public static void AddReadOnlyThrowsWhenCertificateExists()
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadOnly);
X509Certificate2 toAdd = null;
// Look through the certificates to find one with no private key to call add on.
// (The private key restriction is so that in the event of an "accidental success"
// that no potential permissions would be modified)
using (var coll = new ImportedCollection(store.Certificates))
{
foreach (X509Certificate2 cert in coll.Collection)
{
if (!cert.HasPrivateKey)
{
toAdd = cert;
break;
}
}
if (toAdd != null)
{
Assert.ThrowsAny<CryptographicException>(() => store.Add(toAdd));
}
}
}
}
public static void ImportPkcs7PemFile_Chain()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "certchain.p7c")))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(3, collection.Count);
}
}
public static void ImportPkcs7PemBytes_Chain()
{
using (ImportedCollection ic = Cert.Import(TestData.Pkcs7ChainPemBytes))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(3, collection.Count);
}
}
public static void ImportPkcs7DerFile_Single()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "singlecert.p7b")))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
}
}
public static void ImportPkcs7DerBytes_Single()
{
using (ImportedCollection ic = Cert.Import(TestData.Pkcs7SingleDerBytes))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
}
}
public static void ImportPkcs7DerFile_Empty()
{
using (ImportedCollection ic = Cert.Import(TestFiles.Pkcs7EmptyDerFile))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(0, collection.Count);
}
}
public static void ImportX509DerFile()
{
using (ImportedCollection ic = Cert.Import(TestFiles.MsCertificateDerFile))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
}
}
public static void ImportX509PemFile()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "MS.pem")))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
}
}
public static void ImportEmpty_Pkcs12()
{
using (ImportedCollection ic = Cert.Import(TestData.EmptyPfx))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(0, collection.Count);
}
}
public static void ImportX509PemBytes()
{
using (ImportedCollection ic = Cert.Import(TestData.MsCertificatePemBytes))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
}
}
public static void ImportPkcs12File_Chain()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword, X509KeyStorageFlags.DefaultKeySet))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
}
}
public static void ImportPkcs12Bytes_Chain()
{
using (ImportedCollection ic = Cert.Import(TestData.ChainPfxBytes, TestData.ChainPfxPassword, X509KeyStorageFlags.DefaultKeySet))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
}
}
public static void ImportPkcs12Bytes_Single()
{
using (ImportedCollection ic = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, X509KeyStorageFlags.DefaultKeySet))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
}
}
public static void ImportPkcs12File_Single()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "My.pfx"), TestData.PfxDataPassword, X509KeyStorageFlags.DefaultKeySet))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
}
}
public static void ImportPkcs12File_Single(X509KeyStorageFlags keyStorageFlags)
{
using (ImportedCollection ic = Cert.Import(TestFiles.PfxFile, TestData.PfxDataPassword, keyStorageFlags))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
}
}
public static void ImportPkcs12File_Chain(X509KeyStorageFlags keyStorageFlags)
{
using (ImportedCollection ic = Cert.Import(TestFiles.ChainPfxFile, TestData.ChainPfxPassword, keyStorageFlags))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
}
}
public static void ImportPkcs7PemFile_Single()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "singlecert.p7c")))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
Assert.Equal("D5B5BC1C458A558845BFF51CB4DFF31C", collection[0].SerialNumber);
}
}
public static void ImportPkcs7PemFile_Single()
{
using (ImportedCollection ic = Cert.Import(TestFiles.Pkcs7SinglePemFile))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
Assert.Equal("D5B5BC1C458A558845BFF51CB4DFF31C", collection[0].SerialNumber);
}
}
public static void ImportPkcs12Bytes_Single_VerifyContents_SpanSpan(X509KeyStorageFlags keyStorageFlags)
{
ReadOnlySpan <byte> rawData = TestData.PfxData.AsSpan();
ReadOnlySpan <char> password = TestData.PfxDataPassword.AsSpan();
using (ImportedCollection ic = Cert.Import(rawData, password, keyStorageFlags))
{
ImportPkcs12Bytes_Single_VerifyContents(ic);
}
}
public static void EphemeralKeySet_OSX()
{
// EphemeralKeySet fails when loading a PFX, and is ignored otherwise.
