public async Task <X509CertificateCollection> KeyVaultNewKeyPairRequestAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
X509CertificateCollection certCollection = new X509CertificateCollection();
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
Guid requestId = Guid.NewGuid();
Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = await _keyVault.NewKeyPairRequestAsync(
group,
requestId.ToString(),
randomApp.ApplicationRecord.ApplicationUri,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
randomApp.PrivateKeyFormat,
randomApp.PrivateKeyPassword);
Assert.NotNull(newKeyPair);
Assert.False(newKeyPair.Certificate.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newKeyPair.Certificate.Issuer, newKeyPair.Certificate.Subject));
X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Count >= 1);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate,
newKeyPair.PrivateKey,
randomApp.PrivateKeyPassword,
randomApp.PrivateKeyFormat,
issuerCerts
);
certCollection.Add(newKeyPair.Certificate);
// disable and delete private key from KeyVault (requires set/delete rights)
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
}
return(certCollection);
}
public async Task KeyVaultNewKeyPairAndRevokeCertificateAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
Guid requestId = Guid.NewGuid();
Opc.Ua.Gds.Server.X509Certificate2KeyPair newCert = await _keyVault.NewKeyPairRequestAsync(
group,
requestId.ToString(),
randomApp.ApplicationRecord.ApplicationUri,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
randomApp.PrivateKeyFormat,
randomApp.PrivateKeyPassword
);
Assert.NotNull(newCert);
Assert.False(newCert.Certificate.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newCert.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newCert.Certificate.Issuer, newCert.Certificate.Subject));
X509Certificate2 cert = new X509Certificate2(newCert.Certificate.RawData);
X509CRL crl = await _keyVault.RevokeCertificateAsync(group, cert);
Assert.NotNull(crl);
X509Certificate2Collection caChain = await _keyVault.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(caChain);
X509Certificate2 caCert = caChain[0];
Assert.False(caCert.HasPrivateKey);
crl.VerifySignature(caCert, true);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(crl.Issuer, caCert.Issuer));
// disable and delete private key from KeyVault (requires set/delete rights)
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
}
}
public async Task KeyVaultNewKeyPairLoadThenDeletePrivateKeyAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
Guid requestId = Guid.NewGuid();
Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = await _keyVault.NewKeyPairRequestAsync(
group,
requestId.ToString(),
randomApp.ApplicationRecord.ApplicationUri,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
randomApp.PrivateKeyFormat,
randomApp.PrivateKeyPassword
);
Assert.NotNull(newKeyPair);
Assert.False(newKeyPair.Certificate.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newKeyPair.Certificate.Issuer, newKeyPair.Certificate.Subject));
X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Count >= 1);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate,
newKeyPair.PrivateKey,
randomApp.PrivateKeyPassword,
randomApp.PrivateKeyFormat,
issuerCerts
);
// test to load the key from KeyVault
var privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat);
X509Certificate2 privateKeyX509;
if (randomApp.PrivateKeyFormat == "PFX")
{
privateKeyX509 = CertificateFactory.CreateCertificateFromPKCS12(privateKey, randomApp.PrivateKeyPassword);
}
else
{
privateKeyX509 = CertificateFactory.CreateCertificateWithPEMPrivateKey(newKeyPair.Certificate, privateKey, randomApp.PrivateKeyPassword);
}
Assert.True(privateKeyX509.HasPrivateKey);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate,
privateKey,
randomApp.PrivateKeyPassword,
randomApp.PrivateKeyFormat,
issuerCerts
);
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await Assert.ThrowsAsync <KeyVaultErrorException>(async() =>
{
privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat);
});
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
await Assert.ThrowsAsync <KeyVaultErrorException>(async() =>
{
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
});
await Assert.ThrowsAsync <KeyVaultErrorException>(async() =>
{
privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat);
});
}
}
public async Task ApproveAsync(
string requestId,
bool isRejected
)
{
Guid reqId = GetIdFromString(requestId);
bool retryUpdate;
do
{
retryUpdate = false;
CertificateRequest request = await _certificateRequests.GetAsync(reqId);
if (request.CertificateRequestState != CertificateRequestState.New)
{
throw new ResourceInvalidStateException("The record is not in a valid state for this operation.");
}
Application application = await _applicationsDatabase.GetApplicationAsync(request.ApplicationId);
if (isRejected)
{
request.CertificateRequestState = CertificateRequestState.Rejected;
// erase information which is not required anymore
request.PrivateKeyFormat = null;
request.SigningRequest = null;
request.PrivateKeyPassword = null;
}
else
{
request.CertificateRequestState = CertificateRequestState.Approved;
X509Certificate2 certificate;
if (request.SigningRequest != null)
{
try
{
certificate = await _certificateGroup.SigningRequestAsync(
request.CertificateGroupId,
application.ApplicationUri,
request.SigningRequest
);
request.Certificate = certificate.RawData;
}
catch (Exception e)
{
StringBuilder error = new StringBuilder();
error.Append("Error Generating Certificate=" + e.Message);
error.Append("\r\nApplicationId=" + application.ApplicationId);
error.Append("\r\nApplicationUri=" + application.ApplicationUri);
error.Append("\r\nApplicationName=" + application.ApplicationNames[0].Text);
throw new ResourceInvalidStateException(error.ToString());
}
}
else
{
Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = null;
try
{
newKeyPair = await _certificateGroup.NewKeyPairRequestAsync(
request.CertificateGroupId,
requestId,
application.ApplicationUri,
request.SubjectName,
request.DomainNames,
request.PrivateKeyFormat,
request.PrivateKeyPassword);
}
catch (Exception e)
{
StringBuilder error = new StringBuilder();
error.Append("Error Generating New Key Pair Certificate=" + e.Message);
error.Append("\r\nApplicationId=" + application.ApplicationId);
error.Append("\r\nApplicationUri=" + application.ApplicationUri);
throw new ResourceInvalidStateException(error.ToString());
}
request.Certificate = newKeyPair.Certificate.RawData;
// ignore private key, it is stored in KeyVault
}
}
request.ApproveRejectTime = DateTime.UtcNow;
try
{
await _certificateRequests.UpdateAsync(reqId, request, request.ETag);
}
catch (DocumentClientException dce)
{
if (dce.StatusCode == HttpStatusCode.PreconditionFailed)
{
retryUpdate = true;
}
}
} while (retryUpdate);
}
