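        /// <summary>
        /// Build the Subject Alternative Name extension (OID 2.5.29.17) from a list of
        /// URIs and a list of host addresses.
        /// </summary>
        /// <param name="uris">The URIs, one per entry; each must be accepted by
        /// <see cref="Uri(string)"/> and by <see cref="SubjectAlternativeNameBuilder.AddUri"/>.</param>
        /// <param name="addresses">The domain names: DNS host names, IPv4 or IPv6
        /// addresses. Null or whitespace entries are skipped; an entry that
        /// <see cref="IPAddress.TryParse(string, out IPAddress)"/> accepts is encoded as an
        /// iPAddress name, anything else as a dNSName.</param>
        /// <param name="critical">Whether the extension is flagged critical.</param>
        /// <returns>The encoded extension.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="uris"/> or
        /// <paramref name="addresses"/> is null.</exception>
        /// <exception cref="UriFormatException">An entry of <paramref name="uris"/> is not a valid URI.</exception>
        public static X509Extension BuildSubjectAlternativeName(
            IEnumerable<string> uris, IEnumerable<string> addresses, bool critical)
        {
            // Fail with the parameter name instead of a NullReferenceException from foreach.
            if (uris is null)
            {
                throw new ArgumentNullException(nameof(uris));
            }
            if (addresses is null)
            {
                throw new ArgumentNullException(nameof(addresses));
            }

            var sanBuilder = new SubjectAlternativeNameBuilder();

            foreach (var uri in uris)
            {
                sanBuilder.AddUri(new Uri(uri));
            }
            foreach (var address in addresses)
            {
                // Blank entries are tolerated so a sparse configuration list still works.
                if (string.IsNullOrWhiteSpace(address))
                {
                    continue;
                }
                // IP literals must become iPAddress GeneralNames, not dNSName strings.
                if (IPAddress.TryParse(address, out var ipAddr))
                {
                    sanBuilder.AddIpAddress(ipAddr);
                }
                else
                {
                    sanBuilder.AddDnsName(address);
                }
            }
            return sanBuilder.Build(critical);
        }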
        /// <summary>
        /// Loads the application certificate and its RSA private key from the paths in
        /// <c>_appSettings</c>; if anything in that fails, generates a new self-signed
        /// certificate, writes certificate and private key back to those paths and uses them.
        /// </summary>
        /// <remarks>
        /// The bare <c>catch</c> turns every failure (missing file, unparsable key, transient
        /// I/O error) into "no certificate yet" and overwrites both files with a fresh identity,
        /// so a one-off read error silently replaces the application's key pair.
        /// The generated certificate is valid from one day ago for 3650 days.
        /// </remarks>
        public void LoadCertificateAndPrivateKey()
        {
            try
            {
                // Load the existing certificate and the private key that goes with it.
                Cert = new X509Certificate2(_appSettings.Certificate);
                Key  = new RSACryptoServiceProvider();

                // UASecurity.ImportRSAPrivateKey is a project helper; presumably parses the
                // key file's text into RSAParameters — verify in UASecurity.
                var rsaPrivParams = UASecurity.ImportRSAPrivateKey(File.ReadAllText(_appSettings.PrivateKey));
                Key.ImportParameters(rsaPrivParams);
            }
            catch
            {
                // Subject built from settings. UseSemicolons makes ';' the RDN separator, so a
                // ';' inside CommonName or OrganizationalUnit would split the name.
                var dn = new X500DistinguishedName($"CN={_appSettings.CommonName};OU={_appSettings.OrganizationalUnit}", X500DistinguishedNameFlags.UseSemicolons);
                // Single SAN entry: the application URI as a URN.
                SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
                sanBuilder.AddUri(new Uri($"urn:{_appSettings.ApplicationUri}"));

                using (RSA rsa = RSA.Create(2048))
                {
                    var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                    request.CertificateExtensions.Add(sanBuilder.Build());

                    // NotBefore one day in the past (presumably to absorb clock skew), NotAfter ~10 years out.
                    // NOTE(review): selfSignedCert is never disposed.
                    var selfSignedCert = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));

                    // Round-trip through an in-memory PFX with an empty password (the PFX bytes
                    // are not written anywhere) to obtain a certificate with the private key attached.
                    Cert = new X509Certificate2(selfSignedCert.Export(X509ContentType.Pfx, ""), "", X509KeyStorageFlags.DefaultKeySet);

                    // Persist both halves. The private key is written as text produced by
                    // UASecurity.ExportRSAPrivateKey — presumably unencrypted PEM, confirm — with
                    // whatever default file permissions File.WriteAllText applies.
                    var certPrivateParams = rsa.ExportParameters(true);
                    File.WriteAllText(_appSettings.Certificate, UASecurity.ExportPEM(Cert));
                    File.WriteAllText(_appSettings.PrivateKey, UASecurity.ExportRSAPrivateKey(certPrivateParams));

                    // Key is rebuilt from the exported parameters rather than from Cert.
                    Key = new RSACryptoServiceProvider();
                    Key.ImportParameters(certPrivateParams);
                }
            }
        }
        public static void SingleValue_Uri_UnicodeHost()
        {
            // A URI whose host contains non-ASCII characters is rejected by AddUri with a
            // CryptographicException rather than being encoded.
            var builder = new SubjectAlternativeNameBuilder();
            var unicodeHostUri = new Uri("http://\u65E5\u672C\u8A8E.example.org/");

            Assert.Throws<CryptographicException>(() => builder.AddUri(unicodeHostUri));
        }
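        /// <summary>
        /// Builds a SAN extension with two entries of each supported GeneralName type and
        /// checks the DER encoding byte-for-byte. The e-mail and UPN literals are the values
        /// the expected hex encodes (RFC822 names at tag 0x81, UPN otherName UTF8Strings at 0x0C).
        /// </summary>
        public static void MultiValue()
        {
            // This produces the same value as the "ComplexGetNameInfo" certificate/test suite.
            //   Subject Alternative Names:
            //     DNS Name=dns1.subject.example.org
            //     DNS Name=dns2.subject.example.org
            //     RFC822 Name=sanemail1@example.org
            //     RFC822 Name=sanemail2@example.org
            //     Other Name:
            //       Principal Name=subjectupn1@example.org
            //     Other Name:
            //       Principal Name=subjectupn2@example.org
            //     URL=http://uri1.subject.example.org/
            //     URL=http://uri2.subject.example.org/

            const string expectedHex =
                "3081F88218646E73312E7375626A6563742E6578616D706C652E6F7267821864" +
                "6E73322E7375626A6563742E6578616D706C652E6F7267811573616E656D6169" +
                "6C31406578616D706C652E6F7267811573616E656D61696C32406578616D706C" +
                "652E6F7267A027060A2B060104018237140203A0190C177375626A6563747570" +
                "6E31406578616D706C652E6F7267A027060A2B060104018237140203A0190C17" +
                "7375626A65637475706E32406578616D706C652E6F72678620687474703A2F2F" +
                "757269312E7375626A6563742E6578616D706C652E6F72672F8620687474703A" +
                "2F2F757269322E7375626A6563742E6578616D706C652E6F72672F";

            SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder();

            // Entries are encoded in insertion order, matching the listing above.
            builder.AddDnsName("dns1.subject.example.org");
            builder.AddDnsName("dns2.subject.example.org");
            builder.AddEmailAddress("sanemail1@example.org");
            builder.AddEmailAddress("sanemail2@example.org");
            builder.AddUserPrincipalName("subjectupn1@example.org");
            builder.AddUserPrincipalName("subjectupn2@example.org");
            builder.AddUri(new Uri("http://uri1.subject.example.org/"));
            builder.AddUri(new Uri("http://uri2.subject.example.org/"));

            X509Extension extension = builder.Build();

            Assert.Equal(SubjectAltNameOid, extension.Oid.Value);

            Assert.Equal(
                expectedHex,
                extension.RawData.ByteArrayToHex());
        }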
        public static void ArgumentValidation()
        {
            var builder = new SubjectAlternativeNameBuilder();

            // Reference-typed inputs (Uri, IPAddress) are rejected as null arguments...
            AssertExtensions.Throws<ArgumentNullException>("uri", () => builder.AddUri(null));
            AssertExtensions.Throws<ArgumentNullException>("ipAddress", () => builder.AddIpAddress(null));

            // ...while string inputs treat both null and empty as out of range.
            AssertExtensions.Throws<ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(null));
            AssertExtensions.Throws<ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(string.Empty));
            AssertExtensions.Throws<ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(null));
            AssertExtensions.Throws<ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(string.Empty));
            AssertExtensions.Throws<ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(null));
            AssertExtensions.Throws<ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(string.Empty));
        }
        /// <summary>
        /// Encode the Subject Alternative name extension.
        /// </summary>
        /// <returns>The DER-encoded extension value (the built extension's <c>RawData</c>).</returns>
        private byte[] Encode()
        {
            var builder = new SubjectAlternativeNameBuilder();

            // URIs are added directly; domain names and IP addresses go through the
            // shared EncodeGeneralNames helper.
            foreach (var uriText in m_uris)
            {
                builder.AddUri(new Uri(uriText));
            }
            EncodeGeneralNames(builder, m_domainNames);
            EncodeGeneralNames(builder, m_ipAddresses);

            return builder.Build().RawData;
        }
        public static void SingleValue_Uri_Ascii()
        {
            // Expected DER: SEQUENCE (0x30) holding one [6] IA5String (0x86) of the URI.
            const string expectedHex = "30198617687474703A2F2F7777772E6578616D706C652E6F72672F";

            var builder = new SubjectAlternativeNameBuilder();
            builder.AddUri(new Uri("http://www.example.org/"));
            var extension = builder.Build();

            Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
            Assert.Equal(expectedHex, extension.RawData.ByteArrayToHex());
        }
        public static void SingleValue_Uri_UnicodePath()
        {
            // Non-ASCII characters in the path are percent-encoded (the 0x25 '%' bytes in the
            // expected value), so the name is still a plain IA5String.
            const string expectedHex =
                "30348632687474703A2F2F7777772E6578616D706C652E6F72672F2545362539" +
                "37254135254536253943254143254538254141253845";

            var builder = new SubjectAlternativeNameBuilder();
            builder.AddUri(new Uri("http://www.example.org/\u65E5\u672C\u8A8E"));
            var extension = builder.Build();

            Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
            Assert.Equal(expectedHex, extension.RawData.ByteArrayToHex());
        }
        /// <summary>
        /// Test fixture setup: creates a throwaway self-signed client certificate with e-mail,
        /// UPN and URI SAN entries, attaches it to a fresh HttpContext and runs the provider's
        /// Authenticate over it. Validity spans one month either side of now.
        /// </summary>
        public void SetUp()
        {
            SetUpProvider();
            _context = new DefaultHttpContext();

            X509Certificate2 clientCertificate;
            using (RSA rsa = RSA.Create())
            {
                var sanBuilder = new SubjectAlternativeNameBuilder();
                sanBuilder.AddEmailAddress("*****@*****.**");
                sanBuilder.AddUserPrincipalName("*****@*****.**");
                sanBuilder.AddUri(new Uri("http://localhost"));

                var request = new CertificateRequest("CN=eventstoredb-node", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                request.CertificateExtensions.Add(sanBuilder.Build());

                var now = DateTimeOffset.UtcNow;
                clientCertificate = request.CreateSelfSigned(now.AddMonths(-1), now.AddMonths(1));
            }

            _context.Connection.ClientCertificate = clientCertificate;
            _authenticateResult = _provider.Authenticate(_context, out _authenticateRequest);
        }
            /// <summary>
            /// Loads <c>appCertificate</c> and <c>cryptPrivateKey</c> from "ServerCert.der" and
            /// "ServerKey.pem" in the current directory; if anything in that fails, generates a
            /// new self-signed certificate, writes both files and uses the new pair.
            /// </summary>
            /// <remarks>
            /// The bare <c>catch</c> turns every failure (missing file, unparsable key, transient
            /// I/O error) into "no certificate yet" and overwrites both files, so a one-off read
            /// error silently replaces the key pair. The paths are relative, so the files that
            /// get read or overwritten depend on the process's working directory.
            /// </remarks>
            private void LoadCertificateAndPrivateKey()
            {
                try
                {
                    // Try to load existing (public key) and associated private key
                    appCertificate  = new X509Certificate2("ServerCert.der");
                    cryptPrivateKey = new RSACryptoServiceProvider();

                    // UASecurity.ImportRSAPrivateKey is a project helper; presumably parses the
                    // key file's text into RSAParameters — verify in UASecurity.
                    var rsaPrivParams = UASecurity.ImportRSAPrivateKey(File.ReadAllText("ServerKey.pem"));
                    cryptPrivateKey.ImportParameters(rsaPrivParams);
                }
                catch
                {
                    // Make a new certificate (public key) and associated private key
                    var dn = new X500DistinguishedName("CN=Client certificate;OU=Demo organization",
                                                       X500DistinguishedNameFlags.UseSemicolons);
                    // Single SAN entry: a fixed demo application URN.
                    SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
                    sanBuilder.AddUri(new Uri("urn:DemoApplication"));

                    using (RSA rsa = RSA.Create(2048))
                    {
                        var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256,
                                                             RSASignaturePadding.Pkcs1);

                        request.CertificateExtensions.Add(sanBuilder.Build());

                        // NotBefore one day in the past (presumably to absorb clock skew), NotAfter 3650 days out.
                        // NOTE(review): this certificate object is never disposed.
                        var certificate = request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
                                                                   new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));

                        // Round-trip through an in-memory PFX with an empty password (the PFX bytes
                        // are not written anywhere) to obtain a certificate with the private key attached.
                        appCertificate = new X509Certificate2(certificate.Export(X509ContentType.Pfx, ""),
                                                              "", X509KeyStorageFlags.DefaultKeySet);

                        // Persist both halves. Despite the ".der" name the certificate file gets
                        // UASecurity.ExportPEM's output; the private key is written as text from
                        // UASecurity.ExportRSAPrivateKey — presumably unencrypted PEM, confirm —
                        // with whatever default file permissions File.WriteAllText applies.
                        var certPrivateParams = rsa.ExportParameters(true);
                        File.WriteAllText("ServerCert.der", UASecurity.ExportPEM(appCertificate));
                        File.WriteAllText("ServerKey.pem", UASecurity.ExportRSAPrivateKey(certPrivateParams));

                        cryptPrivateKey = new RSACryptoServiceProvider();
                        cryptPrivateKey.ImportParameters(certPrivateParams);
                    }
                }
            }
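        /// <summary>
        /// Produces the X.509 extensions for <paramref name="entity"/>: an Extended Key Usage
        /// extension (serverAuth 1.3.6.1.5.5.7.3.1 and clientAuth 1.3.6.1.5.5.7.3.2, marked
        /// critical) followed by a Subject Alternative Name extension built from
        /// <c>entity.Uris</c> and <c>entity.Addresses</c>.
        /// </summary>
        /// <param name="entity">The entity description. Its <c>Uris</c> and <c>Addresses</c>
        /// may be null and are then treated as empty. Null or whitespace address entries are
        /// skipped; entries that parse as an IP address become iPAddress names, the rest dNSName.
        /// Every URI entry must be a valid URI.</param>
        /// <returns>The extensions, produced lazily on enumeration.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="entity"/> is null — thrown
        /// at the call site, not deferred until the first enumeration.</exception>
        public static IEnumerable<X509Extension> ToX509Extensions(this EntityInfoModel entity)
        {
            // Validate eagerly: inside the iterator the throw would only surface when the
            // caller starts enumerating.
            if (entity is null)
            {
                throw new ArgumentNullException(nameof(entity));
            }
            return Iterate(entity);

            // Iterator body, separated so the argument check above runs immediately.
            IEnumerable<X509Extension> Iterate(EntityInfoModel model)
            {
                // Client/Server auth usage extension
                yield return new X509EnhancedKeyUsageExtension(
                    new OidCollection {
                        new Oid("1.3.6.1.5.5.7.3.1"),
                        new Oid("1.3.6.1.5.5.7.3.2")
                    }, true);

                // Subject Alternative Name
                var sanBuilder = new SubjectAlternativeNameBuilder();

                if (model.Uris != null)
                {
                    foreach (var uri in model.Uris)
                    {
                        sanBuilder.AddUri(new Uri(uri));
                    }
                }
                if (model.Addresses != null)
                {
                    foreach (var domainName in model.Addresses)
                    {
                        if (string.IsNullOrWhiteSpace(domainName))
                        {
                            continue;
                        }
                        // IP literals must become iPAddress GeneralNames, not dNSName strings.
                        if (IPAddress.TryParse(domainName, out var ipAddr))
                        {
                            sanBuilder.AddIpAddress(ipAddr);
                        }
                        else
                        {
                            sanBuilder.AddDnsName(domainName);
                        }

                        // TODO: Parse email, principal, etc.
                    }
                }
                yield return sanBuilder.Build();
            }
        }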
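        /// <summary>
        /// Adds a Subject Alternative Name extension to <paramref name="request"/> built from the
        /// DNS names, e-mail address, IP address, UPN and URI of
        /// <paramref name="subjectAlternativeName"/>. Only the members that are set are encoded.
        /// </summary>
        /// <param name="request">The certificate request to extend.</param>
        /// <param name="subjectAlternativeName">The names to encode. <c>DnsName</c> is enumerated
        /// twice (validation, then encoding), so it should be a materialized collection.</param>
        /// <exception cref="ArgumentNullException">Either argument is null.</exception>
        /// <exception cref="ArgumentException">An entry of <c>DnsName</c> is not a syntactically
        /// valid host name per <see cref="Uri.CheckHostName"/>. The request is left untouched.</exception>
        public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName)
        {
            if (request is null)
            {
                throw new ArgumentNullException(nameof(request));
            }
            if (subjectAlternativeName is null)
            {
                throw new ArgumentNullException(nameof(subjectAlternativeName));
            }

            // Validate every DNS name before touching the builder or the request. The
            // reported parameter is the method's own parameter, not the loop variable.
            foreach (var dnsName in subjectAlternativeName.DnsName)
            {
                if (Uri.CheckHostName(dnsName) == UriHostNameType.Unknown)
                {
                    throw new ArgumentException("Must be a valid DNS name", nameof(subjectAlternativeName));
                }
            }

            var sanBuilder = new SubjectAlternativeNameBuilder();

            foreach (var dnsName in subjectAlternativeName.DnsName)
            {
                sanBuilder.AddDnsName(dnsName);
            }

            if (!string.IsNullOrEmpty(subjectAlternativeName.Email))
            {
                sanBuilder.AddEmailAddress(subjectAlternativeName.Email);
            }

            if (subjectAlternativeName.IpAddress != null)
            {
                sanBuilder.AddIpAddress(subjectAlternativeName.IpAddress);
            }

            if (!string.IsNullOrEmpty(subjectAlternativeName.UserPrincipalName))
            {
                sanBuilder.AddUserPrincipalName(subjectAlternativeName.UserPrincipalName);
            }

            if (subjectAlternativeName.Uri != null)
            {
                sanBuilder.AddUri(subjectAlternativeName.Uri);
            }

            request.CertificateExtensions.Add(sanBuilder.Build());
        }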
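        /// <summary>
        /// Build the Subject Alternative name extension (for OPC UA application certs)
        /// </summary>
        /// <param name="applicationUri">The application Uri; must be a valid URI and is
        /// encoded first as a uniformResourceIdentifier name.</param>
        /// <param name="domainNames">The domain names. DNS Hostnames, IPv4 or IPv6 addresses.
        /// Null or whitespace entries are skipped; entries that parse as an IP address are
        /// encoded as iPAddress names, the rest as dNSName.</param>
        /// <returns>The non-critical encoded extension.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="domainNames"/> is null.</exception>
        /// <exception cref="UriFormatException"><paramref name="applicationUri"/> is not a valid URI.</exception>
        private static X509Extension BuildSubjectAlternativeName(string applicationUri, IList<string> domainNames)
        {
            // Fail with the parameter name instead of a NullReferenceException from foreach.
            if (domainNames is null)
            {
                throw new ArgumentNullException(nameof(domainNames));
            }

            var sanBuilder = new SubjectAlternativeNameBuilder();

            sanBuilder.AddUri(new Uri(applicationUri));
            foreach (string domainName in domainNames)
            {
                if (string.IsNullOrWhiteSpace(domainName))
                {
                    continue;
                }
                // IP literals must become iPAddress GeneralNames, not dNSName strings.
                if (IPAddress.TryParse(domainName, out var ipAddr))
                {
                    sanBuilder.AddIpAddress(ipAddr);
                }
                else
                {
                    sanBuilder.AddDnsName(domainName);
                }
            }

            return sanBuilder.Build();
        }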
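        /// <summary>
        /// Registers a new identity user and, when <c>model.TLS</c> is set, issues an RSA TLS
        /// client certificate signed by the configured CA, stores its PEM certificate and key
        /// in the database and records the certificate thumbprint as a claim on the user.
        /// </summary>
        /// <param name="model">Registration data from the request body (untrusted input).</param>
        /// <returns>
        /// 200 with a JWT on success; 400 with <c>code</c> -1 when TLS was requested but no CA
        /// certificate is configured, -3 when identity creation fails, or -2 on an unexpected
        /// exception. The exception object itself is logged server-side only.
        /// </returns>
        public async Task<IActionResult> Register([FromBody] RegisterDto model)
        {
            IActionResult actionResult = NoContent();

            try
            {
                if (_options.CACertificate == null && model.TLS)
                {
                    actionResult = BadRequest(new { code = -1, msg = "There is no root certificate, please initialize the server first" });
                }
                else
                {
                    var user = new IdentityUser
                    {
                        UserName = model.UserName,
                        Email    = model.Email
                    };
                    var result = await _userManager.CreateAsync(user, model.Password);

                    if (result.Succeeded)
                    {
                        await _signInManager.SignInAsync(user, false);
                        await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.GivenName, model.ClientId));
                        await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Email, model.Email));

                        // Rows written when the client certificate was stored; stays 0 without TLS.
                        int storedCertRows = 0;
                        if (model.TLS)
                        {
                            // NOTE(review): assumes _options.BrokerCertificate is configured whenever
                            // CACertificate is — only CACertificate is checked above; confirm.
                            var altNames = new SubjectAlternativeNameBuilder();
                            altNames.AddDnsName(model.ClientId);
                            altNames.AddEmailAddress(model.Email);
                            altNames.AddUserPrincipalName(model.UserName);
                            altNames.AddUri(new Uri($"mqtt://{_options.BrokerCertificate.GetNameInfo(X509NameType.DnsName, false)}:{_options.SSLPort}"));

                            // Subject is assembled from caller-supplied ClientId; CreateTlsClientRSA
                            // is a project helper whose handling of ',' or '=' in that value is not
                            // visible here.
                            string subjectName = $"CN={model.ClientId},C=CN, O={_options.BrokerCertificate.GetNameInfo(X509NameType.SimpleName, false)},OU={model.ClientId}";
                            var tlsClient = _options.CACertificate.CreateTlsClientRSA(subjectName, altNames);

                            // The private key PEM is persisted alongside the certificate for later download.
                            tlsClient.SavePem(out string x509CRT, out string x509Key);
                            _context.StoreCertPem.Add(new StoreCertPem()
                            {
                                Id         = user.Id,
                                ClientCert = x509CRT,
                                ClientKey  = x509Key
                            });
                            storedCertRows = _context.SaveChanges();
                            await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Thumbprint, tlsClient.Thumbprint));
                        }
                        actionResult = Ok(new { code = 0, msg = "OK", data = GenerateJwtToken(model.UserName, user), model.TLS, StoreTLS = storedCertRows > 0 });
                    }
                    else
                    {
                        var errorLines = result.Errors.Select(e => $"{e.Code}:{e.Description}\r\n");
                        actionResult = BadRequest(new { code = -3, msg = string.Join(';', errorLines) });
                    }
                }
            }
            catch (Exception ex)
            {
                // Log the full exception here; do not echo the exception object (stack trace,
                // inner exceptions, file paths) to the client as the response payload.
                _logger.LogError(ex, ex.Message);
                actionResult = BadRequest(new { code = -2, msg = ex.Message });
            }

            return actionResult;
        }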