public void VerifyX509SubjectAlternateNameExtension()
{
string applicationUri = "urn:opcfoundation.org";
string[] domainNames = { "mypc.mydomain.com", "192.168.100.100", "1234:5678::1" };
TestContext.Out.WriteLine("Encoded:");
var san = new X509SubjectAltNameExtension(applicationUri, domainNames);
TestContext.Out.WriteLine(san.Format(true));
var decodedsan = new X509SubjectAltNameExtension(san.Oid.Value, san.RawData, san.Critical);
Assert.NotNull(decodedsan);
TestContext.Out.WriteLine("Decoded:");
TestContext.Out.WriteLine(decodedsan.Format(true));
Assert.NotNull(decodedsan.DomainNames);
Assert.NotNull(decodedsan.IPAddresses);
Assert.NotNull(decodedsan.Uris);
Assert.AreEqual(1, decodedsan.Uris.Count);
Assert.AreEqual(1, decodedsan.DomainNames.Count);
Assert.AreEqual(2, decodedsan.IPAddresses.Count);
Assert.AreEqual(decodedsan.Oid.Value, san.Oid.Value);
Assert.AreEqual(decodedsan.Critical, san.Critical);
Assert.AreEqual(applicationUri, decodedsan.Uris[0]);
Assert.AreEqual(domainNames[0], decodedsan.DomainNames[0]);
Assert.AreEqual(domainNames[1], decodedsan.IPAddresses[0]);
Assert.AreEqual(domainNames[2], decodedsan.IPAddresses[1]);
}
protected X509SubjectAltNameExtension GetAltNameExtensionFromCSRInfo(Org.BouncyCastle.Asn1.Pkcs.CertificationRequestInfo info)
{
try
{
for (int i = 0; i < info.Attributes.Count; i++)
{
var sequence = Org.BouncyCastle.Asn1.Asn1Sequence.GetInstance(info.Attributes[i].ToAsn1Object());
var oid = Org.BouncyCastle.Asn1.DerObjectIdentifier.GetInstance(sequence[0].ToAsn1Object());
if (oid.Equals(Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
var extensionInstance = Org.BouncyCastle.Asn1.DerSet.GetInstance(sequence[1]);
var extensionSequence = Org.BouncyCastle.Asn1.Asn1Sequence.GetInstance(extensionInstance[0]);
var extensions = Org.BouncyCastle.Asn1.X509.X509Extensions.GetInstance(extensionSequence);
Org.BouncyCastle.Asn1.X509.X509Extension extension = extensions.GetExtension(Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectAlternativeName);
var asnEncodedAltNameExtension = new System.Security.Cryptography.AsnEncodedData(Org.BouncyCastle.Asn1.X509.X509Extensions.SubjectAlternativeName.ToString(), extension.Value.GetOctets());
var altNameExtension = new X509SubjectAltNameExtension(asnEncodedAltNameExtension, extension.IsCritical);
return(altNameExtension);
}
}
}
catch
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "CSR altNameExtension invalid.");
}
return(null);
}
/// <summary>
/// Get alt name extension from info
/// </summary>
/// <param name="info"></param>
/// <returns></returns>
public static X509SubjectAltNameExtension GetSubjectAltNameExtension(
this CertificationRequestInfo info)
{
try {
foreach (Asn1Encodable attribute in info.Attributes)
{
var sequence = Asn1Sequence.GetInstance(attribute.ToAsn1Object());
var oid = DerObjectIdentifier.GetInstance(sequence[0].ToAsn1Object());
if (oid.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
{
var extensionInstance = Asn1Set.GetInstance(sequence[1]);
var extensionSequence = Asn1Sequence.GetInstance(extensionInstance[0]);
var extensions = X509Extensions.GetInstance(extensionSequence);
var extension = extensions.GetExtension(X509Extensions.SubjectAlternativeName);
var asnEncodedAltNameExtension = new AsnEncodedData(
X509Extensions.SubjectAlternativeName.ToString(),
extension.Value.GetOctets());
var altNameExtension = new X509SubjectAltNameExtension(
asnEncodedAltNameExtension, extension.IsCritical);
return(altNameExtension);
}
}
}
catch (Exception ex) {
throw new ArgumentException("CSR altNameExtension invalid.", ex);
}
return(null);
}
public static void VerifyCACert(string subject, X509Certificate2 cert)
{
Assert.NotNull(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(Utils.CompareDistinguishedName(subject, cert.Subject));
Assert.True(Utils.CompareDistinguishedName(subject, cert.Issuer));
// test basic constraints
var constraints = FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.True(constraints.CertificateAuthority);
Assert.True(constraints.HasPathLengthConstraint);
// key usage
var keyUsage = FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == X509KeyUsageFlags.CrlSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == 0);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.Null(enhancedKeyUsage);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(cert);
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = FindExtension <X509SubjectKeyIdentifierExtension>(cert);
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.AreEqual(cert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = FindSubjectAltName(cert);
Assert.Null(subjectAlternateName);
}
private string GetApplicationUriFromCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
// extract the alternate domains from the subject alternate name extension.
