public static void ArgumentValidation() { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("dnsName", () => builder.AddDnsName(string.Empty)); AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("emailAddress", () => builder.AddEmailAddress(string.Empty)); AssertExtensions.Throws <ArgumentNullException>("uri", () => builder.AddUri(null)); AssertExtensions.Throws <ArgumentNullException>("ipAddress", () => builder.AddIpAddress(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(null)); AssertExtensions.Throws <ArgumentOutOfRangeException>("upn", () => builder.AddUserPrincipalName(string.Empty)); }
public static void EnumerateDnsNames(LoadMode loadMode) { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName("foo"); builder.AddIpAddress(IPAddress.Loopback); builder.AddUserPrincipalName("*****@*****.**"); builder.AddIpAddress(IPAddress.IPv6Loopback); builder.AddDnsName("*.foo"); X509Extension built = builder.Build(true); X509SubjectAlternativeNameExtension ext; switch (loadMode) { case LoadMode.CopyFrom: ext = new X509SubjectAlternativeNameExtension(); ext.CopyFrom(built); break; case LoadMode.Array: ext = new X509SubjectAlternativeNameExtension(built.RawData); break; case LoadMode.Span: byte[] tmp = new byte[built.RawData.Length + 2]; built.RawData.AsSpan().CopyTo(tmp.AsSpan(1)); ext = new X509SubjectAlternativeNameExtension(tmp.AsSpan()[1..^ 1]);
private static X509Certificate2 BuildClientCertificate(X509Certificate2 serverCertificate) { string certificateName = $"Marionet Client {Guid.NewGuid().ToString()}"; SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddUserPrincipalName("Marionet Self-Signed Certificate Generator"); X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={certificateName}"); using (RSA rsa = RSA.Create(2048)) { var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false)); request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, false)); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); request.CertificateExtensions.Add(sanBuilder.Build()); var certificate = request.Create(serverCertificate, new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)), new byte[] { 2, 4, 8, 16 }); certificate.FriendlyName = certificateName; return(certificate.CopyWithPrivateKey(rsa)); } }
public static void MultiValue() { // This produces the same value as the "ComplexGetNameInfo" certificate/test suite. // Subject Alternative Names: // DNS Name=dns1.subject.example.org // DNS Name=dns2.subject.example.org // RFC822 [email protected] // RFC822 [email protected] // Other Name: // Principal [email protected] // Other Name: // Principal [email protected] // URL=http://uri1.subject.example.org/ // URL=http://uri2.subject.example.org/ const string expectedHex = "3081F88218646E73312E7375626A6563742E6578616D706C652E6F7267821864" + "6E73322E7375626A6563742E6578616D706C652E6F7267811573616E656D6169" + "6C31406578616D706C652E6F7267811573616E656D61696C32406578616D706C" + "652E6F7267A027060A2B060104018237140203A0190C177375626A6563747570" + "6E31406578616D706C652E6F7267A027060A2B060104018237140203A0190C17" + "7375626A65637475706E32406578616D706C652E6F72678620687474703A2F2F" + "757269312E7375626A6563742E6578616D706C652E6F72672F8620687474703A" + "2F2F757269322E7375626A6563742E6578616D706C652E6F72672F"; SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName("dns1.subject.example.org"); builder.AddDnsName("dns2.subject.example.org"); builder.AddEmailAddress("*****@*****.**"); builder.AddEmailAddress("*****@*****.**"); builder.AddUserPrincipalName("*****@*****.**"); builder.AddUserPrincipalName("*****@*****.**"); builder.AddUri(new Uri("http://uri1.subject.example.org/")); builder.AddUri(new Uri("http://uri2.subject.example.org/")); X509Extension extension = builder.Build(); Assert.Equal(SubjectAltNameOid, extension.Oid.Value); Assert.Equal( expectedHex, extension.RawData.ByteArrayToHex()); }
