Esempio n. 1
0
        static bool CanKeyDoKeyExchange(X509Certificate2 certificate)
        {
            bool canDoKeyExchange = false;

            X509KeyUsageExtension keyUsageExtension = null;

            for (int i = 0; i < certificate.Extensions.Count; i++)
            {
                keyUsageExtension = certificate.Extensions[i] as X509KeyUsageExtension;
                if (keyUsageExtension != null)
                {
                    break;
                }
            }

            // No KeyUsage extension means most usages are permitted including key exchange.
            // See RFC 5280 section 4.2.1.3 (Key Usage) for details. If the extension is non-critical
            // then it's non-enforcing and meant as an aid in choosing the best certificate when
            // there are multiple certificates to choose from.
            if (keyUsageExtension == null || !keyUsageExtension.Critical)
            {
                return(true);
            }

            // One of KeyAgreement, KeyEncipherment or DigitalSignature need to be allowed depending on the cipher
            // being used. See RFC 5246 section 7.4.6 for more details.
            // Additionally, according to msdn docs for PFXImportCertStore, the key specification is set to AT_KEYEXCHANGE
            // when the data encipherment usage is set.
            canDoKeyExchange = (keyUsageExtension.KeyUsages &
                                (X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.KeyEncipherment |
                                 X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.DataEncipherment)) != X509KeyUsageFlags.None;

            return(canDoKeyExchange);
        }
Esempio n. 2
0
        public void X509CertificateCreationParametersPropertiesTest()
        {
            X500DistinguishedName             dn             = new X500DistinguishedName("CN=Test");
            X509CertificateCreationParameters creationParams = new X509CertificateCreationParameters(dn);

            creationParams.SubjectName = new X500DistinguishedName("CN=Test2");
            Assert.AreEqual(new X500DistinguishedName("CN=Test2").Name, creationParams.SubjectName.Name);

            creationParams.CertificateCreationOptions = X509CertificateCreationOptions.DoNotLinkKeyInformation |
                                                        X509CertificateCreationOptions.DoNotSignCertificate;
            Assert.AreEqual(X509CertificateCreationOptions.DoNotLinkKeyInformation | X509CertificateCreationOptions.DoNotSignCertificate,
                            creationParams.CertificateCreationOptions);

            DateTime newStart = new DateTime(2006, 08, 12);

            creationParams.StartTime = newStart;
            Assert.AreEqual(newStart, creationParams.StartTime);

            DateTime newEnd = new DateTime(2008, 09, 15);

            creationParams.EndTime = newEnd;
            Assert.AreEqual(newEnd, creationParams.EndTime);

            creationParams.SignatureAlgorithm = X509CertificateSignatureAlgorithm.RsaSha256;
            Assert.AreEqual(X509CertificateSignatureAlgorithm.RsaSha256, creationParams.SignatureAlgorithm);

            X509KeyUsageExtension keyUsage = new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement, true);

            creationParams.Extensions.Add(keyUsage);

            Assert.AreEqual(1, creationParams.Extensions.Count);
            Assert.IsInstanceOfType(creationParams.Extensions[0], typeof(X509KeyUsageExtension));
            Assert.AreEqual(X509KeyUsageFlags.KeyAgreement,
                            ((X509KeyUsageExtension)creationParams.Extensions[0]).KeyUsages);
        }
Esempio n. 3
0
        public void WrongAsnEncodedData()
        {
            AsnEncodedData        aed = new AsnEncodedData(new byte[0]);
            X509KeyUsageExtension ku  = new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign, true);

            ku.CopyFrom(aed); // note: not the same behaviour than using the constructor!
        }
Esempio n. 4
0
        public static void ReadInvalidExtension_KeyUsage()
        {
            X509KeyUsageExtension keyUsageExtension =
                new X509KeyUsageExtension(new AsnEncodedData(Array.Empty <byte>()), false);

