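        /// <summary>
        /// Builds a CRL with two revoked entries and two extensions, signs it with the
        /// issuer certificate's RSA key, re-parses it from the raw DER and checks that
        /// content and signature survive the round trip.
        /// </summary>
        /// <param name="keyHashPair">Supplies the hash algorithm used for the CRL signature.</param>
        public void CrlBuilderTest(KeyHashPair keyHashPair)
        {
            // Read the clock once so ThisUpdate and NextUpdate cannot straddle a UTC midnight.
            DateTime thisUpdate = DateTime.UtcNow.Date;
            var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
                             .SetThisUpdate(thisUpdate)
                             .SetNextUpdate(thisUpdate.AddDays(30));

            // One entry given as raw serial bytes, one as a serial string; both forms
            // must come back unchanged after DER encoding. NOTE(review): the byte order
            // of the raw serial was left as an open question by the original author and
            // is not pinned down by these assertions.
            byte[] serial = new byte[] { 4, 5, 6, 7 };
            crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serial));

            string serstring = "123456789101";
            crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serstring));

            crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
            crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));

            // Decode from RawData so the assertions exercise the parser rather than the builder's own state.
            var i509Crl = crlBuilder.CreateForRSA(m_issuerCert);
            X509CRL x509Crl = new X509CRL(i509Crl.RawData);

            Assert.NotNull(x509Crl);
            Assert.NotNull(x509Crl.CrlExtensions);
            Assert.NotNull(x509Crl.RevokedCertificates);
            Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
            Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
            Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);
            Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
            Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
            Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
            Assert.AreEqual(2, x509Crl.CrlExtensions.Count);

            // Verify with a public-key-only copy of the issuer (RawData carries no private key);
            // the copy is an X509Certificate2 and therefore disposed after use.
            using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData))
            {
                Assert.True(x509Crl.VerifySignature(issuerPubKey, true));
            }
        }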
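        /// <summary>
        /// Builds the same CRL content as the plain builder test, but signs it through an
        /// explicit <see cref="X509SignatureGenerator"/> created from the issuer's RSA
        /// private key with PKCS#1 padding, then re-parses and checks the result.
        /// </summary>
        /// <param name="keyHashPair">Supplies the hash algorithm used for the CRL signature.</param>
        public void CrlBuilderTestWithSignatureGenerator(KeyHashPair keyHashPair)
        {
            // Read the clock once so ThisUpdate and NextUpdate cannot straddle a UTC midnight.
            DateTime thisUpdate = DateTime.UtcNow.Date;
            var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
                             .SetThisUpdate(thisUpdate)
                             .SetNextUpdate(thisUpdate.AddDays(30));

            // One entry given as raw serial bytes, one as a serial string. NOTE(review): the byte
            // order of the raw serial was left as an open question by the original author.
            byte[] serial = new byte[] { 4, 5, 6, 7 };
            crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serial));

            string serstring = "709876543210";
            crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serstring));

            crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
            crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));

            IX509CRL ix509Crl;

            // Keep the private key handle scoped to the signing call only.
            using (RSA rsa = m_issuerCert.GetRSAPrivateKey())
            {
                // GetRSAPrivateKey returns null when the certificate carries no RSA private key;
                // fail here with a clear message instead of inside CreateForRSA.
                Assert.NotNull(rsa);
                X509SignatureGenerator generator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
                ix509Crl = crlBuilder.CreateSignature(generator);
            }
            X509CRL x509Crl = new X509CRL(ix509Crl);

            Assert.NotNull(x509Crl);
            Assert.NotNull(x509Crl.CrlExtensions);
            Assert.NotNull(x509Crl.RevokedCertificates);
            Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
            Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
            Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);
            Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
            Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
            Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
            Assert.AreEqual(2, x509Crl.CrlExtensions.Count);

            // Verify with a public-key-only copy of the issuer (RawData carries no private key).
            using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData))
            {
                Assert.True(x509Crl.VerifySignature(issuerPubKey, true));
            }
        }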
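        /// <summary>
        /// For every certificate group in the key vault: requests a new key pair, revokes
        /// the issued certificate, checks the returned CRL against the issuing CA, and
        /// finally accepts and deletes the private key again.
        /// </summary>
        /// <returns>A task that completes when all groups have been exercised.</returns>
        public async Task KeyVaultNewKeyPairAndRevokeCertificateAsync()
        {
            Skip.If(!_fixture.KeyVaultInitOk);
            string[] groups = await _keyVault.GetCertificateGroupIds();

            foreach (string group in groups)
            {
                ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
                // The same request id is used for issuing, accepting and deleting the key.
                string requestId = Guid.NewGuid().ToString();
                Opc.Ua.Gds.Server.X509Certificate2KeyPair newCert = await _keyVault.NewKeyPairRequestAsync(
                    group,
                    requestId,
                    randomApp.ApplicationRecord.ApplicationUri,
                    randomApp.Subject,
                    randomApp.DomainNames.ToArray(),
                    randomApp.PrivateKeyFormat,
                    randomApp.PrivateKeyPassword
                    );

                Assert.NotNull(newCert);
                // Only the public certificate may leave the vault; the private key must not travel with it.
                Assert.False(newCert.Certificate.HasPrivateKey);
                Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newCert.Certificate.Subject));
                // An end-entity certificate issued by the CA is never self-signed.
                Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newCert.Certificate.Issuer, newCert.Certificate.Subject));

                // The copy is an X509Certificate2 and is disposed once the revocation checks are done.
                using (X509Certificate2 cert = new X509Certificate2(newCert.Certificate.RawData))
                {
                    X509CRL crl = await _keyVault.RevokeCertificateAsync(group, cert);
                    Assert.NotNull(crl);

                    X509Certificate2Collection caChain = await _keyVault.GetIssuerCACertificateChainAsync(group);
                    Assert.NotNull(caChain);
                    Assert.True(caChain.Count > 0);
                    X509Certificate2 caCert = caChain[0];
                    Assert.False(caCert.HasPrivateKey);
                    // Assert the verification result instead of discarding it, so a bad signature
                    // fails the test even if the implementation reports it by return value only.
                    Assert.True(crl.VerifySignature(caCert, true));
                    // A CRL's issuer is the CA that signed it, i.e. caCert's subject name;
                    // comparing against caCert.Issuer only coincides for a self-signed CA.
                    Assert.True(Opc.Ua.Utils.CompareDistinguishedName(crl.Issuer, caCert.Subject));
                }

                // disable and delete private key from KeyVault (requires set/delete rights)
                await _keyVault.AcceptPrivateKeyAsync(group, requestId);

                await _keyVault.DeletePrivateKeyAsync(group, requestId);
            }
        }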
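        /// <summary>
        /// Fills the certificate table from a trust list and a list of rejected certificates.
        /// </summary>
        /// <param name="trustList">Trusted/issuer certificates and CRLs; only the lists flagged in
        /// <c>SpecifiedLists</c> are read. May be null.</param>
        /// <param name="rejectedList">Certificates added with <c>Status.Rejected</c> and no CRLs. May be null.</param>
        /// <param name="deleteBeforeAdd">When true, existing rows are cleared before anything is added.</param>
        public void Initialize(TrustListDataType trustList, X509Certificate2Collection rejectedList, bool deleteBeforeAdd)
        {
            if (deleteBeforeAdd)
            {
                CertificatesTable.Rows.Clear();
            }

            if (trustList != null)
            {
                uint specified = trustList.SpecifiedLists;

                if ((specified & (uint)TrustListMasks.TrustedCertificates) != 0 && trustList.TrustedCertificates != null)
                {
                    // CRLs are only consulted when their own list is flagged as specified.
                    IEnumerable<byte[]> trustedCrls =
                        (specified & (uint)TrustListMasks.TrustedCrls) != 0 ? trustList.TrustedCrls : null;
                    AddCertificates(trustList.TrustedCertificates, Status.Trusted, trustedCrls);
                }

                if ((specified & (uint)TrustListMasks.IssuerCertificates) != 0 && trustList.IssuerCertificates != null)
                {
                    IEnumerable<byte[]> issuerCrls =
                        (specified & (uint)TrustListMasks.IssuerCrls) != 0 ? trustList.IssuerCrls : null;
                    AddCertificates(trustList.IssuerCertificates, Status.Issuer, issuerCrls);
                }
            }

            if (rejectedList != null)
            {
                foreach (X509Certificate2 certificate in rejectedList)
                {
                    AddCertificate(certificate, Status.Rejected, null);
                }
            }

            m_dataset.AcceptChanges();
            NoDataWarningLabel.Visible = CertificatesTable.Rows.Count == 0;
        }

        /// <summary>
        /// Decodes each DER certificate, attaches the CRLs it provably issued and adds it with <paramref name="status"/>.
        /// </summary>
        /// <param name="certificateList">DER-encoded certificates.</param>
        /// <param name="status">Status assigned to every certificate in the list.</param>
        /// <param name="crlList">DER-encoded CRL candidates, or null when no CRL list was specified.</param>
        private void AddCertificates(IEnumerable<byte[]> certificateList, Status status, IEnumerable<byte[]> crlList)
        {
            foreach (var certificateBytes in certificateList)
            {
                // NOTE(review): a malformed entry makes this constructor throw and aborts Initialize
                // after the table may already have been cleared; no per-entry recovery is attempted.
                // The certificate is not disposed here because it is handed to AddCertificate,
                // which presumably retains it in the table — confirm.
                var certificate = new X509Certificate2(certificateBytes);
                AddCertificate(certificate, status, CollectIssuedCrls(certificate, crlList));
            }
        }

        /// <summary>
        /// Returns the CRLs from <paramref name="crlList"/> whose issuer name matches the certificate's
        /// subject and whose signature verifies with the certificate's public key.
        /// </summary>
        /// <param name="certificate">Candidate CRL issuer.</param>
        /// <param name="crlList">DER-encoded CRLs, or null.</param>
        /// <returns>The matching CRLs; empty (never null) when none match or <paramref name="crlList"/> is null.</returns>
        private static List<X509CRL> CollectIssuedCrls(X509Certificate2 certificate, IEnumerable<byte[]> crlList)
        {
            var crls = new List<X509CRL>();

            if (crlList == null)
            {
                return crls;
            }

            foreach (var crlBytes in crlList)
            {
                X509CRL crl = new X509CRL(crlBytes);

                // A matching issuer name alone is trivially forgeable; the signature check
                // binds the CRL to this certificate's key before it is shown as belonging to it.
                if (Utils.CompareDistinguishedName(crl.Issuer, certificate.Subject) &&
                    crl.VerifySignature(certificate, false))
                {
                    crls.Add(crl);
                }
            }

            return crls;
        }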
 /// <summary>
 /// Exercises <c>X509CRL.VerifySignature</c> against the issuer certificate.
 /// The boolean result is deliberately discarded; the <c>true</c> argument presumably
 /// selects throw-on-failure — confirm against the X509CRL implementation.
 /// </summary>
 public void VerifyCRLSignature() => _ = m_x509Crl.VerifySignature(m_issuerCert, true);