public static void CreateIssuerAndSerialFromCertificate() { X509AuthorityKeyIdentifierExtension akid; X500DistinguishedName issuerName; ReadOnlyMemory <byte> serial; using (X509Certificate2 cert = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes)) { issuerName = cert.IssuerName; serial = cert.SerialNumberBytes; akid = X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: false, includeIssuerAndSerial: true); } Assert.False(akid.Critical, "akid.Critical"); Assert.NotNull(akid.NamedIssuer); AssertExtensions.SequenceEqual(issuerName.RawData, akid.NamedIssuer.RawData); Assert.True(akid.SerialNumber.HasValue, "akid.SerialNumber.HasValue"); AssertExtensions.SequenceEqual(serial.Span, akid.SerialNumber.GetValueOrDefault().Span); Assert.False(akid.KeyIdentifier.HasValue, "akid.KeyIdentifier.HasValue"); const string ExpectedHex = "3072A15EA45C305A310B300906035504061302494531123010060355040A1309" + "42616C74696D6F726531133011060355040B130A437962657254727573743122" + "30200603550403131942616C74696D6F7265204379626572547275737420526F" + "6F7482100F14965F202069994FD5C7AC788941E2"; Assert.Equal(ExpectedHex, akid.RawData.ByteArrayToHex()); }
public void VerifyX509AuthorityKeyIdentifierExtension() { var authorityName = new X500DistinguishedName("CN=Test,O=OPC Foundation,DC=localhost"); byte[] serialNumber = new byte[] { 9, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; byte[] subjectKeyIdentifier = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; var aki = new X509AuthorityKeyIdentifierExtension(subjectKeyIdentifier, authorityName, serialNumber); Assert.NotNull(aki); TestContext.Out.WriteLine("Encoded:"); TestContext.Out.WriteLine(aki.Format(true)); Assert.AreEqual(authorityName, aki.Issuer); Assert.AreEqual(serialNumber, aki.GetSerialNumber()); Assert.AreEqual(AsnUtils.ToHexString(serialNumber, true), aki.SerialNumber); Assert.AreEqual(subjectKeyIdentifier, aki.GetKeyIdentifier()); var akidecoded = new X509AuthorityKeyIdentifierExtension(aki.Oid, aki.RawData, aki.Critical); TestContext.Out.WriteLine("Decoded:"); TestContext.Out.WriteLine(akidecoded.Format(true)); Assert.AreEqual(aki.RawData, akidecoded.RawData); Assert.AreEqual(authorityName.ToString(), akidecoded.Issuer.ToString()); Assert.AreEqual(serialNumber, akidecoded.GetSerialNumber()); Assert.AreEqual(AsnUtils.ToHexString(serialNumber, true), akidecoded.SerialNumber); Assert.AreEqual(subjectKeyIdentifier, akidecoded.GetKeyIdentifier()); akidecoded = new X509AuthorityKeyIdentifierExtension(aki.Oid.Value, aki.RawData, aki.Critical); TestContext.Out.WriteLine("Decoded2:"); TestContext.Out.WriteLine(akidecoded.Format(true)); Assert.AreEqual(aki.RawData, akidecoded.RawData); Assert.AreEqual(authorityName.ToString(), akidecoded.Issuer.ToString()); Assert.AreEqual(serialNumber, akidecoded.GetSerialNumber()); Assert.AreEqual(AsnUtils.ToHexString(serialNumber, true), akidecoded.SerialNumber); Assert.AreEqual(subjectKeyIdentifier, akidecoded.GetKeyIdentifier()); }
public static void CreateIssuerAndNegativeSerial(bool fromArray) { X509AuthorityKeyIdentifierExtension akid; X500DistinguishedName issuerName = new X500DistinguishedName("CN=Negative"); ReadOnlySpan <byte> serial = new byte[] { 0x80, 0x02 }; if (fromArray) { akid = X509AuthorityKeyIdentifierExtension.CreateFromIssuerNameAndSerialNumber( issuerName, serial.ToArray()); } else { akid = X509AuthorityKeyIdentifierExtension.CreateFromIssuerNameAndSerialNumber( issuerName, serial); } Assert.False(akid.Critical, "akid.Critical"); Assert.NotNull(akid.NamedIssuer); AssertExtensions.SequenceEqual(issuerName.RawData, akid.NamedIssuer.RawData); Assert.True(akid.SerialNumber.HasValue, "akid.SerialNumber.HasValue"); AssertExtensions.SequenceEqual(serial, akid.SerialNumber.GetValueOrDefault().Span); Assert.False(akid.KeyIdentifier.HasValue, "akid.KeyIdentifier.HasValue"); const string ExpectedHex = "301DA117A41530133111300F060355040313084E6567617469766582028002"; Assert.Equal(ExpectedHex, akid.RawData.ByteArrayToHex()); }
