static bool CanKeyDoKeyExchange(X509Certificate2 certificate) { bool canDoKeyExchange = false; X509KeyUsageExtension keyUsageExtension = null; for (int i = 0; i < certificate.Extensions.Count; i++) { keyUsageExtension = certificate.Extensions[i] as X509KeyUsageExtension; if (keyUsageExtension != null) { break; } } // No KeyUsage extension means most usages are permitted including key exchange. // See RFC 5280 section 4.2.1.3 (Key Usage) for details. If the extension is non-critical // then it's non-enforcing and meant as an aid in choosing the best certificate when // there are multiple certificates to choose from. if (keyUsageExtension == null || !keyUsageExtension.Critical) { return(true); } // One of KeyAgreement, KeyEncipherment or DigitalSignature need to be allowed depending on the cipher // being used. See RFC 5246 section 7.4.6 for more details. // Additionally, according to msdn docs for PFXImportCertStore, the key specification is set to AT_KEYEXCHANGE // when the data encipherment usage is set. canDoKeyExchange = (keyUsageExtension.KeyUsages & (X509KeyUsageFlags.KeyAgreement | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.DataEncipherment)) != X509KeyUsageFlags.None; return(canDoKeyExchange); }
public void X509CertificateCreationParametersPropertiesTest() { X500DistinguishedName dn = new X500DistinguishedName("CN=Test"); X509CertificateCreationParameters creationParams = new X509CertificateCreationParameters(dn); creationParams.SubjectName = new X500DistinguishedName("CN=Test2"); Assert.AreEqual(new X500DistinguishedName("CN=Test2").Name, creationParams.SubjectName.Name); creationParams.CertificateCreationOptions = X509CertificateCreationOptions.DoNotLinkKeyInformation | X509CertificateCreationOptions.DoNotSignCertificate; Assert.AreEqual(X509CertificateCreationOptions.DoNotLinkKeyInformation | X509CertificateCreationOptions.DoNotSignCertificate, creationParams.CertificateCreationOptions); DateTime newStart = new DateTime(2006, 08, 12); creationParams.StartTime = newStart; Assert.AreEqual(newStart, creationParams.StartTime); DateTime newEnd = new DateTime(2008, 09, 15); creationParams.EndTime = newEnd; Assert.AreEqual(newEnd, creationParams.EndTime); creationParams.SignatureAlgorithm = X509CertificateSignatureAlgorithm.RsaSha256; Assert.AreEqual(X509CertificateSignatureAlgorithm.RsaSha256, creationParams.SignatureAlgorithm); X509KeyUsageExtension keyUsage = new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement, true); creationParams.Extensions.Add(keyUsage); Assert.AreEqual(1, creationParams.Extensions.Count); Assert.IsInstanceOfType(creationParams.Extensions[0], typeof(X509KeyUsageExtension)); Assert.AreEqual(X509KeyUsageFlags.KeyAgreement, ((X509KeyUsageExtension)creationParams.Extensions[0]).KeyUsages); }
public void WrongAsnEncodedData() { AsnEncodedData aed = new AsnEncodedData(new byte[0]); X509KeyUsageExtension ku = new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign, true); ku.CopyFrom(aed); // note: not the same behaviour than using the constructor! }
public static void ReadInvalidExtension_KeyUsage() { X509KeyUsageExtension keyUsageExtension = new X509KeyUsageExtension(new AsnEncodedData(Array.Empty <byte>()), false); Assert.ThrowsAny <CryptographicException>(() => keyUsageExtension.KeyUsages); }
private static void PrintCert(PlatformLogLevel logLevel, X509Certificate2 cert, X509ChainStatus[] chainElementStatus, string chainElementInformation) { if (cert == null) { return; } StringBuilder stringBuilder = new StringBuilder(); stringBuilder.Append(string.Format("Issuer name: {0}\n", cert.Issuer ?? string.Empty)); stringBuilder.Append(string.Format("Subject: {0}\n", cert.Subject ?? string.Empty)); stringBuilder.Append(string.Format("Serial: {0}\n", cert.SerialNumber ?? string.Empty)); stringBuilder.Append(string.Format("Certificate valid until: {0}\n", cert.NotAfter)); stringBuilder.Append(string.Format("Error status length: {0}\n", (chainElementStatus == null) ? 