private void Empty (BasicConstraintsExtension bce) { Assert.IsFalse (bce.Critical, "Critical"); Assert.AreEqual ("2.5.29.19", bce.Oid, "Oid"); Assert.IsNotNull (bce.Name, "Name"); Assert.IsFalse (bce.Name == bce.Oid, "Name!=Oid"); Assert.IsFalse (bce.CertificateAuthority, "CertificateAuthority"); Assert.AreEqual (BasicConstraintsExtension.NoPathLengthConstraint, bce.PathLenConstraint, "PathLenConstraint"); }
public void CertificateAuthority_NoPathLengthConstraint () { BasicConstraintsExtension bce = new BasicConstraintsExtension (); bce.CertificateAuthority = true; bce.PathLenConstraint = BasicConstraintsExtension.NoPathLengthConstraint; Assert.AreEqual ("30-0C-06-03-55-1D-13-04-05-30-03-01-01-FF", BitConverter.ToString (bce.GetBytes ()), "GetBytes"); BasicConstraintsExtension bce2 = new BasicConstraintsExtension (bce.ASN1); Assert.IsFalse (bce2.Critical, "Critical"); Assert.IsTrue (bce2.CertificateAuthority, "CertificateAuthority"); Assert.AreEqual (BasicConstraintsExtension.NoPathLengthConstraint, bce2.PathLenConstraint, "PathLenConstraint"); }
public void CertificateAuthority_Critical () { BasicConstraintsExtension bce = new BasicConstraintsExtension (); bce.Critical = true; bce.CertificateAuthority = true; bce.PathLenConstraint = 0; Assert.AreEqual ("30-12-06-03-55-1D-13-01-01-FF-04-08-30-06-01-01-FF-02-01-00", BitConverter.ToString (bce.GetBytes ()), "GetBytes"); BasicConstraintsExtension bce2 = new BasicConstraintsExtension (bce.ASN1); Assert.IsTrue (bce2.Critical, "Critical"); Assert.IsTrue (bce2.CertificateAuthority, "CertificateAuthority"); Assert.AreEqual (0, bce2.PathLenConstraint, "PathLenConstraint"); }
internal MSX509.X509Certificate2 GetCertificate(string name) { List<X509Extension> extensions = new List<X509Extension>(); BasicConstraintsExtension constraints = new BasicConstraintsExtension(); constraints.CertificateAuthority = false; constraints.Critical = true; extensions.Add(constraints); KeyUsageExtension keyUsage = new KeyUsageExtension(); keyUsage.KeyUsage = KeyUsages.digitalSignature | KeyUsages.nonRepudiation | KeyUsages.keyEncipherment; extensions.Add(keyUsage); ExtendedKeyUsageExtension extendedUsage = new ExtendedKeyUsageExtension(); extendedUsage.KeyPurpose.Add("1.3.6.1.5.5.7.3.1"); extendedUsage.KeyPurpose.Add("1.3.6.1.5.5.7.3.2"); extensions.Add(extendedUsage); return CreateCertificate(name, extensions, GetRootCertificate(), state_.Config.X509.AuthorityName, MSX509.StoreName.My, state_.Config.X509.RootValidity); }
private bool IsParent (X509Certificate child, X509Certificate parent) { if (child.IssuerName != parent.SubjectName) return false; // parent MUST have the Basic Constraint CA=true (except for trusted roots) // see why at http://www.microsoft.com/technet/security/bulletin/MS02-050.asp if ((parent.Version > 2) && (!IsTrusted (parent))) { // TODO: we do not support pathLenConstraint X509Extension ext = parent.Extensions ["2.5.29.19"]; if (ext != null) { BasicConstraintsExtension bc = new BasicConstraintsExtension (ext); if (!bc.CertificateAuthority) _status = X509ChainStatusFlags.InvalidBasicConstraints; } else _status = X509ChainStatusFlags.InvalidBasicConstraints; } if (!child.VerifySignature (parent.RSA)) { _status = X509ChainStatusFlags.NotSignatureValid; return false; } return true; }
