public static void ArgumentValidation()
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(string.Empty));
AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(string.Empty));
AssertExtensions.Throws <ArgumentNullException>("uri", () => builder.AddUri(null));
AssertExtensions.Throws <ArgumentNullException>("ipAddress", () => builder.AddIpAddress(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(null));
AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(string.Empty));
}
public static void EnumerateDnsNames(LoadMode loadMode)
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName("foo");
builder.AddIpAddress(IPAddress.Loopback);
builder.AddUserPrincipalName("*****@*****.**");
builder.AddIpAddress(IPAddress.IPv6Loopback);
builder.AddDnsName("*.foo");
X509Extension built = builder.Build(true);
X509SubjectAlternativeNameExtension ext;
switch (loadMode)
{
case LoadMode.CopyFrom:
ext = new X509SubjectAlternativeNameExtension();
ext.CopyFrom(built);
break;
case LoadMode.Array:
ext = new X509SubjectAlternativeNameExtension(built.RawData);
break;
case LoadMode.Span:
byte[] tmp = new byte[built.RawData.Length + 2];
built.RawData.AsSpan().CopyTo(tmp.AsSpan(1));
ext = new X509SubjectAlternativeNameExtension(tmp.AsSpan()[1..^ 1]);
private static X509Certificate2 BuildClientCertificate(X509Certificate2 serverCertificate)
{
string certificateName = $"Marionet Client {Guid.NewGuid().ToString()}";
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddUserPrincipalName("Marionet Self-Signed Certificate Generator");
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection {
new Oid("1.3.6.1.5.5.7.3.2")
}, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate = request.Create(serverCertificate, new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)), new byte[] { 2, 4, 8, 16 });
certificate.FriendlyName = certificateName;
return(certificate.CopyWithPrivateKey(rsa));
}
}
public static void MultiValue()
{
// This produces the same value as the "ComplexGetNameInfo" certificate/test suite.
// Subject Alternative Names:
// DNS Name=dns1.subject.example.org
// DNS Name=dns2.subject.example.org
// RFC822 [email protected]
// RFC822 [email protected]
// Other Name:
// Principal [email protected]
// Other Name:
// Principal [email protected]
// URL=http://uri1.subject.example.org/
// URL=http://uri2.subject.example.org/
const string expectedHex =
"3081F88218646E73312E7375626A6563742E6578616D706C652E6F7267821864" +
"6E73322E7375626A6563742E6578616D706C652E6F7267811573616E656D6169" +
"6C31406578616D706C652E6F7267811573616E656D61696C32406578616D706C" +
"652E6F7267A027060A2B060104018237140203A0190C177375626A6563747570" +
"6E31406578616D706C652E6F7267A027060A2B060104018237140203A0190C17" +
"7375626A65637475706E32406578616D706C652E6F72678620687474703A2F2F" +
"757269312E7375626A6563742E6578616D706C652E6F72672F8620687474703A" +
"2F2F757269322E7375626A6563742E6578616D706C652E6F72672F";
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddDnsName("dns1.subject.example.org");
builder.AddDnsName("dns2.subject.example.org");
builder.AddEmailAddress("*****@*****.**");
builder.AddEmailAddress("*****@*****.**");
builder.AddUserPrincipalName("*****@*****.**");
builder.AddUserPrincipalName("*****@*****.**");
builder.AddUri(new Uri("http://uri1.subject.example.org/"));
builder.AddUri(new Uri("http://uri2.subject.example.org/"));
X509Extension extension = builder.Build();
Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
Assert.Equal(
expectedHex,
extension.RawData.ByteArrayToHex());
}
public static void SingleValue_Upn()
{
SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();
builder.AddUserPrincipalName("*****@*****.**");
X509Extension extension = builder.Build();
Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
Assert.Equal(
