public void CreateCACertForRSA(
KeyHashPair keyHashPair
)
{
// create a CA cert
var cert = CertificateBuilder.Create(Subject)
.SetCAConstraint(-1)
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl"))
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, "Default cert with RSA {keyHashPair.KeySize} {keyHashPair.HashAlgorithmName} and CRL distribution points");
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.False(basicConstraintsExtension.HasPathLengthConstraint);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
CheckPEMWriter(cert);
}
public void VerifyOneSelfSignedAppCertForAll()
{
var builder = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }));
byte[] previousSerialNumber = null;
foreach (var eCCurveHash in ECCurveHashPairs)
{
if (!eCCurveHash.Curve.IsNamed)
{
continue;
}
using (var cert = builder
.SetHashAlgorithm(eCCurveHash.HashAlgorithmName)
.SetECCurve(eCCurveHash.Curve)
.CreateForECDsa())
{
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert with ECDsa {eCCurveHash.Curve.Oid.FriendlyName} {eCCurveHash.HashAlgorithmName} signature.");
Assert.AreEqual(eCCurveHash.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
// ensure serial numbers are different
Assert.AreNotEqual(previousSerialNumber, cert.GetSerialNumber());
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
}
}
public void CreateIssuerRSAWithSuppliedKeyPair()
{
X509Certificate2 issuer = null;
using (RSA rsaKeyPair = RSA.Create())
{
// create cert with supplied keys
var generator = X509SignatureGenerator.CreateForRSA(rsaKeyPair, RSASignaturePadding.Pkcs1);
using (var cert = CertificateBuilder.Create("CN=Root Cert")
.SetCAConstraint(-1)
.SetRSAPublicKey(rsaKeyPair)
.CreateForRSA(generator))
{
Assert.NotNull(cert);
issuer = new X509Certificate2(cert.RawData);
WriteCertificate(cert, "Default root cert with supplied RSA cert");
CheckPEMWriter(cert);
}
// now sign a cert with supplied private key
using (var appCert = CertificateBuilder.Create("CN=App Cert")
.SetIssuer(issuer)
.CreateForRSA(generator))
{
Assert.NotNull(appCert);
WriteCertificate(appCert, "Signed RSA app cert");
CheckPEMWriter(appCert);
}
}
}
private void MainForm_Load(object sender, EventArgs e)
{
Log.Form = this;
var rootCertificate = new X509Certificate2(@"C:\projects\PassiveX\PassiveX\Resources\ca.pfx", "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
CertificateBuilder.Initialize(rootCertificate);
CertificateBuilder.Install();
GlobalKeyboardHook.Install();
Task.Run(() =>
{
var runners = new[]
{
new ServiceRunner <ASTxHandler>().Run(),
new ServiceRunner <AnySignHandler>().Run(),
new ServiceRunner <VeraportHandler>().Run(),
new ServiceRunner <NProtectHandler>().Run(),
new ServiceRunner <KDefenseHandler>().Run(),
new ServiceRunner <CrossWebHandler>().Run(),
new ServiceRunner <MagicLineHandler>().Run(),
new ServiceRunner <TouchEnNxHandler>().Run(),
};
Task.WaitAll(runners);
});
}
public void CreateForRSAWithGeneratorTest(
KeyHashPair keyHashPair
)
{
// default signing cert with custom key
X509Certificate2 signingCert = CertificateBuilder.Create(Subject)
.SetCAConstraint()
.SetHashAlgorithm(HashAlgorithmName.SHA512)
.SetRSAKeySize(2048)
.CreateForRSA();
WriteCertificate(signingCert, $"Signing RSA {signingCert.GetRSAPublicKey().KeySize} cert");
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetIssuer(new X509Certificate2(signingCert.RawData))
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, $"Default signed RSA cert");
}
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
