public void VerifySignedAppCerts(
KeyHashPair keyHashPair
)
{
X509Certificate2 issuerCertificate = GetIssuer(keyHashPair);
Assert.NotNull(issuerCertificate);
Assert.NotNull(issuerCertificate.RawData);
Assert.True(issuerCertificate.HasPrivateKey);
var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize);
ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();
var cert = CertificateFactory.CreateCertificate(
app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames)
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetIssuer(issuerCertificate)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
Assert.NotNull(cert.RawData);
Assert.True(cert.HasPrivateKey);
using (var plainCert = new X509Certificate2(cert.RawData))
{
Assert.NotNull(plainCert);
VerifyApplicationCert(app, plainCert, issuerCertificate);
X509Utils.VerifyRSAKeyPair(plainCert, cert, true);
}
}
public void VerifySelfSignedAppCerts(
KeyHashPair keyHashPair
)
{
var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize);
ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();
var cert = CertificateFactory.CreateCertificate(app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames)
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
Assert.NotNull(cert.RawData);
Assert.True(cert.HasPrivateKey);
using (RSA rsa = cert.GetRSAPrivateKey())
{
rsa.ExportParameters(true);
}
using (RSA rsa = cert.GetRSAPublicKey())
{
rsa.ExportParameters(false);
}
var plainCert = new X509Certificate2(cert.RawData);
Assert.NotNull(plainCert);
VerifyApplicationCert(app, plainCert);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
public void VerifySignedAppCerts(
KeyHashPair keyHashPair
)
{
X509Certificate2 caCert;
if (!m_rootCACertificate.TryGetValue(keyHashPair.KeySize, out caCert))
{
Assert.Ignore($"Could not load Root CA.");
}
Assert.NotNull(caCert);
Assert.NotNull(caCert.RawData);
Assert.True(caCert.HasPrivateKey);
var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize);
ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();
var cert = CertificateFactory.CreateCertificate(
app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames)
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetIssuer(caCert)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
Assert.NotNull(cert.RawData);
Assert.True(cert.HasPrivateKey);
using (var plainCert = new X509Certificate2(cert.RawData))
{
Assert.NotNull(plainCert);
VerifyApplicationCert(app, plainCert, caCert);
X509Utils.VerifyRSAKeyPair(cert, caCert);
}
}
public async Task RegisterAllApplications()
{
foreach (var application in _applicationTestSet)
{
var result = await _applicationsDatabase.RegisterApplicationAsync(
application.Model.ToRegistrationRequest());
var applicationModel = await _applicationsDatabase.GetApplicationAsync(application.Model.ApplicationId);
Assert.NotNull(applicationModel);
Assert.NotNull(applicationModel.Application.ApplicationId);
ApplicationTestData.AssertEqualApplicationModelData(applicationModel.Application, application.Model);
application.Model = applicationModel.Application;
Assert.NotNull(applicationModel);
}
_fixture.RegistrationOk = true;
}
public void VerifySelfSignedAppCerts(
KeyHashPair keyHashPair
)
{
var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize);
ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();
var cert = CertificateFactory.CreateCertificate(null, null, null,
app.ApplicationUri, app.ApplicationName, app.Subject,
app.DomainNames, keyHashPair.KeySize, DateTime.UtcNow,
CertificateFactory.DefaultLifeTime, keyHashPair.HashSize);
Assert.NotNull(cert);
Assert.NotNull(cert.RawData);
Assert.True(cert.HasPrivateKey);
var plainCert = new X509Certificate2(cert.RawData);
Assert.NotNull(plainCert);
VerifySelfSignedApplicationCert(app, plainCert);
CertificateFactory.VerifySelfSigned(cert);
CertificateFactory.VerifyRSAKeyPair(cert, cert);
}
public static void VerifyApplicationCert(ApplicationTestData testApp, X509Certificate2 cert, X509Certificate2 issuerCert = null)
{
bool signedCert = issuerCert != null;
if (issuerCert == null)
{
issuerCert = cert;
}
TestContext.Out.WriteLine($"{nameof(VerifyApplicationCert)}:");
Assert.NotNull(cert);
TestContext.Out.WriteLine(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(testApp.Subject, cert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(issuerCert.Subject, cert.Issuer));
// test basic constraints
X509BasicConstraintsExtension constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine(constraints.Format(true));
Assert.True(constraints.Critical);
if (signedCert)
{
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
}
else
{
Assert.True(constraints.CertificateAuthority);
Assert.True(constraints.HasPathLengthConstraint);
Assert.AreEqual(0, constraints.PathLengthConstraint);
}
// key usage
X509KeyUsageExtension keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine(keyUsage.Format(true));
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == (signedCert ? 0 : X509KeyUsageFlags.KeyCertSign));
