public void ItFetchesACertificateGroupConfigurationFromTheServiceLayer()
{
// Test syntax: "AAA" see https://msdn.microsoft.com/en-us/library/hh694602.aspx
// *Arrange*: setup the current context, in preparation for the test
// *Act*: execute an action in the system under test (SUT)
// *Assert*: verify that the test succeeded
var id = "Default";
var configuration = new CertificateGroupConfigurationModel()
{
Id = id
};
// Inject a fake response when Devices.GetAsync() is invoked
// Moq Quickstart: https://github.com/Moq/moq4/wiki/Quickstart
_group.Setup(x => x.GetCertificateGroupConfiguration(id)).ReturnsAsync(configuration);
// Act
// Note: don't use "var" so to implicitly assert that the
// method is returning an object of the expected type. We test only
// public methods, i.e. to test code inside private methods, we
// write a test that starts from a public method.
CertificateGroupConfigurationApiModel result = _target.GetCertificateGroupConfigurationAsync(id).Result;
// Verify that Devices.GetAsync() has been called, exactly once
// with the correct parameters
_group.Verify(x => x.GetCertificateGroupConfiguration(It.Is <string>(s => s == id)), Times.Once);
}
public static async Task <CertificateGroupConfigurationModel> UpdateCertificateGroupConfiguration(
KeyVaultServiceClient keyVaultServiceClient,
string id,
CertificateGroupConfigurationModel config)
{
if (id.ToLower() != config.Id.ToLower())
{
throw new ArgumentException("groupid doesn't match config id");
}
string json = await keyVaultServiceClient.GetCertificateConfigurationGroupsAsync().ConfigureAwait(false);
List <CertificateGroupConfigurationModel> certificateGroupCollection = JsonConvert.DeserializeObject <List <CertificateGroupConfigurationModel> >(json);
var original = certificateGroupCollection.SingleOrDefault(cg => String.Equals(cg.Id, id, StringComparison.OrdinalIgnoreCase));
if (original == null)
{
throw new ArgumentException("invalid groupid");
}
ValidateConfiguration(config);
var index = certificateGroupCollection.IndexOf(original);
certificateGroupCollection[index] = config;
json = JsonConvert.SerializeObject(certificateGroupCollection);
// update config
json = await keyVaultServiceClient.PutCertificateConfigurationGroupsAsync(json).ConfigureAwait(false);
// read it back to verify
certificateGroupCollection = JsonConvert.DeserializeObject <List <CertificateGroupConfigurationModel> >(json);
return(certificateGroupCollection.SingleOrDefault(cg => String.Equals(cg.Id, id, StringComparison.OrdinalIgnoreCase)));
}
private static CertificateGroupConfigurationModel DefaultConfiguration(string id, string subject, string certType)
{
var config = new CertificateGroupConfigurationModel()
{
Id = id ?? "Default",
SubjectName = subject ?? "CN=Azure Industrial IoT CA, O=Microsoft Corp.",
CertificateType = CertTypeMap()[Opc.Ua.ObjectTypeIds.RsaSha256ApplicationCertificateType],
DefaultCertificateLifetime = 24,
DefaultCertificateHashSize = 256,
DefaultCertificateKeySize = 2048,
IssuerCACertificateLifetime = 60,
IssuerCACertificateHashSize = 256,
IssuerCACertificateKeySize = 2048,
IssuerCACrlDistributionPoint = "http://%servicehost%/certs/crl/%serial%/%group%.crl",
IssuerCAAuthorityInformationAccess = "http://%servicehost%/certs/issuer/%serial%/%group%.cer"
};
if (certType != null)
{
var checkedCertType = CertTypeMap().Where(c => c.Value.ToLower() == certType.ToLower()).Single();
config.CertificateType = checkedCertType.Value;
}
ValidateConfiguration(config);
return(config);
}
public static KeyVaultCertificateGroupProvider Create(
KeyVaultServiceClient keyVaultServiceClient,
CertificateGroupConfigurationModel certificateGroupConfiguration,
string serviceHost
)
{
return(new KeyVaultCertificateGroupProvider(keyVaultServiceClient, certificateGroupConfiguration, serviceHost));
}
private KeyVaultCertificateGroupProvider(
KeyVaultServiceClient keyVaultServiceClient,
CertificateGroupConfigurationModel certificateGroupConfiguration,
string serviceHost
) :
base(null, certificateGroupConfiguration.ToGdsServerModel())
{
_keyVaultServiceClient = keyVaultServiceClient;
CertificateGroupConfiguration = certificateGroupConfiguration;
_serviceHost = serviceHost ?? "localhost";
Certificate = null;
Crl = null;
}
public CertificateGroupConfigurationApiModel(string id, CertificateGroupConfigurationModel config)
{
this.Id = id;
this.CertificateType = config.CertificateType;
