public async Task VerifyNotAfterInvalid(bool trusted) { var cert = CertificateFactory.CreateCertificate( null, null, "CN=App Test Cert", null, CertificateFactory.DefaultKeySize, new DateTime(2010, 1, 1), 12, CertificateFactory.DefaultHashSize); TestContext.Out.WriteLine($"{cert}:"); Assert.NotNull(cert); cert = new X509Certificate2(cert); Assert.NotNull(cert); Assert.True(X509Utils.CompareDistinguishedName("CN=App Test Cert", cert.Subject)); CleanupValidatorAndStores(); if (trusted) { await m_issuerStore.Add(cert); } else { await m_trustedStore.Add(cert); } var certValidator = InitValidatorWithStores(); var serviceResultException = Assert.Throws <ServiceResultException>(() => { certValidator.Validate(cert); }); Assert.AreEqual(StatusCodes.BadCertificateTimeInvalid, serviceResultException.StatusCode, serviceResultException.Message); }
public void VerifyCACerts( KeyHashPair keyHashPair ) { var subject = "CN=CA Test Cert"; int pathLengthConstraint = (keyHashPair.KeySize / 512) - 3; var cert = CertificateFactory.CreateCertificate( null, null, null, null, null, subject, null, keyHashPair.KeySize, DateTime.UtcNow, 25 * 12, keyHashPair.HashSize, isCA: true, pathLengthConstraint: pathLengthConstraint); Assert.NotNull(cert); Assert.NotNull(cert.RawData); Assert.True(cert.HasPrivateKey); var plainCert = new X509Certificate2(cert.RawData); Assert.NotNull(plainCert); VerifyCACert(plainCert, subject, pathLengthConstraint); CertificateFactory.VerifySelfSigned(cert); CertificateFactory.VerifyRSAKeyPair(cert, cert); }
public virtual async Task <X509Certificate2> CreateCACertificateAsync( string subjectName ) { DateTime yesterday = DateTime.UtcNow.AddDays(-1); X509Certificate2 newCertificate = CertificateFactory.CreateCertificate( m_authoritiesStoreType, m_authoritiesStorePath, null, null, null, subjectName, null, Configuration.CACertificateKeySize, yesterday, Configuration.CACertificateLifetime, Configuration.CACertificateHashSize, true, null, null); // save only public key Certificate = new X509Certificate2(newCertificate.RawData); // initialize revocation list await CertificateFactory.RevokeCertificateAsync(m_authoritiesStorePath, newCertificate, null); await UpdateAuthorityCertInTrustedList(); return(Certificate); }
/// <summary> /// Creates the application instance certificate. /// </summary> /// <param name="configuration">The configuration.</param> /// <param name="keySize">Size of the key.</param> /// <param name="lifeTimeInMonths">The lifetime in months.</param> /// <returns>The new certificate</returns> private static async Task <X509Certificate2> CreateApplicationInstanceCertificate( ApplicationConfiguration configuration, ushort keySize, ushort lifeTimeInMonths ) { Utils.Trace(Utils.TraceMasks.Information, "Creating application instance certificate."); // delete any existing certificate. await DeleteApplicationInstanceCertificate(configuration).ConfigureAwait(false); CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; // get the domains from the configuration file. IList <string> serverDomainNames = configuration.GetServerDomainNames(); if (serverDomainNames.Count == 0) { serverDomainNames.Add(Utils.GetHostName()); } // ensure the certificate store directory exists. if (id.StoreType == CertificateStoreType.Directory) { Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true); } X509Certificate2 certificate = CertificateFactory.CreateCertificate( configuration.ApplicationUri, configuration.ApplicationName, id.SubjectName, serverDomainNames) .SetLifeTime(lifeTimeInMonths) .SetRSAKeySize(keySize) .CreateForRSA(); id.Certificate = certificate; var passwordProvider = configuration.SecurityConfiguration.CertificatePasswordProvider; certificate.AddToStore( id.StoreType, id.StorePath, passwordProvider?.GetPassword(id) ); // ensure the certificate is trusted. if (configuration.SecurityConfiguration.AddAppCertToTrustedStore) { await AddToTrustedStore(configuration, certificate).ConfigureAwait(false); } await configuration.CertificateValidator.Update(configuration.SecurityConfiguration).ConfigureAwait(false); Utils.Trace(Utils.TraceMasks.Information, "Certificate created. Thumbprint={0}", certificate.Thumbprint); // reload the certificate from disk. await configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKeyEx(passwordProvider).ConfigureAwait(false); return(certificate); }