X509SubjectAltNameExtension alternateName = null;
foreach (System.Security.Cryptography.X509Certificates.X509Extension extension in certificate.Extensions)
{
if (extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltNameOid || extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltName2Oid)
{
alternateName = new X509SubjectAltNameExtension(extension, extension.Critical);
break;
}
}
// get the application uri.
if (alternateName != null && alternateName.Uris.Count > 0)
{
return(alternateName.Uris[0]);
}
return(string.Empty);
}
/// <summary>
/// Displays the properties of a certificate.
/// </summary>
internal void Initialize(X509Certificate2 certificate)
{
ItemsLV.Items.Clear();
if (certificate == null)
{
Instructions = "No certificate properties to display";
AdjustColumns();
return;
}
AddItem(new FieldInfo("Version", certificate.Version));
AddItem(new FieldInfo("Subject", certificate.Subject));
AddItem(new FieldInfo("FriendlyName", certificate.FriendlyName));
AddItem(new FieldInfo("Thumbprint", certificate.Thumbprint));
AddItem(new FieldInfo("Issuer", certificate.Issuer));
AddItem(new FieldInfo("SerialNumber", certificate.SerialNumber));
AddItem(new FieldInfo("NotBefore", Utils.Format("{0:yyyy-MM-dd}", certificate.NotBefore)));
AddItem(new FieldInfo("NotAfter", Utils.Format("{0:yyyy-MM-dd}", certificate.NotAfter)));
AddItem(new FieldInfo("KeySize", certificate.PublicKey.Key.KeySize));
AddItem(new FieldInfo("KeyExchangeAlgorithm", certificate.PublicKey.Key.KeyExchangeAlgorithm));
AddItem(new FieldInfo("SignatureAlgorithm", certificate.SignatureAlgorithm.FriendlyName));
foreach (X509Extension extension in certificate.Extensions)
{
X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension;
if (basicContraints != null)
{
StringBuilder buffer = new StringBuilder();
if (basicContraints.CertificateAuthority)
{
buffer.Append("CA");
}
else
{
buffer.Append("End Entity");
}
if (basicContraints.HasPathLengthConstraint)
{
buffer.AppendFormat(", PathLength={0}", basicContraints.PathLengthConstraint);
}
AddItem(new FieldInfo("BasicConstraints", buffer.ToString()));
continue;
}
X509KeyUsageExtension keyUsage = extension as X509KeyUsageExtension;
if (keyUsage != null)
{
StringBuilder buffer = new StringBuilder();
foreach (X509KeyUsageFlags usageFlag in Enum.GetValues(typeof(X509KeyUsageFlags)))
{
if ((keyUsage.KeyUsages & usageFlag) != 0)
{
if (buffer.Length > 0)
{
buffer.Append(", ");
}
buffer.AppendFormat("{0}", usageFlag);
}
}
AddItem(new FieldInfo("KeyUsage", buffer.ToString()));
continue;
}
X509EnhancedKeyUsageExtension enhancedKeyUsage = extension as X509EnhancedKeyUsageExtension;
if (enhancedKeyUsage != null)
{
StringBuilder buffer = new StringBuilder();
foreach (Oid usageOid in enhancedKeyUsage.EnhancedKeyUsages)
{
if (buffer.Length > 0)
{
buffer.Append(", ");
}
if (!String.IsNullOrEmpty(usageOid.FriendlyName))
{
buffer.AppendFormat("{0}", usageOid.FriendlyName);
}
else
{
buffer.AppendFormat("{0}", usageOid.Value);
}
}
AddItem(new FieldInfo("EnhancedKeyUsage", buffer.ToString()));
continue;
}
X509SubjectKeyIdentifierExtension subjectKeyId = extension as X509SubjectKeyIdentifierExtension;
if (subjectKeyId != null)
{
AddItem(new FieldInfo("SubjectKeyIdentifier", subjectKeyId.SubjectKeyIdentifier));
continue;
}
if (extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltNameOid || extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltName2Oid)
{
X509SubjectAltNameExtension alternateName = new X509SubjectAltNameExtension(extension, extension.Critical);
AddItem(new FieldInfo("SubjectAlternateName", alternateName.Format(false)));
continue;
}
if (extension.Oid.Value == X509AuthorityKeyIdentifierExtension.AuthorityKeyIdentifier2Oid)
{
X509AuthorityKeyIdentifierExtension keyId = new X509AuthorityKeyIdentifierExtension(extension, extension.Critical);
AddItem(new FieldInfo("AuthorityKeyIdentifier", keyId.Format(false)));
continue;
}
string name = extension.Oid.FriendlyName;