using (RSA rsaPublicKey = signingCert.GetRSAPublicKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetRSAPublicKey(rsaPublicKey)
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, $"Default signed RSA cert with Public Key");
}
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, $"Default signed RSA cert");
}
// ensure invalid path throws argument exception
Assert.Throws <NotSupportedException>(() => {
using (RSA rsaPrivateKey = signingCert.GetRSAPrivateKey())
{
var generator = X509SignatureGenerator.CreateForRSA(rsaPrivateKey, RSASignaturePadding.Pkcs1);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA(generator);
}
});
}
public void CreateECDsaDefaultWithSerialTest()
{
var eccurve = ECCurve.NamedCurves.nistP256;
// default cert
Assert.Throws <ArgumentOutOfRangeException>(
() => {
CertificateBuilder.Create(Subject)
.SetSerialNumberLength(0)
.SetECCurve(eccurve)
.CreateForECDsa();
}
);
Assert.Throws <ArgumentOutOfRangeException>(
() => {
CertificateBuilder.Create(Subject)
.SetSerialNumberLength(X509Defaults.SerialNumberLengthMax + 1)
.SetECCurve(eccurve)
.CreateForECDsa();
}
);
var builder = CertificateBuilder.Create(Subject)
.SetSerialNumberLength(X509Defaults.SerialNumberLengthMax)
.SetECCurve(eccurve);
// ensure every cert has a different serial number
var cert1 = builder.CreateForECDsa();
var cert2 = builder.CreateForECDsa();
WriteCertificate(cert1, "Cert1 with max length serial number");
WriteCertificate(cert2, "Cert2 with max length serial number");
Assert.GreaterOrEqual(X509Defaults.SerialNumberLengthMax, cert1.GetSerialNumber().Length);
Assert.GreaterOrEqual(X509Defaults.SerialNumberLengthMax, cert2.GetSerialNumber().Length);
Assert.AreNotEqual(cert1.SerialNumber, cert2.SerialNumber);
}
public void CreateSelfSignedForRSADefaultTest()
{
// default cert
X509Certificate2 cert = CertificateBuilder.Create(Subject).CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, "Default RSA cert");
using (var privateKey = cert.GetRSAPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetRSAPublicKey())
{
Assert.NotNull(publicKey);
Assert.AreEqual(X509Defaults.RSAKeySize, publicKey.KeySize);
publicKey.ExportParameters(false);
}
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore);
Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime());
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
}
public JsonResult Deploy(string azure, string data)
{
string dt = null;
try
{
dynamic json = (new JsonReader()).Read(data);
dynamic az = (new JsonReader()).Read(azure);
var app = OdpiAppRepo.Apps.Where(a => a.Name == json.name).FirstOrDefault();
var cfgName = CloudBackedStore.RootDir + "\\" + az.key + "\\Temp\\" + app.Name + "\\" + "ServiceConfiguration.cscfg";
dt = AzureManagement.Deploy(az.subscriptionId, az.service, CertificateBuilder.GetPrivateKey(az.key), az.file, cfgName);
}
catch (Exception ex)
{
return(Json(new DeployStatusModel()
{
Status = DeployStatusModelStatus.Error,
Stage = ODPI.Resources.Controllers.DeployResource.Error,
LogMessage = ex.Message,
StackTrace = ex.StackTrace
}));
}
var ret = new DeployStatusModel()
{
Status = DeployStatusModelStatus.Ok,
Stage = ODPI.Resources.Controllers.DeployResource.DeployingApplication,
LogMessage = ODPI.Resources.Controllers.DeployResource.BeginningToUploadTheApplication,
Data = dt
};
return(Json(ret));
}
public void CreateIssuerRSACngWithSuppliedKeyPair()
{
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Assert.Ignore("Cng provider only available on windows");
}
X509Certificate2 issuer = null;
CngKey cngKey = CngKey.Create(CngAlgorithm.Rsa);
using (RSA rsaKeyPair = new RSACng(cngKey))
{