public static void CreateFromCertificateWithNoSki() { using (ECDsa key = ECDsa.Create()) { CertificateRequest req = new CertificateRequest("CN=Hi", key, HashAlgorithmName.SHA256); DateTimeOffset now = DateTimeOffset.UnixEpoch; using (X509Certificate2 cert = req.CreateSelfSigned(now.AddMinutes(-5), now.AddMinutes(5))) { Assert.Throws <CryptographicException>( () => X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: true, includeIssuerAndSerial: false)); Assert.Throws <CryptographicException>( () => X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: true, includeIssuerAndSerial: true)); // Assert.NoThrow X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: false, includeIssuerAndSerial: true); X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: false, includeIssuerAndSerial: false); } } }
public void VerifyX509AuthorityKeyIdentifierExtensionOnlyKeyID() { byte[] subjectKeyIdentifier = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; var aki = new X509AuthorityKeyIdentifierExtension(subjectKeyIdentifier); Assert.NotNull(aki); TestContext.Out.WriteLine("Encoded:"); TestContext.Out.WriteLine(aki.Format(true)); Assert.Null(aki.Issuer); Assert.Null(aki.GetSerialNumber()); Assert.AreEqual(string.Empty, aki.SerialNumber); Assert.AreEqual(subjectKeyIdentifier, aki.GetKeyIdentifier()); var akidecoded = new X509AuthorityKeyIdentifierExtension(aki.Oid, aki.RawData, aki.Critical); TestContext.Out.WriteLine("Decoded:"); TestContext.Out.WriteLine(akidecoded.Format(true)); Assert.AreEqual(aki.RawData, akidecoded.RawData); Assert.Null(aki.Issuer); Assert.Null(aki.GetSerialNumber()); Assert.AreEqual(string.Empty, aki.SerialNumber); Assert.AreEqual(subjectKeyIdentifier, akidecoded.GetKeyIdentifier()); akidecoded = new X509AuthorityKeyIdentifierExtension(aki.Oid.Value, aki.RawData, aki.Critical); TestContext.Out.WriteLine("Decoded2:"); TestContext.Out.WriteLine(akidecoded.Format(true)); Assert.AreEqual(aki.RawData, akidecoded.RawData); Assert.Null(aki.Issuer); Assert.Null(aki.GetSerialNumber()); Assert.AreEqual(string.Empty, aki.SerialNumber); Assert.AreEqual(subjectKeyIdentifier, akidecoded.GetKeyIdentifier()); }
public static void Create_Validation() { Assert.Throws <ArgumentNullException>( "keyIdentifier", () => X509AuthorityKeyIdentifierExtension.Create( (byte[])null, null, (byte[])null)); Assert.Throws <ArgumentNullException>( "issuerName", () => X509AuthorityKeyIdentifierExtension.Create( Array.Empty <byte>(), null, (byte[])null)); X500DistinguishedName dn = new X500DistinguishedName("CN=Hi"); Assert.Throws <ArgumentNullException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.Create( Array.Empty <byte>(), dn, (byte[])null)); Assert.Throws <ArgumentNullException>( "issuerName", () => X509AuthorityKeyIdentifierExtension.Create( ReadOnlySpan <byte> .Empty, null, ReadOnlySpan <byte> .Empty)); }
public static void CreateFromCertificate_Validation() { Assert.Throws <ArgumentNullException>( "certificate", () => X509AuthorityKeyIdentifierExtension.CreateFromCertificate( null, false, false)); Assert.Throws <ArgumentNullException>( "certificate", () => X509AuthorityKeyIdentifierExtension.CreateFromCertificate( null, false, true)); Assert.Throws <ArgumentNullException>( "certificate", () => X509AuthorityKeyIdentifierExtension.CreateFromCertificate( null, true, false)); Assert.Throws <ArgumentNullException>( "certificate", () => X509AuthorityKeyIdentifierExtension.CreateFromCertificate( null, true, true)); }
