/// <summary>
/// Returns the token from the cert in the given cert store.
/// </summary>
public async static Task <string> ReadAsync(string name, string storeType, string storePath)
{
string token = null;
// handle each store type differently
switch (storeType)
{
case CertificateStoreType.Directory:
{
// search a non expired cert with the given subject in the directory cert store and return the token
using (DirectoryCertificateStore store = new DirectoryCertificateStore())
{
store.Open(storePath);
X509CertificateCollection certificates = await store.Enumerate();
foreach (X509Certificate2 cert in certificates)
{
if ((token = CheckForToken(cert, name)) != null)
{
return(token);
}
}
}
break;
}
case CertificateStoreType.X509Store:
{
// search a non expired cert with the given subject in the X509 cert store and return the token
using (X509Store store = new X509Store(storePath, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 cert in store.Certificates)
{
if ((token = CheckForToken(cert, name)) != null)
{
return(token);
}
}
}
break;
}
default:
{
throw new Exception($"The requested store type '{storeType}' is not supported. Please change.");
}
}
return(null);
}
/// <summary>
/// Ctor of the store, creates the random path name in a OS temp folder.
/// </summary>
private TemporaryCertValidator(bool rejectedStore)
{
// pki directory root for test runs.
m_pkiRoot = Path.GetTempPath() + Path.GetRandomFileName() + Path.DirectorySeparatorChar;
m_issuerStore = new DirectoryCertificateStore();
m_issuerStore.Open(m_pkiRoot + "issuer");
m_trustedStore = new DirectoryCertificateStore();
m_trustedStore.Open(m_pkiRoot + "trusted");
if (rejectedStore)
{
m_rejectedStore = new DirectoryCertificateStore();
m_rejectedStore.Open(m_pkiRoot + "rejected");
}
}
/// <summary>
/// Creates a cert with the connectionstring (token) and stores it in the given cert store.
/// </summary>
public async static Task WriteAsync(string name, string connectionString, string storeType, string storePath)
{
if (string.IsNullOrEmpty(connectionString))
{
throw new ArgumentException("Token not found in X509Store and no new token provided!");
}
SecureRandom random = new SecureRandom();
KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048);
RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
AsymmetricCipherKeyPair keys = keyPairGenerator.GenerateKeyPair();
ArrayList nameOids = new ArrayList();
nameOids.Add(X509Name.CN);
ArrayList nameValues = new ArrayList();
nameValues.Add(name);
X509Name subjectDN = new X509Name(nameOids, nameValues);
X509Name issuerDN = subjectDN;
X509V3CertificateGenerator cg = new X509V3CertificateGenerator();
cg.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random));
cg.SetIssuerDN(issuerDN);
cg.SetSubjectDN(subjectDN);
cg.SetNotBefore(DateTime.Now);
cg.SetNotAfter(DateTime.Now.AddMonths(12));
cg.SetPublicKey(keys.Public);
cg.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DataEncipherment));
// encrypt the token with the public key so only the owner of the assoc. private key can decrypt it and
// "hide" it in the instruction code cert extension
RSA rsa = RSA.Create();
RSAParameters rsaParams = new RSAParameters();
RsaKeyParameters keyParams = (RsaKeyParameters)keys.Public;
rsaParams.Modulus = new byte[keyParams.Modulus.ToByteArrayUnsigned().Length];
keyParams.Modulus.ToByteArrayUnsigned().CopyTo(rsaParams.Modulus, 0);
rsaParams.Exponent = new byte[keyParams.Exponent.ToByteArrayUnsigned().Length];
keyParams.Exponent.ToByteArrayUnsigned().CopyTo(rsaParams.Exponent, 0);
