public static void BuildEmpty()
{
Assert.Throws <ArgumentException>(
"uris",
() => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
System.Linq.Enumerable.Empty <string>()));
}
public static void OnlyAscii7Permitted()
{
Assert.Throws <CryptographicException>(
() => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
new[]
{
// http://[nihongo].example/ca4.crl
"http://\u65E5\u672C\u8A8E.example/ca4.crl",
}));
}
public static void UriNotValidated()
{
X509Extension ext = CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
new[]
{
"!!!!",
});
Assert.Equal("300C300AA008A006860421212121", ext.RawData.ByteArrayToHex());
}
public static void NullUriInEnumerable()
{
Assert.Throws <ArgumentException>(
"uris",
() => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
new[]
{
"http://cert.example/ca1.crl",
null,
"http://cdn.cert.example/ca1.crl",
}));
}
public static void BuildOneEntry()
{
X509Extension ext = CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
new[]
{
"http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
});
Assert.False(ext.Critical, "ext.Critical");
Assert.Equal("2.5.29.31", ext.Oid.Value);
byte[] expected = (
"304d304ba049a0478645687474703a2f2f63726c2e6d6963726f736f" +
"66742e636f6d2f706b692f63726c2f70726f64756374732f4d696343" +
"6f645369675043415f30382d33312d323031302e63726c").HexToByteArray();
AssertExtensions.SequenceEqual(expected, ext.RawData);
}
public static void BuildTwoEntries()
{
// Recreate the encoding of the CDP extension from https://crt.sh/?id=3777044
// (the original wasn't marked as critical, but that doesn't affect the RawData value)
X509Extension ext = CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
new[]
{
"http://crl3.digicert.com/sha2-ev-server-g1.crl",
"http://crl4.digicert.com/sha2-ev-server-g1.crl",
},
critical: true);
Assert.True(ext.Critical, "ext.Critical");
Assert.Equal("2.5.29.31", ext.Oid.Value);
byte[] expected = (
"306C3034A032A030862E687474703A2F2F63726C332E64696769636572742E63" +
"6F6D2F736861322D65762D7365727665722D67312E63726C3034A032A030862E" +
"687474703A2F2F63726C342E64696769636572742E636F6D2F736861322D6576" +
"2D7365727665722D67312E63726C").HexToByteArray();
AssertExtensions.SequenceEqual(expected, ext.RawData);
}
public static void NullEnumerable()
{
Assert.Throws <ArgumentNullException>(
"uris",
() => CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(null));
}
public void TestCertsCreate(string[] args)
{
// Initialize the names.
var rootDomain = "hsgincubator.com";
var redmondDomain = $"redmond.{rootDomain}";
var nhindDomain = $"nhind.{rootDomain}";
var testEmailAddress = $"test@{nhindDomain}";
var testDomain = testEmailAddress.Replace('@', '.');
string path = args.GetOptionalValue(0, Path.Combine(Directory.GetCurrentDirectory(), "Certificates"));
if (!Directory.Exists(path))
{
Directory.CreateDirectory(path);
}
// Create a self-signed certificate authority.
var rootCaBuilder = new CertificateBuilder(1)
{
SubjectDN = new X509Name($"CN={rootDomain}")
};
rootCaBuilder.SetSubjectAlternativeNameToDomain(rootDomain);
var rootCa = rootCaBuilder.Generate();
File.WriteAllBytes(Path.Combine(path, $"{rootDomain}.pfx"), rootCa.Export(X509ContentType.Pfx));
File.WriteAllBytes(Path.Combine(path, $"{rootDomain}.cer"), rootCa.Export(X509ContentType.Cert));
// Create valid organizational certificate.
var redmondValidCertBuilder = new CertificateBuilder(rootCa)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"),
CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"),
SubjectDN = new X509Name($"CN={redmondDomain}")
};
redmondValidCertBuilder.SetSubjectAlternativeNameToDomain(redmondDomain);
var redmondValidCert = redmondValidCertBuilder.Generate();
File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-valid.pfx"), redmondValidCert.Export(X509ContentType.Pfx));
File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-valid.cer"), redmondValidCert.Export(X509ContentType.Cert));
// Create revoked organizational certificate.
