public void CrlInternalBuilderTest() { var dname = new X500DistinguishedName("CN=Test"); var hash = HashAlgorithmName.SHA256; var crlBuilder = CrlBuilder.Create(dname, hash) .SetNextUpdate(DateTime.Today.AddDays(30)); byte[] serial = new byte[] { 4, 5, 6, 7 }; var revokedarray = new RevokedCertificate(serial); crlBuilder.RevokedCertificates.Add(revokedarray); string serstring = "45678910"; var revokedstring = new RevokedCertificate(serstring); crlBuilder.RevokedCertificates.Add(revokedstring); crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(123)); var crlEncoded = crlBuilder.Encode(); Assert.NotNull(crlEncoded); var x509Crl = new X509CRL(); x509Crl.DecodeCrl(crlEncoded); Assert.NotNull(x509Crl); Assert.NotNull(x509Crl.CrlExtensions); Assert.NotNull(x509Crl.RevokedCertificates); Assert.AreEqual(dname.RawData, x509Crl.IssuerName.RawData); //Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate); //Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate); Assert.AreEqual(2, x509Crl.RevokedCertificates.Count); Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate); Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber); Assert.AreEqual(1, x509Crl.CrlExtensions.Count); Assert.AreEqual(hash, x509Crl.HashAlgorithmName); }
public void CrlBuilderTest(KeyHashPair keyHashPair) { var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName) .SetThisUpdate(DateTime.UtcNow.Date) .SetNextUpdate(DateTime.UtcNow.Date.AddDays(30)); // little endian byte array as serial number? byte[] serial = new byte[] { 4, 5, 6, 7 }; var revokedarray = new RevokedCertificate(serial); crlBuilder.RevokedCertificates.Add(revokedarray); string serstring = "123456789101"; var revokedstring = new RevokedCertificate(serstring); crlBuilder.RevokedCertificates.Add(revokedstring); crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111)); crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert)); var i509Crl = crlBuilder.CreateForRSA(m_issuerCert); X509CRL x509Crl = new X509CRL(i509Crl.RawData); Assert.NotNull(x509Crl); Assert.NotNull(x509Crl.CrlExtensions); Assert.NotNull(x509Crl.RevokedCertificates); Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData); Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate); Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate); Assert.AreEqual(2, x509Crl.RevokedCertificates.Count); Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate); Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber); Assert.AreEqual(2, x509Crl.CrlExtensions.Count); Assert.True(x509Crl.VerifySignature(new X509Certificate2(m_issuerCert.RawData), true)); }
/// <summary> /// Revoke the certificates. /// </summary> /// <remarks> /// Merge all existing revoked certificates from CRL list. /// Add serialnumbers of new revoked certificates. /// The CRL number is increased by one and the new CRL is returned. /// </remarks> public static X509CRL RevokeCertificate( X509Certificate2 issuerCertificate, X509CRLCollection issuerCrls, X509Certificate2Collection revokedCertificates, DateTime thisUpdate, DateTime nextUpdate ) { if (!issuerCertificate.HasPrivateKey) { throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Issuer certificate has no private key, cannot revoke certificate."); } BigInteger crlSerialNumber = 0; var crlRevokedList = new Dictionary <string, RevokedCertificate>(); // merge all existing revocation list if (issuerCrls != null) { foreach (X509CRL issuerCrl in issuerCrls) { var extension = X509Extensions.FindExtension <X509CrlNumberExtension>(issuerCrl.CrlExtensions); if (extension != null && extension.CrlNumber > crlSerialNumber) { crlSerialNumber = extension.CrlNumber; } foreach (var revokedCertificate in issuerCrl.RevokedCertificates) { if (!crlRevokedList.ContainsKey(revokedCertificate.SerialNumber)) { crlRevokedList[revokedCertificate.SerialNumber] = revokedCertificate; } } } } // add existing serial numbers if (revokedCertificates != null) { foreach (var cert in revokedCertificates) { if (!crlRevokedList.ContainsKey(cert.SerialNumber)) { var entry = new RevokedCertificate(cert.SerialNumber, CRLReason.PrivilegeWithdrawn); crlRevokedList[cert.SerialNumber] = entry; } } } CrlBuilder crlBuilder = CrlBuilder.Create(issuerCertificate.SubjectName) .AddRevokedCertificates(crlRevokedList.Values.ToList()) .SetThisUpdate(thisUpdate) .SetNextUpdate(nextUpdate) .AddCRLExtension(X509Extensions.BuildAuthorityKeyIdentifier(issuerCertificate)) .AddCRLExtension(X509Extensions.BuildCRLNumber(crlSerialNumber + 1)); return(new X509CRL(crlBuilder.CreateForRSA(issuerCertificate))); }
