnFormat.Der)
{
SubjectPublicKeyInfo info = SubjectPublicKeyInfo.GetInstance(Asn1Object.FromByteArray(exported));
Assert.IsNotNull(info);
Assert.IsNotNull(info.AlgorithmID);
Assert.IsNotNull(info.PublicKeyData);
}
if (format == AsnFormat.Pem)
{
using MemoryStream ms = new MemoryStream(exported);
using TextReader tr = new StreamReader(ms, Encoding.ASCII);
PemReader pemReader = new PemReader(tr);
object obj = pemReader.ReadObject();
Assert.IsNotNull(obj);
}
this.CheckFormat(format, exported);
}
private void InitializeRsa()
{
using (RSA publicRsa = RSA.Create())
{
var publicKeyXml = _settings.UseRsaFilePath ?
System.IO.File.ReadAllText(_settings.RsaPublicKeyXML) :
_settings.RsaPublicKeyXML;
RSACryptoServiceProviderExtensions.FromXmlString(publicRsa, publicKeyXml);
_issuerSigningKey = new RsaSecurityKey(publicRsa);
}
if (_settings.RsaPrivateKey.Empty())
{
return;
}
using (RSA privateRsa = RSA.Create())
{
if (_settings.UseRsaFilePath)
{
using (var streamReader = File.OpenText(_settings.RsaPrivateKey))
{
var pemReader = new PemReader(streamReader);
privateRsa.ImportParameters(pemReader.ReadPrivatekey());
}
}
else
{
using (var stringReader = new StringReader(_settings.RsaPrivateKey))
{
var pemReader = new PemReader(stringReader);
privateRsa.ImportParameters(pemReader.ReadPrivatekey());
}
}
var privateKey = new RsaSecurityKey(privateRsa);
_signingCredentials = new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256);
}
}
/// <summary>
/// Gets the decrypted password using the RSA private key which can be found in the
/// PEM file for the key pair.
/// </summary>
/// <param name="rsaPrivateKey">The RSA private key from the PEM file</param>
/// <returns>The decrypted password</returns>
public string GetDecryptedPassword(string rsaPrivateKey)
{
RSAParameters rsaParams;
try
{
rsaParams = new PemReader(new StringReader(rsaPrivateKey.Trim())).ReadPrivatekey();
}
catch (Exception e)
{
throw new AmazonEC2Exception("Invalid RSA Private Key", e);
}
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(rsaParams);
byte[] encryptedBytes = Convert.FromBase64String(this.PasswordData);
var decryptedBytes = rsa.Decrypt(encryptedBytes, false);
string decrypted = Encoding.UTF8.GetString(decryptedBytes);
return(decrypted);
}
public static BcCertificate ImportCertificate(EncodingFormat fmt, Stream source)
{
X509Certificate bcCert = null;
if (fmt == EncodingFormat.DER)
{
var certParser = new X509CertificateParser();
bcCert = certParser.ReadCertificate(source);
}
else if (fmt == EncodingFormat.PEM)
{
using (var tr = new StreamReader(source))
{
var pr = new PemReader(tr);
bcCert = (X509Certificate)pr.ReadObject();
}
}
else
{
throw new NotSupportedException("encoding format has not been implemented");
}
return(bcCert);
}
public static ECDsa GetTestUserPlatformEcdsaProvider()
{
using (var stringReader = new StringReader(TestUserEcdsaPrivKey))
{
var pemReader = new PemReader(stringReader);
var ecdsaPrivKeyParams = pemReader.ReadObject() as ECPrivateKeyParameters;
var Q = ecdsaPrivKeyParams.Parameters.G.Multiply(ecdsaPrivKeyParams.D);
var ecdsaPubKeyParams = new ECPublicKeyParameters(Q, ecdsaPrivKeyParams.Parameters);
ECParameters ecParams = new ECParameters()
{
Curve = ECCurve.CreateFromValue(ecdsaPrivKeyParams.PublicKeyParamSet.Id),
D = ecdsaPrivKeyParams.D.ToByteArrayUnsigned(),
Q = new ECPoint()
{
X = ecdsaPubKeyParams.Q.XCoord.ToBigInteger().ToByteArrayUnsigned(),
Y = ecdsaPubKeyParams.Q.YCoord.ToBigInteger().ToByteArrayUnsigned()
}
};
return(ECDsa.Create(ecParams));
}
}
AsymmetricKeyParameter DnsLookup(string domain, string selector, CancellationToken cancellationToken)
{
var query = selector + "._domainkey." + domain;
AsymmetricKeyParameter pubkey;
// checked if we've already fetched this key
if (cache.TryGetValue(query, out pubkey))
{
return(pubkey);
}
// make a DNS query
var response = resolver.Query(query, QType.TXT);
var builder = new StringBuilder();
// combine the TXT records into 1 string buffer
foreach (var record in response.RecordsTXT)
{
foreach (var text in record.TXT)
{
builder.Append(text);
}
}
var txt = builder.ToString();
string k = null, p = null;
int index = 0;
// parse the response (will look something like: "k=rsa; p=<base64>")
while (index < txt.Length)
{
while (index < txt.Length && char.IsWhiteSpace(txt[index]))
{
index++;
}
if (index == txt.Length)
{
break;
}
// find the end of the key
int startIndex = index;
while (index < txt.Length && txt[index] != '=')
{
index++;
}
if (index == txt.Length)
{
break;
}
var key = txt.Substring(startIndex, index - startIndex);
// skip over the '='
index++;
// find the end of the value
startIndex = index;
while (index < txt.Length && txt[index] != ';')
{
index++;
}
var value = txt.Substring(startIndex, index - startIndex);
switch (key)
{
case "k": k = value; break;
case "p": p = value; break;
}
// skip over the ';'
index++;
}
if (k != null && p != null)
{
var data = "-----BEGIN PUBLIC KEY-----\r\n" + p + "\r\n-----END PUBLIC KEY-----\r\n";
var rawData = Encoding.ASCII.GetBytes(data);
using (var stream = new MemoryStream(rawData, false)) {
using (var reader = new StreamReader(stream)) {
var pem = new PemReader(reader);
pubkey = pem.ReadObject() as AsymmetricKeyParameter;
if (pubkey != null)
{
cache.Add(query, pubkey);
return(pubkey);
}
}
}
}
throw new Exception(string.Format("Failed to look up public key for: {0}", domain));
}
private void keyPairTest(
string name,
IAsymmetricCipherKeyPair pair)
{
MemoryStream bOut = new MemoryStream();
PemWriter pWrt = new PemWriter(new StreamWriter(bOut));
pWrt.WriteObject(pair.Public);
pWrt.Writer.Close();
PemReader pemRd = new PemReader(new StreamReader(new MemoryStream(bOut.ToArray(), false)));
IAsymmetricKeyParameter pubK = (AsymmetricKeyParameter) pemRd.ReadObject();
if (!pubK.Equals(pair.Public))
{
Fail("Failed public key read: " + name);
}
bOut = new MemoryStream();
pWrt = new PemWriter(new StreamWriter(bOut));
pWrt.WriteObject(pair.Private);
pWrt.Writer.Close();
pemRd = new PemReader(new StreamReader(new MemoryStream(bOut.ToArray(), false)));
IAsymmetricCipherKeyPair kPair = (AsymmetricCipherKeyPair) pemRd.ReadObject();
if (!kPair.Private.Equals(pair.Private))
{
Fail("Failed private key read: " + name);
}
if (!kPair.Public.Equals(pair.Public))
{
Fail("Failed private key public read: " + name);
}
}
/// <summary>
/// Load an RSA private key from a OpenSSL style file (DER or PEM)
/// </summary>
/// <param name="keyFile">The file to load</param>
/// <param name="password">The optional password</param>
/// <param name="signature">Whether to load the key as a signature or key exchange</param>
/// <returns>The RSA algorithm object</returns>
public static RSA ImportPrivateKeyFromPEM(string keyFile, string password, bool signature)
{
RSA ret = null;
byte[] data = File.ReadAllBytes(keyFile);
RsaPrivateCrtKeyParameters keyParams = null;
if (data.Length > 0)
{
if (data[0] != 0x30)
{
try
{
// Probably a PEM file
using (StreamReader reader = new StreamReader(new MemoryStream(data)))
{
PemReader pem;
if (password != null)
{
pem = new PemReader(reader, new PasswordFinderClass(password));
}
else
{
pem = new PemReader(reader);
}
object o = pem.ReadObject();
while (o != null)
{
if (o is RsaPrivateCrtKeyParameters)
{
keyParams = o as RsaPrivateCrtKeyParameters;
break;
}
else if (o is AsymmetricCipherKeyPair)
{
AsymmetricCipherKeyPair pair = o as AsymmetricCipherKeyPair;
keyParams = pair.Private as RsaPrivateCrtKeyParameters;
break;
}
o = pem.ReadObject();
}
}
}
catch (InvalidCipherTextException)
{
// Catch this exception and convert to standard CryptographicException
throw new CryptographicException("Cannot decrypt private key");
}
}
else
{
Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(data);
if (seq.Count != 9)
{
throw new CryptographicException("Malformed ASN.1 Sequence");
}
RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
keyParams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent,
rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2,
rsa.Coefficient);
}
if (keyParams != null)
{
ret = LoadKey(keyParams, signature);
}
}
return(ret);
}
public void LoadECDsaCertificateAutomatically()
{
// Support for ECDsa certificates are not supported by default. See Azure.Security.KeyVault.Certificates for support.