// create cert with supplied keys
var generator = X509SignatureGenerator.CreateForRSA(rsaKeyPair, RSASignaturePadding.Pkcs1);
using (var cert = CertificateBuilder.Create("CN=Root Cert")
.SetCAConstraint(-1)
.SetRSAPublicKey(rsaKeyPair)
.CreateForRSA(generator))
{
Assert.NotNull(cert);
issuer = new X509Certificate2(cert.RawData);
WriteCertificate(cert, "Default root cert with supplied RSA cert");
}
// now sign a cert with supplied private key
using (var appCert = CertificateBuilder.Create("CN=App Cert")
.SetIssuer(issuer)
.CreateForRSA(generator))
{
Assert.NotNull(appCert);
WriteCertificate(appCert, "Signed RSA app cert");
}
}
}
public void CreateSelfSignedForRSAAllFields(
KeyHashPair keyHashPair
)
{
// set dates and extension
var applicationUri = "urn:opcfoundation.org:mypc";
var domains = new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" };
var cert = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension(applicationUri, domains))
.SetHashAlgorithm(keyHashPair.HashAlgorithmName)
.SetRSAKeySize(keyHashPair.KeySize)
.CreateForRSA();
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert RSA {keyHashPair.KeySize} with modified lifetime and alt name extension");
Assert.AreEqual(Subject, cert.Subject);
Assert.AreEqual(keyHashPair.KeySize, cert.GetRSAPublicKey().KeySize);
Assert.AreEqual(keyHashPair.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
X509Utils.VerifyRSAKeyPair(cert, cert);
X509Utils.VerifySelfSigned(cert);
}
public void CreateForECDsaWithGeneratorTest(
ECCurveHashPair ecCurveHashPair
)
{
// default signing cert with custom key
X509Certificate2 signingCert = CertificateBuilder.Create(Subject)
.SetCAConstraint()
.SetHashAlgorithm(HashAlgorithmName.SHA512)
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa();
WriteCertificate(signingCert, $"Signing ECDsa {signingCert.GetECDsaPublicKey().KeySize} cert");
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetIssuer(new X509Certificate2(signingCert.RawData))
.CreateForRSA(generator);
Assert.NotNull(cert);
WriteCertificate(cert, "Default signed ECDsa cert");
}
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
using (ECDsa ecdsaPublicKey = signingCert.GetECDsaPublicKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetECDsaPublicKey(ecdsaPublicKey)
.CreateForECDsa(generator);
Assert.NotNull(cert);
WriteCertificate(cert, "Default signed ECDsa cert with Public Key");
}
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetIssuer(new X509Certificate2(signingCert.RawData))
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa(generator);
Assert.NotNull(cert);
WriteCertificate(cert, "Default signed RSA cert");
}
// ensure invalid path throws argument exception
Assert.Throws <NotSupportedException>(() => {
using (ECDsa ecdsaPrivateKey = signingCert.GetECDsaPrivateKey())
{
var generator = X509SignatureGenerator.CreateForECDsa(ecdsaPrivateKey);
var cert = CertificateBuilder.Create("CN=App Cert")
.SetHashAlgorithm(ecCurveHashPair.HashAlgorithmName)
.SetECCurve(ecCurveHashPair.Curve)
.CreateForECDsa(generator);
}
});
}
/// <summary>
/// Create a X509Certificate2 with a private key by combining
/// the new certificate with a private key from an existing certificate
/// </summary>
public static X509Certificate2 CreateCertificateWithPrivateKey(
X509Certificate2 certificate,
X509Certificate2 certificateWithPrivateKey)
{
if (!certificateWithPrivateKey.HasPrivateKey)
{
throw new NotSupportedException("Need a certificate with a private key.");
}
if (!X509Utils.VerifyRSAKeyPair(certificate, certificateWithPrivateKey))
{