public static void DecodeWithComplexIssuer() { // This extension value has // * A key identifier // * A complex authorityCertIssuer // * One X500 name (CN=Hello) // * One URI (http://cert.example/cert.crt) // * A serial number ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x44, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0xA1, 0x32, 0xA4, 0x12, 0x30, 0x10, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x86, 0x1C, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, 0x74, 0x82, 0x03, 0x00, 0xEE, 0x7B, }; X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded, true); Assert.True(akid.Critical, "akid.Critical"); Assert.Equal("000000000000000880", akid.KeyIdentifier.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Equal("00EE7B", akid.SerialNumber.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Equal("CN=Hello", akid.NamedIssuer.Name); AssertExtensions.SequenceEqual(encoded.Slice(13, 52), akid.RawIssuer.GetValueOrDefault().Span); }
public static void CreateFullPreservesKeyIdLeadingZeros() { ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x26, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0xA1, 0x14, 0xA4, 0x12, 0x30, 0x10, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x82, 0x03, 0x00, 0xEE, 0x7B, }; ReadOnlySpan <byte> keyId = encoded.Slice(4, 9); X500DistinguishedName issuerName = new X500DistinguishedName("CN=Hello"); ReadOnlySpan <byte> serial = new byte[] { 0x00, 0xEE, 0x7B }; X509AuthorityKeyIdentifierExtension akid; // From ROSpan akid = X509AuthorityKeyIdentifierExtension.Create(keyId, issuerName, serial); AssertExtensions.SequenceEqual(encoded, akid.RawData); AssertExtensions.SequenceEqual(keyId, akid.KeyIdentifier.GetValueOrDefault().Span); AssertExtensions.SequenceEqual(issuerName.RawData, akid.NamedIssuer.RawData); AssertExtensions.SequenceEqual(serial, akid.SerialNumber.GetValueOrDefault().Span); // From Arrays akid = X509AuthorityKeyIdentifierExtension.Create(keyId.ToArray(), issuerName, serial.ToArray()); AssertExtensions.SequenceEqual(encoded, akid.RawData); AssertExtensions.SequenceEqual(keyId, akid.KeyIdentifier.GetValueOrDefault().Span); AssertExtensions.SequenceEqual(issuerName.RawData, akid.NamedIssuer.RawData); AssertExtensions.SequenceEqual(serial, akid.SerialNumber.GetValueOrDefault().Span); }
public static void CreateFromKeyIdentifierPreservesLeadingZeros() { ReadOnlySpan <byte> encoded = new byte[] { // SEQUENCE( [0]( 0x30, 0x16, 0x80, 0x14, // keyId 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, }; ReadOnlySpan <byte> keyId = encoded.Slice(4); X509AuthorityKeyIdentifierExtension akid; // From ROSpan akid = X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier(keyId); AssertExtensions.SequenceEqual(encoded, akid.RawData); AssertExtensions.SequenceEqual(keyId, akid.KeyIdentifier.GetValueOrDefault().Span); // From array akid = X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier(keyId.ToArray()); AssertExtensions.SequenceEqual(encoded, akid.RawData); AssertExtensions.SequenceEqual(keyId, akid.KeyIdentifier.GetValueOrDefault().Span); // From SKI var skid = new X509SubjectKeyIdentifierExtension(keyId, critical: false); akid = X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier(skid); AssertExtensions.SequenceEqual(encoded, akid.RawData); AssertExtensions.SequenceEqual(keyId, akid.KeyIdentifier.GetValueOrDefault().Span); }