Assert.Throws <NotSupportedException>(() => PemReader.LoadCertificate(ECDsaCertificate.AsSpan(), keyType: PemReader.KeyType.Auto));
}
public static byte[] GetRSABytes(byte[] bytes, string key)
{
if (key == null)
{
key =
"-----BEGIN RSA PUBLIC KEY-----\n" +
"MIIBCgKCAQEAwVACPi9w23mF3tBkdZz+zwrzKOaaQdr01vAbU4E1pvkfj4sqDsm6\n" +
"lyDONS789sVoD/xCS9Y0hkkC3gtL1tSfTlgCMOOul9lcixlEKzwKENj1Yz/s7daS\n" +
"an9tqw3bfUV/nqgbhGX81v/+7RFAEd+RwFnK7a+XYl9sluzHRyVVaTTveB2GazTw\n" +
"Efzk2DWgkBluml8OREmvfraX3bkHZJTKX4EQSjBbbdJ2ZXIsRrYOXfaA+xayEGB+\n" +
"8hdlLmAjbCVfaigxX0CDqWeR1yFL9kwd9P0NsZRPsmoqVwMbMu7mStFai6aIhc3n\n" +
"Slv8kg9qv1m6XHVQY3PnEw+QQtqSIXklHwIDAQAB\n" +
"-----END RSA PUBLIC KEY-----";
}
using (var text = new StringReader(key))
{
var reader = new PemReader(text);
var parameter = reader.ReadObject() as RsaKeyParameters;
if (parameter != null)
{
var modulus = parameter.Modulus;
var exponent = parameter.Exponent;
var num = new BigInteger(new byte[] { 0x00 }.Concat(bytes).ToArray());
var rsa = num.ModPow(exponent, modulus).ToByteArray();
#if LOG_REGISTRATION
TLUtils.WriteLog("RSA bytes length " + rsa.Length);
#endif
if (rsa.Length == 257)
{
if (rsa[0] != 0x00)
{
throw new Exception("rsa last byte is " + rsa[0]);
}
#if LOG_REGISTRATION
TLUtils.WriteLog("First RSA byte removes: byte value is " + rsa[0]);
#endif
TLUtils.WriteLine("First RSA byte removes: byte value is " + rsa[0]);
rsa = rsa.SubArray(1, 256);
}
else if (rsa.Length < 256)
{
var correctedRsa = new byte[256];
Array.Copy(rsa, 0, correctedRsa, 256 - rsa.Length, rsa.Length);
for (var i = 0; i < 256 - rsa.Length; i++)
{
correctedRsa[i] = 0;
#if LOG_REGISTRATION
TLUtils.WriteLog("First RSA bytes added i=" + i + " " + correctedRsa[i]);
#endif
}
rsa = correctedRsa;
}
return(rsa);
}
}
return(null);
}
public async Task ValidateMergeCertificate()
{
string serverCertificateName = Recording.GenerateId();
// Generate the request.
CertificatePolicy policy = new CertificatePolicy(WellKnownIssuerNames.Unknown, "CN=Azure SDK")
{
CertificateTransparency = false,
ContentType = CertificateContentType.Pkcs12,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(serverCertificateName, policy);
RegisterForCleanup(serverCertificateName);
await using IAsyncDisposable disposableOperation = EnsureDeleted(operation);
// Read the CA.
byte[] caCertificateBytes = Convert.FromBase64String(CaPublicKeyBase64);
X509Certificate2 caCertificate = new X509Certificate2(caCertificateBytes);
// Read CA private key since getting it from caCertificate above throws.
AsymmetricCipherKeyPair caPrivateKey;
using (StringReader caPrivateKeyReader = new StringReader(CaPrivateKeyPem))
{
PemReader reader = new PemReader(caPrivateKeyReader);
caPrivateKey = (AsymmetricCipherKeyPair)reader.ReadObject();
}
// Read the CSR.
Pkcs10CertificationRequest csr = new Pkcs10CertificationRequest(operation.Properties.Csr);
CertificationRequestInfo csrInfo = csr.GetCertificationRequestInfo();
// Parse the issuer subject name.
Hashtable oidLookup = new Hashtable(X509Name.DefaultLookup)
{
{ "s", new DerObjectIdentifier("2.5.4.8") },
};
X509Name issuerName = new X509Name(true, oidLookup, caCertificate.Subject);
// Sign the request.
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.SetIssuerDN(issuerName);
generator.SetSerialNumber(BigInteger.One);
generator.SetNotBefore(DateTime.Now);
generator.SetNotAfter(DateTime.Now.AddDays(1));
generator.SetSubjectDN(csrInfo.Subject);
generator.SetPublicKey(csr.GetPublicKey());
Asn1SignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", caPrivateKey.Private);
X509Certificate serverSignedPublicKey = generator.Generate(signatureFactory);
// Merge the certificate chain.
MergeCertificateOptions options = new MergeCertificateOptions(serverCertificateName, new[] { serverSignedPublicKey.GetEncoded(), caCertificateBytes });
KeyVaultCertificateWithPolicy mergedServerCertificate = await Client.MergeCertificateAsync(options);
X509Certificate2 serverCertificate = new X509Certificate2(mergedServerCertificate.Cer);
Assert.AreEqual(csrInfo.Subject.ToString(), serverCertificate.Subject);
Assert.AreEqual(serverCertificateName, mergedServerCertificate.Name);
KeyVaultCertificateWithPolicy completedServerCertificate = await WaitForCompletion(operation);
Assert.AreEqual(mergedServerCertificate.Name, completedServerCertificate.Name);
CollectionAssert.AreEqual(mergedServerCertificate.Cer, completedServerCertificate.Cer);
}
public void LoadCertificateWithoutPrivateKey()
{
Exception ex = Assert.Throws <InvalidDataException>(() => PemReader.LoadCertificate(ECDsaCertificate.AsSpan(), keyType: PemReader.KeyType.ECDsa));
Assert.AreEqual("The certificate is missing the private key", ex.Message);
}
public void LoadCertificateWithNoKeys()
{
Exception ex = Assert.Throws <InvalidDataException>(() => PemReader.LoadCertificate(Span <char> .Empty, keyType: PemReader.KeyType.ECDsa));
Assert.AreEqual("The certificate is missing the public key", ex.Message);
}
public CngBuilder(PemReader theReader)
{
_theReader = theReader;
}
/// <summary>
/// Get the public key from a DNS TXT record.
