public void LoadCertificateWithPublicKey()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(RsaPemPrivateKey.AsSpan(), s_rsaCertificateBytes, keyType: PemReader.KeyType.RSA);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.PrivateKey.KeySize);
}
public void LoadCertificateAutomatically()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(RsaPem.AsSpan());
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.PrivateKey.KeySize);
}
public void LoadCertificateWithPublicKey()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(PEMPrivateKey.AsSpan(), CertificateBytes);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.PrivateKey.KeySize);
}
public void LoadCertificatePemOverridesCer()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(RsaPem.AsSpan(), Encoding.UTF8.GetBytes("This is not a certificate"), keyType: PemReader.KeyType.RSA);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.PrivateKey.KeySize);
}
private async ValueTask <X509Certificate2> LoadCertificateFromPemFileAsync(bool async, string clientCertificatePath, CancellationToken cancellationToken)
{
if (!(Certificate is null))
{
return(Certificate);
}
string certficateText;
try
{
if (!async)
{
certficateText = File.ReadAllText(clientCertificatePath);
}
else
{
cancellationToken.ThrowIfCancellationRequested();
using (StreamReader sr = new StreamReader(clientCertificatePath))
{
certficateText = await sr.ReadToEndAsync().ConfigureAwait(false);
}
}
Certificate = PemReader.LoadCertificate(certficateText.AsSpan(), keyType: PemReader.KeyType.RSA);
return(Certificate);
}
catch (Exception e) when(!(e is OperationCanceledException))
{
throw new CredentialUnavailableException("Could not load certificate file", e);
}
}
public void LoadCertificate()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(RsaPem.AsSpan(), keyType: PemReader.KeyType.RSA);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.GetRSAPrivateKey().KeySize);
}
public void LoadCertificateReversed()
{
string pem = PEMPublicKey + "\n" + PEMPrivateKey;
using X509Certificate2 certificate = PemReader.LoadCertificate(pem.AsSpan());
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.PrivateKey.KeySize);
}
public void LoadCertificateReversed()
{
string pem = RsaPemCertificate + "\n" + RsaPemPrivateKey;
using X509Certificate2 certificate = PemReader.LoadCertificate(pem.AsSpan(), keyType: PemReader.KeyType.RSA);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
Assert.AreEqual(2048, certificate.PrivateKey.KeySize);
}
public void LoadCertificateAutomatically()
{
#if NET461
Assert.Ignore("Loading X509Certificate2 with private EC key not supported on this platform");
#endif
using X509Certificate2 certificate = PemReader.LoadCertificate(s_ecdsaFullCertificate.AsSpan());
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
}
public void LoadCertificatePemOverridesCer()
{
#if NET461
Assert.Ignore("Loading X509Certificate2 with private EC key not supported on this platform");
#endif
using X509Certificate2 certificate = PemReader.LoadCertificate(s_ecdsaFullCertificate.AsSpan(), cer: Encoding.UTF8.GetBytes("This is not a certificate"), keyType: PemReader.KeyType.ECDsa);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
}
public void LoadCertificateWithPublicKey()
{
#if NET461
Assert.Ignore("Loading X509Certificate2 with private EC key not supported on this platform");
#endif
using X509Certificate2 certificate = PemReader.LoadCertificate(ECDsaPrivateKey.AsSpan(), cer: s_ecdsaCertificateBytes, keyType: PemReader.KeyType.ECDsa);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
}
public void LoadRSACertificate()
{
#if NET461
// Compatible with previous release. Goes through the LightweightPkcs8Decoder.DecodeECDsaPkcs8().
Assert.Throws <InvalidDataException>(() => PemReader.LoadCertificate(RSACertificate.AsSpan(), keyType: PemReader.KeyType.ECDsa));
#else
// Compatible with the previous release. Goes through RSA.ImportPKcs8PrivateKey().
Assert.That(() => PemReader.LoadCertificate(RSACertificate.AsSpan(), keyType: PemReader.KeyType.ECDsa), Throws.InstanceOf <CryptographicException>());
#endif
}
public void LoadECDsaPrime256v1Certificate()
{
#if NET461
Assert.Ignore("Loading X509Certificate2 with private EC key not supported on this platform");
#elif NETCOREAPP2_1
Assert.Ignore("Different OIDs in the certificate and private key prevent this from passing currently");
#endif
using X509Certificate2 certificate = PemReader.LoadCertificate(ECDsaPrime256v1Certificate.AsSpan(), keyType: PemReader.KeyType.ECDsa);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsTrue(certificate.HasPrivateKey);
}
/// <summary>
/// Parses the response from <see cref="GetLedgerIdentity"/> or <see cref="GetLedgerIdentityAsync"/>.
