/// <summary> /// Returns the token from the cert in the given cert store. /// </summary> public async static Task <string> ReadAsync(string name, string storeType, string storePath) { string token = null; // handle each store type differently switch (storeType) { case CertificateStoreType.Directory: { // search a non expired cert with the given subject in the directory cert store and return the token using (DirectoryCertificateStore store = new DirectoryCertificateStore()) { store.Open(storePath); X509CertificateCollection certificates = await store.Enumerate(); foreach (X509Certificate2 cert in certificates) { if ((token = CheckForToken(cert, name)) != null) { return(token); } } } break; } case CertificateStoreType.X509Store: { // search a non expired cert with the given subject in the X509 cert store and return the token using (X509Store store = new X509Store(storePath, StoreLocation.CurrentUser)) { store.Open(OpenFlags.ReadOnly); foreach (X509Certificate2 cert in store.Certificates) { if ((token = CheckForToken(cert, name)) != null) { return(token); } } } break; } default: { throw new Exception($"The requested store type '{storeType}' is not supported. Please change."); } } return(null); }
/// <summary> /// Ctor of the store, creates the random path name in a OS temp folder. /// </summary> private TemporaryCertValidator(bool rejectedStore) { // pki directory root for test runs. m_pkiRoot = Path.GetTempPath() + Path.GetRandomFileName() + Path.DirectorySeparatorChar; m_issuerStore = new DirectoryCertificateStore(); m_issuerStore.Open(m_pkiRoot + "issuer"); m_trustedStore = new DirectoryCertificateStore(); m_trustedStore.Open(m_pkiRoot + "trusted"); if (rejectedStore) { m_rejectedStore = new DirectoryCertificateStore(); m_rejectedStore.Open(m_pkiRoot + "rejected"); } }
/// <summary> /// Creates a cert with the connectionstring (token) and stores it in the given cert store. /// </summary> public async static Task WriteAsync(string name, string connectionString, string storeType, string storePath) { if (string.IsNullOrEmpty(connectionString)) { throw new ArgumentException("Token not found in X509Store and no new token provided!"); } SecureRandom random = new SecureRandom(); KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048); RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); AsymmetricCipherKeyPair keys = keyPairGenerator.GenerateKeyPair(); ArrayList nameOids = new ArrayList(); nameOids.Add(X509Name.CN); ArrayList nameValues = new ArrayList(); nameValues.Add(name); X509Name subjectDN = new X509Name(nameOids, nameValues); X509Name issuerDN = subjectDN; X509V3CertificateGenerator cg = new X509V3CertificateGenerator(); cg.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random)); cg.SetIssuerDN(issuerDN); cg.SetSubjectDN(subjectDN); cg.SetNotBefore(DateTime.Now); cg.SetNotAfter(DateTime.Now.AddMonths(12)); cg.SetPublicKey(keys.Public); cg.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DataEncipherment)); // encrypt the token with the public key so only the owner of the assoc. private key can decrypt it and // "hide" it in the instruction code cert extension RSA rsa = RSA.Create(); RSAParameters rsaParams = new RSAParameters(); RsaKeyParameters keyParams = (RsaKeyParameters)keys.Public; rsaParams.Modulus = new byte[keyParams.Modulus.ToByteArrayUnsigned().Length]; keyParams.Modulus.ToByteArrayUnsigned().CopyTo(rsaParams.Modulus, 0); rsaParams.Exponent = new byte[keyParams.Exponent.ToByteArrayUnsigned().Length]; keyParams.Exponent.ToByteArrayUnsigned().CopyTo(rsaParams.Exponent, 0); rsa.ImportParameters(rsaParams); if (rsa != null) { byte[] bytes = rsa.Encrypt(Encoding.ASCII.GetBytes(connectionString), RSAEncryptionPadding.OaepSHA1); if (bytes != null) { cg.AddExtension(X509Extensions.InstructionCode, false, bytes); } else { RsaUtils.RSADispose(rsa); throw new CryptographicException("Can not encrypt IoTHub security token using generated public key!"); } } RsaUtils.RSADispose(rsa); // sign the cert with the private key ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", keys.Private, random); Org.BouncyCastle.X509.X509Certificate x509 = cg.Generate(signatureFactory); // create a PKCS12 store for the cert and its private key X509Certificate2 certificate = null; using (MemoryStream pfxData = new MemoryStream()) { Pkcs12StoreBuilder builder = new Pkcs12StoreBuilder(); builder.SetUseDerEncoding(true); Pkcs12Store pkcsStore = builder.Build(); X509CertificateEntry[] chain = new X509CertificateEntry[1]; string passcode = Guid.NewGuid().ToString(); chain[0] = new X509CertificateEntry(x509); pkcsStore.SetKeyEntry(name, new AsymmetricKeyEntry(keys.Private), chain); pkcsStore.Save(pfxData, passcode.ToCharArray(), random); // create X509Certificate2 object from PKCS12 file certificate = CertificateFactory.CreateCertificateFromPKCS12(pfxData.ToArray(), passcode); // handle each store type differently switch (storeType) { case CertificateStoreType.Directory: { // Add to DirectoryStore using (DirectoryCertificateStore store = new DirectoryCertificateStore()) { store.Open(storePath); X509CertificateCollection certificates = await store.Enumerate(); // remove any existing cert with our name from the store foreach (X509Certificate2 cert in certificates) { if (cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase)) { await store.Delete(cert.Thumbprint); } } // add new one await store.Add(certificate); } break; } case CertificateStoreType.X509Store: { // Add to X509Store using (X509Store store = new X509Store(storePath, StoreLocation.CurrentUser)) { store.Open(OpenFlags.ReadWrite); // remove any existing cert with our name from the store foreach (X509Certificate2 cert in store.Certificates) { if (cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase)) { store.Remove(cert); } } // add new cert to store try { store.Add(certificate); } catch (Exception e) { throw new Exception($"Not able to add cert to the requested store type '{storeType}' (exception message: '{e.Message}'."); } } break; } default: { throw new Exception($"The requested store type '{storeType}' is not supported. Please change."); } } return; } }
protected void OneTimeSetUp() { // set max RSA key size and max SHA-2 hash size ushort keySize = 4096; ushort hashSize = 512; // pki directory root for test runs. m_pkiRoot = "%LocalApplicationData%/OPC/CertValidatorTest/" + ((DateTime.UtcNow.Ticks / 10000) % 3600000).ToString() + "/"; m_issuerStore = new DirectoryCertificateStore(); m_issuerStore.Open(m_pkiRoot + "issuer"); m_trustedStore = new DirectoryCertificateStore(); m_trustedStore.Open(m_pkiRoot + "trusted"); // good applications test set var appTestDataGenerator = new ApplicationTestDataGenerator(1); m_goodApplicationTestSet = appTestDataGenerator.ApplicationTestSet(kGoodApplicationsTestCount); // create all certs and CRL m_caChain = new X509Certificate2[kCaChainCount]; m_caDupeChain = new X509Certificate2[kCaChainCount]; m_caAllSameIssuerChain = new X509Certificate2[kCaChainCount]; m_crlChain = new X509CRL[kCaChainCount]; m_crlDupeChain = new X509CRL[kCaChainCount]; m_crlRevokedChain = new X509CRL[kCaChainCount]; m_appCerts = new X509Certificate2Collection(); m_appSelfSignedCerts = new X509Certificate2Collection(); DateTime