/// </summary>
/// <remarks>
/// Gets the public key from a DNS TXT record.
/// </remarks>
/// <param name="txt">The DNS TXT record.</param>
/// <returns>The public key.</returns>
/// <exception cref="System.ArgumentNullException">
/// The <paramref name="txt"/> is <c>null</c>.
/// </exception>
/// <exception cref="ParseException">
/// There was an error parsing the DNS TXT record.
/// </exception>
protected AsymmetricKeyParameter GetPublicKey(string txt)
{
AsymmetricKeyParameter pubkey;
string k = null, p = null;
int index = 0;
if (txt == null)
{
throw new ArgumentNullException(nameof(txt));
}
// parse the response (will look something like: "k=rsa; p=<base64>")
while (index < txt.Length)
{
while (index < txt.Length && char.IsWhiteSpace(txt[index]))
{
index++;
}
if (index == txt.Length)
{
break;
}
// find the end of the key
int startIndex = index;
while (index < txt.Length && txt[index] != '=')
{
index++;
}
if (index == txt.Length)
{
break;
}
var key = txt.Substring(startIndex, index - startIndex);
// skip over the '='
index++;
// find the end of the value
startIndex = index;
while (index < txt.Length && txt[index] != ';')
{
index++;
}
var value = txt.Substring(startIndex, index - startIndex);
switch (key)
{
case "k":
switch (value)
{
case "rsa":
case "ed25519": k = value; break;
default: throw new ParseException($"Unknown public key algorithm: {value}", startIndex, index);
}
break;
case "p":
p = value.Replace(" ", "");
break;
}
// skip over the ';'
index++;
}
if (k != null && p != null)
{
if (k == "ed25519")
{
var decoded = Convert.FromBase64String(p);
return(new Ed25519PublicKeyParameters(decoded, 0));
}
var data = "-----BEGIN PUBLIC KEY-----\r\n" + p + "\r\n-----END PUBLIC KEY-----\r\n";
var rawData = Encoding.ASCII.GetBytes(data);
using (var stream = new MemoryStream(rawData, false)) {
using (var reader = new StreamReader(stream)) {
var pem = new PemReader(reader);
pubkey = pem.ReadObject() as AsymmetricKeyParameter;
if (pubkey != null)
{
return(pubkey);
}
}
}
}
throw new ParseException("Public key parameters not found in DNS TXT record.", 0, txt.Length);
}
public void TestMalformed()
{
PemReader rd = new PemReader(new StringReader("-----BEGIN \n"));
Assert.IsNull(rd.ReadPemObject());
}
private void ConfigureClientWithMachineEnv()
{
var envResult = RunDockerMachine("env", MachineName);
if (envResult.ExitCode != 0)
{
throw new DockerMachineExecutionException("Could not read machine environment", envResult.ExitCode, envResult.Output);
}
var outputLines = envResult.Output.Split('\n').Where(x => x.Contains('=')).ToArray();
var envOutput = outputLines
.Select(x => x.StartsWith("$Env:") ? x.Substring("$Env:".Length) : x)
.Select(x => x.StartsWith("SET") ? x.Substring("SET".Length) : x)
.Select(x => x.Split('='))
.Select(x => (key: x[0].Trim(), value: x[1].Trim()))
.ToDictionary(x => x.key, x => x.value);
var host = envOutput["DOCKER_HOST"];
var machineName = envOutput["DOCKER_MACHINE_NAME"];
var machineUsesTls = false;
try {
var tlsVerify = envOutput["DOCKER_TLS_VERIFY"];
if (!string.IsNullOrEmpty(tlsVerify))
{
machineUsesTls = true;
}
} catch (KeyNotFoundException) { }
var certsPath = envOutput["DOCKER_CERT_PATH"];
var pfxPath = Path.Combine(certsPath, "key.pfx");
// Adapted from https://stackoverflow.com/a/46598020/528131
if (machineUsesTls)
{
var cerPath = Path.Combine(certsPath, "cert.pem");
var keyPath = Path.Combine(certsPath, "key.pem");
X509Certificate publicKey = null;
AsymmetricCipherKeyPair privateKey = null;
using (var cerFile = File.OpenRead(cerPath)) {
using (var cerDataReader = new StreamReader(cerFile)) {
var cerReader = new PemReader(cerDataReader);
publicKey = (X509Certificate)cerReader.ReadObject();
}
}
using (var keyFile = File.OpenRead(keyPath)) {
using (var keyDataReader = new StreamReader(keyFile)) {
var keyReader = new PemReader(keyDataReader);
privateKey = (AsymmetricCipherKeyPair)keyReader.ReadObject();
}
}
var certStore = new Pkcs12StoreBuilder().Build();
var certChain = new X509CertificateEntry[1];
var privateKeyEntry = new AsymmetricKeyEntry(privateKey.Private);
var publicKeyEntry = new X509CertificateEntry(publicKey);
certChain[0] = publicKeyEntry;
certStore.SetKeyEntry("dockerHostKey", privateKeyEntry, certChain);
if (File.Exists(pfxPath))
{
File.Delete(pfxPath);
}
using (var pfxFile = File.Create(pfxPath)) {
certStore.Save(pfxFile, new char[0], new SecureRandom());
}
}
ConfigureClientWithHost(host, machineUsesTls, pfxPath);
}
public static AsymmetricCipherKeyPair LoadRsaKey(StreamReader keyStream)
{
var pemReader = new PemReader(keyStream);
return((AsymmetricCipherKeyPair)pemReader.ReadObject());
}
public void ReadWithExtraneousData()
{
Assert.IsTrue(PemReader.TryRead(RsaPemPrivateKey.AsSpan(), out PemReader.PemField field));
Assert.AreEqual("PRIVATE KEY", field.Label.ToString());
Assert.AreEqual(s_rsaPrivateKeyBytes, field.FromBase64Data());
}
/**
* Determines whether the current AppKeyPair (as specified by {@link #pemFilePathname}) is a valid X.509 certificate.
* <br /><br />
* Writes diagnostic messages to the console if the the current AppKeyPair does not exist or is not valid.
* This is useful since SkypeKit currently reports only "TLS handshake failure" (with no further explanation)
* if the certificate can't be found/accessed or is not validly formatted.