if (String.IsNullOrEmpty(name))
{
name = extension.Oid.Value;
}
string value = Utils.ToHexString(extension.RawData);
AddItem(new FieldInfo(name, value));
}
AdjustColumns();
}
/// <summary>
/// Creates a certificate signing request from an existing certificate.
/// </summary>
public static byte[] CreateSigningRequest(
X509Certificate2 certificate,
IList <String> domainNames = null
)
{
using (var cfrg = new CertificateFactoryRandomGenerator())
{
SecureRandom random = new SecureRandom(cfrg);
// try to get signing/private key from certificate passed in
AsymmetricKeyParameter signingKey = GetPrivateKeyParameter(certificate);
RsaKeyParameters publicKey = GetPublicKeyParameter(certificate);
ISignatureFactory signatureFactory =
new Asn1SignatureFactory(GetRSAHashAlgorithm(defaultHashSize), signingKey, random);
Asn1Set attributes = null;
X509SubjectAltNameExtension alternateName = null;
foreach (System.Security.Cryptography.X509Certificates.X509Extension extension in certificate.Extensions)
{
if (extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltNameOid || extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltName2Oid)
{
alternateName = new X509SubjectAltNameExtension(extension, extension.Critical);
break;
}
}
domainNames = domainNames ?? new List <String>();
if (alternateName != null)
{
foreach (var name in alternateName.DomainNames)
{
if (!domainNames.Any(s => s.Equals(name, StringComparison.OrdinalIgnoreCase)))
{
domainNames.Add(name);
}
}
foreach (var ipAddress in alternateName.IPAddresses)
{
if (!domainNames.Any(s => s.Equals(ipAddress, StringComparison.OrdinalIgnoreCase)))
{
domainNames.Add(ipAddress);
}
}
}
if (domainNames.Count > 0)
{
List <GeneralName> generalNames = CreateSubjectAlternateNameDomains(domainNames);
if (generalNames.Count > 0)
{
IList oids = new ArrayList();
IList values = new ArrayList();
oids.Add(X509Extensions.SubjectAlternativeName);
values.Add(new Org.BouncyCastle.Asn1.X509.X509Extension(false,
new DerOctetString(new GeneralNames(generalNames.ToArray()).GetDerEncoded())));
AttributePkcs attribute = new AttributePkcs(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest,
new DerSet(new X509Extensions(oids, values)));
attributes = new DerSet(attribute);
}
}
Pkcs10CertificationRequest pkcs10CertificationRequest = new Pkcs10CertificationRequest(
signatureFactory,
new CertificateFactoryX509Name(false, certificate.Subject),
publicKey,
attributes,
signingKey);
return(pkcs10CertificationRequest.GetEncoded());
}
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp, byte [] rawSignedCert, byte [][] rawIssuerCerts)
{
X509Certificate2 signedCert = new X509Certificate2(rawSignedCert);
X509Certificate2 issuerCert = new X509Certificate2(rawIssuerCerts[0]);
Assert.NotNull(signedCert);
Assert.False(signedCert.HasPrivateKey);
Assert.True(Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
// test basic constraints
var constraints = FindBasicConstraintsExtension(signedCert);
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
var keyUsage = FindKeyUsageExtension(signedCert);
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
var enhancedKeyUsage = FindEnhancedKeyUsageExtension(signedCert);
Assert.NotNull(enhancedKeyUsage);
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(signedCert);
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = FindSubjectKeyIdentifierExtension(issuerCert);
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = FindSubjectAltName(signedCert);
Assert.NotNull(subjectAlternateName);
Assert.False(subjectAlternateName.Critical);
var domainNames = Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp, byte[] rawSignedCert, byte[][] rawIssuerCerts)
{
X509Certificate2 signedCert = new X509Certificate2(rawSignedCert);
X509Certificate2 issuerCert = new X509Certificate2(rawIssuerCerts[0]);
TestContext.Out.WriteLine($"Signed cert: {signedCert}");
TestContext.Out.WriteLine($"Issuer cert: {issuerCert}");
Assert.NotNull(signedCert);