var redmondRevokedCertBuilder = new CertificateBuilder(rootCa)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"),
CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"),
SubjectDN = new X509Name($"CN={redmondDomain}")
};
redmondRevokedCertBuilder.SetSubjectAlternativeNameToDomain(redmondDomain);
var redmondRevokedCert = redmondRevokedCertBuilder.Generate();
File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-revoked.pfx"), redmondRevokedCert.Export(X509ContentType.Pfx));
File.WriteAllBytes(Path.Combine(path, $"{redmondDomain}-revoked.cer"), redmondRevokedCert.Export(X509ContentType.Cert));
// Create a certificate revocation list.
var rootCrlBuilder = new CertificateRevocationListBuilder(rootCa, 1)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer")
};
rootCrlBuilder.AddRevokedCertificate(redmondRevokedCert);
var rootCrl = rootCrlBuilder.Generate();
var rootCrlBytes = rootCrl.GetEncoded();
File.WriteAllBytes(Path.Combine(path, $"{rootDomain}.crl"), rootCrlBytes);
// Intermediate certificate authority.
var nhindCaBuilder = new CertificateBuilder(rootCa, 0)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"),
CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"),
SubjectDN = new X509Name($"CN={nhindDomain}")
};
nhindCaBuilder.SetSubjectAlternativeNameToDomain(nhindDomain);
var nhindCa = nhindCaBuilder.Generate();
File.WriteAllBytes(Path.Combine(path, $"{nhindDomain}.pfx"), nhindCa.Export(X509ContentType.Pfx));
File.WriteAllBytes(Path.Combine(path, $"{nhindDomain}.cer"), nhindCa.Export(X509ContentType.Cert));
// Create valid address-bound certificate.
var testValidCertBuilder = new CertificateBuilder(nhindCa)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"),
CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"),
SubjectDN = new X509Name($"CN={testEmailAddress}")
};
testValidCertBuilder.SetSubjectAlternativeNameToEmail(testEmailAddress);
var testValidCert = testValidCertBuilder.Generate();
File.WriteAllBytes(Path.Combine(path, $"{testDomain}-valid.pfx"), testValidCert.Export(X509ContentType.Pfx));
File.WriteAllBytes(Path.Combine(path, $"{testDomain}-valid.cer"), testValidCert.Export(X509ContentType.Cert));
// Create revoked address-bound certificate.
var testRevokedCertBuilder = new CertificateBuilder(nhindCa)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.cer"),
CrlDistributionPointUri = new Uri($"http://{rootDomain}/pki/{rootDomain}.crl"),
SubjectDN = new X509Name($"CN={testEmailAddress}")
};
testRevokedCertBuilder.SetSubjectAlternativeNameToEmail(testEmailAddress);
var testRevokedCert = testRevokedCertBuilder.Generate();
File.WriteAllBytes(Path.Combine(path, $"{testDomain}-revoked.pfx"), testRevokedCert.Export(X509ContentType.Pfx));
File.WriteAllBytes(Path.Combine(path, $"{testDomain}-revoked.cer"), testRevokedCert.Export(X509ContentType.Cert));
// Create a certificate revocation list.
var nhindCrlBuilder = new CertificateRevocationListBuilder(nhindCa, 1)
{
AuthorityInformationAccessUri = new Uri($"http://{rootDomain}/pki/{nhindDomain}.cer")
};
nhindCrlBuilder.AddRevokedCertificate(redmondRevokedCert);
var nhindCrl = nhindCrlBuilder.Generate();
var nhindCrlBytes = nhindCrl.GetEncoded();
File.WriteAllBytes(Path.Combine(path, $"{nhindDomain}.crl"), nhindCrlBytes);
}