public void VerifySignedAppCerts( KeyHashPair keyHashPair ) { X509Certificate2 issuerCertificate = GetIssuer(keyHashPair); Assert.NotNull(issuerCertificate); Assert.NotNull(issuerCertificate.RawData); Assert.True(issuerCertificate.HasPrivateKey); var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize); ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First(); var cert = CertificateFactory.CreateCertificate( app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames) .SetHashAlgorithm(keyHashPair.HashAlgorithmName) .SetIssuer(issuerCertificate) .SetRSAKeySize(keyHashPair.KeySize) .CreateForRSA(); Assert.NotNull(cert); Assert.NotNull(cert.RawData); Assert.True(cert.HasPrivateKey); using (var plainCert = new X509Certificate2(cert.RawData)) { Assert.NotNull(plainCert); VerifyApplicationCert(app, plainCert, issuerCertificate); X509Utils.VerifyRSAKeyPair(plainCert, cert, true); } }
public void VerifySelfSignedAppCerts( KeyHashPair keyHashPair ) { var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize); ApplicationTestData app = appTestGenerator .ApplicationTestSet(1) .First(); var cert = CertificateFactory.CreateCertificate(app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames) .SetHashAlgorithm(keyHashPair.HashAlgorithmName) .SetRSAKeySize(keyHashPair.KeySize) .CreateForRSA(); Assert.NotNull(cert); Assert.NotNull(cert.RawData); Assert.True(cert.HasPrivateKey); using (RSA rsa = cert.GetRSAPrivateKey()) { rsa.ExportParameters(true); } using (RSA rsa = cert.GetRSAPublicKey()) { rsa.ExportParameters(false); } var plainCert = new X509Certificate2(cert.RawData); Assert.NotNull(plainCert); VerifyApplicationCert(app, plainCert); X509Utils.VerifyRSAKeyPair(cert, cert, true); Assert.True(X509Utils.VerifySelfSigned(cert), "Verify Self signed."); }
public virtual async Task <X509Certificate2> SigningRequestAsync( ApplicationRecordDataType application, string[] domainNames, byte[] certificateRequest) { Pkcs10CertificationRequest pkcs10CertificationRequest = new Pkcs10CertificationRequest(certificateRequest); CertificationRequestInfo info = pkcs10CertificationRequest.GetCertificationRequestInfo(); DateTime yesterday = DateTime.UtcNow.AddDays(-1); return(CertificateFactory.CreateCertificate( null, null, null, application.ApplicationUri ?? "urn:ApplicationURI", application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName", info.Subject.ToString(), domainNames, Configuration.DefaultCertificateKeySize, yesterday, Configuration.DefaultCertificateLifetime, Configuration.DefaultCertificateHashSize, false, await LoadSigningKeyAsync(Certificate, string.Empty), info.SubjectPublicKeyInfo.GetEncoded())); }
public async Task VerifyNotBeforeInvalid(bool trusted) { var cert = CertificateFactory.CreateCertificate( null, null, null, null, "App Test Cert", null, null, CertificateFactory.DefaultKeySize, DateTime.UtcNow + TimeSpan.FromDays(14), 12, CertificateFactory.DefaultHashSize); Assert.NotNull(cert); cert = new X509Certificate2(cert); Assert.NotNull(cert); Assert.True(Utils.CompareDistinguishedName("CN=App Test Cert", cert.Subject)); CleanupValidatorAndStores(); if (trusted) { await m_issuerStore.Add(cert); } else { await m_trustedStore.Add(cert); } var certValidator = InitValidatorWithStores(); var serviceResultException = Assert.Throws <ServiceResultException>(() => { certValidator.Validate(cert); }); Assert.AreEqual(StatusCodes.BadCertificateTimeInvalid, serviceResultException.StatusCode, serviceResultException.Message); }
/// <summary> /// Create CA test certificates. /// </summary> private void CreateCATestCerts(string tempStorePath) { Assert.IsTrue(EraseStore(tempStorePath)); string subjectName = "CN=CA Test Cert, O=OPC Foundation"; X509Certificate2 newCACert = CertificateFactory.CreateCertificate( CertificateStoreType.Directory, tempStorePath, null, null, null, subjectName, null, CertificateFactory.defaultKeySize, DateTime.UtcNow, CertificateFactory.defaultLifeTime, CertificateFactory.defaultHashSize, true, null, null); _caCert = newCACert; // initialize cert revocation list (CRL) X509CRL newCACrl = CertificateFactory.RevokeCertificateAsync(tempStorePath, newCACert).Result; _caCrl = newCACrl; }
public virtual async Task <X509Certificate2> CreateCACertificateAsync( string subjectName ) { DateTime yesterday = DateTime.Today.AddDays(-1); X509Certificate2 newCertificate = CertificateFactory.CreateCertificate(subjectName) .SetNotBefore(yesterday) .SetLifeTime(Configuration.CACertificateLifetime) .SetHashAlgorithm(X509Utils.GetRSAHashAlgorithmName(Configuration.CACertificateHashSize)) .SetCAConstraint() .SetRSAKeySize(Configuration.CACertificateKeySize) .CreateForRSA() .AddToStore( AuthoritiesStoreType, AuthoritiesStorePath); // save only public key Certificate = new X509Certificate2(newCertificate.RawData); // initialize revocation list await RevokeCertificateAsync(AuthoritiesStorePath, newCertificate, null).ConfigureAwait(false); await UpdateAuthorityCertInTrustedList().ConfigureAwait(false); return(Certificate); }