Assert.False(signedCert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(X509Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
TestContext.Out.WriteLine($"Signed Subject: {signedCert.Subject}");
TestContext.Out.WriteLine($"Issuer Subject: {issuerCert.Subject}");
// test basic constraints
X509BasicConstraintsExtension constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(signedCert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine($"Constraints: {constraints.Format(true)}");
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
X509KeyUsageExtension keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(signedCert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine($"KeyUsage: {keyUsage.Format(true)}");
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(signedCert);
Assert.NotNull(enhancedKeyUsage);
TestContext.Out.WriteLine($"Enhanced Key Usage: {enhancedKeyUsage.Format(true)}");
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(signedCert);
Assert.NotNull(authority);
TestContext.Out.WriteLine($"Authority Key Identifier: {authority.Format(true)}");
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(issuerCert);
TestContext.Out.WriteLine($"Issuer Subject Key Identifier: {subjectKeyId}");
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(signedCert);
Assert.NotNull(subjectAlternateName);
TestContext.Out.WriteLine($"Issuer Subject Alternate Name: {subjectAlternateName}");
Assert.False(subjectAlternateName.Critical);
var domainNames = X509Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = X509Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
}
public static void VerifyCACert(X509Certificate2 cert, string subject, int pathLengthConstraint)
{
TestContext.Out.WriteLine($"{nameof(VerifyCACert)}:");
Assert.NotNull(cert);
TestContext.Out.WriteLine(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(subject, cert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(subject, cert.Issuer));
// test basic constraints
var constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine(constraints.Format(true));
Assert.True(constraints.Critical);
Assert.True(constraints.CertificateAuthority);
if (pathLengthConstraint < 0)
{
Assert.False(constraints.HasPathLengthConstraint);
}
else
{
Assert.True(constraints.HasPathLengthConstraint);
Assert.AreEqual(pathLengthConstraint, constraints.PathLengthConstraint);
}
// key usage
var keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine(keyUsage.Format(true));
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == X509KeyUsageFlags.CrlSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == 0);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.Null(enhancedKeyUsage);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(cert);
Assert.NotNull(authority);
TestContext.Out.WriteLine(authority.Format(true));
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.GetSerialNumber());
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
Assert.NotNull(authority.ToString());
Assert.AreEqual(authority.SerialNumber, Utils.ToHexString(authority.GetSerialNumber(), true));
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(cert);
TestContext.Out.WriteLine(subjectKeyId.Format(true));
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
Assert.AreEqual(cert.SerialNumber, authority.SerialNumber);
Assert.AreEqual(cert.GetSerialNumber(), authority.GetSerialNumber());
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(cert);
Assert.Null(subjectAlternateName);
}
public static void VerifyApplicationCert(ApplicationTestData testApp, X509Certificate2 cert, X509Certificate2 issuerCert = null)
{
bool signedCert = issuerCert != null;
if (issuerCert == null)
{
issuerCert = cert;
}
TestContext.Out.WriteLine($"{nameof(VerifyApplicationCert)}:");
Assert.NotNull(cert);
TestContext.Out.WriteLine(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(testApp.Subject, cert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(issuerCert.Subject, cert.Issuer));
