public void CreateEcdsaKeyPair(int bits) { var ecdsaKeys = PkiKeyPair.GenerateEcdsaKeyPair(bits); Assert.AreEqual(PkiAsymmetricAlgorithm.Ecdsa, ecdsaKeys.Algorithm); Assert.IsFalse(ecdsaKeys.PublicKey.IsPrivate); Assert.AreEqual(PkiAsymmetricAlgorithm.Ecdsa, ecdsaKeys.PublicKey.Algorithm); Assert.IsTrue(ecdsaKeys.PrivateKey.IsPrivate); Assert.AreEqual(PkiAsymmetricAlgorithm.Ecdsa, ecdsaKeys.PublicKey.Algorithm); var pubOut = Path.Combine(_testTemp, $"ecdsa-pub-key-{bits}.pem"); var prvOut = Path.Combine(_testTemp, $"ecdsa-prv-key-{bits}.pem"); File.WriteAllBytes(pubOut, ecdsaKeys.PublicKey.Export(PkiEncodingFormat.Pem)); File.WriteAllBytes(prvOut, ecdsaKeys.PrivateKey.Export(PkiEncodingFormat.Pem)); using (var proc = OpenSsl.Start($"ec -in {pubOut} -pubin")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode, "OpenSSL exit code checking EC public key"); } using (var proc = OpenSsl.Start($"ec -in {prvOut} -check")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode, "OpenSSL exit code checking EC private key"); } }
public void ExportRsaKeyPairWithPassword(int bits) { var rsaKeys = PkiKeyPair.GenerateRsaKeyPair(bits); Assert.AreEqual(PkiAsymmetricAlgorithm.Rsa, rsaKeys.Algorithm); Assert.IsFalse(rsaKeys.PublicKey.IsPrivate); Assert.AreEqual(PkiAsymmetricAlgorithm.Rsa, rsaKeys.PublicKey.Algorithm); Assert.IsTrue(rsaKeys.PrivateKey.IsPrivate); Assert.AreEqual(PkiAsymmetricAlgorithm.Rsa, rsaKeys.PrivateKey.Algorithm); var pubOut = Path.Combine(_testTemp, $"keypair-rsa-pub{bits}-secure.pem"); var prvOut = Path.Combine(_testTemp, $"keypair-rsa-prv{bits}-secure.pem"); File.WriteAllBytes(pubOut, rsaKeys.PublicKey.Export(PkiEncodingFormat.Pem, password: "******".ToCharArray())); File.WriteAllBytes(prvOut, rsaKeys.PrivateKey.Export(PkiEncodingFormat.Pem, password: "******".ToCharArray())); using (var proc = OpenSsl.Start($"rsa -in {pubOut} -pubin")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"rsa -in {prvOut} -check -passin pass:123456")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void CreateAndExportRsaCsr(int bits, PkiHashAlgorithm hashAlgor) { var sn = "CN=foo.example.com"; var keys = PkiKeyPair.GenerateRsaKeyPair(bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pemOut = Path.Combine(_testTemp, $"csr-rsa-{bits}-{hashAlgor}.pem"); var derOut = Path.Combine(_testTemp, $"csr-rsa-{bits}-{hashAlgor}.der"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); File.WriteAllBytes(pemOut, csr.ExportSigningRequest(PkiEncodingFormat.Pem)); File.WriteAllBytes(derOut, csr.ExportSigningRequest(PkiEncodingFormat.Der)); using (var proc = OpenSsl.Start($"req -text -noout -verify -in {pemOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"req -text -noout -verify -inform DER -in {derOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void ExportSignedCert(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var isurName = "CN=SelfSigned"; var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var subjName = "CN=foo.example.com"; var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor); var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor); subjCsr.CertificateExtensions.Add( PkiCertificateExtension.CreateDnsSubjectAlternativeNames( new[] { "foo-alt1.example.com", "foo-alt2.example.com", })); var pemOut = Path.Combine(_testTemp, $"cert-{algor}-{bits}-{hashAlgor}.pem"); var derOut = Path.Combine(_testTemp, $"cert-{algor}-{bits}-{hashAlgor}.der"); var isurCert = isurCsr.CreateCa( DateTime.Now.AddMonths(-5), DateTime.Now.AddMonths(5)); Assert.AreEqual(isurName, isurCert.SubjectName, "Issuer Name on Issuer Certificate"); var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey, DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1), new[] { (byte)0x2b }); Assert.AreEqual(isurName, isurCert.SubjectName, "Subject Name on Subject Certificate"); File.WriteAllBytes(pemOut, subjCert.Export(PkiEncodingFormat.Pem)); File.WriteAllBytes(derOut, subjCert.Export(PkiEncodingFormat.Der)); using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"x509 -text -noout -inform DER -in {derOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void ExportSelfSignedCert(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pemOut = Path.Combine(_testTemp, $"certself-{algor}-{bits}-{hashAlgor}.pem"); var derOut = Path.Combine(_testTemp, $"certself-{algor}-{bits}-{hashAlgor}.der"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); var cert = csr.CreateSelfSigned( DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1)); Assert.AreEqual(sn, cert.SubjectName, "Subject Name on PKI Certificate"); var bclCert = cert.ToBclCertificate(); Assert.AreEqual(sn, bclCert.Subject, "Subject Name on BCL Certificate"); Assert.IsFalse(bclCert.HasPrivateKey); Assert.IsNull(bclCert.PrivateKey); File.WriteAllBytes(pemOut, cert.Export(PkiEncodingFormat.Pem)); File.WriteAllBytes(derOut, cert.Export(PkiEncodingFormat.Der)); using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"x509 -text -noout -inform DER -in {derOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void CreateAndExportEcdsaSansCsr(int bits, PkiHashAlgorithm hashAlgor) { var sn = "CN=foo.example.com"; var sans = new[] { "foo-alt1.example.com", "foo-alt2.example.com", }; var keys = PkiKeyPair.GenerateEcdsaKeyPair(bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); csr.CertificateExtensions.Add( PkiCertificateExtension.CreateDnsSubjectAlternativeNames(sans)); var pemOut = Path.Combine(_testTemp, $"csr-ecdsa-{bits}-{hashAlgor}-sans.pem"); var derOut = Path.Combine(_testTemp, $"csr-ecdsa-{bits}-{hashAlgor}-sans.der"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); Assert.AreEqual(1, csr.CertificateExtensions.Count); File.WriteAllBytes(pemOut, csr.ExportSigningRequest(PkiEncodingFormat.Pem)); File.WriteAllBytes(derOut, csr.ExportSigningRequest(PkiEncodingFormat.Der)); using (var proc = OpenSsl.Start($"req -text -noout -verify -in {pemOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } using (var proc = OpenSsl.Start($"req -text -noout -verify -inform DER -in {derOut}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } }
public void ExportSelfSignedPemChain(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pemSansKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-sanskey.pem"); var pemWithKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-withkey.pem"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); var cert = csr.CreateSelfSigned( DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1)); Assert.AreEqual(sn, cert.SubjectName, "Subject Name on PKI Certificate"); var bclCert = cert.ToBclCertificate(); Assert.AreEqual(sn, bclCert.Subject, "Subject Name on BCL Certificate"); Assert.IsFalse(bclCert.HasPrivateKey); Assert.IsNull(bclCert.PrivateKey); File.WriteAllBytes(pemSansKey, cert.Export(PkiArchiveFormat.Pem)); File.WriteAllBytes(pemWithKey, cert.Export(PkiArchiveFormat.Pem, keys.PrivateKey)); // Check Cert using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemSansKey}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } // Check Cert using (var proc = OpenSsl.Start($"x509 -text -noout -in {pemWithKey}")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } // Check Private Key var opensslCmd = "rsa"; if (algor == PkiAsymmetricAlgorithm.Ecdsa) { opensslCmd = "ec"; } using (var proc = OpenSsl.Start($"{opensslCmd} -in {pemWithKey} -check")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pemSansKey)); Assert.IsFalse(certSansKey.HasPrivateKey); Assert.IsNull(certSansKey.PrivateKey); }