throw new NotSupportedException("The public and the private key pair doesn't match.");
}
string passcode = Guid.NewGuid().ToString();
RSA rsaPrivateKey = null;
try
{
rsaPrivateKey = certificateWithPrivateKey.GetRSAPrivateKey();
byte[] pfxData = CertificateBuilder.CreatePfxWithRSAPrivateKey(
certificate, certificate.FriendlyName, rsaPrivateKey, passcode);
return(X509Utils.CreateCertificateFromPKCS12(pfxData, passcode));
}
finally
{
RsaUtils.RSADispose(rsaPrivateKey);
}
}
public async Task UnboundCertificateCommitAndRefreshWorks()
{
using (BatchClient batchClient = ClientUnitTestCommon.CreateDummyClient())
{
string pfxFilePath = TestCommon.GetTemporaryCertificateFilePath("unboundcertificateunittest.pfx");
try
{
CertificateBuilder.CreateSelfSignedInFile("test", pfxFilePath, CommonResources.CertificatePassword);
const string expectedThumbprint = "ABC";
var protoCertificate = new Protocol.Models.Certificate(thumbprint: expectedThumbprint);
Certificate certificate = batchClient.CertificateOperations.CreateCertificate(
pfxFilePath,
CommonResources.CertificatePassword);
Assert.NotNull(certificate.ThumbprintAlgorithm);
await certificate.CommitAsync(additionalBehaviors : InterceptorFactory.CreateAddCertificateRequestInterceptor());
await certificate.RefreshAsync(additionalBehaviors : InterceptorFactory.CreateGetCertificateRequestInterceptor(protoCertificate));
Assert.Equal(expectedThumbprint, certificate.Thumbprint);
Assert.Null(certificate.ThumbprintAlgorithm);
}
finally
{
File.Delete(pfxFilePath);
}
}
}
public void CreateSelfSignedForECDsaTests(ECCurve eccurve)
{
// default cert
X509Certificate2 cert = CertificateBuilder.Create(Subject).SetECCurve(eccurve).CreateForECDsa();
WriteCertificate(cert, "Default ECDsa cert");
// set dates
cert = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }))
.SetECCurve(eccurve)
.CreateForECDsa();
WriteCertificate(cert, "Default cert with modified lifetime and alt name extension");
// set hash alg
cert = CertificateBuilder.Create(Subject)
.SetHashAlgorithm(HashAlgorithmName.SHA512)
.SetECCurve(eccurve)
.CreateForECDsa();
WriteCertificate(cert, "Default cert with SHA512 signature.");
// set CA constraints
cert = CertificateBuilder.Create(Subject)
.SetCAConstraint(-1)
.AddExtension(X509Extensions.BuildX509CRLDistributionPoints("http://myca/mycert.crl"))
.SetECCurve(eccurve)
.CreateForECDsa();
WriteCertificate(cert, "Default cert with CA constraints None and CRL distribution points");
}
public void CreateSelfSignedForECDsaDefaultTest(ECCurveHashPair eccurveHashPair)
{
// default cert
X509Certificate2 cert = CertificateBuilder.Create(Subject)
.SetECCurve(eccurveHashPair.Curve)
.CreateForECDsa();
Assert.NotNull(cert);
WriteCertificate(cert, "Default ECDsa cert");
using (var privateKey = cert.GetECDsaPrivateKey())
{
Assert.NotNull(privateKey);
privateKey.ExportParameters(false);
privateKey.ExportParameters(true);
}
using (var publicKey = cert.GetECDsaPublicKey())
{
Assert.NotNull(publicKey);
publicKey.ExportParameters(false);
}
Assert.AreEqual(X509Defaults.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
Assert.GreaterOrEqual(DateTime.UtcNow, cert.NotBefore);
Assert.GreaterOrEqual(DateTime.UtcNow.AddMonths(X509Defaults.LifeTime), cert.NotAfter.ToUniversalTime());
var basicConstraintsExtension = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert.Extensions);
Assert.NotNull(basicConstraintsExtension);
Assert.True(basicConstraintsExtension.CertificateAuthority);
Assert.AreEqual(0, basicConstraintsExtension.PathLengthConstraint);
var keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert.Extensions);
