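/// <summary>
/// Build the Subject Alternative Name extension from a set of URIs and a set of
/// host addresses.
/// </summary>
/// <param name="uris">The URIs; every entry must be parsable by <see cref="Uri"/>.</param>
/// <param name="addresses">The host names: DNS host names, IPv4 or IPv6 addresses.
/// Null, empty or whitespace-only entries are skipped.</param>
/// <param name="critical">Whether the extension is marked critical.</param>
/// <returns>The encoded extension.</returns>
/// <exception cref="ArgumentNullException"><paramref name="uris"/> or <paramref name="addresses"/> is null.</exception>
/// <exception cref="UriFormatException">An entry of <paramref name="uris"/> is not a valid URI.</exception>
public static X509Extension BuildSubjectAlternativeName(
    IEnumerable<string> uris,
    IEnumerable<string> addresses,
    bool critical)
{
    // Reject null collections up front instead of failing with a
    // NullReferenceException inside the foreach below.
    if (uris == null)
    {
        throw new ArgumentNullException(nameof(uris));
    }
    if (addresses == null)
    {
        throw new ArgumentNullException(nameof(addresses));
    }

    var sanBuilder = new SubjectAlternativeNameBuilder();
    foreach (var uri in uris)
    {
        sanBuilder.AddUri(new Uri(uri));
    }
    foreach (var address in addresses)
    {
        if (string.IsNullOrWhiteSpace(address))
        {
            continue;
        }
        // An entry that parses as an IP literal becomes an iPAddress GeneralName;
        // anything else is taken to be a dNSName.
        if (IPAddress.TryParse(address, out var ipAddr))
        {
            sanBuilder.AddIpAddress(ipAddr);
        }
        else
        {
            sanBuilder.AddDnsName(address);
        }
    }
    return sanBuilder.Build(critical);
}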
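/// <summary>
/// Loads the application certificate and its RSA private key from the paths in
/// <c>_appSettings</c>. If that fails for any reason, generates a new self-signed
/// certificate and key, writes them to those same paths and uses them instead.
/// </summary>
public void LoadCertificateAndPrivateKey()
{
    try
    {
        Cert = new X509Certificate2(_appSettings.Certificate);
        Key = new RSACryptoServiceProvider();
        var rsaPrivParams = UASecurity.ImportRSAPrivateKey(File.ReadAllText(_appSettings.PrivateKey));
        Key.ImportParameters(rsaPrivParams);
    }
    catch (Exception)
    {
        // NOTE(review): every failure (missing file, unreadable file, bad PEM, wrong
        // password) lands here and regenerates the identity, overwriting the files on
        // disk. A transient read error therefore silently replaces the application's
        // certificate; consider narrowing the catch to the expected not-found cases.
        var dn = new X500DistinguishedName(
            $"CN={_appSettings.CommonName};OU={_appSettings.OrganizationalUnit}",
            X500DistinguishedNameFlags.UseSemicolons);
        var sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddUri(new Uri($"urn:{_appSettings.ApplicationUri}"));
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            request.CertificateExtensions.Add(sanBuilder.Build());
            // Validity runs from one day ago (presumably to tolerate clock skew) for ten years.
            var now = DateTime.UtcNow;
            using (var selfSignedCert = request.CreateSelfSigned(
                new DateTimeOffset(now.AddDays(-1)),
                new DateTimeOffset(now.AddDays(3650))))
            {
                // Re-import through a PFX export (which carries the private key) so Cert is
                // independent of the CreateSelfSigned instance, which is disposed here.
                Cert = new X509Certificate2(selfSignedCert.Export(X509ContentType.Pfx, ""), "", X509KeyStorageFlags.DefaultKeySet);
            }
            var certPrivateParams = rsa.ExportParameters(true);
            File.WriteAllText(_appSettings.Certificate, UASecurity.ExportPEM(Cert));
            // The private key is written as plain PEM with the process's default file
            // permissions; access to this path must be restricted at deployment.
            File.WriteAllText(_appSettings.PrivateKey, UASecurity.ExportRSAPrivateKey(certPrivateParams));
            Key = new RSACryptoServiceProvider();
            Key.ImportParameters(certPrivateParams);
        }
    }
}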
/// <summary>
/// A URI whose host contains non-ASCII characters is rejected by
/// <see cref="SubjectAlternativeNameBuilder.AddUri"/> with a CryptographicException.
/// </summary>
public static void SingleValue_Uri_UnicodeHost()
{
    var builder = new SubjectAlternativeNameBuilder();
    var unicodeHostUri = new Uri("http://\u65E5\u672C\u8A8E.example.org/");

    Assert.Throws<CryptographicException>(() => builder.AddUri(unicodeHostUri));
}
/// <summary>
/// Encodes two names of every supported GeneralName kind and compares the raw
/// extension bytes against a fixed DER dump.
/// </summary>
public static void MultiValue()
{
    // The expected bytes match the "ComplexGetNameInfo" certificate/test suite:
    //   DNS Name=dns1.subject.example.org
    //   DNS Name=dns2.subject.example.org
    //   RFC822 [email protected]
    //   RFC822 [email protected]
    //   Other Name: Principal [email protected]
    //   Other Name: Principal [email protected]
    //   URL=http://uri1.subject.example.org/
    //   URL=http://uri2.subject.example.org/
    const string expectedHex =
        "3081F88218646E73312E7375626A6563742E6578616D706C652E6F7267821864" +
        "6E73322E7375626A6563742E6578616D706C652E6F7267811573616E656D6169" +
        "6C31406578616D706C652E6F7267811573616E656D61696C32406578616D706C" +
        "652E6F7267A027060A2B060104018237140203A0190C177375626A6563747570" +
        "6E31406578616D706C652E6F7267A027060A2B060104018237140203A0190C17" +
        "7375626A65637475706E32406578616D706C652E6F72678620687474703A2F2F" +
        "757269312E7375626A6563742E6578616D706C652E6F72672F8620687474703A" +
        "2F2F757269322E7375626A6563742E6578616D706C652E6F72672F";

    var builder = new SubjectAlternativeNameBuilder();
    // Order matters: the encoder emits names in insertion order.
    foreach (var dnsName in new[] { "dns1.subject.example.org", "dns2.subject.example.org" })
    {
        builder.AddDnsName(dnsName);
    }
    builder.AddEmailAddress("*****@*****.**");
    builder.AddEmailAddress("*****@*****.**");
    builder.AddUserPrincipalName("*****@*****.**");
    builder.AddUserPrincipalName("*****@*****.**");
    foreach (var uri in new[] { "http://uri1.subject.example.org/", "http://uri2.subject.example.org/" })
    {
        builder.AddUri(new Uri(uri));
    }

    var extension = builder.Build();

    Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
    Assert.Equal(expectedHex, extension.RawData.ByteArrayToHex());
}
/// <summary>
/// Every Add* method rejects a missing value and names its own parameter:
/// string-valued names throw ArgumentOutOfRangeException for null and for empty,
/// reference-typed names throw ArgumentNullException for null.
/// </summary>
public static void ArgumentValidation()
{
    var builder = new SubjectAlternativeNameBuilder();

    // Reference-typed inputs: only null is invalid.
    AssertExtensions.Throws<ArgumentNullException>("uri", () => builder.AddUri(null));
    AssertExtensions.Throws<ArgumentNullException>("ipAddress", () => builder.AddIpAddress(null));

    // String inputs: both null and the empty string are out of range.
    foreach (var missing in new string[] { null, string.Empty })
    {
        AssertExtensions.Throws<ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(missing));
        AssertExtensions.Throws<ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(missing));
        AssertExtensions.Throws<ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(missing));
    }
}
/// <summary>
/// Encode the Subject Alternative Name extension from the URIs, domain names and
/// IP addresses held by this instance.
/// </summary>
/// <returns>The DER-encoded extension value (the raw data, not the extension object).</returns>
private byte[] Encode()
{
    var builder = new SubjectAlternativeNameBuilder();
    foreach (var uriText in m_uris)
    {
        builder.AddUri(new Uri(uriText));
    }
    // Domain names and IP addresses go through the same GeneralName helper.
    EncodeGeneralNames(builder, m_domainNames);
    EncodeGeneralNames(builder, m_ipAddresses);
    return builder.Build().RawData;
}
/// <summary>
/// A single ASCII URI encodes as a SEQUENCE holding one uniformResourceIdentifier
/// GeneralName (context tag 6).
/// </summary>
public static void SingleValue_Uri_Ascii()
{
    const string expectedHex = "30198617687474703A2F2F7777772E6578616D706C652E6F72672F";
    var builder = new SubjectAlternativeNameBuilder();
    builder.AddUri(new Uri("http://www.example.org/"));

    var extension = builder.Build();

    Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
    Assert.Equal(expectedHex, extension.RawData.ByteArrayToHex());
}
/// <summary>
/// Non-ASCII characters in the path (unlike the host) are accepted: they are
/// percent-encoded into the IA5 URI value, as the expected bytes show.
/// </summary>
public static void SingleValue_Uri_UnicodePath()
{
    const string expectedHex =
        "30348632687474703A2F2F7777772E6578616D706C652E6F72672F2545362539" +
        "37254135254536253943254143254538254141253845";

    var builder = new SubjectAlternativeNameBuilder();
    builder.AddUri(new Uri("http://www.example.org/\u65E5\u672C\u8A8E"));
    var extension = builder.Build();

    Assert.Equal(SubjectAltNameOid, extension.Oid.Value);
    Assert.Equal(expectedHex, extension.RawData.ByteArrayToHex());
}
/// <summary>
/// Builds a DefaultHttpContext carrying a freshly generated self-signed client
/// certificate (with e-mail, UPN and URI SANs), then runs the provider's
/// Authenticate against it, capturing the result and the authenticate request.
/// </summary>
public void SetUp()
{
    X509Certificate2 CreateClientCertificate()
    {
        using (RSA rsa = RSA.Create())
        {
            var certReq = new CertificateRequest("CN=eventstoredb-node", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var sanBuilder = new SubjectAlternativeNameBuilder();
            sanBuilder.AddEmailAddress("*****@*****.**");
            sanBuilder.AddUserPrincipalName("*****@*****.**");
            sanBuilder.AddUri(new Uri("http://localhost"));
            certReq.CertificateExtensions.Add(sanBuilder.Build());
            // One month either side of now, so the certificate is in-date whenever the test runs.
            return certReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddMonths(-1), DateTimeOffset.UtcNow.AddMonths(1));
        }
    }

    SetUpProvider();
    _context = new DefaultHttpContext();
    _context.Connection.ClientCertificate = CreateClientCertificate();
    _authenticateResult = _provider.Authenticate(_context, out _authenticateRequest);
}
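/// <summary>
/// Loads the application certificate and RSA private key from ServerCert.der /
/// ServerKey.pem. If that fails for any reason, generates a new self-signed
/// certificate and key, writes them to those files and uses them instead.
/// </summary>
private void LoadCertificateAndPrivateKey()
{
    // Despite the .der suffix, the certificate file holds PEM text (see ExportPEM below).
    const string CertificatePath = "ServerCert.der";
    const string PrivateKeyPath = "ServerKey.pem";

    try
    {
        // Try to load the existing certificate (public key) and associated private key.
        appCertificate = new X509Certificate2(CertificatePath);
        cryptPrivateKey = new RSACryptoServiceProvider();
        var rsaPrivParams = UASecurity.ImportRSAPrivateKey(File.ReadAllText(PrivateKeyPath));
        cryptPrivateKey.ImportParameters(rsaPrivParams);
    }
    catch (Exception)
    {
        // Make a new certificate (public key) and associated private key.
        // NOTE(review): any failure (missing file, unreadable file, bad PEM) lands here
        // and overwrites both files, so a transient read error silently replaces the
        // application's identity; consider narrowing the catch to the not-found cases.
        var dn = new X500DistinguishedName("CN=Client certificate;OU=Demo organization", X500DistinguishedNameFlags.UseSemicolons);
        var sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddUri(new Uri("urn:DemoApplication"));
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            request.CertificateExtensions.Add(sanBuilder.Build());
            // Validity runs from one day ago (presumably to tolerate clock skew) for ten years.
            var now = DateTime.UtcNow;
            using (var certificate = request.CreateSelfSigned(
                new DateTimeOffset(now.AddDays(-1)),
                new DateTimeOffset(now.AddDays(3650))))
            {
                // Re-import through a PFX export (which carries the private key) so the stored
                // certificate is independent of the CreateSelfSigned instance disposed here.
                appCertificate = new X509Certificate2(certificate.Export(X509ContentType.Pfx, ""), "", X509KeyStorageFlags.DefaultKeySet);
            }
            var certPrivateParams = rsa.ExportParameters(true);
            File.WriteAllText(CertificatePath, UASecurity.ExportPEM(appCertificate));
            // The private key is written as plain PEM with default file permissions;
            // access to this file must be restricted at deployment.
            File.WriteAllText(PrivateKeyPath, UASecurity.ExportRSAPrivateKey(certPrivateParams));
            cryptPrivateKey = new RSACryptoServiceProvider();
            cryptPrivateKey.ImportParameters(certPrivateParams);
        }
    }
}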
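/// <inheritdoc/>
/// <remarks>
/// Yields an Extended Key Usage extension (serverAuth + clientAuth, critical) followed by
/// a Subject Alternative Name extension built from <c>entity.Uris</c> (URIs) and
/// <c>entity.Addresses</c> (IP literals or DNS names). The null check on
/// <paramref name="entity"/> runs at the call site; the extensions are produced lazily.
/// </remarks>
/// <exception cref="ArgumentNullException"><paramref name="entity"/> is null.</exception>
public static IEnumerable<X509Extension> ToX509Extensions(this EntityInfoModel entity)
{
    // Validate before handing out the iterator; inside an iterator method the throw
    // would be deferred until the first MoveNext.
    if (entity == null)
    {
        throw new ArgumentNullException(nameof(entity));
    }
    return ToX509ExtensionsCore(entity);
}

/// <summary>Iterator body for <see cref="ToX509Extensions"/>; <paramref name="entity"/> is non-null.</summary>
private static IEnumerable<X509Extension> ToX509ExtensionsCore(EntityInfoModel entity)
{
    // id-kp-serverAuth and id-kp-clientAuth
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Client/Server auth usage extension
    yield return new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid(ServerAuthOid), new Oid(ClientAuthOid) },
        true);

    // Subject Alternative Name
    var sanBuilder = new SubjectAlternativeNameBuilder();
    if (entity.Uris != null)
    {
        foreach (var uri in entity.Uris)
        {
            sanBuilder.AddUri(new Uri(uri));
        }
    }
    if (entity.Addresses != null)
    {
        foreach (var domainName in entity.Addresses)
        {
            if (string.IsNullOrWhiteSpace(domainName))
            {
                continue;
            }
            // IP literals become iPAddress names; everything else is treated as a dNSName.
            if (IPAddress.TryParse(domainName, out var ipAddr))
            {
                sanBuilder.AddIpAddress(ipAddr);
            }
            else
            {
                sanBuilder.AddDnsName(domainName);
            }
            // TODO: Parse email, principal, etc.
        }
    }
    yield return sanBuilder.Build();
}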
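/// <summary>
/// Adds a Subject Alternative Name extension to <paramref name="request"/> built from
/// the DNS names, e-mail address, IP address, UPN and URI carried by
/// <paramref name="subjectAlternativeName"/>. Null or empty members are skipped.
/// </summary>
/// <param name="request">The certificate request to extend.</param>
/// <param name="subjectAlternativeName">The names to encode.</param>
/// <exception cref="ArgumentNullException">Either argument is null.</exception>
/// <exception cref="ArgumentException">An entry of <c>DnsName</c> is not a syntactically valid host name.</exception>
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName)
{
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }
    if (subjectAlternativeName == null)
    {
        throw new ArgumentNullException(nameof(subjectAlternativeName));
    }

    var sanBuilder = new SubjectAlternativeNameBuilder();

    // Validate and add in a single pass over DnsName. The builder is local, so the
    // request is only touched once every name has passed.
    if (subjectAlternativeName.DnsName != null)
    {
        foreach (var dnsName in subjectAlternativeName.DnsName)
        {
            // NOTE(review): CheckHostName also accepts IPv4/IPv6 literals, which would
            // then be encoded as dNSName entries rather than iPAddress entries.
            if (Uri.CheckHostName(dnsName) == UriHostNameType.Unknown)
            {
                // The offending value lives inside the subjectAlternativeName argument;
                // the loop variable is not a parameter of this method.
                throw new ArgumentException("Must be a valid DNS name", nameof(subjectAlternativeName));
            }
            sanBuilder.AddDnsName(dnsName);
        }
    }
    if (!string.IsNullOrEmpty(subjectAlternativeName.Email))
    {
        sanBuilder.AddEmailAddress(subjectAlternativeName.Email);
    }
    if (subjectAlternativeName.IpAddress != null)
    {
        sanBuilder.AddIpAddress(subjectAlternativeName.IpAddress);
    }
    if (!string.IsNullOrEmpty(subjectAlternativeName.UserPrincipalName))
    {
        sanBuilder.AddUserPrincipalName(subjectAlternativeName.UserPrincipalName);
    }
    if (subjectAlternativeName.Uri != null)
    {
        sanBuilder.AddUri(subjectAlternativeName.Uri);
    }

    request.CertificateExtensions.Add(sanBuilder.Build());
}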
/// <summary>
/// Build the Subject Alternative Name extension for an OPC UA application certificate:
/// the application URI first, then one entry per domain name.
/// </summary>
/// <param name="applicationUri">The application URI; must be parsable by <see cref="Uri"/>.</param>
/// <param name="domainNames">DNS host names, IPv4 or IPv6 addresses. Null, empty or
/// whitespace-only entries are skipped.</param>
/// <returns>The non-critical encoded extension.</returns>
private static X509Extension BuildSubjectAlternativeName(string applicationUri, IList<string> domainNames)
{
    var builder = new SubjectAlternativeNameBuilder();
    builder.AddUri(new Uri(applicationUri));
    for (var i = 0; i < domainNames.Count; i++)
    {
        var name = domainNames[i];
        if (string.IsNullOrWhiteSpace(name))
        {
            continue;
        }
        // IP literals become iPAddress entries; anything else is a dNSName.
        if (IPAddress.TryParse(name, out var ip))
        {
            builder.AddIpAddress(ip);
        }
        else
        {
            builder.AddDnsName(name);
        }
    }
    return builder.Build();
}
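/// <summary>
/// Registers a new identity user and, when the client requested TLS, issues it a client
/// certificate from the configured CA and stores the PEM pair. Returns a JWT on success.
/// </summary>
/// <param name="model">The registration payload; untrusted client input.</param>
/// <returns>200 with the token, or 400 with a <c>code</c>/<c>msg</c> body on failure.</returns>
public async Task<IActionResult> Register([FromBody] RegisterDto model)
{
    IActionResult actionResult = NoContent();
    try
    {
        if (_options.CACertificate == null && model.TLS)
        {
            actionResult = BadRequest(new { code = -1, msg = "There is no root certificate, please initialize the server first" });
        }
        else if (model.TLS && Uri.CheckHostName(model.ClientId) != UriHostNameType.Dns)
        {
            // ClientId becomes a dNSName SAN and is interpolated unescaped into the subject
            // DN (CN= and OU=). Requiring a syntactically valid host name keeps RDN
            // separators (',' '=') and non-ASCII out of both. (Error code -4 is new here.)
            actionResult = BadRequest(new { code = -4, msg = "ClientId must be a valid DNS host name when TLS is requested" });
        }
        else
        {
            var user = new IdentityUser { UserName = model.UserName, Email = model.Email };
            var result = await _userManager.CreateAsync(user, model.Password);
            if (!result.Succeeded)
            {
                var msg = from e in result.Errors select $"{e.Code}:{e.Description}\r\n";
                actionResult = BadRequest(new { code = -3, msg = string.Join(';', msg.ToArray()) });
            }
            else
            {
                // NOTE(review): if anything below throws, the user record created above remains.
                await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.GivenName, model.ClientId));
                await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Email, model.Email));
                var storedCertRows = 0;
                if (model.TLS)
                {
                    var altNames = new SubjectAlternativeNameBuilder();
                    altNames.AddDnsName(model.ClientId);
                    altNames.AddEmailAddress(model.Email);
                    altNames.AddUserPrincipalName(model.UserName);
                    altNames.AddUri(new Uri($"mqtt://{_options.BrokerCertificate.GetNameInfo(X509NameType.DnsName, false)}:{_options.SSLPort}"));
                    string name = $"CN={model.ClientId},C=CN, O={_options.BrokerCertificate.GetNameInfo(X509NameType.SimpleName, false)},OU={model.ClientId}";
                    var tlsclient = _options.CACertificate.CreateTlsClientRSA(name, altNames);
                    tlsclient.SavePem(out string x509CRT, out string x509Key);
                    // NOTE(review): the client's private key is persisted as plain PEM in the database.
                    _context.StoreCertPem.Add(new StoreCertPem() { Id = user.Id, ClientCert = x509CRT, ClientKey = x509Key });
                    storedCertRows = _context.SaveChanges();
                    await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Thumbprint, tlsclient.Thumbprint));
                }
                // Sign in only after every claim is stored, so a principal built at sign-in
                // time can carry them and a failed certificate issue leaves no session behind.
                await _signInManager.SignInAsync(user, false);
                actionResult = Ok(new { code = 0, msg = "OK", data = GenerateJwtToken(model.UserName, user), model.TLS, StoreTLS = storedCertRows > 0 });
            }
        }
    }
    catch (Exception ex)
    {
        // The full exception stays server-side: returning it (or its message) to the
        // caller would expose stack traces and internal details.
        _logger.LogError(ex, "Registration failed for user {UserName}", model?.UserName);
        actionResult = BadRequest(new { code = -2, msg = "Registration failed" });
    }
    return actionResult;
}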