using (ImportedCollection coll = Cert.Import(TestData.Pkcs7ChainDerBytes, null, X509KeyStorageFlags.EphemeralKeySet))
{
Assert.Equal(3, coll.Collection.Count);
}
Assert.Throws <PlatformNotSupportedException>(
() => new X509Certificate2(TestData.EmptyPfx, string.Empty, X509KeyStorageFlags.EphemeralKeySet));
}
public static void ImportPkcs12ByteSpan_Chain_SpanPassword(X509KeyStorageFlags keyStorageFlags)
{
ReadOnlySpan <byte> data = TestData.ChainPfxBytes.AsSpan();
ReadOnlySpan <char> password = TestData.ChainPfxPassword.AsSpan();
using (ImportedCollection ic = Cert.Import(data, password, keyStorageFlags))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
}
}
public static void EnumerateDisallowedStore(StoreLocation location)
{
using (X509Store store = new X509Store(StoreName.Disallowed, location))
{
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
using (var storeCerts = new ImportedCollection(store.Certificates))
{
// That's all. We enumerated it.
// There might not even be data in it.
}
}
}
private static void AssertEqualContents(X509Store storeA, X509Store storeB)
{
Assert.NotSame(storeA, storeB);
using (var storeATracker = new ImportedCollection(storeA.Certificates))
using (var storeBTracker = new ImportedCollection(storeB.Certificates))
{
X509Certificate2Collection storeACerts = storeATracker.Collection;
X509Certificate2Collection storeBCerts = storeBTracker.Collection;
Assert.Equal(storeACerts.OfType <X509Certificate2>(), storeBCerts.OfType <X509Certificate2>());
}
}
private static bool IsCertInStore(X509Certificate2 cert, X509Store store)
{
using (ImportedCollection coll = new ImportedCollection(store.Certificates))
{
foreach (X509Certificate2 storeCert in coll.Collection)
{
if (cert.Equals(storeCert))
{
return(true);
}
}
}
return(false);
}
public static void ImportPkcs12File_Single_SpanPassword(X509KeyStorageFlags keyStorageFlags)
{
Span <char> password = stackalloc char[30];
password.Fill('Z');
TestData.PfxDataPassword.AsSpan().CopyTo(password.Slice(1));
password = password.Slice(1, TestData.PfxDataPassword.Length);
using (ImportedCollection ic = Cert.Import(TestFiles.PfxFile, password, keyStorageFlags))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
}
}
private static bool StoreHasPrivateKey(X509Store store, X509Certificate2 forCert)
{
using (ImportedCollection coll = new ImportedCollection(store.Certificates))
{
foreach (X509Certificate2 storeCert in coll.Collection)
{
if (forCert.Equals(storeCert))
{
return(storeCert.HasPrivateKey);
}
}
}
Assert.True(false, $"Certificate ({forCert.Subject}) exists in the store");
return(false);
}
public static void ReadMyCertificates()
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadOnly);
using (var coll = new ImportedCollection(store.Certificates))
{
int certCount = coll.Collection.Count;
// This assert is just so certCount appears to be used, the test really
// is that store.get_Certificates didn't throw.
Assert.True(certCount >= 0);
}
}
}
public static void ReadMyCertificates()
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadOnly);
using (var coll = new ImportedCollection(store.Certificates))
{
int certCount = coll.Collection.Count;
// This assert is just so certCount appears to be used, the test really
// is that store.get_Certificates didn't throw.
Assert.True(certCount >= 0);
}
}
}
public static void EnumerateDisallowedStore(StoreLocation location, bool useEnum)
{
X509Store store = useEnum
? new X509Store(StoreName.Disallowed, location)
// Non-normative casing, proving that we aren't case-sensitive (Windows isn't)
: new X509Store("disallowed", location);
using (store)
{
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
using (var storeCerts = new ImportedCollection(store.Certificates))
{
// That's all. We enumerated it.
