public void ConstructorAsnEncodedData_BadAsnTag()
{
AsnEncodedData aed = new AsnEncodedData("1.2.3", new byte[] { 0x05, 0x00 });
X509KeyUsageExtension ku = new X509KeyUsageExtension(aed, true);
Assert.AreEqual("0500", ku.Format(true), "Format(true)");
Assert.AreEqual("0500", ku.Format(false), "Format(false)");
X509KeyUsageFlags kuf = ku.KeyUsages;
}
public void ConstructorAsnEncodedData_BadAsn()
{
AsnEncodedData aed = new AsnEncodedData("1.2.3", new byte[0]);
X509KeyUsageExtension ku = new X509KeyUsageExtension(aed, true);
Assert.AreEqual(String.Empty, ku.Format(true), "Format(true)");
Assert.AreEqual(String.Empty, ku.Format(false), "Format(false)");
X509KeyUsageFlags kuf = ku.KeyUsages;
}
public void ConstructorEmpty()
{
X509KeyUsageExtension ku = new X509KeyUsageExtension();
Assert.IsFalse(ku.Critical, "Critical");
Assert.IsNull(ku.RawData, "RawData");
Assert.AreEqual(oid, ku.Oid.Value, "Oid.Value");
// FIXME: Don't expect that FriendlyName is English. This test fails under non-English Windows.
//Assert.AreEqual (fname, ku.Oid.FriendlyName, "Oid.FriendlyName");
Assert.AreEqual(String.Empty, ku.Format(true), "Format(true)");
Assert.AreEqual(String.Empty, ku.Format(false), "Format(false)");
Assert.AreEqual(0, (int)ku.KeyUsages, "KeyUsages");
}
public void ConstructorKeyUsage_CRLSign()
{
X509KeyUsageExtension ku = ValidateKeyUsage(X509KeyUsageFlags.CrlSign, "03-02-01-02");
Assert.AreEqual("Off-line CRL Signing, CRL Signing (02)", ku.Format(false), "CRLSign");
ku = ValidateKeyUsage(X509KeyUsageFlags.DataEncipherment, "03-02-04-10");
Assert.AreEqual("Data Encipherment (10)", ku.Format(false), "DataEncipherment");
ku = ValidateKeyUsage(X509KeyUsageFlags.DecipherOnly, "03-03-07-00-80");
Assert.AreEqual("Decipher Only (00 80)", ku.Format(false), "DecipherOnly");
ku = ValidateKeyUsage(X509KeyUsageFlags.DigitalSignature, "03-02-07-80");
Assert.AreEqual("Digital Signature (80)", ku.Format(false), "DigitalSignature");
ku = ValidateKeyUsage(X509KeyUsageFlags.EncipherOnly, "03-02-00-01");
Assert.AreEqual("Encipher Only (01)", ku.Format(false), "EncipherOnly");
ku = ValidateKeyUsage(X509KeyUsageFlags.KeyAgreement, "03-02-03-08");
Assert.AreEqual("Key Agreement (08)", ku.Format(false), "KeyAgreement");
ku = ValidateKeyUsage(X509KeyUsageFlags.KeyCertSign, "03-02-02-04");
Assert.AreEqual("Certificate Signing (04)", ku.Format(false), "KeyCertSign");
ku = ValidateKeyUsage(X509KeyUsageFlags.KeyEncipherment, "03-02-05-20");
Assert.AreEqual("Key Encipherment (20)", ku.Format(false), "KeyEncipherment");
ku = ValidateKeyUsage(X509KeyUsageFlags.NonRepudiation, "03-02-06-40");
Assert.AreEqual("Non-Repudiation (40)", ku.Format(false), "NonRepudiation");
ValidateKeyUsage(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.DecipherOnly, "03-03-07-10-80");
ValidateKeyUsage(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.DecipherOnly, "03-03-07-80-80");
ValidateKeyUsage(X509KeyUsageFlags.EncipherOnly | X509KeyUsageFlags.DecipherOnly, "03-03-07-01-80");
ValidateKeyUsage(X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DataEncipherment, "03-02-04-50");
ku = ValidateKeyUsage(X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.DecipherOnly |
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.EncipherOnly | X509KeyUsageFlags.KeyAgreement |
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.NonRepudiation, "03-03-07-FF-80");
Assert.AreEqual("Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Signing, Off-line CRL Signing, CRL Signing, Encipher Only, Decipher Only (ff 80)" + Environment.NewLine,
ku.Format(true), "All");
}
private static void TestKeyUsageExtension(X509KeyUsageFlags flags, bool critical, byte[] expectedDer)
{
X509KeyUsageExtension ext = new X509KeyUsageExtension(flags, critical);
byte[] rawData = ext.RawData;
Assert.Equal(expectedDer, rawData);
// Assert that format doesn't crash
string s = ext.Format(false);
// Rebuild it from the RawData.
