public static void BuildEmpty() { Assert.Throws <ArgumentException>( "uris", () => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension( System.Linq.Enumerable.Empty <string>())); }
public static void OnlyAscii7Permitted() { Assert.Throws <CryptographicException>( () => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension( new[] { // http://[nihongo].example/ca4.crl "http://\u65E5\u672C\u8A8E.example/ca4.crl", })); }
public static void UriNotValidated() { X509Extension ext = CertificateRevocationListBuilder.BuildCrlDistributionPointExtension( new[] { "!!!!", }); Assert.Equal("300C300AA008A006860421212121", ext.RawData.ByteArrayToHex()); }
public static void NullUriInEnumerable() { Assert.Throws <ArgumentException>( "uris", () => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension( new[] { "http://cert.example/ca1.crl", null, "http://cdn.cert.example/ca1.crl", })); }
public static void BuildOneEntry() { X509Extension ext = CertificateRevocationListBuilder.BuildCrlDistributionPointExtension( new[] { "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl", }); Assert.False(ext.Critical, "ext.Critical"); Assert.Equal("2.5.29.31", ext.Oid.Value); byte[] expected = ( "304d304ba049a0478645687474703a2f2f63726c2e6d6963726f736f" + "66742e636f6d2f706b692f63726c2f70726f64756374732f4d696343" + "6f645369675043415f30382d33312d323031302e63726c").HexToByteArray(); AssertExtensions.SequenceEqual(expected, ext.RawData); }
public static void BuildTwoEntries() { // Recreate the encoding of the CDP extension from https://crt.sh/?id=3777044 // (the original wasn't marked as critical, but that doesn't affect the RawData value) X509Extension ext = CertificateRevocationListBuilder.BuildCrlDistributionPointExtension( new[] { "http://crl3.digicert.com/sha2-ev-server-g1.crl", "http://crl4.digicert.com/sha2-ev-server-g1.crl", }, critical: true); Assert.True(ext.Critical, "ext.Critical"); Assert.Equal("2.5.29.31", ext.Oid.Value); byte[] expected = ( "306C3034A032A030862E687474703A2F2F63726C332E64696769636572742E63" + "6F6D2F736861322D65762D7365727665722D67312E63726C3034A032A030862E" + "687474703A2F2F63726C342E64696769636572742E636F6D2F736861322D6576" + "2D7365727665722D67312E63726C").HexToByteArray(); AssertExtensions.SequenceEqual(expected, ext.RawData); }
public static void NullEnumerable() { Assert.Throws <ArgumentNullException>( "uris", () => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(null)); }
public void TestCertsCreate(string[] args) { // Initialize the names. var rootDomain = "hsgincubator.com"; var redmondDomain = $"redmond.{rootDomain}"; var nhindDomain = $"nhind.{rootDomain}"; var testEmailAddress = $"test@{nhindDomain}"; var testDomain = testEmailAddress.Replace('@', '.'); string path = args.GetOptionalValue(0, Path.Combine(Directory.GetCurrentDirectory(), "Certificates")); if (!Directory.Exists(path)) { Directory.CreateDirectory(path); } // Create a self-signed certificate authority. var rootCaBuilder = new CertificateBuilder(1) { SubjectDN = new X509Name($"CN={rootDomain}") }; rootCaBuilder.SetSubjectAlternativeNameToDomain(rootDomain); var rootCa = rootCaBuilder.Generate(); File.WriteAllBytes(Path.Combine(path, $"{rootDomain}.pfx"), rootCa.Export(X509ContentType.Pfx)); File.WriteAllBytes(Path.Combine(path, $"{rootDomain}.cer"), rootCa.Export(X509ContentType.Cert)); // Create valid organizational certificate. var redmondValidCertBuilder = new CertificateBuilder(rootCa) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"), CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"), SubjectDN = new X509Name($"CN={redmondDomain}") }; redmondValidCertBuilder.SetSubjectAlternativeNameToDomain(redmondDomain); var redmondValidCert = redmondValidCertBuilder.Generate(); File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-valid.pfx"), redmondValidCert.Export(X509ContentType.Pfx)); File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-valid.cer"), redmondValidCert.Export(X509ContentType.Cert)); // Create revoked organizational certificate. var redmondRevokedCertBuilder = new CertificateBuilder(rootCa) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"), CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"), SubjectDN = new X509Name($"CN={redmondDomain}") }; redmondRevokedCertBuilder.SetSubjectAlternativeNameToDomain(redmondDomain); var redmondRevokedCert = redmondRevokedCertBuilder.Generate(); File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-revoked.pfx"), redmondRevokedCert.Export(X509ContentType.Pfx)); File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-revoked.cer"), redmondRevokedCert.Export(X509ContentType.Cert)); // Create a certificate revocation list. var rootCrlBuilder = new CertificateRevocationListBuilder(rootCa, 1) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer") }; rootCrlBuilder.AddRevokedCertificate(redmondRevokedCert); var rootCrl = rootCrlBuilder.Generate(); var rootCrlBytes = rootCrl.GetEncoded(); File.WriteAllBytes(Path.Combine(path, $"{rootDomain}.crl"), rootCrlBytes); // Intermediate certificate authority. var nhindCaBuilder = new CertificateBuilder(rootCa, 0) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"), CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"), SubjectDN = new X509Name($"CN={nhindDomain}") }; nhindCaBuilder.SetSubjectAlternativeNameToDomain(nhindDomain); var nhindCa = nhindCaBuilder.Generate(); File.WriteAllBytes(Path.Combine(path, $"{nhindDomain}.pfx"), nhindCa.Export(X509ContentType.Pfx)); File.WriteAllBytes(Path.Combine(path, $"{nhindDomain}.cer"), nhindCa.Export(X509ContentType.Cert)); // Create valid address-bound certificate. var testValidCertBuilder = new CertificateBuilder(nhindCa) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"), CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"), SubjectDN = new X509Name($"CN={testEmailAddress}") }; testValidCertBuilder.SetSubjectAlternativeNameToEmail(testEmailAddress); var testValidCert = testValidCertBuilder.Generate(); File.WriteAllBytes(Path.Combine(path, $"{testDomain}-valid.pfx"), testValidCert.Export(X509ContentType.Pfx)); File.WriteAllBytes(Path.Combine(path, $"{testDomain}-valid.cer"), testValidCert.Export(X509ContentType.Cert)); // Create revoked address-bound certificate. var testRevokedCertBuilder = new CertificateBuilder(nhindCa) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"), CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"), SubjectDN = new X509Name($"CN={testEmailAddress}") }; testRevokedCertBuilder.SetSubjectAlternativeNameToEmail(testEmailAddress); var testRevokedCert = testRevokedCertBuilder.Generate(); File.WriteAllBytes(Path.Combine(path, $"{testDomain}-revoked.pfx"), testRevokedCert.Export(X509ContentType.Pfx)); File.WriteAllBytes(Path.Combine(path, $"{testDomain}-revoked.cer"), testRevokedCert.Export(X509ContentType.Cert)); // Create a certificate revocation list. var nhindCrlBuilder = new CertificateRevocationListBuilder(nhindCa, 1) { AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{nhindDomain}.cer") }; nhindCrlBuilder.AddRevokedCertificate(redmondRevokedCert); var nhindCrl = nhindCrlBuilder.Generate(); var nhindCrlBytes = nhindCrl.GetEncoded(); File.WriteAllBytes(Path.Combine(path, $"{nhindDomain}.crl"), nhindCrlBytes); }