public static void CreateWithInvalidSerialNumber() { // This value has 9 leading zero bits, making it an invalid encoding for a BER/DER INTEGER. byte[] tooManyZeros = { 0x00, 0x7F }; byte[] invalidValue = tooManyZeros; X500DistinguishedName dn = new X500DistinguishedName("CN=Bad Serial"); // Array Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.Create(invalidValue, dn, invalidValue)); // Span Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.Create( new ReadOnlySpan <byte>(invalidValue), dn, new ReadOnlySpan <byte>(invalidValue))); // Array Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.CreateFromIssuerNameAndSerialNumber(dn, invalidValue)); // Span Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.CreateFromIssuerNameAndSerialNumber( dn, new ReadOnlySpan <byte>(invalidValue))); // The leading 9 bits are all one, also invalid. byte[] tooManyOnes = { 0xFF, 0x80 }; invalidValue = tooManyOnes; // Array Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.Create(invalidValue, dn, invalidValue)); // Span Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.Create( new ReadOnlySpan <byte>(invalidValue), dn, new ReadOnlySpan <byte>(invalidValue))); // Array Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.CreateFromIssuerNameAndSerialNumber(dn, invalidValue)); // Span Assert.Throws <ArgumentException>( "serialNumber", () => X509AuthorityKeyIdentifierExtension.CreateFromIssuerNameAndSerialNumber( dn, new ReadOnlySpan <byte>(invalidValue))); }
public static void CopyFrom_ReadSerialNumberFirst() { X509AuthorityKeyIdentifierExtension ext = new X509AuthorityKeyIdentifierExtension(); ext.CopyFrom(GetFullyValuedExtension()); ReadOnlyMemory <byte>?serial = ext.SerialNumber; Assert.Equal("00EE7B", serial.GetValueOrDefault().ByteArrayToHex()); }
public static void CopyFrom_ReadKeyIdentifierFirst() { X509AuthorityKeyIdentifierExtension ext = new X509AuthorityKeyIdentifierExtension(); ext.CopyFrom(GetFullyValuedExtension()); ReadOnlyMemory <byte>?keyIdentifier = ext.KeyIdentifier; Assert.Equal("000000000000000880", keyIdentifier.GetValueOrDefault().ByteArrayToHex()); }
public static void CopyFrom_ReadNamedIssuerFirst() { X509AuthorityKeyIdentifierExtension ext = new X509AuthorityKeyIdentifierExtension(); ext.CopyFrom(GetFullyValuedExtension()); X500DistinguishedName namedIssuer = ext.NamedIssuer; Assert.NotNull(namedIssuer); Assert.Equal("CN=Hello", namedIssuer.Name); }
public static void VerifyCACert(string subject, X509Certificate2 cert) { Assert.NotNull(cert); Assert.False(cert.HasPrivateKey); Assert.True(Utils.CompareDistinguishedName(subject, cert.Subject)); Assert.True(Utils.CompareDistinguishedName(subject, cert.Issuer)); // test basic constraints var constraints = FindExtension <X509BasicConstraintsExtension>(cert); Assert.NotNull(constraints); Assert.True(constraints.Critical); Assert.True(constraints.CertificateAuthority); Assert.True(constraints.HasPathLengthConstraint); // key usage var keyUsage = FindExtension <X509KeyUsageExtension>(cert); Assert.NotNull(keyUsage); Assert.True(keyUsage.Critical); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == X509KeyUsageFlags.CrlSign); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == 0); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == X509KeyUsageFlags.KeyCertSign); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == 0); Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == 0); // enhanced key usage X509EnhancedKeyUsageExtension enhancedKeyUsage = FindExtension <X509EnhancedKeyUsageExtension>(cert); Assert.Null(enhancedKeyUsage); // test for authority key X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(cert); Assert.NotNull(authority); Assert.NotNull(authority.SerialNumber); Assert.NotNull(authority.KeyId); Assert.NotNull(authority.AuthorityNames); // verify authority key in signed cert X509SubjectKeyIdentifierExtension subjectKeyId = FindExtension <X509SubjectKeyIdentifierExtension>(cert); Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyId); Assert.AreEqual(cert.SerialNumber, authority.SerialNumber); X509SubjectAltNameExtension subjectAlternateName = FindSubjectAltName(cert); Assert.Null(subjectAlternateName); }