ext = new X509KeyUsageExtension(new AsnEncodedData(rawData), critical);
Assert.Equal(flags, ext.KeyUsages);
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp, byte[] rawSignedCert, byte[][] rawIssuerCerts)
{
X509Certificate2 signedCert = new X509Certificate2(rawSignedCert);
X509Certificate2 issuerCert = new X509Certificate2(rawIssuerCerts[0]);
TestContext.Out.WriteLine($"Signed cert: {signedCert}");
TestContext.Out.WriteLine($"Issuer cert: {issuerCert}");
Assert.NotNull(signedCert);
Assert.False(signedCert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(X509Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
TestContext.Out.WriteLine($"Signed Subject: {signedCert.Subject}");
TestContext.Out.WriteLine($"Issuer Subject: {issuerCert.Subject}");
// test basic constraints
X509BasicConstraintsExtension constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(signedCert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine($"Constraints: {constraints.Format(true)}");
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
X509KeyUsageExtension keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(signedCert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine($"KeyUsage: {keyUsage.Format(true)}");
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(signedCert);
Assert.NotNull(enhancedKeyUsage);
TestContext.Out.WriteLine($"Enhanced Key Usage: {enhancedKeyUsage.Format(true)}");
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(signedCert);
Assert.NotNull(authority);
TestContext.Out.WriteLine($"Authority Key Identifier: {authority.Format(true)}");
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(issuerCert);
TestContext.Out.WriteLine($"Issuer Subject Key Identifier: {subjectKeyId}");
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(signedCert);
Assert.NotNull(subjectAlternateName);
TestContext.Out.WriteLine($"Issuer Subject Alternate Name: {subjectAlternateName}");
Assert.False(subjectAlternateName.Critical);
var domainNames = X509Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = X509Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
}
public static void VerifyApplicationCert(ApplicationTestData testApp, X509Certificate2 cert, X509Certificate2 issuerCert = null)
{
bool signedCert = issuerCert != null;
if (issuerCert == null)
{
issuerCert = cert;
}
TestContext.Out.WriteLine($"{nameof(VerifyApplicationCert)}:");
Assert.NotNull(cert);
TestContext.Out.WriteLine(cert);
Assert.False(cert.HasPrivateKey);
Assert.True(X509Utils.CompareDistinguishedName(testApp.Subject, cert.Subject));
Assert.True(X509Utils.CompareDistinguishedName(issuerCert.Subject, cert.Issuer));
// test basic constraints
X509BasicConstraintsExtension constraints = X509Extensions.FindExtension <X509BasicConstraintsExtension>(cert);
Assert.NotNull(constraints);
TestContext.Out.WriteLine(constraints.Format(true));
Assert.True(constraints.Critical);
if (signedCert)
{
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
}
else
{
Assert.True(constraints.CertificateAuthority);
Assert.True(constraints.HasPathLengthConstraint);
Assert.AreEqual(0, constraints.PathLengthConstraint);
}
// key usage
X509KeyUsageExtension keyUsage = X509Extensions.FindExtension <X509KeyUsageExtension>(cert);
Assert.NotNull(keyUsage);
TestContext.Out.WriteLine(keyUsage.Format(true));
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == (signedCert ? 0 : X509KeyUsageFlags.KeyCertSign));
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
X509EnhancedKeyUsageExtension enhancedKeyUsage = X509Extensions.FindExtension <X509EnhancedKeyUsageExtension>(cert);
Assert.NotNull(enhancedKeyUsage);
TestContext.Out.WriteLine(enhancedKeyUsage.Format(true));
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(cert);
Assert.NotNull(authority);
TestContext.Out.WriteLine(authority.Format(true));
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyIdentifier);
Assert.NotNull(authority.Issuer);
if (issuerCert == null)
{
Assert.AreEqual(cert.SubjectName.RawData, authority.Issuer.RawData);
Assert.True(X509Utils.CompareDistinguishedName(cert.SubjectName.Name, authority.Issuer.Name), $"{cert.SubjectName.Name} != {authority.Issuer.Name}");
}
else
{
Assert.AreEqual(issuerCert.SubjectName.RawData, authority.Issuer.RawData);
Assert.True(X509Utils.CompareDistinguishedName(issuerCert.SubjectName.Name, authority.Issuer.Name), $"{cert.SubjectName.Name} != {authority.Issuer.Name}");
}
// verify authority key in signed cert
X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(cert);
TestContext.Out.WriteLine(subjectKeyId.Format(true));
if (signedCert)
{
var caCertSubjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(issuerCert);
Assert.NotNull(caCertSubjectKeyId);
Assert.AreEqual(caCertSubjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
}
else
{
Assert.AreEqual(subjectKeyId.SubjectKeyIdentifier, authority.KeyIdentifier);
}
Assert.AreEqual(issuerCert.GetSerialNumber(), authority.GetSerialNumber());
Assert.AreEqual(issuerCert.SerialNumber, authority.SerialNumber);
X509SubjectAltNameExtension subjectAlternateName = X509Extensions.FindExtension <X509SubjectAltNameExtension>(cert);
Assert.NotNull(subjectAlternateName);
TestContext.Out.WriteLine(subjectAlternateName.Format(true));
Assert.False(subjectAlternateName.Critical);
var domainNames = X509Utils.GetDomainsFromCertficate(cert);
foreach (var domainName in testApp.DomainNames)
{
Assert.True(domainNames.Contains(domainName, StringComparer.OrdinalIgnoreCase));
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = X509Utils.GetApplicationUriFromCertificate(cert);
TestContext.Out.WriteLine("ApplicationUri: ");
TestContext.Out.WriteLine(applicationUri);
Assert.AreEqual(testApp.ApplicationUri, applicationUri);
}
private static void TestKeyUsageExtension(X509KeyUsageFlags flags, bool critical, byte[] expectedDer)
{
X509KeyUsageExtension ext = new X509KeyUsageExtension(flags, critical);
byte[] rawData = ext.RawData;
Assert.Equal(expectedDer, rawData);
// Assert that format doesn't crash
string s = ext.Format(false);
// Rebuild it from the RawData.
ext = new X509KeyUsageExtension(new AsnEncodedData(rawData), critical);
Assert.Equal(flags, ext.KeyUsages);
}