public static void ImportPkcs7DerBytes_Single()
{
using (ImportedCollection ic = Cert.Import(TestData.Pkcs7SingleDerBytes))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
Assert.Equal("D5B5BC1C458A558845BFF51CB4DFF31C", collection[0].SerialNumber);
}
}
public static void ImportPkcs12Bytes_Single_VerifyContents_SpanSpan(X509KeyStorageFlags keyStorageFlags)
{
ReadOnlySpan <byte> rawData = TestData.PfxData.AsSpan();
ReadOnlySpan <char> password = TestData.PfxDataPassword.AsSpan();
using (ImportedCollection ic = Cert.Import(rawData, password, keyStorageFlags))
{
ImportPkcs12Bytes_Single_VerifyContents(ic);
}
}
public static void ImportPkcs7PemFile_Single()
{
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "singlecert.p7c")))
{
X509Certificate2Collection collection = ic.Collection;
Assert.Equal(1, collection.Count);
Assert.Equal("D5B5BC1C458A558845BFF51CB4DFF31C", collection[0].SerialNumber);
}
}
public static void EphemeralKeySet_OSX()
{
// EphemeralKeySet fails when loading a PFX, and is ignored otherwise.
using (ImportedCollection coll = Cert.Import(TestData.Pkcs7ChainDerBytes, null, X509KeyStorageFlags.EphemeralKeySet))
{
Assert.Equal(3, coll.Collection.Count);
}
Assert.Throws <PlatformNotSupportedException>(
() => new X509Certificate2(TestData.EmptyPfx, string.Empty, X509KeyStorageFlags.EphemeralKeySet));
}
public static void ImportPkcs12ByteSpan_Chain_SpanPassword(X509KeyStorageFlags keyStorageFlags)
{
ReadOnlySpan <byte> data = TestData.ChainPfxBytes.AsSpan();
ReadOnlySpan <char> password = TestData.ChainPfxPassword.AsSpan();
using (ImportedCollection ic = Cert.Import(data, password, keyStorageFlags))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
}
}
public static void ImportPkcs12File_Single_SpanPassword(X509KeyStorageFlags keyStorageFlags)
{
Span <char> password = stackalloc char[30];
password.Fill('Z');
TestData.PfxDataPassword.AsSpan().CopyTo(password.Slice(1));
password = password.Slice(1, TestData.PfxDataPassword.Length);
using (ImportedCollection ic = Cert.Import(TestFiles.PfxFile, password, keyStorageFlags))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
}
}
public static void BuildChainExtraStoreUntrustedRoot()
{
using (var testCert = new X509Certificate2(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword))
using (ImportedCollection ic = Cert.Import(Path.Combine("TestData", "test.pfx"), TestData.ChainPfxPassword, X509KeyStorageFlags.DefaultKeySet))
using (var chainHolder = new ChainHolder())
{
X509Certificate2Collection collection = ic.Collection;
X509Chain chain = chainHolder.Chain;
chain.ChainPolicy.ExtraStore.AddRange(collection);
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationTime = new DateTime(2015, 9, 22, 12, 25, 0);
bool valid = chain.Build(testCert);
Assert.False(valid);
Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.UntrustedRoot);
}
}
public static void ExportPublicKeyAsPkcs12()
{
using (X509Certificate2 publicOnly = new X509Certificate2(TestData.MsCertificate))
{
// Pre-condition: There's no private key
Assert.False(publicOnly.HasPrivateKey);
byte[] pkcs12Bytes = publicOnly.Export(X509ContentType.Pkcs12);
// Read it back as a collection, there should be only one cert, and it should
// be equal to the one we started with.
using (ImportedCollection ic = Cert.Import(pkcs12Bytes))
{
X509Certificate2Collection fromPfx = ic.Collection;
Assert.Equal(1, fromPfx.Count);
Assert.Equal(publicOnly, fromPfx[0]);
}
}
}
public static void ImportPkcs12Bytes_Single_VerifyContents(X509KeyStorageFlags keyStorageFlags)
{
using (var pfxCer = new X509Certificate2(TestData.PfxData, TestData.PfxDataPassword, Cert.EphemeralIfPossible))
{
using (ImportedCollection ic = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, keyStorageFlags))
{
X509Certificate2Collection cc2 = ic.Collection;
int count = cc2.Count;
Assert.Equal(1, count);
using (X509Certificate2 c = cc2[0])
{
// pfxCer was loaded directly, cc2[0] was Imported, two distinct copies.
Assert.NotSame(pfxCer, c);
Assert.Equal(pfxCer, c);
Assert.Equal(pfxCer.Thumbprint, c.Thumbprint);
}
}
}
}
[PlatformSpecific(TestPlatforms.Windows)] // Uses P/Invokes
public static void CollectionPerphemeralImport_HasKeyName()
{
using (var importedCollection = Cert.Import(TestData.PfxData, TestData.PfxDataPassword, X509KeyStorageFlags.DefaultKeySet))
{
X509Certificate2 cert = importedCollection.Collection[0];
using (RSA rsa = cert.GetRSAPrivateKey())
{
Assert.NotNull(rsa);
// While RSACng is not a guaranteed answer, it's currently the answer and we'd have to
// rewrite the rest of this test if it changed.