// There might not even be data in it.
}
}
}
private static void ImportPkcs12Bytes_Single_VerifyContents(ImportedCollection ic)
{
using (var pfxCer = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, Cert.EphemeralIfPossible))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
using (X509Certificate2 c = cc2[0])
{
// pfxCer was loaded directly, cc2[0] was Imported, two distinct copies.
Assert.NotSame(pfxCer, c);
Assert.Equal(pfxCer, c);
Assert.Equal(pfxCer.Thumbprint, c.Thumbprint);
}
}
}
public static void AddReadOnlyThrows()
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
using (X509Certificate2 cert = new X509Certificate2(TestData.MsCertificate))
{
store.Open(OpenFlags.ReadOnly);
using (var coll = new ImportedCollection(store.Certificates))
{
// Add only throws when it has to do work. If, for some reason, this certificate
// is already present in the CurrentUser\My store, we can't really test this
// functionality.
if (!coll.Collection.Contains(cert))
{
Assert.ThrowsAny <CryptographicException>(() => store.Add(cert));
}
}
}
}
public static void BuildChainExtraStoreUntrustedRoot()
{
using (var testCert = new X509Certificate2(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword))
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword, X509KeyStorageFlags.DefaultKeySet))
using (var chainHolder = new ChainHolder())
{
X509Certificate2Collection collection = ic.Collection;
X509Chain chain = chainHolder.Chain;
chain.ChainPolicy.ExtraStore.AddRange(collection);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationTime = new DateTime(2015, 9, 22, 12, 25, 0);
bool valid = chain.Build(testCert);
Assert.False(valid);
Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.UntrustedRoot);
}
}
public static void AddReadOnlyThrows()
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
using (X509Certificate2 cert = new X509Certificate2(TestData.MsCertificate))
{
store.Open(OpenFlags.ReadOnly);
using (var coll = new ImportedCollection(store.Certificates))
{
// Add only throws when it has to do work. If, for some reason, this certificate
// is already present in the CurrentUser\My store, we can't really test this
// functionality.
if (!coll.Collection.Contains(cert))
{
Assert.ThrowsAny<CryptographicException>(() => store.Add(cert));
}
}
}
}
private static void X509Store_AddOneAfterUpgrade()
{
RunX509StoreTest(
(store, storeDirectory) =>
{
using (var cert = new X509Certificate2(TestData.MsCertificate))
{
store.Open(OpenFlags.ReadOnly);
// Adding a certificate when the store is ReadOnly should fail:
Assert.Throws<CryptographicException>(() => store.Add(cert));
// Since we haven't done anything yet, we shouldn't have polluted the hard drive.
Assert.False(Directory.Exists(storeDirectory), "Directory.Exists(storeDirectory)");
// Calling Open on an open store changes the access rights:
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
Assert.True(Directory.Exists(storeDirectory), "Directory.Exists(storeDirectory)");
Assert.Equal(1, Directory.GetFiles(storeDirectory).Length);
using (var coll = new ImportedCollection(store.Certificates))
{
X509Certificate2Collection storeCerts = coll.Collection;
Assert.Equal(1, storeCerts.Count);
using (X509Certificate2 storeCert = storeCerts[0])
{
Assert.Equal(cert, storeCert);
Assert.NotSame(cert, storeCert);
}
}
}
});
}
public static void RemoveReadOnlyThrowsWhenFound()
{
// This test is unfortunate, in that it will mostly never test.
// In order to do so it would have to open the store ReadWrite, put in a known value,
// and call Remove on a ReadOnly copy.
//
// Just calling Remove on the first item found could also work (when the store isn't empty),
// but if it fails the cost is too high.
//
// So what's the purpose of this test, you ask? To record why we're not unit testing it.
// And someone could test it manually if they wanted.
