public int Add(X509Extension extension)
{
if (extension == null)
throw new ArgumentNullException("extension");
_list.Add(extension);
return _list.Count - 1;
}
public void Certificate_CSR_TA_SelfSigned()
{
X500DistinguishedName dn = new X500DistinguishedName("CN=Secondary Trust Anchor,O=TNT,C=US");
AsymmetricCipherKeyPair keyPair = Certificate.CreateRSAKeyPair();
Extensions extensions = new Extensions();
extensions.Add(new TNT.Cryptography.Extension.KeyUsage(KeyUsage.CrlSign | KeyUsage.KeyCertSign | KeyUsage.DigitalSignature));
extensions.Add(new TNT.Cryptography.Extension.AuthorityKeyIdentifier(keyPair.Public));
extensions.Add(new TNT.Cryptography.Extension.SubjectKeyIdentifier(keyPair.Public));
extensions.Add(new TNT.Cryptography.Extension.BasicConstraints(new BasicConstraints(0)));
List <Uri> uris = new List <Uri>(new Uri[] { new Uri("http://domain1.com"), new Uri("http://domain2.com") });
extensions.Add(new TNT.Cryptography.Extension.CrlDistributionPoints(uris));
Pkcs10CertificationRequest csr = Certificate.CreateCertificationRequest(dn.Name, keyPair, extensions);
X509Certificate2 cert = Certificate.CreateCertificate(csr, keyPair, m_EffectiveDate, m_ExpirationDate, null);
X509KeyUsageExtension keyUsageEx = cert.Extensions[0] as X509KeyUsageExtension;
X509BasicConstraintsExtension basicConstraintEx = cert.Extensions[3] as X509BasicConstraintsExtension;
System.Security.Cryptography.X509Certificates.X509Extension aki = cert.Extensions[1];
System.Security.Cryptography.X509Certificates.X509Extension ski = cert.Extensions[2];
Assert.AreEqual(X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.DigitalSignature, keyUsageEx.KeyUsages);
Assert.IsTrue(basicConstraintEx.CertificateAuthority);
Assert.AreEqual("C=US, O=TNT, CN=Secondary Trust Anchor", cert.Subject);
Assert.AreEqual(cert.Subject, cert.Issuer);
var skiCount = ski.Format(false).Length;
Assert.AreEqual(ski.Format(false), aki.Format(false).Substring(6, skiCount));
File.WriteAllBytes("CSR_TA_SS.cer", cert.Export(X509ContentType.Cert));
File.WriteAllBytes("CSR_TA_SS.pfx", cert.Export(X509ContentType.Pfx, "P"));
}
public void Certificate_CSR_SelfSigned_DomainBound()
{
X500DistinguishedName dn = new X500DistinguishedName("cn=domain.com,o=TNT,c=US");
AsymmetricCipherKeyPair keyPair = Certificate.CreateRSAKeyPair();
Extensions extensions = new Extensions();
extensions.Add(new TNT.Cryptography.Extension.KeyUsage(KeyUsage.KeyEncipherment | KeyUsage.DigitalSignature));
extensions.Add(new TNT.Cryptography.Extension.SubjectAlternativeName(new GeneralName(GeneralName.DnsName, dn.Name.Split(',')[0].Split('=')[1])));
extensions.Add(new TNT.Cryptography.Extension.ExtendedKeyUsage(KeyPurposeID.IdKPEmailProtection));
extensions.Add(new TNT.Cryptography.Extension.SubjectKeyIdentifier(keyPair.Public));
extensions.Add(new TNT.Cryptography.Extension.BasicConstraints(new BasicConstraints(false)));
List <Uri> uris = new List <Uri>(new Uri[] { new Uri("http://domain1.com"), new Uri("http://domain2.com") });
extensions.Add(new TNT.Cryptography.Extension.CrlDistributionPoints(uris));
Pkcs10CertificationRequest csr = Certificate.CreateCertificationRequest(dn.Name, keyPair, extensions);
X509Certificate2 cert = Certificate.CreateCertificate(csr, keyPair, m_EffectiveDate, m_ExpirationDate);
System.Security.Cryptography.X509Certificates.X509Extension subAltNameEx = cert.Extensions[1];
X509EnhancedKeyUsageExtension enhancedKUEx = cert.Extensions[2] as X509EnhancedKeyUsageExtension;
X509BasicConstraintsExtension basicConstraintEx = cert.Extensions[4] as X509BasicConstraintsExtension;
enhancedKUEx = cert.GetEnhancedKeyUsage();
Assert.AreEqual("DNS Name=domain.com", subAltNameEx.Format(false));
Assert.AreEqual(KeyPurposeID.IdKPEmailProtection.Id, enhancedKUEx.EnhancedKeyUsages[0].Value);
Assert.IsFalse(basicConstraintEx.CertificateAuthority);
Assert.AreEqual("C=US, O=TNT, CN=domain.com", cert.Issuer);
Assert.AreEqual("C=US, O=TNT, CN=domain.com", cert.Subject);
File.WriteAllBytes("CSR_SelfSigned_DomainBound.cer", cert.Export(X509ContentType.Cert));
}
public void Certificate_CSR_AddressBound()
{
X500DistinguishedName dn = new X500DistinguishedName("[email protected],o=TNT,c=US");
AsymmetricCipherKeyPair keyPair = Certificate.CreateRSAKeyPair();
Extensions extensions = new Extensions();
extensions.Add(new TNT.Cryptography.Extension.KeyUsage(KeyUsage.KeyEncipherment | KeyUsage.DigitalSignature));
extensions.Add(new TNT.Cryptography.Extension.SubjectAlternativeName(new GeneralName(GeneralName.Rfc822Name, dn.Name.Split(',')[0].Split('=')[1])));
extensions.Add(new TNT.Cryptography.Extension.ExtendedKeyUsage(KeyPurposeID.IdKPEmailProtection));
