public void CreateEcdsaKeyPair(int bits)
{
var ecdsaKeys = PkiKeyPair.GenerateEcdsaKeyPair(bits);
Assert.AreEqual(PkiAsymmetricAlgorithm.Ecdsa, ecdsaKeys.Algorithm);
Assert.IsFalse(ecdsaKeys.PublicKey.IsPrivate);
Assert.AreEqual(PkiAsymmetricAlgorithm.Ecdsa, ecdsaKeys.PublicKey.Algorithm);
Assert.IsTrue(ecdsaKeys.PrivateKey.IsPrivate);
Assert.AreEqual(PkiAsymmetricAlgorithm.Ecdsa, ecdsaKeys.PublicKey.Algorithm);
var pubOut = Path.Combine(_testTemp, $"ecdsa-pub-key-{bits}.pem");
var prvOut = Path.Combine(_testTemp, $"ecdsa-prv-key-{bits}.pem");
File.WriteAllBytes(pubOut, ecdsaKeys.PublicKey.Export(PkiEncodingFormat.Pem));
File.WriteAllBytes(prvOut, ecdsaKeys.PrivateKey.Export(PkiEncodingFormat.Pem));
using (var proc = OpenSsl.Start($"ec -in {pubOut} -pubin"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode, "OpenSSL exit code checking EC public key");
}
using (var proc = OpenSsl.Start($"ec -in {prvOut} -check"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode, "OpenSSL exit code checking EC private key");
}
}
public void ExportRsaKeyPairWithPassword(int bits)
{
var rsaKeys = PkiKeyPair.GenerateRsaKeyPair(bits);
Assert.AreEqual(PkiAsymmetricAlgorithm.Rsa, rsaKeys.Algorithm);
Assert.IsFalse(rsaKeys.PublicKey.IsPrivate);
Assert.AreEqual(PkiAsymmetricAlgorithm.Rsa, rsaKeys.PublicKey.Algorithm);
Assert.IsTrue(rsaKeys.PrivateKey.IsPrivate);
Assert.AreEqual(PkiAsymmetricAlgorithm.Rsa, rsaKeys.PrivateKey.Algorithm);
var pubOut = Path.Combine(_testTemp, $"keypair-rsa-pub{bits}-secure.pem");
var prvOut = Path.Combine(_testTemp, $"keypair-rsa-prv{bits}-secure.pem");
File.WriteAllBytes(pubOut, rsaKeys.PublicKey.Export(PkiEncodingFormat.Pem,
password: "******".ToCharArray()));
File.WriteAllBytes(prvOut, rsaKeys.PrivateKey.Export(PkiEncodingFormat.Pem,
password: "******".ToCharArray()));
using (var proc = OpenSsl.Start($"rsa -in {pubOut} -pubin"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
using (var proc = OpenSsl.Start($"rsa -in {prvOut} -check -passin pass:123456"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
}
public void CreateAndExportRsaCsr(int bits, PkiHashAlgorithm hashAlgor)
{
var sn = "CN=foo.example.com";
var keys = PkiKeyPair.GenerateRsaKeyPair(bits);
var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor);
var pemOut = Path.Combine(_testTemp,
$"csr-rsa-{bits}-{hashAlgor}.pem");
var derOut = Path.Combine(_testTemp,
$"csr-rsa-{bits}-{hashAlgor}.der");
Assert.AreEqual(sn, csr.SubjectName);
Assert.AreSame(keys.PublicKey, keys.PublicKey);
Assert.AreEqual(hashAlgor, csr.HashAlgorithm);
File.WriteAllBytes(pemOut, csr.ExportSigningRequest(PkiEncodingFormat.Pem));
File.WriteAllBytes(derOut, csr.ExportSigningRequest(PkiEncodingFormat.Der));
using (var proc = OpenSsl.Start($"req -text -noout -verify -in {pemOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
using (var proc = OpenSsl.Start($"req -text -noout -verify -inform DER -in {derOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
}
public void ExportSignedCert(PkiAsymmetricAlgorithm algor, int bits)
{
var hashAlgor = PkiHashAlgorithm.Sha256;
var isurName = "CN=SelfSigned";
var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits);
var subjName = "CN=foo.example.com";
var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits);
var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor);
var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor);
subjCsr.CertificateExtensions.Add(
PkiCertificateExtension.CreateDnsSubjectAlternativeNames(
new[] {
"foo-alt1.example.com",
"foo-alt2.example.com",
}));
var pemOut = Path.Combine(_testTemp,
$"cert-{algor}-{bits}-{hashAlgor}.pem");
var derOut = Path.Combine(_testTemp,
$"cert-{algor}-{bits}-{hashAlgor}.der");
var isurCert = isurCsr.CreateCa(
DateTime.Now.AddMonths(-5),
DateTime.Now.AddMonths(5));
Assert.AreEqual(isurName, isurCert.SubjectName,
"Issuer Name on Issuer Certificate");
var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey,
DateTime.Now.AddMonths(-1),
DateTime.Now.AddMonths(1), new[] { (byte)0x2b });
Assert.AreEqual(isurName, isurCert.SubjectName,
