private async Task GetAllApplications()
{
await Assert.ThrowsAsync <ArgumentNullException>(async() =>
{
await _applicationsDatabase.GetApplicationAsync(null);
});
await Assert.ThrowsAsync <ArgumentException>(async() =>
{
await _applicationsDatabase.GetApplicationAsync(Guid.Empty.ToString());
});
await Assert.ThrowsAsync <ArgumentException>(async() =>
{
await _applicationsDatabase.GetApplicationAsync("abc");
});
await Assert.ThrowsAsync <ResourceNotFoundException>(async() =>
{
await _applicationsDatabase.GetApplicationAsync(Guid.NewGuid().ToString());
});
Skip.If(!_fixture.RegistrationOk);
foreach (var application in _applicationTestSet)
{
var applicationModel = await _applicationsDatabase.GetApplicationAsync(application.Model.ApplicationId.ToString());
Assert.NotNull(applicationModel);
Assert.NotEqual(applicationModel.ApplicationId, Guid.Empty);
Assert.Equal(applicationModel.ApplicationId, applicationModel.ApplicationId);
ApplicationTestData.AssertEqualApplicationModelData(applicationModel, application.Model);
}
}
public async Task <X509CertificateCollection> KeyVaultSigningRequestAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
X509CertificateCollection certCollection = new X509CertificateCollection();
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
var certificateGroupConfiguration = await _keyVault.GetCertificateGroupConfiguration(group);
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
X509Certificate2 csrCertificate = CertificateFactory.CreateCertificate(
null, null, null,
randomApp.ApplicationRecord.ApplicationUri,
null,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
certificateGroupConfiguration.DefaultCertificateKeySize,
DateTime.UtcNow.AddDays(-10),
certificateGroupConfiguration.DefaultCertificateLifetime,
certificateGroupConfiguration.DefaultCertificateHashSize
);
byte[] certificateRequest = CertificateFactory.CreateSigningRequest(csrCertificate, randomApp.DomainNames);
X509Certificate2 newCert = await _keyVault.SigningRequestAsync(
group,
randomApp.ApplicationRecord.ApplicationUri,
certificateRequest);
// get issuer cert used for signing
X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group);
#if WRITECERT
// save cert for debugging
using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(CertificateStoreType.Directory))
{
Assert.NotNull(store);
store.Open("d:\\unittest");
await store.Add(newCert);
foreach (var cert in issuerCerts)
{
await store.Add(cert);
}
}
#endif
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Count >= 1);
X509TestUtils.VerifySignedApplicationCert(randomApp, newCert, issuerCerts);
certCollection.Add(newCert);
}
return(certCollection);
}
private async Task RegisterAllApplications()
{
foreach (var application in _applicationTestSet)
{
var applicationModel = await _applicationsDatabase.RegisterApplicationAsync(application.Model);
Assert.NotNull(applicationModel);
Assert.NotEqual(applicationModel.ApplicationId, Guid.Empty);
ApplicationTestData.AssertEqualApplicationModelData(applicationModel, application.Model);
application.Model = applicationModel;
Assert.NotNull(applicationModel);
}
_fixture.RegistrationOk = true;
}
private async Task RegisterAllApplicationsThrow()
{
await Assert.ThrowsAsync <ArgumentNullException>(async() =>
{
await _applicationsDatabase.RegisterApplicationAsync(null);
});
await Assert.ThrowsAsync <ResourceNotFoundException>(async() =>
{
var testModelCopy = ApplicationTestData.ApplicationDeepCopy(_applicationTestSet[0].Model);
testModelCopy.ApplicationId = Guid.NewGuid();
await _applicationsDatabase.RegisterApplicationAsync(testModelCopy);
});
}
private async Task UnregisteredGetAllApplicationsNot()
{
Skip.If(!_fixture.RegistrationOk);
foreach (var application in _applicationTestSet)
{
var applicationModel = await _applicationsDatabase.GetApplicationAsync(application.Model.ApplicationId.ToString());
Assert.NotNull(applicationModel);
Assert.NotEqual(applicationModel.ApplicationId, Guid.Empty);
Assert.Equal(applicationModel.ApplicationId, applicationModel.ApplicationId);
Assert.Equal(ApplicationState.Unregistered, applicationModel.ApplicationState);
Assert.NotNull(applicationModel.DeleteTime);
ApplicationTestData.AssertEqualApplicationModelData(applicationModel, application.Model);
}
}
public async Task <X509CertificateCollection> KeyVaultNewKeyPairRequestAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
X509CertificateCollection certCollection = new X509CertificateCollection();
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
Guid requestId = Guid.NewGuid();
Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = await _keyVault.NewKeyPairRequestAsync(
group,
requestId.ToString(),
randomApp.ApplicationRecord.ApplicationUri,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
randomApp.PrivateKeyFormat,
randomApp.PrivateKeyPassword);
Assert.NotNull(newKeyPair);
Assert.False(newKeyPair.Certificate.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newKeyPair.Certificate.Issuer, newKeyPair.Certificate.Subject));
X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Count >= 1);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate,
newKeyPair.PrivateKey,
randomApp.PrivateKeyPassword,
