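/// <summary>
/// Round-trips an AuthorityKeyIdentifier extension that carries only a key identifier
/// (no authority name, no serial number) through both raw-data constructors and checks
/// that every decoded instance reports the same absent issuer/serial and the same key id.
/// </summary>
public void VerifyX509AuthorityKeyIdentifierExtensionOnlyKeyID()
{
    byte[] subjectKeyIdentifier = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

    var aki = new X509AuthorityKeyIdentifierExtension(subjectKeyIdentifier);
    Assert.NotNull(aki);
    TestContext.Out.WriteLine("Encoded:");
    TestContext.Out.WriteLine(aki.Format(true));
    AssertOnlyKeyId(aki);

    // Decode via the typed Oid overload.
    var akidecoded = new X509AuthorityKeyIdentifierExtension(aki.Oid, aki.RawData, aki.Critical);
    TestContext.Out.WriteLine("Decoded:");
    TestContext.Out.WriteLine(akidecoded.Format(true));
    Assert.AreEqual(aki.RawData, akidecoded.RawData);
    // The assertions must target the decoded instance: the earlier version re-checked
    // 'aki' here, so a decoder that produced a spurious issuer or serial number would
    // never have been caught.
    AssertOnlyKeyId(akidecoded);

    // Decode via the Oid string overload.
    akidecoded = new X509AuthorityKeyIdentifierExtension(aki.Oid.Value, aki.RawData, aki.Critical);
    TestContext.Out.WriteLine("Decoded2:");
    TestContext.Out.WriteLine(akidecoded.Format(true));
    Assert.AreEqual(aki.RawData, akidecoded.RawData);
    AssertOnlyKeyId(akidecoded);

    // Checks that an instance carries exactly the key identifier and nothing else.
    void AssertOnlyKeyId(X509AuthorityKeyIdentifierExtension extension)
    {
        Assert.Null(extension.Issuer);
        Assert.Null(extension.GetSerialNumber());
        Assert.AreEqual(string.Empty, extension.SerialNumber);
        Assert.AreEqual(subjectKeyIdentifier, extension.GetKeyIdentifier());
    }
}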
/// <summary>
/// Builds an AuthorityKeyIdentifier extension from a key identifier, an authority name and a
/// serial number, then decodes it again through both raw-data constructors and checks that
/// issuer, serial number (binary and hex) and key identifier survive the round trip.
/// </summary>
public void VerifyX509AuthorityKeyIdentifierExtension()
{
    var authorityName = new X500DistinguishedName("CN=Test,O=OPC Foundation,DC=localhost");
    byte[] serialNumber = new byte[] { 9, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    byte[] subjectKeyIdentifier = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    string expectedSerialHex = AsnUtils.ToHexString(serialNumber, true);

    var encoded = new X509AuthorityKeyIdentifierExtension(subjectKeyIdentifier, authorityName, serialNumber);
    Assert.NotNull(encoded);
    TestContext.Out.WriteLine("Encoded:");
    TestContext.Out.WriteLine(encoded.Format(true));
    Assert.AreEqual(authorityName, encoded.Issuer);
    Assert.AreEqual(serialNumber, encoded.GetSerialNumber());
    Assert.AreEqual(expectedSerialHex, encoded.SerialNumber);
    Assert.AreEqual(subjectKeyIdentifier, encoded.GetKeyIdentifier());

    // Decode once from the typed Oid, once from the Oid string.
    AssertDecoded(
        new X509AuthorityKeyIdentifierExtension(encoded.Oid, encoded.RawData, encoded.Critical),
        "Decoded:");
    AssertDecoded(
        new X509AuthorityKeyIdentifierExtension(encoded.Oid.Value, encoded.RawData, encoded.Critical),
        "Decoded2:");

    // Prints the decoded extension and compares it field by field with the encoded one.
    void AssertDecoded(X509AuthorityKeyIdentifierExtension decoded, string label)
    {
        TestContext.Out.WriteLine(label);
        TestContext.Out.WriteLine(decoded.Format(true));
        Assert.AreEqual(encoded.RawData, decoded.RawData);
        Assert.AreEqual(authorityName.ToString(), decoded.Issuer.ToString());
        Assert.AreEqual(serialNumber, decoded.GetSerialNumber());
        Assert.AreEqual(expectedSerialHex, decoded.SerialNumber);
        Assert.AreEqual(subjectKeyIdentifier, decoded.GetKeyIdentifier());
    }
}
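/// <summary>
/// Asserts that <paramref name="cert"/> is a self-signed CA certificate with the expected
/// subject, basic constraints, key usage and authority/subject key identifier extensions.
/// </summary>
/// <param name="cert">The certificate under test (public part only).</param>
/// <param name="subject">The distinguished name expected as both subject and issuer.</param>
/// <param name="pathLengthConstraint">
/// Expected path length constraint; a negative value means no constraint must be present.
/// </param>
public static void VerifyCACert(X509Certificate2 cert, string subject, int pathLengthConstraint)
{
    TestContext.Out.WriteLine($"{nameof(VerifyCACert)}:");
    Assert.NotNull(cert);
    TestContext.Out.WriteLine(cert);
    Assert.False(cert.HasPrivateKey);
    // Self-signed: subject and issuer are the same name.
    Assert.True(X509Utils.CompareDistinguishedName(subject, cert.Subject));
    Assert.True(X509Utils.CompareDistinguishedName(subject, cert.Issuer));

    // Basic constraints
    var constraints = X509Extensions.FindExtension<X509BasicConstraintsExtension>(cert);
    Assert.NotNull(constraints);
    TestContext.Out.WriteLine(constraints.Format(true));
    Assert.True(constraints.Critical);
    Assert.True(constraints.CertificateAuthority);
    if (pathLengthConstraint < 0)
    {
        Assert.False(constraints.HasPathLengthConstraint);
    }
    else
    {
        Assert.True(constraints.HasPathLengthConstraint);
        Assert.AreEqual(pathLengthConstraint, constraints.PathLengthConstraint);
    }

    // Key usage: a CA key signs certificates and CRLs, nothing else.
    var keyUsage = X509Extensions.FindExtension<X509KeyUsageExtension>(cert);
    Assert.NotNull(keyUsage);
    TestContext.Out.WriteLine(keyUsage.Format(true));
    Assert.True(keyUsage.Critical);
    AssertKeyUsage(X509KeyUsageFlags.CrlSign, true);
    AssertKeyUsage(X509KeyUsageFlags.DataEncipherment, false);
    AssertKeyUsage(X509KeyUsageFlags.DecipherOnly, false);
    AssertKeyUsage(X509KeyUsageFlags.DigitalSignature, true);
    AssertKeyUsage(X509KeyUsageFlags.EncipherOnly, false);
    AssertKeyUsage(X509KeyUsageFlags.KeyAgreement, false);
    AssertKeyUsage(X509KeyUsageFlags.KeyCertSign, true);
    AssertKeyUsage(X509KeyUsageFlags.KeyEncipherment, false);
    AssertKeyUsage(X509KeyUsageFlags.NonRepudiation, false);

    // Enhanced key usage: must be absent on a CA certificate.
    X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension<X509EnhancedKeyUsageExtension>(cert);
    Assert.Null(enhancedKeyUsage);

    // Authority key identifier
    X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension<X509AuthorityKeyIdentifierExtension>(cert);
    Assert.NotNull(authority);
    TestContext.Out.WriteLine(authority.Format(true));
    Assert.NotNull(authority.SerialNumber);
    Assert.NotNull(authority.GetSerialNumber());
    Assert.NotNull(authority.KeyIdentifier);
    Assert.NotNull(authority.Issuer);
    Assert.NotNull(authority.ToString());
    Assert.AreEqual(authority.SerialNumber, Utils.ToHexString(authority.GetSerialNumber(), true));

    // Authority key identifier must reference the certificate's own subject key and serial.
    X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension<X509SubjectKeyIdentifierExtension>(cert);
    // Assert before dereferencing so a missing SKI is a test failure, not a NullReferenceException.
    Assert.NotNull(subjectKeyId);
    TestContext.Out.WriteLine(subjectKeyId.Format(true));
    Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
    Assert.AreEqual(cert.SerialNumber, authority.SerialNumber);
    Assert.AreEqual(cert.GetSerialNumber(), authority.GetSerialNumber());

    // Subject alternative name: not expected on a CA certificate.
    X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension<X509SubjectAltNameExtension>(cert);
    Assert.Null(subjectAlternateName);

    // Checks whether a single key usage bit is set or cleared, as expected.
    void AssertKeyUsage(X509KeyUsageFlags flag, bool expected)
    {
        bool isSet = (keyUsage.KeyUsages & flag) == flag;
        Assert.AreEqual(expected, isSet, $"Unexpected key usage state for {flag}");
    }
}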
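/// <summary>
/// Asserts that <paramref name="cert"/> is a valid application instance certificate for
/// <paramref name="testApp"/>: subject/issuer names, basic constraints, key usage, enhanced
/// key usage, authority/subject key identifiers and the subject alternative name.
/// </summary>
/// <param name="testApp">The application whose subject, domain names and URI are expected.</param>
/// <param name="cert">The certificate under test (public part only).</param>
/// <param name="issuerCert">
/// The CA certificate that signed <paramref name="cert"/>, or null when the certificate is
/// self-signed (it is then checked as its own issuer).
/// </param>
public static void VerifyApplicationCert(ApplicationTestData testApp, X509Certificate2 cert, X509Certificate2 issuerCert = null)
{
    bool signedCert = issuerCert != null;
    // From here on issuerCert is never null: a self-signed cert is its own issuer.
    issuerCert ??= cert;

    TestContext.Out.WriteLine($"{nameof(VerifyApplicationCert)}:");
    Assert.NotNull(cert);
    TestContext.Out.WriteLine(cert);
    Assert.False(cert.HasPrivateKey);
    Assert.True(X509Utils.CompareDistinguishedName(testApp.Subject, cert.Subject));
    Assert.True(X509Utils.CompareDistinguishedName(issuerCert.Subject, cert.Issuer));

    // Basic constraints
    X509BasicConstraintsExtension constraints = X509Extensions.FindExtension<X509BasicConstraintsExtension>(cert);
    Assert.NotNull(constraints);
    TestContext.Out.WriteLine(constraints.Format(true));
    Assert.True(constraints.Critical);
    if (signedCert)
    {
        Assert.False(constraints.CertificateAuthority);
        Assert.False(constraints.HasPathLengthConstraint);
    }
    else
    {
        // A self-signed application cert is marked as a CA that may sign nothing below itself.
        Assert.True(constraints.CertificateAuthority);
        Assert.True(constraints.HasPathLengthConstraint);
        Assert.AreEqual(0, constraints.PathLengthConstraint);
    }

    // Key usage: only a self-signed cert may carry KeyCertSign.
    X509KeyUsageExtension keyUsage = X509Extensions.FindExtension<X509KeyUsageExtension>(cert);
    Assert.NotNull(keyUsage);
    TestContext.Out.WriteLine(keyUsage.Format(true));
    Assert.True(keyUsage.Critical);
    AssertKeyUsage(X509KeyUsageFlags.CrlSign, false);
    AssertKeyUsage(X509KeyUsageFlags.DataEncipherment, true);
    AssertKeyUsage(X509KeyUsageFlags.DecipherOnly, false);
    AssertKeyUsage(X509KeyUsageFlags.DigitalSignature, true);
    AssertKeyUsage(X509KeyUsageFlags.EncipherOnly, false);
    AssertKeyUsage(X509KeyUsageFlags.KeyAgreement, false);
    AssertKeyUsage(X509KeyUsageFlags.KeyCertSign, !signedCert);
    AssertKeyUsage(X509KeyUsageFlags.KeyEncipherment, true);
    AssertKeyUsage(X509KeyUsageFlags.NonRepudiation, true);

    // Enhanced key usage
    X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension<X509EnhancedKeyUsageExtension>(cert);
    Assert.NotNull(enhancedKeyUsage);
    TestContext.Out.WriteLine(enhancedKeyUsage.Format(true));
    Assert.True(enhancedKeyUsage.Critical);

    // Authority key identifier must name the issuer.
    X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension<X509AuthorityKeyIdentifierExtension>(cert);
    Assert.NotNull(authority);
    TestContext.Out.WriteLine(authority.Format(true));
    Assert.NotNull(authority.SerialNumber);
    Assert.NotNull(authority.KeyIdentifier);
    Assert.NotNull(authority.Issuer);
    // The earlier version branched on 'issuerCert == null' here, which was unreachable after
    // the assignment above; both arms compared against issuerCert anyway.
    Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
    Assert.True(
        X509Utils.CompareDistinguishedName(issuerCert.SubjectName.Name, authority.Issuer.Name),
        $"{issuerCert.SubjectName.Name} != {authority.Issuer.Name}");

    // Authority key identifier must match the issuer's subject key identifier and serial.
    X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension<X509SubjectKeyIdentifierExtension>(cert);
    // Assert before dereferencing so a missing SKI is a test failure, not a NullReferenceException.
    Assert.NotNull(subjectKeyId);
    TestContext.Out.WriteLine(subjectKeyId.Format(true));
    if (signedCert)
    {
        var caCertSubjectKeyId = X509Extensions.FindExtension<X509SubjectKeyIdentifierExtension>(issuerCert);
        Assert.NotNull(caCertSubjectKeyId);
        Assert.AreEqual(caCertSubjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
    }
    else
    {
        Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
    }
    Assert.AreEqual(issuerCert.GetSerialNumber(), authority.GetSerialNumber());
    Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);

    // Subject alternative name: every configured domain and exactly one application URI.
    X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension<X509SubjectAltNameExtension>(cert);
    Assert.NotNull(subjectAlternateName);
    TestContext.Out.WriteLine(subjectAlternateName.Format(true));
    Assert.False(subjectAlternateName.Critical);
    var domainNames = X509Utils.GetDomainsFromCertficate(cert);
    foreach (var domainName in testApp.DomainNames)
    {
        Assert.True(
            domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase),
            $"Domain {domainName} not found in certificate");
    }
    Assert.AreEqual(1, subjectAlternateName.Uris.Count);
    var applicationUri = X509Utils.GetApplicationUriFromCertificate(cert);
    TestContext.Out.WriteLine("ApplicationUri: ");
    TestContext.Out.WriteLine(applicationUri);
    Assert.AreEqual(testApp.ApplicationUri, applicationUri);

    // Checks whether a single key usage bit is set or cleared, as expected.
    void AssertKeyUsage(X509KeyUsageFlags flag, bool expected)
    {
        bool isSet = (keyUsage.KeyUsages & flag) == flag;
        Assert.AreEqual(expected, isSet, $"Unexpected key usage state for {flag}");
    }
}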