rootCABaseTime = DateTime.UtcNow; rootCABaseTime = new DateTime(rootCABaseTime.Year - 1, 1, 1); var rootCert = CertificateFactory.CreateCertificate( null, null, null, null, null, "CN=Root CA Test Cert", null, keySize, rootCABaseTime, 25 * 12, hashSize, true, pathLengthConstraint: -1); m_caChain[0] = rootCert; m_crlChain[0] = CertificateFactory.RevokeCertificate(rootCert, null, null); m_caDupeChain[0] = CertificateFactory.CreateCertificate( null, null, null, null, null, "CN=Root CA Test Cert", null, keySize, rootCABaseTime, 25 * 12, hashSize, true, pathLengthConstraint: -1); m_crlDupeChain[0] = CertificateFactory.RevokeCertificate(m_caDupeChain[0], null, null); m_crlRevokedChain[0] = null; var signingCert = rootCert; DateTime subCABaseTime = DateTime.UtcNow; subCABaseTime = new DateTime(subCABaseTime.Year, subCABaseTime.Month, subCABaseTime.Day); for (int i = 1; i < kCaChainCount; i++) { if (keySize > 2048) { keySize -= 1024; } if (hashSize > 256) { hashSize -= 128; } var subject = $"CN=Sub CA {i} Test Cert"; var subCACert = CertificateFactory.CreateCertificate( null, null, null, null, null, subject, null, keySize, subCABaseTime, 5 * 12, hashSize, true, signingCert, pathLengthConstraint: kCaChainCount - 1 - i); m_caChain[i] = subCACert; m_crlChain[i] = CertificateFactory.RevokeCertificate(subCACert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10)); var subCADupeCert = CertificateFactory.CreateCertificate( null, null, null, null, null, subject, null, keySize, subCABaseTime, 5 * 12, hashSize, true, signingCert, pathLengthConstraint: kCaChainCount - 1 - i); m_caDupeChain[i] = subCADupeCert; m_crlDupeChain[i] = CertificateFactory.RevokeCertificate(subCADupeCert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10)); m_crlRevokedChain[i] = null; signingCert = subCACert; } // create a CRL with a revoked Sub CA for (int i = 0; i < kCaChainCount - 1; i++) { m_crlRevokedChain[i] = CertificateFactory.RevokeCertificate( m_caChain[i], new List <X509CRL>() { m_crlChain[i] }, new X509Certificate2Collection { m_caChain[i + 1] }); } // create self signed app certs DateTime appBaseTime = DateTime.UtcNow - TimeSpan.FromDays(1); foreach (var app in m_goodApplicationTestSet) { var subject = app.Subject; var appCert = CertificateFactory.CreateCertificate( null, null, null, app.ApplicationUri, app.ApplicationName, subject, app.DomainNames, CertificateFactory.DefaultKeySize, appBaseTime, 2 * 12, CertificateFactory.DefaultHashSize); m_appSelfSignedCerts.Add(appCert); } // create signed app certs foreach (var app in m_goodApplicationTestSet) { var subject = app.Subject; var appCert = CertificateFactory.CreateCertificate( null, null, null, app.ApplicationUri, app.ApplicationName, subject, app.DomainNames, CertificateFactory.DefaultKeySize, appBaseTime, 2 * 12, CertificateFactory.DefaultHashSize, false, signingCert); app.Certificate = appCert.RawData; m_appCerts.Add(appCert); } // create a CRL with all apps revoked m_crlRevokedChain[kCaChainCount - 1] = CertificateFactory.RevokeCertificate( m_caChain[kCaChainCount - 1], new List <X509CRL>() { m_crlChain[kCaChainCount - 1] }, m_appCerts); }
