public async Task AuthenticateAsyncWithModuleThumbprintX509InScopeCacheFails()
        {
            // Arrange: a *module* identity whose scoped ServiceIdentity carries thumbprints
            // matching both self-signed client certificates. Both credentials are still
            // expected to be rejected — presumably thumbprint auth is only honored for device
            // identities; confirm against DeviceScopeCertificateAuthenticator.
            string deviceId = "d1";
            string moduleId = "m1";
            string moduleIdentityId = FormattableString.Invariant($"{deviceId}/{moduleId}");

            var primaryCert = TestCertificateHelper.GenerateSelfSignedCert("primo");
            var secondaryCert = TestCertificateHelper.GenerateSelfSignedCert("secondo");
            var primaryChain = new List<X509Certificate2> { primaryCert };
            var secondaryChain = new List<X509Certificate2> { secondaryCert };
            IList<X509Certificate2> trustBundle = new List<X509Certificate2>();

            // Each credential gets its own identity mock rather than sharing one instance.
            IModuleIdentity NewModuleIdentity() => Mock.Of<IModuleIdentity>(
                i => i.DeviceId == deviceId && i.ModuleId == moduleId && i.Id == moduleIdentityId);

            IModuleIdentity primaryIdentity = NewModuleIdentity();
            var primaryCredentials = Mock.Of<ICertificateCredentials>(
                c => c.Identity == primaryIdentity
                     && c.AuthenticationType == AuthenticationType.X509Cert
                     && c.ClientCertificate == primaryCert
                     && c.ClientCertificateChain == primaryChain);

            IModuleIdentity secondaryIdentity = NewModuleIdentity();
            var secondaryCredentials = Mock.Of<ICertificateCredentials>(
                c => c.Identity == secondaryIdentity
                     && c.AuthenticationType == AuthenticationType.X509Cert
                     && c.ClientCertificate == secondaryCert
                     && c.ClientCertificateChain == secondaryChain);

            var scopedIdentity = new ServiceIdentity(
                deviceId,
                moduleId,
                "e1",
                new List<string>(),
                "1234",
                Array.Empty<string>(),
                new ServiceAuthentication(new X509ThumbprintAuthentication(primaryCert.Thumbprint, secondaryCert.Thumbprint)),
                ServiceIdentityStatus.Enabled);

            var identitiesCache = new Mock<IDeviceScopeIdentitiesCache>();
            var authenticator = new DeviceScopeCertificateAuthenticator(identitiesCache.Object, UnderlyingAuthenticator, trustBundle, true);

            // The cache answers only for this exact module identity string.
            identitiesCache
                .Setup(d => d.GetServiceIdentity(It.Is<string>(i => i == moduleIdentityId)))
                .ReturnsAsync(Option.Some(scopedIdentity));

            // Act / Assert: neither the primary nor the secondary thumbprint credential is accepted.
            Assert.False(await authenticator.AuthenticateAsync(primaryCredentials));
            Assert.False(await authenticator.AuthenticateAsync(secondaryCredentials));
        }
        public async Task AuthenticateAsyncWithModuleCAX509InScopeCacheFails()
        {
            // Arrange: a client certificate issued by a test CA; the CA sits in both the
            // presented chain and the trust bundle, and the CN equals the module id.
            var validFrom = DateTime.Now.Subtract(TimeSpan.FromDays(2));
            var validTo = DateTime.Now.AddYears(1);

            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", validFrom, validTo, true);
            var (issuedClientCert, _) = TestCertificateHelper.GenerateCertificate(
                "MyIssuedTestClient", validFrom, validTo, caCert, caKeyPair, false, null, null);
            IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2> { caCert };
            IList<X509Certificate2> trustBundle = new List<X509Certificate2> { caCert };

            string deviceId = "d1";
            string moduleId = "MyIssuedTestClient"; // same as the issued certificate's CN
            string moduleIdentityId = FormattableString.Invariant($"{deviceId}/{moduleId}");

            IModuleIdentity moduleIdentity = Mock.Of<IModuleIdentity>(
                i => i.DeviceId == deviceId && i.ModuleId == moduleId && i.Id == moduleIdentityId);
            var clientCredentials = Mock.Of<ICertificateCredentials>(
                c => c.Identity == moduleIdentity
                     && c.AuthenticationType == AuthenticationType.X509Cert
                     && c.ClientCertificate == issuedClientCert
                     && c.ClientCertificateChain == issuedClientCertChain);

            var scopedIdentity = new ServiceIdentity(
                deviceId,
                moduleId,
                "1234",
                Array.Empty<string>(),
                new ServiceAuthentication(ServiceAuthenticationType.CertificateAuthority),
                ServiceIdentityStatus.Enabled);

            var identitiesCache = new Mock<IDeviceScopeIdentitiesCache>();
            var authenticator = new DeviceScopeCertificateAuthenticator(identitiesCache.Object, UnderlyingAuthenticator, trustBundle, true);

            identitiesCache
                .Setup(d => d.GetServiceIdentity(It.Is<string>(i => i == moduleIdentityId), false))
                .ReturnsAsync(Option.Some(scopedIdentity));

            // Act / Assert: despite a trusted chain and a matching CN the module is rejected —
            // presumably CA-issued certificates are only honored for device identities; confirm
            // against DeviceScopeCertificateAuthenticator.
            Assert.False(await authenticator.AuthenticateAsync(clientCredentials));
        }
        public async Task AuthenticateAsyncWithEmptyChainDeviceCAX509InScopeCacheFails()
        {
            // Arrange: a CA-issued client certificate presented with an EMPTY chain, while the
            // issuing CA is in the trust bundle.
            var validFrom = DateTime.Now.Subtract(TimeSpan.FromDays(2));
            var validTo = DateTime.Now.AddYears(1);
            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", validFrom, validTo, true);
            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", validFrom, validTo, caCert, false, null, null);

            IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>(); // deliberately empty
            IList<X509Certificate2> trustBundle = new List<X509Certificate2> { caCert };

            // NOTE(review): the device id also differs from the certificate CN, so the
            // expected rejection has two independent causes (empty chain, CN mismatch). The
            // empty-chain path is not isolated by this test — verify separately if it matters.
            string deviceId = "different from CN";

            IDeviceIdentity deviceIdentity = Mock.Of<IDeviceIdentity>(i => i.DeviceId == deviceId && i.Id == deviceId);
            var clientCredentials = Mock.Of<ICertificateCredentials>(
                c => c.Identity == deviceIdentity
                     && c.AuthenticationType == AuthenticationType.X509Cert
                     && c.ClientCertificate == issuedClientCert
                     && c.ClientCertificateChain == issuedClientCertChain);

            var scopedIdentity = new ServiceIdentity(
                deviceId,
                "1234",
                Array.Empty<string>(),
                new ServiceAuthentication(ServiceAuthenticationType.CertificateAuthority),
                ServiceIdentityStatus.Enabled);

            var identitiesCache = new Mock<IDeviceScopeIdentitiesCache>();
            var authenticator = new DeviceScopeCertificateAuthenticator(identitiesCache.Object, UnderlyingAuthenticator, trustBundle, true);

            identitiesCache
                .Setup(d => d.GetServiceIdentity(It.Is<string>(i => i == deviceId)))
                .ReturnsAsync(Option.Some(scopedIdentity));

            // Act / Assert
            Assert.False(await authenticator.AuthenticateAsync(clientCredentials));
        }
        public async Task AuthenticateAsyncWithNonX509CredsFails()
        {
            // Arrange: plain IClientCredentials (not ICertificateCredentials) with no setup at
            // all — the certificate authenticator has nothing X.509 to evaluate.
            IList<X509Certificate2> trustBundle = new List<X509Certificate2>();
            var identitiesCache = Mock.Of<IDeviceScopeIdentitiesCache>();
            var authenticator = new DeviceScopeCertificateAuthenticator(identitiesCache, UnderlyingAuthenticator, trustBundle, true);
            IClientCredentials nonCertCredentials = Mock.Of<IClientCredentials>();

            // Act / Assert: non-certificate credentials must be refused, not passed through.
            Assert.False(await authenticator.AuthenticateAsync(nonCertCredentials));
        }
        public async Task AuthenticateAsyncWithDeviceThumbprintX509NotInScopeCacheFails()
        {
            // Arrange: device "d1" presents thumbprint credentials, but the only scoped
            // identity the cache knows about belongs to a different device.
            string deviceId = "d1";
            string otherDeviceId = "some_other_device";

            var primaryCert = TestCertificateHelper.GenerateSelfSignedCert("primo");
            var secondaryCert = TestCertificateHelper.GenerateSelfSignedCert("secondo");
            var primaryChain = new List<X509Certificate2> { primaryCert };
            var secondaryChain = new List<X509Certificate2> { secondaryCert };
            IList<X509Certificate2> trustBundle = new List<X509Certificate2>();

            // Each credential gets its own identity mock rather than sharing one instance.
            IDeviceIdentity NewDeviceIdentity() => Mock.Of<IDeviceIdentity>(i => i.DeviceId == deviceId && i.Id == deviceId);

            IDeviceIdentity primaryIdentity = NewDeviceIdentity();
            var primaryCredentials = Mock.Of<ICertificateCredentials>(
                c => c.Identity == primaryIdentity
                     && c.AuthenticationType == AuthenticationType.X509Cert
                     && c.ClientCertificate == primaryCert
                     && c.ClientCertificateChain == primaryChain);

            IDeviceIdentity secondaryIdentity = NewDeviceIdentity();
            var secondaryCredentials = Mock.Of<ICertificateCredentials>(
                c => c.Identity == secondaryIdentity
                     && c.AuthenticationType == AuthenticationType.X509Cert
                     && c.ClientCertificate == secondaryCert
                     && c.ClientCertificateChain == secondaryChain);

            // The thumbprints match, but they are registered under another device id.
            var otherDeviceIdentity = new ServiceIdentity(
                otherDeviceId,
                "1234",
                Array.Empty<string>(),
                new ServiceAuthentication(new X509ThumbprintAuthentication(primaryCert.Thumbprint, secondaryCert.Thumbprint)),
                ServiceIdentityStatus.Enabled);

            var identitiesCache = new Mock<IDeviceScopeIdentitiesCache>();
            var authenticator = new DeviceScopeCertificateAuthenticator(identitiesCache.Object, UnderlyingAuthenticator, trustBundle, true);

            // Only the other device is set up; the lookup for "d1" falls through to the loose
            // mock's default return — presumably an empty Option; confirm if Moq defaults change.
            identitiesCache
                .Setup(d => d.GetServiceIdentity(It.Is<string>(i => i == otherDeviceId), false))
                .ReturnsAsync(Option.Some(otherDeviceIdentity));

            // Act / Assert: a device absent from the scope cache is rejected regardless of thumbprint.
            Assert.False(await authenticator.AuthenticateAsync(primaryCredentials));
            Assert.False(await authenticator.AuthenticateAsync(secondaryCredentials));
        }