static Uri getOcspUrl(IEnumerable <X509Certificate2> certs)
{
foreach (X509Certificate2 cert in certs)
{
if (cert.Handle.Equals(IntPtr.Zero))
{
continue;
}
X509Extension aiaExtension = cert.Extensions[X509CertExtensions.X509AuthorityInformationAccess];
if (aiaExtension == null)
{
continue;
}
X509AuthorityInformationAccessExtension aia = new X509AuthorityInformationAccessExtension(aiaExtension.RawData, false);
if (aia.OnlineCertificateStatusProtocol == null || aia.OnlineCertificateStatusProtocol.Length == 0)
{
continue;
}
return(new Uri(aia.OnlineCertificateStatusProtocol[0]));
}
return(null);
}
static Uri getOcspUrl(IEnumerable <X509Certificate2> certs)
{
foreach (X509Certificate2 cert in certs)
{
if (cert.Handle.Equals(IntPtr.Zero))
{
continue;
}
X509Extension aiaExtension = cert.Extensions
.Cast <X509Extension>()
.FirstOrDefault(x => x.Oid.Value == "1.3.6.1.5.5.7.1.1");
if (aiaExtension == null)
{
continue;
}
X509AuthorityInformationAccessExtension aia = new X509AuthorityInformationAccessExtension(aiaExtension.RawData, false);
if (aia.OnlineCertificateStatusProtocol == null || aia.OnlineCertificateStatusProtocol.Length == 0)
{
continue;
}
return(new Uri(aia.OnlineCertificateStatusProtocol[0]));
}
return(null);
}
public static void NoProtocolFilter()
{
// While most of the callers of the various EnumerateUri methods will be interested in only the
// http(non-S) values, this test is just a quick sanity check that the built-in methods don't
// apply that filter internally.
using (X509Certificate2 cert = new X509Certificate2(TestFiles.MicrosoftRootCertFile))
{
X509AuthorityInformationAccessExtension aia =
cert.Extensions.OfType <X509AuthorityInformationAccessExtension>().Single();
string[] caIssuersValues =
{
"ldap:///CN=Microsoft%20Corporate%20Root%20Authority,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Corp,DC=Microsoft,DC=Com?cACertificate?base?objectclass=certificationAuthority",
"ldap://corp.microsoft.com/CN=Microsoft%20Corporate%20Root%20Authority,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Corp,DC=Microsoft,DC=Com?cACertificate?base?objectclass=certificationAuthority",
"http://www.microsoft.com/pki/mscorp/mscra1.crt",
};
const string CertificateAuthorityIssuers = "1.3.6.1.5.5.7.48.2";
Assert.Equal(caIssuersValues, aia.EnumerateCAIssuersUris());
Assert.Equal(caIssuersValues, aia.EnumerateUris(CertificateAuthorityIssuers));
Assert.Equal(caIssuersValues, aia.EnumerateUris(new Oid(CertificateAuthorityIssuers)));
}
}
public static void ReadExtensions()
{
using (X509Certificate2 c = new X509Certificate2(TestData.MsCertificate))
{
X509ExtensionCollection exts = c.Extensions;
int count = exts.Count;
Assert.Equal(6, count);
X509Extension[] extensions = new X509Extension[count];
exts.CopyTo(extensions, 0);
extensions = extensions.OrderBy(e => e.Oid.Value).ToArray();
// There are an awful lot of magic-looking values in this large test.
// These values are embedded within the certificate, and the test is
// just verifying the object interpretation. In the event the test data
// (TestData.MsCertificate) is replaced, this whole body will need to be
// redone.