            Assert.ThrowsAny <CryptographicException>(() => keyUsageExtension.KeyUsages);
        }
        private static void PrintCert(PlatformLogLevel logLevel, X509Certificate2 cert, X509ChainStatus[] chainElementStatus, string chainElementInformation)
        {
            if (cert == null)
            {
                return;
            }
            StringBuilder stringBuilder = new StringBuilder();

            stringBuilder.Append(string.Format("Issuer name: {0}\n", cert.Issuer ?? string.Empty));
            stringBuilder.Append(string.Format("Subject: {0}\n", cert.Subject ?? string.Empty));
            stringBuilder.Append(string.Format("Serial: {0}\n", cert.SerialNumber ?? string.Empty));
            stringBuilder.Append(string.Format("Certificate valid until: {0}\n", cert.NotAfter));
            stringBuilder.Append(string.Format("Error status length: {0}\n", (chainElementStatus == null) ? 0 : chainElementStatus.Length));
            stringBuilder.Append(string.Format("Chain Information: {0}\n", chainElementInformation ?? string.Empty));
            X509KeyUsageExtension x509KeyUsageExtension = (cert.Extensions == null) ? null : (cert.Extensions["2.5.29.15"] as X509KeyUsageExtension);

            if (x509KeyUsageExtension != null)
            {
                stringBuilder.Append(string.Format("Key Usage Extension flags={0:X}\n", x509KeyUsageExtension.KeyUsages));
            }
            if (chainElementStatus != null)
            {
                for (int i = 0; i < chainElementStatus.Length; i++)
                {
                    X509ChainStatus x509ChainStatus = chainElementStatus[i];
                    stringBuilder.Append(string.Format("Error status={0}, info={1}", x509ChainStatus.Status, x509ChainStatus.StatusInformation ?? string.Empty));
                }
            }
            Services.Logging.LogMessage(logLevel, stringBuilder.ToString());
        }
Esempio n. 6
0
        private static unsafe int VerifyCertificate(X509Certificate2 certificate, X509Certificate2Collection extraStore)
        {
            int num;
            int num2 = System.Security.Cryptography.X509Certificates.X509Utils.VerifyCertificate(System.Security.Cryptography.X509Certificates.X509Utils.GetCertContext(certificate), null, null, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot, DateTime.Now, new TimeSpan(0, 0, 0), extraStore, new IntPtr(1L), new IntPtr((void *)&num));

            if (num2 != 0)
            {
                return(num);
            }
            X509ExtensionEnumerator enumerator = certificate.Extensions.GetEnumerator();

            while (enumerator.MoveNext())
            {
                X509Extension current = enumerator.Current;
                if (string.Compare(current.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0)
                {
                    X509KeyUsageExtension extension2 = new X509KeyUsageExtension();
                    extension2.CopyFrom(current);
                    if (((extension2.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.None) && ((extension2.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.None))
                    {
                        return(-2146762480);
                    }
                }
            }
            return(num2);
        }
        public void WrongExtension_X509KeyUsageExtension()
        {
            X509KeyUsageExtension             ku  = new X509KeyUsageExtension();
            X509SubjectKeyIdentifierExtension ski = new X509SubjectKeyIdentifierExtension();

            ski.CopyFrom(ku);
        }
Esempio n. 8
0
        public void Certificate_CSR_TA_SelfSigned()
        {
            X500DistinguishedName   dn      = new X500DistinguishedName("CN=Secondary Trust Anchor,O=TNT,C=US");
            AsymmetricCipherKeyPair keyPair = Certificate.CreateRSAKeyPair();
            Extensions extensions           = new Extensions();

            extensions.Add(new TNT.Cryptography.Extension.KeyUsage(KeyUsage.CrlSign | KeyUsage.KeyCertSign | KeyUsage.DigitalSignature));
            extensions.Add(new TNT.Cryptography.Extension.AuthorityKeyIdentifier(keyPair.Public));
            extensions.Add(new TNT.Cryptography.Extension.SubjectKeyIdentifier(keyPair.Public));
            extensions.Add(new TNT.Cryptography.Extension.BasicConstraints(new BasicConstraints(0)));
            List <Uri> uris = new List <Uri>(new Uri[] { new Uri("http://domain1.com"), new Uri("http://domain2.com") });

            extensions.Add(new TNT.Cryptography.Extension.CrlDistributionPoints(uris));

            Pkcs10CertificationRequest csr  = Certificate.CreateCertificationRequest(dn.Name, keyPair, extensions);
            X509Certificate2           cert = Certificate.CreateCertificate(csr, keyPair, m_EffectiveDate, m_ExpirationDate, null);

            X509KeyUsageExtension         keyUsageEx        = cert.Extensions[0] as X509KeyUsageExtension;
            X509BasicConstraintsExtension basicConstraintEx = cert.Extensions[3] as X509BasicConstraintsExtension;