/// <summary> /// Synchronous helper implementation of CheckApplicationInstanceCertificate for C++ Proxy /// </summary> public static void CheckApplicationInstanceCertificate(ApplicationConfiguration configuration) { // create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { id = new CertificateIdentifier(); id.StoreType = Utils.DefaultStoreType; id.StorePath = Utils.DefaultStorePath; id.SubjectName = configuration.ApplicationName; } // check for certificate with a private key. X509Certificate2 certificate = id.Find(true).Result; if (certificate != null) { return; } // construct the subject name from the List <string> hostNames = new List <string>(); hostNames.Add(Utils.GetHostName()); string commonName = Utils.Format("CN={0}", configuration.ApplicationName); string domainName = Utils.Format("DC={0}", hostNames[0]); string subjectName = Utils.Format("{0}, {1}", commonName, domainName); // create a new certificate with a new public key pair. certificate = CertificateFactory.CreateCertificate( configuration.ApplicationUri, configuration.ApplicationName, subjectName, hostNames) .CreateForRSA() .AddToStore( id.StoreType, id.StorePath); id.Certificate = certificate; // update and save the configuration file. configuration.SaveToFile(configuration.SourceFilePath); // add certificate to the trusted peer store so other applications will trust it. using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore()) { X509Certificate2Collection certificateCollection = store.FindByThumbprint(certificate.Thumbprint).Result; if (certificateCollection != null) { store.Add(certificateCollection[0]).Wait(); } } // tell the certificate validator about the new certificate. configuration.CertificateValidator.Update(configuration.SecurityConfiguration).Wait(); }
public async Task <X509CertificateCollection> KeyVaultSigningRequestAsync() { Skip.If(!_fixture.KeyVaultInitOk); var certCollection = new X509CertificateCollection(); var groups = await _registry.ListGroupIdsAsync(null, null); foreach (var group in groups.Groups) { var certificateGroupConfiguration = await _registry.GetGroupInfoAsync(group); var randomApp = _fixture.RandomGenerator.RandomApplicationTestData(); var csrCertificate = CertificateFactory.CreateCertificate( null, null, null, randomApp.ApplicationRecord.ApplicationUri, null, randomApp.Subject, randomApp.DomainNames.ToArray(), certificateGroupConfiguration.DefaultCertificateKeySize, DateTime.UtcNow.AddDays(-10), certificateGroupConfiguration.DefaultCertificateLifetime, certificateGroupConfiguration.DefaultCertificateHashSize ); var certificateRequest = CertificateFactory.CreateSigningRequest( csrCertificate, randomApp.DomainNames); var newCert = await _services.ProcessSigningRequestAsync( "cert", new Registry.Models.ApplicationInfoModel { ApplicationUri = randomApp.ApplicationRecord.ApplicationUri, }, certificateRequest); // get issuer cert used for signing var issuerCerts = await _services.GetIssuerCACertificateChainAsync(group); #if WRITECERT // save cert for debugging using (var store = Opc.Ua.CertificateStoreIdentifier.CreateStore( Opc.Ua.CertificateStoreType.Directory)) { Assert.NotNull(store); store.Open("d:\\unittest"); await store.Add(newCert.ToStackModel()); foreach (var cert in issuerCerts.ToStackModel()) { await store.Add(cert); } } #endif Assert.NotNull(issuerCerts); Assert.True(issuerCerts.Chain.Count >= 1); X509TestUtils.VerifySignedApplicationCert( randomApp, newCert.ToStackModel(), issuerCerts.ToStackModel()); certCollection.Add(newCert.ToStackModel()); } return(certCollection); }