public static void CopyFrom_ReadRawIssuerFirst() { X509AuthorityKeyIdentifierExtension ext = new X509AuthorityKeyIdentifierExtension(); ext.CopyFrom(GetFullyValuedExtension()); ReadOnlyMemory <byte>?rawIssuer = ext.RawIssuer; Assert.Equal( "A114A4123010310E300C0603550403130548656C6C6F", rawIssuer.GetValueOrDefault().ByteArrayToHex()); }
public static void CreateFromSubjectKeyIdentifier_Validation() { Assert.Throws <ArgumentNullException>( "subjectKeyIdentifier", () => X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier( (X509SubjectKeyIdentifierExtension)null)); Assert.Throws <ArgumentNullException>( "subjectKeyIdentifier", () => X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier( (byte[])null)); }
public static void DefaultConstructor() { X509AuthorityKeyIdentifierExtension e = new X509AuthorityKeyIdentifierExtension(); string oidValue = e.Oid.Value; Assert.Equal("2.5.29.35", oidValue); Assert.Empty(e.RawData); Assert.False(e.KeyIdentifier.HasValue, "e.KeyIdentifier.HasValue"); Assert.Null(e.NamedIssuer); Assert.False(e.RawIssuer.HasValue, "e.RawIssuer.HasValue"); Assert.False(e.SerialNumber.HasValue, "e.SerialNumber.HasValue"); }
// generates SKI and optionally AKI void generateKeyIdentifiers(X509Certificate2 signer) { using (var hasher = SHA1.Create()) { var hash = hasher.ComputeHash(PrivateKeyInfo.GetPublicKey().EncodedKeyValue.RawData); var ext = new X509SubjectKeyIdentifierExtension(hash, false); _extensions.Add(ext); } if (signer != null) { var ext = new X509AuthorityKeyIdentifierExtension(signer, AuthorityKeyIdentifierFlags.KeyIdentifier, false); _extensions.Add(ext); } }
public static void CreateFromLargeKeyIdentifier() { byte[] keyId = new byte[128]; X509AuthorityKeyIdentifierExtension akid = X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier(keyId); AssertExtensions.SequenceEqual(keyId, akid.KeyIdentifier.GetValueOrDefault().Span); byte[] rawData = akid.RawData; AssertExtensions.SequenceEqual(keyId, rawData.AsSpan(6)); Assert.Equal("308183808180", rawData.AsSpan(0, 6).ByteArrayToHex()); }
public static void CreateEmptyFromCertificate() { X509AuthorityKeyIdentifierExtension akid; using (X509Certificate2 cert = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes)) { akid = X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: false, includeIssuerAndSerial: false); } Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("3000", akid.RawData.ByteArrayToHex()); }
public static void DecodeWithSerialNoIssuer() { // This extension has a keyID and serialNumber, but no issuerName. // It's implied as invalid by the RFC and X.509, but the structure allows it. ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x10, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0x82, 0x03, 0x00, 0xEE, 0x7B, }; X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded); Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("000000000000000880", akid.KeyIdentifier.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Equal("00EE7B", akid.SerialNumber.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Null(akid.NamedIssuer); Assert.False(akid.RawIssuer.HasValue, "akid.RawIssuer.HasValue"); }
