public void CreateSelfSignedForECDsaDefaultTest(ECCurveHashPair eccurveHashPair) { // default cert X509Certificate2 cert = CertificateBuilder.Create(Subject) .SetECCurve(eccurveHashPair.Curve) .CreateForECDsa(); Assert.NotNull(cert); WriteCertificate(cert, "Default ECDsa cert"); using (var privateKey = cert.GetECDsaPrivateKey()) { Assert.NotNull(privateKey); privateKey.ExportParameters(false); privateKey.ExportParameters(true); } using (var publicKey = cert.GetECDsaPublicKey()) { Assert.NotNull(publicKey); publicKey.ExportParameters(false); } Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore); Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime()); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); Assert.AreEqual(0, basicConstraintsExtension.PathLengthConstraint); var keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert.Extensions); Assert.NotNull(keyUsage); X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert), "Verify self signed."); }
public void VerifyOneSelfSignedAppCertForAll() { var builder = CertificateBuilder.Create(Subject) .SetNotBefore(DateTime.Today.AddYears(-1)) .SetNotAfter(DateTime.Today.AddYears(25)) .AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" })); byte[] previousSerialNumber = null; foreach (var eCCurveHash in ECCurveHashPairs) { if (!eCCurveHash.Curve.IsNamed) { continue; } using (var cert = builder .SetHashAlgorithm(eCCurveHash.HashAlgorithmName) .SetECCurve(eCCurveHash.Curve) .CreateForECDsa()) { Assert.NotNull(cert); WriteCertificate(cert, $"Default cert with ECDsa {eCCurveHash.Curve.Oid.FriendlyName} {eCCurveHash.HashAlgorithmName} signature."); Assert.AreEqual(eCCurveHash.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); // ensure serial numbers are different Assert.AreNotEqual(previousSerialNumber, cert.GetSerialNumber()); X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); } } }
public void CreateSelfSignedForRSADefaultTest() { // default cert X509Certificate2 cert = CertificateBuilder.Create(Subject).CreateForRSA(); Assert.NotNull(cert); WriteCertificate(cert, "Default RSA cert"); using (var privateKey = cert.GetRSAPrivateKey()) { Assert.NotNull(privateKey); privateKey.ExportParameters(false); privateKey.ExportParameters(true); } using (var publicKey = cert.GetRSAPublicKey()) { Assert.NotNull(publicKey); Assert.AreEqual(X509Defaults.RSAKeySize, publicKey.KeySize); publicKey.ExportParameters(false); } Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore); Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime()); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); X509Utils.VerifyRSAKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); }
public void VerifyOneSelfSignedAppCertForAll() { var builder = CertificateBuilder.Create(Subject) .SetNotBefore(DateTime.Today.AddYears(-1)) .SetNotAfter(DateTime.Today.AddYears(25)) .AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" })); byte[] previousSerialNumber = null; foreach (var keyHash in KeyHashPairs) { using (var cert = builder .SetHashAlgorithm(keyHash.HashAlgorithmName) .SetRSAKeySize(keyHash.KeySize) .CreateForRSA()) { Assert.NotNull(cert); WriteCertificate(cert, $"Default cert with RSA {keyHash.KeySize} {keyHash.HashAlgorithmName} signature."); Assert.AreEqual(keyHash.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); // ensure serial numbers are different Assert.AreNotEqual(previousSerialNumber, cert.GetSerialNumber()); X509PfxUtils.VerifyRSAKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); Assert.AreEqual(cert.SubjectName.Name, cert.IssuerName.Name); Assert.AreEqual(cert.SubjectName.RawData, cert.IssuerName.RawData); CheckPEMWriter(cert); } } }
public void CreateCACertForRSA( KeyHashPair keyHashPair ) { // create a CA cert var cert = CertificateBuilder.Create(Subject) .SetCAConstraint(-1) .SetHashAlgorithm(keyHashPair.HashAlgorithmName) .AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl")) .SetRSAKeySize(keyHashPair.KeySize) .CreateForRSA(); Assert.NotNull(cert); WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points"); Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize); Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); Assert.False(basicConstraintsExtension.HasPathLengthConstraint); X509Utils.VerifyRSAKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); CheckPEMWriter(cert); }
