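public void VerifySelfSignedAppCerts(
            KeyHashPair keyHashPair
            )
        {
            // Creates a self-signed application instance certificate for one generated test
            // application, using the key size and hash algorithm of the supplied pair, and
            // checks that the result is self-signed and carries a usable RSA key pair.
            var appTestGenerator    = new ApplicationTestDataGenerator(keyHashPair.KeySize);
            ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();

            // The created certificate holds a private key handle; dispose it once the checks are done.
            using (var cert = CertificateFactory.CreateCertificate(app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames)
                       .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
                       .SetRSAKeySize(keyHashPair.KeySize)
                       .CreateForRSA())
            {
                Assert.NotNull(cert);
                Assert.NotNull(cert.RawData);
                Assert.True(cert.HasPrivateKey);

                // Both halves of the key pair must be exportable; ExportParameters throws when they are not.
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    rsa.ExportParameters(true);
                }
                using (RSA rsa = cert.GetRSAPublicKey())
                {
                    rsa.ExportParameters(false);
                }

                // Re-parse the DER bytes so the application checks run on a public-only copy.
                using (var plainCert = new X509Certificate2(cert.RawData))
                {
                    Assert.NotNull(plainCert);
                    VerifyApplicationCert(app, plainCert);
                    // Self-signed: the certificate's own public key must match its private key.
                    X509Utils.VerifyRSAKeyPair(cert, cert, true);
                    Assert.True(X509Utils.VerifySelfSigned(cert));
                }
            }
        }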
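        public void VerifySignedAppCerts(
            KeyHashPair keyHashPair
            )
        {
            // Issues an application instance certificate from the root CA registered for the
            // requested key size and checks the issued certificate and its RSA key pair.
            X509Certificate2 caCert;

            // Without a matching root CA the test cannot run; Assert.Ignore aborts it as inconclusive.
            if (!m_rootCACertificate.TryGetValue(keyHashPair.KeySize, out caCert))
            {
                Assert.Ignore("Could not load Root CA.");
            }
            // caCert is shared fixture state from m_rootCACertificate and is not disposed here.
            Assert.NotNull(caCert);
            Assert.NotNull(caCert.RawData);
            Assert.True(caCert.HasPrivateKey);  // signing requires the CA private key
            var appTestGenerator    = new ApplicationTestDataGenerator(keyHashPair.KeySize);
            ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();

            // The issued certificate holds a private key handle; dispose it once the checks are done.
            using (var cert = CertificateFactory.CreateCertificate(
                app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames)
                       .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
                       .SetIssuer(caCert)
                       .SetRSAKeySize(keyHashPair.KeySize)
                       .CreateForRSA())
            {
                Assert.NotNull(cert);
                Assert.NotNull(cert.RawData);
                Assert.True(cert.HasPrivateKey);
                using (var plainCert = new X509Certificate2(cert.RawData))
                {
                    Assert.NotNull(plainCert);
                    VerifyApplicationCert(app, plainCert, caCert);
                    // Check that the public key of the re-parsed copy matches the private key of
                    // the issued certificate, and fail the test on a mismatch (throwOnError) rather
                    // than discarding the result. The previous call compared the application cert
                    // with the CA key pair, which cannot match, and never asserted the outcome.
                    X509Utils.VerifyRSAKeyPair(plainCert, cert, true);
                }
            }
        }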
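        public void VerifySignedAppCerts(
            KeyHashPair keyHashPair
            )
        {
            // Issues an application instance certificate from the issuer that GetIssuer returns
            // for the key/hash pair and checks the issued certificate and its RSA key pair.
            // The issuer certificate is obtained from the fixture and is not disposed here.
            X509Certificate2 issuerCertificate = GetIssuer(keyHashPair);

            Assert.NotNull(issuerCertificate);
            Assert.NotNull(issuerCertificate.RawData);
            Assert.True(issuerCertificate.HasPrivateKey);  // signing requires the issuer private key
            var appTestGenerator    = new ApplicationTestDataGenerator(keyHashPair.KeySize);
            ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();

            // The issued certificate holds a private key handle; dispose it once the checks are done.
            using (var cert = CertificateFactory.CreateCertificate(
                app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames)
                       .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
                       .SetIssuer(issuerCertificate)
                       .SetRSAKeySize(keyHashPair.KeySize)
                       .CreateForRSA())
            {
                Assert.NotNull(cert);
                Assert.NotNull(cert.RawData);
                Assert.True(cert.HasPrivateKey);
                using (var plainCert = new X509Certificate2(cert.RawData))
                {
                    Assert.NotNull(plainCert);
                    VerifyApplicationCert(app, plainCert, issuerCertificate);
                    // Public key of the re-parsed copy must match the private key of the issued
                    // certificate; throwOnError makes a mismatch fail the test.
                    X509Utils.VerifyRSAKeyPair(plainCert, cert, true);
                }
            }
        }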
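        public CertificateStorageTestFixture()
        {
            // Loads the test configuration (JSON files, .env file, environment variables) and,
            // when the configuration is usable, wires up the Cosmos DB backed registries, the
            // Key Vault client and the request service, then purges the test group.
            // Secrets (vault credentials) come only from the configuration sources; none are in code.
            var builder = new ConfigurationBuilder()
                          .SetBasePath(Directory.GetCurrentDirectory())
                          .AddJsonFile("testsettings.json", false, true)
                          .AddJsonFile("testsettings.Development.json", true, true)
                          .AddFromDotEnvFile()
                          .AddEnvironmentVariables();
            var configuration = builder.Build();

            _serviceConfig = new VaultConfig(configuration);
            _clientConfig  = new ClientConfig(configuration);
            _vaultConfig   = new KeyVaultConfig(configuration);
            _logger        = SerilogTestLogger.Create <CertificateStorageTestFixture>();
            // InvalidConfiguration() presumably checks that the loaded settings are complete;
            // with an invalid configuration the fixture stays un-wired and the tests are expected to skip.
            if (!InvalidConfiguration())
            {
                RandomGenerator = new ApplicationTestDataGenerator();

                // Create registry
                GroupId = "test";

                Registry = new TrustGroupDatabase(new ItemContainerFactory(
                                                      new CosmosDbServiceClient(_serviceConfig, _logger)), _logger);

                // Create client
                var serializer = new KeyVaultKeyHandleSerializer();
                var repo       = new CertificateDatabase(new ItemContainerFactory(
                                                             new CosmosDbServiceClient(_serviceConfig, _logger)), serializer);
                _keyVaultServiceClient = new KeyVaultServiceClient(_vaultConfig,
                                                                   new AppAuthenticationProvider(_clientConfig), repo, _logger);

                // Create services: the Key Vault client serves as both key store and issuer.
                Services = new RequestDatabase(
                    repo,
                    _keyVaultServiceClient,  // keystore
                    Registry,
                    _keyVaultServiceClient,  // issuer
                    new CertificateRevoker(repo, _keyVaultServiceClient, _keyVaultServiceClient),
                    new EntityExtensionFactory(_keyVaultServiceClient),
                    _serviceConfig);

                // Clear any state left by a previous run. A constructor cannot await, so block;
                // GetAwaiter().GetResult() surfaces the original exception instead of an AggregateException.
                _keyVaultServiceClient.PurgeAsync("groups", GroupId, CancellationToken.None).GetAwaiter().GetResult();
            }
            // NOTE(review): starts false regardless of the branch above; presumably a test sets it — confirm.
            KeyVaultInitOk = false;
        }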
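        protected void OneTimeSetUp()
        {
            // Starts the test GDS server on a time-derived port, loads the matching client
            // configuration and generates the good and invalid application test sets.

            // work around travis issue by selecting different ports on every run:
            // 50000 plus a 13-bit value (0..8191) taken from the current file time. The mask is
            // applied to the 64-bit value before narrowing, instead of truncating the file time
            // to Int32 first (which could go negative and made the arithmetic hard to follow).
            int testPort = 50000 + (int)((DateTime.UtcNow.ToFileTimeUtc() / 10000) & 0x1fff);

            // Setup cannot await; GetAwaiter().GetResult() blocks like Wait() but rethrows the
            // original exception rather than an AggregateException.
            _server = new GlobalDiscoveryTestServer(true);
            _server.StartServer(true, testPort).GetAwaiter().GetResult();

            // load client
            _gdsClient = new GlobalDiscoveryTestClient(true);
            _gdsClient.LoadClientConfiguration(testPort).GetAwaiter().GetResult();

            // good applications test set (seed 1 keeps the generated data reproducible across runs)
            _appTestDataGenerator      = new ApplicationTestDataGenerator(1);
            _goodApplicationTestSet    = _appTestDataGenerator.ApplicationTestSet(goodApplicationsTestCount, false);
            _invalidApplicationTestSet = _appTestDataGenerator.ApplicationTestSet(invalidApplicationsTestCount, true);

            // progress flags raised by the individual tests
            _goodRegistrationOk      = false;
            _invalidRegistrationOk   = false;
            _goodNewKeyPairRequestOk = false;
        }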
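        public void VerifySelfSignedAppCerts(
            KeyHashPair keyHashPair
            )
        {
            // Creates a self-signed application instance certificate for one generated test
            // application with the requested key and hash sizes, then checks that it is
            // self-signed and carries a matching RSA key pair.
            var appTestGenerator    = new ApplicationTestDataGenerator(keyHashPair.KeySize);
            ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First();
            // Leading nulls: no store type/path/password, so the certificate is not persisted.
            var cert = CertificateFactory.CreateCertificate(null, null, null,
                                                            app.ApplicationUri, app.ApplicationName, app.Subject,
                                                            app.DomainNames, keyHashPair.KeySize, DateTime.UtcNow,
                                                            CertificateFactory.DefaultLifeTime, keyHashPair.HashSize);

            Assert.NotNull(cert);
            Assert.NotNull(cert.RawData);
            Assert.True(cert.HasPrivateKey);

            // Re-parse the DER bytes so the application checks run on a public-only copy,
            // and dispose it afterwards.
            using (var plainCert = new X509Certificate2(cert.RawData))
            {
                Assert.NotNull(plainCert);
                VerifySelfSignedApplicationCert(app, plainCert);
                // Assert the outcome instead of discarding it, as the X509Utils based test does.
                Assert.True(CertificateFactory.VerifySelfSigned(cert));
                // NOTE(review): the result of this call is not asserted here; if this overload
                // returns bool, wrap it in Assert.True as well — confirm against the factory.
                CertificateFactory.VerifyRSAKeyPair(cert, cert);
            }
        }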
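        protected void OneTimeSetUp()
        {
            // Builds the PKI fixture used by the validator tests: a CA chain (root plus
            // kCaChainCount - 1 sub CAs), a second chain with the same subjects but different
            // keys, CRLs for every CA (an empty one, a duplicate, and one revoking the next CA
            // or all application certs), plus self-signed and CA-issued application certificates
            // for the generated test applications. All results are stored in fields.

            // set max RSA key size and max SHA-2 hash size; both step down at each sub CA level
            ushort keySize  = 4096;
            ushort hashSize = 512;

            // pki directory root for test runs; the time-derived suffix keeps runs from sharing a store.
            m_pkiRoot     = "%LocalApplicationData%/OPC/CertValidatorTest/" + ((DateTime.UtcNow.Ticks / 10000) % 3600000).ToString() + "/";
            m_issuerStore = new DirectoryCertificateStore();
            m_issuerStore.Open(m_pkiRoot + "issuer");
            m_trustedStore = new DirectoryCertificateStore();
            m_trustedStore.Open(m_pkiRoot + "trusted");

            // good applications test set (seed 1 keeps the generated data reproducible)
            var appTestDataGenerator = new ApplicationTestDataGenerator(1);

            m_goodApplicationTestSet = appTestDataGenerator.ApplicationTestSet(kGoodApplicationsTestCount);

            // create all certs and CRL
            m_caChain              = new X509Certificate2[kCaChainCount];
            m_caDupeChain          = new X509Certificate2[kCaChainCount];
            m_caAllSameIssuerChain = new X509Certificate2[kCaChainCount];   // allocated here, not populated in this method
            m_crlChain             = new X509CRL[kCaChainCount];
            m_crlDupeChain         = new X509CRL[kCaChainCount];
            m_crlRevokedChain      = new X509CRL[kCaChainCount];
            m_appCerts             = new X509Certificate2Collection();
            m_appSelfSignedCerts   = new X509Certificate2Collection();

            // Root CA validity starts on Jan 1 of last year. The kind is set to UTC explicitly so
            // the notBefore value cannot be reinterpreted through the local time zone
            // (a DateTime built without a kind is DateTimeKind.Unspecified).
            DateTime rootCABaseTime = DateTime.UtcNow;

            rootCABaseTime = new DateTime(rootCABaseTime.Year - 1, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            // Leading nulls: no store type/path/password, so nothing is persisted to a store.
            // Root CA: 25 years (in months), CA constraint set, no path length limit.
            var rootCert = CertificateFactory.CreateCertificate(
                null, null, null,
                null, null, "CN=Root CA Test Cert",
                null, keySize, rootCABaseTime, 25 * 12, hashSize, true,
                pathLengthConstraint: -1);

            m_caChain[0]     = rootCert;
            m_crlChain[0]    = CertificateFactory.RevokeCertificate(rootCert, null, null);
            // Duplicate root: same subject, freshly generated key, so it must not validate the real chain.
            m_caDupeChain[0] = CertificateFactory.CreateCertificate(
                null, null, null,
                null, null, "CN=Root CA Test Cert",
                null, keySize, rootCABaseTime, 25 * 12, hashSize, true,
                pathLengthConstraint: -1);
            m_crlDupeChain[0]    = CertificateFactory.RevokeCertificate(m_caDupeChain[0], null, null);
            m_crlRevokedChain[0] = null;

            var      signingCert   = rootCert;
            DateTime subCABaseTime = DateTime.UtcNow;

            // Sub CAs are valid from the start of today (UTC).
            subCABaseTime = new DateTime(subCABaseTime.Year, subCABaseTime.Month, subCABaseTime.Day, 0, 0, 0, DateTimeKind.Utc);
            for (int i = 1; i < kCaChainCount; i++)
            {
                // Each level uses a smaller key and hash than its issuer, down to 2048 / 256.
                if (keySize > 2048)
                {
                    keySize -= 1024;
                }
                if (hashSize > 256)
                {
                    hashSize -= 128;
                }
                var subject   = $"CN=Sub CA {i} Test Cert";
                // 5 years, signed by the previous level; remaining path length shrinks toward the leaf.
                var subCACert = CertificateFactory.CreateCertificate(
                    null, null, null,
                    null, null, subject,
                    null, keySize, subCABaseTime, 5 * 12, hashSize, true,
                    signingCert, pathLengthConstraint: kCaChainCount - 1 - i);
                m_caChain[i] = subCACert;

                // Empty CRL for this level, valid for 10 days from the sub CA base time.
                m_crlChain[i] = CertificateFactory.RevokeCertificate(subCACert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
                var subCADupeCert = CertificateFactory.CreateCertificate(
                    null, null, null,
                    null, null, subject,
                    null, keySize, subCABaseTime, 5 * 12, hashSize, true,
                    signingCert, pathLengthConstraint: kCaChainCount - 1 - i);
                m_caDupeChain[i]     = subCADupeCert;
                m_crlDupeChain[i]    = CertificateFactory.RevokeCertificate(subCADupeCert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
                m_crlRevokedChain[i] = null;
                signingCert          = subCACert;
            }

            // create a CRL with a revoked Sub CA: level i's CRL lists the certificate of level i + 1
            for (int i = 0; i < kCaChainCount - 1; i++)
            {
                m_crlRevokedChain[i] = CertificateFactory.RevokeCertificate(
                    m_caChain[i],
                    new List <X509CRL>()
                {
                    m_crlChain[i]
                },
                    new X509Certificate2Collection {
                    m_caChain[i + 1]
                });
            }

            // create self signed app certs, valid since yesterday for 2 years
            DateTime appBaseTime = DateTime.UtcNow - TimeSpan.FromDays(1);

            foreach (var app in m_goodApplicationTestSet)
            {
                var subject = app.Subject;
                var appCert = CertificateFactory.CreateCertificate(
                    null, null, null,
                    app.ApplicationUri,
                    app.ApplicationName,
                    subject,
                    app.DomainNames,
                    CertificateFactory.DefaultKeySize, appBaseTime, 2 * 12,
                    CertificateFactory.DefaultHashSize);
                m_appSelfSignedCerts.Add(appCert);
            }

            // create signed app certs, issued by the last sub CA in the chain
            foreach (var app in m_goodApplicationTestSet)
            {
                var subject = app.Subject;
                var appCert = CertificateFactory.CreateCertificate(
                    null, null, null,
                    app.ApplicationUri,
                    app.ApplicationName,
                    subject,
                    app.DomainNames,
                    CertificateFactory.DefaultKeySize, appBaseTime, 2 * 12,
                    CertificateFactory.DefaultHashSize, false, signingCert);
                app.Certificate = appCert.RawData;
                m_appCerts.Add(appCert);
            }

            // create a CRL with all apps revoked, issued by the last sub CA
            m_crlRevokedChain[kCaChainCount - 1] = CertificateFactory.RevokeCertificate(
                m_caChain[kCaChainCount - 1],
                new List <X509CRL>()
            {
                m_crlChain[kCaChainCount - 1]
            },
                m_appCerts);
        }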
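        public CertificateAuthorityTestFixture()
        {
            // Loads the test configuration (JSON files, .env file, environment variables) and,
            // when the configuration is usable, wires up the application and trust group
            // registries, the Key Vault client, the request services and the certificate
            // request manager, creates a fresh trust group and generates the application test set.
            // Secrets (vault credentials) come only from the configuration sources; none are in code.
            RandomGenerator = new ApplicationTestDataGenerator(kRandomStart);
            var builder = new ConfigurationBuilder()
                          .SetBasePath(Directory.GetCurrentDirectory())
                          .AddJsonFile("testsettings.json", false, true)
                          .AddJsonFile("testsettings.Development.json", true, true)
                          .AddFromDotEnvFile()
                          .AddEnvironmentVariables();
            var configuration = builder.Build();

            _serviceConfig = new VaultConfig(configuration);
            _clientConfig  = new ClientConfig(configuration);
            _vaultConfig   = new KeyVaultConfig(configuration);
            _logger        = SerilogTestLogger.Create <CertificateAuthorityTestFixture>();
            // InvalidConfiguration() presumably checks that the loaded settings are complete;
            // with an invalid configuration the fixture stays un-wired and the tests are expected to skip.
            if (!InvalidConfiguration())
            {
                ApplicationsDatabase = new ApplicationRegistry(new ApplicationDatabase(
                                                                   new ItemContainerFactory(new CosmosDbServiceClient(_serviceConfig, _logger)), _logger),
                                                               new EndpointRegistryStub(), new EndpointRegistryStub(),
                                                               new ApplicationEventBrokerStub(), _logger);

                // time-derived suffix (0..9999) so concurrent or repeated runs get distinct group names
                var timeid = DateTime.UtcNow.ToFileTimeUtc() / 1000 % 10000;

                // Create group registry. A constructor cannot await, so block; GetAwaiter().GetResult()
                // surfaces the original exception instead of an AggregateException.
                Registry = new TrustGroupDatabase(new ItemContainerFactory(
                                                      new CosmosDbServiceClient(_serviceConfig, _logger)), _logger);
                _groupId = Registry.CreateGroupAsync(new Models.TrustGroupRegistrationRequestModel {
                    Name        = "CertReqConfig" + timeid.ToString(),
                    SubjectName = "CN=OPC Vault Cert Request Test CA, O=Microsoft, OU=Azure IoT",
                }).GetAwaiter().GetResult().Id;

                // Create client
                var serializer = new KeyVaultKeyHandleSerializer();
                var repo       = new CertificateDatabase(new ItemContainerFactory(
                                                             new CosmosDbServiceClient(_serviceConfig, _logger)), serializer);
                _keyVaultServiceClient = new KeyVaultServiceClient(_vaultConfig,
                                                                   new AppAuthenticationProvider(_clientConfig), repo, _logger);

                // Create services: the Key Vault client serves as both key store and issuer.
                _keyVaultCertificateGroup = new RequestDatabase(
                    repo,
                    _keyVaultServiceClient,  // keystore
                    Registry,
                    _keyVaultServiceClient,  // issuer
                    new CertificateRevoker(repo, _keyVaultServiceClient, _keyVaultServiceClient),
                    new EntityExtensionFactory(_keyVaultServiceClient),
                    _serviceConfig);
                // Clear any state stored under the new group id before the tests start.
                _keyVaultServiceClient.PurgeAsync("groups", _groupId, CancellationToken.None).GetAwaiter().GetResult();
                Services = _keyVaultCertificateGroup;

                CertificateAuthority = new CertificateRequestManager(ApplicationsDatabase, Services,
                                                                     new ItemContainerFactory(new CosmosDbServiceClient(_serviceConfig, _logger)), _logger);
                RequestManagement = (IRequestManagement)CertificateAuthority;

                // create test set of kTestSetSize random applications
                ApplicationTestSet = new List <ApplicationTestData>();
                for (var i = 0; i < kTestSetSize; i++)
                {
                    var randomApp = RandomGenerator.RandomApplicationTestData();
                    ApplicationTestSet.Add(randomApp);
                }
            }
            // NOTE(review): starts false regardless of the branch above; presumably a test sets it — confirm.
            RegistrationOk = false;
        }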
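        protected void OneTimeSetUp()
        {
            // Builds the PKI fixture used by the validator tests: a CA chain (root plus
            // kCaChainCount - 1 sub CAs), a second chain with the same subjects but different
            // keys, CRLs for every CA (an empty one, a duplicate, and one revoking the next CA
            // or all application certs), plus self-signed and CA-issued application certificates
            // for the generated test applications. All results are stored in fields.

            // set max RSA key size and max SHA-2 hash size; both step down at each sub CA level
            ushort keySize  = 4096;
            ushort hashSize = 512;

            // pki directory root for test runs; the time-derived suffix keeps runs from sharing a store.
            m_pkiRoot     = "%LocalApplicationData%/OPC/CertValidatorTest/" + ((DateTime.UtcNow.Ticks / 10000) % 3600000).ToString() + "/";
            m_issuerStore = new DirectoryCertificateStore();
            m_issuerStore.Open(m_pkiRoot + "issuer");
            m_trustedStore = new DirectoryCertificateStore();
            m_trustedStore.Open(m_pkiRoot + "trusted");

            // good applications test set (seed 1 keeps the generated data reproducible)
            var appTestDataGenerator = new ApplicationTestDataGenerator(1);

            m_goodApplicationTestSet = appTestDataGenerator.ApplicationTestSet(kGoodApplicationsTestCount);

            // create all certs and CRL
            m_caChain            = new X509Certificate2[kCaChainCount];
            m_caDupeChain        = new X509Certificate2[kCaChainCount];
            m_crlChain           = new X509CRL[kCaChainCount];
            m_crlDupeChain       = new X509CRL[kCaChainCount];
            m_crlRevokedChain    = new X509CRL[kCaChainCount];
            m_appCerts           = new X509Certificate2Collection();
            m_appSelfSignedCerts = new X509Certificate2Collection();

            // Root CA validity starts on Jan 1 of last year. The kind is set to UTC explicitly,
            // as for subCABaseTime below, so the notBefore value cannot be reinterpreted through
            // the local time zone (a DateTime built without a kind is DateTimeKind.Unspecified).
            DateTime rootCABaseTime = DateTime.UtcNow;

            rootCABaseTime = new DateTime(rootCABaseTime.Year - 1, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            // Root CA: 25 years (in months), CA constraint, strongest key and hash.
            var rootCert = CertificateFactory.CreateCertificate(RootCASubject)
                           .SetNotBefore(rootCABaseTime)
                           .SetLifeTime(25 * 12)
                           .SetCAConstraint()
                           .SetHashAlgorithm(CertificateFactory.GetRSAHashAlgorithmName(hashSize))
                           .SetRSAKeySize(keySize)
                           .CreateForRSA();

            m_caChain[0]  = rootCert;
            m_crlChain[0] = CertificateFactory.RevokeCertificate(rootCert, null, null);

            // to save time, the dupe chain uses just the default key size/hash
            // (same subject as the real root, different key, so it must not validate the real chain)
            m_caDupeChain[0] = CertificateFactory.CreateCertificate(RootCASubject)
                               .SetNotBefore(rootCABaseTime)
                               .SetLifeTime(25 * 12)
                               .SetCAConstraint()
                               .CreateForRSA();

            m_crlDupeChain[0]    = CertificateFactory.RevokeCertificate(m_caDupeChain[0], null, null);
            m_crlRevokedChain[0] = null;

            var      signingCert   = rootCert;
            DateTime subCABaseTime = DateTime.UtcNow;

            // Sub CAs are valid from the start of today (UTC).
            subCABaseTime = new DateTime(subCABaseTime.Year, subCABaseTime.Month, subCABaseTime.Day, 0, 0, 0, DateTimeKind.Utc);
            for (int i = 1; i < kCaChainCount; i++)
            {
                // Each level uses a smaller key and hash than its issuer, down to 2048 / 256.
                if (keySize > 2048)
                {
                    keySize -= 1024;
                }
                if (hashSize > 256)
                {
                    hashSize -= 128;
                }
                var subject   = $"CN=Sub CA {i} Test Cert";
                // 5 years, signed by the previous level; remaining path length shrinks toward the leaf.
                var subCACert = CertificateFactory.CreateCertificate(subject)
                                .SetNotBefore(subCABaseTime)
                                .SetLifeTime(5 * 12)
                                .SetHashAlgorithm(CertificateFactory.GetRSAHashAlgorithmName(hashSize))
                                .SetCAConstraint(kCaChainCount - 1 - i)
                                .SetIssuer(signingCert)
                                .SetRSAKeySize(keySize)
                                .CreateForRSA();
                m_caChain[i]  = subCACert;
                // Empty CRL for this level, valid for 10 days from the sub CA base time.
                m_crlChain[i] = CertificateFactory.RevokeCertificate(subCACert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
                var subCADupeCert = CertificateFactory.CreateCertificate(subject)
                                    .SetNotBefore(subCABaseTime)
                                    .SetLifeTime(5 * 12)
                                    .SetCAConstraint(kCaChainCount - 1 - i)
                                    .SetIssuer(signingCert)
                                    .CreateForRSA();
                m_caDupeChain[i]     = subCADupeCert;
                m_crlDupeChain[i]    = CertificateFactory.RevokeCertificate(subCADupeCert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
                m_crlRevokedChain[i] = null;
                signingCert          = subCACert;
            }

            // create a CRL with a revoked Sub CA: level i's CRL lists the certificate of level i + 1
            for (int i = 0; i < kCaChainCount - 1; i++)
            {
                m_crlRevokedChain[i] = CertificateFactory.RevokeCertificate(
                    m_caChain[i],
                    new List <X509CRL>()
                {
                    m_crlChain[i]
                },
                    new X509Certificate2Collection {
                    m_caChain[i + 1]
                });
            }

            // create self signed app certs (factory defaults for key size, hash and validity)
            foreach (var app in m_goodApplicationTestSet)
            {
                var subject = app.Subject;
                var appCert = CertificateFactory.CreateCertificate(
                    app.ApplicationUri,
                    app.ApplicationName,
                    subject,
                    app.DomainNames)
                              .CreateForRSA();
                m_appSelfSignedCerts.Add(appCert);
            }

            // create signed app certs, issued by the last sub CA in the chain
            foreach (var app in m_goodApplicationTestSet)
            {
                var subject = app.Subject;
                var appCert = CertificateFactory.CreateCertificate(
                    app.ApplicationUri,
                    app.ApplicationName,
                    subject,
                    app.DomainNames)
                              .SetIssuer(signingCert)
                              .CreateForRSA();
                app.Certificate = appCert.RawData;
                m_appCerts.Add(appCert);
            }

            // create a CRL with all apps revoked, issued by the last sub CA
            m_crlRevokedChain[kCaChainCount - 1] = CertificateFactory.RevokeCertificate(
                m_caChain[kCaChainCount - 1],
                new List <X509CRL>()
            {
                m_crlChain[kCaChainCount - 1]
            },
                m_appCerts);
        }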