*
* @return
* <ul>
* <li>true: Valid certificate file</li>
* <li>false:
* <ul>
* <li>Could not open the file</li>
* <li>Could not read the file</li>
* <li>Not a valid certificate file</li>
* </ul>
* </li>
* </ul>
*
* @see #pemFilePathname
* @see com.skype.tutorial.util.MySession#myClientConfiguration
* @since 2.0
*/
public bool isValidCertificate()
{
java.security.cert.X509Certificate x509CertificateData;
java.security.PrivateKey privateKeyData;
String pathName = getPemFilePathname();
try
{
String derPath = pathName.Substring(0, pathName.Length - 3);
derPath += "der";
PemReader myPemReader = new PemReader(getPemFilePathname());
x509CertificateData = myPemReader.getCertificate();
privateKeyData = myPemReader.getKey();
}
catch (FileNotFoundException e1)
{
MySession.myConsole.printf("%s/isValidCertificate: Could not find certificate file:%n\t%s%n",
MY_CLASS_TAG, pathName);
return (false);
}
catch (IOException e2)
{
MySession.myConsole.printf("%s/isValidCertificate: Unable to read certificate file:%n\t%s%n",
MY_CLASS_TAG, pathName);
return (false);
}
catch (Exception e3)
{
MySession.myConsole.printf("%s/isValidCertificate: Certificate file %s contains invalid certficate data.%n",
MY_CLASS_TAG, pathName);
return (false);
}
if ((x509CertificateData != null) && (privateKeyData != null))
{
MySession.myConsole.printf("%s/isValidCertificate: Certificate has valid format%n",
MY_CLASS_TAG);
return (true);
}
else
{
MySession.myConsole.printf("%s/isValidCertificate: Certificate has invalid format%n",
MY_CLASS_TAG);
return (false);
}
}
public async void StartMQTT(string clientid, string cafile, string clientcertfile, string clientprivate, string clientprivatepassword = "")
{
var ca = new X509Certificate(cafile, "");
var reader = new PemReader(File.OpenText(clientprivate));
var privatekey = (AsymmetricCipherKeyPair)reader.ReadObject();
var pkinfo = (Org.BouncyCastle.Crypto.Parameters.RsaPrivateCrtKeyParameters)privatekey.Private;
var ce1 = new X509Certificate2(File.ReadAllBytes(clientcertfile), clientprivatepassword,
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
CspParameters parms = new CspParameters();
parms.Flags = CspProviderFlags.NoFlags;
parms.KeyContainerName = Guid.NewGuid().ToString().ToUpperInvariant();
parms.ProviderType = ((Environment.OSVersion.Version.Major > 5) || ((Environment.OSVersion.Version.Major == 5) && (Environment.OSVersion.Version.Minor >= 1))) ? 0x18 : 1;
System.Security.Cryptography.RSACryptoServiceProvider rcsp =
new System.Security.Cryptography.RSACryptoServiceProvider(parms)
{
PersistKeyInCsp = true
};
rcsp.ImportParameters(DotNetUtilities.ToRSAParameters(pkinfo));
ce1.PrivateKey = rcsp;
//var clientcert = CertificatesToDBandBack.Certificate.GetCertificateFromPEMstring(File.ReadAllText(clientcertfile), File.ReadAllText(clientprivate), clientprivatepassword);
MQTTClient = new MqttFactory().CreateMqttClient();
var options = new MqttClientOptionsBuilder()
.WithTcpServer(mqtt_host, mqtt_port).WithClientId(clientid).WithTls(new MqttClientOptionsBuilderTlsParameters
{
AllowUntrustedCertificates = false,
IgnoreCertificateChainErrors = false,
IgnoreCertificateRevocationErrors = false,
UseTls = true,
SslProtocol = System.Security.Authentication.SslProtocols.Tls12,
Certificates = new List <byte[]>
{
ca.Export(X509ContentType.SerializedCert),
ce1.Export(X509ContentType.SerializedCert)
},
CertificateValidationCallback = (X509Certificate x, X509Chain y, SslPolicyErrors z, IMqttClientOptions o) =>
{
return(true);
}
}).Build();
MQTTClient.ApplicationMessageReceivedHandler = new MqttApplicationMessageReceivedHandlerDelegate(e =>
{
Console.WriteLine("### RECEIVED APPLICATION MESSAGE ###");
Console.WriteLine($"+ Topic = {e.ApplicationMessage.Topic}");
Console.WriteLine($"+ Payload = {Encoding.UTF8.GetString(e.ApplicationMessage.Payload)}");
Console.WriteLine($"+ QoS = {e.ApplicationMessage.QualityOfServiceLevel}");
Console.WriteLine($"+ Retain = {e.ApplicationMessage.Retain}");
Console.WriteLine();
});
MQTTClient.ConnectedHandler = new MqttClientConnectedHandlerDelegate(async a =>
{
Console.WriteLine("### CONNECTED WITH SERVER ###");
await MQTTClient.SubscribeAsync(new TopicFilterBuilder().WithTopic("#").Build());
});
MQTTClient.DisconnectedHandler = new MqttClientDisconnectedHandlerDelegate(async a =>
{
Console.WriteLine("### DISCONNECTED FROM SERVER ###");
});
var connect = await MQTTClient.ConnectAsync(options);
var sub = MQTTClient.SubscribeAsync(new TopicFilter
{
Topic = "test", QualityOfServiceLevel = MqttQualityOfServiceLevel.AtMostOnce
});
}
public AsymmetricKeyParameter LocatePublicKey(string methods, string domain, string selector, CancellationToken cancellationToken = default(CancellationToken))
{
var query = selector + "._domainkey." + domain;
if (keys.TryGetValue(query, out string txt))
{
AsymmetricKeyParameter pubkey;
string k = null, p = null;
int index = 0;
// parse the response (will look something like: "k=rsa; p=<base64>")
while (index < txt.Length)
{
while (index < txt.Length && char.IsWhiteSpace(txt[index]))
{
index++;
}
if (index == txt.Length)
{
break;
}
// find the end of the key
int startIndex = index;
while (index < txt.Length && txt[index] != '=')
{
index++;
}
if (index == txt.Length)
{
break;
}
var key = txt.Substring(startIndex, index - startIndex);
// skip over the '='
index++;
// find the end of the value
startIndex = index;
while (index < txt.Length && txt[index] != ';')
{
index++;
}
var value = txt.Substring(startIndex, index - startIndex).Replace(" ", "");
switch (key)
{
case "k": k = value; break;
case "p": p = value; break;
}
// skip over the ';'
index++;
}
if (k != null && p != null)
{
if (k == "rsa")
{
var data = "-----BEGIN PUBLIC KEY-----\r\n" + p + "\r\n-----END PUBLIC KEY-----\r\n";
var rawData = Encoding.ASCII.GetBytes(data);
using (var stream = new MemoryStream(rawData, false)) {
using (var reader = new StreamReader(stream)) {
var pem = new PemReader(reader);
pubkey = pem.ReadObject() as AsymmetricKeyParameter;
if (pubkey != null)
{
return(pubkey);
}
}
}
}
else if (k == "ed25519")
{
var decoded = Convert.FromBase64String(p);
return(new Ed25519PublicKeyParameters(decoded, 0));
}
}
}
throw new Exception(string.Format("Failed to look up public key for: {0}", domain));
}
/// <summary>
/// Generates pfx from client configuration
/// </summary>
/// <param name="config">Kubernetes Client Configuration</param>
/// <returns>Generated Pfx Path</returns>
public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)
{
byte[] keyData = null;
byte[] certData = null;
if (!string.IsNullOrWhiteSpace(config.ClientCertificateKeyData))
{
keyData = Convert.FromBase64String(config.ClientCertificateKeyData);
}
if (!string.IsNullOrWhiteSpace(config.ClientKeyFilePath))
{
keyData = File.ReadAllBytes(config.ClientKeyFilePath);
}
if (keyData == null)
{
throw new KubeConfigException("keyData is empty");
}
if (!string.IsNullOrWhiteSpace(config.ClientCertificateData))
{
certData = Convert.FromBase64String(config.ClientCertificateData);
}
if (!string.IsNullOrWhiteSpace(config.ClientCertificateFilePath))
{
certData = File.ReadAllBytes(config.ClientCertificateFilePath);
}
if (certData == null)
{
throw new KubeConfigException("certData is empty");
}
var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));
// key usage is a bit string, zero-th bit is 'digitalSignature'
// See https://www.alvestrand.no/objectid/2.5.29.15.html for more details.