            System.Security.Cryptography.X509Certificates.X509Extension aki = cert.Extensions[1];
            System.Security.Cryptography.X509Certificates.X509Extension ski = cert.Extensions[2];

            Assert.AreEqual(X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.DigitalSignature, keyUsageEx.KeyUsages);
            Assert.IsTrue(basicConstraintEx.CertificateAuthority);
            Assert.AreEqual("C=US, O=TNT, CN=Secondary Trust Anchor", cert.Subject);
            Assert.AreEqual(cert.Subject, cert.Issuer);

            var skiCount = ski.Format(false).Length;

            Assert.AreEqual(ski.Format(false), aki.Format(false).Substring(6, skiCount));

            File.WriteAllBytes("CSR_TA_SS.cer", cert.Export(X509ContentType.Cert));
            File.WriteAllBytes("CSR_TA_SS.pfx", cert.Export(X509ContentType.Pfx, "P"));
        }
Esempio n. 9
0
        public void WrongExtension_X509EnhancedKeyUsageExtension()
        {
            X509EnhancedKeyUsageExtension eku = new X509EnhancedKeyUsageExtension();
            X509KeyUsageExtension         ku  = new X509KeyUsageExtension();

            ku.CopyFrom(eku);
        }
Esempio n. 10
0
        public static void VerifyWriteNamedBitList_KeyUsage_OneByte(AsnEncodingRules ruleSet)
        {
            //     KeyUsage ::= BIT STRING {
            //       digitalSignature   (0),
            //       nonRepudiation     (1),
            //       keyEncipherment    (2),
            //       dataEncipherment   (3),
            //       keyAgreement       (4),
            //       keyCertSign        (5),
            //       cRLSign            (6),
            //       encipherOnly       (7),
            //       decipherOnly       (8) }

            X509KeyUsageExtension kuExt = new X509KeyUsageExtension(
                X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
                critical: false);

            BitArray array = new BitArray(7);

            array.Set(6, true);
            array.Set(5, true);

            AsnWriter writer = new AsnWriter(ruleSet);

            writer.WriteNamedBitList(array);

            Verify(writer, kuExt.RawData.ByteArrayToHex());
        }
Esempio n. 11
0
        public void WrongExtension_X509KeyUsageExtension()
        {
            X509KeyUsageExtension         ku = new X509KeyUsageExtension();
            X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension();

            bc.CopyFrom(ku);
        }
Esempio n. 12
0
        static X509Certificate2 GenerateCertificate(DateTime?notBefore = null, DateTime?notAfter = null, bool addServerAuthentication = true, bool addClientAuthentication = true)
        {
            var name    = Guid.NewGuid().ToString("N");
            var builder = new SubjectAlternativeNameBuilder();

            builder.AddDnsName(name);

            var dn = new X500DistinguishedName($"CN={name}");

            using (var rsa = RSA.Create(2048))
            {
                var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true);
                request.CertificateExtensions.Add(usage);

                var oids = new OidCollection();
                if (addServerAuthentication)
                {
                    oids.Add(new Oid("1.3.6.1.5.5.7.3.1"));
                }
                if (addClientAuthentication)
                {
                    oids.Add(new Oid("1.3.6.1.5.5.7.3.2"));
                }

                request.CertificateExtensions.Add(
                    new X509EnhancedKeyUsageExtension(oids, false));

                request.CertificateExtensions.Add(builder.Build());

                return(request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5))));
            }
        }
Esempio n. 13
0
 // Token: 0x06001C2C RID: 7212 RVA: 0x0006F7E8 File Offset: 0x0006D9E8
 private bool IsValidUsage(X509Certificate2 cert, X509KeyUsageFlags expectedUsage)
 {
     for (int i = 0; i < cert.Extensions.Count; i++)
     {
         if (cert.Extensions[i].Oid.Value == WellKnownOid.KeyUsage.Value)
         {
             X509KeyUsageExtension x509KeyUsageExtension = (X509KeyUsageExtension)cert.Extensions[i];
             if ((expectedUsage & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature))
             {
                 return(true);
             }
             if ((expectedUsage & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.NonRepudiation))
             {
                 return(true);
             }
             if ((expectedUsage & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment))
             {
                 return(true);
             }
             if ((expectedUsage & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.DataEncipherment))
             {
                 return(true);
             }
         }
     }
     return(false);
 }
Esempio n. 14
0
        public static void VerifyReadNamedBitList_KeyUsage_OneByte(AsnEncodingRules ruleSet)
        {
            //     KeyUsage ::= BIT STRING {
            //       digitalSignature   (0),
            //       nonRepudiation     (1),
            //       keyEncipherment    (2),
            //       dataEncipherment   (3),
            //       keyAgreement       (4),
            //       keyCertSign        (5),
            //       cRLSign            (6),
            //       encipherOnly       (7),
            //       decipherOnly       (8) }