protected void OneTimeSetUp() { // set max RSA key size and max SHA-2 hash size ushort keySize = 4096; ushort hashSize = 512; // pki directory root for test runs. m_pkiRoot = "%LocalApplicationData%/OPC/CertValidatorTest/" + ((DateTime.UtcNow.Ticks / 10000) % 3600000).ToString() + "/"; m_issuerStore = new DirectoryCertificateStore(); m_issuerStore.Open(m_pkiRoot + "issuer"); m_trustedStore = new DirectoryCertificateStore(); m_trustedStore.Open(m_pkiRoot + "trusted"); // good applications test set var appTestDataGenerator = new ApplicationTestDataGenerator(1); m_goodApplicationTestSet = appTestDataGenerator.ApplicationTestSet(kGoodApplicationsTestCount); // create all certs and CRL m_caChain = new X509Certificate2[kCaChainCount]; m_caDupeChain = new X509Certificate2[kCaChainCount]; m_crlChain = new X509CRL[kCaChainCount]; m_crlDupeChain = new X509CRL[kCaChainCount]; m_crlRevokedChain = new X509CRL[kCaChainCount]; m_appCerts = new X509Certificate2Collection(); m_appSelfSignedCerts = new X509Certificate2Collection(); DateTime rootCABaseTime = DateTime.UtcNow; rootCABaseTime = new DateTime(rootCABaseTime.Year - 1, 1, 1); var rootCert = CertificateFactory.CreateCertificate(RootCASubject) .SetNotBefore(rootCABaseTime) .SetLifeTime(25 * 12) .SetCAConstraint() .SetHashAlgorithm(CertificateFactory.GetRSAHashAlgorithmName(hashSize)) .SetRSAKeySize(keySize) .CreateForRSA(); m_caChain[0] = rootCert; m_crlChain[0] = CertificateFactory.RevokeCertificate(rootCert, null, null); // to save time, the dupe chain uses just the default key size/hash m_caDupeChain[0] = CertificateFactory.CreateCertificate(RootCASubject) .SetNotBefore(rootCABaseTime) .SetLifeTime(25 * 12) .SetCAConstraint() .CreateForRSA(); m_crlDupeChain[0] = CertificateFactory.RevokeCertificate(m_caDupeChain[0], null, null); m_crlRevokedChain[0] = null; var signingCert = rootCert; DateTime subCABaseTime = DateTime.UtcNow; subCABaseTime = new DateTime(subCABaseTime.Year, subCABaseTime.Month, subCABaseTime.Day, 0, 0, 0, DateTimeKind.Utc); for (int i = 1; i < kCaChainCount; i++) { if (keySize > 2048) { keySize -= 1024; } if (hashSize > 256) { hashSize -= 128; } var subject = $"CN=Sub CA {i} Test Cert"; var subCACert = CertificateFactory.CreateCertificate(subject) .SetNotBefore(subCABaseTime) .SetLifeTime(5 * 12) .SetHashAlgorithm(CertificateFactory.GetRSAHashAlgorithmName(hashSize)) .SetCAConstraint(kCaChainCount - 1 - i) .SetIssuer(signingCert) .SetRSAKeySize(keySize) .CreateForRSA(); m_caChain[i] = subCACert; m_crlChain[i] = CertificateFactory.RevokeCertificate(subCACert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10)); var subCADupeCert = CertificateFactory.CreateCertificate(subject) .SetNotBefore(subCABaseTime) .SetLifeTime(5 * 12) .SetCAConstraint(kCaChainCount - 1 - i) .SetIssuer(signingCert) .CreateForRSA(); m_caDupeChain[i] = subCADupeCert; m_crlDupeChain[i] = CertificateFactory.RevokeCertificate(subCADupeCert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10)); m_crlRevokedChain[i] = null; signingCert = subCACert; } // create a CRL with a revoked Sub CA for (int i = 0; i < kCaChainCount - 1; i++) { m_crlRevokedChain[i] = CertificateFactory.RevokeCertificate( m_caChain[i], new List <X509CRL>() { m_crlChain[i] }, new X509Certificate2Collection { m_caChain[i + 1] }); } // create self signed app certs foreach (var app in m_goodApplicationTestSet) { var subject = app.Subject; var appCert = CertificateFactory.CreateCertificate( app.ApplicationUri, app.ApplicationName, subject, app.DomainNames) .CreateForRSA(); m_appSelfSignedCerts.Add(appCert); } // create signed app certs foreach (var app in m_goodApplicationTestSet) { var subject = app.Subject; var appCert = CertificateFactory.CreateCertificate( app.ApplicationUri, app.ApplicationName, subject, app.DomainNames) .SetIssuer(signingCert) .CreateForRSA(); app.Certificate = appCert.RawData; m_appCerts.Add(appCert); } // create a CRL with all apps revoked m_crlRevokedChain[kCaChainCount - 1] = CertificateFactory.RevokeCertificate( m_caChain[kCaChainCount - 1], new List <X509CRL>() { m_crlChain[kCaChainCount - 1] }, m_appCerts); }