/// <summary> /// Create application configuration /// </summary> /// <param name="opcConfig"></param> /// <param name="handler"></param> /// <param name="createSelfSignedCertIfNone"></param> /// <returns></returns> public static ApplicationConfiguration ToApplicationConfiguration( this IClientServicesConfig2 opcConfig, bool createSelfSignedCertIfNone, CertificateValidationEventHandler handler) { if (string.IsNullOrWhiteSpace(opcConfig.ApplicationName)) { throw new ArgumentNullException(nameof(opcConfig.ApplicationName)); } var applicationConfiguration = new ApplicationConfiguration { ApplicationName = opcConfig.ApplicationName, ApplicationUri = opcConfig.ApplicationUri, ProductUri = opcConfig.ProductUri, ApplicationType = ApplicationType.Client, TransportQuotas = opcConfig.ToTransportQuotas(), SecurityConfiguration = opcConfig.ToSecurityConfiguration(), ClientConfiguration = new ClientConfiguration(), CertificateValidator = new CertificateValidator() }; applicationConfiguration.CertificateValidator.CertificateValidation += handler; X509Certificate2 certificate = null; // use existing certificate, if it is there certificate = applicationConfiguration.SecurityConfiguration.ApplicationCertificate.Find(true).Result; // create a self signed certificate if there is none if (certificate == null && createSelfSignedCertIfNone) { certificate = CertificateFactory.CreateCertificate( applicationConfiguration.SecurityConfiguration.ApplicationCertificate.StoreType, applicationConfiguration.SecurityConfiguration.ApplicationCertificate.StorePath, null, applicationConfiguration.ApplicationUri, applicationConfiguration.ApplicationName, applicationConfiguration.ApplicationName, null, CertificateFactory.defaultKeySize, DateTime.UtcNow - TimeSpan.FromDays(1), CertificateFactory.defaultLifeTime, CertificateFactory.defaultHashSize ); // update security information applicationConfiguration.SecurityConfiguration.ApplicationCertificate.Certificate = certificate ?? throw new Exception( "OPC UA application certificate can not be created! Cannot continue without it!"); //await applicationConfiguration.CertificateValidator.UpdateCertificate( //applicationConfiguration.SecurityConfiguration).ConfigureAwait(false); } applicationConfiguration.ApplicationUri = Utils.GetApplicationUriFromCertificate(certificate); return(applicationConfiguration); }
private async Task SigningRequestAllApplications() { Skip.If(!_fixture.RegistrationOk); int count = 0; foreach (var application in _applicationTestSet) { string[] groups = await _certificateGroup.GetCertificateGroupIds(); foreach (var group in groups) { var applicationId = application.Model.ApplicationId.ToString(); var certificateGroupConfiguration = await _certificateGroup.GetCertificateGroupConfiguration(group); X509Certificate2 csrCertificate = CertificateFactory.CreateCertificate( null, null, null, application.ApplicationRecord.ApplicationUri, null, application.Subject, application.DomainNames.ToArray(), certificateGroupConfiguration.DefaultCertificateKeySize, DateTime.UtcNow.AddDays(-20), certificateGroupConfiguration.DefaultCertificateLifetime, certificateGroupConfiguration.DefaultCertificateHashSize ); byte[] csr = CertificateFactory.CreateSigningRequest( csrCertificate, application.DomainNames); string requestId = await _certificateRequest.StartSigningRequestAsync( applicationId, group, null, csr, "*****@*****.**"); Assert.NotNull(requestId); // read request var request = await _certificateRequest.ReadAsync(requestId); Assert.Equal(CertificateRequestState.New, request.State); Assert.Null(request.PrivateKeyFormat); Assert.True(request.SigningRequest); Assert.Equal(requestId, request.RequestId); Assert.Equal(applicationId, request.ApplicationId); Assert.Null(request.SubjectName); Assert.Equal(group, request.CertificateGroupId); //Assert.Equal(null, fullRequest.CertificateTypeId); //Assert.Equal(application.DomainNames.ToArray(), fullRequest.DomainNames); Assert.Null(request.PrivateKeyFormat); // add to list application.RequestIds.Add(requestId); count++; } } Assert.True(count > 0); }
public async Task <X509CertificateCollection> KeyVaultSigningRequestAsync() { Skip.If(!_fixture.KeyVaultInitOk); X509CertificateCollection certCollection = new X509CertificateCollection(); string[] groups = await _keyVault.GetCertificateGroupIds(); foreach (string group in groups) { var certificateGroupConfiguration = await _keyVault.GetCertificateGroupConfiguration(group); ApplicationTestData randomApp = _fixture.RandomGenerator.RandomApplicationTestData(); X509Certificate2 csrCertificate = CertificateFactory.CreateCertificate( null, null, null, randomApp.ApplicationRecord.ApplicationUri, null, randomApp.Subject, randomApp.DomainNames.ToArray(), certificateGroupConfiguration.DefaultCertificateKeySize, DateTime.UtcNow.AddDays(-10), certificateGroupConfiguration.DefaultCertificateLifetime, certificateGroupConfiguration.DefaultCertificateHashSize ); byte[] certificateRequest = CertificateFactory.CreateSigningRequest(csrCertificate, randomApp.DomainNames); X509Certificate2 newCert = await _keyVault.SigningRequestAsync( group, randomApp.ApplicationRecord.ApplicationUri, certificateRequest); // get issuer cert used for signing X509Certificate2Collection issuerCerts = await _keyVault.GetIssuerCACertificateChainAsync(group); #if WRITECERT // save cert for debugging using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(CertificateStoreType.Directory)) { Assert.NotNull(store); store.Open("d:\\unittest"); await store.Add(newCert); foreach (var cert in issuerCerts) { await store.Add(cert); } } #endif Assert.NotNull(issuerCerts); Assert.True(issuerCerts.Count >= 1); X509TestUtils.VerifySignedApplicationCert(randomApp, newCert, issuerCerts); certCollection.Add(newCert); } return(certCollection); }
