示例#1
0
        public async Task Account()
        {
            var acmeDir = await IntegrationHelper.GetAcmeUriV2();

            var accountKey = Helper.GetKeyV2(KeyAlgorithm.RS256);
            var httpClient = IntegrationHelper.GetAcmeHttpClient(acmeDir);

            var acme    = new AcmeContext(acmeDir, accountKey, httpClient);
            var account = await acme.Account();

            var order = await acme.NewOrder(new[] { "www.certes-ci.dymetis.com" });

            var authz         = (await order.Authorizations()).First();
            var httpChallenge = await authz.Http();

            var token    = httpChallenge.Token;
            var keyAuthz = httpChallenge.KeyAuthz;

            var orderUri = order.Location;

            await httpChallenge.Validate();

            var res = await authz.Resource();

            while (res.Status != AuthorizationStatus.Valid && res.Status != AuthorizationStatus.Invalid)
            {
                res = await authz.Resource();
            }

            acme  = new AcmeContext(acmeDir, accountKey, httpClient);
            order = acme.Order(orderUri);
            var privateKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
            var cert       = await order.Generate(new CsrInfo
            {
                CountryName      = "CA",
                State            = "Ontario",
                Locality         = "Toronto",
                Organization     = "Certes",
                OrganizationUnit = "Dev",
                CommonName       = "www.certes-ci.dymetis.com",
            }, privateKey, null);

            var pfxBuilder = cert.ToPfx(privateKey);

            pfxBuilder.AddTestCerts();
            var pfx = pfxBuilder.Build("my-cert", "abcd1234");
        }
        public async Task CanGenerateCertificateWhenOrderPending()
        {
            var pem = File.ReadAllText("./Data/cert-es256.pem");

            var orderCtxMock = new Mock <IOrderContext>();

            orderCtxMock.Setup(m => m.Download()).ReturnsAsync(new CertificateChain(pem));
            orderCtxMock.Setup(m => m.Resource()).ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Pending,
            });
            orderCtxMock.Setup(m => m.Finalize(It.IsAny <byte[]>()))
            .ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Valid,
            });

            var key      = KeyFactory.NewKey(KeyAlgorithm.RS256);
            var certInfo = await orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
                CommonName  = "www.certes.com",
            }, key);

            Assert.Equal(
                pem.Where(c => !char.IsWhiteSpace(c)),
                certInfo.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c)));

            var certInfoNoCn = await orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
            }, key);

            Assert.Equal(
                pem.Where(c => !char.IsWhiteSpace(c)),
                certInfoNoCn.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c)));
        }
            public async Task CanChangeAccountKey()
            {
                var dirUri = await GetAcmeUriV2();

                var ctx     = new AcmeContext(dirUri, http: GetAcmeHttpClient(dirUri));
                var account = await ctx.NewAccount(
                    new[] { $"mailto:certes-{DateTime.UtcNow.Ticks}@example.com" }, true);

                var location = await ctx.Account().Location();

                var newKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
                await ctx.ChangeKey(newKey);

                var ctxWithNewKey      = new AcmeContext(dirUri, newKey, http: GetAcmeHttpClient(dirUri));
                var locationWithNewKey = await ctxWithNewKey.Account().Location();

                Assert.Equal(location, locationWithNewKey);
            }
示例#4
0
        /// <summary>
        /// Changes the account key.
        /// </summary>
        /// <param name="key">The new account key.</param>
        /// <returns>The account resource.</returns>
        public async Task <Account> ChangeKey(IKey key)
        {
            var endpoint = await this.GetResourceUri(d => d.KeyChange);

            var location = await Account().Location();

            var newKey    = key ?? KeyFactory.NewKey(defaultKeyType);
            var keyChange = new
            {
                account = location,
                oldKey  = AccountKey.JsonWebKey,
            };

            var jws  = new JwsSigner(newKey);
            var body = jws.Sign(keyChange, url: endpoint);

            var resp = await HttpClient.Post <Account>(this, endpoint, body, true);