extensions.Add(new TNT.Cryptography.Extension.AuthorityKeyIdentifier(TA));
extensions.Add(new TNT.Cryptography.Extension.SubjectKeyIdentifier(keyPair.Public));
extensions.Add(new TNT.Cryptography.Extension.BasicConstraints(new BasicConstraints(false)));
List <Uri> uris = new List <Uri>(new Uri[] { new Uri("http://domain1.com"), new Uri("http://domain2.com") });
extensions.Add(new TNT.Cryptography.Extension.CrlDistributionPoints(uris));
Pkcs10CertificationRequest csr = Certificate.CreateCertificationRequest(dn.Name, keyPair, extensions);
X509Certificate2 cert = Certificate.CreateCertificate(csr, keyPair, m_EffectiveDate, m_ExpirationDate, TA);
System.Security.Cryptography.X509Certificates.X509Extension ski = TA.Extensions[1];
System.Security.Cryptography.X509Certificates.X509Extension aki = cert.Extensions[3];
Assert.AreEqual("CN=Trust Anchor, O=TNT, C=US", cert.Issuer);
Assert.AreEqual("C=US, O=TNT, [email protected]", cert.Subject);
var skiCount = ski.Format(false).Length;
Assert.AreEqual(ski.Format(false), aki.Format(false).Substring(6, skiCount));
File.WriteAllBytes("CSR_AddressBound.cer", cert.Export(X509ContentType.Cert));
}
public int Add(X509Extension extension)
{
if (extension == null)
{
throw new ArgumentNullException("extension");
}
return this.m_list.Add(extension);
}
public void CopyTo (X509Extension[] array, int index)
{
if (array == null)
throw new ArgumentNullException ("array");
if (index < 0)
throw new ArgumentException ("negative index");
if (index > array.Length)
throw new ArgumentOutOfRangeException ("index > array.Length");
}
public void ConstructorAsnEncodedData ()
{
AsnEncodedData aed = new AsnEncodedData (new Oid ("2.5.29.37"), new byte[] { 0x30, 0x05, 0x06, 0x03, 0x2A, 0x03, 0x04 });
X509Extension ex = new X509Extension (aed, true);
Assert.IsTrue (ex.Critical, "Critical");
Assert.AreEqual (7, ex.RawData.Length, "RawData"); // original Oid ignored
Assert.AreEqual ("2.5.29.37", ex.Oid.Value, "Oid.Value");
Assert.AreEqual ("Enhanced Key Usage", ex.Oid.FriendlyName, "Oid.FriendlyName");
Assert.AreEqual ("Unknown Key Usage (1.2.3.4)" + Environment.NewLine, ex.Format (true), "Format(true)");
Assert.AreEqual ("Unknown Key Usage (1.2.3.4)", ex.Format (false), "Format(false)");
}
public MarshalX509Extension(X509Extension extension)
{
_extension = extension;
_blobPtr = Marshal.AllocHGlobal(extension.RawData.Length);
Marshal.Copy(extension.RawData, 0, _blobPtr, extension.RawData.Length);
var blob = new CRYPT_OBJID_BLOB();
blob.cbData = (uint)extension.RawData.Length;
blob.pbData = _blobPtr;
var nativeExtension = new CERT_EXTENSION();
nativeExtension.fCritical = extension.Critical;
nativeExtension.pszObjId = extension.Oid.Value;
nativeExtension.Value = blob;
_value = nativeExtension;
}
private static bool CheckCertificateUsage(X509Certificate2 cert)
{
try
{
if (cert.Version < 3)
{
return(true);
}
X509KeyUsageExtension x509KeyUsageExtension = (X509KeyUsageExtension)cert.Extensions["2.5.29.15"];
X509EnhancedKeyUsageExtension x509EnhancedKeyUsageExtension = (X509EnhancedKeyUsageExtension)cert.Extensions["2.5.29.37"];
if (x509KeyUsageExtension != null && x509EnhancedKeyUsageExtension != null)
{
if ((x509KeyUsageExtension.KeyUsages & s_flags) == X509KeyUsageFlags.None)
{
return(false);
}
return(x509EnhancedKeyUsageExtension.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || x509EnhancedKeyUsageExtension.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
}
if (x509KeyUsageExtension != null)
{
return((x509KeyUsageExtension.KeyUsages & s_flags) != X509KeyUsageFlags.None);
}
if (x509EnhancedKeyUsageExtension != null)
{
return(x509EnhancedKeyUsageExtension.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || x509EnhancedKeyUsageExtension.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
}
System.Security.Cryptography.X509Certificates.X509Extension x509Extension = cert.Extensions["2.16.840.1.113730.1.1"];
if (x509Extension != null)
{
string text = x509Extension.NetscapeCertType(multiLine: false);
return(text.IndexOf("SSL Server Authentication") != -1);
}
return(true);
IL_0133:
bool result;
return(result);
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR processing certificate: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
return(false);
IL_0162:
bool result;
return(result);
}
}
private static Pkcs10CertificationRequest CreatePKCS10ForComputer(string challengePassword, AsymmetricCipherKeyPair rsaKeyPair)
{
// GenerateSelfSignedCertificate("CN=" + LDAPTools.QuoteRDN(fqdn), out RSA algRSA, out CertificateRequest req, out X509Certificate2 selfSignedCert);
AsnX509.X509ExtensionsGenerator extensions = new AsnX509.X509ExtensionsGenerator();