// test basic constraints
X509BasicConstraintsExtension constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine(constraints.Format(true));
Assert.True(constraints.Critical);
if (signedCert)
{
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
}
else
{
Assert.True(constraints.CertificateAuthority);
Assert.True(constraints.HasPathLengthConstraint);
Assert.AreEqual(0, constraints.PathLengthConstraint);
}
// key usage
X509KeyUsageExtension keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine(keyUsage.Format(true));
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == (signedCert ? 0 : X509KeyUsageFlags.KeyCertSign));
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.NotNull(enhancedKeyUsage);
TestContext.Out.WriteLine(enhancedKeyUsage.Format(true));
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(cert);
Assert.NotNull(authority);
TestContext.Out.WriteLine(authority.Format(true));
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
if (issuerCert == null)
{
Assert.AreEqual(cert.SubjectName.RawData, authority.Issuer.RawData);
Assert.True(X509Utils.CompareDistinguishedName(cert.SubjectName.Name, authority.Issuer.Name), $"{cert.SubjectName.Name} != {authority.Issuer.Name}");
}
else
{
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
Assert.True(X509Utils.CompareDistinguishedName(issuerCert.SubjectName.Name, authority.Issuer.Name), $"{cert.SubjectName.Name} != {authority.Issuer.Name}");
}
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(cert);
TestContext.Out.WriteLine(subjectKeyId.Format(true));
if (signedCert)
{
var caCertSubjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(issuerCert);
Assert.NotNull(caCertSubjectKeyId);
Assert.AreEqual(caCertSubjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
}
else
{
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
}
Assert.AreEqual(issuerCert.GetSerialNumber(), authority.GetSerialNumber());
Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(cert);
Assert.NotNull(subjectAlternateName);
TestContext.Out.WriteLine(subjectAlternateName.Format(true));
Assert.False(subjectAlternateName.Critical);
var domainNames = X509Utils.GetDomainsFromCertficate(cert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = X509Utils.GetApplicationUriFromCertificate(cert);
TestContext.Out.WriteLine("ApplicationUri: ");
TestContext.Out.WriteLine(applicationUri);
Assert.AreEqual(testApp.ApplicationUri, applicationUri);
}
/// <summary>
/// Displays the properties of a certificate.
/// </summary>
internal void Initialize(X509Certificate2 certificate)
{
ItemsLV.Items.Clear();
if (certificate == null)
{
Instructions = "No certificate properties to display";
AdjustColumns();
return;
}
AddItem(new FieldInfo("Version", certificate.Version));
AddItem(new FieldInfo("Subject", certificate.Subject));
AddItem(new FieldInfo("FriendlyName", certificate.FriendlyName));
AddItem(new FieldInfo("Thumbprint", certificate.Thumbprint));
AddItem(new FieldInfo("Issuer", certificate.Issuer));
AddItem(new FieldInfo("SerialNumber", certificate.SerialNumber));
AddItem(new FieldInfo("NotBefore", Utils.Format("{0:yyyy-MM-dd}", certificate.NotBefore)));
AddItem(new FieldInfo("NotAfter", Utils.Format("{0:yyyy-MM-dd}", certificate.NotAfter)));
AddItem(new FieldInfo("KeySize", certificate.PublicKey.Key.KeySize));
AddItem(new FieldInfo("KeyExchangeAlgorithm", certificate.PublicKey.Key.KeyExchangeAlgorithm));
AddItem(new FieldInfo("SignatureAlgorithm", certificate.SignatureAlgorithm.FriendlyName));
foreach (X509Extension extension in certificate.Extensions)
{
X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension;
if (basicContraints != null)
{
StringBuilder buffer = new StringBuilder();
if (basicContraints.CertificateAuthority)
{
buffer.Append("CA");
}
else
{
buffer.Append("End Entity");
}
if (basicContraints.HasPathLengthConstraint)
{
buffer.AppendFormat(", PathLength={0}", basicContraints.PathLengthConstraint);