public bool VerifySignature (X509Certificate x509) { if (x509 == null) throw new ArgumentNullException ("x509"); // 1. x509 certificate must be a CA certificate (unknown for v1 or v2 certs) if (x509.Version >= 3) { BasicConstraintsExtension basicConstraints = null; // 1.2. Check for ca = true in BasicConstraint X509Extension ext = x509.Extensions ["2.5.29.19"]; if (ext != null) { basicConstraints = new BasicConstraintsExtension (ext); if (!basicConstraints.CertificateAuthority) return false; } // 1.1. Check for "cRLSign" bit in KeyUsage extension ext = x509.Extensions ["2.5.29.15"]; if (ext != null) { KeyUsageExtension keyUsage = new KeyUsageExtension (ext); if (!keyUsage.Support (KeyUsages.cRLSign)) { // 2nd chance if basicConstraints is CertificateAuthority // and KeyUsage support digitalSignature if ((basicConstraints == null) || !keyUsage.Support (KeyUsages.digitalSignature)) return false; } } } // 2. CRL issuer must match CA subject name if (issuer != x509.SubjectName) return false; // 3. Check the CRL signature with the CA certificate public key switch (signatureOID) { case "1.2.840.10040.4.3": return VerifySignature (x509.DSA); default: return VerifySignature (x509.RSA); } }
static int Main (string[] args) { if (args.Length < 1) { Header (); Console.WriteLine ("ERROR: Missing output filename {0}", Environment.NewLine); Help (); return -1; } string fileName = args [args.Length - 1]; // default values byte[] sn = Guid.NewGuid ().ToByteArray (); string subject = defaultSubject; string issuer = defaultIssuer; DateTime notBefore = DateTime.Now; DateTime notAfter = new DateTime (643445675990000000); // 12/31/2039 23:59:59Z RSA issuerKey = (RSA)RSA.Create (); issuerKey.FromXmlString (MonoTestRootAgency); RSA subjectKey = (RSA)RSA.Create (); bool selfSigned = false; string hashName = "SHA1"; CspParameters subjectParams = new CspParameters (); CspParameters issuerParams = new CspParameters (); BasicConstraintsExtension bce = null; ExtendedKeyUsageExtension eku = null; SubjectAltNameExtension alt = null; string p12file = null; string p12pwd = null; X509Certificate issuerCertificate = null; Header(); try { int i=0; while (i < args.Length) { switch (args [i++]) { // Basic options case "-#": // Serial Number sn = BitConverter.GetBytes (Convert.ToInt32 (args [i++])); break; case "-n": // Subject Distinguish Name subject = args [i++]; break; case "-$": // (authenticode) commercial or individual // CRITICAL KeyUsageRestriction extension // hash algorithm string usageRestriction = args [i++].ToLower (); switch (usageRestriction) { case "commercial": case "individual": Console.WriteLine ("WARNING: Unsupported deprecated certification extension KeyUsageRestriction not included"); // Console.WriteLine ("WARNING: ExtendedKeyUsage for codesigning has been included."); break; default: Console.WriteLine ("Unsupported restriction " + usageRestriction); return -1; } break; // Extended Options case "-a": // hash algorithm switch (args [i++].ToLower ()) { case "sha1": hashName = "SHA1"; break; case "md5": Console.WriteLine ("WARNING: MD5 is no more safe for this usage."); hashName = "MD5"; break; default: Console.WriteLine ("Unsupported hash algorithm"); break; } break; case "-b": // Validity / notBefore notBefore = DateTime.Parse (args [i++] + " 23:59:59", CultureInfo.InvariantCulture); break; case "-cy": // basic constraints - autority or end-entity switch (args [i++].ToLower ()) { case "authority": if (bce == null) bce = new BasicConstraintsExtension (); bce.CertificateAuthority = true; break; case "end": // do not include extension bce = null; break; case "both": Console.WriteLine ("ERROR: No more supported in X.509"); return -1; default: Console.WriteLine ("Unsupported certificate type"); return -1; } break; case "-d": // CN private extension ? Console.WriteLine ("Unsupported option"); break; case "-e": // Validity / notAfter notAfter = DateTime.Parse (args [i++] + " 23:59:59", CultureInfo.InvariantCulture); break; case "-eku": // extendedKeyUsage extension char[] sep = { ',' }; string[] purposes = args [i++].Split (sep); if (eku == null) eku = new ExtendedKeyUsageExtension (); foreach (string purpose in purposes) { eku.KeyPurpose.Add (purpose); } break; case "-h": // pathLength (basicConstraints) // MS use an old basicConstrains (2.5.29.10) which // allows both CA and End-Entity. This is no // more supported with 2.5.29.19. if (bce == null) { bce = new BasicConstraintsExtension (); bce.CertificateAuthority = true; } bce.PathLenConstraint = Convert.ToInt32 (args [i++]); break; case "-alt": if (alt == null) { string [] dnsNames = File.ReadAllLines (args [i++]); alt = new SubjectAltNameExtension (null, dnsNames, null, null); } break; case "-ic": issuerCertificate = LoadCertificate (args [i++]); issuer = issuerCertificate.SubjectName; break; case "-in": issuer = args [i++]; break; case "-iv": // TODO password PrivateKey pvk = PrivateKey.CreateFromFile (args [i++]); issuerKey = pvk.RSA; break; case "-l": // link (URL) // spcSpAgencyInfo private extension Console.WriteLine ("Unsupported option"); break; case "-m": // validity period (in months) notAfter = notBefore.AddMonths (Convert.ToInt32 (args [i++])); break; case "-nscp": // Netscape's private extensions - NetscapeCertType // BasicContraints - End Entity Console.WriteLine ("Unsupported option"); break; case "-r": selfSigned = true; break; case "-sc": // subject certificate ? renew ? Console.WriteLine ("Unsupported option"); break; // Issuer CspParameters options case "-ik": issuerParams.KeyContainerName = args [i++]; break; case "-iky": // select a key in the provider string ikn = args [i++].ToLower (); switch (ikn) { case "signature": issuerParams.KeyNumber = 0; break; case "exchange": issuerParams.KeyNumber = 1; break; default: issuerParams.KeyNumber = Convert.ToInt32 (ikn); break; } break; case "-ip": issuerParams.ProviderName = args [i++]; break; case "-ir": switch (args [i++].ToLower ()) { case "localmachine": issuerParams.Flags = CspProviderFlags.UseMachineKeyStore; break; case "currentuser": issuerParams.Flags = CspProviderFlags.UseDefaultKeyContainer; break; default: Console.WriteLine ("Unknown key store for issuer"); return -1; } break; case "-is": Console.WriteLine ("Unsupported option"); return -1; case "-iy": issuerParams.ProviderType = Convert.ToInt32 (args [i++]); break; // Subject CspParameters Options case "-sk": subjectParams.KeyContainerName = args [i++]; break; case "-sky": // select a key in the provider string skn = args [i++].ToLower (); switch (skn) { case "signature": subjectParams.KeyNumber = 0; break; case "exchange": subjectParams.KeyNumber = 1; break; default: subjectParams.KeyNumber = Convert.ToInt32 (skn); break; } break; case "-sp": subjectParams.ProviderName = args [i++]; break; case "-sr": switch (args [i++].ToLower ()) { case "localmachine": subjectParams.Flags = CspProviderFlags.UseMachineKeyStore; break; case "currentuser": subjectParams.Flags = CspProviderFlags.UseDefaultKeyContainer; break; default: Console.WriteLine ("Unknown key store for subject"); return -1; } break; case "-ss": Console.WriteLine ("Unsupported option"); return -1; case "-sv": string pvkFile = args [i++]; if (File.Exists (pvkFile)) { PrivateKey key = PrivateKey.CreateFromFile (pvkFile); subjectKey = key.RSA; } else { PrivateKey key = new PrivateKey (); key.RSA = subjectKey; key.Save (pvkFile); } break; case "-sy": subjectParams.ProviderType = Convert.ToInt32 (args [i++]); break; // Mono Specific Options case "-p12": p12file = args [i++]; p12pwd = args [i++]; break; // Other options case "-?": Help (); return 0; case "-!": ExtendedHelp (); return 0; default: if (i != args.Length) { Console.WriteLine ("ERROR: Unknown parameter"); Help (); return -1; } break; } } // serial number MUST be positive if ((sn [0] & 0x80) == 0x80) sn [0] -= 0x80; if (selfSigned) { if (subject != defaultSubject) { issuer = subject; issuerKey = subjectKey; } else { subject = issuer; subjectKey = issuerKey; } } if (subject == null) throw new Exception ("Missing Subject Name"); X509CertificateBuilder cb = new X509CertificateBuilder (3); cb.SerialNumber = sn; cb.IssuerName = issuer; cb.NotBefore = notBefore; cb.NotAfter = notAfter; cb.SubjectName = subject; cb.SubjectPublicKey = subjectKey; // extensions if (bce != null) cb.Extensions.Add (bce); if (eku != null) cb.Extensions.Add (eku); if (alt != null) cb.Extensions.Add (alt); // signature cb.Hash = hashName; byte[] rawcert = cb.Sign (issuerKey); if (p12file == null) { WriteCertificate (fileName, rawcert); } else { PKCS12 p12 = new PKCS12 (); p12.Password = p12pwd; ArrayList list = new ArrayList (); // we use a fixed array to avoid endianess issues // (in case some tools requires the ID to be 1). list.Add (new byte [4] { 1, 0, 0, 0 }); Hashtable attributes = new Hashtable (1); attributes.Add (PKCS9.localKeyId, list); p12.AddCertificate (new X509Certificate (rawcert), attributes); if (issuerCertificate != null) p12.AddCertificate (issuerCertificate); p12.AddPkcs8ShroudedKeyBag (subjectKey, attributes); p12.SaveToFile (p12file); } Console.WriteLine ("Success"); return 0; } catch (Exception e) { Console.WriteLine ("ERROR: " + e.ToString ()); Help (); } return 1; }
private MSX509.X509Certificate2 GetRootCertificate() { List<X509Extension> extensions = new List<X509Extension>(); BasicConstraintsExtension constraints = new BasicConstraintsExtension(); constraints.CertificateAuthority = true; constraints.Critical = true; extensions.Add(constraints); KeyUsageExtension keyUsage = new KeyUsageExtension(); keyUsage.KeyUsage = KeyUsages.keyCertSign | KeyUsages.cRLSign; extensions.Add(keyUsage); return CreateCertificate(state_.Config.X509.AuthorityName, extensions, null, state_.Config.X509.AuthorityName, MSX509.StoreName.Root, state_.Config.X509.RootValidity); }
public void NotCertificateAuthority () { BasicConstraintsExtension bce = new BasicConstraintsExtension (); bce.CertificateAuthority = false; // CertificateAuthority isn't encoded (default value is false) bce.PathLenConstraint = Int32.MaxValue; // PathLenConstraint is ignored (per RFC3280) Assert.AreEqual ("30-09-06-03-55-1D-13-04-02-30-00", BitConverter.ToString (bce.GetBytes ()), "GetBytes"); BasicConstraintsExtension bce2 = new BasicConstraintsExtension (bce.ASN1); Assert.IsFalse (bce2.Critical, "Critical"); Assert.IsFalse (bce2.CertificateAuthority, "CertificateAuthority"); Assert.AreEqual (BasicConstraintsExtension.NoPathLengthConstraint, bce2.PathLenConstraint, "PathLenConstraint"); }
public void Constructor_ASN1 () { BasicConstraintsExtension ext = new BasicConstraintsExtension (); BasicConstraintsExtension bce = new BasicConstraintsExtension (ext.ASN1); Empty (bce); }
public void Constructor_Empty () { BasicConstraintsExtension bce = new BasicConstraintsExtension (); Empty (bce); }
public void NegativePathLenConstraint () { BasicConstraintsExtension bce = new BasicConstraintsExtension (); bce.PathLenConstraint = Int32.MinValue; }
static void Main(string[] args) { var assembly = Assembly.GetExecutingAssembly(); var title = (AssemblyTitleAttribute)Attribute.GetCustomAttribute(assembly, typeof(AssemblyTitleAttribute)); Console.WriteLine("{0} version {1}", title.Title, assembly.GetName().Version); var copyright = (AssemblyCopyrightAttribute)Attribute.GetCustomAttribute(assembly, typeof(AssemblyCopyrightAttribute)); Console.WriteLine(copyright.Copyright); Console.WriteLine("More information can be found at https://Jexus.codeplex.com"); Console.WriteLine(); var baseAddress = args.Length > 0 ? args[0] : "https://*****:*****@"Remote services must be run as root on Linux."); return; } if (!File.Exists("jws")) { Console.WriteLine(@"Remote services must be running in Jexus installation folder."); return; } var loc = baseAddress.LastIndexOf(':'); var port = "443"; if (loc != -1) { port = baseAddress.Substring(loc + 1); } string dirname = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); string