public void CreateForRSAWithGeneratorTest(
KeyHashPair keyHashPair
)
{
// default signing cert with custom key
X509Certificate2 signingCert = CertificateBuilder.Create(Subject)
.SetCAConstraint()
.SetHashAlgorithm(HashAlgorithmName.SHA512)
.SetRSAKeySize(2048)
.CreateForRSA();
WriteCertificate(signingCert, $"Signing RSA {signingCert.GetRSAPublicKey().KeySize} cert");
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetIssuer(new X509Certificate2(signingCert.RawData))
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, $"Default signed RSA cert");
}
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
using (RSA rsaPublicKey = signingCert.GetRSAPublicKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetRSAPublicKey(rsaPublicKey)
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, $"Default signed RSA cert with Public Key");
}
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, $"Default signed RSA cert");
}
// ensure invalid path throws argument exception
Assert.Throws <NotSupportedException>(() => {
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA(generator);
}
});
}
public void CreateCACertForRSA(
KeyHashPair keyHashPair
)
{
// create a CA cert
var cert = CertificateBuilder.Create(Subject)
.SetCAConstraint(-1)
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl"))
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points");
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.False(basicConstraintsExtension.HasPathLengthConstraint);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
CheckPEMWriter(cert);
}
public void CrlBuilderTest(KeyHashPair keyHashPair)
{
var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
.SetThisUpdate(DateTime.UtcNow.Date)
.SetNextUpdate(DateTime.UtcNow.Date.AddDays(30));
// little endian byte array as serial number?
byte[] serial = new byte[] { 4, 5, 6, 7 };
var revokedarray = new RevokedCertificate(serial);
crlBuilder.RevokedCertificates.Add(revokedarray);
string serstring = "123456789101";
var revokedstring = new RevokedCertificate(serstring);
crlBuilder.RevokedCertificates.Add(revokedstring);
crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));
var i509Crl = crlBuilder.CreateForRSA(m_issuerCert);
X509CRL x509Crl = new X509CRL(i509Crl.RawData);
Assert.NotNull(x509Crl);
Assert.NotNull(x509Crl.CrlExtensions);
Assert.NotNull(x509Crl.RevokedCertificates);
Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);
Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
Assert.AreEqual(2, x509Crl.CrlExtensions.Count);
Assert.True(x509Crl.VerifySignature(new X509Certificate2(m_issuerCert.RawData), true));
}
public void CreateSelfSignedForRSAAllFields(
KeyHashPair keyHashPair
)
{
// set dates and extension
var applicationUri = "urn:opcfoundation.org:mypc";
var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" };
var cert = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension(applicationUri, domains))
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert RSA {keyHashPair.KeySize} with modified lifetime and alt name extension");
Assert.AreEqual(Subject, cert.Subject);
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert);
X509Utils.VerifySelfSigned(cert);
}
public void CrlBuilderTestWithSignatureGenerator(KeyHashPair keyHashPair)
{
var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
.SetThisUpdate(DateTime.UtcNow.Date)
.SetNextUpdate(DateTime.UtcNow.Date.AddDays(30));
// little endian byte array as serial number?
byte[] serial = new byte[] { 4, 5, 6, 7 };
var revokedarray = new RevokedCertificate(serial);
crlBuilder.RevokedCertificates.Add(revokedarray);
string serstring = "709876543210";
var revokedstring = new RevokedCertificate(serstring);
crlBuilder.RevokedCertificates.Add(revokedstring);
crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));
IX509CRL ix509Crl;
using (RSA rsa = m_issuerCert.GetRSAPrivateKey())
{
X509SignatureGenerator generator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
ix509Crl = crlBuilder.CreateSignature(generator);
}
X509CRL x509Crl = new X509CRL(ix509Crl);
Assert.NotNull(x509Crl);
Assert.NotNull(x509Crl.CrlExtensions);
Assert.NotNull(x509Crl.RevokedCertificates);
Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);
Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
Assert.AreEqual(2, x509Crl.CrlExtensions.Count);
using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData))
{
Assert.True(x509Crl.VerifySignature(issuerPubKey, true));
}
}
public void CreateSelfSignedForRSADefaultHashCustomKey(
KeyHashPair keyHashPair
)
{
// default cert with custom key
X509Certificate2 cert = CertificateBuilder.Create(Subject)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
WriteCertificate(cert, $"Default RSA {keyHashPair.KeySize} cert");
Assert.AreEqual(Subject, cert.Subject);
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