0 : chainElementStatus.Length)); stringBuilder.Append(string.Format("Chain Information: {0}\n", chainElementInformation ?? string.Empty)); X509KeyUsageExtension x509KeyUsageExtension = (cert.Extensions == null) ? null : (cert.Extensions["2.5.29.15"] as X509KeyUsageExtension); if (x509KeyUsageExtension != null) { stringBuilder.Append(string.Format("Key Usage Extension flags={0:X}\n", x509KeyUsageExtension.KeyUsages)); } if (chainElementStatus != null) { for (int i = 0; i < chainElementStatus.Length; i++) { X509ChainStatus x509ChainStatus = chainElementStatus[i]; stringBuilder.Append(string.Format("Error status={0}, info={1}", x509ChainStatus.Status, x509ChainStatus.StatusInformation ?? string.Empty)); } } Services.Logging.LogMessage(logLevel, stringBuilder.ToString()); }
private static unsafe int VerifyCertificate(X509Certificate2 certificate, X509Certificate2Collection extraStore) { int num; int num2 = System.Security.Cryptography.X509Certificates.X509Utils.VerifyCertificate(System.Security.Cryptography.X509Certificates.X509Utils.GetCertContext(certificate), null, null, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot, DateTime.Now, new TimeSpan(0, 0, 0), extraStore, new IntPtr(1L), new IntPtr((void *)&num)); if (num2 != 0) { return(num); } X509ExtensionEnumerator enumerator = certificate.Extensions.GetEnumerator(); while (enumerator.MoveNext()) { X509Extension current = enumerator.Current; if (string.Compare(current.Oid.Value, "2.5.29.15", StringComparison.OrdinalIgnoreCase) == 0) { X509KeyUsageExtension extension2 = new X509KeyUsageExtension(); extension2.CopyFrom(current); if (((extension2.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.None) && ((extension2.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.None)) { return(-2146762480); } } } return(num2); }
public void WrongExtension_X509KeyUsageExtension() { X509KeyUsageExtension ku = new X509KeyUsageExtension(); X509SubjectKeyIdentifierExtension ski = new X509SubjectKeyIdentifierExtension(); ski.CopyFrom(ku); }
public void Certificate_CSR_TA_SelfSigned() { X500DistinguishedName dn = new X500DistinguishedName("CN=Secondary Trust Anchor,O=TNT,C=US"); AsymmetricCipherKeyPair keyPair = Certificate.CreateRSAKeyPair(); Extensions extensions = new Extensions(); extensions.Add(new TNT.Cryptography.Extension.KeyUsage(KeyUsage.CrlSign | KeyUsage.KeyCertSign | KeyUsage.DigitalSignature)); extensions.Add(new TNT.Cryptography.Extension.AuthorityKeyIdentifier(keyPair.Public)); extensions.Add(new TNT.Cryptography.Extension.SubjectKeyIdentifier(keyPair.Public)); extensions.Add(new TNT.Cryptography.Extension.BasicConstraints(new BasicConstraints(0))); List <Uri> uris = new List <Uri>(new Uri[] { new Uri("http://domain1.com"), new Uri("http://domain2.com") }); extensions.Add(new TNT.Cryptography.Extension.CrlDistributionPoints(uris)); Pkcs10CertificationRequest csr = Certificate.CreateCertificationRequest(dn.Name, keyPair, extensions); X509Certificate2 cert = Certificate.CreateCertificate(csr, keyPair, m_EffectiveDate, m_ExpirationDate, null); X509KeyUsageExtension keyUsageEx = cert.Extensions[0] as X509KeyUsageExtension; X509BasicConstraintsExtension basicConstraintEx = cert.Extensions[3] as X509BasicConstraintsExtension; System.Security.Cryptography.X509Certificates.X509Extension aki = cert.Extensions[1]; System.Security.Cryptography.X509Certificates.X509Extension ski = cert.Extensions[2]; Assert.AreEqual(X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.DigitalSignature, keyUsageEx.KeyUsages); Assert.IsTrue(basicConstraintEx.CertificateAuthority); Assert.AreEqual("C=US, O=TNT, CN=Secondary Trust Anchor", cert.Subject); Assert.AreEqual(cert.Subject, cert.Issuer); var skiCount = ski.Format(false).Length; Assert.AreEqual(ski.Format(false), aki.Format(false).Substring(6, skiCount)); File.WriteAllBytes("CSR_TA_SS.cer", cert.Export(X509ContentType.Cert)); File.WriteAllBytes("CSR_TA_SS.pfx", cert.Export(X509ContentType.Pfx, "P")); }