Assert.NotNull(keyUsage);
X509PfxUtils.VerifyECDsaKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert), "Verify self signed.");
}
public void VerifyOneSelfSignedAppCertForAll()
{
var builder = CertificateBuilder.Create(Subject)
.SetNotBefore(DateTime.Today.AddYears(-1))
.SetNotAfter(DateTime.Today.AddYears(25))
.AddExtension(new X509SubjectAltNameExtension("urn:opcfoundation.org:mypc", new string[] { "mypc", "mypc.opcfoundation.org", "192.168.1.100" }));
byte[] previousSerialNumber = null;
foreach (var keyHash in KeyHashPairs)
{
using (var cert = builder
.SetHashAlgorithm(keyHash.HashAlgorithmName)
.SetRSAKeySize(keyHash.KeySize)
.CreateForRSA())
{
Assert.NotNull(cert);
WriteCertificate(cert, $"Default cert with RSA {keyHash.KeySize} {keyHash.HashAlgorithmName} signature.");
Assert.AreEqual(keyHash.HashAlgorithmName, Oids.GetHashAlgorithmName(cert.SignatureAlgorithm.Value));
// ensure serial numbers are different
Assert.AreNotEqual(previousSerialNumber, cert.GetSerialNumber());
X509PfxUtils.VerifyRSAKeyPair(cert, cert, true);
Assert.True(X509Utils.VerifySelfSigned(cert));
Assert.AreEqual(cert.SubjectName.Name, cert.IssuerName.Name);
Assert.AreEqual(cert.SubjectName.RawData, cert.IssuerName.RawData);
CheckPEMWriter(cert);
}
}
}
public void TestCreatePfxFileFromRawData()
{
string filePath = TestCommon.GetTemporaryCertificateFilePath(string.Format("{0}.pfx", CertificateFilePrefix));
CertificateBuilder.CreateSelfSignedInFile("Foo", filePath, CommonResources.CertificatePassword);
TestCertificateFromRawData(filePath, CommonResources.CertificatePassword);
}
public void TestCreateCerFileFromRawData()
{
string filePath = IntegrationTestCommon.GetTemporaryCertificateFilePath(string.Format("{0}.cer", CertificateFilePrefix));
CertificateBuilder.CreateSelfSignedInFile("Foo", filePath, CertificateBuilder.Sha1Algorithm);
TestCertificateFromRawData(filePath, CertificateBuilder.Sha1Algorithm);
}
public void TestCreateSha256Pfx()
{
string filePath = IntegrationTestCommon.GetTemporaryCertificateFilePath(string.Format("{0}.pfx", CertificateFilePrefix));
CertificateBuilder.CreateSelfSignedInFile("Foo", filePath, CertificateBuilder.Sha256Algorithm, password: CommonResources.CertificatePassword);
TestCertificateFromRawData(filePath, CertificateBuilder.Sha256Algorithm, CommonResources.CertificatePassword);
}
/// <summary>
/// Creates a certificate signing request from an existing certificate.
/// </summary>
public static byte[] CreateSigningRequest(
X509Certificate2 certificate,
IList <String> domainNames = null
)
{
return(CertificateBuilder.CreateSigningRequest(
certificate,
domainNames));
}
private int RunInternal(string subjectName, string issuerName)
{
// Builder path for normal certificate.
var storeCertificate = LoadCACertificate(Options.IssuerName);
var builder = new CertificateBuilder(Options.KeyStrength, Options.SignatureAlgorithm, Logger);
if (!ValidateIssuer(storeCertificate))
{
Logger.Error("Provided issuer is not a valid CA and therefore cannot issue other certificates.");
throw new CertificateException(
"Provided issuer is not a valid CA and therefore cannot issue other certificates.");
}
var issuingKeyPair = DotNetUtilities.GetKeyPair(storeCertificate.PrivateKey);
string[] dpUrls = Options.DistributionPoints.Count() > 0 ? Options.DistributionPoints.ToArray() : MenuInterupts.GetCrlDistributionPoints();
var bcCertificate = builder
.AddSKID()
.AddSerialNumber()
.AddValidityTime()
.AddExtendedKeyUsages()
.AddSubjectCommonName(Options.CommonName)
.AddIssuerCommonName(Options.IssuerName) // Generate from CA.