            X509KeyUsageExtension kuExt = new X509KeyUsageExtension(
                X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
                critical: false);

            BitArray expected = new BitArray(7);

            expected.Set(6, true);
            expected.Set(5, true);

            AsnReader reader = new AsnReader(kuExt.RawData, ruleSet);
            BitArray  actual = reader.ReadNamedBitList();

            Assert.Equal(expected.Cast <bool>(), actual.Cast <bool>());
        }
        public X509Certificate2 GenerateCertificate(DateTime? notBefore = null, DateTime? notAfter = null)
        {
            var name = Guid.NewGuid().ToString("N");
            var builder = new SubjectAlternativeNameBuilder();
            builder.AddDnsName(name);

            var dn = new X500DistinguishedName($"CN={name}");
            using (var rsa = RSA.Create(2048))
            {
                var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true);
                request.CertificateExtensions.Add(usage);

                var oids = new OidCollection
                {
                    new Oid("1.3.6.1.5.5.7.3.1"), // Server authentication
                    new Oid("1.3.6.1.5.5.7.3.2") // Client authentication
                };

                request.CertificateExtensions.Add(
                   new X509EnhancedKeyUsageExtension(oids, false));

                request.CertificateExtensions.Add(builder.Build());

                var certificate = request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5)));
                var bytes = certificate.Export(X509ContentType.Pfx);
                return new X509Certificate2(bytes, null as string, X509KeyStorageFlags.Exportable); // don't ask me why, but this is required for some tests to work; i.e. Mtls tests
            }
        }
Esempio n. 16
0
        public void WrongExtension_X509Extension_KeyUsages()
        {
            X509Extension         ex = new X509Extension("1.2.3", new byte[0], true);
            X509KeyUsageExtension ku = new X509KeyUsageExtension();

            ku.CopyFrom(ex);
            Assert.AreEqual(0, ku.KeyUsages, "KeyUsages");
        }
Esempio n. 17
0
        /// <summary>
        /// Metodo para escribir el certificado de seguridad
        /// </summary>
        /// <param name="xCertificate"></param>
        ///<remarks>
        /// Autor:          José Faustino Posas
        /// Company:        Ssoft Colombia
        /// Fecha:          2012-01-16
        /// -------------------
        /// Control de Cambios
        /// -------------------
        /// Autor:
        /// Fecha:
        /// Descripción:
        /// </remarks>
        public string setCertificateWriten(X509Certificate2 xCertificate)
        {
            string sCertificate = null;

            try
            {
                X509Certificate2   objCert   = xCertificate; //Acá tenemos que poner el certificado
                StringBuilder      objSB     = new StringBuilder("Detalle del certificado: \n\n");
                SymmetricAlgorithm algoritmo = SymmetricAlgorithm.Create("Rijndael");