randomApp.PrivateKeyFormat,
issuerCerts
);
certCollection.Add(newKeyPair.Certificate);
// disable and delete private key from KeyVault (requires set/delete rights)
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
}
return(certCollection);
}
public async Task KeyVaultNewKeyPairAndRevokeCertificateAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
Guid requestId = Guid.NewGuid();
Opc.Ua.Gds.Server.X509Certificate2KeyPair newCert = await _keyVault.NewKeyPairRequestAsync(
group,
requestId.ToString(),
randomApp.ApplicationRecord.ApplicationUri,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
randomApp.PrivateKeyFormat,
randomApp.PrivateKeyPassword
);
Assert.NotNull(newCert);
Assert.False(newCert.Certificate.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newCert.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newCert.Certificate.Issuer, newCert.Certificate.Subject));
X509Certificate2 cert = new X509Certificate2(newCert.Certificate.RawData);
X509CRL crl = await _keyVault.RevokeCertificateAsync(group, cert);
Assert.NotNull(crl);
X509Certificate2Collection caChain = await _keyVault.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(caChain);
X509Certificate2 caCert = caChain[0];
Assert.False(caCert.HasPrivateKey);
crl.VerifySignature(caCert, true);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(crl.Issuer, caCert.Issuer));
// disable and delete private key from KeyVault (requires set/delete rights)
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
}
}
public ApplicationTestData RandomApplicationTestData()
{
Opc.Ua.ApplicationType appType = (Opc.Ua.ApplicationType)_randomSource.NextInt32((int)Opc.Ua.ApplicationType.ClientAndServer);
string pureAppName = _dataGenerator.GetRandomString("en");
pureAppName = Regex.Replace(pureAppName, @"[^\w\d\s]", "");
string pureAppUri = Regex.Replace(pureAppName, @"[^\w\d]", "");
string appName = "UA " + pureAppName;
StringCollection domainNames = RandomDomainNames();
string localhost = domainNames[0];
string privateKeyFormat = _randomSource.NextInt32(1) == 0 ? "PEM" : "PFX";
string appUri = ("urn:localhost:opcfoundation.org:" + pureAppUri.ToLower()).Replace("localhost", localhost);
string prodUri = "http://opcfoundation.org/UA/" + pureAppUri;
StringCollection discoveryUrls = new StringCollection();
StringCollection serverCapabilities = new StringCollection();
switch (appType)
{
case Opc.Ua.ApplicationType.Client:
appName += " Client";
break;
case Opc.Ua.ApplicationType.ClientAndServer:
appName += " Client and";
goto case Opc.Ua.ApplicationType.Server;
case Opc.Ua.ApplicationType.Server:
appName += " Server";
int port = (_dataGenerator.GetRandomInt16() & 0x1fff) + 50000;
discoveryUrls = RandomDiscoveryUrl(domainNames, port, pureAppUri);
serverCapabilities = RandomServerCapabilities();
break;
}
ApplicationTestData testData = new ApplicationTestData
{
Model = new Application
{
ApplicationUri = appUri,
ApplicationName = appName,
ApplicationType = (Types.ApplicationType)appType,
ProductUri = prodUri,
ServerCapabilities = ApplicationTestData.ServerCapabilities(serverCapabilities.ToArray()),
ApplicationNames = new ApplicationName[] { new ApplicationName {
Locale = "en-us", Text = appName
} },
DiscoveryUrls = discoveryUrls.ToArray()
},
ApplicationRecord = new ApplicationRecordDataType
{
ApplicationNames = new LocalizedTextCollection {
new LocalizedText("en-us", appName)
},
ApplicationUri = appUri,
ApplicationType = appType,
ProductUri = prodUri,
DiscoveryUrls = discoveryUrls,
ServerCapabilities = serverCapabilities
},
DomainNames = domainNames,
Subject = string.Format("CN={0},DC={1},O=OPC Foundation", appName, localhost),
PrivateKeyFormat = privateKeyFormat,
RequestIds = new List <string>()
};
return(testData);
}
public async Task KeyVaultNewKeyPairLoadThenDeletePrivateKeyAsync()
{
Skip.If(!_fixture.KeyVaultInitOk);
string[] groups = await _keyVault.GetCertificateGroupIds();
foreach (string group in groups)
{
ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData();
Guid requestId = Guid.NewGuid();
Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = await _keyVault.NewKeyPairRequestAsync(
group,
requestId.ToString(),
randomApp.ApplicationRecord.ApplicationUri,
randomApp.Subject,
randomApp.DomainNames.ToArray(),
randomApp.PrivateKeyFormat,
randomApp.PrivateKeyPassword
);
Assert.NotNull(newKeyPair);
Assert.False(newKeyPair.Certificate.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newKeyPair.Certificate.Issuer, newKeyPair.Certificate.Subject));
X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group);
Assert.NotNull(issuerCerts);
Assert.True(issuerCerts.Count >= 1);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate,
newKeyPair.PrivateKey,
randomApp.PrivateKeyPassword,
randomApp.PrivateKeyFormat,
issuerCerts
);
// test to load the key from KeyVault
var privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat);
X509Certificate2 privateKeyX509;
if (randomApp.PrivateKeyFormat == "PFX")
{
privateKeyX509 = CertificateFactory.CreateCertificateFromPKCS12(privateKey, randomApp.PrivateKeyPassword);
}
else
{
privateKeyX509 = CertificateFactory.CreateCertificateWithPEMPrivateKey(newKeyPair.Certificate, privateKey, randomApp.PrivateKeyPassword);
