public void CreateForECDsaWithGeneratorTest(
ECCurveHashPair ecCurveHashPair
)
{
// default signing cert with custom key
X509Certificate2 signingCert = CertificateBuilder.Create(Subject)
.SetCAConstraint()
.SetHashAlgorithm(HashAlgorithmName.SHA512)
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa();
WriteCertificate(signingCert, $"Signing ECDsa {signingCert.GetECDsaPublicKey().KeySize} cert");
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetIssuer(new X509Certificate2(signingCert.RawData))
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, "Default signed ECDsa cert");
}
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
using (ECDsa ecdsaPublicKey = signingCert.GetECDsaPublicKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetECDsaPublicKey(ecdsaPublicKey)
.CreateForECDsa(generator);
Assert.NotNull(cert);
WriteCertificate(cert, "Default signed ECDsa cert with Public Key");
}
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa(generator);
Assert.NotNull(cert);
WriteCertificate(cert, "Default signed RSA cert");
}
// ensure invalid path throws argument exception
Assert.Throws <NotSupportedException>(() => {
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa(generator);
}
});
}
public void CreateSelfSignedForECDsaDefaultTest(ECCurveHashPair eccurveHashPair)
{
// default cert
X509Certificate2 cert = CertificateBuilder.Create(Subject)
.SetECCurve(eccurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, "Default ECDsa cert");
using (var privateKey = cert.GetECDsaPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetECDsaPublicKey())
{
Assert.NotNull(publicKey);
publicKey.ExportParameters(false);
}
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore);
Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime());
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.AreEqual(0, basicConstraintsExtension.PathLengthConstraint);
var keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert.Extensions);
Assert.NotNull(keyUsage);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert), "Verify self signed.");
}
public void CreateSelfSignedForECDsaAllFields(
ECCurveHashPair ecCurveHashPair
)
{
// set dates and extension
var applicationUri = "urn:opcfoundation.org:mypc";
var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" };
var cert = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension(applicationUri, domains))
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert ECDsa {ecCurveHashPair.Curve.Oid.FriendlyName} with modified lifetime and alt name extension");
Assert.AreEqual(Subject, cert.Subject);
using (var privateKey = cert.GetECDsaPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetECDsaPublicKey())
{
Assert.NotNull(publicKey);
publicKey.ExportParameters(false);
}
Assert.AreEqual(ecCurveHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
CheckPEMWriter(cert);
}
public void CreateCACertForECDsa(
ECCurveHashPair ecCurveHashPair
)
{
// create a CA cert
var cert = CertificateBuilder.Create(Subject)
.SetCAConstraint()
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl"))
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points");
Assert.AreEqual(ecCurveHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.False(basicConstraintsExtension.HasPathLengthConstraint);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