            AccountKey = newKey;
            return(resp.Resource);
        }
        public async Task ThrowWhenOrderNotReady()
        {
            var orderCtxMock = new Mock <IOrderContext>();

            orderCtxMock.Setup(m => m.Resource()).ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Valid,
            });

            var key = KeyFactory.NewKey(KeyAlgorithm.RS256);
            await Assert.ThrowsAsync <AcmeException>(() =>
                                                     orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
                CommonName  = "www.certes.com",
            }, key));
        }
示例#6
0
            public async Task CanGenerateWildcard()
            {
                var dirUri = await GetAcmeUriV2();

                var hosts = new[] { $"wildcard-{DomainSuffix}.es256.certes-ci.dymetis.com" };
                var ctx   = new AcmeContext(dirUri, GetKeyV2(), http: GetAcmeHttpClient(dirUri));

                var orderCtx = await AuthzDns(ctx, hosts);

                var certKey        = KeyFactory.NewKey(KeyAlgorithm.RS256);
                var finalizedOrder = await orderCtx.Finalize(new CsrInfo
                {
                    CountryName      = "CA",
                    State            = "Ontario",
                    Locality         = "Toronto",
                    Organization     = "Certes",
                    OrganizationUnit = "Dev",
                    CommonName       = hosts[0],
                }, certKey);

                var pem = await orderCtx.Download();
            }
            public async Task CanGenerateCertificateHttp()
            {
                var dirUri = await GetAcmeUriV2();

                var hosts    = new[] { $"www-http-{DomainSuffix}.es256.certes-ci.dymetis.com", $"mail-http-{DomainSuffix}.es256.certes-ci.dymetis.com" };
                var ctx      = new AcmeContext(dirUri, GetKeyV2(), http: GetAcmeHttpClient(dirUri));
                var orderCtx = await AuthorizeHttp(ctx, hosts);

                var certKey        = KeyFactory.NewKey(KeyAlgorithm.RS256);
                var finalizedOrder = await orderCtx.Finalize(new CsrInfo
                {
                    CountryName      = "CA",
                    State            = "Ontario",
                    Locality         = "Toronto",
                    Organization     = "Certes",
                    OrganizationUnit = "Dev",
                    CommonName       = hosts[0],
                }, certKey);

                var certChain = await orderCtx.Download(null);

                var pfxBuilder = certChain.ToPfx(certKey);

                pfxBuilder.AddIssuers(IntegrationHelper.TestCertificates);

                var pfx = pfxBuilder.Build("my-pfx", "abcd1234");

                // revoke certificate
                var certParser  = new X509CertificateParser();
                var certificate = certParser.ReadCertificate(certChain.Certificate.ToDer());
                var der         = certificate.GetEncoded();

                await ctx.RevokeCertificate(der, RevocationReason.Unspecified, null);

                // deactivate authz so the subsequence can trigger challenge validation
                await ClearAuthorizations(orderCtx);
            }
示例#8
0
            public async Task CanGenerateCertificateTlsAlpn()
            {
                var dirUri = await GetAcmeUriV2();

                var hosts    = new[] { $"{DomainSuffix}.tls-alpn.certes-ci.dymetis.com" };
                var ctx      = new AcmeContext(dirUri, GetKeyV2(), http: GetAcmeHttpClient(dirUri));
                var orderCtx = await ctx.NewOrder(hosts);

                var order = await orderCtx.Resource();

                Assert.NotNull(order);
                Assert.Equal(hosts.Length, order.Authorizations?.Count);
                Assert.True(
                    OrderStatus.Ready == order.Status || OrderStatus.Pending == order.Status || OrderStatus.Processing == order.Status,
                    $"Invalid order status: {order.Status}");

                var authrizations = await orderCtx.Authorizations();

                foreach (var authzCtx in authrizations)
                {
                    var authz = await authzCtx.Resource();

                    var tlsAlpnChallenge = await authzCtx.TlsAlpn();

                    var alpnCertKey = KeyFactory.NewKey(KeyAlgorithm.ES256);
                    var alpnCert    = ctx.AccountKey.TlsAlpnCertificate(tlsAlpnChallenge.Token, authz.Identifier.Value, alpnCertKey);

                    await SetupValidationResponder(authz, alpnCert, alpnCertKey);

                    await tlsAlpnChallenge.Validate();
                }

                while (true)
                {
                    await Task.Delay(100);

                    var statuses = new List <AuthorizationStatus>();
                    foreach (var authz in authrizations)
                    {
                        var a = await authz.Resource();