.AddBasicConstraints()
.AddAKID(issuingKeyPair.Public)
.AddCRLDistributionPoints(dpUrls)
.Generate(issuingKeyPair.Private, out AsymmetricCipherKeyPair generatedKeyPair);
var convertedCertificate = GetWindowsCertFromGenerated(bcCertificate, Options.CommonName, generatedKeyPair.Private, builder.SecureRandom);
if (Options.Debug)
{
DisplayCertificateDebugInfo(convertedCertificate);
}
X509Chain chain = new X509Chain();
chain.Build(convertedCertificate);
if (!string.IsNullOrEmpty(Options.ExportLocation))
{
File.WriteAllBytes(Path.Combine(Options.ExportLocation, $"{Options.CommonName}.pfx"),
convertedCertificate.Export(X509ContentType.Pkcs12));
}
else
{
// Add CA certificate to Root store
var machineStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
machineStore.Open(OpenFlags.ReadWrite);
machineStore.Add(convertedCertificate);
machineStore.Close();
}
return(SUCCESS);
}
private static async Task CheckDomainsForValidCertificateAsync(ILogger log, CancellationToken cancellationToken,
ExecutionContext executionContext)
{
// internal storage (used for letsencrypt account metadata)
IStorageProvider storageProvider = new AzureBlobStorageProvider(Environment.GetEnvironmentVariable("AzureWebJobsStorage"), "letsencrypt");
IConfigurationProcessor processor = new ConfigurationProcessor();
var configurations = await AutoRenewal.LoadConfigFilesAsync(storageProvider, processor, log, cancellationToken, executionContext);
IAuthenticationService authenticationService = new AuthenticationService(storageProvider);
var az = new AzureHelper();
var tokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
var storageFactory = new StorageFactory(az);
var renewalOptionsParser = new RenewalOptionParser(az, keyVaultClient, storageFactory, log);
var certificateBuilder = new CertificateBuilder();
IRenewalService renewalService = new RenewalService(authenticationService, renewalOptionsParser, certificateBuilder, log);
var errors = new List <Exception>();
var httpClient = new HttpClient();
foreach ((var name, var config) in configurations)
{
using (log.BeginScope($"Checking certificates from {name}"))
{
foreach (var cert in config.Certificates)
{
var hostNames = string.Join(";", cert.HostNames);
try
{
// check each domain to verify HTTPS certificate is valid
var request = WebRequest.CreateHttp($"https://{cert.HostNames.First()}");
request.ServerCertificateValidationCallback += ValidateTestServerCertificate;
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) { }
}
catch (Exception e)
{
log.LogError(e, $"Certificate check failed for: {hostNames}!");
errors.Add(e);
continue;
}
log.LogInformation($"Certificate for {hostNames} looks valid");
}
}
}
if (!configurations.Any())
{
log.LogWarning("No configurations where processed, refere to the sample on how to set up configs!");
}
if (errors.Any())
{
throw new AggregateException("Failed to process all certificates", errors);
}
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes(RouteTable.Routes);
CloudBackedStore.Initialize();
CertificateBuilder.Initialize();
PackageBuilder.Initialize();
}
/// <summary>
/// Build the samples certificate
/// </summary>
public bool Build(Action <string> log)
{
string errorMessage;
log("Creating sample certificate...");
if (!CertificateBuilder.CreateCertificate(this, Console.WriteLine, out thumbprint, out errorMessage))
{
log(errorMessage);
return(false);
}
return(true);
}
public void CreateECDsaManualSerialTest()
{
var eccurve = ECCurve.NamedCurves.nistP256;
// default cert
Assert.Throws <ArgumentOutOfRangeException>(
() => {
CertificateBuilder.Create(Subject)
.SetSerialNumber(Array.Empty <byte>())
.SetECCurve(eccurve)
.CreateForECDsa();
}
);
Assert.Throws <ArgumentOutOfRangeException>(
() => {
CertificateBuilder.Create(Subject)
.SetSerialNumber(new byte[X509Defaults.SerialNumberLengthMax + 1])
.SetECCurve(eccurve)
.CreateForECDsa();
}
);
var serial = new byte[X509Defaults.SerialNumberLengthMax];
for (int i = 0; i < serial.Length; i++)
{
serial[i] = (byte)((i + 1) | 0x80);
}