if (cert != null && cert.GetKeyUsage() != null && !cert.GetKeyUsage()[0])
{
throw new Exception(
"Client certificates must be marked for digital signing. " +
"See https://github.com/kubernetes-client/csharp/issues/319");
}
object obj;
using (var reader = new StreamReader(new MemoryStream(keyData)))
{
obj = new PemReader(reader).ReadObject();
var key = obj as AsymmetricCipherKeyPair;
if (key != null)
{
var cipherKey = key;
obj = cipherKey.Private;
}
}
var keyParams = (AsymmetricKeyParameter)obj;
var store = new Pkcs12StoreBuilder().Build();
store.SetKeyEntry("K8SKEY", new AsymmetricKeyEntry(keyParams), new[] { new X509CertificateEntry(cert) });
using (var pkcs = new MemoryStream())
{
store.Save(pkcs, new char[0], new SecureRandom());
if (config.ClientCertificateKeyStoreFlags.HasValue)
{
return(new X509Certificate2(pkcs.ToArray(), "", config.ClientCertificateKeyStoreFlags.Value));
}
else
{
return(new X509Certificate2(pkcs.ToArray()));
}
}
}
public override void PerformTest()
{
IPasswordFinder pGet = new Password("secret".ToCharArray());
PemReader pemRd = OpenPemResource("test.pem", pGet);
AsymmetricCipherKeyPair pair;
object o;
while ((o = pemRd.ReadObject()) != null)
{
// if (o is AsymmetricCipherKeyPair)
// {
// ackp = (AsymmetricCipherKeyPair)o;
//
// Console.WriteLine(ackp.Public);
// Console.WriteLine(ackp.Private);
// }
// else
// {
// Console.WriteLine(o.ToString());
// }
}
//
// pkcs 7 data
//
pemRd = OpenPemResource("pkcs7.pem", null);
ContentInfo d = (ContentInfo)pemRd.ReadObject();
if (!d.ContentType.Equals(CmsObjectIdentifiers.EnvelopedData))
{
Fail("failed envelopedData check");
}
/*
* {
* //
* // ECKey
* //
* pemRd = OpenPemResource("eckey.pem", null);
*
* // TODO Resolve return type issue with EC keys and fix PemReader to return parameters
* // ECNamedCurveParameterSpec spec = (ECNamedCurveParameterSpec)pemRd.ReadObject();
*
* pair = (AsymmetricCipherKeyPair)pemRd.ReadObject();
* ISigner sgr = SignerUtilities.GetSigner("ECDSA");
*
* sgr.Init(true, pair.Private);
*
* byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' };
*
* sgr.BlockUpdate(message, 0, message.Length);
*
* byte[] sigBytes = sgr.GenerateSignature();
*
* sgr.Init(false, pair.Public);
*
* sgr.BlockUpdate(message, 0, message.Length);
*
* if (!sgr.VerifySignature(sigBytes))
* {
* Fail("EC verification failed");
* }
*
* // TODO Resolve this issue with the algorithm name, study Java version
* // if (!((ECPublicKeyParameters) pair.Public).AlgorithmName.Equals("ECDSA"))
* // {
* // Fail("wrong algorithm name on public got: " + ((ECPublicKeyParameters) pair.Public).AlgorithmName);
* // }
* //
* // if (!((ECPrivateKeyParameters) pair.Private).AlgorithmName.Equals("ECDSA"))
* // {
* // Fail("wrong algorithm name on private got: " + ((ECPrivateKeyParameters) pair.Private).AlgorithmName);
* // }
* }
*/
//
// writer/parser test
//
IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
kpGen.Init(
new RsaKeyGenerationParameters(
BigInteger.ValueOf(0x10001),
new SecureRandom(),
768,
25));
pair = kpGen.GenerateKeyPair();
keyPairTest("RSA", pair);
// kpGen = KeyPairGenerator.getInstance("DSA");
// kpGen.initialize(512, new SecureRandom());
DsaParametersGenerator pGen = new DsaParametersGenerator();
pGen.Init(512, 80, new SecureRandom());
kpGen = GeneratorUtilities.GetKeyPairGenerator("DSA");
kpGen.Init(
new DsaKeyGenerationParameters(
new SecureRandom(),
pGen.GenerateParameters()));
pair = kpGen.GenerateKeyPair();
keyPairTest("DSA", pair);
//
// PKCS7
//
MemoryStream bOut = new MemoryStream();
PemWriter pWrt = new PemWriter(new StreamWriter(bOut));
pWrt.WriteObject(d);
pWrt.Writer.Close();
pemRd = new PemReader(new StreamReader(new MemoryStream(bOut.ToArray(), false)));
d = (ContentInfo)pemRd.ReadObject();
if (!d.ContentType.Equals(CmsObjectIdentifiers.EnvelopedData))
{
Fail("failed envelopedData recode check");
}
// OpenSSL test cases (as embedded resources)
doOpenSslDsaTest("unencrypted");
doOpenSslRsaTest("unencrypted");
doOpenSslTests("aes128");
doOpenSslTests("aes192");
doOpenSslTests("aes256");
doOpenSslTests("blowfish");
doOpenSslTests("des1");
doOpenSslTests("des2");
doOpenSslTests("des3");
doOpenSslTests("rc2_128");
doOpenSslDsaTest("rc2_40_cbc");
doOpenSslRsaTest("rc2_40_cbc");
doOpenSslDsaTest("rc2_64_cbc");
doOpenSslRsaTest("rc2_64_cbc");
doDudPasswordTest("7fd98", 0, "Corrupted stream - out of bounds length found");
doDudPasswordTest("ef677", 1, "Corrupted stream - out of bounds length found");
doDudPasswordTest("800ce", 2, "unknown tag 26 encountered");
doDudPasswordTest("b6cd8", 3, "DEF length 81 object truncated by 56");
doDudPasswordTest("28ce09", 4, "DEF length 110 object truncated by 28");
doDudPasswordTest("2ac3b9", 5, "DER length more than 4 bytes: 11");
doDudPasswordTest("2cba96", 6, "DEF length 100 object truncated by 35");
doDudPasswordTest("2e3354", 7, "DEF length 42 object truncated by 9");
doDudPasswordTest("2f4142", 8, "DER length more than 4 bytes: 14");
doDudPasswordTest("2fe9bb", 9, "DER length more than 4 bytes: 65");
doDudPasswordTest("3ee7a8", 10, "DER length more than 4 bytes: 57");
doDudPasswordTest("41af75", 11, "unknown tag 16 encountered");
doDudPasswordTest("1704a5", 12, "corrupted stream detected");
doDudPasswordTest("1c5822", 13, "extra data found after object");
doDudPasswordTest("5a3d16", 14, "corrupted stream detected");
doDudPasswordTest("8d0c97", 15, "corrupted stream detected");
doDudPasswordTest("bc0daf", 16, "corrupted stream detected");
doDudPasswordTest("aaf9c4d", 17, "Corrupted stream - out of bounds length found");
// encrypted private key test
pGet = new Password("password".ToCharArray());
pemRd = OpenPemResource("enckey.pem", pGet);
RsaPrivateCrtKeyParameters privKey = (RsaPrivateCrtKeyParameters)pemRd.ReadObject();
if (!privKey.PublicExponent.Equals(new BigInteger("10001", 16)))
{
Fail("decryption of private key data check failed");
}
// general PKCS8 test
pGet = new Password("password".ToCharArray());
pemRd = OpenPemResource("pkcs8test.pem", pGet);
while ((privKey = (RsaPrivateCrtKeyParameters)pemRd.ReadObject()) != null)
{
if (!privKey.PublicExponent.Equals(new BigInteger("10001", 16)))
{
Fail("decryption of private key data check failed");
}
}
}
public override void PerformTest()
{
IPasswordFinder pGet = new Password("secret".ToCharArray());
PemReader pemRd = OpenPemResource("test.pem", pGet);
IAsymmetricCipherKeyPair pair;
object o;
while ((o = pemRd.ReadObject()) != null)
{
// if (o is AsymmetricCipherKeyPair)
// {
// ackp = (AsymmetricCipherKeyPair)o;
//
// Console.WriteLine(ackp.Public);
// Console.WriteLine(ackp.Private);
// }
// else
// {
// Console.WriteLine(o.ToString());
// }
}
//
// pkcs 7 data
//
pemRd = OpenPemResource("pkcs7.pem", null);
ContentInfo d = (ContentInfo)pemRd.ReadObject();