public void UpdateCertificateSelfSigned(string keyFormat) { ConnectPushClient(true); var keyFormats = _pushClient.PushClient.GetSupportedKeyFormats(); if (!keyFormats.Contains(keyFormat)) { Assert.Ignore("Push server doesn't support {0} key update", keyFormat); } X509Certificate2 newCert = CertificateFactory.CreateCertificate( null, null, null, _applicationRecord.ApplicationUri, _applicationRecord.ApplicationNames[0].Text, _selfSignedServerCert.Subject, null, CertificateFactory.defaultKeySize, DateTime.UtcNow, CertificateFactory.defaultLifeTime, CertificateFactory.defaultHashSize); byte[] privateKey = null; if (keyFormat == "PFX") { Assert.IsTrue(newCert.HasPrivateKey); privateKey = newCert.Export(X509ContentType.Pfx); } else if (keyFormat == "PEM") { Assert.IsTrue(newCert.HasPrivateKey); privateKey = CertificateFactory.ExportPrivateKeyAsPEM(newCert); } else { Assert.Fail("Testing unsupported key format {0}.", keyFormat); } var success = _pushClient.PushClient.UpdateCertificate( _pushClient.PushClient.DefaultApplicationGroup, _pushClient.PushClient.ApplicationCertificateType, newCert.RawData, keyFormat, privateKey, null); if (success) { _pushClient.PushClient.ApplyChanges(); } VerifyNewPushServerCert(newCert.RawData); }
public async Task SigningRequestAllApplications() { Skip.If(!_fixture.RegistrationOk); var count = 0; foreach (var application in _applicationTestSet) { var groups = await _groupRegistry.ListGroupIdsAsync(); foreach (var group in groups.Groups) { var applicationId = application.Model.ApplicationId; var certificateGroupConfiguration = await _groupRegistry.GetGroupAsync(group); var csrCertificate = CertificateFactory.CreateCertificate( null, null, null, application.ApplicationRecord.ApplicationUri, null, application.Subject, application.DomainNames.ToArray(), /* certificateGroupConfiguration.Policy.IssuedKeySize ?? */ 2048, DateTime.UtcNow.AddDays(-20), 1, 256); // certificateGroupConfiguration.Policy.IssuedLifetime, //certificateGroupConfiguration.Policy.IssuedSignatureAlgorithm // ); var csr = CertificateFactory.CreateSigningRequest( csrCertificate, application.DomainNames); var requestId = await _ca.StartSigningRequestAsync(new StartSigningRequestModel { EntityId = applicationId, GroupId = group, CertificateRequest = csr, }, "*****@*****.**"); Assert.NotNull(requestId); // read request var request = await _requests.GetRequestAsync(requestId); Assert.Equal(CertificateRequestState.New, request.State); Assert.True(request.SigningRequest); Assert.Equal(requestId, request.RequestId); Assert.Equal(applicationId, request.ApplicationId); Assert.Null(request.SubjectName); Assert.Equal(group, request.GroupId); //Assert.Equal(null, fullRequest.CertificateType); //Assert.Equal(application.DomainNames.ToArray(), fullRequest.DomainNames); // add to list application.RequestIds.Add(requestId); count++; } } Assert.True(count > 0); }
// Create a certificate store for the Akri Broker static void CreateClientCertificate(string storeType, string storePath, X509Certificate2 caCert, string caStorePath) { Console.WriteLine("Creating a certificate for the Akri Broker"); ushort keySize = 2048; DateTime startTime = DateTime.UtcNow - TimeSpan.FromDays(1); ushort lifetimeInMonths = 6; ushort hashSizeInBits = CertificateFactory.DefaultHashSize; bool isCA = false; string applicationUri = "urn:AkriBroker"; string applicationName = "AkriBroker"; string clientStorePath = Path.Combine(storePath, applicationName); CertificateFactory.CreateCertificate(storeType, clientStorePath, null, applicationUri, applicationName, null, null, keySize, startTime, lifetimeInMonths, hashSizeInBits, isCA, caCert); RearrangeCertificateStore(clientStorePath, caStorePath); }
