public void ShouldTrustIfHostnameDiffers()
{
var pkcs12 = X509TestUtils.CreateCert("localhost", DateTime.Now.AddYears(-1), DateTime.Now.AddYears(1),
null, null, null);
var cert = X509TestUtils.ToDotnetCertificate(pkcs12);
var trustManager = new InsecureTrustManager(false);
new TrustManagerHandshaker(new Uri("bolt://localhost2"), cert, trustManager).Perform();
}
public async Task <X509CertificateCollection> KeyVaultSigningRequestAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
var certCollection = new X509CertificateCollection();
var groups = await _registry.ListGroupIdsAsync(null, null);
foreach (var group in groups.Groups)
{
var certificateGroupConfiguration = await _registry.GetGroupInfoAsync(group);
var randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
var csrCertificate = CertificateFactory.CreateCertificate(
null, null, null,
randomApp.ApplicationRecord.ApplicationUri,
null,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
certificateGroupConfiguration.DefaultCertificateKeySize,
DateTime.UtcNow.AddDays(-10),
certificateGroupConfiguration.DefaultCertificateLifetime,
certificateGroupConfiguration.DefaultCertificateHashSize
);
var certificateRequest = CertificateFactory.CreateSigningRequest(
csrCertificate, randomApp.DomainNames);
var newCert = await _services.ProcessSigningRequestAsync(
"cert",
new Registry.Models.ApplicationInfoModel {
ApplicationUri = randomApp.ApplicationRecord.ApplicationUri,
},
certificateRequest);
// get issuer cert used for signing
var issuerCerts = await _services.GetIssuerCACertificateChainAsync(group);
#if WRITECERT
// save cert for debugging
using (var store = Opc.Ua.CertificateStoreIdentifier.CreateStore(
Opc.Ua.CertificateStoreType.Directory)) {
Assert.NotNull(store);
store.Open("d:\\unittest");
await store.Add(newCert.ToStackModel());
foreach (var cert in issuerCerts.ToStackModel())
{
await store.Add(cert);
}
}
#endif
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Chain.Count >= 1);
X509TestUtils.VerifySignedApplicationCert(
randomApp, newCert.ToStackModel(), issuerCerts.ToStackModel());
certCollection.Add(newCert.ToStackModel());
}
return(certCollection);
}
public void ShouldTrust()
{
var pkcs12 = X509TestUtils.CreateCert("localhost", DateTime.Now.AddYears(-1), DateTime.Now.AddYears(1),
null, null, null);
var cert = X509TestUtils.ToDotnetCertificate(pkcs12);
var trustManager = new CertificateTrustManager(true, new[] { cert });
new TrustManagerHandshaker(new Uri("bolt://localhost"), cert, trustManager).Perform();
}
public void ShouldNotTrustIfNotTrusted()
{
var pkcs12 = X509TestUtils.CreateCert("localhost", DateTime.Now.AddYears(-1), DateTime.Now.AddYears(1),
null, null, null);
var cert = X509TestUtils.ToDotnetCertificate(pkcs12);
var trustManager = new CertificateTrustManager(true, new X509Certificate2[] {});
var result = new TrustManagerHandshaker(new Uri("bolt://localhost"), cert, trustManager).Perform();
result.Should().BeFalse();
}
public void ShouldNotTrustIfHostnameDiffers()
{
var pkcs12 = X509TestUtils.CreateCert("localhost", DateTime.Now.AddYears(-1), DateTime.Now.AddYears(1),
null, null, null);
var cert = X509TestUtils.ToDotnetCertificate(pkcs12);
var trustManager = new InsecureTrustManager(true);
var ex = Record.Exception(() =>
new TrustManagerHandshaker(new Uri("bolt://localhost2"), cert, trustManager).Perform());
ex.Should().NotBeNull().And.BeOfType <AuthenticationException>();
}
public void FinishGoodNewKeyPairRequests()
{
AssertIgnoreTestWithoutGoodRegistration();
AssertIgnoreTestWithoutGoodNewKeyPairRequest();
ConnectGDS(true);
bool requestBusy;
do
{
requestBusy = false;
foreach (var application in _goodApplicationTestSet)
{
if (application.CertificateRequestId != null)
{
byte[] certificate = _gdsClient.GDSClient.FinishRequest(
application.ApplicationRecord.ApplicationId,
application.CertificateRequestId,
out byte[] privateKey,
out byte[][] issuerCertificates
);
if (certificate != null)
{
application.CertificateRequestId = null;