rsa.ImportParameters(rsaParams);
if (rsa != null)
{
byte[] bytes = rsa.Encrypt(Encoding.ASCII.GetBytes(connectionString), RSAEncryptionPadding.OaepSHA1);
if (bytes != null)
{
cg.AddExtension(X509Extensions.InstructionCode, false, bytes);
}
else
{
RsaUtils.RSADispose(rsa);
throw new CryptographicException("Can not encrypt IoTHub security token using generated public key!");
}
}
RsaUtils.RSADispose(rsa);
// sign the cert with the private key
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", keys.Private, random);
Org.BouncyCastle.X509.X509Certificate x509 = cg.Generate(signatureFactory);
// create a PKCS12 store for the cert and its private key
X509Certificate2 certificate = null;
using (MemoryStream pfxData = new MemoryStream())
{
Pkcs12StoreBuilder builder = new Pkcs12StoreBuilder();
builder.SetUseDerEncoding(true);
Pkcs12Store pkcsStore = builder.Build();
X509CertificateEntry[] chain = new X509CertificateEntry[1];
string passcode = Guid.NewGuid().ToString();
chain[0] = new X509CertificateEntry(x509);
pkcsStore.SetKeyEntry(name, new AsymmetricKeyEntry(keys.Private), chain);
pkcsStore.Save(pfxData, passcode.ToCharArray(), random);
// create X509Certificate2 object from PKCS12 file
certificate = CertificateFactory.CreateCertificateFromPKCS12(pfxData.ToArray(), passcode);
// handle each store type differently
switch (storeType)
{
case CertificateStoreType.Directory:
{
// Add to DirectoryStore
using (DirectoryCertificateStore store = new DirectoryCertificateStore())
{
store.Open(storePath);
X509CertificateCollection certificates = await store.Enumerate();
// remove any existing cert with our name from the store
foreach (X509Certificate2 cert in certificates)
{
if (cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase))
{
await store.Delete(cert.Thumbprint);
}
}
// add new one
await store.Add(certificate);
}
break;
}
case CertificateStoreType.X509Store:
{
// Add to X509Store
using (X509Store store = new X509Store(storePath, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadWrite);
// remove any existing cert with our name from the store
foreach (X509Certificate2 cert in store.Certificates)
{
if (cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase))
{
store.Remove(cert);
}
}
// add new cert to store
try
{
store.Add(certificate);
}
catch (Exception e)
{
throw new Exception($"Not able to add cert to the requested store type '{storeType}' (exception message: '{e.Message}'.");
}
}
break;
}
default:
{
throw new Exception($"The requested store type '{storeType}' is not supported. Please change.");
}
}
return;
}
}
protected void OneTimeSetUp()
{
// set max RSA key size and max SHA-2 hash size
ushort keySize = 4096;
ushort hashSize = 512;
// pki directory root for test runs.
m_pkiRoot = "%LocalApplicationData%/OPC/CertValidatorTest/" + ((DateTime.UtcNow.Ticks / 10000) % 3600000).ToString() + "/";
m_issuerStore = new DirectoryCertificateStore();
m_issuerStore.Open(m_pkiRoot + "issuer");
m_trustedStore = new DirectoryCertificateStore();
m_trustedStore.Open(m_pkiRoot + "trusted");
// good applications test set
var appTestDataGenerator = new ApplicationTestDataGenerator(1);
m_goodApplicationTestSet = appTestDataGenerator.ApplicationTestSet(kGoodApplicationsTestCount);
// create all certs and CRL
m_caChain = new X509Certificate2[kCaChainCount];
m_caDupeChain = new X509Certificate2[kCaChainCount];
m_caAllSameIssuerChain = new X509Certificate2[kCaChainCount];
m_crlChain = new X509CRL[kCaChainCount];
