public async Task Account() { var acmeDir = await IntegrationHelper.GetAcmeUriV2(); var accountKey = Helper.GetKeyV2(KeyAlgorithm.RS256); var httpClient = IntegrationHelper.GetAcmeHttpClient(acmeDir); var acme = new AcmeContext(acmeDir, accountKey, httpClient); var account = await acme.Account(); var order = await acme.NewOrder(new[] { "www.certes-ci.dymetis.com" }); var authz = (await order.Authorizations()).First(); var httpChallenge = await authz.Http(); var token = httpChallenge.Token; var keyAuthz = httpChallenge.KeyAuthz; var orderUri = order.Location; await httpChallenge.Validate(); var res = await authz.Resource(); while (res.Status != AuthorizationStatus.Valid && res.Status != AuthorizationStatus.Invalid) { res = await authz.Resource(); } acme = new AcmeContext(acmeDir, accountKey, httpClient); order = acme.Order(orderUri); var privateKey = KeyFactory.NewKey(KeyAlgorithm.ES256); var cert = await order.Generate(new CsrInfo { CountryName = "CA", State = "Ontario", Locality = "Toronto", Organization = "Certes", OrganizationUnit = "Dev", CommonName = "www.certes-ci.dymetis.com", }, privateKey, null); var pfxBuilder = cert.ToPfx(privateKey); pfxBuilder.AddTestCerts(); var pfx = pfxBuilder.Build("my-cert", "abcd1234"); }
public async Task CanGenerateCertificateWhenOrderPending() { var pem = File.ReadAllText("./Data/cert-es256.pem"); var orderCtxMock = new Mock <IOrderContext>(); orderCtxMock.Setup(m => m.Download()).ReturnsAsync(new CertificateChain(pem)); orderCtxMock.Setup(m => m.Resource()).ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Pending, }); orderCtxMock.Setup(m => m.Finalize(It.IsAny <byte[]>())) .ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Valid, }); var key = KeyFactory.NewKey(KeyAlgorithm.RS256); var certInfo = await orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", CommonName = "www.certes.com", }, key); Assert.Equal( pem.Where(c => !char.IsWhiteSpace(c)), certInfo.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c))); var certInfoNoCn = await orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", }, key); Assert.Equal( pem.Where(c => !char.IsWhiteSpace(c)), certInfoNoCn.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c))); }
public async Task CanChangeAccountKey() { var dirUri = await GetAcmeUriV2(); var ctx = new AcmeContext(dirUri, http: GetAcmeHttpClient(dirUri)); var account = await ctx.NewAccount( new[] { $"mailto:certes-{DateTime.UtcNow.Ticks}@example.com" }, true); var location = await ctx.Account().Location(); var newKey = KeyFactory.NewKey(KeyAlgorithm.ES256); await ctx.ChangeKey(newKey); var ctxWithNewKey = new AcmeContext(dirUri, newKey, http: GetAcmeHttpClient(dirUri)); var locationWithNewKey = await ctxWithNewKey.Account().Location(); Assert.Equal(location, locationWithNewKey); }
/// <summary> /// Changes the account key. /// </summary> /// <param name="key">The new account key.</param> /// <returns>The account resource.</returns> public async Task <Account> ChangeKey(IKey key) { var endpoint = await this.GetResourceUri(d => d.KeyChange); var location = await Account().Location(); var newKey = key ?? KeyFactory.NewKey(defaultKeyType); var keyChange = new { account = location, oldKey = AccountKey.JsonWebKey, }; var jws = new JwsSigner(newKey); var body = jws.Sign(keyChange, url: endpoint); var resp = await HttpClient.Post <Account>(this, endpoint, body, true); AccountKey = newKey; return(resp.Resource); }
public async Task ThrowWhenOrderNotReady() { var orderCtxMock = new Mock <IOrderContext>(); orderCtxMock.Setup(m => m.Resource()).ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Valid, }); var key = KeyFactory.NewKey(KeyAlgorithm.RS256); await Assert.ThrowsAsync <AcmeException>(() => orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", CommonName = "www.certes.com", }, key)); }
public async Task CanGenerateWildcard() { var dirUri = await GetAcmeUriV2(); var hosts = new[] { $"wildcard-{DomainSuffix}.es256.certes-ci.dymetis.com" }; var ctx = new AcmeContext(dirUri, GetKeyV2(), http: GetAcmeHttpClient(dirUri)); var orderCtx = await AuthzDns(ctx, hosts); var certKey = KeyFactory.NewKey(KeyAlgorithm.RS256); var finalizedOrder = await orderCtx.Finalize(new CsrInfo { CountryName = "CA", State = "Ontario", Locality = "Toronto", Organization = "Certes", OrganizationUnit = "Dev", CommonName = hosts[0], }, certKey); var pem = await orderCtx.Download(); }