                        statuses.Add(a.Status ?? AuthorizationStatus.Pending);
                    }

                    if (statuses.All(s => s == AuthorizationStatus.Valid || s == AuthorizationStatus.Invalid))
                    {
                        break;
                    }
                }

                var certKey        = KeyFactory.NewKey(KeyAlgorithm.RS256);
                var finalizedOrder = await orderCtx.Finalize(new CsrInfo
                {
                    CountryName      = "CA",
                    State            = "Ontario",
                    Locality         = "Toronto",
                    Organization     = "Certes",
                    OrganizationUnit = "Dev",
                    CommonName       = hosts[0],
                }, certKey);

                var certChain = await orderCtx.Download(null);

                var pfxBuilder = certChain.ToPfx(certKey);

                pfxBuilder.AddTestCerts();

                var pfx = pfxBuilder.Build("my-pfx", "abcd1234");

                // revoke certificate
                var certParser  = new X509CertificateParser();
                var certificate = certParser.ReadCertificate(certChain.Certificate.ToDer());
                var der         = certificate.GetEncoded();

                await ctx.RevokeCertificate(der, RevocationReason.Unspecified, null);

                // deactivate authz so the subsequence can trigger challenge validation
                foreach (var authz in authrizations)
                {
                    var authzRes = await authz.Deactivate();

                    Assert.Equal(AuthorizationStatus.Deactivated, authzRes.Status);
                }
            }
示例#9
0
        protected async Task CanGenerateCertificateWithEC(KeyAlgorithm algo)
        {
            var dirUri = await GetAcmeUriV2();

            var hosts    = new[] { $"www-ec-{DomainSuffix}.{algo}.certes-ci.dymetis.com".ToLower() };
            var ctx      = new AcmeContext(dirUri, GetKeyV2(algo), http: GetAcmeHttpClient(dirUri));
            var orderCtx = await ctx.NewOrder(hosts);

            var order = await orderCtx.Resource();

            Assert.NotNull(order);
            Assert.Equal(hosts.Length, order.Authorizations?.Count);
            Assert.True(OrderStatus.Pending == order.Status || OrderStatus.Processing == order.Status);

            var authrizations = await orderCtx.Authorizations();

            foreach (var authz in authrizations)
            {
                var httpChallenge = await authz.Http();

                await httpChallenge.Validate();
            }

            while (true)
            {
                await Task.Delay(100);

                var statuses = new List <AuthorizationStatus>();
                foreach (var authz in authrizations)
                {
                    var a = await authz.Resource();

                    statuses.Add(a.Status ?? AuthorizationStatus.Pending);
                }

                if (statuses.All(s => s == AuthorizationStatus.Valid || s == AuthorizationStatus.Invalid))
                {
                    break;
                }
            }

            var certKey        = KeyFactory.NewKey(algo);
            var finalizedOrder = await orderCtx.Finalize(new CsrInfo
            {
                CountryName      = "CA",
                State            = "Ontario",
                Locality         = "Toronto",
                Organization     = "Certes",
                OrganizationUnit = "Dev",
                CommonName       = hosts[0],
            }, certKey);

            var cert = await orderCtx.Download();

            var x509 = new X509Certificate2(cert.Certificate.ToDer());

            Assert.Contains(hosts[0], x509.Subject);

            // deactivate authz so the subsequence can trigger challenge validation
            foreach (var authz in authrizations)
            {
                var authzRes = await authz.Deactivate();

                Assert.Equal(AuthorizationStatus.Deactivated, authzRes.Status);
            }
        }
示例#10
0
 /// <summary>
 /// Initializes a new instance of the <see cref="AcmeContext" /> class.
 /// </summary>
 /// <param name="directoryUri">The directory URI.</param>
 /// <param name="accountKey">The account key.</param>
 /// <param name="http">The HTTP client.</param>
 /// <exception cref="ArgumentNullException">
 /// If <paramref name="directoryUri"/> is <c>null</c>.
 /// </exception>
 public AcmeContext(Uri directoryUri, IKey accountKey = null, IAcmeHttpClient http = null)
 {
     DirectoryUri = directoryUri ?? throw new ArgumentNullException(nameof(directoryUri));
     AccountKey   = accountKey ?? KeyFactory.NewKey(defaultKeyType);
     HttpClient   = http ?? new AcmeHttpClient(directoryUri);
 }
        public async Task ThrowWhenProcessintTooOften()
        {
            var pem = File.ReadAllText("./Data/cert-es256.pem");