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.NotNull(enhancedKeyUsage);
TestContext.Out.WriteLine(enhancedKeyUsage.Format(true));
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(cert);
Assert.NotNull(authority);
TestContext.Out.WriteLine(authority.Format(true));
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
if (issuerCert == null)
{
Assert.AreEqual(cert.SubjectName.RawData, authority.Issuer.RawData);
Assert.True(X509Utils.CompareDistinguishedName(cert.SubjectName.Name, authority.Issuer.Name), $"{cert.SubjectName.Name} != {authority.Issuer.Name}");
}
else
{
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
Assert.True(X509Utils.CompareDistinguishedName(issuerCert.SubjectName.Name, authority.Issuer.Name), $"{cert.SubjectName.Name} != {authority.Issuer.Name}");
}
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(cert);
TestContext.Out.WriteLine(subjectKeyId.Format(true));
if (signedCert)
{
var caCertSubjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(issuerCert);
Assert.NotNull(caCertSubjectKeyId);
Assert.AreEqual(caCertSubjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
}
else
{
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
}
Assert.AreEqual(issuerCert.GetSerialNumber(), authority.GetSerialNumber());
Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(cert);
Assert.NotNull(subjectAlternateName);
TestContext.Out.WriteLine(subjectAlternateName.Format(true));
Assert.False(subjectAlternateName.Critical);
var domainNames = X509Utils.GetDomainsFromCertficate(cert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = X509Utils.GetApplicationUriFromCertificate(cert);
TestContext.Out.WriteLine("ApplicationUri: ");
TestContext.Out.WriteLine(applicationUri);
Assert.AreEqual(testApp.ApplicationUri, applicationUri);
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp,
X509Certificate2 signedCert, X509Certificate2Collection issuerCerts)
{
var issuerCert = issuerCerts[0];
var signedCertO = signedCert.ToCertificate();
Assert.NotNull(signedCertO);
Assert.False(signedCert.HasPrivateKey);
Assert.True(Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
// test basic constraints
var constraints = signedCertO.GetBasicConstraintsExtension();
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
var keyUsage = signedCertO.GetKeyUsageExtension();
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
var enhancedKeyUsage = signedCertO.GetEnhancedKeyUsageExtension();
Assert.NotNull(enhancedKeyUsage);
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
var authority = signedCertO.GetAuthorityKeyIdentifierExtension();
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
var subjectKeyId = signedCertO.GetSubjectKeyIdentifierExtension();
Assert.Equal(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.Equal(issuerCert.SerialNumber, authority.SerialNumber.ToString());
var subjectAlternateName = signedCertO.GetSubjectAltNameExtension();
Assert.NotNull(subjectAlternateName);
Assert.False(subjectAlternateName.Critical);
var domainNames = Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.Contains(domainName, domainNames, StringComparer.OrdinalIgnoreCase);
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
var issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var cert in issuerCerts)
{
issuerCertIdCollection.Add(new CertificateIdentifier(cert));
}
// verify cert with issuer chain
var certValidator = new CertificateValidator();
var issuerStore = new CertificateTrustList();
var trustedStore = new CertificateTrustList {
TrustedCertificates = issuerCertIdCollection
};
certValidator.Update(trustedStore, issuerStore, null);
Assert.Throws <ServiceResultException>(() => certValidator.Validate(signedCert));
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(signedCert);
}
public static void VerifySelfSignedApplicationCert(ApplicationTestData testApp, X509Certificate2 cert)
{
Assert.NotNull(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(Utils.CompareDistinguishedName(testApp.Subject, cert.Subject));
Assert.True(Utils.CompareDistinguishedName(testApp.Subject, cert.Issuer));
// test basic constraints
var constraints = FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.True(constraints.CertificateAuthority);
Assert.True(constraints.HasPathLengthConstraint);
Assert.AreEqual(0, constraints.PathLengthConstraint);
// key usage
var keyUsage = FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.NotNull(enhancedKeyUsage);
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(cert);
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = FindExtension <X509SubjectKeyIdentifierExtension>(cert);
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.AreEqual(cert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = FindSubjectAltName(cert);
Assert.NotNull(subjectAlternateName);
Assert.False(subjectAlternateName.Critical);
var domainNames = Utils.GetDomainsFromCertficate(cert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = Utils.GetApplicationUriFromCertificate(cert);
Assert.AreEqual(testApp.ApplicationUri, applicationUri);
}