ISet <string> sanDNSCollection = new HashSet <string>(4);
string hostName = Dns.GetHostName();
sanDNSCollection.Add(hostName);
string fqdn = Dns.GetHostEntry(hostName).HostName;
sanDNSCollection.Add(fqdn);
#if !DEBUG
Domain computerDomain = Domain.GetComputerDomain();
sanDNSCollection.Add(computerDomain.Name);
string NetBIOSDomain = GetNetbiosDomainName(computerDomain.Name);
if (!string.IsNullOrEmpty(NetBIOSDomain))
{
sanDNSCollection.Add(NetBIOSDomain);
}
#endif // !DEBUG
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
foreach (string dnsName in sanDNSCollection)
{
sanBuilder.AddDnsName(dnsName);
}
System.Security.Cryptography.X509Certificates.X509Extension sanExtension = sanBuilder.Build();
extensions.AddExtension(new DerObjectIdentifier(sanExtension.Oid.Value), sanExtension.Critical, sanExtension.RawData);
BCPkcs.AttributePkcs extensionRequest = new BCPkcs.AttributePkcs(BCPkcs.PkcsObjectIdentifiers.Pkcs9AtExtensionRequest, new DerSet(extensions.Generate()));
BCPkcs.AttributePkcs attrPassword = new BCPkcs.AttributePkcs(BCPkcs.PkcsObjectIdentifiers.Pkcs9AtChallengePassword, new DerSet(new DerPrintableString(challengePassword)));
Pkcs10CertificationRequest request = new Pkcs10CertificationRequest(
"SHA256WITHRSA",
new AsnX509.X509Name(new DerObjectIdentifier[] { AsnX509.X509Name.CN }, new string[] { fqdn }),
rsaKeyPair.Public,
new DerSet(extensionRequest, attrPassword),
rsaKeyPair.Private
);
return(request);
}
public SafeX509Extension(X509Extension extension)
{
this.blobPtr = Marshal.AllocHGlobal(extension.RawData.Length);
Marshal.Copy(extension.RawData, 0, this.blobPtr, extension.RawData.Length);
var blob = new CRYPTOAPI_BLOB
{
cbData = (uint)extension.RawData.Length,
pbData = this.blobPtr
};
var nativeExtension = new CERT_EXTENSION
{
fCritical = extension.Critical,
pszObjId = extension.Oid.Value,
Value = blob
};
this.value = nativeExtension;
}
/// <summary>
/// Return the authority key identifier in the certificate.
/// </summary>
private static X509AuthorityKeyIdentifierExtension FindAuthorityKeyIdentifier(X509Certificate2 certificate)
{
for (int ii = 0; ii < certificate.Extensions.Count; ii++)
{
System.Security.Cryptography.X509Certificates.X509Extension extension = certificate.Extensions[ii];
switch (extension.Oid.Value)
{
case X509AuthorityKeyIdentifierExtension.AuthorityKeyIdentifierOid:
case X509AuthorityKeyIdentifierExtension.AuthorityKeyIdentifier2Oid:
{
return(new X509AuthorityKeyIdentifierExtension(extension, extension.Critical));
}
}
}
return(null);
}
internal unsafe X509ExtensionCollection(System.Security.Cryptography.SafeCertContextHandle safeCertContextHandle)
{
this.m_list = new ArrayList();
using (System.Security.Cryptography.SafeCertContextHandle handle = CAPI.CertDuplicateCertificateContext(safeCertContextHandle))
{
CAPIBase.CERT_CONTEXT cert_context = *((CAPIBase.CERT_CONTEXT*) handle.DangerousGetHandle());
CAPIBase.CERT_INFO cert_info = (CAPIBase.CERT_INFO) Marshal.PtrToStructure(cert_context.pCertInfo, typeof(CAPIBase.CERT_INFO));
uint cExtension = cert_info.cExtension;
IntPtr rgExtension = cert_info.rgExtension;
for (uint i = 0; i < cExtension; i++)
{
X509Extension asnEncodedData = new X509Extension(new IntPtr(((long) rgExtension) + (i * Marshal.SizeOf(typeof(CAPIBase.CERT_EXTENSION)))));
X509Extension extension2 = CryptoConfig.CreateFromName(asnEncodedData.Oid.Value) as X509Extension;
if (extension2 != null)
{
extension2.CopyFrom(asnEncodedData);
asnEncodedData = extension2;
}
this.Add(asnEncodedData);
}
}
}
public void WrongExtension_X509Extension ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte [0], true);
X509KeyUsageExtension ku = new X509KeyUsageExtension (X509KeyUsageFlags.CrlSign, true);
ku.CopyFrom (ex);
Assert.IsTrue (ku.Critical, "Critical");
Assert.AreEqual (String.Empty, BitConverter.ToString (ku.RawData), "RawData");
Assert.AreEqual ("1.2.3", ku.Oid.Value, "Oid.Value");
Assert.IsNull (ku.Oid.FriendlyName, "Oid.FriendlyName");
}
public void WrongExtension_X509Extension_CertificateAuthority ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension ();
bc.CopyFrom (ex);
bool b = bc.CertificateAuthority;
}
public void WrongExtension_X509Extension ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension (false, true, 1, false);
Assert.IsFalse (bc.Critical, "Critical");
bc.CopyFrom (ex);
Assert.IsTrue (bc.Critical, "Critical");
Assert.AreEqual (String.Empty, BitConverter.ToString (bc.RawData), "RawData");
Assert.AreEqual ("1.2.3", bc.Oid.Value, "Oid.Value");
Assert.IsNull (bc.Oid.FriendlyName, "Oid.FriendlyName");
}
/// <summary>
/// Initializes a new instance of the <see cref="X509ExtensionWrapper"/> class.