if (!d.ContentType.Equals(CmsObjectIdentifiers.EnvelopedData))
{
Fail("failed envelopedData check");
}
/*
{
//
// ECKey
//
pemRd = OpenPemResource("eckey.pem", null);
// TODO Resolve return type issue with EC keys and fix PemReader to return parameters
// ECNamedCurveParameterSpec spec = (ECNamedCurveParameterSpec)pemRd.ReadObject();
pair = (AsymmetricCipherKeyPair)pemRd.ReadObject();
ISigner sgr = SignerUtilities.GetSigner("ECDSA");
sgr.Init(true, pair.Private);
byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' };
sgr.BlockUpdate(message, 0, message.Length);
byte[] sigBytes = sgr.GenerateSignature();
sgr.Init(false, pair.Public);
sgr.BlockUpdate(message, 0, message.Length);
if (!sgr.VerifySignature(sigBytes))
{
Fail("EC verification failed");
}
// TODO Resolve this issue with the algorithm name, study Java version
// if (!((ECPublicKeyParameters) pair.Public).AlgorithmName.Equals("ECDSA"))
// {
// Fail("wrong algorithm name on public got: " + ((ECPublicKeyParameters) pair.Public).AlgorithmName);
// }
//
// if (!((ECPrivateKeyParameters) pair.Private).AlgorithmName.Equals("ECDSA"))
// {
// Fail("wrong algorithm name on private got: " + ((ECPrivateKeyParameters) pair.Private).AlgorithmName);
// }
}
*/
//
// writer/parser test
//
IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
kpGen.Init(
new RsaKeyGenerationParameters(
BigInteger.ValueOf(0x10001),
new SecureRandom(),
768,
25));
pair = kpGen.GenerateKeyPair();
keyPairTest("RSA", pair);
// kpGen = KeyPairGenerator.getInstance("DSA");
// kpGen.initialize(512, new SecureRandom());
DsaParametersGenerator pGen = new DsaParametersGenerator();
pGen.Init(512, 80, new SecureRandom());
kpGen = GeneratorUtilities.GetKeyPairGenerator("DSA");
kpGen.Init(
new DsaKeyGenerationParameters(
new SecureRandom(),
pGen.GenerateParameters()));
pair = kpGen.GenerateKeyPair();
keyPairTest("DSA", pair);
//
// PKCS7
//
MemoryStream bOut = new MemoryStream();
PemWriter pWrt = new PemWriter(new StreamWriter(bOut));
pWrt.WriteObject(d);
pWrt.Writer.Close();
pemRd = new PemReader(new StreamReader(new MemoryStream(bOut.ToArray(), false)));
d = (ContentInfo)pemRd.ReadObject();
if (!d.ContentType.Equals(CmsObjectIdentifiers.EnvelopedData))
{
Fail("failed envelopedData recode check");
}
// OpenSSL test cases (as embedded resources)
doOpenSslDsaTest("unencrypted");
doOpenSslRsaTest("unencrypted");
doOpenSslTests("aes128");
doOpenSslTests("aes192");
doOpenSslTests("aes256");
doOpenSslTests("blowfish");
doOpenSslTests("des1");
doOpenSslTests("des2");
doOpenSslTests("des3");
doOpenSslTests("rc2_128");
doOpenSslDsaTest("rc2_40_cbc");
doOpenSslRsaTest("rc2_40_cbc");
doOpenSslDsaTest("rc2_64_cbc");
doOpenSslRsaTest("rc2_64_cbc");
// TODO Figure out why exceptions differ for commented out cases
doDudPasswordTest("7fd98", 0, "Corrupted stream - out of bounds length found");
doDudPasswordTest("ef677", 1, "Corrupted stream - out of bounds length found");
// doDudPasswordTest("800ce", 2, "cannot recognise object in stream");
doDudPasswordTest("b6cd8", 3, "DEF length 81 object truncated by 56");
doDudPasswordTest("28ce09", 4, "DEF length 110 object truncated by 28");
doDudPasswordTest("2ac3b9", 5, "DER length more than 4 bytes: 11");
doDudPasswordTest("2cba96", 6, "DEF length 100 object truncated by 35");
doDudPasswordTest("2e3354", 7, "DEF length 42 object truncated by 9");
doDudPasswordTest("2f4142", 8, "DER length more than 4 bytes: 14");
doDudPasswordTest("2fe9bb", 9, "DER length more than 4 bytes: 65");
doDudPasswordTest("3ee7a8", 10, "DER length more than 4 bytes: 57");
doDudPasswordTest("41af75", 11, "malformed sequence in DSA private key");
doDudPasswordTest("1704a5", 12, "corrupted stream detected");
// doDudPasswordTest("1c5822", 13, "corrupted stream detected");
// doDudPasswordTest("5a3d16", 14, "corrupted stream detected");
doDudPasswordTest("8d0c97", 15, "corrupted stream detected");
doDudPasswordTest("bc0daf", 16, "corrupted stream detected");
doDudPasswordTest("aaf9c4d",17, "Corrupted stream - out of bounds length found");
// encrypted private key test
pGet = new Password("password".ToCharArray());
pemRd = OpenPemResource("enckey.pem", pGet);
RsaPrivateCrtKeyParameters privKey = (RsaPrivateCrtKeyParameters)pemRd.ReadObject();
if (!privKey.PublicExponent.Equals(new BigInteger("10001", 16)))
{
Fail("decryption of private key data check failed");
}
// general PKCS8 test
pGet = new Password("password".ToCharArray());
pemRd = OpenPemResource("pkcs8test.pem", pGet);
while ((privKey = (RsaPrivateCrtKeyParameters)pemRd.ReadObject()) != null)
{
if (!privKey.PublicExponent.Equals(new BigInteger("10001", 16)))
{
Fail("decryption of private key data check failed");
}
}
}
public PkiCertificateSigningRequest(PkiEncodingFormat format, byte[] encoded,
PkiHashAlgorithm hashAlgorithm)
{
Pkcs10CertificationRequest pkcs10;
switch (format)
{
case PkiEncodingFormat.Pem:
var encodedString = Encoding.UTF8.GetString(encoded);
using (var sr = new StringReader(encodedString))
{
var pemReader = new PemReader(sr);
pkcs10 = pemReader.ReadObject() as Pkcs10CertificationRequest;
if (pkcs10 == null)
{
throw new Exception("invalid PEM object is not PKCS#10 archive");
}
}
break;
case PkiEncodingFormat.Der:
pkcs10 = new Pkcs10CertificationRequest(encoded);
break;
default:
throw new NotSupportedException();
}
var info = pkcs10.GetCertificationRequestInfo();
var nativePublicKey = pkcs10.GetPublicKey();
var rsaKey = nativePublicKey as RsaKeyParameters;
var ecdsaKey = nativePublicKey as ECPublicKeyParameters;
if (rsaKey != null)
{
PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Rsa);
}
else if (ecdsaKey != null)
{
PublicKey = new PkiKey(nativePublicKey, PkiAsymmetricAlgorithm.Ecdsa);
}
else
{
throw new NotSupportedException("unsupported asymmetric algorithm key");
}
SubjectName = info.Subject.ToString();
HashAlgorithm = hashAlgorithm;
// // // Based on:
// // // http://forum.rebex.net/4284/pkcs10-certificate-request-example-provided-castle-working
// // var extGen = new X509ExtensionsGenerator();
// // foreach (var ext in CertificateExtensions)
// // {
// // extGen.AddExtension(ext.Identifier, ext.IsCritical, ext.Value);
// // }
// // var attr = new AttributeX509(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,
// // new DerSet(extGen.Generate()));
// Based on:
// http://unitstep.net/blog/2008/10/27/extracting-x509-extensions-from-a-csr-using-the-bouncy-castle-apis/
// https://stackoverflow.com/q/24448909/5428506
foreach (var attr in info.Attributes.ToArray())
{
if (attr is DerSequence derSeq && derSeq.Count == 2)
{
var attrX509 = AttributeX509.GetInstance(attr);
if (object.Equals(attrX509.AttrType, PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
// The `Extension Request` attribute is present.