"3022A020060A2B060104018237140203A0120C1075736572406578616D706C652E6F7267",
extension.RawData.ByteArrayToHex());
}
public void SetUp()
{
SetUpProvider();
_context = new DefaultHttpContext();
X509Certificate2 certificate;
using (RSA rsa = RSA.Create())
{
var certReq = new CertificateRequest("CN=eventstoredb-node", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddEmailAddress("*****@*****.**");
sanBuilder.AddUserPrincipalName("*****@*****.**");
sanBuilder.AddUri(new Uri("http://localhost"));
certReq.CertificateExtensions.Add(sanBuilder.Build());
certificate = certReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddMonths(-1), DateTimeOffset.UtcNow.AddMonths(1));
}
_context.Connection.ClientCertificate = certificate;
_authenticateResult = _provider.Authenticate(_context, out _authenticateRequest);
}
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName)
{
foreach (var dnsName in subjectAlternativeName.DnsName)
{
if (UriHostNameType.Unknown == Uri.CheckHostName(dnsName))
{
throw new ArgumentException("Must be a valid DNS name", nameof(dnsName));
}
}
var sanBuilder = new SubjectAlternativeNameBuilder();
foreach (var dnsName in subjectAlternativeName.DnsName)
{
sanBuilder.AddDnsName(dnsName);
}
if (!string.IsNullOrEmpty(subjectAlternativeName.Email))
{
sanBuilder.AddEmailAddress(subjectAlternativeName.Email);
}
if (subjectAlternativeName.IpAddress != null)
{
sanBuilder.AddIpAddress(subjectAlternativeName.IpAddress);
}
if (!string.IsNullOrEmpty(subjectAlternativeName.UserPrincipalName))
{
sanBuilder.AddUserPrincipalName(subjectAlternativeName.UserPrincipalName);
}
if (subjectAlternativeName.Uri != null)
{
sanBuilder.AddUri(subjectAlternativeName.Uri);
}
var sanExtension = sanBuilder.Build();
request.CertificateExtensions.Add(sanExtension);
}
public async Task <IActionResult> Register([FromBody] RegisterDto model)
{
IActionResult actionResult = NoContent();
try
{
if (_options.CACertificate == null && model.TLS)
{
actionResult = BadRequest(new { code = -1, msg = "There is no root certificate, please initialize the server first" });
}
else
{
var user = new IdentityUser
{
UserName = model.UserName,
Email = model.Email
};
var result = await _userManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
await _signInManager.SignInAsync(user, false);
await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.GivenName, model.ClientId));
await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Email, model.Email));
int _StoreCertPem = 0;
if (model.TLS)
{
SubjectAlternativeNameBuilder altNames = new SubjectAlternativeNameBuilder();
altNames.AddDnsName(model.ClientId);
altNames.AddEmailAddress(model.Email);
altNames.AddUserPrincipalName(model.UserName);
altNames.AddUri(new Uri($"mqtt://{_options.BrokerCertificate.GetNameInfo(X509NameType.DnsName, false)}:{_options.SSLPort}"));
string name = $"CN={model.ClientId},C=CN, O={_options.BrokerCertificate.GetNameInfo(X509NameType.SimpleName, false)},OU={model.ClientId}";
var tlsclient = _options.CACertificate.CreateTlsClientRSA(name, altNames);
tlsclient.SavePem(out string x509CRT, out string x509Key);
_context.StoreCertPem.Add(new StoreCertPem()
{
Id = user.Id,
ClientCert = x509CRT,
ClientKey = x509Key
});
_StoreCertPem = _context.SaveChanges();
await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Thumbprint, tlsclient.Thumbprint));
}
actionResult = Ok(new { code = 0, msg = "OK", data = GenerateJwtToken(model.UserName, user), model.TLS, StoreTLS = _StoreCertPem > 0 });
}
else
{
var msg = from e in result.Errors select $"{e.Code}:{e.Description}\r\n";
actionResult = BadRequest(new { code = -3, msg = string.Join(';', msg.ToArray()) });
}
}
}
catch (Exception ex)
{
actionResult = BadRequest(new { code = -2, msg = ex.Message, data = ex });
_logger.LogError(ex, ex.Message);
}
return(actionResult);
}