/// </summary>
/// <param name="extension">The extension.</param>
public X509SimpleExtensionWrapper(X509Extension extension)
: base(extension)
{
x509 = extension;
}
public static X509ExtensionWrapper Create(X509Extension extension)
{
if (extension == null) return null;
else if (extension is X509BasicConstraintsExtension)
return new X509BasicConstraintsExtensionWrapper((X509BasicConstraintsExtension)extension);
else if (extension is X509EnhancedKeyUsageExtension)
return new X509EnhancedKeyUsageExtensionWrapper((X509EnhancedKeyUsageExtension)extension);
else if (extension is X509KeyUsageExtension)
return new X509KeyUsageExtensionWrapper((X509KeyUsageExtension)extension);
else if (extension is X509SubjectKeyIdentifierExtension)
return new X509SubjectKeyIdentifierExtensionWrapper((X509SubjectKeyIdentifierExtension)extension);
else return new X509SimpleExtensionWrapper(extension);
}
public void Build_NetscapeCertTypeExtension ()
{
X509Extension ex = new X509Extension (new Oid ("2.16.840.1.113730.1.1"), new byte[] { 0x03, 0x02, 0x00, 0xFF }, false);
// strangely no NewLine is being appended to Format(true)
// FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows.
//Assert.AreEqual ("SSL Client Authentication, SSL Server Authentication, SMIME, Signature, Unknown cert type, SSL CA, SMIME CA, Signature CA (ff)", ex.Format (true), "aed.Format(true)");
//Assert.AreEqual ("SSL Client Authentication, SSL Server Authentication, SMIME, Signature, Unknown cert type, SSL CA, SMIME CA, Signature CA (ff)", ex.Format (false), "aed.Format(false)");
}
/// <summary>
/// Gets certificate revocation list sequence number.
/// </summary>
/// <returns>Certificate revocation list sequence number.</returns>
/// <remarks>If CRL is X.509 CRL Version 1, or CRL does not contains 'CRL Number' extension, a zero is returned.</remarks>
public BigInteger GetCRLNumber()
{
X509Extension e = _extensions[X509ExtensionOid.CRLNumber];
return(((X509CRLNumberExtension)e)?.CRLNumber ?? 0);
}
private static bool CheckCertificateUsage(System.Security.Cryptography.X509Certificates.X509Certificate2 cert)
{
bool result;
try
{
if (cert.Version < 3)
{
result = true;
}
else
{
System.Security.Cryptography.X509Certificates.X509KeyUsageExtension x509KeyUsageExtension = (System.Security.Cryptography.X509Certificates.X509KeyUsageExtension)cert.Extensions["2.5.29.15"];
System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension x509EnhancedKeyUsageExtension = (System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension)cert.Extensions["2.5.29.37"];
if (x509KeyUsageExtension != null && x509EnhancedKeyUsageExtension != null)
{
if ((x509KeyUsageExtension.KeyUsages & ServicePointManager.ChainValidationHelper.s_flags) == System.Security.Cryptography.X509Certificates.X509KeyUsageFlags.None)
{
result = false;
}
else
{
result = (x509EnhancedKeyUsageExtension.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || x509EnhancedKeyUsageExtension.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
}
}
else if (x509KeyUsageExtension != null)
{
result = ((x509KeyUsageExtension.KeyUsages & ServicePointManager.ChainValidationHelper.s_flags) != System.Security.Cryptography.X509Certificates.X509KeyUsageFlags.None);
}
else if (x509EnhancedKeyUsageExtension != null)
{
result = (x509EnhancedKeyUsageExtension.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || x509EnhancedKeyUsageExtension.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null);
}
else
{
System.Security.Cryptography.X509Certificates.X509Extension x509Extension = cert.Extensions["2.16.840.1.113730.1.1"];
if (x509Extension != null)
{
string text = x509Extension.NetscapeCertType(false);
result = (text.IndexOf("SSL Server Authentication") != -1);
}
else
{
result = true;
}
}
}
}
catch (Exception arg)
{
Console.Error.WriteLine("ERROR processing certificate: {0}", arg);
Console.Error.WriteLine("Please, report this problem to the Mono team");
result = false;
}
return(result);
}
private static void ReadCertPolicyConstraintsExtension(X509Extension extension, CertificatePolicy policy)
{
DerSequenceReader reader = new DerSequenceReader(extension.RawData);
while (reader.HasData)
{
// Policy Constraints context specific tag values are defined in RFC 3280 4.2.1.12,
// and restated (unchanged) in RFC 5280 4.2.1.11.
switch (reader.PeekTag())
{
case DerSequenceReader.ContextSpecificTagFlag | 0:
policy.RequireExplicitPolicyDepth = reader.ReadInteger();
break;
case DerSequenceReader.ContextSpecificTagFlag | 1:
policy.InhibitMappingDepth = reader.ReadInteger();
break;
default:
if (extension.Critical)
{
// If an unknown value is read, but we're marked as critical,
// then we don't know what we're doing and MUST fail validation
// (RFC 3280).