                //Detalle
                objSB.AppendLine("Persona = " + objCert.Subject);
                objSB.AppendLine("Emisor = " + objCert.Issuer);
                objSB.AppendLine("Válido desde = " + objCert.NotBefore.ToString());
                objSB.AppendLine("Válido hasta = " + objCert.NotAfter.ToString());
                objSB.AppendLine("Tamaño de la clave = " + objCert.PublicKey.Key.KeySize.ToString());
                objSB.AppendLine("Valor de la clave = " + objCert.GetPublicKeyString().ToString());
                objSB.AppendLine("Algoritmo de la clave = " + objCert.GetKeyAlgorithm().ToString());
                objSB.AppendLine("Número de serie = " + objCert.SerialNumber);
                objSB.AppendLine("Hash = " + objCert.Thumbprint);
                //Extensiones
                objSB.AppendLine("\nExtensiones:\n");
                foreach (X509Extension objExt in objCert.Extensions)
                {
                    objSB.AppendLine(objExt.Oid.FriendlyName + " (" + objExt.Oid.Value + ')');
                    if (objExt.Oid.FriendlyName == "Key Usage")
                    {
                        X509KeyUsageExtension ext = (X509KeyUsageExtension)objExt;
                        objSB.AppendLine("    " + ext.KeyUsages);
                    }
                    if (objExt.Oid.FriendlyName == "Basic Constraints")
                    {
                        X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)objExt;
                        objSB.AppendLine("    " + ext.CertificateAuthority);
                        objSB.AppendLine("    " + ext.HasPathLengthConstraint);
                        objSB.AppendLine("    " + ext.PathLengthConstraint);
                    }
                    if (objExt.Oid.FriendlyName == "Subject Key Identifier")
                    {
                        X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension)objExt;
                        objSB.AppendLine("    " + ext.SubjectKeyIdentifier);
                    }
                    if (objExt.Oid.FriendlyName == "Enhanced Key Usage") //2.5.29.37
                    {
                        X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)objExt;
                        OidCollection objOids             = ext.EnhancedKeyUsages;
                        foreach (Oid oid in objOids)
                        {
                            objSB.AppendLine("    " + oid.FriendlyName + " (" + oid.Value + ')');
                        }
                    }
                }
                sCertificate = objSB.ToString();
                //Debug.Print(objSB.ToString());
            }
            catch { }
            return(sCertificate);
        }
        public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
        {
            var signatures = graph.VisitAll(SignatureKind.AnySignature);
            var pass       = false;

            foreach (var signature in signatures)
            {
                string  serialNumber = "";
                string  KU           = "";
                Boolean KUCritical   = false;
                int     KU_extension = 0;

                string thumbprint = signature.Certificate.Thumbprint;
                serialNumber = signature.Certificate.SerialNumber;
                X509ExtensionCollection extensions = signature.Certificate.Extensions;
                foreach (X509Extension extension in extensions)
                {
                    //extension.Oid.FriendlyName
                    Console.WriteLine(extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")");


                    if (extension.Oid.FriendlyName == "Key Usage")
                    {
                        X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
                        KUCritical = ext.Critical;
                        KU         = ext.KeyUsages.ToString();
                        Console.WriteLine(KU);
                        KU_extension++;
                    }
                }

                if (KU_extension == 1)
                {
                    if (KUCritical)
                    {
                        verboseWriter.LogSignatureMessage(signature, "Key Usage extension is marked critical.");
                        pass = true;
                    }
                    else
                    {
                        verboseWriter.LogSignatureMessage(signature, "Key Usage extension is not marked critical.");
                        pass = false;
                    }
                }
                else if (KU_extension == 0)
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature does not have Key Usage extension.");
                    pass = false;
                }
                else if (KU_extension > 1)
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature has duplicate Key Usage extension.");
                    pass = false;
                }
            }

            return(pass ? TestResult.Pass : TestResult.Fail);
        }
Esempio n. 19
0
        static void Main(string[] args)
        {
            //Fetch certificates in the currently connected card
            List <X509Certificate2> cardCertificates = new List <X509Certificate2>();

            try
            {
                cardCertificates.AddRange(BaseSmartCardCryptoProvider.GetCertificates());
            }
            catch (Win32Exception ex)
            {
                Console.WriteLine(ex.Message);
            }
            X509Certificate2 digitalSignatureCertificate = null;

            //Get the certificate that has non repudiation key usage as it is the digital signature key for the Kuwaiti civil id
            foreach (X509Certificate2 x509 in cardCertificates)
            {
                foreach (X509Extension extension in x509.Extensions)
                {
                    //OID 2.5.29.15 is for key usage
                    if (extension.Oid.Value.Equals("2.5.29.15"))
                    {
                        X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
                        if (((ext.KeyUsages & X509KeyUsageFlags.NonRepudiation) | (ext.KeyUsages & X509KeyUsageFlags.DigitalSignature)) == (X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DigitalSignature))
                        {
                            digitalSignatureCertificate = x509;
                        }
                    }
                }
            }

            //See if digital signature certificate was found
            if (digitalSignatureCertificate != null)
            {
                //Export the public key which will be used in validation
                X509Certificate2 publicKeySigning = new X509Certificate2(digitalSignatureCertificate.Export(X509ContentType.Cert));