public static void SingleValue_Upn() { SubjectAlternativeNameBuilder builder = new SubjectAlternativeNameBuilder(); builder.AddUserPrincipalName("*****@*****.**"); X509Extension extension = builder.Build(); Assert.Equal(SubjectAltNameOid, extension.Oid.Value); Assert.Equal( "3022A020060A2B060104018237140203A0120C1075736572406578616D706C652E6F7267", extension.RawData.ByteArrayToHex()); }
public void SetUp() { SetUpProvider(); _context = new DefaultHttpContext(); X509Certificate2 certificate; using (RSA rsa = RSA.Create()) { var certReq = new CertificateRequest("CN=eventstoredb-node", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddEmailAddress("*****@*****.**"); sanBuilder.AddUserPrincipalName("*****@*****.**"); sanBuilder.AddUri(new Uri("http://localhost")); certReq.CertificateExtensions.Add(sanBuilder.Build()); certificate = certReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddMonths(-1), DateTimeOffset.UtcNow.AddMonths(1)); } _context.Connection.ClientCertificate = certificate; _authenticateResult = _provider.Authenticate(_context, out _authenticateRequest); }
public void AddSubjectAlternativeName(CertificateRequest request, SubjectAlternativeName subjectAlternativeName) { foreach (var dnsName in subjectAlternativeName.DnsName) { if (UriHostNameType.Unknown == Uri.CheckHostName(dnsName)) { throw new ArgumentException("Must be a valid DNS name", nameof(dnsName)); } } var sanBuilder = new SubjectAlternativeNameBuilder(); foreach (var dnsName in subjectAlternativeName.DnsName) { sanBuilder.AddDnsName(dnsName); } if (!string.IsNullOrEmpty(subjectAlternativeName.Email)) { sanBuilder.AddEmailAddress(subjectAlternativeName.Email); } if (subjectAlternativeName.IpAddress != null) { sanBuilder.AddIpAddress(subjectAlternativeName.IpAddress); } if (!string.IsNullOrEmpty(subjectAlternativeName.UserPrincipalName)) { sanBuilder.AddUserPrincipalName(subjectAlternativeName.UserPrincipalName); } if (subjectAlternativeName.Uri != null) { sanBuilder.AddUri(subjectAlternativeName.Uri); } var sanExtension = sanBuilder.Build(); request.CertificateExtensions.Add(sanExtension); }
public async Task <IActionResult> Register([FromBody] RegisterDto model) { IActionResult actionResult = NoContent(); try { if (_options.CACertificate == null && model.TLS) { actionResult = BadRequest(new { code = -1, msg = "There is no root certificate, please initialize the server first" }); } else { var user = new IdentityUser { UserName = model.UserName, Email = model.Email }; var result = await _userManager.CreateAsync(user, model.Password); if (result.Succeeded) { await _signInManager.SignInAsync(user, false); await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.GivenName, model.ClientId)); await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Email, model.Email)); int _StoreCertPem = 0; if (model.TLS) { SubjectAlternativeNameBuilder altNames = new SubjectAlternativeNameBuilder(); altNames.AddDnsName(model.ClientId); altNames.AddEmailAddress(model.Email); altNames.AddUserPrincipalName(model.UserName); altNames.AddUri(new Uri($"mqtt://{_options.BrokerCertificate.GetNameInfo(X509NameType.DnsName, false)}:{_options.SSLPort}")); string name = $"CN={model.ClientId},C=CN, O={_options.BrokerCertificate.GetNameInfo(X509NameType.SimpleName, false)},OU={model.ClientId}"; var tlsclient = _options.CACertificate.CreateTlsClientRSA(name, altNames); tlsclient.SavePem(out string x509CRT, out string x509Key); _context.StoreCertPem.Add(new StoreCertPem() { Id = user.Id, ClientCert = x509CRT, ClientKey = x509Key }); _StoreCertPem = _context.SaveChanges(); await _signInManager.UserManager.AddClaimAsync(user, new Claim(ClaimTypes.Thumbprint, tlsclient.Thumbprint)); } actionResult = Ok(new { code = 0, msg = "OK", data = GenerateJwtToken(model.UserName, user), model.TLS, StoreTLS = _StoreCertPem > 0 }); } else { var msg = from e in result.Errors select $"{e.Code}:{e.Description}\r\n"; actionResult = BadRequest(new { code = -3, msg = string.Join(';', msg.ToArray()) }); } } } catch (Exception ex) { actionResult = BadRequest(new { code = -2, msg = ex.Message, data = ex }); _logger.LogError(ex, ex.Message); } return(actionResult); }