}
Assert.True(privateKeyX509.HasPrivateKey);
X509TestUtils.VerifyApplicationCertIntegrity(
newKeyPair.Certificate,
privateKey,
randomApp.PrivateKeyPassword,
randomApp.PrivateKeyFormat,
issuerCerts
);
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await Assert.ThrowsAsync <KeyVaultErrorException>(async() =>
{
privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat);
});
await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString());
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
await Assert.ThrowsAsync <KeyVaultErrorException>(async() =>
{
await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString());
});
await Assert.ThrowsAsync <KeyVaultErrorException>(async() =>
{
privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat);
});
}
}
private async Task ApproveAllApplications()
{
await Assert.ThrowsAsync <ArgumentNullException>(async() =>
{
await _applicationsDatabase.ApproveApplicationAsync(null, false, false);
});
await Assert.ThrowsAsync <ArgumentException>(async() =>
{
await _applicationsDatabase.ApproveApplicationAsync(Guid.Empty.ToString(), false, false);
});
Skip.If(!_fixture.RegistrationOk);
int fullPasses = 0;
foreach (var application in _applicationTestSet)
{
// read model to get state
var applicationModel = await _applicationsDatabase.GetApplicationAsync(application.Model.ApplicationId.ToString());
if (applicationModel.ApplicationState == ApplicationState.New)
{
// approve app
applicationModel = await _applicationsDatabase.ApproveApplicationAsync(application.Model.ApplicationId.ToString(), true, false);
Assert.NotNull(applicationModel);
Assert.Equal(ApplicationState.Approved, applicationModel.ApplicationState);
}
// verify start condition
if (applicationModel.ApplicationState != ApplicationState.Approved)
{
continue;
}
// reject approved app should fail
await Assert.ThrowsAsync <ResourceInvalidStateException>(async() =>
{
await _applicationsDatabase.ApproveApplicationAsync(application.Model.ApplicationId.ToString(), false, false);
});
// force approved app to rejected state
applicationModel = await _applicationsDatabase.ApproveApplicationAsync(application.Model.ApplicationId.ToString(), false, true);
Assert.NotNull(applicationModel);
Assert.NotEqual(applicationModel.ApplicationId, Guid.Empty);
Assert.Equal(ApplicationState.Rejected, applicationModel.ApplicationState);
ApplicationTestData.AssertEqualApplicationModelData(applicationModel, application.Model);
// approve rejected app should fail
await Assert.ThrowsAsync <ResourceInvalidStateException>(async() =>
{
await _applicationsDatabase.ApproveApplicationAsync(application.Model.ApplicationId.ToString(), true, false);
});
// force approve of rejected app
applicationModel = await _applicationsDatabase.ApproveApplicationAsync(application.Model.ApplicationId.ToString(), true, true);
Assert.NotNull(applicationModel);
Assert.NotEqual(applicationModel.ApplicationId, Guid.Empty);
Assert.Equal(ApplicationState.Approved, applicationModel.ApplicationState);
ApplicationTestData.AssertEqualApplicationModelData(applicationModel, application.Model);
fullPasses++;
}
// not enough test passes to verify
Skip.If(fullPasses < _applicationTestSet.Count / 2);
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp, X509Certificate2 signedCert, X509Certificate2Collection issuerCerts)
{
X509Certificate2 issuerCert = issuerCerts[0];
Assert.NotNull(signedCert);
Assert.False(signedCert.HasPrivateKey);
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(Opc.Ua.Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(Opc.Ua.Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
// test basic constraints
var constraints = FindBasicConstraintsExtension(signedCert);
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
var keyUsage = FindKeyUsageExtension(signedCert);
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
var enhancedKeyUsage = FindEnhancedKeyUsageExtension(signedCert);
Assert.NotNull(enhancedKeyUsage);
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(signedCert);
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = FindSubjectKeyIdentifierExtension(issuerCert);
Assert.Equal(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.Equal(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = FindSubjectAltName(signedCert);
Assert.NotNull(subjectAlternateName);
Assert.False(subjectAlternateName.Critical);
var domainNames = Opc.Ua.Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.Contains(domainName, domainNames, StringComparer.OrdinalIgnoreCase);
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = Opc.Ua.Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
CertificateIdentifierCollection issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var cert in issuerCerts)
{
issuerCertIdCollection.Add(new CertificateIdentifier(cert));
}
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateTrustList trustedStore = new CertificateTrustList();
trustedStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(trustedStore, issuerStore, null);
Assert.Throws <Opc.Ua.ServiceResultException>(() =>
{
certValidator.Validate(signedCert);
});
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(signedCert);
}