// If it isn't critical then it means we're allowed to be ignorant
// of data defined more recently than we understand.
throw new CryptographicException();
}
break;
}
}
}
internal static ISet<string> ReadCertPolicyExtension(X509Extension extension)
{
DerSequenceReader reader = new DerSequenceReader(extension.RawData);
HashSet<string> policies = new HashSet<string>();
while (reader.HasData)
{
DerSequenceReader policyInformation = reader.ReadSequence();
policies.Add(policyInformation.ReadOidAsString());
// There is an optional policy qualifier here, but it is for information
// purposes, there is no logic that would be changed.
// Since reader (the outer one) has already skipped past the rest of the
// sequence we don't particularly need to drain out here.
}
return policies;
}
// methods
public int Add (X509Extension extension)
{
return _list.Add (extension);
}
public void ConstructorAsnEncodedData_BadAsn ()
{
AsnEncodedData aed = new AsnEncodedData ("1.2.3", new byte[0]);
X509Extension ex = new X509Extension (aed, true);
Assert.AreEqual (String.Empty, ex.Format (true), "Format(true)");
Assert.AreEqual (String.Empty, ex.Format (false), "Format(false)");
// no exception for an "empty" extension
}
public void ConstructorAsnEncodedData_WithNullOid ()
{
AsnEncodedData aed = new AsnEncodedData (new byte[] { 0x30, 0x05, 0x06, 0x03, 0x2A, 0x03, 0x04 });
X509Extension eku = new X509Extension (aed, true);
}
public void WrongExtension_X509Extension_KeyUsages ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509KeyUsageExtension ku = new X509KeyUsageExtension ();
ku.CopyFrom (ex);
Assert.AreEqual (0, ku.KeyUsages, "KeyUsages");
}
internal X509AuthorityKeyIdentifierExtension(X509Extension untypedAkid)
: base(untypedAkid, untypedAkid.Critical)
{
_decoded = false;
}
public int Add(X509Extension extension)
{
return(default(int));
}
private static unsafe CertificateRequest LoadSigningRequest(
ReadOnlySpan <byte> pkcs10,
bool permitTrailingData,
HashAlgorithmName signerHashAlgorithm,
out int bytesConsumed,
CertificateRequestLoadOptions options,
RSASignaturePadding?signerSignaturePadding)
{
ArgumentException.ThrowIfNullOrEmpty(signerHashAlgorithm.Name, nameof(signerHashAlgorithm));
if ((options & ~AllOptions) != 0)
{
throw new ArgumentOutOfRangeException(nameof(options), options, SR.Argument_InvalidFlag);
}
bool skipSignatureValidation =
(options & CertificateRequestLoadOptions.SkipSignatureValidation) != 0;
bool unsafeLoadCertificateExtensions =
(options & CertificateRequestLoadOptions.UnsafeLoadCertificateExtensions) != 0;
try
{
AsnValueReader outer = new AsnValueReader(pkcs10, AsnEncodingRules.DER);
int encodedLength = outer.PeekEncodedValue().Length;
AsnValueReader pkcs10Asn = outer.ReadSequence();
CertificateRequest req;
if (!permitTrailingData)
{
outer.ThrowIfNotEmpty();
}
fixed(byte *p10ptr = pkcs10)
{
using (PointerMemoryManager <byte> manager = new PointerMemoryManager <byte>(p10ptr, encodedLength))
{
ReadOnlyMemory <byte> rebind = manager.Memory;
ReadOnlySpan <byte> encodedRequestInfo = pkcs10Asn.PeekEncodedValue();
CertificationRequestInfoAsn requestInfo;
AlgorithmIdentifierAsn algorithmIdentifier;
ReadOnlySpan <byte> signature;
int signatureUnusedBitCount;
CertificationRequestInfoAsn.Decode(ref pkcs10Asn, rebind, out requestInfo);
AlgorithmIdentifierAsn.Decode(ref pkcs10Asn, rebind, out algorithmIdentifier);
if (!pkcs10Asn.TryReadPrimitiveBitString(out signatureUnusedBitCount, out signature))
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}
pkcs10Asn.ThrowIfNotEmpty();
if (requestInfo.Version < 0)
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}
// They haven't bumped from v0 to v1 as of 2022.
const int MaxSupportedVersion = 0;
if (requestInfo.Version != MaxSupportedVersion)
{
throw new CryptographicException(
SR.Format(
SR.Cryptography_CertReq_Load_VersionTooNew,
requestInfo.Version,
MaxSupportedVersion));
}
PublicKey publicKey = PublicKey.DecodeSubjectPublicKeyInfo(ref requestInfo.SubjectPublicKeyInfo);
if (!skipSignatureValidation)
{
// None of the supported signature algorithms support signatures that are not full bytes.