                //Read the pin
                Console.Write("Please enter your pin: ");
                string pin = Console.ReadLine();

                //Load XML document to be signed
                string xmlData = File.ReadAllText(@"XMLDocuments\cd_catalog.xml");
                //Sign the XML document
                string signedXMLData = Crypto.SignXml(xmlData, digitalSignatureCertificate, true, pin);
                //Output the signed XML to file
                File.WriteAllText(@"XMLDocuments\cd_catalog_SIGNED.xml", signedXMLData);

                //Read a signed XML document
                signedXMLData = File.ReadAllText(@"XMLDocuments\cd_catalog_SIGNED.xml");
                //Validate the signed XML document using the embedded key in it
                Console.WriteLine("Verifying XML using internal signature STATUS = " + Crypto.VerifyXml(signedXMLData));
                //Validate the signed XML document using external certificate
                Console.WriteLine("Verifying XML using publicKey STATUS = " + Crypto.VerifyXml(signedXMLData, publicKeySigning));
            }
            Console.ReadKey();
        }
Esempio n. 20
0
        public void ConstructorAsnEncodedData_BadAsn()
        {
            AsnEncodedData        aed = new AsnEncodedData("1.2.3", new byte[0]);
            X509KeyUsageExtension ku  = new X509KeyUsageExtension(aed, true);

            Assert.AreEqual(String.Empty, ku.Format(true), "Format(true)");
            Assert.AreEqual(String.Empty, ku.Format(false), "Format(false)");
            X509KeyUsageFlags kuf = ku.KeyUsages;
        }
Esempio n. 21
0
        public void ConstructorAsnEncodedData_BadAsnTag()
        {
            AsnEncodedData        aed = new AsnEncodedData("1.2.3", new byte[] { 0x05, 0x00 });
            X509KeyUsageExtension ku  = new X509KeyUsageExtension(aed, true);

            Assert.AreEqual("0500", ku.Format(true), "Format(true)");
            Assert.AreEqual("0500", ku.Format(false), "Format(false)");
            X509KeyUsageFlags kuf = ku.KeyUsages;
        }
Esempio n. 22
0
        public X509Certificate2 CreateAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter, string subjectOverride, DiagnosticInformation diagnostics = null)
        {
            var subject    = new X500DistinguishedName(subjectOverride ?? LocalhostHttpsDistinguishedName);
            var extensions = new List <X509Extension>();
            var sanBuilder = new SubjectAlternativeNameBuilder();

            sanBuilder.AddDnsName(LocalhostHttpsDnsName);

            var keyUsage         = new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, critical: true);
            var enhancedKeyUsage = new X509EnhancedKeyUsageExtension(
                new OidCollection()
            {
                new Oid(
                    ServerAuthenticationEnhancedKeyUsageOid,
                    ServerAuthenticationEnhancedKeyUsageOidFriendlyName)
            },
                critical: true);

            var basicConstraints = new X509BasicConstraintsExtension(
                certificateAuthority: false,
                hasPathLengthConstraint: false,
                pathLengthConstraint: 0,
                critical: true);

            byte[] bytePayload;

            if (AspNetHttpsCertificateVersion != 0)
            {
                bytePayload    = new byte[1];
                bytePayload[0] = (byte)AspNetHttpsCertificateVersion;
            }
            else
            {
                bytePayload = Encoding.ASCII.GetBytes(AspNetHttpsOidFriendlyName);
            }

            var aspNetHttpsExtension = new X509Extension(
                new AsnEncodedData(
                    new Oid(AspNetHttpsOid, AspNetHttpsOidFriendlyName),
                    bytePayload),
                critical: false);

            extensions.Add(basicConstraints);
            extensions.Add(keyUsage);
            extensions.Add(enhancedKeyUsage);
            extensions.Add(sanBuilder.Build(critical: true));
            extensions.Add(aspNetHttpsExtension);

            var certificate = CreateSelfSignedCertificate(subject, extensions, notBefore, notAfter);