public void WrongExtension_X509EnhancedKeyUsageExtension() { X509EnhancedKeyUsageExtension eku = new X509EnhancedKeyUsageExtension(); X509KeyUsageExtension ku = new X509KeyUsageExtension(); ku.CopyFrom(eku); }
public static void VerifyWriteNamedBitList_KeyUsage_OneByte(AsnEncodingRules ruleSet) { // KeyUsage ::= BIT STRING { // digitalSignature (0), // nonRepudiation (1), // keyEncipherment (2), // dataEncipherment (3), // keyAgreement (4), // keyCertSign (5), // cRLSign (6), // encipherOnly (7), // decipherOnly (8) } X509KeyUsageExtension kuExt = new X509KeyUsageExtension( X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, critical: false); BitArray array = new BitArray(7); array.Set(6, true); array.Set(5, true); AsnWriter writer = new AsnWriter(ruleSet); writer.WriteNamedBitList(array); Verify(writer, kuExt.RawData.ByteArrayToHex()); }
public void WrongExtension_X509KeyUsageExtension() { X509KeyUsageExtension ku = new X509KeyUsageExtension(); X509BasicConstraintsExtension bc = new X509BasicConstraintsExtension(); bc.CopyFrom(ku); }
static X509Certificate2 GenerateCertificate(DateTime?notBefore = null, DateTime?notAfter = null, bool addServerAuthentication = true, bool addClientAuthentication = true) { var name = Guid.NewGuid().ToString("N"); var builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(name); var dn = new X500DistinguishedName($"CN={name}"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true); request.CertificateExtensions.Add(usage); var oids = new OidCollection(); if (addServerAuthentication) { oids.Add(new Oid("1.3.6.1.5.5.7.3.1")); } if (addClientAuthentication) { oids.Add(new Oid("1.3.6.1.5.5.7.3.2")); } request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(oids, false)); request.CertificateExtensions.Add(builder.Build()); return(request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5)))); } }
// Token: 0x06001C2C RID: 7212 RVA: 0x0006F7E8 File Offset: 0x0006D9E8 private bool IsValidUsage(X509Certificate2 cert, X509KeyUsageFlags expectedUsage) { for (int i = 0; i < cert.Extensions.Count; i++) { if (cert.Extensions[i].Oid.Value == WellKnownOid.KeyUsage.Value) { X509KeyUsageExtension x509KeyUsageExtension = (X509KeyUsageExtension)cert.Extensions[i]; if ((expectedUsage & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)) { return(true); } if ((expectedUsage & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.NonRepudiation)) { return(true); } if ((expectedUsage & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)) { return(true); } if ((expectedUsage & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment && x509KeyUsageExtension.KeyUsages.HasFlag(X509KeyUsageFlags.DataEncipherment)) { return(true); } } } return(false); }
public static void VerifyReadNamedBitList_KeyUsage_OneByte(AsnEncodingRules ruleSet) { // KeyUsage ::= BIT STRING { // digitalSignature (0), // nonRepudiation (1), // keyEncipherment (2), // dataEncipherment (3), // keyAgreement (4), // keyCertSign (5), // cRLSign (6), // encipherOnly (7), // decipherOnly (8) } X509KeyUsageExtension kuExt = new X509KeyUsageExtension( X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, critical: false); BitArray expected = new BitArray(7); expected.Set(6, true); expected.Set(5, true); AsnReader reader = new AsnReader(kuExt.RawData, ruleSet); BitArray actual = reader.ReadNamedBitList(); Assert.Equal(expected.Cast <bool>(), actual.Cast <bool>()); }
public X509Certificate2 GenerateCertificate(DateTime? notBefore = null, DateTime? notAfter = null) { var name = Guid.NewGuid().ToString("N"); var builder = new SubjectAlternativeNameBuilder(); builder.AddDnsName(name); var dn = new X500DistinguishedName($"CN={name}"); using (var rsa = RSA.Create(2048)) { var request = new CertificateRequest(dn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var usage = new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyAgreement, true); request.CertificateExtensions.Add(usage); var oids = new OidCollection { new Oid("1.3.6.1.5.5.7.3.1"), // Server authentication new Oid("1.3.6.1.5.5.7.3.2") // Client authentication }; request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension(oids, false)); request.CertificateExtensions.Add(builder.Build()); var certificate = request.CreateSelfSigned(new DateTimeOffset(notBefore ?? DateTime.UtcNow.AddMinutes(-5)), new DateTimeOffset(notAfter ?? DateTime.UtcNow.AddMinutes(5))); var bytes = certificate.Export(X509ContentType.Pfx); return new X509Certificate2(bytes, null as string, X509KeyStorageFlags.Exportable); // don't ask me why, but this is required for some tests to work; i.e. Mtls tests } }