public void CreateSelfSignedForRSAAllFields( KeyHashPair keyHashPair ) { // set dates and extension var applicationUri = "urn:opcfoundation.org:mypc"; var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }; var cert = CertificateBuilder.Create(Subject) .SetNotBefore(DateTime.Today.AddYears(-1)) .SetNotAfter(DateTime.Today.AddYears(25)) .AddExtension(new X509SubjectAltNameExtension(applicationUri, domains)) .SetHashAlgorithm(keyHashPair.HashAlgorithmName) .SetRSAKeySize(keyHashPair.KeySize) .CreateForRSA(); Assert.NotNull(cert); WriteCertificate(cert, $"Default cert RSA {keyHashPair.KeySize} with modified lifetime and alt name extension"); Assert.AreEqual(Subject, cert.Subject); Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize); Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); X509Utils.VerifyRSAKeyPair(cert, cert); X509Utils.VerifySelfSigned(cert); }
/// <summary> /// Creates a certificate signing request from an existing certificate. /// </summary> public static byte[] CreateSigningRequest( X509Certificate2 certificate, IList <String> domainNames = null ) { if (!certificate.HasPrivateKey) { throw new NotSupportedException("Need a certificate with a private key."); } RSA rsaPublicKey = certificate.GetRSAPublicKey(); var request = new CertificateRequest(certificate.SubjectName, rsaPublicKey, Oids.GetHashAlgorithmName(certificate.SignatureAlgorithm.Value), RSASignaturePadding.Pkcs1); var alternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(certificate); domainNames = domainNames ?? new List <String>(); if (alternateName != null) { foreach (var name in alternateName.DomainNames) { if (!domainNames.Any(s => s.Equals(name, StringComparison.OrdinalIgnoreCase))) { domainNames.Add(name); } } foreach (var ipAddress in alternateName.IPAddresses) { if (!domainNames.Any(s => s.Equals(ipAddress, StringComparison.OrdinalIgnoreCase))) { domainNames.Add(ipAddress); } } } string applicationUri = X509Utils.GetApplicationUriFromCertificate(certificate); // Subject Alternative Name var subjectAltName = new X509SubjectAltNameExtension(applicationUri, domainNames); request.CertificateExtensions.Add(new X509Extension(subjectAltName, false)); using (RSA rsa = certificate.GetRSAPrivateKey()) { var x509SignatureGenerator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1); return(request.CreateSigningRequest(x509SignatureGenerator)); } }
public void CreateSelfSignedForRSADefaultHashCustomKey( KeyHashPair keyHashPair ) { // default cert with custom key X509Certificate2 cert = CertificateBuilder.Create(Subject) .SetRSAKeySize(keyHashPair.KeySize) .CreateForRSA(); WriteCertificate(cert, $"Default RSA {keyHashPair.KeySize} cert"); Assert.AreEqual(Subject, cert.Subject); Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize); Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); X509Utils.VerifyRSAKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); }
public void CreateSelfSignedForECDsaAllFields( ECCurveHashPair ecCurveHashPair ) { // set dates and extension var applicationUri = "urn:opcfoundation.org:mypc"; var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }; var cert = CertificateBuilder.Create(Subject) .SetNotBefore(DateTime.Today.AddYears(-1)) .SetNotAfter(DateTime.Today.AddYears(25)) .AddExtension(new X509SubjectAltNameExtension(applicationUri, domains)) .SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName) .SetECCurve(ecCurveHashPair.Curve) .CreateForECDsa(); Assert.NotNull(cert); WriteCertificate(cert, $"Default cert ECDsa {ecCurveHashPair.Curve.Oid.FriendlyName} with modified lifetime and alt name extension"); Assert.AreEqual(Subject, cert.Subject); using (var privateKey = cert.GetECDsaPrivateKey()) { Assert.NotNull(privateKey); privateKey.ExportParameters(false); privateKey.ExportParameters(true); } using (var publicKey = cert.GetECDsaPublicKey()) { Assert.NotNull(publicKey); publicKey.ExportParameters(false); } Assert.AreEqual(ecCurveHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); CheckPEMWriter(cert); }
public void CreateCACertForECDsa( ECCurveHashPair ecCurveHashPair ) { // create a CA cert var cert = CertificateBuilder.Create(Subject) .SetCAConstraint() .SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName) .AddExtension(X509Extensions.BuildX509CRLDistributionPoints(new string[] { "http://myca/mycert.crl", "http://myaltca/mycert.crl" })) .SetECCurve(ecCurveHashPair.Curve) .CreateForECDsa(); Assert.NotNull(cert); WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points"); Assert.AreEqual(ecCurveHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value)); var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions); Assert.NotNull(basicConstraintsExtension); Assert.True(basicConstraintsExtension.CertificateAuthority); Assert.False(basicConstraintsExtension.HasPathLengthConstraint); X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert)); }