            var orderCtxMock = new Mock <IOrderContext>();

            orderCtxMock.Setup(m => m.Download(null)).ReturnsAsync(new CertificateChain(pem));
            orderCtxMock.SetupSequence(m => m.Resource())
            .ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Ready,
            })
            .ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Ready,
            })
            .ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Processing,
            })
            .ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Processing,
            });

            orderCtxMock.Setup(m => m.Finalize(It.IsAny <byte[]>()))
            .ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Processing,
            });

            var key = KeyFactory.NewKey(KeyAlgorithm.RS256);
            await Assert.ThrowsAsync <AcmeException>(() =>
                                                     orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
                CommonName  = "www.certes.com",
            }, key));
        }
        public async Task CanGenerateWithAlternateLink()
        {
            var defaultpem   = File.ReadAllText("./Data/defaultLeaf.pem");
            var alternatepem = File.ReadAllText("./Data/alternateLeaf.pem");

            var accountLoc       = new System.Uri("http://acme.d/account/101");
            var orderLoc         = new System.Uri("http://acme.d/order/101");
            var finalizeLoc      = new System.Uri("http://acme.d/order/101/finalize");
            var certDefaultLoc   = new System.Uri("http://acme.d/order/101/cert/1234");
            var certAlternateLoc = new System.Uri("http://acme.d/order/101/cert/1234/1");

            var alternates = new [] {
                new { key = "alternate", value = certDefaultLoc },
                new { key = "alternate", value = certAlternateLoc },
            }.ToLookup(x => x.key, x => x.value);

            var httpClientMock = new Mock <IAcmeHttpClient>();

            httpClientMock.Setup(m => m.Post <string>(certDefaultLoc, It.IsAny <object>()))
            .ReturnsAsync(new AcmeHttpResponse <string>(
                              accountLoc,
                              defaultpem,
                              alternates,
                              null));

            httpClientMock.Setup(m => m.Post <string>(certAlternateLoc, It.IsAny <object>()))
            .ReturnsAsync(new AcmeHttpResponse <string>(
                              accountLoc,
                              alternatepem,
                              alternates,
                              null));

            httpClientMock.Setup(m => m.Post <Order>(finalizeLoc, It.IsAny <object>()))
            .ReturnsAsync(new AcmeHttpResponse <Order>(
                              accountLoc,
                              new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Status = OrderStatus.Valid,
            },
                              null,
                              null));


            var acmeContextMock = new Mock <IAcmeContext>();

            acmeContextMock.SetupGet(x => x.HttpClient)
            .Returns(httpClientMock.Object);

            var orderCtxMock = new Mock <OrderContext>(acmeContextMock.Object, orderLoc);

            orderCtxMock.Setup(m => m.Resource()).ReturnsAsync(new Order
            {
                Identifiers = new[] {
                    new Identifier {
                        Value = "www.certes.com", Type = IdentifierType.Dns
                    },
                },
                Certificate = certDefaultLoc,
                Finalize    = finalizeLoc,
                Status      = OrderStatus.Pending,
            });

            var key = KeyFactory.NewKey(KeyAlgorithm.RS256);
            var certInfoDefaultRoot = await orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
                CommonName  = "www.certes.com",
            }, key, null);

            Assert.Equal(
                defaultpem.Where(c => !char.IsWhiteSpace(c)),
                certInfoDefaultRoot.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c)));

            var certInfoAlternateRoot = await orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
                CommonName  = "www.certes.com",
            }, key, "AlternateRoot");

            Assert.Equal(
                alternatepem.Where(c => !char.IsWhiteSpace(c)),
                certInfoAlternateRoot.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c)));

            var certInfoUnknownRoot = await orderCtxMock.Object.Generate(new CsrInfo
            {
                CountryName = "C",
                CommonName  = "www.certes.com",
            }, key, "UnknownRoot");

            Assert.Equal(
                defaultpem.Where(c => !char.IsWhiteSpace(c)),
                certInfoUnknownRoot.Certificate.ToPem().Where(c => !char.IsWhiteSpace(c)));
        }
示例#13
0
 public static IKey GetKeyV2(KeyAlgorithm algo = KeyAlgorithm.ES256)
 => KeyFactory.FromPem(algo.GetTestKey());