Ejemplo n.º 1
        /// <summary>
        /// Checks that an RDN carrying two attributes (CN and O) is printed as one
        /// "+"-joined unit, and that the Reversed flag does not reorder inside that unit.
        /// </summary>
        public static void PrintMultiComponentRdn()
        {
            const string hex =
                "30223120300C060355040313054A616D65733010060355040A13094D6963726F" +
                "736F6674";
            const string expected = "CN=James + O=Microsoft";

            var dn = new X500DistinguishedName(hex.HexToByteArray());

            string forward = dn.Decode(X500DistinguishedNameFlags.None);
            Assert.Equal(expected, forward);

            // Reversal applies to the sequence of RDNs; the two attributes here form a
            // single RDN, so the printed order must stay the same.
            string reversed = dn.Decode(X500DistinguishedNameFlags.Reversed);
            Assert.Equal(expected, reversed);
        }
Ejemplo n.º 2
        /// <summary>
        /// Decodes a fixed issuer name with the given separator flag and checks that the
        /// four RDNs are joined by the separator belonging to that flag.
        /// </summary>
        /// <param name="format">UseCommas, UseSemicolons or UseNewLines.</param>
        /// <exception cref="InvalidOperationException">
        /// <paramref name="format"/> is not one of the three separator flags handled here.
        /// </exception>
        public static void TestDecodeFormats(X500DistinguishedNameFlags format)
        {
            // The Issuer field from the Microsoft.com test cert.
            const string issuerHex =
                "3077310B3009060355040613025553311D301B060355040A131453796D616E74" +
                "656320436F72706F726174696F6E311F301D060355040B131653796D616E7465" +
                "63205472757374204E6574776F726B312830260603550403131F53796D616E74" +
                "656320436C61737320332045562053534C204341202D204733";

            var issuer = new X500DistinguishedName(issuerHex.HexToByteArray());

            string separator;
            if (format == X500DistinguishedNameFlags.UseCommas)
            {
                separator = ", ";
            }
            else if (format == X500DistinguishedNameFlags.UseSemicolons)
            {
                separator = "; ";
            }
            else if (format == X500DistinguishedNameFlags.UseNewLines)
            {
                // The newline form is expected to use the platform line break.
                separator = Environment.NewLine;
            }
            else
            {
                throw new InvalidOperationException("No handler for format: " + format);
            }

            string expected = string.Format(
                "C=US{0}O=Symantec Corporation{0}OU=Symantec Trust Network{0}CN=Symantec Class 3 EV SSL CA - G3",
                separator);

            Assert.Equal(expected, issuer.Decode(format));
        }
Ejemplo n.º 3
        /// <summary>
        /// Checks that an attribute whose OID has no friendly name is printed with the
        /// "OID." prefix followed by the dotted value.
        /// </summary>
        public static void PrintUnknownOidRdn()
        {
            const string hex = "30183116301406052901020203130B496E76616C6964204F6964";

            var dn = new X500DistinguishedName(hex.HexToByteArray());
            string printed = dn.Decode(X500DistinguishedNameFlags.None);

            Assert.Equal("OID.1.1.1.2.2.3=Invalid Oid", printed);
        }
Ejemplo n.º 4
        /// <summary>
        /// Checks that decoding with DoNotUseQuotes yields the quoted expectation with every
        /// double-quote character removed.
        /// </summary>
        /// <param name="expectedQuoted">The text expected when quoting is enabled.</param>
        /// <param name="hexEncoded">The encoded name as a hex string.</param>
        public static void NoQuoteWhitespaceAfter(string expectedQuoted, string hexEncoded)
        {
            var dn = new X500DistinguishedName(hexEncoded.HexToByteArray());

            // The unquoted expectation is derived from the quoted one by dropping the quotes.
            string unquoted = expectedQuoted.Replace("\"", "");
            string printed = dn.Decode(X500DistinguishedNameFlags.DoNotUseQuotes);

            Assert.Equal(unquoted, printed);
        }
Ejemplo n.º 5
        /// <summary>
        /// Checks how a truncated encoding is reported by Decode.
        /// </summary>
        public static void PrintInvalidEncoding()
        {
            // DER is length-prefixed. One byte has been removed from this payload, so the
            // decoder runs out of data before the declared length and reports it as invalid.
            const string truncatedHex = "3017311530130603550403130C436F6D6D6F6E204E616D65";

            var dn = new X500DistinguishedName(truncatedHex.HexToByteArray());

            // The expected outcome is an empty string, not an exception: code that feeds
            // Decode output into a name check has to treat "" as a decoding failure.
            Assert.Equal("", dn.Decode(X500DistinguishedNameFlags.None));
        }
Ejemplo n.º 6
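        /// <summary>
        /// Renders a distinguished name on one line with its RDNs joined by commas.
        /// </summary>
        /// <param name="dn">The name to render; may be <c>null</c>.</param>
        /// <returns>
        /// The comma-joined RDNs, or <c>null</c> when <paramref name="dn"/> is <c>null</c>
        /// or Decode returns <c>null</c>.
        /// </returns>
        /// <remarks>
        /// The result is a display form. A value that itself contains a comma is still
        /// printed inside quotes, so splitting this string on ',' does not recover the RDNs;
        /// do not use it as a key for identity or authorization decisions.
        /// </remarks>
        public static string ToCommaSeparatedString(this X500DistinguishedName dn)
        {
            string decoded = dn?.Decode(X500DistinguishedNameFlags.UseNewLines);

            if (decoded == null)
            {
                return null;
            }

            // The newline form uses the platform line break, so splitting on "\r\n" alone
            // leaves the string in one piece wherever the line break is "\n".
            string[] rdns = decoded.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None);

            return string.Join(",", rdns);
        }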
Ejemplo n.º 7
        /// <summary>
        /// Builds a name from the <c>name</c> fixture with the None flag and checks which
        /// Decode flags give back <c>name</c> and which one gives <c>rname</c>.
        /// </summary>
        public void Constructor_String_Flags_Reversed()
        {
            var parsed = new X500DistinguishedName(name, X500DistinguishedNameFlags.None);

            // can't call RsaIssuer because Name is reversed from None in those cases
            Assert.AreEqual(name, parsed.Name, "Name");

            // Same order as the constructor input.
            string asNone = parsed.Decode(X500DistinguishedNameFlags.None);
            Assert.AreEqual(name, asNone, "Decode(None)");

            // Opposite order.
            string asReversed = parsed.Decode(X500DistinguishedNameFlags.Reversed);
            Assert.AreEqual(rname, asReversed, "Decode(Reversed)");

            // None of the remaining flags is expected to change the printed form of this name.
            Assert.AreEqual(name, parsed.Decode(X500DistinguishedNameFlags.DoNotUsePlusSign), "Decode(DoNotUsePlusSign)");
            Assert.AreEqual(name, parsed.Decode(X500DistinguishedNameFlags.UseCommas), "Decode(UseCommas)");
            Assert.AreEqual(name, parsed.Decode(X500DistinguishedNameFlags.UseUTF8Encoding), "Decode(UseUTF8Encoding)");
            Assert.AreEqual(name, parsed.Decode(X500DistinguishedNameFlags.UseT61Encoding), "Decode(UseT61Encoding)");
            Assert.AreEqual(name, parsed.Decode(X500DistinguishedNameFlags.ForceUTF8Encoding), "Decode(ForceUTF8Encoding)");
        }
Ejemplo n.º 8
        /// <summary>
        /// Checks the leading part of the reversed rendering of the MicrosoftDotComSubject name.
        /// </summary>
        public static void PrintComplexReversed()
        {
            const string expectedPrefix =
                "CN=www.microsoft.com, OU=MSCOM, O=Microsoft Corporation, STREET=1 Microsoft Way, " +
                "L=Redmond, S=Washington, PostalCode=98052, C=US, SERIALNUMBER=600413485, ";

            var dn = new X500DistinguishedName(MicrosoftDotComSubject.HexToByteArray());
            string printed = dn.Decode(X500DistinguishedNameFlags.Reversed);

            // Only the prefix is compared. Windows 8.1 would continue the string with some
            // unknown OIDs, but OpenSSL 1.0.1 can decode at least businessCategory (2.5.4.15),
            // and other Windows versions may do so in the future:
            //    "OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, " +
            //    "OID.1.3.6.1.4.1.311.60.2.1.3=US";
            Assert.StartsWith(expectedPrefix, printed, StringComparison.Ordinal);
        }
Ejemplo n.º 9
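        /// <summary>
        /// Computes a sort order for a container target from the number of lines in its
        /// newline-decoded distinguished name.
        /// </summary>
        /// <param name="target">The target whose <c>Target</c> string holds the DN.</param>
        /// <returns>
        /// The number of lines in the decoded DN for a container target with a non-blank DN;
        /// 0 for any other target or when the DN cannot be parsed.
        /// </returns>
        private int GetSortOrderInternal(SecurityDescriptorTarget target)
        {
            try
            {
                if (target.Type == TargetType.Container && !string.IsNullOrWhiteSpace(target.Target))
                {
                    X500DistinguishedName x500 = new X500DistinguishedName(target.Target);
                    string decoded = x500.Decode(X500DistinguishedNameFlags.UseNewLines);

                    if (decoded == null)
                    {
                        return(0);
                    }

                    // The newline form uses the platform line break; splitting on "\r\n" only
                    // would count every DN as a single component where the line break is "\n",
                    // and the ordering would silently collapse.
                    return(decoded.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None).Length);
                }
            }
            catch (Exception ex)
            {
                // NOTE(review): the raw DN string goes into the message text; if it can come
                // from an untrusted source, confirm the log sink neutralizes line breaks.
                this.logger.LogWarning(EventIDs.DNParseError, ex, $"Unable to parse DN {target.Target}. Using default sort order of 0");
            }

            return(0);
        }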
Ejemplo n.º 10
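        /// <summary>
        /// Checks the subject of a packed attestation certificate: C, O, OU and CN must each
        /// be present exactly once with a non-empty value, and OU must be exactly
        /// "Authenticator Attestation".
        /// </summary>
        /// <param name="attnCertSubj">The certificate subject as a DN string.</param>
        /// <returns>
        /// <c>true</c> when the subject meets all of the conditions above; <c>false</c> when an
        /// attribute is missing, empty, repeated, or OU has another value.
        /// </returns>
        /// <remarks>
        /// A string that cannot be parsed as a distinguished name still makes the
        /// X500DistinguishedName constructor throw, as before.
        /// </remarks>
        public static bool IsValidPackedAttnCertSubject(string attnCertSubj)
        {
            // parse the DN string using standard rules
            var subject = new X500DistinguishedName(attnCertSubj);

            // One RDN per line avoids issues with commas inside values. Quoting is turned off
            // because an empty value is otherwise printed as "" (two characters) and would
            // pass the non-empty test below.
            string decoded = subject.Decode(
                X500DistinguishedNameFlags.UseNewLines | X500DistinguishedNameFlags.DoNotUseQuotes);

            var attributes = new System.Collections.Generic.Dictionary<string, string>(StringComparer.Ordinal);

            foreach (string line in decoded.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries))
            {
                // Split at the first '=' only, so a value that contains '=' is kept whole.
                int eq = line.IndexOf('=');
                if (eq <= 0)
                {
                    return(false);
                }

                string key = line.Substring(0, eq);

                // A repeated attribute makes the subject ambiguous; reject it rather than
                // letting one of the values win.
                if (attributes.ContainsKey(key))
                {
                    return(false);
                }

                attributes.Add(key, line.Substring(eq + 1));
            }

            string country;
            string organization;
            string unit;
            string commonName;

            // A missing attribute is an invalid subject, not an exceptional condition.
            if (!attributes.TryGetValue("C", out country) ||
                !attributes.TryGetValue("O", out organization) ||
                !attributes.TryGetValue("OU", out unit) ||
                !attributes.TryGetValue("CN", out commonName))
            {
                return(false);
            }

            return(0 != country.Length &&
                   0 != organization.Length &&
                   0 != commonName.Length &&
                   "Authenticator Attestation" == unit);
        }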
Ejemplo n.º 11
        /// <summary>
        /// Builds a name from the <c>rname</c> fixture with the None flag and checks the
        /// output of Decode for each flag.
        /// </summary>
        public void Constructor_String_Flags_None()
        {
            var parsed = new X500DistinguishedName(rname, X500DistinguishedNameFlags.None);

            // can't call RsaIssuer because Name is reversed from None in those cases
            // i.e. X500DistinguishedName (string) != X500DistinguishedName (string, X500DistinguishedNameFlags)
            Assert.AreEqual(rname, parsed.Name, "Name");

            // Ordering.
            Assert.AreEqual(rname, parsed.Decode(X500DistinguishedNameFlags.None), "Decode(None)");
            Assert.AreEqual(name, parsed.Decode(X500DistinguishedNameFlags.Reversed), "Decode(Reversed)");

            // Separators and quoting. The organization value contains a comma, so it is
            // quoted unless DoNotUseQuotes is given.
            string withSemicolons = parsed.Decode(X500DistinguishedNameFlags.UseSemicolons);
            Assert.AreEqual("C=US; O=\"RSA Data Security, Inc.\"; OU=Secure Server Certification Authority", withSemicolons, "Decode(UseSemicolons)");
            Assert.AreEqual(rname, parsed.Decode(X500DistinguishedNameFlags.DoNotUsePlusSign), "Decode(DoNotUsePlusSign)");

            string withoutQuotes = parsed.Decode(X500DistinguishedNameFlags.DoNotUseQuotes);
            Assert.AreEqual("C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority", withoutQuotes, "Decode(DoNotUseQuotes)");
            Assert.AreEqual(rname, parsed.Decode(X500DistinguishedNameFlags.UseCommas), "Decode(UseCommas)");

            string expectedLines = String.Format("C=US{0}O=\"RSA Data Security, Inc.\"{0}OU=Secure Server Certification Authority", Environment.NewLine);
            Assert.AreEqual(expectedLines, parsed.Decode(X500DistinguishedNameFlags.UseNewLines), "Decode(UseNewLines)");

            // Encoding flags are not expected to change the printed form.
            Assert.AreEqual(rname, parsed.Decode(X500DistinguishedNameFlags.UseUTF8Encoding), "Decode(UseUTF8Encoding)");
            Assert.AreEqual(rname, parsed.Decode(X500DistinguishedNameFlags.UseT61Encoding), "Decode(UseT61Encoding)");
            Assert.AreEqual(rname, parsed.Decode(X500DistinguishedNameFlags.ForceUTF8Encoding), "Decode(ForceUTF8Encoding)");
        }
Ejemplo n.º 12
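        /// <summary>
        /// Checks the separator used by Decode for each separator flag and for each pair of
        /// separator flags combined.
        /// </summary>
        /// <remarks>
        /// The assertions pin this precedence: UseSemicolons wins over UseCommas and over
        /// UseNewLines, and UseCommas wins over UseNewLines.
        /// </remarks>
        public void Decode_Separators()
        {
            string semicolons        = "C=US; O=\"RSA Data Security, Inc.\"; OU=Secure Server Certification Authority";
            string newline           = String.Format("C=US{0}O=\"RSA Data Security, Inc.\"{0}OU=Secure Server Certification Authority", Environment.NewLine);
            X500DistinguishedName dn = new X500DistinguishedName(rname, X500DistinguishedNameFlags.None);

            Assert.AreEqual(rname, dn.Name, "Name");
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.None), "Decode(None)");

            // Single separator flags. The message for the semicolon case used to name the
            // combined flags, which would point at the wrong call when the assertion fails.
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.UseCommas), "Decode(UseCommas)");
            Assert.AreEqual(semicolons, dn.Decode(X500DistinguishedNameFlags.UseSemicolons), "Decode(UseSemicolons)");
            Assert.AreEqual(newline, dn.Decode(X500DistinguishedNameFlags.UseNewLines), "Decode(UseNewLines)");

            // Combined separator flags.
            Assert.AreEqual(semicolons, dn.Decode(X500DistinguishedNameFlags.UseCommas | X500DistinguishedNameFlags.UseSemicolons), "Decode(UseCommas|UseSemicolons)");
            Assert.AreEqual(semicolons, dn.Decode(X500DistinguishedNameFlags.UseNewLines | X500DistinguishedNameFlags.UseSemicolons), "Decode(UseNewLines|UseSemicolons)");
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.UseCommas | X500DistinguishedNameFlags.UseNewLines), "Decode(UseCommas|UseNewLines)");
        }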
Ejemplo n.º 13
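        /// <summary>
        /// Returns the value of the first CN attribute found in a certificate subject name.
        /// </summary>
        /// <param name="subjectName">
        /// The subject name to read; may be <c>null</c>.
        /// </param>
        /// <returns>
        /// The CN value without surrounding quotes, or an empty string when the name is
        /// <c>null</c>, has no CN, or cannot be decoded.
        /// </returns>
        /// <remarks>
        /// The name is decoded one RDN per line and each line is split at its first '='.
        /// Splitting the comma-separated form on ',' lets text inside another attribute's
        /// value (for example an O value containing ", CN=...") be returned as the common
        /// name. This is still a parse of a display string: a value with an embedded line
        /// break can span lines, so do not use the result as the sole input to an identity
        /// decision. On .NET 7 and later,
        /// <c>X500DistinguishedName.EnumerateRelativeDistinguishedNames</c> reads the
        /// attributes from the encoding itself.
        /// </remarks>
        public static string ExtractCertificateName(X500DistinguishedName subjectName)
        {
            if (subjectName == null)
            {
                return(string.Empty);
            }

            try
            {
                var decoded = subjectName.Decode(
                    X500DistinguishedNameFlags.UseUTF8Encoding |
                    X500DistinguishedNameFlags.UseNewLines |
                    X500DistinguishedNameFlags.DoNotUseQuotes);

                if (string.IsNullOrEmpty(decoded))
                {
                    return(string.Empty);
                }

                var lines = decoded.Split(new[] { "\r\n", "\n" }, System.StringSplitOptions.RemoveEmptyEntries);

                foreach (var line in lines)
                {
                    int eq = line.IndexOf('=');

                    // Only the attribute type in front of the first '=' decides the match.
                    if (eq > 0 && line.Substring(0, eq).Trim() == "CN")
                    {
                        return(line.Substring(eq + 1));
                    }
                }

                return(string.Empty);
            }
            catch
            {
                // Best effort by contract: a name that cannot be decoded yields no CN.
                return(string.Empty);
            }
        }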
Ejemplo n.º 14
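        /// <summary>
        /// Splits a distinguished name into a map from attribute type to printed value.
        /// </summary>
        /// <param name="DistinguishedName">The name to split.</param>
        /// <returns>
        /// One entry per attribute type found at the start of a decoded line. When a type
        /// occurs more than once (for example several OU components) the first occurrence in
        /// decode order is kept.
        /// </returns>
        /// <remarks>
        /// Values are the printed form and keep any quotes Decode added. Because repeated
        /// attributes are collapsed to one value, a caller that makes an access decision on
        /// an attribute that may repeat should inspect the name itself instead of this map.
        /// </remarks>
        public static Dictionary<string, string> Parse(X500DistinguishedName DistinguishedName)
        {
            string[] parts = DistinguishedName.Decode(X500DistinguishedNameFlags.UseNewLines).Split(new char[2] {
                '\r', '\n'
            });
            var dict = new Dictionary<string, string>(parts.Length);

            foreach (string str in parts)
            {
                if (string.IsNullOrWhiteSpace(str))
                {
                    continue;
                }

                int indexOfEq = str.IndexOf('=');

                // A line without '=' is not an attribute; Substring(0, -1) would throw.
                if (indexOfEq < 0)
                {
                    continue;
                }

                string key = str.Substring(0, indexOfEq);

                // Add() throws on a repeated key, which made every name with two
                // components of the same type unparseable.
                if (!dict.ContainsKey(key))
                {
                    dict.Add(key, str.Substring(indexOfEq + 1));
                }
            }
            return(dict);
        }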
Ejemplo n.º 15
        /// <summary>
        /// Shared assertions for a name equal to the RSA issuer fixture: its Name, its raw
        /// length, and the output of Decode and Format.
        /// </summary>
        /// <param name="dn">The name under test.</param>
        private void RsaIssuer(X500DistinguishedName dn)
        {
            // Identity of the instance.
            Assert.AreEqual(name, dn.Name, "Name");
            Assert.AreEqual(97, dn.RawData.Length, "RawData");

            // Ordering: for this instance None prints rname and Reversed prints name.
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.None), "Decode(None)");
            Assert.AreEqual(name, dn.Decode(X500DistinguishedNameFlags.Reversed), "Decode(Reversed)");

            // Separators and quoting.
            string withSemicolons = dn.Decode(X500DistinguishedNameFlags.UseSemicolons);
            Assert.AreEqual("C=US; O=\"RSA Data Security, Inc.\"; OU=Secure Server Certification Authority", withSemicolons, "Decode(UseSemicolons)");
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.DoNotUsePlusSign), "Decode(DoNotUsePlusSign)");

            string withoutQuotes = dn.Decode(X500DistinguishedNameFlags.DoNotUseQuotes);
            Assert.AreEqual("C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority", withoutQuotes, "Decode(DoNotUseQuotes)");
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.UseCommas), "Decode(UseCommas)");

            string expectedLines = String.Format("C=US{0}O=\"RSA Data Security, Inc.\"{0}OU=Secure Server Certification Authority", Environment.NewLine);
            Assert.AreEqual(expectedLines, dn.Decode(X500DistinguishedNameFlags.UseNewLines), "Decode(UseNewLines)");

            // Encoding flags.
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.UseUTF8Encoding), "Decode(UseUTF8Encoding)");
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.UseT61Encoding), "Decode(UseT61Encoding)");
            Assert.AreEqual(rname, dn.Decode(X500DistinguishedNameFlags.ForceUTF8Encoding), "Decode(ForceUTF8Encoding)");

            // Format(true) is the multi-line form followed by one more line break.
            Assert.AreEqual(expectedLines + Environment.NewLine, dn.Format(true), "Format(true)");
            Assert.AreEqual(rname, dn.Format(false), "Format(false)");
        }
Ejemplo n.º 16
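        /// <summary>
        /// Returns the values of every RDN of the given attribute type, in reversed decode order.
        /// </summary>
        /// <param name="distinguishedName">The name to read.</param>
        /// <param name="rdn">
        /// The attribute type, for example "CN" or "O". A trailing '=' is accepted. An empty
        /// string selects every component, as before.
        /// </param>
        /// <returns>
        /// The matching values, or <c>null</c> when Decode returns <c>null</c>.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="rdn"/> is <c>null</c>.</exception>
        /// <remarks>
        /// The attribute type is compared as a whole. A prefix comparison returns OU values
        /// for "O" and CN values for "C", which hands a caller the wrong attribute.
        /// </remarks>
        public static List<string> GetRdns(this X500DistinguishedName distinguishedName, string rdn)
        {
            var decodedString = distinguishedName.Decode(X500DistinguishedNameFlags.UseNewLines | X500DistinguishedNameFlags.Reversed);

            if (decodedString == null)
            {
                return(null);
            }

            if (rdn == null)
            {
                throw new ArgumentNullException(nameof(rdn));
            }

            // Callers written against the prefix match may pass "CN=".
            string wantedType = rdn.TrimEnd('=');
            bool matchAll = wantedType.Length == 0;

            List<string> values = new List<string>();
            string[] parts = decodedString.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None);

            foreach (var part in parts)
            {
                int eq = part.IndexOf('=');
                if (eq < 0)
                {
                    continue;
                }

                string type = part.Substring(0, eq);
                if (matchAll || string.Equals(type, wantedType, StringComparison.OrdinalIgnoreCase))
                {
                    // Everything after the first '=' is the value, including any later '='.
                    values.Add(part.Substring(eq + 1));
                }
            }
            return(values);
        }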
Ejemplo n.º 17
        /// <summary>
        /// Decodes a fixed issuer name with one separator flag and compares the result with
        /// the four RDNs joined by that flag's separator.
        /// </summary>
        /// <param name="format">UseCommas, UseSemicolons or UseNewLines.</param>
        /// <exception cref="InvalidOperationException">
        /// <paramref name="format"/> is any other value.
        /// </exception>
        public static void TestDecodeFormats(X500DistinguishedNameFlags format)
        {
            // The Issuer field from the Microsoft.com test cert.
            byte[] issuerBytes = (
                "3077310B3009060355040613025553311D301B060355040A131453796D616E74" +
                "656320436F72706F726174696F6E311F301D060355040B131653796D616E7465" +
                "63205472757374204E6574776F726B312830260603550403131F53796D616E74" +
                "656320436C61737320332045562053534C204341202D204733").HexToByteArray();

            var issuer = new X500DistinguishedName(issuerBytes);

            // Map the flag to its separator; null marks a flag this test does not handle.
            string delimiter = null;

            if (format == X500DistinguishedNameFlags.UseCommas)
            {
                delimiter = ", ";
            }
            else if (format == X500DistinguishedNameFlags.UseSemicolons)
            {
                delimiter = "; ";
            }
            else if (format == X500DistinguishedNameFlags.UseNewLines)
            {
                delimiter = Environment.NewLine;
            }

            if (delimiter == null)
            {
                throw new InvalidOperationException("No handler for format: " + format);
            }

            string expected = string.Format(
                "C=US{0}O=Symantec Corporation{0}OU=Symantec Trust Network{0}CN=Symantec Class 3 EV SSL CA - G3",
                delimiter);

            string actual = issuer.Decode(format);

            Assert.Equal(expected, actual);
        }
Ejemplo n.º 18
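        /// <summary>
        /// Extract the Serial Number (OID 2.5.4.5) from a X500 Distinguished Name (DN).
        /// </summary>
        /// <param name="dn">The distinguished name to read.</param>
        /// <returns>
        /// If DN contains exactly one Serial Number attribute, return its value.
        /// If DN does not contain Serial Number, return <c>null</c>.
        /// If DN contains multiple Serial Number, return the first value, in the order in ASN1 encoding.
        /// </returns>
        /// <remarks>
        /// Only a line whose attribute type is the Serial Number name is accepted. Searching
        /// the whole decoded string for that name also finds it inside the value of another
        /// attribute, so a crafted CN could supply the serial number. Two limits remain
        /// because this reads the display form: a Serial Number that is not the first
        /// attribute of a multi-valued RDN is not found, and a value with an embedded line
        /// break can span lines. On .NET 7 and later,
        /// <c>X500DistinguishedName.EnumerateRelativeDistinguishedNames</c> reads the
        /// attributes from the encoding itself.
        /// </remarks>
        public static string ExtractFirstSnFromDn(X500DistinguishedName dn)
        {
            string snName = new Oid("2.5.4.5").FriendlyName;

            // Without a friendly name there is nothing to look for in the printed form.
            if (string.IsNullOrEmpty(snName))
            {
                return(null);
            }

            string dnMultiLine = dn.Decode(X500DistinguishedNameFlags.UseNewLines);
            string[] lines = dnMultiLine.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None);

            foreach (string line in lines)
            {
                int iEq = line.IndexOf('=');

                // Ordinal comparison of the whole attribute type, not a culture-sensitive
                // substring search.
                if (iEq == snName.Length && string.CompareOrdinal(line, 0, snName, 0, iEq) == 0)
                {
                    return(line.Substring(iEq + 1));
                }
            }

            return(null);
        }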
Ejemplo n.º 19
        //
        // Opens the certificate store identified by name and storeLocation and returns the
        // certificates selected by value.
        //
        // prop is only used in the error text when the store cannot be opened. name is first
        // tried as a StoreName enumerator (case-insensitive) and, if that fails, as a custom
        // store name. value is either "*" or a list of key:value pairs; each pair narrows the
        // current result further.
        //
        // Throws Ice.PluginInitializationException when the store cannot be opened or value
        // is malformed (no key, unknown key, missing argument, unmatched quote).
        //
        // NOTE(review): selection is not validation. Every query runs with validOnly = false,
        // so expired or otherwise invalid certificates can be returned; the caller is
        // presumably expected to validate what it gets - confirm.
        //
        private static X509Certificate2Collection findCertificates(string prop, StoreLocation storeLocation,
                                                                   string name, string value)
        {
            //
            // Open the X509 certificate store.
            //
            X509Store store = null;

            try
            {
                try
                {
                    store = new X509Store((StoreName)Enum.Parse(typeof(StoreName), name, true), storeLocation);
                }
                catch (ArgumentException)
                {
                    // Not a StoreName enumerator: treat the name as a custom store name.
                    store = new X509Store(name, storeLocation);
                }
                store.Open(OpenFlags.ReadOnly);
            }
            catch (Exception ex)
            {
                Ice.PluginInitializationException e = new Ice.PluginInitializationException(ex);
                e.reason = "IceSSL: failure while opening store specified by " + prop;
                throw e;
            }

            //
            // Start with all of the certificates in the collection and filter as necessary.
            //
            // - If the value is "*", return all certificates.
            // - Otherwise, search using key:value pairs. The following keys are supported:
            //
            //   Issuer
            //   IssuerDN
            //   Serial
            //   Subject
            //   SubjectDN
            //   SubjectKeyId
            //   Thumbprint
            //
            //   A value must be enclosed in single or double quotes if it contains whitespace.
            //
            X509Certificate2Collection result = new X509Certificate2Collection();

            // This copy runs before the try/finally below, so an exception thrown here
            // leaves the store open.
            result.AddRange(store.Certificates);
            try
            {
                if (value != "*")
                {
                    if (value.IndexOf(':') == -1)
                    {
                        Ice.PluginInitializationException e = new Ice.PluginInitializationException();
                        e.reason = "IceSSL: no key in `" + value + "'";
                        throw e;
                    }
                    int start = 0;
                    int pos;
                    // One iteration per key:value pair; start is the scan position in value.
                    while ((pos = value.IndexOf(':', start)) != -1)
                    {
                        //
                        // Parse the X509FindType.
                        //
                        // Keys are matched case-insensitively by upper-casing the text before ':'.
                        string       field = value.Substring(start, pos - start).Trim().ToUpperInvariant();
                        X509FindType findType;
                        if (field.Equals("SUBJECT"))
                        {
                            findType = X509FindType.FindBySubjectName;
                        }
                        else if (field.Equals("SUBJECTDN"))
                        {
                            findType = X509FindType.FindBySubjectDistinguishedName;
                        }
                        else if (field.Equals("ISSUER"))
                        {
                            findType = X509FindType.FindByIssuerName;
                        }
                        else if (field.Equals("ISSUERDN"))
                        {
                            findType = X509FindType.FindByIssuerDistinguishedName;
                        }
                        else if (field.Equals("THUMBPRINT"))
                        {
                            findType = X509FindType.FindByThumbprint;
                        }
                        else if (field.Equals("SUBJECTKEYID"))
                        {
                            findType = X509FindType.FindBySubjectKeyIdentifier;
                        }
                        else if (field.Equals("SERIAL"))
                        {
                            findType = X509FindType.FindBySerialNumber;
                        }
                        else
                        {
                            Ice.PluginInitializationException e = new Ice.PluginInitializationException();
                            e.reason = "IceSSL: unknown key in `" + value + "'";
                            throw e;
                        }

                        //
                        // Parse the argument.
                        //
                        // Skip spaces and tabs between ':' and the argument.
                        start = pos + 1;
                        while (start < value.Length && (value[start] == ' ' || value[start] == '\t'))
                        {
                            ++start;
                        }
                        if (start == value.Length)
                        {
                            Ice.PluginInitializationException e = new Ice.PluginInitializationException();
                            e.reason = "IceSSL: missing argument in `" + value + "'";
                            throw e;
                        }

                        string arg;
                        if (value[start] == '"' || value[start] == '\'')
                        {
                            // Quoted argument: scan for the matching quote character. A quote
                            // preceded by a backslash does not end the argument; the backslash
                            // itself stays in arg because the text is taken verbatim below.
                            int end = start;
                            ++end;
                            while (end < value.Length)
                            {
                                if (value[end] == value[start] && value[end - 1] != '\\')
                                {
                                    break;
                                }
                                ++end;
                            }
                            if (end == value.Length || value[end] != value[start])
                            {
                                Ice.PluginInitializationException e = new Ice.PluginInitializationException();
                                e.reason = "IceSSL: unmatched quote in `" + value + "'";
                                throw e;
                            }
                            ++start;
                            arg   = value.Substring(start, end - start);
                            start = end + 1;
                        }
                        else
                        {
                            // Unquoted argument: it runs to the next space or tab, or to the
                            // end of value.
                            char[] ws  = new char[] { ' ', '\t' };
                            int    end = value.IndexOfAny(ws, start);
                            if (end == -1)
                            {
                                arg   = value.Substring(start);
                                start = value.Length;
                            }
                            else
                            {
                                arg   = value.Substring(start, end - start);
                                start = end + 1;
                            }
                        }

                        //
                        // Execute the query.
                        //
                        // TODO: allow user to specify a value for validOnly?
                        //
                        // With validOnly false, Find does not filter out invalid certificates.
                        bool validOnly = false;
                        if (findType == X509FindType.FindBySubjectDistinguishedName ||
                            findType == X509FindType.FindByIssuerDistinguishedName)
                        {
                            // The configured DN is parsed and printed back in both RDN orders;
                            // the first order that matches at least one certificate is used.
                            // If neither matches, result becomes the empty collection from
                            // the last attempt.
                            X500DistinguishedNameFlags[] flags =
                            {
                                X500DistinguishedNameFlags.None,
                                X500DistinguishedNameFlags.Reversed,
                            };
                            X500DistinguishedName      dn = new X500DistinguishedName(arg);
                            X509Certificate2Collection r  = result;
                            for (int i = 0; i < flags.Length; ++i)
                            {
                                r = result.Find(findType, dn.Decode(flags[i]), validOnly);
                                if (r.Count > 0)
                                {
                                    break;
                                }
                            }
                            result = r;
                        }
                        else
                        {
                            result = result.Find(findType, arg, validOnly);
                        }
                    }
                }
            }
            finally
            {
                store.Close();
            }

            return(result);
        }
Ejemplo n.º 20
        /// <summary>
        /// Checks that "ST" is accepted as the state attribute when parsing and is printed
        /// back as "S", with the RDN order reversed relative to the input string.
        /// </summary>
        public static void NameWithSTIdentifierForState()
        {
            const string input = "ST=VA, C=US";

            var dn = new X500DistinguishedName(input);
            string printed = dn.Decode(X500DistinguishedNameFlags.None);

            Assert.Equal("C=US, S=VA", printed);
        }
Ejemplo n.º 21
        /// <summary>
        /// Checks that the three TPM attribute OIDs are printed with their friendly names
        /// after a round trip through the encoded form, and that an empty value is printed
        /// as a pair of quotes.
        /// </summary>
        public static void TpmIdentifiers()
        {
            // On Windows the X.500 name pretty printer is in crypt32, so it doesn't use our OidLookup.
            // Windows 7 doesn't have the TPM OIDs mapped, so they come back as (e.g.) OID.2.23.133.2.3 still.
            //
            // The body is skipped there.
            if (!PlatformDetection.IsWindows7)
            {
                var fromText = new X500DistinguishedName("OID.2.23.133.2.3=id:0020065,OID.2.23.133.2.2=,OID.2.23.133.2.1=id:564D5700");

                // Re-create the name from its bytes so the printed form comes from decoding.
                var fromBytes = new X500DistinguishedName(fromText.RawData);
                string printed = fromBytes.Decode(X500DistinguishedNameFlags.None);

                Assert.Equal("TPMManufacturer=id:564D5700, TPMModel=\"\", TPMVersion=id:0020065", printed);
            }
        }
Ejemplo n.º 22
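        /// <summary>
        /// Compares two distinguished name strings after parsing and re-printing both.
        /// </summary>
        /// <param name="dn1">The first DN string.</param>
        /// <param name="dn2">The second DN string.</param>
        /// <returns>
        /// <c>true</c> when both strings parse and their printed forms are equal ignoring
        /// case; <c>false</c> otherwise, including when either string cannot be parsed.
        /// </returns>
        /// <remarks>
        /// The comparison is ordinal. A culture-sensitive comparison treats some distinct
        /// strings as equal (for example it can ignore characters such as the soft hyphen),
        /// which is not acceptable when the result decides whether two identities match.
        /// </remarks>
        public static bool IsDnMatch(string dn1, string dn2)
        {
            try
            {
                X500DistinguishedName x1 = new X500DistinguishedName(dn1);
                X500DistinguishedName x2 = new X500DistinguishedName(dn2);

                string printed1 = x1.Decode(X500DistinguishedNameFlags.UseUTF8Encoding);
                string printed2 = x2.Decode(X500DistinguishedNameFlags.UseUTF8Encoding);

                return(string.Equals(printed1, printed2, StringComparison.OrdinalIgnoreCase));
            }
            catch
            {
                // Fail closed: a name that cannot be parsed never matches.
                return(false);
            }
        }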
Ejemplo n.º 23
 /// <summary>
 /// Checks the default (quoting enabled) rendering of an encoded name.
 /// </summary>
 /// <param name="expected">The expected printed form.</param>
 /// <param name="hexEncoded">The encoded name as a hex string.</param>
 public static void QuoteByContents(string expected, string hexEncoded)
 {
     var dn = new X500DistinguishedName(hexEncoded.HexToByteArray());
     string printed = dn.Decode(X500DistinguishedNameFlags.None);

     Assert.Equal(expected, printed);
 }
Ejemplo n.º 24
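 /// <summary>
 /// Finds the entry of TheRootCertificates whose subject prints the same as the given name.
 /// </summary>
 /// <param name="subjectDn">The subject name to look for.</param>
 /// <returns>The first certificate whose printed subject matches, ignoring case.</returns>
 /// <exception cref="ArgumentException">No entry has a matching subject.</exception>
 /// <remarks>
 /// The comparison is ordinal and case-insensitive. Lower-casing both sides with the
 /// current culture gives culture-dependent results (for example the Turkish dotted and
 /// dotless i), so the same lookup could succeed on one machine and fail on another.
 /// A subject match only selects a candidate; it says nothing about signatures or chain.
 /// </remarks>
 public static X509Certificate2 LookupCertificateBySubjectDn(X500DistinguishedName subjectDn)
 {
     // Decode the requested name once instead of once per entry.
     string wanted = subjectDn.Decode(X500DistinguishedNameFlags.None);

     foreach (var entry in TheRootCertificates)
     {
         string candidate = entry.Value.SubjectName.Decode(X500DistinguishedNameFlags.None);

         if (string.Equals(candidate, wanted, StringComparison.OrdinalIgnoreCase))
         {
             return(entry.Value);
         }
     }
     throw new ArgumentException("No certificate for subjectDn: " + subjectDn.Format(false));
 }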
Ejemplo n.º 25
        /// <summary>
        /// Checks the trailing part of the default (non-reversed) rendering of the
        /// MicrosoftDotComSubject name.
        /// </summary>
        public static void PrintComplexForwards()
        {
            const string expectedSuffix =
                ", SERIALNUMBER=600413485, C=US, PostalCode=98052, S=Washington, L=Redmond, " +
                "STREET=1 Microsoft Way, O=Microsoft Corporation, OU=MSCOM, CN=www.microsoft.com";

            var dn = new X500DistinguishedName(MicrosoftDotComSubject.HexToByteArray());
            string printed = dn.Decode(X500DistinguishedNameFlags.None);

            // Only the end of the string is compared; whatever precedes it is not checked here.
            Assert.EndsWith(expectedSuffix, printed, StringComparison.Ordinal);
        }
Ejemplo n.º 26
        /// <summary>
        /// Checks that the reversed rendering of the MicrosoftDotComSubject name begins with
        /// the attributes every platform is expected to print by friendly name.
        /// </summary>
        public static void PrintComplexReversed()
        {
            var subject = new X500DistinguishedName(MicrosoftDotComSubject.HexToByteArray());

            const string wellKnownPart =
                "CN=www.microsoft.com, OU=MSCOM, O=Microsoft Corporation, STREET=1 Microsoft Way, " +
                "L=Redmond, S=Washington, PostalCode=98052, C=US, SERIALNUMBER=600413485, ";

            // Windows 8.1 would continue the string with some unknown OIDs, but OpenSSL 1.0.1 can decode
            // at least businessCategory (2.5.4.15), and other Windows versions may do so in the future.
            // The remainder is therefore left unchecked:
            //    "OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, " +
            //    "OID.1.3.6.1.4.1.311.60.2.1.3=US";

            Assert.StartsWith(wellKnownPart, subject.Decode(X500DistinguishedNameFlags.Reversed), StringComparison.Ordinal);
        }
Ejemplo n.º 27
        /// <summary>
        /// Checks the rendering of an encoded name when quoting is disabled.
        /// </summary>
        /// <param name="quoted">The quoted form; not read by this method.</param>
        /// <param name="notQuoted">The expected form with DoNotUseQuotes.</param>
        /// <param name="hexEncoded">The encoded name as a hex string.</param>
        public static void NotQuotedWithQuotes(string quoted, string notQuoted, string hexEncoded)
        {
            var dn = new X500DistinguishedName(hexEncoded.HexToByteArray());
            string printed = dn.Decode(X500DistinguishedNameFlags.DoNotUseQuotes);

            Assert.Equal(notQuoted, printed);
        }