this.SubjectName = config.SubjectName;
this.DefaultCertificateLifetime = config.DefaultCertificateLifetime;
this.DefaultCertificateKeySize = config.DefaultCertificateKeySize;
this.DefaultCertificateHashSize = config.DefaultCertificateHashSize;
this.IssuerCACertificateLifetime = config.IssuerCACertificateLifetime;
this.IssuerCACertificateKeySize = config.IssuerCACertificateKeySize;
this.IssuerCACertificateHashSize = config.IssuerCACertificateHashSize;
this.IssuerCACrlDistributionPoint = config.IssuerCACrlDistributionPoint;
this.IssuerCAAuthorityInformationAccess = config.IssuerCAAuthorityInformationAccess;
}
public CertificateGroupConfigurationModel ToServiceModel()
{
var serviceModel = new CertificateGroupConfigurationModel();
serviceModel.Id = this.Id;
serviceModel.CertificateType = this.CertificateType;
serviceModel.SubjectName = this.SubjectName;
serviceModel.DefaultCertificateLifetime = this.DefaultCertificateLifetime;
serviceModel.DefaultCertificateKeySize = this.DefaultCertificateKeySize;
serviceModel.DefaultCertificateHashSize = this.DefaultCertificateHashSize;
serviceModel.IssuerCACertificateLifetime = this.IssuerCACertificateLifetime;
serviceModel.IssuerCACertificateKeySize = this.IssuerCACertificateKeySize;
serviceModel.IssuerCACertificateHashSize = this.IssuerCACertificateHashSize;
serviceModel.IssuerCACrlDistributionPoint = this.IssuerCACrlDistributionPoint;
serviceModel.IssuerCAAuthorityInformationAccess = this.IssuerCAAuthorityInformationAccess;
return(serviceModel);
}
/// <inheritdoc/>
public async Task <CertificateGroupConfigurationModel> UpdateCertificateGroupConfiguration(string id, CertificateGroupConfigurationModel config)
{
return(await KeyVaultCertificateGroupProvider.UpdateCertificateGroupConfiguration(_keyVaultServiceClient, id, config).ConfigureAwait(false));
}
private static void ValidateConfiguration(CertificateGroupConfigurationModel update)
{
char[] delimiters = new char[] { ' ', '\r', '\n' };
var updateIdWords = update.Id.Split(delimiters, StringSplitOptions.RemoveEmptyEntries);
if (updateIdWords.Length != 1)
{
throw new ArgumentException("Invalid number of words in group Id");
}
update.Id = updateIdWords[0];
if (!update.Id.All(char.IsLetterOrDigit))
{
throw new ArgumentException("Invalid characters in group Id");
}
// verify subject
var subjectList = Opc.Ua.Utils.ParseDistinguishedName(update.SubjectName);
if (subjectList == null ||
subjectList.Count == 0)
{
throw new ArgumentException("Invalid Subject");
}
if (!subjectList.Any(c => c.StartsWith("CN=", StringComparison.InvariantCulture)))
{
throw new ArgumentException("Invalid Subject, must have a common name entry");
}
// enforce proper formatting for the subject name string
update.SubjectName = string.Join(", ", subjectList);
try
{
// only allow specific cert types for now
var certType = CertTypeMap().Where(c => c.Value.ToLower() == update.CertificateType.ToLower()).Single();
update.CertificateType = certType.Value;
}
catch (Exception)
{
throw new ArgumentException("Invalid CertificateType");
}
// specify ranges for lifetime (months)
if (update.DefaultCertificateLifetime < 1 ||
update.IssuerCACertificateLifetime < 1 ||
update.DefaultCertificateLifetime * 2 > update.IssuerCACertificateLifetime ||
update.DefaultCertificateLifetime > 60 ||
update.IssuerCACertificateLifetime > 1200)
{
throw new ArgumentException("Invalid lifetime");
}
if (update.DefaultCertificateKeySize < 2048 ||
update.DefaultCertificateKeySize % 1024 != 0 ||
update.DefaultCertificateKeySize > 2048)
{
throw new ArgumentException("Invalid key size, must be 2048, 3072 or 4096");
}
if (update.IssuerCACertificateKeySize < 2048 ||
update.IssuerCACertificateKeySize % 1024 != 0 ||
update.IssuerCACertificateKeySize > 4096)
{
throw new ArgumentException("Invalid key size, must be 2048, 3072 or 4096");
}
if (update.DefaultCertificateKeySize > update.IssuerCACertificateKeySize)
{
throw new ArgumentException("Invalid key size, Isser CA key must be >= application key");
}
if (update.DefaultCertificateHashSize < 256 ||
update.DefaultCertificateHashSize % 128 != 0 ||
update.DefaultCertificateHashSize > 512)
{
throw new ArgumentException("Invalid hash size, must be 256, 384 or 512");
}
if (update.IssuerCACertificateHashSize < 256 ||
update.IssuerCACertificateHashSize % 128 != 0 ||
update.IssuerCACertificateHashSize > 512)
{
throw new ArgumentException("Invalid hash size, must be 256, 384 or 512");
}
}