// The X509Extensions are contained as a value of the ASN.1 Set.
// Assume that it is the first value of the set.
if (attrX509.AttrValues.Count >= 1)
{
var csrExts = X509Extensions.GetInstance(attrX509.AttrValues[0]);
foreach (var extOid in csrExts.GetExtensionOids())
{
if (object.Equals(extOid, X509Extensions.SubjectAlternativeName))
{
var ext = csrExts.GetExtension(extOid);
var extVal = ext.Value;
var der = extVal.GetDerEncoded();
// The ext value, which is an ASN.1 Octet String, **MIGHT** be tagged with
// a leading indicator that it's an Octet String and its length, so we want
// to remove it if that's the case to extract the GeneralNames collection
if (der.Length > 2 && der[0] == 4 && der[1] == der.Length - 2)
{
der = der.Skip(2).ToArray();
}
var asn1obj = Asn1Object.FromByteArray(der);
var gnames = GeneralNames.GetInstance(asn1obj);
CertificateExtensions.Add(new PkiCertificateExtension
{
Identifier = extOid,
IsCritical = ext.IsCritical,
Value = gnames,
});
}
}
// No need to search any more.
break;
}
}
}
}
}
/// <summary>
/// Generates pfx from client configuration
/// </summary>
/// <param name="config">Kubernetes Client Configuration</param>
/// <returns>Generated Pfx Path</returns>
public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)
{
byte[] keyData = null;
byte[] certData = null;
if (!string.IsNullOrWhiteSpace(config.ClientCertificateKeyData))
{
keyData = Convert.FromBase64String(config.ClientCertificateKeyData);
}
if (!string.IsNullOrWhiteSpace(config.ClientKeyFilePath))
{
keyData = File.ReadAllBytes(config.ClientKeyFilePath);
}
if (keyData == null)
{
throw new KubeConfigException("keyData is empty");
}
if (!string.IsNullOrWhiteSpace(config.ClientCertificateData))
{
certData = Convert.FromBase64String(config.ClientCertificateData);
}
if (!string.IsNullOrWhiteSpace(config.ClientCertificateFilePath))
{
certData = File.ReadAllBytes(config.ClientCertificateFilePath);
}
if (certData == null)
{
throw new KubeConfigException("certData is empty");
}
var cert = new X509CertificateParser().ReadCertificate(new MemoryStream(certData));
object obj;
using (var reader = new StreamReader(new MemoryStream(keyData)))
{
obj = new PemReader(reader).ReadObject();
var key = obj as AsymmetricCipherKeyPair;
if (key != null)
{
var cipherKey = key;
obj = cipherKey.Private;
}
}
var rsaKeyParams = (RsaPrivateCrtKeyParameters)obj;
var store = new Pkcs12StoreBuilder().Build();
store.SetKeyEntry("K8SKEY", new AsymmetricKeyEntry(rsaKeyParams), new[] { new X509CertificateEntry(cert) });
using (var pkcs = new MemoryStream())
{
store.Save(pkcs, new char[0], new SecureRandom());
if (config.ClientCertificateKeyStoreFlags.HasValue)
{
return(new X509Certificate2(pkcs.ToArray(), "", config.ClientCertificateKeyStoreFlags.Value));
}
else
{
return(new X509Certificate2(pkcs.ToArray()));
}
}
}
public async Task <int> Run(VerifyOptions options, string httpMessage)
{
ISignatureAlgorithm signatureAlgorithmForVerification;
if (string.IsNullOrEmpty(options.KeyType) || options.KeyType.Equals("RSA", StringComparison.OrdinalIgnoreCase))
{
RSAParameters rsaPublicKey;
using (var stream = File.OpenRead(options.PublicKey)) {
using (var reader = new PemReader(stream)) {
rsaPublicKey = reader.ReadRsaKey();
}
}
signatureAlgorithmForVerification = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, rsaPublicKey);
}
else if (options.KeyType.Equals("P256", StringComparison.OrdinalIgnoreCase) || options.KeyType.Equals("ECDSA", StringComparison.OrdinalIgnoreCase))
{
ECParameters ecPublicKey;
using (var stream = File.OpenRead(options.PublicKey)) {
using (var reader = new StreamReader(stream)) {
var fileContents = reader.ReadToEnd();
var lines = fileContents.Split(new[] { '\n', '\r' }, StringSplitOptions.RemoveEmptyEntries);
lines = lines.Skip(1).Take(lines.Length - 2).ToArray();
var pem = string.Join("", lines);
var ecdsa = ECDsa.Create();
var derArray = Convert.FromBase64String(pem);
ecdsa.ImportSubjectPublicKeyInfo(derArray, out _);
ecPublicKey = ecdsa.ExportParameters(false);
}
}
signatureAlgorithmForVerification = ECDsaSignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, ecPublicKey);
}
else if (options.KeyType.Equals("HMAC", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithmForVerification = SignatureAlgorithm.CreateForVerification(options.PublicKey, HashAlgorithmName.SHA512);
}
else
{
throw new NotSupportedException("The specified key type is not supported.");
}
var serviceProvider = new ServiceCollection()
.AddHttpMessageSignatureVerification(provider => {
var clientStore = new InMemoryClientStore();
clientStore.Register(new Client(
new KeyId("test"),
"ConformanceClient",
signatureAlgorithmForVerification,
TimeSpan.FromSeconds(30),
TimeSpan.FromMinutes(1)));
return(clientStore);
})
.BuildServiceProvider();
var verifier = serviceProvider.GetRequiredService <IRequestSignatureVerifier>();
var clientRequest = HttpRequestMessageParser.Parse(httpMessage);
var requestToVerify = await clientRequest.ToServerSideHttpRequest();
var verificationResult = await verifier.VerifySignature(requestToVerify, new SignedRequestAuthenticationOptions {
OnSignatureParsed = (request, signature) => {
if (!string.IsNullOrEmpty(options.Algorithm))
{
signature.Algorithm = options.Algorithm;
}
return(Task.CompletedTask);
}
});
return(verificationResult is RequestSignatureVerificationResultSuccess
? 0
: 1);
}
public void LoadCertificateWithOnlyPublicKeyAllowed()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(ECDsaCertificate.AsSpan(), allowCertificateOnly: true, keyType: PemReader.KeyType.ECDsa);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsFalse(certificate.HasPrivateKey);
}
private void EncryptedTest(IAsymmetricKeyParameter privKey, string algorithm)
{
StringWriter sw = new StringWriter();
PemWriter pWrt = new PemWriter(sw);
Pkcs8Generator pkcs8 = new Pkcs8Generator(privKey, algorithm);
pkcs8.Password = "******".ToCharArray();
pWrt.WriteObject(pkcs8);
pWrt.Writer.Close();
String result = sw.ToString();
PemReader pRd = new PemReader(new StringReader(result), new Password("hello".ToCharArray()));
IAsymmetricKeyParameter rdKey = (AsymmetricKeyParameter)pRd.ReadObject();
pRd.Reader.Close();
Assert.AreEqual(privKey, rdKey);
}
/// <inheritdoc/>
public async Task <(X509Certificate Certificate, RsaKeyParameters Key)> GetLocalCertificateAsync(ApplicationDescription applicationDescription, ILogger logger = null)
{
string applicationUri = applicationDescription.ApplicationUri;
if (string.IsNullOrEmpty(applicationUri))
{
throw new ArgumentOutOfRangeException(nameof(applicationDescription), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
}
string subjectName = null;
string hostName = null;
string appName = null;
UriBuilder appUri = new UriBuilder(applicationUri);
if (appUri.Scheme == "http" && !string.IsNullOrEmpty(appUri.Host))
{
var path = appUri.Path.Trim('/');
if (!string.IsNullOrEmpty(path))
{
hostName = appUri.Host;
appName = path;
subjectName = $"CN={appName},DC={hostName}";
}
}
if (appUri.Scheme == "urn")
{
var parts = appUri.Path.Split(new[] { ':' }, 2);
if (parts.Length == 2)
{
hostName = parts[0];
appName = parts[1];
subjectName = $"CN={appName},DC={hostName}";
}
}
if (subjectName == null)
{
throw new ArgumentOutOfRangeException(nameof(applicationDescription), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
}
var crt = default(X509Certificate);
var key = default(RsaKeyParameters);
// Build 'own/certs' certificate store.