}
AddItem(new FieldInfo("BasicConstraints", buffer.ToString()));
continue;
}
X509KeyUsageExtension keyUsage = extension as X509KeyUsageExtension;
if (keyUsage != null)
{
StringBuilder buffer = new StringBuilder();
foreach (X509KeyUsageFlags usageFlag in Enum.GetValues(typeof(X509KeyUsageFlags)))
{
if ((keyUsage.KeyUsages & usageFlag) != 0)
{
if (buffer.Length > 0)
{
buffer.Append(", ");
}
buffer.AppendFormat("{0}", usageFlag);
}
}
AddItem(new FieldInfo("KeyUsage", buffer.ToString()));
continue;
}
X509EnhancedKeyUsageExtension enhancedKeyUsage = extension as X509EnhancedKeyUsageExtension;
if (enhancedKeyUsage != null)
{
StringBuilder buffer = new StringBuilder();
foreach (Oid usageOid in enhancedKeyUsage.EnhancedKeyUsages)
{
if (buffer.Length > 0)
{
buffer.Append(", ");
}
if (!String.IsNullOrEmpty(usageOid.FriendlyName))
{
buffer.AppendFormat("{0}", usageOid.FriendlyName);
}
else
{
buffer.AppendFormat("{0}", usageOid.Value);
}
}
AddItem(new FieldInfo("EnhancedKeyUsage", buffer.ToString()));
continue;
}
X509SubjectKeyIdentifierExtension subjectKeyId = extension as X509SubjectKeyIdentifierExtension;
if (subjectKeyId != null)
{
AddItem(new FieldInfo("SubjectKeyIdentifier", subjectKeyId.SubjectKeyIdentifier));
continue;
}
if (extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltNameOid || extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltName2Oid)
{
X509SubjectAltNameExtension alternateName = new X509SubjectAltNameExtension(extension, extension.Critical);
AddItem(new FieldInfo("SubjectAlternateName", alternateName.Format(false)));
continue;
}
if (extension.Oid.Value == X509AuthorityKeyIdentifierExtension.AuthorityKeyIdentifier2Oid)
{
X509AuthorityKeyIdentifierExtension keyId = new X509AuthorityKeyIdentifierExtension(extension, extension.Critical);
AddItem(new FieldInfo("AuthorityKeyIdentifier", keyId.Format(false)));
continue;
}
string name = extension.Oid.FriendlyName;
if (String.IsNullOrEmpty(name))
{
name = extension.Oid.Value;
}
string value = Utils.ToHexString(extension.RawData);
AddItem(new FieldInfo(name, value));
}
AdjustColumns();
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp, X509Certificate2 signedCert, X509Certificate2Collection issuerCerts)
{
X509Certificate2 issuerCert = issuerCerts[0];
Assert.NotNull(signedCert);
Assert.False(signedCert.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
// test basic constraints
var constraints = FindBasicConstraintsExtension(signedCert);
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
var keyUsage = FindKeyUsageExtension(signedCert);
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
var enhancedKeyUsage = FindEnhancedKeyUsageExtension(signedCert);
Assert.NotNull(enhancedKeyUsage);
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(signedCert);
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = FindSubjectKeyIdentifierExtension(issuerCert);
Assert.Equal(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.Equal(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = FindSubjectAltName(signedCert);
Assert.NotNull(subjectAlternateName);
Assert.False(subjectAlternateName.Critical);
var domainNames = Opc.Ua.Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.Contains(domainName, domainNames, StringComparer.OrdinalIgnoreCase);
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = Opc.Ua.Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
CertificateIdentifierCollection issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var cert in issuerCerts)
{
issuerCertIdCollection.Add(new CertificateIdentifier(cert));
}
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateTrustList trustedStore = new CertificateTrustList();
trustedStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(trustedStore, issuerStore, null);
Assert.Throws <Opc.Ua.ServiceResultException>(() =>
{
certValidator.Validate(signedCert);
});
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(signedCert);
}
