public void SaveLoadCsr(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var sans = new[] { "foo-alt1.example.com", "foo-alt2.example.com", }; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); csr.CertificateExtensions.Add( PkiCertificateExtension.CreateDnsSubjectAlternativeNames(sans)); var saveOut = Path.Combine(_testTemp, $"csrsave-{algor}-{bits}-{hashAlgor}-sans.ser"); using (var ms = new MemoryStream()) { csr.Save(ms); File.WriteAllBytes(saveOut, ms.ToArray()); } PkiCertificateSigningRequest csr2; using (var fs = new FileStream(saveOut, FileMode.Open)) { csr2 = PkiCertificateSigningRequest.Load(fs); } using (var ms = new MemoryStream()) { csr2.Save(ms); File.WriteAllBytes(saveOut + 2, ms.ToArray()); } File.WriteAllBytes(saveOut + "1a.pem", csr.ExportSigningRequest(PkiEncodingFormat.Pem)); File.WriteAllBytes(saveOut + "1b.pem", csr.ExportSigningRequest(PkiEncodingFormat.Pem)); File.WriteAllBytes(saveOut + "2a.pem", csr2.ExportSigningRequest(PkiEncodingFormat.Pem)); File.WriteAllBytes(saveOut + "2b.pem", csr2.ExportSigningRequest(PkiEncodingFormat.Pem)); Assert.AreEqual(csr.SubjectName, csr2.SubjectName); Assert.AreEqual(csr.HashAlgorithm, csr2.HashAlgorithm); CollectionAssert.AreEqual( csr.PublicKey.Export(PkiEncodingFormat.Der), csr2.PublicKey.Export(PkiEncodingFormat.Der)); CollectionAssert.AreEqual( csr.CertificateExtensions, csr2.CertificateExtensions, CertExtComparerInstance); Assert.AreEqual(csr.PublicKey.IsPrivate, csr2.PublicKey.IsPrivate); Assert.AreEqual(csr.PublicKey.Algorithm, csr2.PublicKey.Algorithm); CollectionAssert.AreEqual( csr.PublicKey.Export(PkiEncodingFormat.Der), csr2.PublicKey.Export(PkiEncodingFormat.Der)); }
public void ExportSignedCert(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var isurName = "CN=SelfSigned"; var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var subjName = "CN=foo.example.com"; var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor); var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor); subjCsr.CertificateExtensions.Add( PkiCertificateExtension.CreateDnsSubjectAlternativeNames( new[] { "foo-alt1.example.com", "foo-alt2.example.com", })); var pemOut = Path.Combine(_testTemp, $"cert-{algor}-{bits}-{hashAlgor}.pem"); var derOut = Path.Combine(_testTemp, $"cert-{algor}-{bits}-{hashAlgor}.der"); var isurCert = isurCsr.CreateCa( DateTime.Now.AddMonths(-5), DateTime.Now.AddMonths(5)); Assert.AreEqual(isurName, isurCert.SubjectName, "Issuer Name on Issuer Certificate"); var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey, DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1), new[] { (byte)0x2b }); Assert.AreEqual(isurName, isurCert.SubjectName, "Subject Name on Subject Certificate"); File.WriteAllBytes(pemOut, subjCert.Export(PkiEncodingFormat.Pem)); File.WriteAllBytes(derOut, subjCert.Export(PkiEncodingFormat.Der)); using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"x509 -text -noout -inform DER -in {derOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void ExportSelfSignedCert(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pemOut = Path.Combine(_testTemp, $"certself-{algor}-{bits}-{hashAlgor}.pem"); var derOut = Path.Combine(_testTemp, $"certself-{algor}-{bits}-{hashAlgor}.der"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); var cert = csr.CreateSelfSigned( DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1)); Assert.AreEqual(sn, cert.SubjectName, "Subject Name on PKI Certificate"); var bclCert = cert.ToBclCertificate(); Assert.AreEqual(sn, bclCert.Subject, "Subject Name on BCL Certificate"); Assert.IsFalse(bclCert.HasPrivateKey); Assert.IsNull(bclCert.PrivateKey); File.WriteAllBytes(pemOut, cert.Export(PkiEncodingFormat.Pem)); File.WriteAllBytes(derOut, cert.Export(PkiEncodingFormat.Der)); using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"x509 -text -noout -inform DER -in {derOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void SaveLoadCertificate(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var isurName = "CN=SelfSigned"; var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var subjName = "CN=foo.example.com"; var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor); var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor); subjCsr.CertificateExtensions.Add(PkiCertificateExtension.CreateDnsSubjectAlternativeNames( new[] { "foo-alt1.example.com", "foo-alt2.example.com", } )); var selfOut = Path.Combine(_testTemp, $"certsave-{algor}-{bits}-{hashAlgor}-self.ser"); var signedOut = Path.Combine(_testTemp, $"certsave-{algor}-{bits}-{hashAlgor}-signed.ser"); var isurCert = isurCsr.CreateCa( DateTime.Now.AddMonths(-5), DateTime.Now.AddMonths(5)); var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey, DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1), new[] { (byte)0x2b }); using (var ms = new MemoryStream()) { isurCert.Save(ms); File.WriteAllBytes(selfOut, ms.ToArray()); } using (var ms = new MemoryStream()) { subjCert.Save(ms); File.WriteAllBytes(signedOut, ms.ToArray()); } PkiCertificate isurCert2; PkiCertificate subjCert2; using (var fs = new FileStream(selfOut, FileMode.Open)) isurCert2 = PkiCertificate.Load(fs); using (var fs = new FileStream(signedOut, FileMode.Open)) subjCert2 = PkiCertificate.Load(fs); var bclIsur = isurCert.ToBclCertificate(); var bclSubj = subjCert.ToBclCertificate(); var bclIsur2 = isurCert2.ToBclCertificate(); var bclSubj2 = subjCert2.ToBclCertificate(); Assert.AreEqual(bclIsur.GetSerialNumberString(), bclIsur2.GetSerialNumberString(), "Issuer Serial Number"); Assert.AreEqual(bclIsur.GetCertHashString(), bclIsur2.GetCertHashString(), "Issuer Hash"); Assert.AreEqual(bclIsur.GetRawCertDataString(), bclIsur2.GetRawCertDataString(), "Issuer Raw Data"); Assert.AreEqual(bclSubj.GetSerialNumberString(), bclSubj2.GetSerialNumberString(), "Subject Serial Number"); Assert.AreEqual(bclSubj.GetCertHashString(), bclSubj2.GetCertHashString(), "Subject Hash"); Assert.AreEqual(bclSubj.GetRawCertDataString(), bclSubj2.GetRawCertDataString(), "Subject Raw Data"); }