// test if sign bit is cleared
var builder = CertificateBuilder.Create(Subject)
.SetSerialNumber(serial);
serial[serial.Length - 1] &= 0x7f;
Assert.AreEqual(serial, builder.GetSerialNumber());
var cert1 = builder.SetECCurve(eccurve).CreateForECDsa();
WriteCertificate(cert1, "Cert1 with max length serial number");
TestContext.Out.WriteLine($"Serial: {serial.ToHexString(true)}");
Assert.AreEqual(serial, cert1.GetSerialNumber());
Assert.AreEqual(X509Defaults.SerialNumberLengthMax, cert1.GetSerialNumber().Length);
// clear sign bit
builder.SetSerialNumberLength(X509Defaults.SerialNumberLengthMax);
var cert2 = builder.SetECCurve(eccurve).CreateForECDsa();
WriteCertificate(cert2, "Cert2 with max length serial number");
TestContext.Out.WriteLine($"Serial: {cert2.SerialNumber}");
Assert.GreaterOrEqual(X509Defaults.SerialNumberLengthMax, cert2.GetSerialNumber().Length);
Assert.AreNotEqual(cert1.SerialNumber, cert2.SerialNumber);
}
private static List <Certificate> GenerateCertificates(BatchClient batchClient, string cerFilePath, string pfxFilePath)
{
CertificateBuilder.CreateSelfSignedInFile("Foo", cerFilePath, CertificateBuilder.Sha1Algorithm);
CertificateBuilder.CreateSelfSignedInFile("Foo", pfxFilePath, CertificateBuilder.Sha1Algorithm, password: CommonResources.CertificatePassword);
Certificate cerCertificate = batchClient.CertificateOperations.CreateCertificate(cerFilePath);
Certificate pfxCertificate = batchClient.CertificateOperations.CreateCertificate(pfxFilePath, CommonResources.CertificatePassword);
return(new List <Certificate>
{
cerCertificate,
pfxCertificate
});
}
private X509Certificate2 CreateAddressBoundCertificate(X509Certificate2 issuer, string emailAddress)
{
var domain = issuer.GetNameInfo(X509NameType.DnsName, false);
var builder = new CertificateBuilder(issuer)
{
AuthorityInformationAccessUri = new Uri($"http://{domain}/pki/{domain}.cer"),
CrlDistributionPointUri = new Uri($"http://{domain}/pki/{domain}.crl"),
SubjectDN = new X509Name($"CN={emailAddress}")
};
builder.SetSubjectAlternativeNameToEmail(emailAddress);
builder.Policies.Add(DirectTrustCertificatePolicies.DTorgCPVersions);
return(builder.Generate());
}
/// <summary>
/// Create a certificate for an OPC UA application.
/// </summary>
/// <param name="applicationUri">The application Uri</param>
/// <param name="applicationName">The friendly name of the application</param>
/// <param name="subjectName">The subject of the certificate</param>
/// <param name="domainNames">The domain names for the alt name extension</param>
/// <returns>
/// Return the Certificate builder with X509 Subject Alt Name extension
/// to create the certificate.
/// </returns>
public static ICertificateBuilder CreateCertificate(
string applicationUri,
string applicationName,
string subjectName,
IList <string> domainNames)
{
SetSuitableDefaults(
ref applicationUri,
ref applicationName,
ref subjectName,
ref domainNames);
return(CertificateBuilder.Create(subjectName)
.AddExtension(new X509SubjectAltNameExtension(applicationUri, domainNames)));
}
// Use for Coyote.
/*********************************/
public async Task GetAndUpdateAtTheSameTime()
{
_context.Certificates.AddRange(CertificateBuilder.GetDefaultValues());
_context.SaveChanges();
_context.ChangeTracker.Clear();
var certificate = await _context.Certificates.AsNoTracking().FirstOrDefaultAsync();
// This code throws an DbUpdateConcurrencyException,
// so we add a check (try-catch) to the "Edit" methods of the controllers.
var deleteResult = _repository.DeleteAsync(certificate);
var updateResult = _repository.UpdateAsync(certificate);
await Task.WhenAll(deleteResult, updateResult);
}
private X509Certificate2 CreateCertificateAuthority(string domain)
{
if (_rootCA == null)
{
var builder = new CertificateBuilder(1)
{
SubjectDN = new X509Name($"CN={domain}")
};
builder.SetSubjectAlternativeNameToDomain(domain);
builder.Policies.Add(DirectTrustCertificatePolicies.DTorgCPVersions);
_rootCA = builder.Generate();
}
return(_rootCA);
}