// So, shortcut the verification on the bit length
if (signatureUnusedBitCount != 0 ||
!VerifyX509Signature(encodedRequestInfo, signature, publicKey, algorithmIdentifier))
{
throw new CryptographicException(SR.Cryptography_CertReq_SignatureVerificationFailed);
}
}
X500DistinguishedName subject = new X500DistinguishedName(requestInfo.Subject.Span);
req = new CertificateRequest(
subject,
publicKey,
signerHashAlgorithm,
signerSignaturePadding);
if (requestInfo.Attributes is not null)
{
bool foundCertExt = false;
foreach (AttributeAsn attr in requestInfo.Attributes)
{
if (attr.AttrType == Oids.Pkcs9ExtensionRequest)
{
if (foundCertExt)
{
throw new CryptographicException(
SR.Cryptography_CertReq_Load_DuplicateExtensionRequests);
}
foundCertExt = true;
if (attr.AttrValues.Length != 1)
{
throw new CryptographicException(
SR.Cryptography_CertReq_Load_DuplicateExtensionRequests);
}
AsnValueReader extsReader = new AsnValueReader(
attr.AttrValues[0].Span,
AsnEncodingRules.DER);
AsnValueReader exts = extsReader.ReadSequence();
extsReader.ThrowIfNotEmpty();
// Minimum length is 1, so do..while
do
{
X509ExtensionAsn.Decode(ref exts, rebind, out X509ExtensionAsn extAsn);
if (unsafeLoadCertificateExtensions)
{
X509Extension ext = new X509Extension(
extAsn.ExtnId,
extAsn.ExtnValue.Span,
extAsn.Critical);
X509Extension?rich =
X509Certificate2.CreateCustomExtensionIfAny(extAsn.ExtnId);
if (rich is not null)
{
rich.CopyFrom(ext);
req.CertificateExtensions.Add(rich);
}
else
{
req.CertificateExtensions.Add(ext);
}
}
} while (exts.HasData);
}
else
{
if (attr.AttrValues.Length == 0)
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}
foreach (ReadOnlyMemory <byte> val in attr.AttrValues)
{
req.OtherRequestAttributes.Add(
new AsnEncodedData(attr.AttrType, val.Span));
}
}
}
}
}
}
bytesConsumed = encodedLength;
return(req);
}
catch (AsnContentException e)
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding, e);
}
}
public int Add(X509Extension extension)
{
throw new NotImplementedException();
}
/// <summary>
/// Qualification of extension by type
/// </summary>
/// <param name="asn1Encodable"></param>
/// <returns></returns>
private System.Security.Cryptography.X509Certificates.X509Extension QualificationExtension(Asn1Encodable asn1Encodable)
{
Asn1Sequence s = Asn1Sequence.GetInstance(asn1Encodable.ToAsn1Object());
if (s.Count < 2 || s.Count > 3)
{
throw new ArgumentException("Bad sequence size: " + s.Count);
}
DerObjectIdentifier oid = DerObjectIdentifier.GetInstance(s[0].ToAsn1Object());
bool isCritical = s.Count == 3 &&
DerBoolean.GetInstance(s[1].ToAsn1Object()).IsTrue;
Asn1OctetString octets = Asn1OctetString.GetInstance(s[s.Count - 1].ToAsn1Object());
var extension = new System.Security.Cryptography.X509Certificates.X509Extension(new Oid(oid.Id), octets.GetOctets(), isCritical);
var value = Asn1Object.FromByteArray(octets.GetOctets());
switch (extension.Oid.Value)
{
case OidExtensions.SubjectKeyIdentifier:
var spki = Asn1OctetString.GetInstance(value).GetOctets();
extension = new X509SubjectKeyIdentifierExtension(spki, isCritical);
break;
case OidExtensions.ExtKeyUsage:
var bcEKU = ExtendedKeyUsage.GetInstance(value);
var collectionFlags = new OidCollection();
foreach (DerObjectIdentifier item in bcEKU.GetAllUsages())
{
collectionFlags.Add(new Oid(item.Id));
}
extension = new X509EnhancedKeyUsageExtension(collectionFlags, isCritical);
break;
case OidExtensions.KeyUsage:
var bitString = DerBitString.GetInstance(value);
byte[] data = bitString.GetBytes();
var keyUsage = data.Length == 1
? data[0] & 0xff
: (data[1] & 0xff) << 8 | (data[0] & 0xff);
extension = new X509KeyUsageExtension((X509KeyUsageFlags)keyUsage, isCritical);
break;
case OidExtensions.BasicConstraints:
var bcBC = BasicConstraints.GetInstance(value);
extension = new X509BasicConstraintsExtension(bcBC.IsCA(), true, bcBC.PathLenConstraint.IntValue, isCritical);
break;
case OidExtensions.TemplateV2:
extension = new X509TemplateExtensionV2(octets.GetOctets(), isCritical);
break;
case OidExtensions.TemplateV1:
extension = new X509TemplateExtensionV1(octets.GetOctets(), isCritical);
break;
default:
break;
}
return(extension);
}
private static int ReadInhibitAnyPolicyExtension(X509Extension extension)
{
DerSequenceReader reader = DerSequenceReader.CreateForPayload(extension.RawData);
return reader.ReadInteger();
}
public override string ToString(bool verbose)
{
if (!verbose || this.m_safeCertContext.IsInvalid)
{
return(this.ToString());
}
StringBuilder sb = new StringBuilder();
sb.Append("[Version]" + Environment.NewLine + " ");
sb.Append("V" + this.Version);
sb.Append(Environment.NewLine + Environment.NewLine + "[Subject]" + Environment.NewLine + " ");