RSACng rsaCng = rsa as RSACng;
Assert.NotNull(rsaCng);
CngKey key = rsaCng.Key;
Assert.NotNull(key);
Assert.False(key.IsEphemeral, "key.IsEphemeral");
Assert.NotNull(key.KeyName);
}
}
}
public static void ImportPkcs12File_Chain_VerifyContents(X509KeyStorageFlags keyStorageFlags)
{
using (ImportedCollection ic = Cert.Import(TestFiles.ChainPfxFile, TestData.ChainPfxPassword, keyStorageFlags))
{
X509Certificate2Collection certs = ic.Collection;
int count = certs.Count;
Assert.Equal(3, count);
// Verify that the read ordering is consistent across the platforms
string[] expectedSubjects =
{
"MS Passport Test Sub CA",
"MS Passport Test Root CA",
"test.local",
};
string[] actualSubjects = certs.OfType <X509Certificate2>().
Select(cert => cert.GetNameInfo(X509NameType.SimpleName, false)).
ToArray();
Assert.Equal(expectedSubjects, actualSubjects);
// And verify that we have private keys when we expect them
bool[] expectedHasPrivateKeys =
{
false,
false,
true,
};
bool[] actualHasPrivateKeys = certs.OfType <X509Certificate2>().
Select(cert => cert.HasPrivateKey).
ToArray();
Assert.Equal(expectedHasPrivateKeys, actualHasPrivateKeys);
}
}
public void TwoCerts_TwoKeys_ManySafeContentsValues(bool invertCertOrder, bool invertKeyOrder)
{
string pw = nameof(TwoCerts_TwoKeys_ManySafeContentsValues);
using (ImportedCollection ic = Cert.Import(TestData.MultiPrivateKeyPfx, null, s_exportableImportFlags))
{
X509Certificate2Collection certs = ic.Collection;
X509Certificate2 first = certs[0];
X509Certificate2 second = certs[1];
if (invertCertOrder)
{
X509Certificate2 tmp = first;
first = second;
second = tmp;
}
using (AsymmetricAlgorithm firstKey = first.GetRSAPrivateKey())
using (AsymmetricAlgorithm secondKey = second.GetRSAPrivateKey())
{
AsymmetricAlgorithm firstAdd = firstKey;
AsymmetricAlgorithm secondAdd = secondKey;
if (invertKeyOrder != invertCertOrder)
{
AsymmetricAlgorithm tmp = firstKey;
firstAdd = secondAdd;
secondAdd = tmp;
}
Pkcs12Builder builder = new Pkcs12Builder();
Pkcs12SafeContents firstKeyContents = new Pkcs12SafeContents();
Pkcs12SafeContents secondKeyContents = new Pkcs12SafeContents();
Pkcs12SafeContents firstCertContents = new Pkcs12SafeContents();
Pkcs12SafeContents secondCertContents = new Pkcs12SafeContents();
Pkcs12SafeContents irrelevant = new Pkcs12SafeContents();
irrelevant.AddSecret(new Oid("0.0"), new byte[] { 0x05, 0x00 });
Pkcs12SafeBag firstAddedKeyBag = firstKeyContents.AddShroudedKey(firstAdd, pw, s_windowsPbe);
Pkcs12SafeBag secondAddedKeyBag = secondKeyContents.AddShroudedKey(secondAdd, pw, s_windowsPbe);
Pkcs12SafeBag firstCertBag = firstCertContents.AddCertificate(first);
Pkcs12SafeBag secondCertBag = secondCertContents.AddCertificate(second);
Pkcs12SafeBag firstKeyBag = firstAddedKeyBag;
Pkcs12SafeBag secondKeyBag = secondAddedKeyBag;
if (invertKeyOrder != invertCertOrder)
{
Pkcs12SafeBag tmp = firstKeyBag;
firstKeyBag = secondKeyBag;
secondKeyBag = tmp;
}
firstCertBag.Attributes.Add(s_keyIdOne);
firstKeyBag.Attributes.Add(s_keyIdOne);
Pkcs9LocalKeyId secondKeyId = new Pkcs9LocalKeyId(second.GetCertHash());
secondCertBag.Attributes.Add(secondKeyId);
secondKeyBag.Attributes.Add(secondKeyId);
// 2C, 1K, 1C, 2K
// With some non-participating contents values sprinkled in for good measure.
AddContents(irrelevant, builder, pw, encrypt: true);
AddContents(secondCertContents, builder, pw, encrypt: true);
AddContents(irrelevant, builder, pw, encrypt: false);
AddContents(firstKeyContents, builder, pw, encrypt: false);
AddContents(firstCertContents, builder, pw, encrypt: true);
AddContents(irrelevant, builder, pw, encrypt: false);
AddContents(secondKeyContents, builder, pw, encrypt: true);
AddContents(irrelevant, builder, pw, encrypt: true);
builder.SealWithMac(pw, s_digestAlgorithm, MacCount);
byte[] pfxBytes = builder.Encode();
X509Certificate2[] expectedOrder = { first, second };
Action <X509Certificate2> followup = CheckKeyConsistency;
// For unknown reasons, CheckKeyConsistency on this test fails
// on Windows 7 with an Access Denied in all variations for
// Collections, and in invertCertOrder: true for Single.
//
// Obviously this hit some sort of weird corner case in the Win7
// loader, but it's not important to the test.
if (OperatingSystem.IsWindows() &&
!PlatformDetection.IsWindows8xOrLater)
{
followup = null;
}
ReadMultiPfx(
pfxBytes,
pw,
first,
expectedOrder,
followup);
}
}
}