public void CreateCRL() { // little endian byte array as serial number? byte[] serial = new byte[] { 1, 2, 3 }; var revokedarray = new RevokedCertificate(serial); var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, HashAlgorithmName.SHA256) .SetThisUpdate(DateTime.UtcNow.Date) .SetNextUpdate(DateTime.UtcNow.Date.AddDays(30)); crlBuilder.RevokedCertificates.Add(revokedarray); crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1)); crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert)); _ = crlBuilder.CreateForRSA(m_issuerCert); }
public void CrlBuilderTestWithSignatureGenerator(KeyHashPair keyHashPair) { var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName) .SetThisUpdate(DateTime.UtcNow.Date) .SetNextUpdate(DateTime.UtcNow.Date.AddDays(30)); // little endian byte array as serial number? byte[] serial = new byte[] { 4, 5, 6, 7 }; var revokedarray = new RevokedCertificate(serial); crlBuilder.RevokedCertificates.Add(revokedarray); string serstring = "709876543210"; var revokedstring = new RevokedCertificate(serstring); crlBuilder.RevokedCertificates.Add(revokedstring); crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111)); crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert)); IX509CRL ix509Crl; using (RSA rsa = m_issuerCert.GetRSAPrivateKey()) { X509SignatureGenerator generator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1); ix509Crl = crlBuilder.CreateSignature(generator); } X509CRL x509Crl = new X509CRL(ix509Crl); Assert.NotNull(x509Crl); Assert.NotNull(x509Crl.CrlExtensions); Assert.NotNull(x509Crl.RevokedCertificates); Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData); Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate); Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate); Assert.AreEqual(2, x509Crl.RevokedCertificates.Count); Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate); Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber); Assert.AreEqual(2, x509Crl.CrlExtensions.Count); using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData)) { Assert.True(x509Crl.VerifySignature(issuerPubKey, true)); } }
public void GlobalSetup() { m_issuerCert = CertificateBuilder.Create("CN=Root CA") .SetCAConstraint() .CreateForRSA(); m_certificate = CertificateBuilder.Create("CN=TestCert") .SetNotBefore(DateTime.Today.AddDays(-1)) .AddExtension( new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" })) .CreateForRSA(); var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, HashAlgorithmName.SHA256) .SetThisUpdate(DateTime.UtcNow.Date) .SetNextUpdate(DateTime.UtcNow.Date.AddDays(30)); var revokedarray = new RevokedCertificate(m_certificate.SerialNumber); crlBuilder.RevokedCertificates.Add(revokedarray); crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1)); crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert)); m_issuerCrl = crlBuilder.CreateForRSA(m_issuerCert); m_x509Crl = new X509CRL(m_issuerCrl.RawData); var random = new Random(); m_rsaPrivateKey = m_certificate.GetRSAPrivateKey(); m_rsaPublicKey = m_certificate.GetRSAPublicKey(); // blob size for RSA padding OaepSHA256 int blobSize = m_rsaPublicKey.KeySize / 8 - 66; m_randomByteArray = new byte[blobSize]; random.NextBytes(m_randomByteArray); m_encryptedByteArray = m_rsaPublicKey.Encrypt(m_randomByteArray, RSAEncryptionPadding.OaepSHA256); m_signature = m_rsaPrivateKey.SignData(m_randomByteArray, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); }