// Create a CA cert static X509Certificate2 CreateCACert(string storeType, string storePath) { string applicationUri = "urn:SomeCA"; string applicationName = "SomeCA"; Console.WriteLine("Creating a CA with name " + applicationName); ushort keySize = 2048; DateTime startTime = DateTime.UtcNow - TimeSpan.FromDays(1); ushort lifetimeInMonths = 6; ushort hashSizeInBits = CertificateFactory.DefaultHashSize; bool isCA = true; X509Certificate2 certificateAuthorityCert = CertificateFactory.CreateCertificate(storeType, storePath, null, applicationUri, applicationName, null, null, keySize, startTime, lifetimeInMonths, hashSizeInBits, isCA, null); return(certificateAuthorityCert); }
// Create a certificate store for a Server static void CreateServerCertificate(string storeType, string storePath, X509Certificate2 caCert, string caStorePath, int serverNumber, string ipAddress) { ushort keySize = 2048; DateTime startTime = DateTime.UtcNow - TimeSpan.FromDays(1); ushort lifetimeInMonths = 6; ushort hashSizeInBits = CertificateFactory.DefaultHashSize; bool isCA = false; IList <String> domainNames = new[] { ipAddress }; string applicationUri = "urn:SomeServer" + serverNumber; string applicationName = "SomeServer" + serverNumber; string serverStorePath = Path.Combine(storePath, applicationName); Console.WriteLine("Creating a certificate for server {0} with IP address {1}", applicationName, ipAddress); X509Certificate2 certificateAuthorityCert = CertificateFactory.CreateCertificate(storeType, serverStorePath, null, applicationUri, applicationName, null, domainNames, keySize, startTime, lifetimeInMonths, hashSizeInBits, isCA, caCert); RearrangeCertificateStore(serverStorePath, caStorePath); }
private X509Certificate2 CreateCertificateIn(StoreName storeName, StoreLocation storeLocation) { var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadWrite); var certificate = CertificateFactory.CreateCertificate(); store.Add(certificate); RegisterDisposable(() => { store.Remove(certificate); store.Close(); }); return(certificate); }
/// <summary> /// Creates the application instance certificate. /// </summary> /// <param name="configuration">The configuration.</param> /// <param name="keySize">Size of the key.</param> /// <param name="lifetimeInMonths">The lifetime in months.</param> /// <returns>The new certificate</returns> private static X509Certificate2 CreateApplicationInstanceCertificate( ApplicationConfiguration configuration, ushort keySize, ushort lifetimeInMonths) { Utils.Trace(Utils.TraceMasks.Information, "Creating application instance certificate. KeySize={0}, Lifetime={1}", keySize, lifetimeInMonths); // Delete existing certificate DeleteApplicationInstanceCertificate(configuration); CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; // Get the domains from the configuration file. IList <string> serverDomainNames = configuration.GetServerDomainNames(); if (serverDomainNames.Count == 0) { GetLocalIpAddressAndDns().ForEach(x => serverDomainNames.Add(x)); } // ensure the certificate store directory exists. if (id.StoreType == CertificateStoreType.Directory) { Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true); } X509Certificate2 certificate = CertificateFactory.CreateCertificate( id.StoreType, id.StorePath, configuration.ApplicationUri, configuration.ApplicationName, null, serverDomainNames, keySize, lifetimeInMonths); id.Certificate = certificate; AddToTrustedStore(configuration, certificate); configuration.CertificateValidator.Update(configuration.SecurityConfiguration); Utils.Trace(Utils.TraceMasks.Information, "Certificate created. Thumbprint={0}", certificate.Thumbprint); // reload the certificate from disk. return(configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null)); }
/// <summary> /// Create issuer CA cert and default Crl offline, then import in KeyVault. /// Note: Sample only for reference, importing the private key is unsecure! /// </summary> public async Task <bool> CreateImportedIssuerCACertificateAsync() { await _semaphoreSlim.WaitAsync(); try { DateTime notBefore = TrimmedNotBeforeDate(); using (var caCert = CertificateFactory.CreateCertificate( null, null, null, null, null, Configuration.SubjectName, null, Configuration.CACertificateKeySize, notBefore, Configuration.CACertificateLifetime, Configuration.CACertificateHashSize, true, null, null)) { // save only public key Certificate = new X509Certificate2(caCert.RawData); // initialize revocation list Crl = CertificateFactory.RevokeCertificate(caCert, null, null); if (Crl == null) { return(false); } // upload ca cert with private key await _keyVaultServiceClient.ImportIssuerCACertificate(Configuration.Id, new X509Certificate2Collection(caCert), true).ConfigureAwait(false); await _keyVaultServiceClient.ImportIssuerCACrl(Configuration.Id, Certificate, Crl).ConfigureAwait(false); } return(true); } finally { _semaphoreSlim.Release(); } }