            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            {
                certificate.FriendlyName = AspNetHttpsOidFriendlyName;
            }

            return(certificate);
        }
            // Adapted to System 2.0+ from TlsServerCertificate.cs
            //------------------------------
            // Note: this method only works for RSA certificates
            // DH certificates requires some changes - does anyone use one ?
            private static bool CheckCertificateUsage(X509Certificate2 cert)
            {
                try
                {
                    // certificate extensions are required for this
                    // we "must" accept older certificates without proofs
                    if (cert.Version < 3)
                    {
                        return(true);
                    }

                    X509KeyUsageExtension         kux = (cert.Extensions["2.5.29.15"] as X509KeyUsageExtension);
                    X509EnhancedKeyUsageExtension eku = (cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension);
                    if (kux != null && eku != null)
                    {
                        // RFC3280 states that when both KeyUsageExtension and
                        // ExtendedKeyUsageExtension are present then BOTH should
                        // be valid
                        if ((kux.KeyUsages & s_flags) == 0)
                        {
                            return(false);
                        }
                        return(eku.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || eku.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
                    }
                    else if (kux != null)
                    {
                        return((kux.KeyUsages & s_flags) != 0);
                    }
                    else if (eku != null)
                    {
                        // Server Authentication (1.3.6.1.5.5.7.3.1) or
                        // Netscape Server Gated Crypto (2.16.840.1.113730.4)
                        return(eku.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || eku.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
                    }

                    // last chance - try with older (deprecated) Netscape extensions
                    X509Extension ext = cert.Extensions["2.16.840.1.113730.1.1"];
                    if (ext != null)
                    {
                        string text = ext.NetscapeCertType(false);
                        return(text.IndexOf("SSL Server Authentication", StringComparison.Ordinal) != -1);
                    }
                    return(true);
                }
                catch (Exception e)
                {
#if SSHARP
                    ErrorLog.Error("ERROR processing certificate: {0}", e);
                    ErrorLog.Error("Please, report this problem to the Mono team");
#else
                    Console.Error.WriteLine("ERROR processing certificate: {0}", e);
                    Console.Error.WriteLine("Please, report this problem to the Mono team");
#endif
                    return(false);
                }
            }
Esempio n. 24
0
 internal string KeyUsageExtension(bool multiLine)
 {
     try {
         X509KeyUsageExtension ku = new X509KeyUsageExtension(this, false);
         return(ku.ToString(multiLine));
     }
     catch {
         return(String.Empty);
     }
 }
Esempio n. 25
0
        public X509Certificate2Collection GetCertificates()
        {
            X509Certificate2Collection certs = new X509Certificate2Collection();
            X509Store certificateStore       = new X509Store(StoreName.My, StoreLocation.CurrentUser);

            try
            {
                certificateStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
                foreach (X509Certificate2 certificate in certificateStore.Certificates)
                {
                    if (certificate.HasPrivateKey)
                    {
                        bool digitalSignatureUsage     = false;
                        bool clientAuthEnhancedUsage   = false;
                        bool enhancedKeyUsageSupported = false;

                        foreach (X509Extension extension in certificate.Extensions)
                        {
                            X509KeyUsageExtension keyUsage = extension as X509KeyUsageExtension;
                            if (keyUsage != null)
                            {
                                digitalSignatureUsage = (keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0;
                            }
                            else
                            {
                                X509EnhancedKeyUsageExtension enhancedKeyUsage = extension as X509EnhancedKeyUsageExtension;
                                if (enhancedKeyUsage != null && enhancedKeyUsage.EnhancedKeyUsages != null)
                                {
                                    enhancedKeyUsageSupported = true;
                                    foreach (var oid in enhancedKeyUsage.EnhancedKeyUsages)
                                    {
                                        if (oid.Value == OidClientAuthValue)
                                        {
                                            clientAuthEnhancedUsage = true;
                                            break;
                                        }
                                    }
                                }
                            }
                        }

                        if (digitalSignatureUsage && (!enhancedKeyUsageSupported || clientAuthEnhancedUsage))
                        {
                            certs.Add(certificate);
                        }
                    }
                }
            }
            finally
            {
                certificateStore.Dispose();
            }

            return(certs);
        }
Esempio n. 26
0
        public static void DecodeFromBER()
        {
            // Extensions encoded inside PKCS#8 on Windows may use BER encoding that would be invalid DER.
            // Ensure that no exception is thrown and the value is decoded correctly.
            X509KeyUsageExtension ext;

            ext = new X509KeyUsageExtension(new AsnEncodedData("230403020080".HexToByteArray()), false);
            Assert.Equal(X509KeyUsageFlags.DigitalSignature, ext.KeyUsages);
            ext = new X509KeyUsageExtension(new AsnEncodedData("038200020080".HexToByteArray()), false);
            Assert.Equal(X509KeyUsageFlags.DigitalSignature, ext.KeyUsages);
        }
Esempio n. 27
0
        public static void DefaultConstructor()
        {
            X509KeyUsageExtension e = new X509KeyUsageExtension();
            string oidValue         = e.Oid.Value;