{
// Authority Information Access
X509Extension aia = extensions[0];
Assert.Equal("1.3.6.1.5.5.7.1.1", aia.Oid.Value);
Assert.False(aia.Critical);
byte[] expectedDer = (
"304c304a06082b06010505073002863e687474703a2f2f7777772e6d" +
"6963726f736f66742e636f6d2f706b692f63657274732f4d6963436f" +
"645369675043415f30382d33312d323031302e637274").HexToByteArray();
Assert.Equal(expectedDer, aia.RawData);
X509AuthorityInformationAccessExtension rich = Assert.IsType <X509AuthorityInformationAccessExtension>(aia);
Assert.Empty(rich.EnumerateOcspUris());
Assert.Equal(
new[] { "http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt" },
rich.EnumerateCAIssuersUris());
}
{
// Subject Key Identifier
X509Extension skid = extensions[1];
Assert.Equal("2.5.29.14", skid.Oid.Value);
Assert.False(skid.Critical);
byte[] expected = "04145971a65a334dda980780ff841ebe87f9723241f2".HexToByteArray();
Assert.Equal(expected, skid.RawData);
X509SubjectKeyIdentifierExtension rich = Assert.IsType <X509SubjectKeyIdentifierExtension>(skid);
Assert.Equal("5971A65A334DDA980780FF841EBE87F9723241F2", rich.SubjectKeyIdentifier);
}
{
// Subject Alternative Names
X509Extension sans = extensions[2];
Assert.Equal("2.5.29.17", sans.Oid.Value);
Assert.False(sans.Critical);
byte[] expected = (
"3048a4463044310d300b060355040b13044d4f505231333031060355" +
"0405132a33313539352b34666166306237312d616433372d34616133" +
"2d613637312d373662633035323334346164").HexToByteArray();
Assert.Equal(expected, sans.RawData);
// This SAN only contains an alternate DirectoryName entry, so both the DNSNames and
// IPAddresses enumerations being empty is correct.
X509SubjectAlternativeNameExtension rich = Assert.IsType <X509SubjectAlternativeNameExtension>(sans);
Assert.Equal(Enumerable.Empty <string>(), rich.EnumerateDnsNames());
Assert.Equal(Enumerable.Empty <IPAddress>(), rich.EnumerateIPAddresses());
}
{
// CRL Distribution Points
X509Extension cdps = extensions[3];
Assert.Equal("2.5.29.31", cdps.Oid.Value);
Assert.False(cdps.Critical);
byte[] expected = (
"304d304ba049a0478645687474703a2f2f63726c2e6d6963726f736f" +
"66742e636f6d2f706b692f63726c2f70726f64756374732f4d696343" +
"6f645369675043415f30382d33312d323031302e63726c").HexToByteArray();
Assert.Equal(expected, cdps.RawData);
Assert.IsType <X509Extension>(cdps);
}
{
// Authority Key Identifier
X509Extension akid = extensions[4];
Assert.Equal("2.5.29.35", akid.Oid.Value);
Assert.False(akid.Critical);
byte[] expected = "30168014cb11e8cad2b4165801c9372e331616b94c9a0a1f".HexToByteArray();
Assert.Equal(expected, akid.RawData);
X509AuthorityKeyIdentifierExtension rich =
Assert.IsType <X509AuthorityKeyIdentifierExtension>(akid);
Assert.False(rich.RawIssuer.HasValue, "akid.RawIssuer.HasValue");
Assert.Null(rich.NamedIssuer);
Assert.False(rich.SerialNumber.HasValue, "akid.SerialNumber.HasValue");
Assert.True(rich.KeyIdentifier.HasValue, "akid.KeyIdentifier.HasValue");
Assert.Equal(
"CB11E8CAD2B4165801C9372E331616B94C9A0A1F",
rich.KeyIdentifier.GetValueOrDefault().ByteArrayToHex());
}
{
// Extended Key Usage (X.509/2000 says Extended, Win32/NetFX say Enhanced)
X509Extension eku = extensions[5];
Assert.Equal("2.5.29.37", eku.Oid.Value);
Assert.False(eku.Critical);
byte[] expected = "300a06082b06010505070303".HexToByteArray();
Assert.Equal(expected, eku.RawData);
X509EnhancedKeyUsageExtension rich = Assert.IsType <X509EnhancedKeyUsageExtension>(eku);
OidCollection usages = rich.EnhancedKeyUsages;
Assert.Equal(1, usages.Count);
Oid oid = usages[0];
// Code Signing
Assert.Equal("1.3.6.1.5.5.7.3.3", oid.Value);
}
}
}