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
using (X509Certificate2 cert = new X509Certificate2(TestData.MsCertificate))
{
store.Open(OpenFlags.ReadOnly);
using (var coll = new ImportedCollection(store.Certificates))
{
if (coll.Collection.Contains(cert))
{
Assert.ThrowsAny<CryptographicException>(() => store.Remove(cert));
}
}
}
}
public static void Constructor_StoreHandle()
{
using (X509Store store1 = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store1.Open(OpenFlags.ReadOnly);
int certCount1;
using (var coll = new ImportedCollection(store1.Certificates))
{
certCount1 = coll.Collection.Count;
Assert.True(certCount1 >= 0);
}
using (X509Store store2 = new X509Store(store1.StoreHandle))
{
using (var coll = new ImportedCollection(store2.Certificates))
{
int certCount2 = coll.Collection.Count;
Assert.Equal(certCount1, certCount2);
}
}
}
}
private static void X509Store_AddOne()
{
RunX509StoreTest(
(store, storeDirectory) =>
{
using (var cert = new X509Certificate2(TestData.MsCertificate))
{
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
Assert.True(Directory.Exists(storeDirectory), "Directory.Exists(storeDirectory)");
Assert.Equal(1, Directory.GetFiles(storeDirectory).Length);
using (var coll = new ImportedCollection(store.Certificates))
{
X509Certificate2Collection storeCerts = coll.Collection;
Assert.Equal(1, storeCerts.Count);
using (X509Certificate2 storeCert = storeCerts[0])
{
Assert.Equal(cert, storeCert);
Assert.NotSame(cert, storeCert);
}
}
}
});
}
private static void X509Store_FiltersDuplicateOnLoad()
{
RunX509StoreTest(
(store, storeDirectory) =>
{
using (var certA = new X509Certificate2(TestData.MsCertificate))
{
store.Open(OpenFlags.ReadWrite);
store.Add(certA);
// Emulate a race condition of parallel adds with the following flow
// AdderA: Notice [thumbprint].pfx is available, create it (0 bytes)
// AdderB: Notice [thumbprint].pfx already exists, but can't be read, move to [thumbprint].1.pfx
// AdderA: finish write
// AdderB: finish write
string[] files = Directory.GetFiles(storeDirectory, "*.pfx");
Assert.Equal(1, files.Length);
string srcFile = files[0];
string baseName = Path.GetFileNameWithoutExtension(srcFile);
string destFile = Path.Combine(storeDirectory, srcFile + ".1.pfx");
File.Copy(srcFile, destFile);
using (var coll = new ImportedCollection(store.Certificates))
{
Assert.Equal(1, coll.Collection.Count);
Assert.Equal(certA, coll.Collection[0]);
}
// Also check that remove removes both files.
store.Remove(certA);
string[] filesAfter = Directory.GetFiles(storeDirectory, "*.pfx");
Assert.Equal(0, filesAfter.Length);
}
});
}
private static void AssertEqualContents(X509Store storeA, X509Store storeB)
{
Assert.NotSame(storeA, storeB);
using (var storeATracker = new ImportedCollection(storeA.Certificates))
using (var storeBTracker = new ImportedCollection(storeB.Certificates))
{
X509Certificate2Collection storeACerts = storeATracker.Collection;
X509Certificate2Collection storeBCerts = storeBTracker.Collection;
Assert.Equal(storeACerts.OfType<X509Certificate2>(), storeBCerts.OfType<X509Certificate2>());
}
}
public static void MachineRootStore_NonEmpty()
{
// This test will fail on systems where the administrator has gone out of their
// way to prune the trusted CA list down below this threshold.
//
// As of 2016-01-25, Ubuntu 14.04 has 169, and CentOS 7.1 has 175, so that'd be
// quite a lot of pruning.
//
// And as of 2016-01-29 we understand the Homebrew-installed root store, with 180.
const int MinimumThreshold = 5;
using (X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
using (var storeCerts = new ImportedCollection(store.Certificates))
{
int certCount = storeCerts.Collection.Count;
Assert.InRange(certCount, MinimumThreshold, int.MaxValue);
}
}
}
