public void CreateSelfSignedForECDsaDefaultTest(ECCurveHashPair eccurveHashPair)
{
// default cert
X509Certificate2 cert = CertificateBuilder.Create(Subject)
.SetECCurve(eccurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, "Default ECDsa cert");
using (var privateKey = cert.GetECDsaPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetECDsaPublicKey())
{
Assert.NotNull(publicKey);
publicKey.ExportParameters(false);
}
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore);
Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime());
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.AreEqual(0, basicConstraintsExtension.PathLengthConstraint);
var keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert.Extensions);
Assert.NotNull(keyUsage);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert), "Verify self signed.");
}
public void VerifyOneSelfSignedAppCertForAll()
{
var builder = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }));
byte[] previousSerialNumber = null;
foreach (var eCCurveHash in ECCurveHashPairs)
{
if (!eCCurveHash.Curve.IsNamed)
{
continue;
}
using (var cert = builder
.SetHashAlgorithm(eCCurveHash.HashAlgorithmName)
.SetECCurve(eCCurveHash.Curve)
.CreateForECDsa())
{
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert with ECDsa {eCCurveHash.Curve.Oid.FriendlyName} {eCCurveHash.HashAlgorithmName} signature.");
Assert.AreEqual(eCCurveHash.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
// ensure serial numbers are different
Assert.AreNotEqual(previousSerialNumber, cert.GetSerialNumber());
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
}
}
public void CreateSelfSignedForRSADefaultTest()
{
// default cert
X509Certificate2 cert = CertificateBuilder.Create(Subject).CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, "Default RSA cert");
using (var privateKey = cert.GetRSAPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetRSAPublicKey())
{
Assert.NotNull(publicKey);
Assert.AreEqual(X509Defaults.RSAKeySize, publicKey.KeySize);
publicKey.ExportParameters(false);
}
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore);
Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime());
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
public void VerifyOneSelfSignedAppCertForAll()
{
var builder = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }));
byte[] previousSerialNumber = null;
foreach (var keyHash in KeyHashPairs)
{
using (var cert = builder
.SetHashAlgorithm(keyHash.HashAlgorithmName)
.SetRSAKeySize(keyHash.KeySize)
.CreateForRSA())
{
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert with RSA {keyHash.KeySize} {keyHash.HashAlgorithmName} signature.");
Assert.AreEqual(keyHash.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
// ensure serial numbers are different
Assert.AreNotEqual(previousSerialNumber, cert.GetSerialNumber());
X509PfxUtils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
Assert.AreEqual(cert.SubjectName.Name, cert.IssuerName.Name);
Assert.AreEqual(cert.SubjectName.RawData, cert.IssuerName.RawData);
CheckPEMWriter(cert);
}
}
}
public void CreateCACertForRSA(
KeyHashPair keyHashPair
)
{
// create a CA cert
var cert = CertificateBuilder.Create(Subject)
.SetCAConstraint(-1)
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl"))
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points");
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.False(basicConstraintsExtension.HasPathLengthConstraint);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
CheckPEMWriter(cert);
}
public void CreateSelfSignedForRSAAllFields(
KeyHashPair keyHashPair
)
{
// set dates and extension
var applicationUri = "urn:opcfoundation.org:mypc";
var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" };
var cert = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension(applicationUri, domains))
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert RSA {keyHashPair.KeySize} with modified lifetime and alt name extension");
Assert.AreEqual(Subject, cert.Subject);
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert);
X509Utils.VerifySelfSigned(cert);
}
/// <summary>
/// Creates a certificate signing request from an existing certificate.
/// </summary>
public static byte[] CreateSigningRequest(
X509Certificate2 certificate,
IList <String> domainNames = null
)
{
if (!certificate.HasPrivateKey)
{
throw new NotSupportedException("Need a certificate with a private key.");
}
RSA rsaPublicKey = certificate.GetRSAPublicKey();
var request = new CertificateRequest(certificate.SubjectName, rsaPublicKey,
Oids.GetHashAlgorithmName(certificate.SignatureAlgorithm.Value), RSASignaturePadding.Pkcs1);
var alternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(certificate);
domainNames = domainNames ?? new List <String>();
if (alternateName != null)
{
foreach (var name in alternateName.DomainNames)
{
if (!domainNames.Any(s => s.Equals(name, StringComparison.OrdinalIgnoreCase)))
{
domainNames.Add(name);
}
}
foreach (var ipAddress in alternateName.IPAddresses)
{
if (!domainNames.Any(s => s.Equals(ipAddress, StringComparison.OrdinalIgnoreCase)))
{
domainNames.Add(ipAddress);
}
}
}
string applicationUri = X509Utils.GetApplicationUriFromCertificate(certificate);
// Subject Alternative Name
var subjectAltName = new X509SubjectAltNameExtension(applicationUri, domainNames);
request.CertificateExtensions.Add(new X509Extension(subjectAltName, false));
using (RSA rsa = certificate.GetRSAPrivateKey())
{
var x509SignatureGenerator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
return(request.CreateSigningRequest(x509SignatureGenerator));
}
}
public void CreateSelfSignedForRSADefaultHashCustomKey(
KeyHashPair keyHashPair
)
{
// default cert with custom key
X509Certificate2 cert = CertificateBuilder.Create(Subject)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
WriteCertificate(cert, $"Default RSA {keyHashPair.KeySize} cert");
Assert.AreEqual(Subject, cert.Subject);
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
public void CreateSelfSignedForECDsaAllFields(
ECCurveHashPair ecCurveHashPair
)
{
// set dates and extension
var applicationUri = "urn:opcfoundation.org:mypc";
var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" };
var cert = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension(applicationUri, domains))
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert ECDsa {ecCurveHashPair.Curve.Oid.FriendlyName} with modified lifetime and alt name extension");
Assert.AreEqual(Subject, cert.Subject);
using (var privateKey = cert.GetECDsaPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetECDsaPublicKey())
{
Assert.NotNull(publicKey);
publicKey.ExportParameters(false);
}
Assert.AreEqual(ecCurveHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
CheckPEMWriter(cert);
}
public void CreateCACertForECDsa(
ECCurveHashPair ecCurveHashPair
)
{
// create a CA cert
var cert = CertificateBuilder.Create(Subject)
.SetCAConstraint()
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.AddExtension(X509Extensions.BuildX509CRLDistributionPoints(new string[] { "http://myca/mycert.crl", "http://myaltca/mycert.crl" }))
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points");
Assert.AreEqual(ecCurveHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.False(basicConstraintsExtension.HasPathLengthConstraint);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