public static void DecodeWithTwoX500Names() { // This extension has two separate X500 names, one with CN=Hello, the other with CN=Goodbye ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x3C, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0xA1, 0x2A, 0xA4, 0x12, 0x30, 0x10, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0xA4, 0x14, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x07, 0x47, 0x6F, 0x6F, 0x64, 0x62, 0x79, 0x65, 0x82, 0x03, 0x00, 0xEE, 0x7B, }; X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded); Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("000000000000000880", akid.KeyIdentifier.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Equal("00EE7B", akid.SerialNumber.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Null(akid.NamedIssuer); AssertExtensions.SequenceEqual(encoded.Slice(13, 44), akid.RawIssuer.GetValueOrDefault().Span); }
public static void DecodeWithNoX500Names() { // This extension has no X500 names, but has a fetch URI (that no one supports) ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x30, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0xA1, 0x1E, 0x86, 0x1C, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, 0x74, 0x82, 0x03, 0x00, 0xEE, 0x7B, }; X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded); Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("000000000000000880", akid.KeyIdentifier.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Equal("00EE7B", akid.SerialNumber.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Null(akid.NamedIssuer); AssertExtensions.SequenceEqual(encoded.Slice(13, 32), akid.RawIssuer.GetValueOrDefault().Span); }
public static void DecodeWithIssuerNoSerial() { // This extension has a keyID and an issuerName, but no serialNumber. // It's implied as invalid by the RFC and X.509, but the structure allows it. ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x21, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0xA1, 0x14, 0xA4, 0x12, 0x30, 0x10, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F, }; X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded); Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("000000000000000880", akid.KeyIdentifier.GetValueOrDefault().Span.ByteArrayToHex()); Assert.False(akid.SerialNumber.HasValue, "akid.SerialNumber.HasValue"); Assert.Equal("CN=Hello", akid.NamedIssuer.Name); AssertExtensions.SequenceEqual(encoded.Slice(13, 22), akid.RawIssuer.GetValueOrDefault().Span); }
/// <summary> /// Compares the signed cert Issuer with the local issuer, updates local issuer if necessary. /// </summary> /// <param name="signedCertificate"></param> public async Task UpdateIssuerCertificateAsync(X509Certificate2 signedCertificate) { X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(signedCertificate); X509SubjectKeyIdentifierExtension subjectKeyId = FindSubjectKeyIdentifierExtension(Certificate); if (authority.KeyId != subjectKeyId.SubjectKeyIdentifier || authority.SerialNumber != Certificate.SerialNumber) { // reload CA certs and trust lists await Init(); // check again, if no match fail subjectKeyId = FindSubjectKeyIdentifierExtension(Certificate); if (authority.KeyId != subjectKeyId.SubjectKeyIdentifier || authority.SerialNumber != Certificate.SerialNumber) { throw new ServiceResultException(StatusCodes.BadInvalidState, "No Match of signed certificate and CA certificate"); } } }