m_crlDupeChain = new X509CRL[kCaChainCount];
m_crlRevokedChain = new X509CRL[kCaChainCount];
m_appCerts = new X509Certificate2Collection();
m_appSelfSignedCerts = new X509Certificate2Collection();
DateTime rootCABaseTime = DateTime.UtcNow;
rootCABaseTime = new DateTime(rootCABaseTime.Year - 1, 1, 1);
var rootCert = CertificateFactory.CreateCertificate(
null, null, null,
null, null, "CN=Root CA Test Cert",
null, keySize, rootCABaseTime, 25 * 12, hashSize, true,
pathLengthConstraint: -1);
m_caChain[0] = rootCert;
m_crlChain[0] = CertificateFactory.RevokeCertificate(rootCert, null, null);
m_caDupeChain[0] = CertificateFactory.CreateCertificate(
null, null, null,
null, null, "CN=Root CA Test Cert",
null, keySize, rootCABaseTime, 25 * 12, hashSize, true,
pathLengthConstraint: -1);
m_crlDupeChain[0] = CertificateFactory.RevokeCertificate(m_caDupeChain[0], null, null);
m_crlRevokedChain[0] = null;
var signingCert = rootCert;
DateTime subCABaseTime = DateTime.UtcNow;
subCABaseTime = new DateTime(subCABaseTime.Year, subCABaseTime.Month, subCABaseTime.Day);
for (int i = 1; i < kCaChainCount; i++)
{
if (keySize > 2048)
{
keySize -= 1024;
}
if (hashSize > 256)
{
hashSize -= 128;
}
var subject = $"CN=Sub CA {i} Test Cert";
var subCACert = CertificateFactory.CreateCertificate(
null, null, null,
null, null, subject,
null, keySize, subCABaseTime, 5 * 12, hashSize, true,
signingCert, pathLengthConstraint: kCaChainCount - 1 - i);
m_caChain[i] = subCACert;
m_crlChain[i] = CertificateFactory.RevokeCertificate(subCACert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
var subCADupeCert = CertificateFactory.CreateCertificate(
null, null, null,
null, null, subject,
null, keySize, subCABaseTime, 5 * 12, hashSize, true,
signingCert, pathLengthConstraint: kCaChainCount - 1 - i);
m_caDupeChain[i] = subCADupeCert;
m_crlDupeChain[i] = CertificateFactory.RevokeCertificate(subCADupeCert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
m_crlRevokedChain[i] = null;
signingCert = subCACert;
}
// create a CRL with a revoked Sub CA
for (int i = 0; i < kCaChainCount - 1; i++)
{
m_crlRevokedChain[i] = CertificateFactory.RevokeCertificate(
m_caChain[i],
new List <X509CRL>()
{
m_crlChain[i]
},
new X509Certificate2Collection {
m_caChain[i + 1]
});
}
// create self signed app certs
DateTime appBaseTime = DateTime.UtcNow - TimeSpan.FromDays(1);
foreach (var app in m_goodApplicationTestSet)
{
var subject = app.Subject;
var appCert = CertificateFactory.CreateCertificate(
null, null, null,
app.ApplicationUri,
app.ApplicationName,
subject,
app.DomainNames,
CertificateFactory.DefaultKeySize, appBaseTime, 2 * 12,
CertificateFactory.DefaultHashSize);
m_appSelfSignedCerts.Add(appCert);
}
// create signed app certs
foreach (var app in m_goodApplicationTestSet)
{
var subject = app.Subject;
var appCert = CertificateFactory.CreateCertificate(
null, null, null,
app.ApplicationUri,
app.ApplicationName,
subject,
app.DomainNames,
CertificateFactory.DefaultKeySize, appBaseTime, 2 * 12,
CertificateFactory.DefaultHashSize, false, signingCert);
app.Certificate = appCert.RawData;
m_appCerts.Add(appCert);
}
// create a CRL with all apps revoked
m_crlRevokedChain[kCaChainCount - 1] = CertificateFactory.RevokeCertificate(
m_caChain[kCaChainCount - 1],
new List <X509CRL>()
{
m_crlChain[kCaChainCount - 1]
},
m_appCerts);
}
protected void OneTimeSetUp()
{
// set max RSA key size and max SHA-2 hash size
ushort keySize = 4096;
ushort hashSize = 512;
// pki directory root for test runs.
