public async Task KeyVaultCreateCACertificateAsync() { Skip.If(!_fixture.KeyVaultInitOk); string[] groups = await _keyVault.GetCertificateGroupIds(); foreach (string group in groups) { X509Certificate2 result = await _keyVault.CreateIssuerCACertificateAsync(group); Assert.NotNull(result); Assert.False(result.HasPrivateKey); Assert.True(Opc.Ua.Utils.CompareDistinguishedName(result.Issuer, result.Subject)); X509BasicConstraintsExtension basicConstraints = X509TestUtils.FindBasicConstraintsExtension(result); Assert.NotNull(basicConstraints); Assert.True(basicConstraints.CertificateAuthority); Assert.True(basicConstraints.Critical); var subjectKeyId = result.Extensions.OfType <X509SubjectKeyIdentifierExtension>().Single(); Assert.False(subjectKeyId.Critical); var authorityKeyIdentifier = X509TestUtils.FindAuthorityKeyIdentifier(result); Assert.NotNull(authorityKeyIdentifier); Assert.False(authorityKeyIdentifier.Critical); Assert.Equal(authorityKeyIdentifier.SerialNumber, result.SerialNumber, ignoreCase: true); Assert.Equal(authorityKeyIdentifier.KeyId, subjectKeyId.SubjectKeyIdentifier, ignoreCase: true); } }
public async Task <X509CertificateCollection> KeyVaultSigningRequestAsync() { Skip.If(!_fixture.KeyVaultInitOk); X509CertificateCollection certCollection = new X509CertificateCollection(); string[] groups = await _keyVault.GetCertificateGroupIds(); foreach (string group in groups) { var certificateGroupConfiguration = await _keyVault.GetCertificateGroupConfiguration(group); ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData(); X509Certificate2 csrCertificate = CertificateFactory.CreateCertificate( null, null, null, randomApp.ApplicationRecord.ApplicationUri, null, randomApp.Subject, randomApp.DomainNames.ToArray(), certificateGroupConfiguration.DefaultCertificateKeySize, DateTime.UtcNow.AddDays(-10), certificateGroupConfiguration.DefaultCertificateLifetime, certificateGroupConfiguration.DefaultCertificateHashSize ); byte[] certificateRequest = CertificateFactory.CreateSigningRequest(csrCertificate, randomApp.DomainNames); X509Certificate2 newCert = await _keyVault.SigningRequestAsync( group, randomApp.ApplicationRecord.ApplicationUri, certificateRequest); // get issuer cert used for signing X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group); #if WRITECERT // save cert for debugging using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(CertificateStoreType.Directory)) { Assert.NotNull(store); store.Open("d:\\unittest"); await store.Add(newCert); foreach (var cert in issuerCerts) { await store.Add(cert); } } #endif Assert.NotNull(issuerCerts); Assert.True(issuerCerts.Count >= 1); X509TestUtils.VerifySignedApplicationCert(randomApp, newCert, issuerCerts); certCollection.Add(newCert); } return(certCollection); }
public async Task <X509CertificateCollection> KeyVaultNewKeyPairRequestAsync() { Skip.If(!_fixture.KeyVaultInitOk); X509CertificateCollection certCollection = new X509CertificateCollection(); string[] groups = await _keyVault.GetCertificateGroupIds(); foreach (string group in groups) { ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData(); Guid requestId = Guid.NewGuid(); Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = await _keyVault.NewKeyPairRequestAsync( group, requestId.ToString(), randomApp.ApplicationRecord.ApplicationUri, randomApp.Subject, randomApp.DomainNames.ToArray(), randomApp.PrivateKeyFormat, randomApp.PrivateKeyPassword); Assert.NotNull(newKeyPair); Assert.False(newKeyPair.Certificate.HasPrivateKey); Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject)); Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newKeyPair.Certificate.Issuer, newKeyPair.Certificate.Subject)); X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group); Assert.NotNull(issuerCerts); Assert.True(issuerCerts.Count >= 1); X509TestUtils.VerifyApplicationCertIntegrity( newKeyPair.Certificate, newKeyPair.PrivateKey, randomApp.PrivateKeyPassword, randomApp.PrivateKeyFormat, issuerCerts ); certCollection.Add(newKeyPair.Certificate); // disable and delete private key from KeyVault (requires set/delete rights) await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString()); await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString()); } return(certCollection); }
public async Task GetTrustListAsync() { Skip.If(!_fixture.KeyVaultInitOk); string[] groups = await _keyVault.GetCertificateGroupIds(); foreach (string group in groups) { var trustList = await _keyVault.GetTrustListAsync(group, null, 2); string nextPageLink = trustList.NextPageLink; while (nextPageLink != null) { var nextTrustList = await _keyVault.GetTrustListAsync(group, nextPageLink, 2); trustList.AddRange(nextTrustList); nextPageLink = nextTrustList.NextPageLink; } var validator = X509TestUtils.CreateValidatorAsync(trustList); } }