public void ExportSignedPkcs12(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var isurName = "CN=SelfSigned"; var isurKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var subjName = "CN=foo.example.com"; var subjKeys = PkiKeyTests.GenerateKeyPair(algor, bits); var isurCsr = new PkiCertificateSigningRequest(isurName, isurKeys, hashAlgor); var subjCsr = new PkiCertificateSigningRequest(subjName, subjKeys, hashAlgor); subjCsr.CertificateExtensions.Add( PkiCertificateExtension.CreateDnsSubjectAlternativeNames( new[] { "foo-alt1.example.com", "foo-alt2.example.com", })); var pfxSansKey = Path.Combine(_testTemp, $"certexp-{algor}-{bits}-{hashAlgor}-sanskey.pfx"); var pfxWithKey = Path.Combine(_testTemp, $"certexp-{algor}-{bits}-{hashAlgor}-withkey.pfx"); var isurCert = isurCsr.CreateCa( DateTime.Now.AddMonths(-5), DateTime.Now.AddMonths(5)); Assert.AreEqual(isurName, isurCert.SubjectName, "Issuer Name on Issuer Certificate"); var subjCert = subjCsr.Create(isurCert, isurKeys.PrivateKey, DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1), new[] { (byte)0x2b }); Assert.AreEqual(isurName, isurCert.SubjectName, "Subject Name on Subject Certificate"); File.WriteAllBytes(pfxSansKey, subjCert.Export(PkiArchiveFormat.Pkcs12, chain: new[] { isurCert })); File.WriteAllBytes(pfxWithKey, subjCert.Export(PkiArchiveFormat.Pkcs12, subjKeys.PrivateKey, new[] { isurCert })); using (var proc = OpenSsl.Start($"pkcs12 -info -in {pfxSansKey} -passin pass:"******"pkcs12 -info -in {pfxWithKey} -passin pass: -nokeys")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxSansKey)); Assert.IsFalse(certSansKey.HasPrivateKey); Assert.IsNull(certSansKey.PrivateKey); var certWithKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxWithKey)); Assert.IsTrue(certWithKey.HasPrivateKey); if (algor != PkiAsymmetricAlgorithm.Ecdsa) { // This throws: System.NotSupportedException: The certificate key algorithm is not supported. Assert.IsNotNull(certWithKey.PrivateKey); } }
public void ExportSelfSignedPkcs12(PkiAsymmetricAlgorithm algor, int bits) { var hashAlgor = PkiHashAlgorithm.Sha256; var sn = "CN=foo.example.com"; var keys = PkiKeyTests.GenerateKeyPair(algor, bits); var csr = new PkiCertificateSigningRequest(sn, keys, hashAlgor); var pfxSansKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-sanskey.pfx"); var pfxWithKey = Path.Combine(_testTemp, $"certselfexp-{algor}-{bits}-{hashAlgor}-withkey.pfx"); Assert.AreEqual(sn, csr.SubjectName); Assert.AreSame(keys.PublicKey, keys.PublicKey); Assert.AreEqual(hashAlgor, csr.HashAlgorithm); var cert = csr.CreateSelfSigned( DateTime.Now.AddMonths(-1), DateTime.Now.AddMonths(1)); Assert.AreEqual(sn, cert.SubjectName, "Subject Name on PKI Certificate"); var bclCert = cert.ToBclCertificate(); Assert.AreEqual(sn, bclCert.Subject, "Subject Name on BCL Certificate"); Assert.IsFalse(bclCert.HasPrivateKey); Assert.IsNull(bclCert.PrivateKey); File.WriteAllBytes(pfxSansKey, cert.Export(PkiArchiveFormat.Pkcs12)); File.WriteAllBytes(pfxWithKey, cert.Export(PkiArchiveFormat.Pkcs12, keys.PrivateKey)); using (var proc = OpenSsl.Start($"pkcs12 -info -in {pfxSansKey} -passin pass:"******"pkcs12 -info -in {pfxWithKey} -passin pass: -nokeys")) { proc.WaitForExit(); Assert.AreEqual(0, proc.ExitCode); } var certSansKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxSansKey)); Assert.IsFalse(certSansKey.HasPrivateKey); Assert.IsNull(certSansKey.PrivateKey); var certWithKey = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(pfxWithKey)); Assert.IsTrue(certWithKey.HasPrivateKey); if (algor != PkiAsymmetricAlgorithm.Ecdsa) { // This throws: System.NotSupportedException: The certificate key algorithm is not supported. Assert.IsNotNull(certWithKey.PrivateKey); } }