var ownCerts = new Org.BouncyCastle.Utilities.Collections.HashSet();
var ownCertsInfo = new DirectoryInfo(Path.Combine(this.pkiPath, "own", "certs"));
if (ownCertsInfo.Exists)
{
foreach (var info in ownCertsInfo.EnumerateFiles())
{
using (var crtStream = info.OpenRead())
{
var c = this.certParser.ReadCertificate(crtStream);
if (c != null)
{
ownCerts.Add(c);
}
}
}
}
IX509Store ownCertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(ownCerts));
// Select the newest certificate that matches by subject name.
var selector = new X509CertStoreSelector()
{
Subject = new X509Name(subjectName)
};
crt = ownCertStore.GetMatches(selector).OfType <X509Certificate>().OrderBy(c => c.NotBefore).LastOrDefault();
if (crt != null)
{
// If certificate found, verify alt-name, and retrieve private key.
var asn1OctetString = crt.GetExtensionValue(X509Extensions.SubjectAlternativeName);
if (asn1OctetString != null)
{
var asn1Object = X509ExtensionUtilities.FromExtensionValue(asn1OctetString);
GeneralNames gns = GeneralNames.GetInstance(asn1Object);
if (gns.GetNames().Any(n => n.TagNo == GeneralName.UniformResourceIdentifier && n.Name.ToString() == applicationUri))
{
var ki = new FileInfo(Path.Combine(this.pkiPath, "own", "private", $"{crt.SerialNumber}.key"));
if (ki.Exists)
{
using (var keyStream = new StreamReader(ki.OpenRead()))
{
var keyReader = new PemReader(keyStream);
var keyPair = keyReader.ReadObject() as AsymmetricCipherKeyPair;
if (keyPair != null)
{
key = keyPair.Private as RsaKeyParameters;
}
}
}
}
}
}
// If certificate and key are found, return to caller.
if (crt != null && key != null)
{
logger?.LogTrace($"Found certificate with subject alt name '{applicationUri}'.");
return(crt, key);
}
if (!this.CreateLocalCertificateIfNotExist)
{
return(null, null);
}
// Create new certificate
var subjectDN = new X509Name(subjectName);
// Create a keypair.
var kp = await Task.Run <AsymmetricCipherKeyPair>(() =>
{
RsaKeyPairGenerator kg = new RsaKeyPairGenerator();
kg.Init(new KeyGenerationParameters(this.rng, 2048));
return(kg.GenerateKeyPair());
});
key = kp.Private as RsaPrivateCrtKeyParameters;
// Create a certificate.
X509V3CertificateGenerator cg = new X509V3CertificateGenerator();
var subjectSN = BigInteger.ProbablePrime(120, this.rng);
cg.SetSerialNumber(subjectSN);
cg.SetSubjectDN(subjectDN);
cg.SetIssuerDN(subjectDN);
cg.SetNotBefore(DateTime.Now.Date.ToUniversalTime());
cg.SetNotAfter(DateTime.Now.Date.ToUniversalTime().AddYears(25));
cg.SetPublicKey(kp.Public);
cg.AddExtension(
X509Extensions.BasicConstraints.Id,
true,
new BasicConstraints(false));
cg.AddExtension(
X509Extensions.SubjectKeyIdentifier.Id,
false,
new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public)));
cg.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subjectDN)), subjectSN));
cg.AddExtension(
X509Extensions.SubjectAlternativeName,
false,
new GeneralNames(new[] { new GeneralName(GeneralName.UniformResourceIdentifier, applicationUri), new GeneralName(GeneralName.DnsName, hostName) }));
cg.AddExtension(
X509Extensions.KeyUsage,
true,
new KeyUsage(KeyUsage.DataEncipherment | KeyUsage.DigitalSignature | KeyUsage.NonRepudiation | KeyUsage.KeyCertSign | KeyUsage.KeyEncipherment));
cg.AddExtension(
X509Extensions.ExtendedKeyUsage,
true,
new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth, KeyPurposeID.IdKPServerAuth));
crt = cg.Generate(new Asn1SignatureFactory("SHA256WITHRSA", key, this.rng));
logger?.LogTrace($"Created certificate with subject alt name '{applicationUri}'.");
var keyInfo = new FileInfo(Path.Combine(this.pkiPath, "own", "private", $"{crt.SerialNumber}.key"));
if (!keyInfo.Directory.Exists)
{
Directory.CreateDirectory(keyInfo.DirectoryName);
}
else if (keyInfo.Exists)
{
keyInfo.Delete();
}
using (var keystream = new StreamWriter(keyInfo.OpenWrite()))
{
var pemwriter = new PemWriter(keystream);
pemwriter.WriteObject(key);
}
var crtInfo = new FileInfo(Path.Combine(this.pkiPath, "own", "certs", $"{crt.SerialNumber}.crt"));
if (!crtInfo.Directory.Exists)
{
Directory.CreateDirectory(crtInfo.DirectoryName);
}
else if (crtInfo.Exists)
{
crtInfo.Delete();
}
using (var crtstream = new StreamWriter(crtInfo.OpenWrite()))
{
var pemwriter = new PemWriter(crtstream);
pemwriter.WriteObject(crt);
}
return(crt, key);
}
public void TestPkcs8Plain()
{
IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
kpGen.Init(new KeyGenerationParameters(new SecureRandom(), 1024));
IAsymmetricKeyParameter privKey = kpGen.GenerateKeyPair().Private;
StringWriter sw = new StringWriter();
PemWriter pWrt = new PemWriter(sw);
Pkcs8Generator pkcs8 = new Pkcs8Generator(privKey);
pWrt.WriteObject(pkcs8);
pWrt.Writer.Close();
string result = sw.ToString();
PemReader pRd = new PemReader(new StringReader(result), new Password("hello".ToCharArray()));
IAsymmetricKeyParameter rdKey = (AsymmetricKeyParameter)pRd.ReadObject();
pRd.Reader.Close();
Assert.AreEqual(privKey, rdKey);
}