public void WrongExtension_X509Extension_KeyUsages() { X509Extension ex = new X509Extension("1.2.3", new byte[0], true); X509KeyUsageExtension ku = new X509KeyUsageExtension(); ku.CopyFrom(ex); Assert.AreEqual(0, ku.KeyUsages, "KeyUsages"); }
/// <summary> /// Metodo para escribir el certificado de seguridad /// </summary> /// <param name="xCertificate"></param> ///<remarks> /// Autor: José Faustino Posas /// Company: Ssoft Colombia /// Fecha: 2012-01-16 /// ------------------- /// Control de Cambios /// ------------------- /// Autor: /// Fecha: /// Descripción: /// </remarks> public string setCertificateWriten(X509Certificate2 xCertificate) { string sCertificate = null; try { X509Certificate2 objCert = xCertificate; //Acá tenemos que poner el certificado StringBuilder objSB = new StringBuilder("Detalle del certificado: \n\n"); SymmetricAlgorithm algoritmo = SymmetricAlgorithm.Create("Rijndael"); //Detalle objSB.AppendLine("Persona = " + objCert.Subject); objSB.AppendLine("Emisor = " + objCert.Issuer); objSB.AppendLine("Válido desde = " + objCert.NotBefore.ToString()); objSB.AppendLine("Válido hasta = " + objCert.NotAfter.ToString()); objSB.AppendLine("Tamaño de la clave = " + objCert.PublicKey.Key.KeySize.ToString()); objSB.AppendLine("Valor de la clave = " + objCert.GetPublicKeyString().ToString()); objSB.AppendLine("Algoritmo de la clave = " + objCert.GetKeyAlgorithm().ToString()); objSB.AppendLine("Número de serie = " + objCert.SerialNumber); objSB.AppendLine("Hash = " + objCert.Thumbprint); //Extensiones objSB.AppendLine("\nExtensiones:\n"); foreach (X509Extension objExt in objCert.Extensions) { objSB.AppendLine(objExt.Oid.FriendlyName + " (" + objExt.Oid.Value + ')'); if (objExt.Oid.FriendlyName == "Key Usage") { X509KeyUsageExtension ext = (X509KeyUsageExtension)objExt; objSB.AppendLine(" " + ext.KeyUsages); } if (objExt.Oid.FriendlyName == "Basic Constraints") { X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)objExt; objSB.AppendLine(" " + ext.CertificateAuthority); objSB.AppendLine(" " + ext.HasPathLengthConstraint); objSB.AppendLine(" " + ext.PathLengthConstraint); } if (objExt.Oid.FriendlyName == "Subject Key Identifier") { X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension)objExt; objSB.AppendLine(" " + ext.SubjectKeyIdentifier); } if (objExt.Oid.FriendlyName == "Enhanced Key Usage") //2.5.29.37 { X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)objExt; OidCollection objOids = ext.EnhancedKeyUsages; foreach (Oid oid in objOids) { objSB.AppendLine(" " + oid.FriendlyName + " (" + oid.Value + ')'); } } } sCertificate = objSB.ToString(); //Debug.Print(objSB.ToString()); } catch { } return(sCertificate); }
public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration) { var signatures = graph.VisitAll(SignatureKind.AnySignature); var pass = false; foreach (var signature in signatures) { string serialNumber = ""; string KU = ""; Boolean KUCritical = false; int KU_extension = 0; string thumbprint = signature.Certificate.Thumbprint; serialNumber = signature.Certificate.SerialNumber; X509ExtensionCollection extensions = signature.Certificate.Extensions; foreach (X509Extension extension in extensions) { //extension.Oid.FriendlyName Console.WriteLine(extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")"); if (extension.Oid.FriendlyName == "Key Usage") { X509KeyUsageExtension ext = (X509KeyUsageExtension)extension; KUCritical = ext.Critical; KU = ext.KeyUsages.ToString(); Console.WriteLine(KU); KU_extension++; } } if (KU_extension == 1) { if (KUCritical) { verboseWriter.LogSignatureMessage(signature, "Key Usage extension is marked critical."); pass = true; } else { verboseWriter.LogSignatureMessage(signature, "Key Usage extension is not marked critical."); pass = false; } } else if (KU_extension == 0) { verboseWriter.LogSignatureMessage(signature, "Signature does not have Key Usage extension."); pass = false; } else if (KU_extension > 1) { verboseWriter.LogSignatureMessage(signature, "Signature has duplicate Key Usage extension."); pass = false; } } return(pass ? TestResult.Pass : TestResult.Fail); }
static void Main(string[] args) { //Fetch certificates in the currently connected card List <X509Certificate2> cardCertificates = new List <X509Certificate2>(); try { cardCertificates.AddRange(BaseSmartCardCryptoProvider.GetCertificates()); } catch (Win32Exception ex) { Console.WriteLine(ex.Message); } X509Certificate2 digitalSignatureCertificate = null; //Get the certificate that has non repudiation key usage as it is the digital signature key for the Kuwaiti civil id foreach (X509Certificate2 x509 in cardCertificates) { foreach (X509Extension extension in x509.Extensions) { //OID 2.5.29.15 is for key usage if (extension.Oid.Value.Equals("2.5.29.15")) { X509KeyUsageExtension ext = (X509KeyUsageExtension)extension; if (((ext.KeyUsages & X509KeyUsageFlags.NonRepudiation) | (ext.KeyUsages & X509KeyUsageFlags.DigitalSignature)) == (X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DigitalSignature)) { digitalSignatureCertificate = x509; } } } } //See if digital signature certificate was found if (digitalSignatureCertificate != null) { //Export the public key which will be used in validation X509Certificate2 publicKeySigning = new X509Certificate2(digitalSignatureCertificate.Export(X509ContentType.Cert)); //Read the pin Console.Write("Please enter your pin: "); string pin = Console.ReadLine(); //Load XML document to be signed string xmlData = File.ReadAllText(@"XMLDocuments\cd_catalog.xml"); //Sign the XML document string signedXMLData = Crypto.SignXml(xmlData, digitalSignatureCertificate, true, pin); //Output the signed XML to file File.WriteAllText(@"XMLDocuments\cd_catalog_SIGNED.xml", signedXMLData); //Read a signed XML document signedXMLData = File.ReadAllText(@"XMLDocuments\cd_catalog_SIGNED.xml"); //Validate the signed XML document using the embedded key in it Console.WriteLine("Verifying XML using internal signature STATUS = " + Crypto.VerifyXml(signedXMLData)); //Validate the signed XML document using external certificate Console.WriteLine("Verifying XML using publicKey STATUS = " + Crypto.VerifyXml(signedXMLData, publicKeySigning)); } Console.ReadKey(); }
public void ConstructorAsnEncodedData_BadAsn() { AsnEncodedData aed = new AsnEncodedData("1.2.3", new byte[0]); X509KeyUsageExtension ku = new X509KeyUsageExtension(aed, true); Assert.AreEqual(String.Empty, ku.Format(true), "Format(true)"); Assert.AreEqual(String.Empty, ku.Format(false), "Format(false)"); X509KeyUsageFlags kuf = ku.KeyUsages; }
public void ConstructorAsnEncodedData_BadAsnTag() { AsnEncodedData aed = new AsnEncodedData("1.2.3", new byte[] { 0x05, 0x00 }); X509KeyUsageExtension ku = new X509KeyUsageExtension(aed, true); Assert.AreEqual("0500", ku.Format(true), "Format(true)"); Assert.AreEqual("0500", ku.Format(false), "Format(false)"); X509KeyUsageFlags kuf = ku.KeyUsages; }
