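/// <summary>
/// Signs application certificates with an explicit <see cref="X509SignatureGenerator"/>
/// built from the CA's RSA private key (default hash, issuer-supplied public key, and
/// builder-generated key of the requested size), then checks that a generator without
/// an issuer is rejected.
/// </summary>
/// <param name="keyHashPair">RSA key size and hash algorithm for the signed certificates.</param>
public void CreateForRSAWithGeneratorTest(
    KeyHashPair keyHashPair
    )
{
    // Self-signed CA (SHA-512, RSA-2048) whose private key drives every generator below.
    using (X509Certificate2 signingCert = CertificateBuilder.Create(Subject)
        .SetCAConstraint()
        .SetHashAlgorithm(HashAlgorithmName.SHA512)
        .SetRSAKeySize(2048)
        .CreateForRSA())
    {
        WriteCertificate(signingCert, $"Signing RSA {signingCert.GetRSAPublicKey().KeySize} cert");

        // 1. Default hash, builder-generated key. The issuer is handed over as a public-key-only
        //    copy (RawData carries no private key), so signing must go through the generator.
        using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
        using (var issuer = new X509Certificate2(signingCert.RawData))
        {
            // PKCS#1 v1.5 padding, the same padding the CRL tests in this file use.
            var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
            using (var cert = CertificateBuilder.Create("CN=App Cert")
                .SetIssuer(issuer)
                .CreateForRSA(generator))
            {
                Assert.NotNull(cert);
                WriteCertificate(cert, $"Default signed RSA cert");
            }
        }

        // 2. Explicit hash and an externally supplied public key. Note the key handed in is the
        //    *issuer's* own public key, so the resulting cert carries the CA key, not a fresh one;
        //    this exercises the SetRSAPublicKey path, not a realistic leaf certificate.
        using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
        using (RSA rsaPublicKey = signingCert.GetRSAPublicKey())
        using (var issuer = new X509Certificate2(signingCert.RawData))
        {
            var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
            using (var cert = CertificateBuilder.Create("CN=App Cert")
                .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
                .SetIssuer(issuer)
                .SetRSAPublicKey(rsaPublicKey)
                .CreateForRSA(generator))
            {
                Assert.NotNull(cert);
                WriteCertificate(cert, $"Default signed RSA cert with Public Key");
            }
        }

        // 3. Explicit hash, builder generates a new key of the requested size.
        using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
        using (var issuer = new X509Certificate2(signingCert.RawData))
        {
            var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
            using (var cert = CertificateBuilder.Create("CN=App Cert")
                .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
                .SetIssuer(issuer)
                .SetRSAKeySize(keyHashPair.KeySize)
                .CreateForRSA(generator))
            {
                Assert.NotNull(cert);
                WriteCertificate(cert, $"Default signed RSA cert");
            }
        }

        // 4. A generator without an issuer must be refused with NotSupportedException
        //    (the earlier comment said "argument exception", which did not match the assertion).
        Assert.Throws<NotSupportedException>(() =>
        {
            using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
            {
                var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
                CertificateBuilder.Create("CN=App Cert")
                    .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
                    .SetRSAKeySize(keyHashPair.KeySize)
                    .CreateForRSA(generator);
            }
        });
    }
}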
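/// <summary>
/// Creates a self-signed CA certificate with no path-length limit and a CRL distribution
/// point, then verifies key size, signature hash, basic constraints, the presence of the
/// CRL DP extension, the key pair, the self-signature and the PEM round trip.
/// </summary>
/// <param name="keyHashPair">RSA key size and hash algorithm under test.</param>
public void CreateCACertForRSA(
    KeyHashPair keyHashPair
    )
{
    // -1 is taken by the builder as "CA without pathLenConstraint"; asserted via HasPathLengthConstraint below.
    using (var cert = CertificateBuilder.Create(Subject)
        .SetCAConstraint(-1)
        .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
        // Placeholder distribution point for the test; only its presence in the cert is checked.
        .AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl"))
        .SetRSAKeySize(keyHashPair.KeySize)
        .CreateForRSA())
    {
        Assert.NotNull(cert);
        // Was a plain literal: the braces were written out verbatim instead of being interpolated.
        WriteCertificate(cert, $"Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points");

        Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
        Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));

        var basicConstraints = X509Extensions.FindExtension<X509BasicConstraintsExtension>(cert.Extensions);
        Assert.NotNull(basicConstraints);
        Assert.True(basicConstraints.CertificateAuthority);
        Assert.False(basicConstraints.HasPathLengthConstraint);

        // The test is named for the CRL DP, so check the extension (id-ce-cRLDistributionPoints) was actually emitted.
        Assert.NotNull(cert.Extensions["2.5.29.31"]);

        X509Utils.VerifyRSAKeyPair(cert, cert, true);
        Assert.True(X509Utils.VerifySelfSigned(cert));
        CheckPEMWriter(cert);
    }
}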
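/// <summary>
/// Builds a CRL signed directly with the issuer certificate's private key, re-parses the
/// DER and checks issuer, update times, both revoked entries, extension count and signature.
/// </summary>
/// <param name="keyHashPair">Hash algorithm used for the CRL signature.</param>
public void CrlBuilderTest(KeyHashPair keyHashPair)
{
    // Single snapshot so ThisUpdate and NextUpdate cannot straddle a UTC midnight between two calls.
    DateTime thisUpdate = DateTime.UtcNow.Date;
    var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
        .SetThisUpdate(thisUpdate)
        .SetNextUpdate(thisUpdate.AddDays(30));

    // One entry given as raw serial bytes, one as a decimal string. The round trip below only
    // checks each comes back unchanged; the byte order the builder assumes is not asserted.
    byte[] serial = new byte[] { 4, 5, 6, 7 };
    crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serial));
    string serstring = "123456789101";
    crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serstring));

    crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
    // AKI binds the CRL to the issuer's key so a verifier can match it to the right CA certificate.
    crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));

    var ix509Crl = crlBuilder.CreateForRSA(m_issuerCert);
    X509CRL x509Crl = new X509CRL(ix509Crl.RawData);
    Assert.NotNull(x509Crl);
    Assert.NotNull(x509Crl.CrlExtensions);
    Assert.NotNull(x509Crl.RevokedCertificates);

    Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
    Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
    Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);

    Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
    Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
    Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
    Assert.AreEqual(2, x509Crl.CrlExtensions.Count);

    // Verify against a public-key-only copy and dispose it, as CrlBuilderTestWithSignatureGenerator does.
    using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData))
    {
        Assert.True(x509Crl.VerifySignature(issuerPubKey, true));
    }
}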
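/// <summary>
/// Self-signed certificate with explicit validity dates and a subject alternative name
/// (application URI plus DNS names and an IP literal); checks subject, key size, signature
/// hash, basic constraints, key pair and self-signature.
/// </summary>
/// <param name="keyHashPair">RSA key size and hash algorithm under test.</param>
public void CreateSelfSignedForRSAAllFields(
    KeyHashPair keyHashPair
    )
{
    var applicationUri = "urn:opcfoundation.org:mypc";
    // Host names plus a literal IPv4 address for the SAN extension.
    var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" };

    // NOTE(review): DateTime.Today is local midnight while X.509 validity is encoded in UTC, so the
    // stored NotBefore/NotAfter may be shifted by the local zone. Neither bound is asserted here.
    using (var cert = CertificateBuilder.Create(Subject)
        .SetNotBefore(DateTime.Today.AddYears(-1))
        .SetNotAfter(DateTime.Today.AddYears(25))
        .AddExtension(new X509SubjectAltNameExtension(applicationUri, domains))
        .SetHashAlgorithm(keyHashPair.HashAlgorithmName)
        .SetRSAKeySize(keyHashPair.KeySize)
        .CreateForRSA())
    {
        Assert.NotNull(cert);
        WriteCertificate(cert, $"Default cert RSA {keyHashPair.KeySize} with modified lifetime and alt name extension");

        Assert.AreEqual(Subject, cert.Subject);
        Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
        Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));

        // No CA constraint was requested; the builder evidently marks self-signed certs cA=true by
        // default (the DefaultHashCustomKey test asserts the same).
        var basicConstraints = X509Extensions.FindExtension<X509BasicConstraintsExtension>(cert.Extensions);
        Assert.NotNull(basicConstraints);
        Assert.True(basicConstraints.CertificateAuthority);

        X509Utils.VerifyRSAKeyPair(cert, cert);
        // The original discarded this bool, so a broken self-signature would have passed silently.
        Assert.True(X509Utils.VerifySelfSigned(cert));
    }
}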
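/// <summary>
/// Builds a CRL signed through an external <see cref="X509SignatureGenerator"/> (the path an
/// HSM- or KeyVault-backed issuer would take), re-parses it and checks issuer, update times,
/// revoked entries, extension count and signature against a public-key-only issuer copy.
/// </summary>
/// <param name="keyHashPair">Hash algorithm used for the CRL signature.</param>
public void CrlBuilderTestWithSignatureGenerator(KeyHashPair keyHashPair)
{
    // Single snapshot so ThisUpdate and NextUpdate cannot straddle a UTC midnight between two calls.
    DateTime thisUpdate = DateTime.UtcNow.Date;
    var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
        .SetThisUpdate(thisUpdate)
        .SetNextUpdate(thisUpdate.AddDays(30));

    // One entry given as raw serial bytes, one as a decimal string; each must round-trip unchanged.
    byte[] serial = new byte[] { 4, 5, 6, 7 };
    crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serial));
    string serstring = "709876543210";
    crlBuilder.RevokedCertificates.Add(new RevokedCertificate(serstring));

    crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
    // AKI binds the CRL to the issuer's key so a verifier can match it to the right CA certificate.
    crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));

    // The private key lives only inside the generator; the builder itself never sees it.
    IX509CRL ix509Crl;
    using (RSA rsa = m_issuerCert.GetRSAPrivateKey())
    {
        X509SignatureGenerator generator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
        ix509Crl = crlBuilder.CreateSignature(generator);
    }

    X509CRL x509Crl = new X509CRL(ix509Crl);
    Assert.NotNull(x509Crl);
    Assert.NotNull(x509Crl.CrlExtensions);
    Assert.NotNull(x509Crl.RevokedCertificates);

    Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
    Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
    Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);

    Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
    Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
    Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
    Assert.AreEqual(2, x509Crl.CrlExtensions.Count);

    // Verification needs only the public half, so hand over a copy built from RawData.
    using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData))
    {
        Assert.True(x509Crl.VerifySignature(issuerPubKey, true));
    }
}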
/// <summary>
/// Self-signed certificate with only the RSA key size customised: the signature hash must
/// fall back to <see cref="X509Defaults.HashAlgorithmName"/>, the key pair must match and
/// the certificate must verify against itself.
/// </summary>
/// <param name="keyHashPair">Supplies the RSA key size; its hash algorithm is deliberately not used.</param>
public void CreateSelfSignedForRSADefaultHashCustomKey(
    KeyHashPair keyHashPair
    )
{
    int keySize = keyHashPair.KeySize;
    var builder = CertificateBuilder.Create(Subject).SetRSAKeySize(keySize);
    X509Certificate2 cert = builder.CreateForRSA();
    WriteCertificate(cert, $"Default RSA {keySize} cert");

    // Subject and key size come straight from the builder inputs.
    Assert.AreEqual(Subject, cert.Subject);
    Assert.AreEqual(keySize, cert.GetRSAPublicKey().KeySize);

    // No hash was requested, so the signature algorithm must be the library default.
    HashAlgorithmName signatureHash = Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value);
    Assert.AreEqual(X509Defaults.HashAlgorithmName, signatureHash);

    // Basic constraints are present and flag the cert as a CA, as in the other self-signed tests.
    var basicConstraints = X509Extensions.FindExtension<X509BasicConstraintsExtension>(cert.Extensions);
    Assert.NotNull(basicConstraints);
    Assert.True(basicConstraints.CertificateAuthority);

    X509Utils.VerifyRSAKeyPair(cert, cert, true);
    Assert.True(X509Utils.VerifySelfSigned(cert));
}