Assert.NotNull(certificate);
Assert.NotNull(privateKey);
Assert.NotNull(issuerCertificates);
application.Certificate = certificate;
application.PrivateKey = privateKey;
application.IssuerCertificates = issuerCertificates;
X509TestUtils.VerifySignedApplicationCert(application, certificate, issuerCertificates);
X509TestUtils.VerifyApplicationCertIntegrity(certificate, privateKey, application.PrivateKeyPassword, application.PrivateKeyFormat, issuerCertificates);
}
else
{
requestBusy = true;
}
}
}
if (requestBusy)
{
Thread.Sleep(500);
}
} while (requestBusy);
}
public async Task <X509CertificateCollection> KeyVaultNewKeyPairRequestAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
var certCollection = new X509CertificateCollection();
var groups = await _registry.ListGroupIdsAsync(null, null);
foreach (var group in groups.Groups)
{
var randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
var requestId = Guid.NewGuid();
var newKeyPair = await _services.CreateNewCertificateAsync(
"cert",
requestId.ToString(),
new Registry.Models.ApplicationInfoModel {
ApplicationUri = randomApp.ApplicationRecord.ApplicationUri,
},
randomApp.Subject,
randomApp.DomainNames.ToArray());
Assert.NotNull(newKeyPair);
Assert.False(newKeyPair.Certificate.ToStackModel().HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(
newKeyPair.Certificate.ToStackModel().Issuer, newKeyPair.Certificate.Subject));
var issuerCerts = await _services.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Chain.Count >= 1);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate.ToStackModel(),
newKeyPair.PrivateKey.ToKey(),
issuerCerts.ToStackModel());
certCollection.Add(newKeyPair.Certificate.ToStackModel());
// disable and delete private key from KeyVault (requires set/delete rights)
await _services.AcceptPrivateKeyAsync(requestId.ToString());
await _services.DeletePrivateKeyAsync(requestId.ToString());
}
return(certCollection);
}
public async Task GetTrustListAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
var groups = await _registry.ListGroupIdsAsync(null, null);
foreach (var group in groups.Groups)
{
var trustList = await _services.GetGroupTrustListAsync(null, 2);
var nextPageLink = trustList.NextPageLink;
while (nextPageLink != null)
{
var nextTrustList = await _services.GetGroupTrustListAsync(nextPageLink, 2);
trustList.AddRange(nextTrustList);
nextPageLink = nextTrustList.NextPageLink;
}
var validator = X509TestUtils.CreateValidatorAsync(trustList);
}
}
public void FinishGoodSigningRequests()
{
AssertIgnoreTestWithoutGoodRegistration();
AssertIgnoreTestWithoutGoodNewKeyPairRequest();
ConnectGDS(true);
bool requestBusy;
DateTime now = DateTime.UtcNow;
do
{
requestBusy = false;
foreach (var application in _goodApplicationTestSet)
{
if (application.CertificateRequestId != null)
{
try
{
var certificate = _gdsClient.GDSClient.FinishRequest(
application.ApplicationRecord.ApplicationId,
application.CertificateRequestId,
out byte[] privateKey,
out byte[][] issuerCertificates
);
if (certificate != null)
{
application.CertificateRequestId = null;
Assert.Null(privateKey);
Assert.NotNull(issuerCertificates);
application.Certificate = certificate;
application.IssuerCertificates = issuerCertificates;
X509TestUtils.VerifySignedApplicationCert(application, certificate, issuerCertificates);
X509TestUtils.VerifyApplicationCertIntegrity(certificate, application.PrivateKey, application.PrivateKeyPassword, application.PrivateKeyFormat, issuerCertificates);
}
else
{
requestBusy = true;
}
}
catch (ServiceResultException sre)
{
if (sre.StatusCode == StatusCodes.BadNothingToDo &&
now.AddMinutes(5) > DateTime.UtcNow)
{
requestBusy = true;
Thread.Sleep(1000);
}
else
{
throw sre;
}
}
}
}
if (requestBusy)
{
Thread.Sleep(5000);
Console.WriteLine("Waiting for certificate approval");
}
} while (requestBusy);
}
public async Task CreateCAAndAppCertificatesThenRevokeAll()
{
Skip.If(!_fixture.KeyVaultInitOk);
var certCollection = new X509Certificate2Collection();
for (var i = 0; i < 3; i++)