public async Task CanGenerateCertificateHttp() { var dirUri = await GetAcmeUriV2(); var hosts = new[] { $"www-http-{DomainSuffix}.es256.certes-ci.dymetis.com", $"mail-http-{DomainSuffix}.es256.certes-ci.dymetis.com" }; var ctx = new AcmeContext(dirUri, GetKeyV2(), http: GetAcmeHttpClient(dirUri)); var orderCtx = await AuthorizeHttp(ctx, hosts); var certKey = KeyFactory.NewKey(KeyAlgorithm.RS256); var finalizedOrder = await orderCtx.Finalize(new CsrInfo { CountryName = "CA", State = "Ontario", Locality = "Toronto", Organization = "Certes", OrganizationUnit = "Dev", CommonName = hosts[0], }, certKey); var certChain = await orderCtx.Download(null); var pfxBuilder = certChain.ToPfx(certKey); pfxBuilder.AddIssuers(IntegrationHelper.TestCertificates); var pfx = pfxBuilder.Build("my-pfx", "abcd1234"); // revoke certificate var certParser = new X509CertificateParser(); var certificate = certParser.ReadCertificate(certChain.Certificate.ToDer()); var der = certificate.GetEncoded(); await ctx.RevokeCertificate(der, RevocationReason.Unspecified, null); // deactivate authz so the subsequence can trigger challenge validation await ClearAuthorizations(orderCtx); }
public async Task CanGenerateCertificateTlsAlpn() { var dirUri = await GetAcmeUriV2(); var hosts = new[] { $"{DomainSuffix}.tls-alpn.certes-ci.dymetis.com" }; var ctx = new AcmeContext(dirUri, GetKeyV2(), http: GetAcmeHttpClient(dirUri)); var orderCtx = await ctx.NewOrder(hosts); var order = await orderCtx.Resource(); Assert.NotNull(order); Assert.Equal(hosts.Length, order.Authorizations?.Count); Assert.True( OrderStatus.Ready == order.Status || OrderStatus.Pending == order.Status || OrderStatus.Processing == order.Status, $"Invalid order status: {order.Status}"); var authrizations = await orderCtx.Authorizations(); foreach (var authzCtx in authrizations) { var authz = await authzCtx.Resource(); var tlsAlpnChallenge = await authzCtx.TlsAlpn(); var alpnCertKey = KeyFactory.NewKey(KeyAlgorithm.ES256); var alpnCert = ctx.AccountKey.TlsAlpnCertificate(tlsAlpnChallenge.Token, authz.Identifier.Value, alpnCertKey); await SetupValidationResponder(authz, alpnCert, alpnCertKey); await tlsAlpnChallenge.Validate(); } while (true) { await Task.Delay(100); var statuses = new List <AuthorizationStatus>(); foreach (var authz in authrizations) { var a = await authz.Resource(); statuses.Add(a.Status ?? AuthorizationStatus.Pending); } if (statuses.All(s => s == AuthorizationStatus.Valid || s == AuthorizationStatus.Invalid)) { break; } } var certKey = KeyFactory.NewKey(KeyAlgorithm.RS256); var finalizedOrder = await orderCtx.Finalize(new CsrInfo { CountryName = "CA", State = "Ontario", Locality = "Toronto", Organization = "Certes", OrganizationUnit = "Dev", CommonName = hosts[0], }, certKey); var certChain = await orderCtx.Download(null); var pfxBuilder = certChain.ToPfx(certKey); pfxBuilder.AddTestCerts(); var pfx = pfxBuilder.Build("my-pfx", "abcd1234"); // revoke certificate var certParser = new X509CertificateParser(); var certificate = certParser.ReadCertificate(certChain.Certificate.ToDer()); var der = certificate.GetEncoded(); await ctx.RevokeCertificate(der, RevocationReason.Unspecified, null); // deactivate authz so the subsequence can trigger challenge validation foreach (var authz in authrizations) { var authzRes = await authz.Deactivate(); Assert.Equal(AuthorizationStatus.Deactivated, authzRes.Status); } }
protected async Task CanGenerateCertificateWithEC(KeyAlgorithm algo) { var dirUri = await GetAcmeUriV2(); var hosts = new[] { $"www-ec-{DomainSuffix}.{algo}.certes-ci.dymetis.com".ToLower() }; var ctx = new AcmeContext(dirUri, GetKeyV2(algo), http: GetAcmeHttpClient(dirUri)); var orderCtx = await ctx.NewOrder(hosts); var order = await orderCtx.Resource(); Assert.NotNull(order); Assert.Equal(hosts.Length, order.Authorizations?.Count); Assert.True(OrderStatus.Pending == order.Status || OrderStatus.Processing == order.Status); var authrizations = await orderCtx.Authorizations(); foreach (var authz in authrizations) { var httpChallenge = await authz.Http(); await httpChallenge.Validate(); } while (true) { await Task.Delay(100); var statuses = new List <AuthorizationStatus>(); foreach (var authz in authrizations) { var a = await authz.Resource(); statuses.Add(a.Status ?? AuthorizationStatus.Pending); } if (statuses.All(s => s == AuthorizationStatus.Valid || s == AuthorizationStatus.Invalid)) { break; } } var certKey = KeyFactory.NewKey(algo); var finalizedOrder = await orderCtx.Finalize(new CsrInfo { CountryName = "CA", State = "Ontario", Locality = "Toronto", Organization = "Certes", OrganizationUnit = "Dev", CommonName = hosts[0], }, certKey); var cert = await orderCtx.Download(); var x509 = new X509Certificate2(cert.Certificate.ToDer()); Assert.Contains(hosts[0], x509.Subject); // deactivate authz so the subsequence can trigger challenge validation foreach (var authz in authrizations) { var authzRes = await authz.Deactivate(); Assert.Equal(AuthorizationStatus.Deactivated, authzRes.Status); } }