path = Path.Combine(dirname, ".mono", "httplistener"); if (false == Directory.Exists(path)) { Directory.CreateDirectory(path); } string target_cert = Path.Combine(path, string.Format("{0}.cer", port)); if (File.Exists(target_cert)) { Console.WriteLine("Use {0}", target_cert); } else { Console.WriteLine("Generating a self-signed certificate for Jexus Manager"); // Generate certificate string defaultIssuer = "CN=jexus.lextudio.com"; string defaultSubject = "CN=jexus.lextudio.com"; byte[] sn = Guid.NewGuid().ToByteArray(); string subject = defaultSubject; string issuer = defaultIssuer; DateTime notBefore = DateTime.Now; DateTime notAfter = new DateTime(643445675990000000); // 12/31/2039 23:59:59Z RSA issuerKey = new RSACryptoServiceProvider(2048); RSA subjectKey = null; bool selfSigned = true; string hashName = "SHA1"; CspParameters subjectParams = new CspParameters(); CspParameters issuerParams = new CspParameters(); BasicConstraintsExtension bce = new BasicConstraintsExtension { PathLenConstraint = BasicConstraintsExtension.NoPathLengthConstraint, CertificateAuthority = true }; ExtendedKeyUsageExtension eku = new ExtendedKeyUsageExtension(); eku.KeyPurpose.Add("1.3.6.1.5.5.7.3.1"); SubjectAltNameExtension alt = null; string p12file = Path.Combine(path, "temp.pfx"); string p12pwd = "test"; // serial number MUST be positive if ((sn[0] & 0x80) == 0x80) sn[0] -= 0x80; if (selfSigned) { if (subject != defaultSubject) { issuer = subject; issuerKey = subjectKey; } else { subject = issuer; subjectKey = issuerKey; } } if (subject == null) throw new Exception("Missing Subject Name"); X509CertificateBuilder cb = new X509CertificateBuilder(3); cb.SerialNumber = sn; cb.IssuerName = issuer; cb.NotBefore = notBefore; cb.NotAfter = notAfter; cb.SubjectName = subject; cb.SubjectPublicKey = subjectKey; // extensions if (bce != null) cb.Extensions.Add(bce); if (eku != null) cb.Extensions.Add(eku); if (alt != null) cb.Extensions.Add(alt); IDigest digest = new Sha1Digest(); byte[] resBuf = new byte[digest.GetDigestSize()]; var spki = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(DotNetUtilities.GetRsaPublicKey(issuerKey)); byte[] bytes = spki.PublicKeyData.GetBytes(); digest.BlockUpdate(bytes, 0, bytes.Length); digest.DoFinal(resBuf, 0); cb.Extensions.Add(new SubjectKeyIdentifierExtension { Identifier = resBuf }); cb.Extensions.Add(new AuthorityKeyIdentifierExtension { Identifier = resBuf }); // signature cb.Hash = hashName; byte[] rawcert = cb.Sign(issuerKey); PKCS12 p12 = new PKCS12(); p12.Password = p12pwd; ArrayList list = new ArrayList(); // we use a fixed array to avoid endianess issues // (in case some tools requires the ID to be 1). list.Add(new byte[4] { 1, 0, 0, 0 }); Hashtable attributes = new Hashtable(1); attributes.Add(PKCS9.localKeyId, list); p12.AddCertificate(new Mono.Security.X509.X509Certificate(rawcert), attributes); p12.AddPkcs8ShroudedKeyBag(subjectKey, attributes); p12.SaveToFile(p12file); var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(p12file, p12pwd, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable); // Install certificate string target_pvk = Path.Combine(path, string.Format("{0}.pvk", port)); using (Stream cer = File.OpenWrite(target_cert)) { byte[] raw = x509.RawData; cer.Write(raw, 0, raw.Length); } PrivateKey pvk = new PrivateKey(); pvk.RSA = subjectKey; pvk.Save(target_pvk); } } JexusServer.Credentials = args.Length > 2 ? args[1] + "|" + args[2] : "jexus|lextudio.com"; JexusServer.Timeout = args.Length > 3 ? double.Parse(args[3]) : 30D; using (WebApp.Start<Startup>(url: baseAddress)) { Console.WriteLine("Remote services have started at {0}.", baseAddress); Console.WriteLine("Credentials is {0}", JexusServer.Credentials); Console.WriteLine("Press Enter to quit."); Console.ReadLine(); } }