public X509Certificate2 CreateAspNetCoreHttpsDevelopmentCertificate(DateTimeOffset notBefore, DateTimeOffset notAfter, string subjectOverride, DiagnosticInformation diagnostics = null) { var subject = new X500DistinguishedName(subjectOverride ?? LocalhostHttpsDistinguishedName); var extensions = new List <X509Extension>(); var sanBuilder = new SubjectAlternativeNameBuilder(); sanBuilder.AddDnsName(LocalhostHttpsDnsName); var keyUsage = new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, critical: true); var enhancedKeyUsage = new X509EnhancedKeyUsageExtension( new OidCollection() { new Oid( ServerAuthenticationEnhancedKeyUsageOid, ServerAuthenticationEnhancedKeyUsageOidFriendlyName) }, critical: true); var basicConstraints = new X509BasicConstraintsExtension( certificateAuthority: false, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true); byte[] bytePayload; if (AspNetHttpsCertificateVersion != 0) { bytePayload = new byte[1]; bytePayload[0] = (byte)AspNetHttpsCertificateVersion; } else { bytePayload = Encoding.ASCII.GetBytes(AspNetHttpsOidFriendlyName); } var aspNetHttpsExtension = new X509Extension( new AsnEncodedData( new Oid(AspNetHttpsOid, AspNetHttpsOidFriendlyName), bytePayload), critical: false); extensions.Add(basicConstraints); extensions.Add(keyUsage); extensions.Add(enhancedKeyUsage); extensions.Add(sanBuilder.Build(critical: true)); extensions.Add(aspNetHttpsExtension); var certificate = CreateSelfSignedCertificate(subject, extensions, notBefore, notAfter); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { certificate.FriendlyName = AspNetHttpsOidFriendlyName; } return(certificate); }
// Adapted to System 2.0+ from TlsServerCertificate.cs //------------------------------ // Note: this method only works for RSA certificates // DH certificates requires some changes - does anyone use one ? private static bool CheckCertificateUsage(X509Certificate2 cert) { try { // certificate extensions are required for this // we "must" accept older certificates without proofs if (cert.Version < 3) { return(true); } X509KeyUsageExtension kux = (cert.Extensions["2.5.29.15"] as X509KeyUsageExtension); X509EnhancedKeyUsageExtension eku = (cert.Extensions["2.5.29.37"] as X509EnhancedKeyUsageExtension); if (kux != null && eku != null) { // RFC3280 states that when both KeyUsageExtension and // ExtendedKeyUsageExtension are present then BOTH should // be valid if ((kux.KeyUsages & s_flags) == 0) { return(false); } return(eku.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || eku.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null); } else if (kux != null) { return((kux.KeyUsages & s_flags) != 0); } else if (eku != null) { // Server Authentication (1.3.6.1.5.5.7.3.1) or // Netscape Server Gated Crypto (2.16.840.1.113730.4) return(eku.EnhancedKeyUsages["1.3.6.1.5.5.7.3.1"] != null || eku.EnhancedKeyUsages["2.16.840.1.113730.4.1"] != null); } // last chance - try with older (deprecated) Netscape extensions X509Extension ext = cert.Extensions["2.16.840.1.113730.1.1"]; if (ext != null) { string text = ext.NetscapeCertType(false); return(text.IndexOf("SSL Server Authentication", StringComparison.Ordinal) != -1); } return(true); } catch (Exception e) { #if SSHARP ErrorLog.Error("ERROR processing certificate: {0}", e); ErrorLog.Error("Please, report this problem to the Mono team"); #else Console.Error.WriteLine("ERROR processing certificate: {0}", e); Console.Error.WriteLine("Please, report this problem to the Mono team"); #endif return(false); } }
internal string KeyUsageExtension(bool multiLine) { try { X509KeyUsageExtension ku = new X509KeyUsageExtension(this, false); return(ku.ToString(multiLine)); } catch { return(String.Empty); } }
public X509Certificate2Collection GetCertificates() { X509Certificate2Collection certs = new X509Certificate2Collection(); X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); try { certificateStore.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly); foreach (X509Certificate2 certificate in certificateStore.Certificates) { if (certificate.HasPrivateKey) { bool digitalSignatureUsage = false; bool clientAuthEnhancedUsage = false; bool enhancedKeyUsageSupported = false; foreach (X509Extension extension in certificate.Extensions) { X509KeyUsageExtension keyUsage = extension as X509KeyUsageExtension; if (keyUsage != null) { digitalSignatureUsage = (keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0; } else { X509EnhancedKeyUsageExtension enhancedKeyUsage = extension as X509EnhancedKeyUsageExtension; if (enhancedKeyUsage != null && enhancedKeyUsage.EnhancedKeyUsages != null) { enhancedKeyUsageSupported = true; foreach (var oid in enhancedKeyUsage.EnhancedKeyUsages) { if (oid.Value == OidClientAuthValue) { clientAuthEnhancedUsage = true; break; } } } } } if (digitalSignatureUsage && (!enhancedKeyUsageSupported || clientAuthEnhancedUsage)) { certs.Add(certificate); } } } } finally { certificateStore.Dispose(); } return(certs); }