sb.Append(this.SubjectName.Name);
string nameInfo = this.GetNameInfo(X509NameType.SimpleName, false);
if (nameInfo.Length > 0)
{
sb.Append(Environment.NewLine + " Simple Name: ");
sb.Append(nameInfo);
}
string str2 = this.GetNameInfo(X509NameType.EmailName, false);
if (str2.Length > 0)
{
sb.Append(Environment.NewLine + " Email Name: ");
sb.Append(str2);
}
string str3 = this.GetNameInfo(X509NameType.UpnName, false);
if (str3.Length > 0)
{
sb.Append(Environment.NewLine + " UPN Name: ");
sb.Append(str3);
}
string str4 = this.GetNameInfo(X509NameType.DnsName, false);
if (str4.Length > 0)
{
sb.Append(Environment.NewLine + " DNS Name: ");
sb.Append(str4);
}
sb.Append(Environment.NewLine + Environment.NewLine + "[Issuer]" + Environment.NewLine + " ");
sb.Append(this.IssuerName.Name);
nameInfo = this.GetNameInfo(X509NameType.SimpleName, true);
if (nameInfo.Length > 0)
{
sb.Append(Environment.NewLine + " Simple Name: ");
sb.Append(nameInfo);
}
str2 = this.GetNameInfo(X509NameType.EmailName, true);
if (str2.Length > 0)
{
sb.Append(Environment.NewLine + " Email Name: ");
sb.Append(str2);
}
str3 = this.GetNameInfo(X509NameType.UpnName, true);
if (str3.Length > 0)
{
sb.Append(Environment.NewLine + " UPN Name: ");
sb.Append(str3);
}
str4 = this.GetNameInfo(X509NameType.DnsName, true);
if (str4.Length > 0)
{
sb.Append(Environment.NewLine + " DNS Name: ");
sb.Append(str4);
}
sb.Append(Environment.NewLine + Environment.NewLine + "[Serial Number]" + Environment.NewLine + " ");
sb.Append(this.SerialNumber);
sb.Append(Environment.NewLine + Environment.NewLine + "[Not Before]" + Environment.NewLine + " ");
sb.Append(X509Certificate.FormatDate(this.NotBefore));
sb.Append(Environment.NewLine + Environment.NewLine + "[Not After]" + Environment.NewLine + " ");
sb.Append(X509Certificate.FormatDate(this.NotAfter));
sb.Append(Environment.NewLine + Environment.NewLine + "[Thumbprint]" + Environment.NewLine + " ");
sb.Append(this.Thumbprint);
sb.Append(Environment.NewLine + Environment.NewLine + "[Signature Algorithm]" + Environment.NewLine + " ");
sb.Append(this.SignatureAlgorithm.FriendlyName + "(" + this.SignatureAlgorithm.Value + ")");
System.Security.Cryptography.X509Certificates.PublicKey publicKey = this.PublicKey;
sb.Append(Environment.NewLine + Environment.NewLine + "[Public Key]" + Environment.NewLine + " Algorithm: ");
sb.Append(publicKey.Oid.FriendlyName);
sb.Append(Environment.NewLine + " Length: ");
sb.Append(publicKey.Key.KeySize);
sb.Append(Environment.NewLine + " Key Blob: ");
sb.Append(publicKey.EncodedKeyValue.Format(true));
sb.Append(Environment.NewLine + " Parameters: ");
sb.Append(publicKey.EncodedParameters.Format(true));
this.AppendPrivateKeyInfo(sb);
X509ExtensionCollection extensions = this.Extensions;
if (extensions.Count > 0)
{
sb.Append(Environment.NewLine + Environment.NewLine + "[Extensions]");
X509ExtensionEnumerator enumerator = extensions.GetEnumerator();
while (enumerator.MoveNext())
{
X509Extension current = enumerator.Current;
sb.Append(Environment.NewLine + "* " + current.Oid.FriendlyName + "(" + current.Oid.Value + "):" + Environment.NewLine + " " + current.Format(true));
}
}
sb.Append(Environment.NewLine);
return(sb.ToString());
}
private static ISet<string> ReadExtendedKeyUsageExtension(X509Extension extension)
{
X509EnhancedKeyUsageExtension ekusExtension = (X509EnhancedKeyUsageExtension)extension;
HashSet<string> oids = new HashSet<string>();
foreach (Oid oid in ekusExtension.EnhancedKeyUsages)
{
oids.Add(oid.Value);
}
return oids;
}
public void WrongExtension_X509Extension ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
OidCollection oc = new OidCollection ();
oc.Add (new Oid ("1.2.3.4"));
X509EnhancedKeyUsageExtension eku = new X509EnhancedKeyUsageExtension (oc, false);
Assert.AreEqual (1, eku.EnhancedKeyUsages.Count, "EnhancedKeyUsages");
Assert.IsFalse (eku.Critical, "Critical");
eku.CopyFrom (ex);
Assert.IsTrue (eku.Critical, "Critical");
Assert.AreEqual (String.Empty, BitConverter.ToString (eku.RawData), "RawData");
Assert.AreEqual ("1.2.3", eku.Oid.Value, "Oid.Value");
Assert.IsNull (eku.Oid.FriendlyName, "Oid.FriendlyName");
}
private static List<CertificatePolicyMapping> ReadCertPolicyMappingsExtension(X509Extension extension)
{
DerSequenceReader reader = new DerSequenceReader(extension.RawData);
List<CertificatePolicyMapping> mappings = new List<CertificatePolicyMapping>();
while (reader.HasData)
{
DerSequenceReader mappingSequence = reader.ReadSequence();
mappings.Add(
new CertificatePolicyMapping
{
IssuerDomainPolicy = mappingSequence.ReadOidAsString(),
SubjectDomainPolicy = mappingSequence.ReadOidAsString(),
});
}
return mappings;
}