public static void DecodeInvalid() { byte[] invalidEncoding = { 0x05, 0x00 }; Assert.Throws <CryptographicException>( () => new X509AuthorityKeyIdentifierExtension(invalidEncoding)); Assert.Throws <CryptographicException>( () => new X509AuthorityKeyIdentifierExtension(new ReadOnlySpan <byte>(invalidEncoding))); X509Extension untypedExt = new X509Extension("0.1", invalidEncoding, critical: true); X509AuthorityKeyIdentifierExtension ext = new X509AuthorityKeyIdentifierExtension(); ext.CopyFrom(untypedExt); Assert.True(ext.Critical, "ext.Critical"); Assert.Equal("0.1", ext.Oid.Value); Assert.Throws <CryptographicException>(() => ext.KeyIdentifier); Assert.Throws <CryptographicException>(() => ext.SerialNumber); Assert.Throws <CryptographicException>(() => ext.NamedIssuer); Assert.Throws <CryptographicException>(() => ext.RawIssuer); }
public static void CreateKeyIdOnlyFromCertificate() { X509AuthorityKeyIdentifierExtension akid; using (X509Certificate2 cert = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes)) { akid = X509AuthorityKeyIdentifierExtension.CreateFromCertificate( cert, includeKeyIdentifier: true, includeIssuerAndSerial: false); } Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("30168014B5760C3011CEC792424D4CC75C2CC8A90CE80B64", akid.RawData.ByteArrayToHex()); Assert.False(akid.RawIssuer.HasValue, "akid.RawIssuer.HasValue"); Assert.Null(akid.NamedIssuer); Assert.False(akid.SerialNumber.HasValue, "akid.SerialNumber.HasValue"); Assert.True(akid.KeyIdentifier.HasValue, "akid.KeyIdentifier.HasValue"); Assert.Equal( "B5760C3011CEC792424D4CC75C2CC8A90CE80B64", akid.KeyIdentifier.GetValueOrDefault().ByteArrayToHex()); }
public static void DecodeWithThreeX500Names() { // This extension has three separate X500 names: CN=Hello; CN=Middle; CN=Goodbye ReadOnlySpan <byte> encoded = new byte[] { 0x30, 0x6F, 0x80, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x80, 0xA1, 0x5D, 0xA4, 0x12, 0x30, 0x10, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0xA4, 0x13, 0x30, 0x11, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x06, 0x4D, 0x69, 0x64, 0x64, 0x6C, 0x65, 0xA4, 0x14, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x07, 0x47, 0x6F, 0x6F, 0x64, 0x62, 0x79, 0x65, 0x86, 0x1C, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x72, 0x74, 0x82, 0x03, 0x00, 0xEE, 0x7B, }; X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded); Assert.False(akid.Critical, "akid.Critical"); Assert.Equal("000000000000000880", akid.KeyIdentifier.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Equal("00EE7B", akid.SerialNumber.GetValueOrDefault().Span.ByteArrayToHex()); Assert.Null(akid.NamedIssuer); AssertExtensions.SequenceEqual(encoded.Slice(13, 95), akid.RawIssuer.GetValueOrDefault().Span); }
public static void RoundtripFull() { byte[] encoded = ( "303C80140235857ED35BD13609F22DE8A71F93DFEBD3F495A11AA41830163114" + "301206035504030C0B49737375696E6743657274820852E6DEFA1D32A969").HexToByteArray(); X509AuthorityKeyIdentifierExtension akid = new X509AuthorityKeyIdentifierExtension(encoded, true); Assert.True(akid.Critical, "akid.Critical"); Assert.True(akid.KeyIdentifier.HasValue, "akid.KeyIdentifier.HasValue"); Assert.Equal( "0235857ED35BD13609F22DE8A71F93DFEBD3F495", akid.KeyIdentifier.Value.ByteArrayToHex()); Assert.True(akid.RawIssuer.HasValue, "akid.RawIssuer.HasValue"); Assert.NotNull(akid.NamedIssuer); Assert.Equal( "A11AA41830163114301206035504030C0B49737375696E6743657274", akid.RawIssuer.Value.ByteArrayToHex()); Assert.Equal( "30163114301206035504030C0B49737375696E6743657274", akid.NamedIssuer.RawData.ByteArrayToHex()); Assert.True(akid.SerialNumber.HasValue, "akid.SerialNumber.HasValue"); Assert.Equal("52E6DEFA1D32A969", akid.SerialNumber.Value.ByteArrayToHex()); X509AuthorityKeyIdentifierExtension akid2 = X509AuthorityKeyIdentifierExtension.Create( akid.KeyIdentifier.Value.Span, akid.NamedIssuer, akid.SerialNumber.Value.Span); Assert.False(akid2.Critical, "akid2.Critical"); AssertExtensions.SequenceEqual(akid.RawData, akid2.RawData); }