/// <summary> /// Create a certificate with a new key pair signed by the CA of the cert group. /// </summary> /// <param name="application">The application record.</param> /// <param name="subjectName">The subject of the certificate.</param> /// <param name="domainNames">The domain names for the subject alt name extension.</param> /// <param name="privateKeyFormat">The private key format as PFX or PEM.</param> /// <param name="privateKeyPassword">A password for the private key.</param> public virtual async Task <X509Certificate2KeyPair> NewKeyPairRequestAsync( ApplicationRecordDataType application, string subjectName, string[] domainNames, string privateKeyFormat, string privateKeyPassword) { if (application == null) { throw new ArgumentNullException(nameof(application)); } if (application.ApplicationUri == null) { throw new ArgumentNullException(nameof(application.ApplicationUri)); } if (application.ApplicationNames == null) { throw new ArgumentNullException(nameof(application.ApplicationNames)); } using (var signingKey = await LoadSigningKeyAsync(Certificate, string.Empty).ConfigureAwait(false)) using (var certificate = CertificateFactory.CreateCertificate( application.ApplicationUri, application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName", subjectName, domainNames) .SetIssuer(signingKey) .CreateForRSA()) { byte[] privateKey; if (privateKeyFormat == "PFX") { privateKey = certificate.Export(X509ContentType.Pfx, privateKeyPassword); } else if (privateKeyFormat == "PEM") { privateKey = PEMWriter.ExportPrivateKeyAsPEM(certificate, privateKeyPassword); } else { throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Invalid private key format"); } return(new X509Certificate2KeyPair(new X509Certificate2(certificate.RawData), privateKeyFormat, privateKey)); } }
/// <summary> /// Create CA test certificates. /// </summary> private async Task CreateCATestCerts(string tempStorePath) { Assert.IsTrue(EraseStore(tempStorePath)); string subjectName = "CN=CA Test Cert, O=OPC Foundation"; X509Certificate2 newCACert = CertificateFactory.CreateCertificate( null, null, subjectName, null) .SetCAConstraint() .CreateForRSA() .AddToStore(CertificateStoreType.Directory, tempStorePath); _caCert = newCACert; // initialize cert revocation list (CRL) X509CRL newCACrl = await CertificateGroup.RevokeCertificateAsync(tempStorePath, newCACert); _caCrl = newCACrl; }
/// <summary> /// Create client host services /// </summary> /// <param name="logger"></param> /// <param name="maxOpTimeout"></param> public ClientServices(ILogger logger, TimeSpan?maxOpTimeout = null) { _logger = logger ?? throw new ArgumentNullException(nameof(logger)); // Create discovery config and client certificate _maxOpTimeout = maxOpTimeout; _config = CreateApplicationConfiguration(TimeSpan.FromMinutes(2), TimeSpan.FromMinutes(2)); Certificate = CertificateFactory.CreateCertificate( _config.SecurityConfiguration.ApplicationCertificate.StoreType, _config.SecurityConfiguration.ApplicationCertificate.StorePath, null, _config.ApplicationUri, _config.ApplicationName, _config.SecurityConfiguration.ApplicationCertificate.SubjectName, null, CertificateFactory.defaultKeySize, DateTime.UtcNow - TimeSpan.FromDays(1), CertificateFactory.defaultLifeTime, CertificateFactory.defaultHashSize, false, null, null); _timer = new Timer(_ => OnTimer(), null, kEvictionCheck, Timeout.InfiniteTimeSpan); }
public void AddRemoveCert() { using (X509Certificate2 trustedCert = CertificateFactory.CreateCertificate(null, null, null, "uri:x:y:z", "TrustedCert", "CN=Push Server Test", null, 2048, DateTime.UtcNow, 1, 256)) using (X509Certificate2 issuerCert = CertificateFactory.CreateCertificate(null, null, null, "uri:x:y:z", "IssuerCert", "CN=Push Server Test", null, 2048, DateTime.UtcNow, 1, 256)) { ConnectPushClient(true); TrustListDataType beforeTrustList = _pushClient.PushClient.ReadTrustList(); _pushClient.PushClient.AddCertificate(trustedCert, true); _pushClient.PushClient.AddCertificate(issuerCert, false); TrustListDataType afterAddTrustList = _pushClient.PushClient.ReadTrustList(); Assert.Greater(afterAddTrustList.TrustedCertificates.Count, beforeTrustList.TrustedCertificates.Count); Assert.Greater(afterAddTrustList.IssuerCertificates.Count, beforeTrustList.IssuerCertificates.Count); Assert.IsFalse(Utils.IsEqual(beforeTrustList, afterAddTrustList)); _pushClient.PushClient.RemoveCertificate(trustedCert.Thumbprint, true); _pushClient.PushClient.RemoveCertificate(issuerCert.Thumbprint, false); TrustListDataType afterRemoveTrustList = _pushClient.PushClient.ReadTrustList(); Assert.IsTrue(Utils.IsEqual(beforeTrustList, afterRemoveTrustList)); } }