public async Task CreateCAAndAppCertificatesThenRevokeAll() { Skip.If(!_fixture.KeyVaultInitOk); X509Certificate2Collection certCollection = new X509Certificate2Collection(); for (int i = 0; i < 3; i++) { await KeyVaultCreateCACertificateAsync(); for (int v = 0; v < 10; v++) { certCollection.AddRange(await KeyVaultSigningRequestAsync()); certCollection.AddRange(await KeyVaultNewKeyPairRequestAsync()); } } string[] groups = await _keyVault.GetCertificateGroupIds(); // validate all certificates foreach (string group in groups) { var trustList = await _keyVault.GetTrustListAsync(group); string nextPageLink = trustList.NextPageLink; while (nextPageLink != null) { var nextTrustList = await _keyVault.GetTrustListAsync(group, nextPageLink); trustList.AddRange(nextTrustList); nextPageLink = nextTrustList.NextPageLink; } var validator = await X509TestUtils.CreateValidatorAsync(trustList); foreach (var cert in certCollection) { validator.Validate(cert); } } // now revoke all certifcates var revokeCertificates = new X509Certificate2Collection(certCollection); foreach (string group in groups) { var unrevokedCertificates = await _keyVault.RevokeCertificatesAsync(group, revokeCertificates); Assert.True(unrevokedCertificates.Count <= revokeCertificates.Count); revokeCertificates = unrevokedCertificates; } Assert.Empty(revokeCertificates); // reload updated trust list from KeyVault var trustListAllGroups = new KeyVaultTrustListModel("all"); foreach (string group in groups) { var trustList = await _keyVault.GetTrustListAsync(group); string nextPageLink = trustList.NextPageLink; while (nextPageLink != null) { var nextTrustList = await _keyVault.GetTrustListAsync(group, nextPageLink); trustList.AddRange(nextTrustList); nextPageLink = nextTrustList.NextPageLink; } trustListAllGroups.AddRange(trustList); } // verify certificates are revoked { var validator = await X509TestUtils.CreateValidatorAsync(trustListAllGroups); foreach (var cert in certCollection) { Assert.Throws <Opc.Ua.ServiceResultException>(() => { validator.Validate(cert); }); } } }
public async Task KeyVaultNewKeyPairLoadThenDeletePrivateKeyAsync() { Skip.If(!_fixture.KeyVaultInitOk); string[] groups = await _keyVault.GetCertificateGroupIds(); foreach (string group in groups) { ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData(); Guid requestId = Guid.NewGuid(); Opc.Ua.Gds.Server.X509Certificate2KeyPair newKeyPair = await _keyVault.NewKeyPairRequestAsync( group, requestId.ToString(), randomApp.ApplicationRecord.ApplicationUri, randomApp.Subject, randomApp.DomainNames.ToArray(), randomApp.PrivateKeyFormat, randomApp.PrivateKeyPassword ); Assert.NotNull(newKeyPair); Assert.False(newKeyPair.Certificate.HasPrivateKey); Assert.True(Opc.Ua.Utils.CompareDistinguishedName(randomApp.Subject, newKeyPair.Certificate.Subject)); Assert.False(Opc.Ua.Utils.CompareDistinguishedName(newKeyPair.Certificate.Issuer, newKeyPair.Certificate.Subject)); X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group); Assert.NotNull(issuerCerts); Assert.True(issuerCerts.Count >= 1); X509TestUtils.VerifyApplicationCertIntegrity( newKeyPair.Certificate, newKeyPair.PrivateKey, randomApp.PrivateKeyPassword, randomApp.PrivateKeyFormat, issuerCerts ); // test to load the key from KeyVault var privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat); X509Certificate2 privateKeyX509; if (randomApp.PrivateKeyFormat == "PFX") { privateKeyX509 = CertificateFactory.CreateCertificateFromPKCS12(privateKey, randomApp.PrivateKeyPassword); } else { privateKeyX509 = CertificateFactory.CreateCertificateWithPEMPrivateKey(newKeyPair.Certificate, privateKey, randomApp.PrivateKeyPassword); } Assert.True(privateKeyX509.HasPrivateKey); X509TestUtils.VerifyApplicationCertIntegrity( newKeyPair.Certificate, privateKey, randomApp.PrivateKeyPassword, randomApp.PrivateKeyFormat, issuerCerts ); await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString()); await Assert.ThrowsAsync <KeyVaultErrorException>(async() => { privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat); }); await _keyVault.AcceptPrivateKeyAsync(group, requestId.ToString()); await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString()); await Assert.ThrowsAsync <KeyVaultErrorException>(async() => { await _keyVault.DeletePrivateKeyAsync(group, requestId.ToString()); }); await Assert.ThrowsAsync <KeyVaultErrorException>(async() => { privateKey = await _keyVault.LoadPrivateKeyAsync(group, requestId.ToString(), randomApp.PrivateKeyFormat); }); } }