"Subject Name on Subject Certificate");
File.WriteAllBytes(pemOut, subjCert.Export(PkiEncodingFormat.Pem));
File.WriteAllBytes(derOut, subjCert.Export(PkiEncodingFormat.Der));
using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
using (var proc = OpenSsl.Start($"x509 -text -noout -inform DER -in {derOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
}
public void ExportSelfSignedCert(PkiAsymmetricAlgorithm algor, int bits)
{
var hashAlgor = PkiHashAlgorithm.Sha256;
var sn = "CN=foo.example.com";
var keys = PkiKeyTests.GenerateKeyPair(algor, bits);
var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor);
var pemOut = Path.Combine(_testTemp,
$"certself-{algor}-{bits}-{hashAlgor}.pem");
var derOut = Path.Combine(_testTemp,
$"certself-{algor}-{bits}-{hashAlgor}.der");
Assert.AreEqual(sn, csr.SubjectName);
Assert.AreSame(keys.PublicKey, keys.PublicKey);
Assert.AreEqual(hashAlgor, csr.HashAlgorithm);
var cert = csr.CreateSelfSigned(
DateTime.Now.AddMonths(-1),
DateTime.Now.AddMonths(1));
Assert.AreEqual(sn, cert.SubjectName,
"Subject Name on PKI Certificate");
var bclCert = cert.ToBclCertificate();
Assert.AreEqual(sn, bclCert.Subject,
"Subject Name on BCL Certificate");
Assert.IsFalse(bclCert.HasPrivateKey);
Assert.IsNull(bclCert.PrivateKey);
File.WriteAllBytes(pemOut, cert.Export(PkiEncodingFormat.Pem));
File.WriteAllBytes(derOut, cert.Export(PkiEncodingFormat.Der));
using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
using (var proc = OpenSsl.Start($"x509 -text -noout -inform DER -in {derOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
}
public void CreateAndExportEcdsaSansCsr(int bits, PkiHashAlgorithm hashAlgor)
{
var sn = "CN=foo.example.com";
var sans = new[] {
"foo-alt1.example.com",
"foo-alt2.example.com",
};
var keys = PkiKeyPair.GenerateEcdsaKeyPair(bits);
var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor);
csr.CertificateExtensions.Add(
PkiCertificateExtension.CreateDnsSubjectAlternativeNames(sans));
var pemOut = Path.Combine(_testTemp,
$"csr-ecdsa-{bits}-{hashAlgor}-sans.pem");
var derOut = Path.Combine(_testTemp,
$"csr-ecdsa-{bits}-{hashAlgor}-sans.der");
Assert.AreEqual(sn, csr.SubjectName);
Assert.AreSame(keys.PublicKey, keys.PublicKey);
Assert.AreEqual(hashAlgor, csr.HashAlgorithm);
Assert.AreEqual(1, csr.CertificateExtensions.Count);
File.WriteAllBytes(pemOut, csr.ExportSigningRequest(PkiEncodingFormat.Pem));
File.WriteAllBytes(derOut, csr.ExportSigningRequest(PkiEncodingFormat.Der));
using (var proc = OpenSsl.Start($"req -text -noout -verify -in {pemOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
using (var proc = OpenSsl.Start($"req -text -noout -verify -inform DER -in {derOut}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
}
public void ExportSelfSignedPemChain(PkiAsymmetricAlgorithm algor, int bits)
{
var hashAlgor = PkiHashAlgorithm.Sha256;
var sn = "CN=foo.example.com";
var keys = PkiKeyTests.GenerateKeyPair(algor, bits);
var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor);
var pemSansKey = Path.Combine(_testTemp,
$"certselfexp-{algor}-{bits}-{hashAlgor}-sanskey.pem");
var pemWithKey = Path.Combine(_testTemp,
$"certselfexp-{algor}-{bits}-{hashAlgor}-withkey.pem");
Assert.AreEqual(sn, csr.SubjectName);
Assert.AreSame(keys.PublicKey, keys.PublicKey);
Assert.AreEqual(hashAlgor, csr.HashAlgorithm);
var cert = csr.CreateSelfSigned(
DateTime.Now.AddMonths(-1),
DateTime.Now.AddMonths(1));
Assert.AreEqual(sn, cert.SubjectName,
"Subject Name on PKI Certificate");
var bclCert = cert.ToBclCertificate();
Assert.AreEqual(sn, bclCert.Subject,
"Subject Name on BCL Certificate");
Assert.IsFalse(bclCert.HasPrivateKey);
Assert.IsNull(bclCert.PrivateKey);
File.WriteAllBytes(pemSansKey, cert.Export(PkiArchiveFormat.Pem));
File.WriteAllBytes(pemWithKey, cert.Export(PkiArchiveFormat.Pem,
keys.PrivateKey));
// Check Cert
using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemSansKey}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
// Check Cert
using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemWithKey}"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