public void ExportSelfSignedPemChain(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pemSansKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-sanskey.pem"); var pemWithKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-withkey.pem"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); var cert = csr.CreateSelfSigned( DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1)); Assert.AreEqual(sn, cert.SubjectName, "Subject Name on PKI Certificate"); var bclCert = cert.ToBclCertificate(); Assert.AreEqual(sn, bclCert.Subject, "Subject Name on BCL Certificate"); Assert.IsFalse(bclCert.HasPrivateKey); Assert.IsNull(bclCert.PrivateKey); File.WriteAllBytes(pemSansKey, cert.Export(PkiArchiveFormat.Pem)); File.WriteAllBytes(pemWithKey, cert.Export(PkiArchiveFormat.Pem, keys.PrivateKey)); // Check Cert using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemSansKey}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } // Check Cert using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemWithKey}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } // Check Private Key var opensslCmd = "rsa"; if (algor == PkiAsymmetricAlgorithm.Ecdsa) { opensslCmd = "ec"; } using (var proc = OpenSsl.Start($"{opensslCmd} -in {pemWithKey} -check")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pemSansKey)); Assert.IsFalse(certSansKey.HasPrivateKey); Assert.IsNull(certSansKey.PrivateKey); }
public void ExportSignedPkcs12(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var isurName = "CN=SelfSigned"; var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var subjName = "CN=foo.example.com"; var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor); var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor); subjCsr.CertificateExtensions.Add( PkiCertificateExtension.CreateDnsSubjectAlternativeNames( new[] { "foo-alt1.example.com", "foo-alt2.example.com", })); var pfxSansKey = Path.Combine(_testTemp, $"certexp-{algor}-{bits}-{hashAlgor}-sanskey.pfx"); var pfxWithKey = Path.Combine(_testTemp, $"certexp-{algor}-{bits}-{hashAlgor}-withkey.pfx"); var isurCert = isurCsr.CreateCa( DateTime.Now.AddMonths(-5), DateTime.Now.AddMonths(5)); Assert.AreEqual(isurName, isurCert.SubjectName, "Issuer Name on Issuer Certificate"); var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey, DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1), new[] { (byte)0x2b }); Assert.AreEqual(isurName, isurCert.SubjectName, "Subject Name on Subject Certificate"); File.WriteAllBytes(pfxSansKey, subjCert.Export(PkiArchiveFormat.Pkcs12, chain: new[] { isurCert })); File.WriteAllBytes(pfxWithKey, subjCert.Export(PkiArchiveFormat.Pkcs12, subjKeys.PrivateKey, new[] { isurCert })); using (var proc = OpenSsl.Start($"pkcs12 -info -in {pfxSansKey} -passin pass:"******"pkcs12 -info -in {pfxWithKey} -passin pass: -nokeys")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxSansKey)); Assert.IsFalse(certSansKey.HasPrivateKey); Assert.IsNull(certSansKey.PrivateKey); var certWithKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxWithKey)); Assert.IsTrue(certWithKey.HasPrivateKey); if (algor != PkiAsymmetricAlgorithm.Ecdsa) { // This throws: System.NotSupportedException: The certificate key algorithm is not supported. Assert.IsNotNull(certWithKey.PrivateKey); } }
public void ExportSelfSignedPkcs12(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pfxSansKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-sanskey.pfx"); var pfxWithKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-withkey.pfx"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); var cert = csr.CreateSelfSigned( DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1)); Assert.AreEqual(sn, cert.SubjectName, "Subject Name on PKI Certificate"); var bclCert = cert.ToBclCertificate(); Assert.AreEqual(sn, bclCert.Subject, "Subject Name on BCL Certificate"); Assert.IsFalse(bclCert.HasPrivateKey); Assert.IsNull(bclCert.PrivateKey); File.WriteAllBytes(pfxSansKey, cert.Export(PkiArchiveFormat.Pkcs12)); File.WriteAllBytes(pfxWithKey, cert.Export(PkiArchiveFormat.Pkcs12, keys.PrivateKey)); using (var proc = OpenSsl.Start($"pkcs12 -info -in {pfxSansKey} -passin pass:"******"pkcs12 -info -in {pfxWithKey} -passin pass: -nokeys")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxSansKey)); Assert.IsFalse(certSansKey.HasPrivateKey); Assert.IsNull(certSansKey.PrivateKey); var certWithKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxWithKey)); Assert.IsTrue(certWithKey.HasPrivateKey); if (algor != PkiAsymmetricAlgorithm.Ecdsa) { // This throws: System.NotSupportedException: The certificate key algorithm is not supported. Assert.IsNotNull(certWithKey.PrivateKey); } }