{
await KeyVaultCreateCACertificateAsync();
for (var v = 0; v < 10; v++)
{
certCollection.AddRange(await KeyVaultSigningRequestAsync());
certCollection.AddRange(await KeyVaultNewKeyPairRequestAsync());
}
}
var groups = await _registry.ListGroupIdsAsync(null, null);
// validate all certificates
foreach (var group in groups.Groups)
{
var trustList = await _services.GetGroupTrustListAsync(group);
var nextPageLink = trustList.NextPageLink;
while (nextPageLink != null)
{
var nextTrustList = await _services.GetGroupTrustListAsync(nextPageLink);
trustList.AddRange(nextTrustList);
nextPageLink = nextTrustList.NextPageLink;
}
var validator = await X509TestUtils.CreateValidatorAsync(trustList);
foreach (var cert in certCollection)
{
validator.Validate(cert);
}
}
// now revoke all certifcates
var revokeCertificates = new X509Certificate2Collection(certCollection).ToServiceModel(null);
foreach (var group in groups.Groups)
{
var unrevokedCertificates = await _services.RevokeCertificatesAsync(revokeCertificates);
Assert.True(unrevokedCertificates.Chain.Count <= revokeCertificates.Chain.Count);
revokeCertificates = unrevokedCertificates;
}
Assert.Empty(revokeCertificates.Chain);
// reload updated trust list from KeyVault
var trustListAllGroups = new TrustListModel {
GroupId = "all"
};
foreach (var group in groups.Groups)
{
var trustList = await _services.GetGroupTrustListAsync(group);
var nextPageLink = trustList.NextPageLink;
while (nextPageLink != null)
{
var nextTrustList = await _services.GetGroupTrustListAsync(nextPageLink);
trustList.AddRange(nextTrustList);
nextPageLink = nextTrustList.NextPageLink;
}
trustListAllGroups.AddRange(trustList);
}
// verify certificates are revoked
{
var validator = await X509TestUtils.CreateValidatorAsync(trustListAllGroups);
foreach (var cert in certCollection)
{
Assert.Throws <Opc.Ua.ServiceResultException>(() => validator.Validate(cert));
}
}
}
public async Task KeyVaultNewKeyPairLoadThenDeletePrivateKeyAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
var groups = await _registry.ListGroupIdsAsync(null, null);
foreach (var group in groups.Groups)
{
var randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
var requestId = Guid.NewGuid();
var newKeyPair = await _services.CreateNewCertificateAsync(
requestId.ToString(),
new Registry.Models.ApplicationInfoModel {
ApplicationUri = randomApp.ApplicationRecord.ApplicationUri,
}, randomApp.Subject,
randomApp.DomainNames.ToArray()
);
Assert.NotNull(newKeyPair);
Assert.False(newKeyPair.Certificate.ToStackModel().HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject,
newKeyPair.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(
newKeyPair.Certificate.ToStackModel().Issuer, newKeyPair.Certificate.Subject));
var issuerCerts = await _services.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Chain.Count >= 1);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate.ToStackModel(),
newKeyPair.PrivateKey.ToKey(),
issuerCerts.ToStackModel()
);
// test to load the key from KeyVault
var privateKey = await _services.RetrievePrivateKeyAsync(requestId.ToString());
Assert.True(privateKey.HasPrivateKey());
var privateKeyX509 = newKeyPair.Certificate.ToStackModel();
privateKeyX509.PrivateKey = privateKey.ToRSA();
Assert.True(privateKeyX509.HasPrivateKey);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate.ToStackModel(),
privateKey,
issuerCerts.ToStackModel()
);
await _services.AcceptPrivateKeyAsync(requestId.ToString());
await Assert.ThrowsAsync <KeyVaultErrorException>(async() => privateKey =
await _services.RetrievePrivateKeyAsync(requestId.ToString()));
await _services.AcceptPrivateKeyAsync(requestId.ToString());
await _services.DeletePrivateKeyAsync(requestId.ToString());
await Assert.ThrowsAsync <KeyVaultErrorException>(() =>
_services.DeletePrivateKeyAsync(requestId.ToString()));
await Assert.ThrowsAsync <KeyVaultErrorException>(async() => privateKey =
await _services.RetrievePrivateKeyAsync(requestId.ToString()));
}
}