            Assert.Equal("2.5.29.15", oidValue);
            Assert.Empty(e.RawData);
            X509KeyUsageFlags keyUsages = e.KeyUsages;

            Assert.Equal(X509KeyUsageFlags.None, keyUsages);
        }
        /// <summary>
        /// Gets the
        /// </summary>
        /// <param name="certificate"></param>
        /// <returns></returns>
        public static X509KeyUsageFlags GetKeyUsage(this X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                return(X509KeyUsageFlags.None);
            }

            X509KeyUsageExtension kue = (certificate.Extensions[X509Extensions.KeyUsage.ToString()] as X509KeyUsageExtension);

            return(kue == null ? X509KeyUsageFlags.None : kue.KeyUsages);
        }
Esempio n. 29
0
        // [ExpectedException (typeof (...))]
        public void ConstructorKeyUsage_Invalid()
        {
            X509KeyUsageFlags     kuf = (X509KeyUsageFlags)Int32.MinValue;
            X509KeyUsageExtension ku  = new X509KeyUsageExtension(kuf, false);

            Assert.AreEqual(0, (int)ku.KeyUsages, "KeyUsages");
            Assert.AreEqual("03-01-00", BitConverter.ToString(ku.RawData), "RawData");
            // FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows.
            //Assert.AreEqual ("Information Not Available", ku.Format (true), "Format(true)");
            //Assert.AreEqual ("Information Not Available", ku.Format (false), "Format(false)");
        }
Esempio n. 30
0
        public void WrongExtension_X509Extension()
        {
            X509Extension         ex = new X509Extension("1.2.3", new byte [0], true);
            X509KeyUsageExtension ku = new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign, true);

            ku.CopyFrom(ex);
            Assert.IsTrue(ku.Critical, "Critical");
            Assert.AreEqual(String.Empty, BitConverter.ToString(ku.RawData), "RawData");
            Assert.AreEqual("1.2.3", ku.Oid.Value, "Oid.Value");
            Assert.IsNull(ku.Oid.FriendlyName, "Oid.FriendlyName");
        }
Esempio n. 31
0
        public static void ReadInvalidExtension_KeyUsage()
        {
            X509KeyUsageExtension keyUsageExtension =
                new X509KeyUsageExtension(new AsnEncodedData(Array.Empty<byte>()), false);

            Assert.ThrowsAny<CryptographicException>(() => keyUsageExtension.KeyUsages);
        }
Esempio n. 32
0
		internal string KeyUsageExtension (bool multiLine)
		{
			try {
				X509KeyUsageExtension ku = new X509KeyUsageExtension  (this, false);
				return ku.ToString (multiLine);
			}
			catch {
				return String.Empty;
			}
		}
Esempio n. 33
0
        private static void TestKeyUsageExtension(X509KeyUsageFlags flags, bool critical, byte[] expectedDer)
        {
            X509KeyUsageExtension ext = new X509KeyUsageExtension(flags, critical);
            byte[] rawData = ext.RawData;
            Assert.Equal(expectedDer, rawData);

            // Assert that format doesn't crash
            string s = ext.Format(false);

            // Rebuild it from the RawData.
            ext = new X509KeyUsageExtension(new AsnEncodedData(rawData), critical);
            Assert.Equal(flags, ext.KeyUsages);
        }
Esempio n. 34
0
 public static void KeyUsageExtensionDefaultCtor()
 {
     X509KeyUsageExtension e = new X509KeyUsageExtension();
     string oidValue = e.Oid.Value;
     Assert.Equal("2.5.29.15", oidValue);
     byte[] r = e.RawData;
     Assert.Null(r);
     X509KeyUsageFlags keyUsages = e.KeyUsages;
     Assert.Equal(X509KeyUsageFlags.None, keyUsages);
 }