// Check Private Key
var opensslCmd = "rsa";
if (algor == PkiAsymmetricAlgorithm.Ecdsa)
{
opensslCmd = "ec";
}
using (var proc = OpenSsl.Start($"{opensslCmd} -in {pemWithKey} -check"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pemSansKey));
Assert.IsFalse(certSansKey.HasPrivateKey);
Assert.IsNull(certSansKey.PrivateKey);
}
public void ExportSignedPkcs12(PkiAsymmetricAlgorithm algor, int bits)
{
var hashAlgor = PkiHashAlgorithm.Sha256;
var isurName = "CN=SelfSigned";
var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits);
var subjName = "CN=foo.example.com";
var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits);
var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor);
var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor);
subjCsr.CertificateExtensions.Add(
PkiCertificateExtension.CreateDnsSubjectAlternativeNames(
new[] {
"foo-alt1.example.com",
"foo-alt2.example.com",
}));
var pfxSansKey = Path.Combine(_testTemp,
$"certexp-{algor}-{bits}-{hashAlgor}-sanskey.pfx");
var pfxWithKey = Path.Combine(_testTemp,
$"certexp-{algor}-{bits}-{hashAlgor}-withkey.pfx");
var isurCert = isurCsr.CreateCa(
DateTime.Now.AddMonths(-5),
DateTime.Now.AddMonths(5));
Assert.AreEqual(isurName, isurCert.SubjectName,
"Issuer Name on Issuer Certificate");
var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey,
DateTime.Now.AddMonths(-1),
DateTime.Now.AddMonths(1), new[] { (byte)0x2b });
Assert.AreEqual(isurName, isurCert.SubjectName,
"Subject Name on Subject Certificate");
File.WriteAllBytes(pfxSansKey, subjCert.Export(PkiArchiveFormat.Pkcs12,
chain: new[] { isurCert }));
File.WriteAllBytes(pfxWithKey, subjCert.Export(PkiArchiveFormat.Pkcs12,
subjKeys.PrivateKey, new[] { isurCert }));
using (var proc = OpenSsl.Start($"pkcs12 -info -in {pfxSansKey} -passin pass:"******"pkcs12 -info -in {pfxWithKey} -passin pass: -nokeys"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxSansKey));
Assert.IsFalse(certSansKey.HasPrivateKey);
Assert.IsNull(certSansKey.PrivateKey);
var certWithKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxWithKey));
Assert.IsTrue(certWithKey.HasPrivateKey);
if (algor != PkiAsymmetricAlgorithm.Ecdsa)
{
// This throws: System.NotSupportedException: The certificate key algorithm is not supported.
Assert.IsNotNull(certWithKey.PrivateKey);
}
}
public void ExportSelfSignedPkcs12(PkiAsymmetricAlgorithm algor, int bits)
{
var hashAlgor = PkiHashAlgorithm.Sha256;
var sn = "CN=foo.example.com";
var keys = PkiKeyTests.GenerateKeyPair(algor, bits);
var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor);
var pfxSansKey = Path.Combine(_testTemp,
$"certselfexp-{algor}-{bits}-{hashAlgor}-sanskey.pfx");
var pfxWithKey = Path.Combine(_testTemp,
$"certselfexp-{algor}-{bits}-{hashAlgor}-withkey.pfx");
Assert.AreEqual(sn, csr.SubjectName);
Assert.AreSame(keys.PublicKey, keys.PublicKey);
Assert.AreEqual(hashAlgor, csr.HashAlgorithm);
var cert = csr.CreateSelfSigned(
DateTime.Now.AddMonths(-1),
DateTime.Now.AddMonths(1));
Assert.AreEqual(sn, cert.SubjectName,
"Subject Name on PKI Certificate");
var bclCert = cert.ToBclCertificate();
Assert.AreEqual(sn, bclCert.Subject,
"Subject Name on BCL Certificate");
Assert.IsFalse(bclCert.HasPrivateKey);
Assert.IsNull(bclCert.PrivateKey);
File.WriteAllBytes(pfxSansKey, cert.Export(PkiArchiveFormat.Pkcs12));
File.WriteAllBytes(pfxWithKey, cert.Export(PkiArchiveFormat.Pkcs12,
keys.PrivateKey));
using (var proc = OpenSsl.Start($"pkcs12 -info -in {pfxSansKey} -passin pass:"******"pkcs12 -info -in {pfxWithKey} -passin pass: -nokeys"))
{
proc.WaitForExit();
Assert.AreEqual(0, proc.ExitCode);
}
var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxSansKey));
Assert.IsFalse(certSansKey.HasPrivateKey);
Assert.IsNull(certSansKey.PrivateKey);
var certWithKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxWithKey));
Assert.IsTrue(certWithKey.HasPrivateKey);
if (algor != PkiAsymmetricAlgorithm.Ecdsa)
{
// This throws: System.NotSupportedException: The certificate key algorithm is not supported.
Assert.IsNotNull(certWithKey.PrivateKey);
}
}