public void WrongExtension_X509Extension_KeyUsages ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509EnhancedKeyUsageExtension eku = new X509EnhancedKeyUsageExtension ();
eku.CopyFrom (ex);
Assert.AreEqual (0, eku.EnhancedKeyUsages.Count, "EnhancedKeyUsages");
}
internal unsafe X509ExtensionCollection(SafeCertContextHandle safeCertContextHandle) {
using (SafeCertContextHandle certContext = CAPI.CertDuplicateCertificateContext(safeCertContextHandle)) {
CAPI.CERT_CONTEXT pCertContext = *((CAPI.CERT_CONTEXT*) certContext.DangerousGetHandle());
CAPI.CERT_INFO pCertInfo = (CAPI.CERT_INFO) Marshal.PtrToStructure(pCertContext.pCertInfo, typeof(CAPI.CERT_INFO));
uint cExtensions = pCertInfo.cExtension;
IntPtr rgExtensions = pCertInfo.rgExtension;
for (uint index = 0; index < cExtensions; index++) {
X509Extension extension = new X509Extension(new IntPtr((long)rgExtensions + (index * Marshal.SizeOf(typeof(CAPI.CERT_EXTENSION)))));
X509Extension customExtension = CryptoConfig.CreateFromName(extension.Oid.Value) as X509Extension;
if (customExtension != null) {
customExtension.CopyFrom(extension);
extension = customExtension;
}
Add(extension);
}
}
}
public void WrongExtension_X509Extension ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509SubjectKeyIdentifierExtension ski = new X509SubjectKeyIdentifierExtension ("www.go-mono.com", false); // odd length
Assert.IsFalse (ski.Critical, "Critical");
Assert.AreEqual ("FFFFFFFFFFFFFF", ski.SubjectKeyIdentifier, "SubjectKeyIdentifier");
Assert.AreEqual ("ff ff ff ff ff ff ff" + Environment.NewLine, ski.Format (true), "Format(true)");
Assert.AreEqual ("ff ff ff ff ff ff ff", ski.Format (false), "Format(false)");
ski.CopyFrom (ex);
Assert.IsTrue (ski.Critical, "Critical");
Assert.AreEqual (String.Empty, BitConverter.ToString (ski.RawData), "RawData");
Assert.AreEqual ("1.2.3", ski.Oid.Value, "Oid.Value");
// FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows.
//Assert.IsNull (ski.Oid.FriendlyName, "Oid.FriendlyName");
Assert.AreEqual (String.Empty, ski.Format (true), "Format(true)");
Assert.AreEqual (String.Empty, ski.Format (false), "Format(false)");
}
// static initializer runs only when one of the properties is accessed
static X509SubjectAlternativeNameConstants()
{
// Extracted a well-known X509Extension
byte[] x509ExtensionBytes = new byte[] {
48, 36, 130, 21, 110, 111, 116, 45, 114, 101, 97, 108, 45, 115, 117, 98, 106, 101, 99,
116, 45, 110, 97, 109, 101, 130, 11, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109
};
const string subjectName1 = "not-real-subject-name";
try
{
X509Extension x509Extension = new X509Extension(Oid, x509ExtensionBytes, true);
string x509ExtensionFormattedString = x509Extension.Format(false);
// Each OS has a different dNSName identifier and delimiter
// On Windows, dNSName == "DNS Name" (localizable), on Linux, dNSName == "DNS"
// e.g.,
// Windows: x509ExtensionFormattedString is: "DNS Name=not-real-subject-name, DNS Name=example.com"
// Linux: x509ExtensionFormattedString is: "DNS:not-real-subject-name, DNS:example.com"
// Parse: <identifier><delimter><value><separator(s)>
int delimiterIndex = x509ExtensionFormattedString.IndexOf(subjectName1) - 1;
_delimiter = x509ExtensionFormattedString[delimiterIndex];
// Make an assumption that all characters from the the start of string to the delimiter
// are part of the identifier
_identifier = x509ExtensionFormattedString.Substring(0, delimiterIndex);
int separatorFirstChar = delimiterIndex + subjectName1.Length + 1;
int separatorLength = 1;
for (int i = separatorFirstChar + 1; i < x509ExtensionFormattedString.Length; i++)
{
// We advance until the first character of the identifier to determine what the
// separator is. This assumes that the identifier assumption above is correct
if (x509ExtensionFormattedString[i] == _identifier[0])
{
break;
}
separatorLength++;
}
_separator = x509ExtensionFormattedString.Substring(separatorFirstChar, separatorLength);
_successfullyInitialized = true;
}
catch (Exception ex)
{
_successfullyInitialized = false;
_initializationException = ex;
}
}
public void WrongExtension_X509Extension_CertificateAuthority ()
{
X509Extension ex = new X509Extension ("1.2.3", new byte[0], true);
X509SubjectKeyIdentifierExtension ski = new X509SubjectKeyIdentifierExtension ();
ski.CopyFrom (ex);
string s = ski.SubjectKeyIdentifier;
}
public void CopyTo(X509Extension[] array, int index)
{
((ICollection)this).CopyTo(array, index);
}
/// <summary>
/// Initializes a new instance of the <see cref="X509ExtensionWrapper"/> class.
/// </summary>
/// <param name="extension">The extension.</param>
protected X509ExtensionWrapper(X509Extension extension)
{
x509ext = extension;
}