m_pkiRoot = "%LocalApplicationData%/OPC/CertValidatorTest/" + ((DateTime.UtcNow.Ticks / 10000) % 3600000).ToString() + "/";
m_issuerStore = new DirectoryCertificateStore();
m_issuerStore.Open(m_pkiRoot + "issuer");
m_trustedStore = new DirectoryCertificateStore();
m_trustedStore.Open(m_pkiRoot + "trusted");
// good applications test set
var appTestDataGenerator = new ApplicationTestDataGenerator(1);
m_goodApplicationTestSet = appTestDataGenerator.ApplicationTestSet(kGoodApplicationsTestCount);
// create all certs and CRL
m_caChain = new X509Certificate2[kCaChainCount];
m_caDupeChain = new X509Certificate2[kCaChainCount];
m_crlChain = new X509CRL[kCaChainCount];
m_crlDupeChain = new X509CRL[kCaChainCount];
m_crlRevokedChain = new X509CRL[kCaChainCount];
m_appCerts = new X509Certificate2Collection();
m_appSelfSignedCerts = new X509Certificate2Collection();
DateTime rootCABaseTime = DateTime.UtcNow;
rootCABaseTime = new DateTime(rootCABaseTime.Year - 1, 1, 1);
var rootCert = CertificateFactory.CreateCertificate(RootCASubject)
.SetNotBefore(rootCABaseTime)
.SetLifeTime(25 * 12)
.SetCAConstraint()
.SetHashAlgorithm(CertificateFactory.GetRSAHashAlgorithmName(hashSize))
.SetRSAKeySize(keySize)
.CreateForRSA();
m_caChain[0] = rootCert;
m_crlChain[0] = CertificateFactory.RevokeCertificate(rootCert, null, null);
// to save time, the dupe chain uses just the default key size/hash
m_caDupeChain[0] = CertificateFactory.CreateCertificate(RootCASubject)
.SetNotBefore(rootCABaseTime)
.SetLifeTime(25 * 12)
.SetCAConstraint()
.CreateForRSA();
m_crlDupeChain[0] = CertificateFactory.RevokeCertificate(m_caDupeChain[0], null, null);
m_crlRevokedChain[0] = null;
var signingCert = rootCert;
DateTime subCABaseTime = DateTime.UtcNow;
subCABaseTime = new DateTime(subCABaseTime.Year, subCABaseTime.Month, subCABaseTime.Day, 0, 0, 0, DateTimeKind.Utc);
for (int i = 1; i < kCaChainCount; i++)
{
if (keySize > 2048)
{
keySize -= 1024;
}
if (hashSize > 256)
{
hashSize -= 128;
}
var subject = $"CN=Sub CA {i} Test Cert";
var subCACert = CertificateFactory.CreateCertificate(subject)
.SetNotBefore(subCABaseTime)
.SetLifeTime(5 * 12)
.SetHashAlgorithm(CertificateFactory.GetRSAHashAlgorithmName(hashSize))
.SetCAConstraint(kCaChainCount - 1 - i)
.SetIssuer(signingCert)
.SetRSAKeySize(keySize)
.CreateForRSA();
m_caChain[i] = subCACert;
m_crlChain[i] = CertificateFactory.RevokeCertificate(subCACert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
var subCADupeCert = CertificateFactory.CreateCertificate(subject)
.SetNotBefore(subCABaseTime)
.SetLifeTime(5 * 12)
.SetCAConstraint(kCaChainCount - 1 - i)
.SetIssuer(signingCert)
.CreateForRSA();
m_caDupeChain[i] = subCADupeCert;
m_crlDupeChain[i] = CertificateFactory.RevokeCertificate(subCADupeCert, null, null, subCABaseTime, subCABaseTime + TimeSpan.FromDays(10));
m_crlRevokedChain[i] = null;
signingCert = subCACert;
}
// create a CRL with a revoked Sub CA
for (int i = 0; i < kCaChainCount - 1; i++)
{
m_crlRevokedChain[i] = CertificateFactory.RevokeCertificate(
m_caChain[i],
new List <X509CRL>()
{
m_crlChain[i]
},
new X509Certificate2Collection {
m_caChain[i + 1]
});
}
// create self signed app certs
foreach (var app in m_goodApplicationTestSet)
{
var subject = app.Subject;
var appCert = CertificateFactory.CreateCertificate(
app.ApplicationUri,
app.ApplicationName,
subject,
app.DomainNames)
.CreateForRSA();
m_appSelfSignedCerts.Add(appCert);
}
// create signed app certs
foreach (var app in m_goodApplicationTestSet)
{
var subject = app.Subject;
var appCert = CertificateFactory.CreateCertificate(
app.ApplicationUri,
app.ApplicationName,
subject,
app.DomainNames)
.SetIssuer(signingCert)
.CreateForRSA();
app.Certificate = appCert.RawData;
m_appCerts.Add(appCert);
}
// create a CRL with all apps revoked
m_crlRevokedChain[kCaChainCount - 1] = CertificateFactory.RevokeCertificate(
m_caChain[kCaChainCount - 1],
new List <X509CRL>()
{
m_crlChain[kCaChainCount - 1]
},
m_appCerts);
}