private X509Certificate2 CreateInvalidCert(InvalidCertType certType) { // reasonable defaults DateTime notBefore = DateTime.Today.AddDays(-30); DateTime notAfter = DateTime.Today.AddDays(30); ushort keySize = CertificateFactory.DefaultKeySize; string[] domainNames = new string[] { Utils.GetHostName() }; switch (certType) { case InvalidCertType.Expired: notBefore = DateTime.Today.AddMonths(-12); notAfter = DateTime.Today.AddDays(-7); break; case InvalidCertType.NotYetValid: notBefore = DateTime.Today.AddDays(7); notAfter = notBefore.AddMonths(12); break; case InvalidCertType.KeySize1024: keySize = 1024; break; case InvalidCertType.HostName: domainNames = new string[] { "myhost", "1.2.3.4" }; break; default: break; } return(CertificateFactory.CreateCertificate( ApplicationUri, ApplicationName, SubjectName, domainNames) .SetNotBefore(notBefore) .SetNotAfter(notAfter) .SetRSAKeySize(keySize) .CreateForRSA()); }
public void UpdateCertificateSelfSignedNoPrivateKey() { ConnectPushClient(true); using (X509Certificate2 invalidCert = CertificateFactory.CreateCertificate(null, null, null, "uri:x:y:z", "TestApp", "CN=Push Server Test", null, 2048, DateTime.UtcNow, 1, 256)) using (X509Certificate2 serverCert = new X509Certificate2(_pushClient.PushClient.Session.ConfiguredEndpoint.Description.ServerCertificate)) { if (!Utils.CompareDistinguishedName(serverCert.Subject, serverCert.Issuer)) { Assert.Ignore("Server has no self signed cert in use."); } byte[] invalidRawCert = { 0xba, 0xd0, 0xbe, 0xef, 3 }; // negative test all parameter combinations NodeId invalidCertGroup = new NodeId(333); NodeId invalidCertType = new NodeId(Guid.NewGuid()); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, null, null, null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(invalidCertGroup, null, serverCert.RawData, null, null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, invalidCertType, serverCert.RawData, null, null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(invalidCertGroup, invalidCertType, serverCert.RawData, null, null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, invalidRawCert, null, null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, invalidCert.RawData, null, null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, serverCert.RawData, "XYZ", null, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, serverCert.RawData, "XYZ", invalidCert.RawData, null); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, invalidCert.RawData, null, null, new byte[][] { serverCert.RawData, invalidCert.RawData }); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, null, null, null, new byte[][] { serverCert.RawData, invalidCert.RawData }); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, invalidRawCert, null, null, new byte[][] { serverCert.RawData, invalidCert.RawData }); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, serverCert.RawData, null, null, new byte[][] { serverCert.RawData, invalidRawCert }); }, Throws.Exception); Assert.That(() => { _pushClient.PushClient.UpdateCertificate(null, null, serverCert.RawData, null, null, null); }, Throws.Exception); var success = _pushClient.PushClient.UpdateCertificate( null, _pushClient.PushClient.ApplicationCertificateType, serverCert.RawData, null, null, null); if (success) { _pushClient.PushClient.ApplyChanges(); } VerifyNewPushServerCert(serverCert.RawData); } }
public void VerifySelfSignedAppCerts( KeyHashPair keyHashPair ) { var appTestGenerator = new ApplicationTestDataGenerator(keyHashPair.KeySize); ApplicationTestData app = appTestGenerator.ApplicationTestSet(1).First(); var cert = CertificateFactory.CreateCertificate(null, null, null, app.ApplicationUri, app.ApplicationName, app.Subject, app.DomainNames, keyHashPair.KeySize, DateTime.UtcNow, CertificateFactory.DefaultLifeTime, keyHashPair.HashSize); Assert.NotNull(cert); Assert.NotNull(cert.RawData); Assert.True(cert.HasPrivateKey); var plainCert = new X509Certificate2(cert.RawData); Assert.NotNull(plainCert); VerifySelfSignedApplicationCert(app, plainCert); CertificateFactory.VerifySelfSigned(cert); CertificateFactory.VerifyRSAKeyPair(cert, cert); }