/// </summary>
/// <param name="getIdentityResponse">The response from <see cref="GetLedgerIdentity"/> or <see cref="GetLedgerIdentityAsync"/>.</param>
/// <returns>The <see cref="X509Certificate2"/>.</returns>
public static X509Certificate2 ParseCertificate(Response getIdentityResponse)
{
var eccPem = JsonDocument.Parse(getIdentityResponse.Content)
.RootElement
.GetProperty("ledgerTlsCertificate")
.GetString();
// construct an X509Certificate2 with the ECC PEM value.
var span = new ReadOnlySpan <char>(eccPem.ToCharArray());
return(PemReader.LoadCertificate(span, null, PemReader.KeyType.Auto, true));
}
public void LoadedCertificateNotDisposed()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(RsaPem.AsSpan(), keyType: PemReader.KeyType.RSA);
using RSA publicKey = certificate.GetRSAPublicKey();
using RSA privateKey = certificate.GetRSAPrivateKey();
byte[] plaintext = Encoding.UTF8.GetBytes("test");
byte[] ciphertext = publicKey.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);
byte[] decrypted = privateKey.Decrypt(ciphertext, RSAEncryptionPadding.Pkcs1);
Assert.AreEqual(plaintext, decrypted);
}
internal static HttpPipelineTransportOptions GetIdentityServerTlsCertAndTrust(Uri ledgerUri, ConfidentialLedgerClientOptions options)
{
var identityClient = new ConfidentialLedgerIdentityServiceClient(new Uri("https://identity.accledger.azure.com"), options);
// Get the ledger's TLS certificate for our ledger.
var ledgerId = ledgerUri.Host.Substring(0, ledgerUri.Host.IndexOf('.'));
Response response = identityClient.GetLedgerIdentity(ledgerId, new());
// extract the ECC PEM value from the response.
var eccPem = JsonDocument.Parse(response.Content)
.RootElement
.GetProperty("ledgerTlsCertificate")
.GetString();
// construct an X509Certificate2 with the ECC PEM value.
var span = new ReadOnlySpan <char>(eccPem.ToCharArray());
var ledgerTlsCert = PemReader.LoadCertificate(span, null, PemReader.KeyType.Auto, true);
X509Chain certificateChain = new();
certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
certificateChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
certificateChain.ChainPolicy.VerificationTime = DateTime.Now;
certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
certificateChain.ChainPolicy.ExtraStore.Add(ledgerTlsCert);
// Define a validation function to ensure that the ledger certificate is trusted by the ledger identity TLS certificate.
bool CertValidationCheck(X509Certificate2 cert)
{
bool isChainValid = certificateChain.Build(cert);
if (!isChainValid)
{
return(false);
}
var isCertSignedByTheTlsCert = certificateChain.ChainElements.Cast <X509ChainElement>()
.Any(x => x.Certificate.Thumbprint == ledgerTlsCert.Thumbprint);
return(isCertSignedByTheTlsCert);
}
return(new HttpPipelineTransportOptions {
ServerCertificateCustomValidationCallback = args => CertValidationCheck(args.Certificate)
});
}
public void LoadCertificateWithNoKeys()
{
Exception ex = Assert.Throws <InvalidDataException>(() => PemReader.LoadCertificate(Span <char> .Empty, keyType: PemReader.KeyType.ECDsa));
Assert.AreEqual("The certificate is missing the public key", ex.Message);
}
public void LoadCertificateWithOnlyPublicKeyAllowed()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(ECDsaCertificate.AsSpan(), allowCertificateOnly: true, keyType: PemReader.KeyType.ECDsa);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsFalse(certificate.HasPrivateKey);
}
public void LoadCertificateWithoutPrivateKey()
{
Exception ex = Assert.Throws <InvalidDataException>(() => PemReader.LoadCertificate(ECDsaCertificate.AsSpan(), keyType: PemReader.KeyType.ECDsa));
Assert.AreEqual("The certificate is missing the private key", ex.Message);
}
public void LoadECDsaCertificateAutomatically()
{
// Support for ECDsa certificates are not supported by default. See Azure.Security.KeyVault.Certificates for support.
Assert.Throws <NotSupportedException>(() => PemReader.LoadCertificate(ECDsaCertificate.AsSpan(), keyType: PemReader.KeyType.Auto));
}
public void LoadCertificateWithoutPublicKey()
{
Exception ex = Assert.Throws <InvalidDataException>(() => PemReader.LoadCertificate(PEMPrivateKey.AsSpan()));
Assert.AreEqual("The certificate is missing the public key", ex.Message);
}
public void LoadCertificateWithOnlyPublicKeyAllowed()
{
using X509Certificate2 certificate = PemReader.LoadCertificate(PEMPublicKey.AsSpan(), CertificateBytes, allowCertificateOnly: true);
Assert.AreEqual("CN=Azure SDK", certificate.Subject);
Assert.IsFalse(certificate.HasPrivateKey);
}