/// <summary> /// Displays the properties of a certificate. /// </summary> internal void Initialize(X509Certificate2 certificate) { ItemsLV.Items.Clear(); if (certificate == null) { Instructions = "No certificate properties to display"; AdjustColumns(); return; } AddItem(new FieldInfo("Version", certificate.Version)); AddItem(new FieldInfo("Subject", certificate.Subject)); AddItem(new FieldInfo("FriendlyName", certificate.FriendlyName)); AddItem(new FieldInfo("Thumbprint", certificate.Thumbprint)); AddItem(new FieldInfo("Issuer", certificate.Issuer)); AddItem(new FieldInfo("SerialNumber", certificate.SerialNumber)); AddItem(new FieldInfo("NotBefore", Utils.Format("{0:yyyy-MM-dd}", certificate.NotBefore))); AddItem(new FieldInfo("NotAfter", Utils.Format("{0:yyyy-MM-dd}", certificate.NotAfter))); AddItem(new FieldInfo("KeySize", certificate.PublicKey.Key.KeySize)); AddItem(new FieldInfo("KeyExchangeAlgorithm", certificate.PublicKey.Key.KeyExchangeAlgorithm)); AddItem(new FieldInfo("SignatureAlgorithm", certificate.SignatureAlgorithm.FriendlyName)); foreach (X509Extension extension in certificate.Extensions) { X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension; if (basicContraints != null) { StringBuilder buffer = new StringBuilder(); if (basicContraints.CertificateAuthority) { buffer.Append("CA"); } else { buffer.Append("End Entity"); } if (basicContraints.HasPathLengthConstraint) { buffer.AppendFormat(", PathLength={0}", basicContraints.PathLengthConstraint); } AddItem(new FieldInfo("BasicConstraints", buffer.ToString())); continue; } X509KeyUsageExtension keyUsage = extension as X509KeyUsageExtension; if (keyUsage != null) { StringBuilder buffer = new StringBuilder(); foreach (X509KeyUsageFlags usageFlag in Enum.GetValues(typeof(X509KeyUsageFlags))) { if ((keyUsage.KeyUsages & usageFlag) != 0) { if (buffer.Length > 0) { buffer.Append(", "); } buffer.AppendFormat("{0}", usageFlag); } } AddItem(new FieldInfo("KeyUsage", buffer.ToString())); continue; } X509EnhancedKeyUsageExtension enhancedKeyUsage = extension as X509EnhancedKeyUsageExtension; if (enhancedKeyUsage != null) { StringBuilder buffer = new StringBuilder(); foreach (Oid usageOid in enhancedKeyUsage.EnhancedKeyUsages) { if (buffer.Length > 0) { buffer.Append(", "); } if (!String.IsNullOrEmpty(usageOid.FriendlyName)) { buffer.AppendFormat("{0}", usageOid.FriendlyName); } else { buffer.AppendFormat("{0}", usageOid.Value); } } AddItem(new FieldInfo("EnhancedKeyUsage", buffer.ToString())); continue; } X509SubjectKeyIdentifierExtension subjectKeyId = extension as X509SubjectKeyIdentifierExtension; if (subjectKeyId != null) { AddItem(new FieldInfo("SubjectKeyIdentifier", subjectKeyId.SubjectKeyIdentifier)); continue; } if (extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltNameOid || extension.Oid.Value == X509SubjectAltNameExtension.SubjectAltName2Oid) { X509SubjectAltNameExtension alternateName = new X509SubjectAltNameExtension(extension, extension.Critical); AddItem(new FieldInfo("SubjectAlternateName", alternateName.Format(false))); continue; } if (extension.Oid.Value == X509AuthorityKeyIdentifierExtension.AuthorityKeyIdentifier2Oid) { X509AuthorityKeyIdentifierExtension keyId = new X509AuthorityKeyIdentifierExtension(extension, extension.Critical); AddItem(new FieldInfo("AuthorityKeyIdentifier", keyId.Format(false))); continue; } string name = extension.Oid.FriendlyName; if (String.IsNullOrEmpty(name)) { name = extension.Oid.Value; } string value = Utils.ToHexString(extension.RawData); AddItem(new FieldInfo(name, value)); } AdjustColumns(); }