public static void DecodeFromBER() { // Extensions encoded inside PKCS#8 on Windows may use BER encoding that would be invalid DER. // Ensure that no exception is thrown and the value is decoded correctly. X509KeyUsageExtension ext; ext = new X509KeyUsageExtension(new AsnEncodedData("230403020080".HexToByteArray()), false); Assert.Equal(X509KeyUsageFlags.DigitalSignature, ext.KeyUsages); ext = new X509KeyUsageExtension(new AsnEncodedData("038200020080".HexToByteArray()), false); Assert.Equal(X509KeyUsageFlags.DigitalSignature, ext.KeyUsages); }
public static void DefaultConstructor() { X509KeyUsageExtension e = new X509KeyUsageExtension(); string oidValue = e.Oid.Value; Assert.Equal("2.5.29.15", oidValue); Assert.Empty(e.RawData); X509KeyUsageFlags keyUsages = e.KeyUsages; Assert.Equal(X509KeyUsageFlags.None, keyUsages); }
/// <summary> /// Gets the /// </summary> /// <param name="certificate"></param> /// <returns></returns> public static X509KeyUsageFlags GetKeyUsage(this X509Certificate2 certificate) { if (certificate == null) { return(X509KeyUsageFlags.None); } X509KeyUsageExtension kue = (certificate.Extensions[X509Extensions.KeyUsage.ToString()] as X509KeyUsageExtension); return(kue == null ? X509KeyUsageFlags.None : kue.KeyUsages); }
// [ExpectedException (typeof (...))] public void ConstructorKeyUsage_Invalid() { X509KeyUsageFlags kuf = (X509KeyUsageFlags)Int32.MinValue; X509KeyUsageExtension ku = new X509KeyUsageExtension(kuf, false); Assert.AreEqual(0, (int)ku.KeyUsages, "KeyUsages"); Assert.AreEqual("03-01-00", BitConverter.ToString(ku.RawData), "RawData"); // FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows. //Assert.AreEqual ("Information Not Available", ku.Format (true), "Format(true)"); //Assert.AreEqual ("Information Not Available", ku.Format (false), "Format(false)"); }
public void WrongExtension_X509Extension() { X509Extension ex = new X509Extension("1.2.3", new byte [0], true); X509KeyUsageExtension ku = new X509KeyUsageExtension(X509KeyUsageFlags.CrlSign, true); ku.CopyFrom(ex); Assert.IsTrue(ku.Critical, "Critical"); Assert.AreEqual(String.Empty, BitConverter.ToString(ku.RawData), "RawData"); Assert.AreEqual("1.2.3", ku.Oid.Value, "Oid.Value"); Assert.IsNull(ku.Oid.FriendlyName, "Oid.FriendlyName"); }
public static void ReadInvalidExtension_KeyUsage() { X509KeyUsageExtension keyUsageExtension = new X509KeyUsageExtension(new AsnEncodedData(Array.Empty<byte>()), false); Assert.ThrowsAny<CryptographicException>(() => keyUsageExtension.KeyUsages); }
internal string KeyUsageExtension (bool multiLine) { try { X509KeyUsageExtension ku = new X509KeyUsageExtension (this, false); return ku.ToString (multiLine); } catch { return String.Empty; } }
private static void TestKeyUsageExtension(X509KeyUsageFlags flags, bool critical, byte[] expectedDer) { X509KeyUsageExtension ext = new X509KeyUsageExtension(flags, critical); byte[] rawData = ext.RawData; Assert.Equal(expectedDer, rawData); // Assert that format doesn't crash string s = ext.Format(false); // Rebuild it from the RawData. ext = new X509KeyUsageExtension(new AsnEncodedData(rawData), critical); Assert.Equal(flags, ext.KeyUsages); }
public static void KeyUsageExtensionDefaultCtor() { X509KeyUsageExtension e = new X509KeyUsageExtension(); string oidValue = e.Oid.Value; Assert.Equal("2.5.29.15", oidValue); byte[] r = e.RawData; Assert.Null(r); X509KeyUsageFlags keyUsages = e.KeyUsages; Assert.Equal(X509KeyUsageFlags.None, keyUsages); }