/// <summary> /// Initializes a new instance of the <see cref="AcmeContext" /> class. /// </summary> /// <param name="directoryUri">The directory URI.</param> /// <param name="accountKey">The account key.</param> /// <param name="http">The HTTP client.</param> /// <exception cref="ArgumentNullException"> /// If <paramref name="directoryUri"/> is <c>null</c>. /// </exception> public AcmeContext(Uri directoryUri, IKey accountKey = null, IAcmeHttpClient http = null) { DirectoryUri = directoryUri ?? throw new ArgumentNullException(nameof(directoryUri)); AccountKey = accountKey ?? KeyFactory.NewKey(defaultKeyType); HttpClient = http ?? new AcmeHttpClient(directoryUri); }
public async Task ThrowWhenProcessintTooOften() { var pem = File.ReadAllText("./Data/cert-es256.pem"); var orderCtxMock = new Mock <IOrderContext>(); orderCtxMock.Setup(m => m.Download(null)).ReturnsAsync(new CertificateChain(pem)); orderCtxMock.SetupSequence(m => m.Resource()) .ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Ready, }) .ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Ready, }) .ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Processing, }) .ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Processing, }); orderCtxMock.Setup(m => m.Finalize(It.IsAny <byte[]>())) .ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Processing, }); var key = KeyFactory.NewKey(KeyAlgorithm.RS256); await Assert.ThrowsAsync <AcmeException>(() => orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", CommonName = "www.certes.com", }, key)); }
public async Task CanGenerateWithAlternateLink() { var defaultpem = File.ReadAllText("./Data/defaultLeaf.pem"); var alternatepem = File.ReadAllText("./Data/alternateLeaf.pem"); var accountLoc = new System.Uri("http://acme.d/account/101"); var orderLoc = new System.Uri("http://acme.d/order/101"); var finalizeLoc = new System.Uri("http://acme.d/order/101/finalize"); var certDefaultLoc = new System.Uri("http://acme.d/order/101/cert/1234"); var certAlternateLoc = new System.Uri("http://acme.d/order/101/cert/1234/1"); var alternates = new [] { new { key = "alternate", value = certDefaultLoc }, new { key = "alternate", value = certAlternateLoc }, }.ToLookup(x => x.key, x => x.value); var httpClientMock = new Mock <IAcmeHttpClient>(); httpClientMock.Setup(m => m.Post <string>(certDefaultLoc, It.IsAny <object>())) .ReturnsAsync(new AcmeHttpResponse <string>( accountLoc, defaultpem, alternates, null)); httpClientMock.Setup(m => m.Post <string>(certAlternateLoc, It.IsAny <object>())) .ReturnsAsync(new AcmeHttpResponse <string>( accountLoc, alternatepem, alternates, null)); httpClientMock.Setup(m => m.Post <Order>(finalizeLoc, It.IsAny <object>())) .ReturnsAsync(new AcmeHttpResponse <Order>( accountLoc, new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Status = OrderStatus.Valid, }, null, null)); var acmeContextMock = new Mock <IAcmeContext>(); acmeContextMock.SetupGet(x => x.HttpClient) .Returns(httpClientMock.Object); var orderCtxMock = new Mock <OrderContext>(acmeContextMock.Object, orderLoc); orderCtxMock.Setup(m => m.Resource()).ReturnsAsync(new Order { Identifiers = new[] { new Identifier { Value = "www.certes.com", Type = IdentifierType.Dns }, }, Certificate = certDefaultLoc, Finalize = finalizeLoc, Status = OrderStatus.Pending, }); var key = KeyFactory.NewKey(KeyAlgorithm.RS256); var certInfoDefaultRoot = await orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", CommonName = "www.certes.com", }, key, null); Assert.Equal( defaultpem.Where(c => !char.IsWhiteSpace(c)), certInfoDefaultRoot.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c))); var certInfoAlternateRoot = await orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", CommonName = "www.certes.com", }, key, "AlternateRoot"); Assert.Equal( alternatepem.Where(c => !char.IsWhiteSpace(c)), certInfoAlternateRoot.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c))); var certInfoUnknownRoot = await orderCtxMock.Object.Generate(new CsrInfo { CountryName = "C", CommonName = "www.certes.com", }, key, "UnknownRoot"); Assert.Equal( defaultpem.Where(c => !char.IsWhiteSpace(c)), certInfoUnknownRoot.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c))); }
public static IKey GetKeyV2(KeyAlgorithm algo = KeyAlgorithm.ES256) => KeyFactory.FromPem(algo.GetTestKey());