From 15f16684b8e55777f9c2e49a56013d748169b20b Mon Sep 17 00:00:00 2001 From: damienbod Date: Thu, 31 Oct 2024 09:30:50 +0100 Subject: [PATCH] Update namespaces --- CHANGELOG.md | 2 +- README.md | 4 +- src/CertificateManager.sln | 2 +- src/CertificateManagerTests/BuildChainUtil.cs | 117 +++-- .../ClientServerAuthTests.cs | 229 +++++---- .../DistinguishedNameTests.cs | 217 ++++---- src/CertificateManagerTests/DnsNameTests.cs | 72 ++- .../ImportExportTests.cs | 477 +++++++++--------- .../RsaKeySizeTests.cs | 273 +++++----- .../SubjectAlternativeNameTests.cs | 197 ++++---- .../ValidityPeriodClientServerAuthTests.cs | 147 +++--- .../Program.cs | 47 +- .../LowLevel/DeviceCertConfig.cs | 61 ++- .../LowLevel/IntermediateCertConfig.cs | 65 ++- .../LowLevel/IntermediateLevel3CertConfig.cs | 65 ++- .../LowLevel/LowLevelApiExamples.cs | 221 ++++---- .../LowLevel/RootCertConfig.cs | 69 ++- src/CreateChainedCertsConsoleDemo/Program.cs | 93 ++-- ...> CreateIdentityServerCertificates.csproj} | 64 +-- .../Program.cs | 215 ++++---- .../Program.cs | 93 ++-- src/IoTHubCreateChainedCerts/Program.cs | 67 ++- src/IoTHubCreateDeviceCertificate/Program.cs | 47 +- src/IoTHubVerifyCertificate/Program.cs | 46 +- 24 files changed, 1434 insertions(+), 1456 deletions(-) rename src/CreateIdentityServer4Certificates/{CreateIdentityServer4Certificates.csproj => CreateIdentityServerCertificates.csproj} (96%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e63851..d40e354 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,7 +35,7 @@ Update serial conversion to use big endian only ## 2020-01-27 version 1.0.2 * Small fixes for RSA certificates KeySize -* IdentityServer4 example certificates +* IdentityServer example certificates ## 2020-01-24 version 1.0.1 * Support RSA certificates diff --git a/README.md b/README.md index 29090c6..d86da20 100644 --- a/README.md +++ b/README.md 
@@ -46,7 +46,7 @@ Now the package is ready to use. See the [Documentation](https://github.com/dami - [Create verify certificate for Azure IoT Hub .pem or .cer](https://github.com/damienbod/AspNetCoreCertificates/tree/master/src/IoTHubVerifyCertificate) - [Create device (Leaf) certificate for Azure IoT Hub device](https://github.com/damienbod/AspNetCoreCertificates/tree/master/src/IoTHubCreateDeviceCertificate) - [Create development certificates for SPAs HTTPS development, like Vue.js, Angular](https://github.com/damienbod/AspNetCoreCertificates/tree/master/src/CreateAngularVueJsDevelopmentCertificates) -- [Create certificates for IdentityServer4 RSA and ECDsa](https://github.com/damienbod/AspNetCoreCertificates/tree/master/src/CreateIdentityServer4Certificates) +- [Create certificates for IdentityServer RSA and ECDsa](https://github.com/damienbod/AspNetCoreCertificates/tree/master/src/CreateIdentityServer4Certificates) # Examples Using Certificates: @@ -70,6 +70,6 @@ https://github.com/oocx/ReadX509CertificateFromPem - [Creating Certificates for X.509 security in Azure IoT Hub using .NET Core](https://damienbod.com/2020/01/29/creating-certificates-for-x-509-security-in-azure-iot-hub-using-net-core/) - [Creating Certificates in .NET Core for Vue.js development using HTTPS](https://damienbod.com/2020/02/04/creating-certificates-in-net-core-for-vue-js-development-using-https/) -- [Create Certificates for IdentityServer4 signing using .NET Core](https://damienbod.com/2020/02/10/create-certificates-for-identityserver4-signing-using-net-core/) +- [Create Certificates for IdentityServer signing using .NET Core](https://damienbod.com/2020/02/10/create-certificates-for-identityserver4-signing-using-net-core/) - [Provisioning X.509 Devices for Azure IoT Hub using .NET Core](https://damienbod.com/2020/02/20/provisioning-x-509-devices-for-azure-iot-hub-using-net-core) diff --git a/src/CertificateManager.sln b/src/CertificateManager.sln index 51cae36..d6aa45c 100644 
--- a/src/CertificateManager.sln +++ b/src/CertificateManager.sln @@ -28,7 +28,7 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IoTHubCreateDeviceCertifica EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CreateAngularVueJsDevelopmentCertificates", "CreateAngularVueJsDevelopmentCertificates\CreateAngularVueJsDevelopmentCertificates.csproj", "{4761AF09-95B5-4632-92D6-872652C354C7}" EndProject -Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CreateIdentityServer4Certificates", "CreateIdentityServer4Certificates\CreateIdentityServer4Certificates.csproj", "{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}" +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CreateIdentityServerCertificates", "CreateIdentityServer4Certificates\CreateIdentityServerCertificates.csproj", "{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution diff --git a/src/CertificateManagerTests/BuildChainUtil.cs b/src/CertificateManagerTests/BuildChainUtil.cs index 075e9ad..5c66fe7 100644 --- a/src/CertificateManagerTests/BuildChainUtil.cs +++ b/src/CertificateManagerTests/BuildChainUtil.cs 
@@ -2,78 +2,77 @@ using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public static class BuildChainUtil { - public static class BuildChainUtil - { - private static readonly Oid ServerCertificateOid = OidLookup.ServerAuthentication; - private static readonly Oid ClientCertificateOid = OidLookup.ClientAuthentication; + private static readonly Oid ServerCertificateOid = OidLookup.ServerAuthentication; + private static readonly Oid ClientCertificateOid = OidLookup.ClientAuthentication; - public static X509ChainPolicy BuildChainPolicySelfSigned( - X509Certificate2 certificate, - bool ValidateCertificateUse, - bool ValidateValidityPeriod) + public static X509ChainPolicy BuildChainPolicySelfSigned( + X509Certificate2 certificate, + bool ValidateCertificateUse, + bool ValidateValidityPeriod) + { + // Turn off chain validation, because we have a self signed certificate. + var revocationFlag = X509RevocationFlag.EntireChain; + var revocationMode = X509RevocationMode.NoCheck; + var chainPolicy = new X509ChainPolicy { - // Turn off chain validation, because we have a self signed certificate. 
- var revocationFlag = X509RevocationFlag.EntireChain; - var revocationMode = X509RevocationMode.NoCheck; - var chainPolicy = new X509ChainPolicy - { - RevocationFlag = revocationFlag, - RevocationMode = revocationMode, - }; - - if (ValidateCertificateUse) - { - chainPolicy.ApplicationPolicy.Add(ClientCertificateOid); - } + RevocationFlag = revocationFlag, + RevocationMode = revocationMode, + }; - chainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority; - chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown; - chainPolicy.ExtraStore.Add(certificate); + if (ValidateCertificateUse) + { + chainPolicy.ApplicationPolicy.Add(ClientCertificateOid); + } - if (!ValidateValidityPeriod) - { - chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreNotTimeValid; - } + chainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority; + chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown; + chainPolicy.ExtraStore.Add(certificate); - return chainPolicy; + if (!ValidateValidityPeriod) + { + chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreNotTimeValid; } - public static X509ChainPolicy BuildChainPolicyChained( - X509Certificate2 root, X509Certificate2 intermediate, - X509Certificate2 server, X509Certificate2 client, - X509RevocationFlag revocationFlag, - X509RevocationMode revocationMode, - bool ValidateCertificateUse, - bool ValidateValidityPeriod) - { - var chainPolicy = new X509ChainPolicy - { - RevocationFlag = revocationFlag, - RevocationMode = revocationMode, - }; + return chainPolicy; + } - if (ValidateCertificateUse) - { - chainPolicy.ApplicationPolicy.Add(ClientCertificateOid); - } + public static X509ChainPolicy BuildChainPolicyChained( + X509Certificate2 root, X509Certificate2 intermediate, + X509Certificate2 server, X509Certificate2 client, + X509RevocationFlag revocationFlag, + X509RevocationMode revocationMode, + bool 
ValidateCertificateUse, + bool ValidateValidityPeriod) + { + var chainPolicy = new X509ChainPolicy + { + RevocationFlag = revocationFlag, + RevocationMode = revocationMode, + }; - // This is NOT the default !!! - // Only set this to validate the other parts of the chained flow - chainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority; + if (ValidateCertificateUse) + { + chainPolicy.ApplicationPolicy.Add(ClientCertificateOid); + } - chainPolicy.ExtraStore.Add(root); - chainPolicy.ExtraStore.Add(intermediate); - chainPolicy.ExtraStore.Add(server); - chainPolicy.ExtraStore.Add(client); + // This is NOT the default !!! + // Only set this to validate the other parts of the chained flow + chainPolicy.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority; - if (!ValidateValidityPeriod) - { - chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreNotTimeValid; - } + chainPolicy.ExtraStore.Add(root); + chainPolicy.ExtraStore.Add(intermediate); + chainPolicy.ExtraStore.Add(server); + chainPolicy.ExtraStore.Add(client); - return chainPolicy; + if (!ValidateValidityPeriod) + { + chainPolicy.VerificationFlags |= X509VerificationFlags.IgnoreNotTimeValid; } + + return chainPolicy; } } diff --git a/src/CertificateManagerTests/ClientServerAuthTests.cs b/src/CertificateManagerTests/ClientServerAuthTests.cs index fa248c0..3138c6d 100644 --- a/src/CertificateManagerTests/ClientServerAuthTests.cs +++ b/src/CertificateManagerTests/ClientServerAuthTests.cs 
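Review bot: `BuildChainPolicyChained` still sets `X509VerificationFlags.AllowUnknownCertificateAuthority` unconditionally, so `chain.Build` succeeds as long as the path ends at some self-signed certificate, not necessarily the `root` the caller passed in, which weakens what the chained tests actually prove. Since the root is already in hand, the policy can pin it instead: `chainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; chainPolicy.CustomTrustStore.Add(root);` (available since .NET Core 3.0), after which the flag and the "This is NOT the default" warning comment can go; the same applies to `BuildChainPolicySelfSigned` with `certificate` as the custom root. `ServerCertificateOid` is declared but never read — both builders add only `ClientCertificateOid` to `ApplicationPolicy`, so either drop the field or take the expected EKU as a parameter. The `ValidateCertificateUse`/`ValidateValidityPeriod` parameters are PascalCase; C# convention is camelCase for parameters.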
@@ -7,144 +7,143 @@ using System.Security.Cryptography.X509Certificates; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class ClientServerAuthTests { - public class ClientServerAuthTests + private static (X509Certificate2 root, X509Certificate2 intermediate, X509Certificate2 server, X509Certificate2 client) SetupCerts() { - private static (X509Certificate2 root, X509Certificate2 intermediate, X509Certificate2 server, X509Certificate2 client) SetupCerts() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); - - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName { CommonName = "root dev", Country = "IT" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - rootCaL1.FriendlyName = "developement root L1 certificate"; - - // Intermediate L2 chained from root L1 - var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( - new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 2, "localhost", rootCaL1); - intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; - - // Server, Client L3 chained from Intermediate L2 - var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( - new DistinguishedName { CommonName = "server", Country = "DE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); - - var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( - new DistinguishedName { CommonName = "client", Country = "IE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); - 
serverL3.FriendlyName = "developement server L3 certificate"; - clientL3.FriendlyName = "developement client L3 certificate"; - - return (rootCaL1, intermediateCaL2, serverL3, clientL3); - } + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); + + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { CommonName = "root dev", Country = "IT" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + rootCaL1.FriendlyName = "developement root L1 certificate"; + + // Intermediate L2 chained from root L1 + var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( + new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 2, "localhost", rootCaL1); + intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; + + // Server, Client L3 chained from Intermediate L2 + var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( + new DistinguishedName { CommonName = "server", Country = "DE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + + var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( + new DistinguishedName { CommonName = "client", Country = "IE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + serverL3.FriendlyName = "developement server L3 certificate"; + clientL3.FriendlyName = "developement client L3 certificate"; + + return (rootCaL1, intermediateCaL2, serverL3, clientL3); + } - [Fact] - public void ValidateSelfSigned() - { - var (root, intermediate, server, client) = SetupCerts(); - 
Assert.True(root.IsSelfSigned()); - Assert.False(intermediate.IsSelfSigned()); - Assert.False(server.IsSelfSigned()); - Assert.False(client.IsSelfSigned()); - } + [Fact] + public void ValidateSelfSigned() + { + var (root, intermediate, server, client) = SetupCerts(); + Assert.True(root.IsSelfSigned()); + Assert.False(intermediate.IsSelfSigned()); + Assert.False(server.IsSelfSigned()); + Assert.False(client.IsSelfSigned()); + } - [Fact] - public void ValidateSelfSignedValid() + [Fact] + public void ValidateSelfSignedValid() + { + var (root, _, _, _) = SetupCerts(); + + var x509ChainPolicy = BuildChainUtil.BuildChainPolicySelfSigned(root, true, true); + var chain = new X509Chain { - var (root, _, _, _) = SetupCerts(); + ChainPolicy = x509ChainPolicy + }; - var x509ChainPolicy = BuildChainUtil.BuildChainPolicySelfSigned(root, true, true); - var chain = new X509Chain - { - ChainPolicy = x509ChainPolicy - }; + var certificateIsValid = chain.Build(root); + Assert.True(certificateIsValid); + } - var certificateIsValid = chain.Build(root); - Assert.True(certificateIsValid); - } + [Fact] + public void ValidateChainedValid() + { + var (root, intermediate, server, client) = SetupCerts(); - [Fact] - public void ValidateChainedValid() + var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( + root, intermediate, server, client, + X509RevocationFlag.ExcludeRoot, + X509RevocationMode.NoCheck, + true, true); + + var chain = new X509Chain { - var (root, intermediate, server, client) = SetupCerts(); + ChainPolicy = x509ChainPolicy + }; - var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( - root, intermediate, server, client, - X509RevocationFlag.ExcludeRoot, - X509RevocationMode.NoCheck, - true, true); + var certificateIsValid = chain.Build(client); + Assert.True(certificateIsValid); + } - var chain = new X509Chain - { - ChainPolicy = x509ChainPolicy - }; + [Fact] + public void ValidateChainedInValidEU() + { + var (root, intermediate, server, client) = 
SetupCerts(); - var certificateIsValid = chain.Build(client); - Assert.True(certificateIsValid); - } + // we only accept client certs when the ValidateCertificateUse is true + var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( + root, intermediate, server, client, + X509RevocationFlag.ExcludeRoot, + X509RevocationMode.NoCheck, + true, true); - [Fact] - public void ValidateChainedInValidEU() + var chain = new X509Chain { - var (root, intermediate, server, client) = SetupCerts(); - - // we only accept client certs when the ValidateCertificateUse is true - var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( - root, intermediate, server, client, - X509RevocationFlag.ExcludeRoot, - X509RevocationMode.NoCheck, - true, true); + ChainPolicy = x509ChainPolicy + }; - var chain = new X509Chain - { - ChainPolicy = x509ChainPolicy - }; - - var certificateIsValid = chain.Build(server); - Assert.False(certificateIsValid); + var certificateIsValid = chain.Build(server); + Assert.False(certificateIsValid); - if (!certificateIsValid) + if (!certificateIsValid) + { + var chainErrors = new List(); + foreach (var validationFailure in chain.ChainStatus) { - var chainErrors = new List(); - foreach (var validationFailure in chain.ChainStatus) - { - chainErrors.Add(validationFailure.Status); - } - Assert.True(chainErrors.Contains(X509ChainStatusFlags.NotValidForUsage), "expect NotValidForUsage"); + chainErrors.Add(validationFailure.Status); } - + Assert.True(chainErrors.Contains(X509ChainStatusFlags.NotValidForUsage), "expect NotValidForUsage"); } - [Fact] - public void ValidateChainedInValidIntermediate() - { - var (root, intermediate, server, client) = SetupCerts(); + } - // we only accept client certs when the ValidateCertificateUse is true - var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( - root, intermediate, server, client, - X509RevocationFlag.ExcludeRoot, - X509RevocationMode.NoCheck, - true, true); + [Fact] + public void 
ValidateChainedInValidIntermediate() + { + var (root, intermediate, server, client) = SetupCerts(); - var chain = new X509Chain - { - ChainPolicy = x509ChainPolicy - }; + // we only accept client certs when the ValidateCertificateUse is true + var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( + root, intermediate, server, client, + X509RevocationFlag.ExcludeRoot, + X509RevocationMode.NoCheck, + true, true); - var certificateIsValid = chain.Build(intermediate); - Assert.True(certificateIsValid); - } + var chain = new X509Chain + { + ChainPolicy = x509ChainPolicy + }; + var certificateIsValid = chain.Build(intermediate); + Assert.True(certificateIsValid); } + } diff --git a/src/CertificateManagerTests/DistinguishedNameTests.cs b/src/CertificateManagerTests/DistinguishedNameTests.cs index e86272b..5170359 100644 --- a/src/CertificateManagerTests/DistinguishedNameTests.cs +++ b/src/CertificateManagerTests/DistinguishedNameTests.cs 
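Review bot: `SetupCerts` assigns `X509Certificate2.FriendlyName` on all four certificates; as far as I recall that setter is Windows-only and throws `PlatformNotSupportedException` on Linux/macOS, so every test in this class (and `ImportExportTests.SetupCerts`, which duplicates this block verbatim) would fail on non-Windows runners — if the suite is meant to run there, guard the assignments with `OperatingSystem.IsWindows()` or drop them, since no test reads the names. In `ValidateChainedInValidEU` the `if (!certificateIsValid)` block is redundant after `Assert.False(certificateIsValid)`, and the list copy can be replaced by `Assert.Contains(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.NotValidForUsage);`. The `X509Chain` instances wrap native handles and are never disposed; `using var chain = new X509Chain { ChainPolicy = x509ChainPolicy };` in each test fixes that. A shared test fixture for the certificate set would also keep this class and `ImportExportTests` from drifting apart.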
@@ -4,129 +4,128 @@ using System; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class DistinguishedNameTests { - public class DistinguishedNameTests + + [Fact] + public void DnCompleteValid() { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - [Fact] - public void DnCompleteValid() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); - - - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName - { - CommonName = "root dev", - Country = "IT", - Locality = "DD", - Organisation = "SS", - OrganisationUnit = "unit", - StateProvince = "yes" - }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - - Assert.Equal("CN=root dev, C=IT, O=SS, OU=unit, L=DD, S=yes", rootCaL1.Subject); - Assert.Equal("CN=root dev, C=IT, O=SS, OU=unit, L=DD, S=yes", rootCaL1.Issuer); - } - - [Fact] - public void DnHalfCompleteValid() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var createClientServerAuthCerts = serviceProvider.GetService(); + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName + { + CommonName = "root dev", + Country = "IT", + Locality = "DD", + Organisation = "SS", + OrganisationUnit = "unit", + StateProvince = "yes" + }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + + Assert.Equal("CN=root dev, C=IT, O=SS, OU=unit, L=DD, S=yes", rootCaL1.Subject); + Assert.Equal("CN=root dev, C=IT, O=SS, OU=unit, L=DD, S=yes", rootCaL1.Issuer); + } - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName - { - CommonName = 
"root dev", - Country = "IT", - Locality = "DD", - Organisation = "SS" + [Fact] + public void DnHalfCompleteValid() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); + var createClientServerAuthCerts = serviceProvider.GetService(); - Assert.Equal("CN=root dev, C=IT, O=SS, L=DD", rootCaL1.Subject); - Assert.Equal("CN=root dev, C=IT, O=SS, L=DD", rootCaL1.Issuer); - } - [Fact] - public void DnMissingCountry() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); - - var root = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName - { - CommonName = "root dev", - Locality = "DD", - Organisation = "SS", - OrganisationUnit = "unit", - StateProvince = "yes" - }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - - Assert.NotNull(root); - } - - [Fact] - public void DnMissingCommonName() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName + { + CommonName = "root dev", + Country = "IT", + Locality = "DD", + Organisation = "SS" + + }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + + Assert.Equal("CN=root dev, C=IT, O=SS, L=DD", rootCaL1.Subject); + Assert.Equal("CN=root dev, C=IT, O=SS, L=DD", rootCaL1.Issuer); + } - var createClientServerAuthCerts = serviceProvider.GetService(); + [Fact] + public void DnMissingCountry() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); - var 
exception = Assert.Throws(() => + var root = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { - createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName - { - Country = "IT", - Locality = "DD", - Organisation = "SS", - OrganisationUnit = "unit", - StateProvince = "yes" - }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - }); - } - - [Fact] - public void DnNull() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + CommonName = "root dev", + Locality = "DD", + Organisation = "SS", + OrganisationUnit = "unit", + StateProvince = "yes" + }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + + Assert.NotNull(root); + } - var createClientServerAuthCerts = serviceProvider.GetService(); + [Fact] + public void DnMissingCommonName() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); - var exception = Assert.Throws(() => + var exception = Assert.Throws(() => + { + createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { - createClientServerAuthCerts.NewRootCertificate( - null, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - }); - } + Country = "IT", + Locality = "DD", + Organisation = "SS", + OrganisationUnit = "unit", + StateProvince = "yes" + }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + }); + } + + [Fact] + public void DnNull() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); + + var exception = Assert.Throws(() => + { + 
createClientServerAuthCerts.NewRootCertificate( + null, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + }); } } diff --git a/src/CertificateManagerTests/DnsNameTests.cs b/src/CertificateManagerTests/DnsNameTests.cs index 9791f22..de1d54c 100644 --- a/src/CertificateManagerTests/DnsNameTests.cs +++ b/src/CertificateManagerTests/DnsNameTests.cs 
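Review bot: In `DnMissingCommonName` and `DnNull` the `exception` returned by `Assert.Throws` is captured but never inspected, so the tests only prove that something of the expected type was thrown, not that it was thrown because of the missing CN or the null argument; either discard it (`_ = Assert.Throws(...)`) or assert on it, e.g. on `exception.Message` or `ParamName` if the library's exception carries the field name (not visible here) — `DnsNameTests.DnsNameInvalid` has the same unused capture. All four tests rebuild a `ServiceProvider` and resolve the same service; a private helper or a field initialised in the constructor would remove the repetition, and the `ServiceProvider` is `IDisposable` but never disposed. `DnHalfCompleteValid` also carries a stray blank line inside the `DistinguishedName` initializer.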
@@ -4,55 +4,53 @@ using System; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class DnsNameTests { - public class DnsNameTests + [Fact] + public void DnsNameValid() { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - [Fact] - public void DnsNameValid() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName { CommonName = "root dev", Country = "IT" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { CommonName = "root dev", Country = "IT" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); - Assert.Equal("CN=root dev, C=IT", rootCaL1.Subject); - } + Assert.Equal("CN=root dev, C=IT", rootCaL1.Subject); + } - [Fact] - public void DnsNameInvalid() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + [Fact] + public void DnsNameInvalid() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var createClientServerAuthCerts = serviceProvider.GetService(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var exception = Assert.Throws(() => + var exception = Assert.Throws(() => + { + createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { - createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName - { - CommonName = "root dev", - Country = "IT", - Locality = "DD", - Organisation = "SS" + CommonName = "root dev", + Country = "IT", + 
Locality = "DD", + Organisation = "SS" - }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "local _ host"); - }); + }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "local _ host"); + }); - } - } + } diff --git a/src/CertificateManagerTests/ImportExportTests.cs b/src/CertificateManagerTests/ImportExportTests.cs index 0c6873e..8e7ba2f 100644 --- a/src/CertificateManagerTests/ImportExportTests.cs +++ b/src/CertificateManagerTests/ImportExportTests.cs 
@@ -5,256 +5,256 @@ using System.Security.Cryptography.X509Certificates; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class ImportExportTests { - public class ImportExportTests + private (X509Certificate2 root, X509Certificate2 intermediate, X509Certificate2 server, X509Certificate2 client) SetupCerts() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); + + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { CommonName = "root dev", Country = "IT" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + rootCaL1.FriendlyName = "developement root L1 certificate"; + + // Intermediate L2 chained from root L1 + var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( + new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 2, "localhost", rootCaL1); + intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; + + // Server, Client L3 chained from Intermediate L2 + var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( + new DistinguishedName { CommonName = "server", Country = "DE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + + var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( + new DistinguishedName { CommonName = "client", Country = "IE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + serverL3.FriendlyName = "developement server L3 certificate"; + clientL3.FriendlyName = "developement client L3 certificate"; + + return (rootCaL1, 
intermediateCaL2, serverL3, clientL3); + } + + [Fact] + public void ImportExportCrtSelfSignedPem() + { + var (root, intermediate, server, client) = SetupCerts(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + var importExport = serviceProvider.GetService(); + + var crtPem = importExport.PemExportPfxFullCertificate(root); + var roundTripCertificate = importExport.PemImportCertificate(crtPem); + + Assert.Equal(root.Subject, roundTripCertificate.Subject); + Assert.True(roundTripCertificate.HasPrivateKey); + + } + + [Fact] + public void ImportExportPasswordCrtPem() { - private (X509Certificate2 root, X509Certificate2 intermediate, X509Certificate2 server, X509Certificate2 client) SetupCerts() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); - - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName { CommonName = "root dev", Country = "IT" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - rootCaL1.FriendlyName = "developement root L1 certificate"; - - // Intermediate L2 chained from root L1 - var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( - new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 2, "localhost", rootCaL1); - intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; - - // Server, Client L3 chained from Intermediate L2 - var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( - new DistinguishedName { CommonName = "server", Country = "DE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); - - var clientL3 = 
createClientServerAuthCerts.NewClientChainedCertificate( - new DistinguishedName { CommonName = "client", Country = "IE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); - serverL3.FriendlyName = "developement server L3 certificate"; - clientL3.FriendlyName = "developement client L3 certificate"; - - return (rootCaL1, intermediateCaL2, serverL3, clientL3); - } - - [Fact] - public void ImportExportCrtSelfSignedPem() - { - var (root, intermediate, server, client) = SetupCerts(); - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - var importExport = serviceProvider.GetService(); - - var crtPem = importExport.PemExportPfxFullCertificate(root); - var roundTripCertificate = importExport.PemImportCertificate(crtPem); - - Assert.Equal(root.Subject, roundTripCertificate.Subject); - Assert.True(roundTripCertificate.HasPrivateKey); - - } - - [Fact] - public void ImportExportPasswordCrtPem() - { - var (root, intermediate, server, client) = SetupCerts(); - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - var importExport = serviceProvider.GetService(); - - var crtPem = importExport.PemExportPfxFullCertificate(intermediate, "23456"); - var roundTripCertificate = importExport.PemImportCertificate(crtPem, "23456"); - - Assert.Equal(intermediate.Subject, roundTripCertificate.Subject); - Assert.True(intermediate.HasPrivateKey); - Assert.True(roundTripCertificate.HasPrivateKey); - } - - [Fact] - public void ExportEDAsaPublicKeyCertificatePem() - { - var (root, intermediate, server, client) = SetupCerts(); - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - var importExport = serviceProvider.GetService(); - - var crtPem = importExport.PemExportPublicKeyCertificate(intermediate); - var roundTripCertificate = importExport.PemImportCertificate(crtPem); 
- - Assert.Equal(intermediate.Subject, roundTripCertificate.Subject); - Assert.True(intermediate.HasPrivateKey); - Assert.False(roundTripCertificate.HasPrivateKey); - } - - [Fact] - public void ImportExportIncorrectPasswordCrtPem() - { - var (root, intermediate, server, client) = SetupCerts(); - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - var importExport = serviceProvider.GetService(); - - var exception = Assert.Throws(() => + var (root, intermediate, server, client) = SetupCerts(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + var importExport = serviceProvider.GetService(); + + var crtPem = importExport.PemExportPfxFullCertificate(intermediate, "23456"); + var roundTripCertificate = importExport.PemImportCertificate(crtPem, "23456"); + + Assert.Equal(intermediate.Subject, roundTripCertificate.Subject); + Assert.True(intermediate.HasPrivateKey); + Assert.True(roundTripCertificate.HasPrivateKey); + } + + [Fact] + public void ExportEDAsaPublicKeyCertificatePem() + { + var (root, intermediate, server, client) = SetupCerts(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + var importExport = serviceProvider.GetService(); + + var crtPem = importExport.PemExportPublicKeyCertificate(intermediate); + var roundTripCertificate = importExport.PemImportCertificate(crtPem); + + Assert.Equal(intermediate.Subject, roundTripCertificate.Subject); + Assert.True(intermediate.HasPrivateKey); + Assert.False(roundTripCertificate.HasPrivateKey); + } + + [Fact] + public void ImportExportIncorrectPasswordCrtPem() + { + var (root, intermediate, server, client) = SetupCerts(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + var importExport = serviceProvider.GetService(); + + var exception = Assert.Throws(() => + { + try { - try - { - var crtPem = 
importExport.PemExportPfxFullCertificate(intermediate, "23HHHH456"); - var roundTripCertificate = importExport.PemImportCertificate(crtPem, "23456"); - } - catch (Exception ex) - { - // internal Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : The specified network password is not correct. - Assert.Equal("The specified network password is not correct.", ex.Message); - throw new ArgumentException(); - } - }); - - } - - [Fact] - public void ImportExportExportFullPfxPem() - { - var (root, intermediate, server, client) = SetupCerts(); - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - var importExport = serviceProvider.GetService(); - - var pfxPem = importExport.PemExportPfxFullCertificate(intermediate); - - var roundTripPfxPem = importExport.PemImportCertificate(pfxPem); - - Assert.Equal(intermediate.Subject, roundTripPfxPem.Subject); - Assert.True(intermediate.HasPrivateKey); - Assert.True(roundTripPfxPem.HasPrivateKey); - } - - [Fact] - public void ImportExportRsaCertPublicKeyPem() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var ccRsa = serviceProvider.GetService(); - var importExport = serviceProvider.GetService(); - - var rsaCert = ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048); - - var publicKeyPem = importExport.PemExportPublicKeyCertificate(rsaCert); - var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); - - Assert.Equal(rsaCert.Subject, roundTripPublicKeyPem.Subject); - Assert.True(rsaCert.HasPrivateKey); - Assert.False(roundTripPublicKeyPem.HasPrivateKey); - } - - [Fact] - public void ImportExportRsaPrivateKeyPublicKeyPairPem() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var ccRsa = serviceProvider.GetService(); - var importExport = serviceProvider.GetService(); - - var rsaCert = 
ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048); - - var publicKeyPem = importExport.PemExportPublicKeyCertificate(rsaCert); - var rsaPrivateKeyPem = importExport.PemExportRsaPrivateKey(rsaCert); - - var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); - var roundTripRsaPrivateKeyPem = importExport.PemImportPrivateKey(rsaPrivateKeyPem); - - var roundTripFullCert = - importExport.CreateCertificateWithPrivateKey(roundTripPublicKeyPem, roundTripRsaPrivateKeyPem, "1234"); - - Assert.Equal(rsaCert.Subject, roundTripPublicKeyPem.Subject); - Assert.Equal(rsaCert.Thumbprint, roundTripFullCert.Thumbprint); - Assert.True(roundTripFullCert.HasPrivateKey); - Assert.Equal("sha256RSA", roundTripFullCert.SignatureAlgorithm.FriendlyName); - } - - [Fact] - public void ImportExportECPrivateKeyPublicKeyPairPem() - { - var (root, intermediate, server, client) = SetupCerts(); - - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var importExport = serviceProvider.GetService(); - - var publicKeyPem = importExport.PemExportPublicKeyCertificate(root); - var ecPrivateKeyPem = importExport.PemExportECPrivateKey(root); - - var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); - var roundTripRsaPrivateKeyPem = importExport.PemImportPrivateKey(ecPrivateKeyPem); - - var roundTripFullCert = - importExport.CreateCertificateWithPrivateKey( - roundTripPublicKeyPem, - roundTripRsaPrivateKeyPem, "1234"); - - Assert.Equal(root.Subject, roundTripPublicKeyPem.Subject); - Assert.Equal(root.Thumbprint, roundTripFullCert.Thumbprint); - Assert.True(roundTripFullCert.HasPrivateKey); - Assert.Equal("sha256ECDSA", roundTripFullCert.SignatureAlgorithm.FriendlyName); - } + var crtPem = importExport.PemExportPfxFullCertificate(intermediate, "23HHHH456"); + var roundTripCertificate = importExport.PemImportCertificate(crtPem, "23456"); + } + catch (Exception ex) + { + // internal 
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : The specified network password is not correct. + Assert.Equal("The specified network password is not correct.", ex.Message); + throw new ArgumentException(); + } + }); - [Fact] - public void ImportExportSingleChainedECPrivateKeyPublicKeyPairPem() - { - var (root, intermediate, server, client) = SetupCerts(); + } - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + [Fact] + public void ImportExportExportFullPfxPem() + { + var (root, intermediate, server, client) = SetupCerts(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + var importExport = serviceProvider.GetService(); - var importExport = serviceProvider.GetService(); + var pfxPem = importExport.PemExportPfxFullCertificate(intermediate); - var publicKeyPem = importExport.PemExportPublicKeyCertificate(server); - var ecPrivateKeyPem = importExport.PemExportECPrivateKey(server); + var roundTripPfxPem = importExport.PemImportCertificate(pfxPem); - var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); - var roundTripRsaPrivateKeyPem = importExport.PemImportPrivateKey(ecPrivateKeyPem); + Assert.Equal(intermediate.Subject, roundTripPfxPem.Subject); + Assert.True(intermediate.HasPrivateKey); + Assert.True(roundTripPfxPem.HasPrivateKey); + } - var roundTripFullCert = - importExport.CreateCertificateWithPrivateKey( - roundTripPublicKeyPem, - roundTripRsaPrivateKeyPem); + [Fact] + public void ImportExportRsaCertPublicKeyPem() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - Assert.Equal(server.Subject, roundTripPublicKeyPem.Subject); - Assert.Equal(server.Thumbprint, roundTripFullCert.Thumbprint); - Assert.True(roundTripFullCert.HasPrivateKey); - Assert.Equal("sha256ECDSA", roundTripFullCert.SignatureAlgorithm.FriendlyName); - } + var ccRsa = 
serviceProvider.GetService(); + var importExport = serviceProvider.GetService(); + + var rsaCert = ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048); + + var publicKeyPem = importExport.PemExportPublicKeyCertificate(rsaCert); + var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); + + Assert.Equal(rsaCert.Subject, roundTripPublicKeyPem.Subject); + Assert.True(rsaCert.HasPrivateKey); + Assert.False(roundTripPublicKeyPem.HasPrivateKey); + } + + [Fact] + public void ImportExportRsaPrivateKeyPublicKeyPairPem() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - [Fact] - public void ImportDerPem() - { + var ccRsa = serviceProvider.GetService(); + var importExport = serviceProvider.GetService(); + + var rsaCert = ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048); + + var publicKeyPem = importExport.PemExportPublicKeyCertificate(rsaCert); + var rsaPrivateKeyPem = importExport.PemExportRsaPrivateKey(rsaCert); + + var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); + var roundTripRsaPrivateKeyPem = importExport.PemImportPrivateKey(rsaPrivateKeyPem); + + var roundTripFullCert = + importExport.CreateCertificateWithPrivateKey(roundTripPublicKeyPem, roundTripRsaPrivateKeyPem, "1234"); + + Assert.Equal(rsaCert.Subject, roundTripPublicKeyPem.Subject); + Assert.Equal(rsaCert.Thumbprint, roundTripFullCert.Thumbprint); + Assert.True(roundTripFullCert.HasPrivateKey); + Assert.Equal("sha256RSA", roundTripFullCert.SignatureAlgorithm.FriendlyName); + } + + [Fact] + public void ImportExportECPrivateKeyPublicKeyPairPem() + { + var (root, intermediate, server, client) = SetupCerts(); + + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var importExport = serviceProvider.GetService(); + + var publicKeyPem = importExport.PemExportPublicKeyCertificate(root); + var ecPrivateKeyPem = importExport.PemExportECPrivateKey(root); 
+ + var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); + var roundTripRsaPrivateKeyPem = importExport.PemImportPrivateKey(ecPrivateKeyPem); + + var roundTripFullCert = + importExport.CreateCertificateWithPrivateKey( + roundTripPublicKeyPem, + roundTripRsaPrivateKeyPem, "1234"); + + Assert.Equal(root.Subject, roundTripPublicKeyPem.Subject); + Assert.Equal(root.Thumbprint, roundTripFullCert.Thumbprint); + Assert.True(roundTripFullCert.HasPrivateKey); + Assert.Equal("sha256ECDSA", roundTripFullCert.SignatureAlgorithm.FriendlyName); + } + + [Fact] + public void ImportExportSingleChainedECPrivateKeyPublicKeyPairPem() + { + var (root, intermediate, server, client) = SetupCerts(); + + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var importExport = serviceProvider.GetService(); + + var publicKeyPem = importExport.PemExportPublicKeyCertificate(server); + var ecPrivateKeyPem = importExport.PemExportECPrivateKey(server); + + var roundTripPublicKeyPem = importExport.PemImportCertificate(publicKeyPem); + var roundTripRsaPrivateKeyPem = importExport.PemImportPrivateKey(ecPrivateKeyPem); + + var roundTripFullCert = + importExport.CreateCertificateWithPrivateKey( + roundTripPublicKeyPem, + roundTripRsaPrivateKeyPem); + + Assert.Equal(server.Subject, roundTripPublicKeyPem.Subject); + Assert.Equal(server.Thumbprint, roundTripFullCert.Thumbprint); + Assert.True(roundTripFullCert.HasPrivateKey); + Assert.Equal("sha256ECDSA", roundTripFullCert.SignatureAlgorithm.FriendlyName); + } + + [Fact] + public void ImportDerPem() + { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var importExport = serviceProvider.GetService(); + var importExport = serviceProvider.GetService(); - var certstring = @"-----BEGIN CERTIFICATE----- + var certstring = 
@"-----BEGIN CERTIFICATE----- MIIEBzCCAu+gAwIBAgIQLlpk6CS8R0Z09GPVciC2qjANBgkqhkiG9w0BAQsFADAyMTAwLgYDVQQD EydEaWVnbyBJbnN0YW5jZSBJZGVudGl0eSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjAwMjE5MTkzMjQy WhcNMjAwMjIwMTkzMjQyWjCByDGBnjA4BgNVBAsTMW9yZ2FuaXphdGlvbjpkN2FmZTVjYi0yZDQy @@ -277,9 +277,8 @@ public void ImportDerPem() -----END CERTIFICATE-----"; - var pemCertImported = importExport.PemImportCertificate(certstring); + var pemCertImported = importExport.PemImportCertificate(certstring); - Assert.Equal("sha256RSA", pemCertImported.SignatureAlgorithm.FriendlyName); - } + Assert.Equal("sha256RSA", pemCertImported.SignatureAlgorithm.FriendlyName); } } diff --git a/src/CertificateManagerTests/RsaKeySizeTests.cs b/src/CertificateManagerTests/RsaKeySizeTests.cs index 32c914d..d9f1a0b 100644 --- a/src/CertificateManagerTests/RsaKeySizeTests.cs +++ b/src/CertificateManagerTests/RsaKeySizeTests.cs 
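Review bot: `ImportExportIncorrectPasswordCrtPem` asserts on the Windows CryptoAPI text `"The specified network password is not correct."` from inside `catch (Exception ex)` and then rethrows an `ArgumentException` to satisfy the outer `Assert.Throws`; on a non-Windows runtime the PKCS#12 decrypt failure carries a different message, and any message mismatch surfaces as an xUnit assertion exception instead of the expected `ArgumentException`, so the test fails for the wrong reason. Assert on the exception type rather than the message, e.g. `Assert.ThrowsAny<CryptographicException>(() => importExport.PemImportCertificate(importExport.PemExportPfxFullCertificate(intermediate, "23HHHH456"), "23456"));` (needs `using System.Security.Cryptography;`), assuming the library does not wrap the failure in its own exception type, which I cannot see from this hunk. The round-trip tests in the same hunk compare only `Subject` and `HasPrivateKey`; adding `Assert.Equal(root.Thumbprint, roundTripCertificate.Subject == root.Subject ? roundTripCertificate.Thumbprint : null);` is overkill, but a plain `Assert.Equal(root.Thumbprint, roundTripCertificate.Thumbprint);` would confirm the same certificate came back rather than merely one with the same name.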
@@ -7,162 +7,161 @@ using System.Security.Cryptography.X509Certificates; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class RsaKeySizeTests { - public class RsaKeySizeTests + [Fact] + public void CreateChainedCertificatesRsaKeySizeTest() { - [Fact] - public void CreateChainedCertificatesRsaKeySizeTest() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var cc = serviceProvider.GetService(); - var cert2048 = CreateRsaCertificate(cc, 2048); - var cert4096 = CreateRsaCertificate(cc, 4096); - - var chained1024 = CreateRsaCertificateChained(cc, 1024, cert2048); - var chained4096 = CreateRsaCertificateChained(cc, 4096, cert2048); - Assert.Equal(1024, chained1024.GetRSAPrivateKey().KeySize); - Assert.Equal(4096, chained4096.GetRSAPrivateKey().KeySize); - } - - [Fact] - public void CreateCertificatesRsaKeySizeTest() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var cc = serviceProvider.GetService(); + var cert2048 = CreateRsaCertificate(cc, 2048); + var cert4096 = CreateRsaCertificate(cc, 4096); + + var chained1024 = CreateRsaCertificateChained(cc, 1024, cert2048); + var chained4096 = CreateRsaCertificateChained(cc, 4096, cert2048); + Assert.Equal(1024, chained1024.GetRSAPrivateKey().KeySize); + Assert.Equal(4096, chained4096.GetRSAPrivateKey().KeySize); + } - var ccRsa = serviceProvider.GetService(); - var cert2048 = ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048); - Assert.Equal(2048, cert2048.GetRSAPrivateKey().KeySize); + [Fact] + public void CreateCertificatesRsaKeySizeTest() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var cert1024 = ccRsa.CreateDevelopmentCertificate("localhost", 2); - Assert.Equal(1024, 
cert1024.GetRSAPrivateKey().KeySize); - } + var ccRsa = serviceProvider.GetService(); + var cert2048 = ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048); + Assert.Equal(2048, cert2048.GetRSAPrivateKey().KeySize); - [Fact] - public void RsaKeySizeTest() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var cert1024 = ccRsa.CreateDevelopmentCertificate("localhost", 2); + Assert.Equal(1024, cert1024.GetRSAPrivateKey().KeySize); + } + + [Fact] + public void RsaKeySizeTest() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var cc = serviceProvider.GetService(); + var cc = serviceProvider.GetService(); - var cert2048 = CreateRsaCertificate(cc, 2048); - Assert.Equal(2048, cert2048.GetRSAPrivateKey().KeySize); + var cert2048 = CreateRsaCertificate(cc, 2048); + Assert.Equal(2048, cert2048.GetRSAPrivateKey().KeySize); - var cert4096 = CreateRsaCertificate(cc, 4096); - Assert.Equal(4096, cert4096.GetRSAPrivateKey().KeySize); - } + var cert4096 = CreateRsaCertificate(cc, 4096); + Assert.Equal(4096, cert4096.GetRSAPrivateKey().KeySize); + } - public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize) + public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize) + { + var basicConstraints = new BasicConstraints { - var basicConstraints = new BasicConstraints - { - CertificateAuthority = true, - HasPathLengthConstraint = true, - PathLengthConstraint = 2, - Critical = false - }; + CertificateAuthority = true, + HasPathLengthConstraint = true, + PathLengthConstraint = 2, + Critical = false + }; - var subjectAlternativeName = new SubjectAlternativeName - { - DnsName = new List - { - "localhost", - } - }; - - var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign - | X509KeyUsageFlags.DigitalSignature - | X509KeyUsageFlags.KeyEncipherment - | X509KeyUsageFlags.CrlSign - | 
X509KeyUsageFlags.DataEncipherment - | X509KeyUsageFlags.NonRepudiation - | X509KeyUsageFlags.KeyAgreement; - - // only if mtls is used - var enhancedKeyUsages = new OidCollection + var subjectAlternativeName = new SubjectAlternativeName + { + DnsName = new List { - OidLookup.ClientAuthentication, - OidLookup.ServerAuthentication - // OidLookup.CodeSigning, - // OidLookup.SecureEmail, - // OidLookup.TimeStamping - }; - - var certificate = createCertificates.NewRsaSelfSignedCertificate( - new DistinguishedName { CommonName = "localhost" }, - basicConstraints, - new ValidityPeriod - { - ValidFrom = DateTimeOffset.UtcNow, - ValidTo = DateTimeOffset.UtcNow.AddYears(1) - }, - subjectAlternativeName, - enhancedKeyUsages, - x509KeyUsageFlags, - new RsaConfiguration - { - KeySize = keySize - }); - - return certificate; - } - - public static X509Certificate2 CreateRsaCertificateChained(CreateCertificates createCertificates, int keySize, X509Certificate2 parentCert) + "localhost", + } + }; + + var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign + | X509KeyUsageFlags.DigitalSignature + | X509KeyUsageFlags.KeyEncipherment + | X509KeyUsageFlags.CrlSign + | X509KeyUsageFlags.DataEncipherment + | X509KeyUsageFlags.NonRepudiation + | X509KeyUsageFlags.KeyAgreement; + + // only if mtls is used + var enhancedKeyUsages = new OidCollection { - var basicConstraints = new BasicConstraints + OidLookup.ClientAuthentication, + OidLookup.ServerAuthentication + // OidLookup.CodeSigning, + // OidLookup.SecureEmail, + // OidLookup.TimeStamping + }; + + var certificate = createCertificates.NewRsaSelfSignedCertificate( + new DistinguishedName { CommonName = "localhost" }, + basicConstraints, + new ValidityPeriod + { + ValidFrom = DateTimeOffset.UtcNow, + ValidTo = DateTimeOffset.UtcNow.AddYears(1) + }, + subjectAlternativeName, + enhancedKeyUsages, + x509KeyUsageFlags, + new RsaConfiguration { - CertificateAuthority = false, - HasPathLengthConstraint = false, - PathLengthConstraint = 0, - 
Critical = false - }; + KeySize = keySize + }); + + return certificate; + } + + public static X509Certificate2 CreateRsaCertificateChained(CreateCertificates createCertificates, int keySize, X509Certificate2 parentCert) + { + var basicConstraints = new BasicConstraints + { + CertificateAuthority = false, + HasPathLengthConstraint = false, + PathLengthConstraint = 0, + Critical = false + }; - var subjectAlternativeName = new SubjectAlternativeName + var subjectAlternativeName = new SubjectAlternativeName + { + DnsName = new List { - DnsName = new List - { - "localhost", - } - }; + "localhost", + } + }; - var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; + var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; - // only if mtls is used - var enhancedKeyUsages = new OidCollection + // only if mtls is used + var enhancedKeyUsages = new OidCollection + { + OidLookup.ClientAuthentication, + OidLookup.ServerAuthentication + // OidLookup.CodeSigning, + // OidLookup.SecureEmail, + // OidLookup.TimeStamping + }; + + var certificate = createCertificates.NewRsaChainedCertificate( + new DistinguishedName { CommonName = "localhost" }, + basicConstraints, + new ValidityPeriod + { + ValidFrom = DateTimeOffset.UtcNow, + ValidTo = DateTimeOffset.UtcNow.AddYears(1) + }, + subjectAlternativeName, + parentCert, + enhancedKeyUsages, + x509KeyUsageFlags, + new RsaConfiguration { - OidLookup.ClientAuthentication, - OidLookup.ServerAuthentication - // OidLookup.CodeSigning, - // OidLookup.SecureEmail, - // OidLookup.TimeStamping - }; - - var certificate = createCertificates.NewRsaChainedCertificate( - new DistinguishedName { CommonName = "localhost" }, - basicConstraints, - new ValidityPeriod - { - ValidFrom = DateTimeOffset.UtcNow, - ValidTo = DateTimeOffset.UtcNow.AddYears(1) - }, - subjectAlternativeName, - parentCert, - enhancedKeyUsages, - x509KeyUsageFlags, - new RsaConfiguration - { - KeySize = keySize - }); - - return certificate; - } + KeySize = keySize + }); + 
return certificate; } + } diff --git a/src/CertificateManagerTests/SubjectAlternativeNameTests.cs b/src/CertificateManagerTests/SubjectAlternativeNameTests.cs index a23badd..ddd315e 100644 --- a/src/CertificateManagerTests/SubjectAlternativeNameTests.cs +++ b/src/CertificateManagerTests/SubjectAlternativeNameTests.cs 
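Review bot: `CreateCertificatesRsaKeySizeTest` pins `CreateDevelopmentCertificate("localhost", 2)` to a 1024-bit key and `CreateChainedCertificatesRsaKeySizeTest` builds `chained1024`; 1024-bit RSA is below the 2048-bit floor that current validators and TLS stacks enforce, so an assertion that this is the library default records a weak default rather than guarding against one. If the default is intentional for throwaway development certificates, say so on the `Assert.Equal(1024, cert1024.GetRSAPrivateKey().KeySize);` line, e.g. `// 1024 is the library's development-only default; production callers must pass an explicit key size of 2048 or more`, otherwise consider raising the default and the assertion to 2048 (the default lives in the library, outside this hunk). Separately, every `GetRSAPrivateKey()` call returns a disposable `RSA` that these tests never release; `using var key = cert2048.GetRSAPrivateKey();` followed by `Assert.Equal(2048, key.KeySize);` avoids leaking key handles across the run.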
@@ -8,119 +8,118 @@ using System.Security.Cryptography.X509Certificates; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class SubjectAlternativeNameTests { - public class SubjectAlternativeNameTests + [Fact] + public void SubjectAlternativeNameValidAll() { - [Fact] - public void SubjectAlternativeNameValidAll() + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createCertificates = serviceProvider.GetService(); + + var testCertificate = CreateSubjectAlternativeNameDetails( + new SubjectAlternativeName + { + DnsName = new List { "testones", "testtwos" }, + IpAddress = new IPAddress(2414), + Uri = new Uri("https://damienbod.com"), + UserPrincipalName = "myNameIsBob", + Email = "mick@jones.be" + }, + createCertificates); + + foreach (X509Extension extension in testCertificate.Extensions) { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createCertificates = serviceProvider.GetService(); - - var testCertificate = CreateSubjectAlternativeNameDetails( - new SubjectAlternativeName - { - DnsName = new List { "testones", "testtwos" }, - IpAddress = new IPAddress(2414), - Uri = new Uri("https://damienbod.com"), - UserPrincipalName = "myNameIsBob", - Email = "mick@jones.be" - }, - createCertificates); - - foreach (X509Extension extension in testCertificate.Extensions) + if (extension.Oid.FriendlyName == "Subject Alternative Name") { - if (extension.Oid.FriendlyName == "Subject Alternative Name") - { - var asndata = new AsnEncodedData(extension.Oid, extension.RawData); - var data = asndata.Format(false); - var expected = "DNS Name=testones, DNS Name=testtwos, RFC822 Name=mick@jones.be, IP Address=110.9.0.0, Other Name:Principal Name=myNameIsBob, URL=https://damienbod.com/"; - - Assert.Equal(expected, data); - return; - } - } + var asndata = new AsnEncodedData(extension.Oid, extension.RawData); + var data = 
asndata.Format(false); + var expected = "DNS Name=testones, DNS Name=testtwos, RFC822 Name=mick@jones.be, IP Address=110.9.0.0, Other Name:Principal Name=myNameIsBob, URL=https://damienbod.com/"; - throw new Exception("no SubjectAlternativeName found"); + Assert.Equal(expected, data); + return; + } } - [Fact] - public void SubjectAlternativeNameValidSomeValues() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + throw new Exception("no SubjectAlternativeName found"); + } - var createCertificates = serviceProvider.GetService(); + [Fact] + public void SubjectAlternativeNameValidSomeValues() + { + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var testCertificate = CreateSubjectAlternativeNameDetails( - new SubjectAlternativeName - { - DnsName = new List { "testones" }, - IpAddress = new IPAddress(2414) - }, - createCertificates); + var createCertificates = serviceProvider.GetService(); - foreach (X509Extension extension in testCertificate.Extensions) + var testCertificate = CreateSubjectAlternativeNameDetails( + new SubjectAlternativeName { - if (extension.Oid.FriendlyName == "Subject Alternative Name") - { - var asndata = new AsnEncodedData(extension.Oid, extension.RawData); - var data = asndata.Format(false); - var expected = "DNS Name=testones, IP Address=110.9.0.0"; - - Assert.Equal(expected, data); - return; - } - } + DnsName = new List { "testones" }, + IpAddress = new IPAddress(2414) + }, + createCertificates); - throw new Exception("no SubjectAlternativeName found"); - } - - public static X509Certificate2 CreateSubjectAlternativeNameDetails( - SubjectAlternativeName subjectAlternativeName, - CreateCertificates createCertificates) + foreach (X509Extension extension in testCertificate.Extensions) { - var distinguishedName = new DistinguishedName - { - CommonName = "root dev", - Country = "IT", - Locality = "DD", - Organisation = "SS", - 
OrganisationUnit = "unit", - StateProvince = "yes" - }; - var enhancedKeyUsages = new OidCollection { - OidLookup.ClientAuthentication, - OidLookup.ServerAuthentication - }; - - var basicConstraints = new BasicConstraints + if (extension.Oid.FriendlyName == "Subject Alternative Name") { - CertificateAuthority = true, - HasPathLengthConstraint = true, - PathLengthConstraint = 3, - Critical = true - }; - - var validityPeriod = new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }; - - var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign; - - var rootCert = createCertificates.NewECDsaSelfSignedCertificate( - distinguishedName, - basicConstraints, - validityPeriod, - subjectAlternativeName, - enhancedKeyUsages, - x509KeyUsageFlags, - new ECDsaConfiguration()); - - return rootCert; + var asndata = new AsnEncodedData(extension.Oid, extension.RawData); + var data = asndata.Format(false); + var expected = "DNS Name=testones, IP Address=110.9.0.0"; + + Assert.Equal(expected, data); + return; + } } + + throw new Exception("no SubjectAlternativeName found"); + } + + public static X509Certificate2 CreateSubjectAlternativeNameDetails( + SubjectAlternativeName subjectAlternativeName, + CreateCertificates createCertificates) + { + var distinguishedName = new DistinguishedName + { + CommonName = "root dev", + Country = "IT", + Locality = "DD", + Organisation = "SS", + OrganisationUnit = "unit", + StateProvince = "yes" + }; + var enhancedKeyUsages = new OidCollection { + OidLookup.ClientAuthentication, + OidLookup.ServerAuthentication + }; + + var basicConstraints = new BasicConstraints + { + CertificateAuthority = true, + HasPathLengthConstraint = true, + PathLengthConstraint = 3, + Critical = true + }; + + var validityPeriod = new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }; + + var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign; + + var rootCert = createCertificates.NewECDsaSelfSignedCertificate( 
+ distinguishedName, + basicConstraints, + validityPeriod, + subjectAlternativeName, + enhancedKeyUsages, + x509KeyUsageFlags, + new ECDsaConfiguration()); + + return rootCert; } } diff --git a/src/CertificateManagerTests/ValidityPeriodClientServerAuthTests.cs b/src/CertificateManagerTests/ValidityPeriodClientServerAuthTests.cs index 4decaf0..0fd3ece 100644 --- a/src/CertificateManagerTests/ValidityPeriodClientServerAuthTests.cs +++ b/src/CertificateManagerTests/ValidityPeriodClientServerAuthTests.cs 
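Review bot: Both tests locate the extension with `extension.Oid.FriendlyName == "Subject Alternative Name"`; `FriendlyName` is a localized, platform-supplied display string, whereas the OID value is stable, so `extension.Oid.Value == "2.5.29.17"` is the robust comparison. The expected `Format(false)` output (`DNS Name=..., IP Address=110.9.0.0, ...`) looks like the Windows CryptoAPI rendering; if the suite is meant to run on other platforms too, a comment stating that assumption next to the `expected` strings would help, since I cannot tell from this hunk where it runs. Failing a test with `throw new Exception("no SubjectAlternativeName found")` is better expressed as `Assert.Fail("no SubjectAlternativeName found");` (xUnit 2.4.2 and later), which reports an assertion failure instead of an unhandled exception.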
@@ -6,94 +6,93 @@ using System.Security.Cryptography.X509Certificates; using Xunit; -namespace CertificateManagerTests +namespace CertificateManagerTests; + +public class ValidityPeriodClientServerAuthTests { - public class ValidityPeriodClientServerAuthTests + private (X509Certificate2 root, X509Certificate2 intermediate, X509Certificate2 server, X509Certificate2 client) SetupCerts() { - private (X509Certificate2 root, X509Certificate2 intermediate, X509Certificate2 server, X509Certificate2 client) SetupCerts() - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); - - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName { CommonName = "root dev", Country = "IT" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow.AddMonths(3), ValidTo = DateTime.UtcNow.AddMonths(6) }, - 3, "localhost"); - rootCaL1.FriendlyName = "developement root L1 certificate"; - - // Intermediate L2 chained from root L1 - var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( - new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow.AddMonths(2), ValidTo = DateTime.UtcNow.AddYears(1) }, - 2, "localhost", rootCaL1); - intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; - - // Server, Client L3 chained from Intermediate L2 - var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( - new DistinguishedName { CommonName = "server", Country = "DE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); - - var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( - new DistinguishedName { CommonName = "client", Country = "IE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 
"localhost", intermediateCaL2); - serverL3.FriendlyName = "developement server L3 certificate"; - clientL3.FriendlyName = "developement client L3 certificate"; - - return (rootCaL1, intermediateCaL2, serverL3, clientL3); - } + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); + + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { CommonName = "root dev", Country = "IT" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow.AddMonths(3), ValidTo = DateTime.UtcNow.AddMonths(6) }, + 3, "localhost"); + rootCaL1.FriendlyName = "developement root L1 certificate"; + + // Intermediate L2 chained from root L1 + var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( + new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow.AddMonths(2), ValidTo = DateTime.UtcNow.AddYears(1) }, + 2, "localhost", rootCaL1); + intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; + + // Server, Client L3 chained from Intermediate L2 + var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( + new DistinguishedName { CommonName = "server", Country = "DE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + + var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( + new DistinguishedName { CommonName = "client", Country = "IE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + serverL3.FriendlyName = "developement server L3 certificate"; + clientL3.FriendlyName = "developement client L3 certificate"; + + return (rootCaL1, intermediateCaL2, serverL3, clientL3); + } - [Fact] - public void ClientServerCertCorrectValidityPeriod() - { - // 
ValidityPeriod definitions - // client/server t <= intermediate <= root <= intermediate <= client/server - var (root, intermediate, server, client) = SetupCerts(); + [Fact] + public void ClientServerCertCorrectValidityPeriod() + { + // ValidityPeriod definitions + // client/server t <= intermediate <= root <= intermediate <= client/server + var (root, intermediate, server, client) = SetupCerts(); - Assert.Equal(root.NotBefore, intermediate.NotBefore); - Assert.Equal(root.NotAfter, intermediate.NotAfter); + Assert.Equal(root.NotBefore, intermediate.NotBefore); + Assert.Equal(root.NotAfter, intermediate.NotAfter); - Assert.Equal(intermediate.NotBefore, client.NotBefore); - Assert.Equal(intermediate.NotAfter, client.NotAfter); + Assert.Equal(intermediate.NotBefore, client.NotBefore); + Assert.Equal(intermediate.NotAfter, client.NotAfter); - Assert.Equal(intermediate.NotBefore, server.NotBefore); - Assert.Equal(intermediate.NotAfter, server.NotAfter); + Assert.Equal(intermediate.NotBefore, server.NotBefore); + Assert.Equal(intermediate.NotAfter, server.NotAfter); - } + } - [Fact] - public void ValidateChainedValidityPeriodNotActive() - { - // certs are not active till the future - var (root, intermediate, server, client) = SetupCerts(); + [Fact] + public void ValidateChainedValidityPeriodNotActive() + { + // certs are not active till the future + var (root, intermediate, server, client) = SetupCerts(); - var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( - root, intermediate, server, client, - X509RevocationFlag.ExcludeRoot, - X509RevocationMode.NoCheck, - true, true); + var x509ChainPolicy = BuildChainUtil.BuildChainPolicyChained( + root, intermediate, server, client, + X509RevocationFlag.ExcludeRoot, + X509RevocationMode.NoCheck, + true, true); - var chain = new X509Chain - { - ChainPolicy = x509ChainPolicy - }; + var chain = new X509Chain + { + ChainPolicy = x509ChainPolicy + }; - var certificateIsValid = chain.Build(client); - 
Assert.False(certificateIsValid); + var certificateIsValid = chain.Build(client); + Assert.False(certificateIsValid); - if (!certificateIsValid) + if (!certificateIsValid) + { + var chainErrors = new List(); + foreach (var validationFailure in chain.ChainStatus) { - var chainErrors = new List(); - foreach (var validationFailure in chain.ChainStatus) - { - chainErrors.Add(validationFailure.Status); - } - Assert.True(chainErrors.Contains(X509ChainStatusFlags.NotTimeValid), "expect NotValidForUsage"); + chainErrors.Add(validationFailure.Status); } + Assert.True(chainErrors.Contains(X509ChainStatusFlags.NotTimeValid), "expect NotValidForUsage"); } } } diff --git a/src/CreateAngularVueJsDevelopmentCertificates/Program.cs b/src/CreateAngularVueJsDevelopmentCertificates/Program.cs index c0ae862..5d929d0 100644 --- a/src/CreateAngularVueJsDevelopmentCertificates/Program.cs +++ b/src/CreateAngularVueJsDevelopmentCertificates/Program.cs 
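Review bot: The failure message in ValidateChainedValidityPeriodNotActive names the wrong flag — the assertion checks `X509ChainStatusFlags.NotTimeValid` but reports "expect NotValidForUsage", so a regression would be misreported; `Assert.Contains(X509ChainStatusFlags.NotTimeValid, chain.ChainStatus.Select(s => s.Status));` replaces the list, the loop and the message (System.Linq needed if not already imported), and the `if (!certificateIsValid)` guard is dead once `Assert.False(certificateIsValid)` has passed. `X509Chain` is disposable and is never released here, so `using var chain = new X509Chain { ChainPolicy = x509ChainPolicy };` is the idiomatic form. In SetupCerts the `GetService` call can return null and would then fail later as a NullReferenceException rather than as a clear resolution error; `GetRequiredService` gives the precise failure, and the same pattern appears in the CreateAngularVueJsDevelopmentCertificates, LowLevelApiExamples and CreateChainedCertsConsoleDemo Program hunks.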
@@ -2,38 +2,37 @@ using Microsoft.Extensions.DependencyInjection; using System.IO; -namespace CreateAngularVueJsDevelopmentCertificates +namespace CreateAngularVueJsDevelopmentCertificates; + +class Program { - class Program + static void Main(string[] args) { - static void Main(string[] args) - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var _createCertificatesRsa = serviceProvider.GetService(); + var _createCertificatesRsa = serviceProvider.GetService(); - // Create development certificate for localhost - var devCertificate = _createCertificatesRsa - .CreateDevelopmentCertificate("localhost", 10); + // Create development certificate for localhost + var devCertificate = _createCertificatesRsa + .CreateDevelopmentCertificate("localhost", 10); - devCertificate.FriendlyName = "localhost development"; + devCertificate.FriendlyName = "localhost development"; - string password = "1234"; - var importExportCertificate = serviceProvider.GetService(); + string password = "1234"; + var importExportCertificate = serviceProvider.GetService(); - // full pfx with password - var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, devCertificate); - File.WriteAllBytes("dev_localhost.pfx", rootCertInPfxBtyes); + // full pfx with password + var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, devCertificate); + File.WriteAllBytes("dev_localhost.pfx", rootCertInPfxBtyes); - // private key - var exportRsaPrivateKeyPem = importExportCertificate.PemExportRsaPrivateKey(devCertificate); - File.WriteAllText($"dev_localhost.key", exportRsaPrivateKeyPem); + // private key + var exportRsaPrivateKeyPem = importExportCertificate.PemExportRsaPrivateKey(devCertificate); + File.WriteAllText($"dev_localhost.key", exportRsaPrivateKeyPem); - // public key certificate as pem - var 
exportPublicKeyCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(devCertificate); - File.WriteAllText($"dev_localhost.pem", exportPublicKeyCertificatePem); - } + // public key certificate as pem + var exportPublicKeyCertificatePem = importExportCertificate.PemExportPublicKeyCertificate(devCertificate); + File.WriteAllText($"dev_localhost.pem", exportPublicKeyCertificatePem); } } diff --git a/src/CreateChainedCertsConsoleDemo/LowLevel/DeviceCertConfig.cs b/src/CreateChainedCertsConsoleDemo/LowLevel/DeviceCertConfig.cs index b1ccd35..f6f8cb9 100644 --- a/src/CreateChainedCertsConsoleDemo/LowLevel/DeviceCertConfig.cs +++ b/src/CreateChainedCertsConsoleDemo/LowLevel/DeviceCertConfig.cs 
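Review bot: The private key in `dev_localhost.key` is written unencrypted with the process's default file permissions, beside a PFX protected by the literal password "1234"; since that key is the artefact a development-certificate tool must protect, the write deserves a comment such as `// dev_localhost.key holds the unencrypted private key - keep it out of source control and restrict its permissions` and, where the project targets .NET 7 or later, `if (!OperatingSystem.IsWindows()) File.SetUnixFileMode("dev_localhost.key", UnixFileMode.UserRead | UnixFileMode.UserWrite);` after it. The password would be better taken from `args` or an environment variable than hard-coded next to the export. `$"dev_localhost.key"` and `$"dev_localhost.pem"` are interpolated strings with no placeholders and read more clearly as plain literals. Setting `devCertificate.FriendlyName` throws PlatformNotSupportedException on non-Windows .NET runtimes, so as written the demo only runs on Windows; a comment or an `OperatingSystem.IsWindows()` guard would make that explicit.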
@@ -3,42 +3,41 @@ using System.Collections.Generic; using System.Security.Cryptography.X509Certificates;
-namespace CreateChainedCertsConsoleDemo
+namespace CreateChainedCertsConsoleDemo;
+
+public static class DeviceCertConfig
 {
- public static class DeviceCertConfig
+ public static DistinguishedName DistinguishedName = new DistinguishedName
 {
- public static DistinguishedName DistinguishedName = new DistinguishedName
- {
- CommonName = "localhost",
- Country = "CH",
- Locality = "CH",
- Organisation = "firma x",
- OrganisationUnit = "skills"
- };
+ CommonName = "localhost",
+ Country = "CH",
+ Locality = "CH",
+ Organisation = "firma x",
+ OrganisationUnit = "skills"
+ };
- public static BasicConstraints BasicConstraints = new BasicConstraints
- {
- CertificateAuthority = false,
- HasPathLengthConstraint = false,
- PathLengthConstraint = 0,
- Critical = true
- };
+ public static BasicConstraints BasicConstraints = new BasicConstraints
+ {
+ CertificateAuthority = false,
+ HasPathLengthConstraint = false,
+ PathLengthConstraint = 0,
+ Critical = true
+ };
- public static ValidityPeriod ValidityPeriod = new ValidityPeriod
- {
- ValidFrom = DateTime.UtcNow,
- ValidTo = DateTime.UtcNow.AddYears(10)
- };
+ public static ValidityPeriod ValidityPeriod = new ValidityPeriod
+ {
+ ValidFrom = DateTime.UtcNow,
+ ValidTo = DateTime.UtcNow.AddYears(10)
+ };
- public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName
+ public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName
+ {
+ DnsName = new List
 {
- DnsName = new List
- {
- "localhost"
- }
- };
+ "localhost"
+ }
+ };
- public static X509KeyUsageFlags X509KeyUsageFlags =
- X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
+ public static X509KeyUsageFlags X509KeyUsageFlags =
+ X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
 }
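Review bot: `X509KeyUsageFlags` includes `KeyEncipherment` while this config feeds `NewECDsaChainedCertificate` in LowLevelApiExamples; RFC 5480 does not list keyEncipherment among the key usages permitted for an EC public key, so strict validators may reject the certificate, and a comment recording why the flag is set (or dropping it) would settle the question. The same applies to the IntermediateCertConfig, IntermediateLevel3CertConfig and RootCertConfig hunks, where the comment itself says only `KeyCertSign` is required yet `DigitalSignature | KeyEncipherment | KeyCertSign` is set; `X509KeyUsageFlags.KeyCertSign` (plus `CrlSign` if CRLs are issued) would match the comment. All five fields are `public static` without `readonly`, so any caller can silently replace the shared constraints of the whole demo chain, and `ValidityPeriod` captures `DateTime.UtcNow` once at type initialisation rather than when a certificate is issued; `public static readonly` on each, or a property that builds the period on demand, makes the intent explicit.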
diff --git a/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateCertConfig.cs b/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateCertConfig.cs
index d079894..6554dfe 100644
--- a/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateCertConfig.cs
+++ b/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateCertConfig.cs
@@ -3,44 +3,43 @@ using System.Collections.Generic; using System.Security.Cryptography.X509Certificates; -namespace CreateChainedCertsConsoleDemo +namespace CreateChainedCertsConsoleDemo; + +public static class IntermediateCertConfig { - public static class IntermediateCertConfig + public static DistinguishedName DistinguishedName = new DistinguishedName { - public static DistinguishedName DistinguishedName = new DistinguishedName - { - CommonName = "localhost", - Country = "CH", - Locality = "CH", - Organisation = "damienbod", - OrganisationUnit = "region europe" - }; + CommonName = "localhost", + Country = "CH", + Locality = "CH", + Organisation = "damienbod", + OrganisationUnit = "region europe" + }; - public static BasicConstraints BasicConstraints = new BasicConstraints - { - CertificateAuthority = true, - HasPathLengthConstraint = true, - PathLengthConstraint = 2, - Critical = true - }; + public static BasicConstraints BasicConstraints = new BasicConstraints + { + CertificateAuthority = true, + HasPathLengthConstraint = true, + PathLengthConstraint = 2, + Critical = true + }; - public static ValidityPeriod ValidityPeriod = new ValidityPeriod - { - ValidFrom = DateTime.UtcNow, - ValidTo = DateTime.UtcNow.AddYears(10) - }; + public static ValidityPeriod ValidityPeriod = new ValidityPeriod + { + ValidFrom = DateTime.UtcNow, + ValidTo = DateTime.UtcNow.AddYears(10) + }; - public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName + public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName + { + DnsName = new List { - DnsName = new List - { - "localhost" - } - }; + "localhost" + } + }; - // Only X509KeyUsageFlags.KeyCertSign required for client server auth - public static X509KeyUsageFlags X509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature - | X509KeyUsageFlags.KeyEncipherment - | X509KeyUsageFlags.KeyCertSign; - } + // Only X509KeyUsageFlags.KeyCertSign required for client server auth + public 
static X509KeyUsageFlags X509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature + | X509KeyUsageFlags.KeyEncipherment + | X509KeyUsageFlags.KeyCertSign; } diff --git a/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateLevel3CertConfig.cs b/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateLevel3CertConfig.cs index d31deea..7eca0c5 100644 --- a/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateLevel3CertConfig.cs +++ b/src/CreateChainedCertsConsoleDemo/LowLevel/IntermediateLevel3CertConfig.cs 
@@ -3,44 +3,43 @@ using System.Collections.Generic; using System.Security.Cryptography.X509Certificates; -namespace CreateChainedCertsConsoleDemo +namespace CreateChainedCertsConsoleDemo; + +public static class IntermediateLevel3CertConfig { - public static class IntermediateLevel3CertConfig + public static DistinguishedName DistinguishedName = new DistinguishedName { - public static DistinguishedName DistinguishedName = new DistinguishedName - { - CommonName = "localhost", - Country = "DE", - Locality = "DE", - Organisation = "damienbod", - OrganisationUnit = "region germany" - }; + CommonName = "localhost", + Country = "DE", + Locality = "DE", + Organisation = "damienbod", + OrganisationUnit = "region germany" + }; - public static BasicConstraints BasicConstraints = new BasicConstraints - { - CertificateAuthority = true, - HasPathLengthConstraint = true, - PathLengthConstraint = 1, - Critical = true - }; + public static BasicConstraints BasicConstraints = new BasicConstraints + { + CertificateAuthority = true, + HasPathLengthConstraint = true, + PathLengthConstraint = 1, + Critical = true + }; - public static ValidityPeriod ValidityPeriod = new ValidityPeriod - { - ValidFrom = DateTime.UtcNow, - ValidTo = DateTime.UtcNow.AddYears(10) - }; + public static ValidityPeriod ValidityPeriod = new ValidityPeriod + { + ValidFrom = DateTime.UtcNow, + ValidTo = DateTime.UtcNow.AddYears(10) + }; - public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName + public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName + { + DnsName = new List { - DnsName = new List - { - "localhost" - } - }; + "localhost" + } + }; - // Only X509KeyUsageFlags.KeyCertSign required for client server auth - public static X509KeyUsageFlags X509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature - | X509KeyUsageFlags.KeyEncipherment - | X509KeyUsageFlags.KeyCertSign; - } + // Only X509KeyUsageFlags.KeyCertSign required for client server auth 
+ public static X509KeyUsageFlags X509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature + | X509KeyUsageFlags.KeyEncipherment + | X509KeyUsageFlags.KeyCertSign; } diff --git a/src/CreateChainedCertsConsoleDemo/LowLevel/LowLevelApiExamples.cs b/src/CreateChainedCertsConsoleDemo/LowLevel/LowLevelApiExamples.cs index a058483..4909679 100644 --- a/src/CreateChainedCertsConsoleDemo/LowLevel/LowLevelApiExamples.cs +++ b/src/CreateChainedCertsConsoleDemo/LowLevel/LowLevelApiExamples.cs 
@@ -6,118 +6,117 @@ using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; -namespace CreateChainedCertsConsoleDemo +namespace CreateChainedCertsConsoleDemo; + +public static class LowLevelApiExamples { - public static class LowLevelApiExamples + public static void Run() { - public static void Run() - { - Console.WriteLine("Create Root Certificate"); - - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - // OidLookup.ClientAuthentication - // OidLookup.ServerAuthentication - // OidLookup.CodeSigning, - // OidLookup.SecureEmail, - // OidLookup.TimeStamping - var enhancedKeyUsages = new OidCollection { - OidLookup.ClientAuthentication, - OidLookup.ServerAuthentication - }; - - var createCertificates = serviceProvider.GetService(); - - // Create the root self signed cert - var rootCert = createCertificates.NewECDsaSelfSignedCertificate( - RootCertConfig.DistinguishedName, - RootCertConfig.BasicConstraints, - RootCertConfig.ValidityPeriod, - RootCertConfig.SubjectAlternativeName, - enhancedKeyUsages, - RootCertConfig.X509KeyUsageFlags, - new ECDsaConfiguration()); - - rootCert.FriendlyName = "localhost root l1"; - - // Create an intermediate chained cert - var intermediateCertificate = createCertificates.NewECDsaChainedCertificate( - IntermediateCertConfig.DistinguishedName, - IntermediateCertConfig.BasicConstraints, - IntermediateCertConfig.ValidityPeriod, - IntermediateCertConfig.SubjectAlternativeName, - rootCert, - enhancedKeyUsages, - IntermediateCertConfig.X509KeyUsageFlags, - new ECDsaConfiguration()); - - intermediateCertificate.FriendlyName = "intermediate from root l2"; - - // Create a second intermediate chained cert - var intermediateCertificateLevel3 = createCertificates.NewECDsaChainedCertificate( - IntermediateLevel3CertConfig.DistinguishedName, - IntermediateLevel3CertConfig.BasicConstraints, - IntermediateLevel3CertConfig.ValidityPeriod, - 
IntermediateLevel3CertConfig.SubjectAlternativeName, - intermediateCertificate, - enhancedKeyUsages, - IntermediateLevel3CertConfig.X509KeyUsageFlags, - new ECDsaConfiguration()); - - intermediateCertificateLevel3.FriendlyName = "intermediate l3 from intermediate"; - - // Create a device chained cert - var deviceCertificate = createCertificates.NewECDsaChainedCertificate( - DeviceCertConfig.DistinguishedName, - DeviceCertConfig.BasicConstraints, - DeviceCertConfig.ValidityPeriod, - DeviceCertConfig.SubjectAlternativeName, - intermediateCertificateLevel3, - enhancedKeyUsages, - DeviceCertConfig.X509KeyUsageFlags, - new ECDsaConfiguration()); - - deviceCertificate.FriendlyName = "device cert l4"; - - string password = "1234"; - var importExportCertificate = serviceProvider.GetService(); - - var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, rootCert); - File.WriteAllBytes("localhost_root_l1.pfx", rootCertInPfxBtyes); - - var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(rootCert); - var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); - File.WriteAllBytes($"localhost_root_l1.cer", rootPublicKeyBytes); - - var intermediateCertInPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediateCertificate, rootCert); - File.WriteAllBytes("localhost_intermediate_l2.pfx", intermediateCertInPfxBtyes); - - var intermediateCertL3InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediateCertificateLevel3, intermediateCertificate); - File.WriteAllBytes("localhost_intermediate_l3.pfx", intermediateCertL3InPfxBtyes); - - var deviceCertL4InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, deviceCertificate, intermediateCertificateLevel3); - File.WriteAllBytes("devicel4.pfx", deviceCertL4InPfxBtyes); - - // Create a device validation cert - var deviceVerificationCert = createCertificates.NewECDsaChainedCertificate( - DeviceCertConfig.DistinguishedName, 
- DeviceCertConfig.BasicConstraints, - DeviceCertConfig.ValidityPeriod, - DeviceCertConfig.SubjectAlternativeName, - rootCert, - enhancedKeyUsages, - DeviceCertConfig.X509KeyUsageFlags, - new ECDsaConfiguration()); - - deviceVerificationCert.FriendlyName = "device verification cert l4"; - - var publicKeyBytes = deviceVerificationCert.Export(X509ContentType.Cert); - File.WriteAllBytes("deviceVerificationCert.cer", publicKeyBytes); - - Console.WriteLine($"Exported Certificates"); - - } + Console.WriteLine("Create Root Certificate"); + + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + // OidLookup.ClientAuthentication + // OidLookup.ServerAuthentication + // OidLookup.CodeSigning, + // OidLookup.SecureEmail, + // OidLookup.TimeStamping + var enhancedKeyUsages = new OidCollection { + OidLookup.ClientAuthentication, + OidLookup.ServerAuthentication + }; + + var createCertificates = serviceProvider.GetService(); + + // Create the root self signed cert + var rootCert = createCertificates.NewECDsaSelfSignedCertificate( + RootCertConfig.DistinguishedName, + RootCertConfig.BasicConstraints, + RootCertConfig.ValidityPeriod, + RootCertConfig.SubjectAlternativeName, + enhancedKeyUsages, + RootCertConfig.X509KeyUsageFlags, + new ECDsaConfiguration()); + + rootCert.FriendlyName = "localhost root l1"; + + // Create an intermediate chained cert + var intermediateCertificate = createCertificates.NewECDsaChainedCertificate( + IntermediateCertConfig.DistinguishedName, + IntermediateCertConfig.BasicConstraints, + IntermediateCertConfig.ValidityPeriod, + IntermediateCertConfig.SubjectAlternativeName, + rootCert, + enhancedKeyUsages, + IntermediateCertConfig.X509KeyUsageFlags, + new ECDsaConfiguration()); + + intermediateCertificate.FriendlyName = "intermediate from root l2"; + + // Create a second intermediate chained cert + var intermediateCertificateLevel3 = createCertificates.NewECDsaChainedCertificate( + 
IntermediateLevel3CertConfig.DistinguishedName, + IntermediateLevel3CertConfig.BasicConstraints, + IntermediateLevel3CertConfig.ValidityPeriod, + IntermediateLevel3CertConfig.SubjectAlternativeName, + intermediateCertificate, + enhancedKeyUsages, + IntermediateLevel3CertConfig.X509KeyUsageFlags, + new ECDsaConfiguration()); + + intermediateCertificateLevel3.FriendlyName = "intermediate l3 from intermediate"; + + // Create a device chained cert + var deviceCertificate = createCertificates.NewECDsaChainedCertificate( + DeviceCertConfig.DistinguishedName, + DeviceCertConfig.BasicConstraints, + DeviceCertConfig.ValidityPeriod, + DeviceCertConfig.SubjectAlternativeName, + intermediateCertificateLevel3, + enhancedKeyUsages, + DeviceCertConfig.X509KeyUsageFlags, + new ECDsaConfiguration()); + + deviceCertificate.FriendlyName = "device cert l4"; + + string password = "1234"; + var importExportCertificate = serviceProvider.GetService(); + + var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, rootCert); + File.WriteAllBytes("localhost_root_l1.pfx", rootCertInPfxBtyes); + + var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(rootCert); + var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); + File.WriteAllBytes($"localhost_root_l1.cer", rootPublicKeyBytes); + + var intermediateCertInPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediateCertificate, rootCert); + File.WriteAllBytes("localhost_intermediate_l2.pfx", intermediateCertInPfxBtyes); + + var intermediateCertL3InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediateCertificateLevel3, intermediateCertificate); + File.WriteAllBytes("localhost_intermediate_l3.pfx", intermediateCertL3InPfxBtyes); + + var deviceCertL4InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, deviceCertificate, intermediateCertificateLevel3); + File.WriteAllBytes("devicel4.pfx", deviceCertL4InPfxBtyes); + + // 
Create a device validation cert + var deviceVerificationCert = createCertificates.NewECDsaChainedCertificate( + DeviceCertConfig.DistinguishedName, + DeviceCertConfig.BasicConstraints, + DeviceCertConfig.ValidityPeriod, + DeviceCertConfig.SubjectAlternativeName, + rootCert, + enhancedKeyUsages, + DeviceCertConfig.X509KeyUsageFlags, + new ECDsaConfiguration()); + + deviceVerificationCert.FriendlyName = "device verification cert l4"; + + var publicKeyBytes = deviceVerificationCert.Export(X509ContentType.Cert); + File.WriteAllBytes("deviceVerificationCert.cer", publicKeyBytes); + + Console.WriteLine($"Exported Certificates"); + } } diff --git a/src/CreateChainedCertsConsoleDemo/LowLevel/RootCertConfig.cs b/src/CreateChainedCertsConsoleDemo/LowLevel/RootCertConfig.cs index 51fbf6e..4438ee8 100644 --- a/src/CreateChainedCertsConsoleDemo/LowLevel/RootCertConfig.cs +++ b/src/CreateChainedCertsConsoleDemo/LowLevel/RootCertConfig.cs 
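Review bot: Run exports the private keys of a four-level CA hierarchy into PFX files protected by the literal `"1234"` and drops them into the current working directory, and nothing documents that these files are the secrets of the chain; a header comment such as `// Writes root/intermediate/device PFX files (private keys!) to the working directory - demo only, do not reuse the password or commit the output` would keep the example from being copied into real provisioning, and the password is better read from an argument or environment variable. `BuildServiceProvider()` returns a disposable `ServiceProvider`, and each `X509Certificate2` holds a private key handle, so `using var serviceProvider = ...` and `using var rootCert = ...` (likewise for the intermediate, device and verification certificates) would release them deterministically. `Console.WriteLine($"Exported Certificates")` is an interpolated string with no placeholders. The `FriendlyName` setters make this method Windows-only, since the setter throws PlatformNotSupportedException on other runtimes.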
@@ -3,46 +3,45 @@ using System.Collections.Generic; using System.Security.Cryptography.X509Certificates; -namespace CreateChainedCertsConsoleDemo +namespace CreateChainedCertsConsoleDemo; + +public static class RootCertConfig { - public static class RootCertConfig + public static DistinguishedName DistinguishedName = new DistinguishedName { - public static DistinguishedName DistinguishedName = new DistinguishedName - { - CommonName = "localhost", - Country = "CH", - Locality = "CH", - Organisation = "damienbod", - OrganisationUnit = "developement" - }; + CommonName = "localhost", + Country = "CH", + Locality = "CH", + Organisation = "damienbod", + OrganisationUnit = "developement" + }; - public static BasicConstraints BasicConstraints = new BasicConstraints - { - CertificateAuthority = true, - HasPathLengthConstraint = true, - PathLengthConstraint = 3, - Critical = true - }; + public static BasicConstraints BasicConstraints = new BasicConstraints + { + CertificateAuthority = true, + HasPathLengthConstraint = true, + PathLengthConstraint = 3, + Critical = true + }; - public static ValidityPeriod ValidityPeriod = new ValidityPeriod - { - ValidFrom = DateTime.UtcNow, - ValidTo = DateTime.UtcNow.AddYears(10) - }; + public static ValidityPeriod ValidityPeriod = new ValidityPeriod + { + ValidFrom = DateTime.UtcNow, + ValidTo = DateTime.UtcNow.AddYears(10) + }; - public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName + public static SubjectAlternativeName SubjectAlternativeName = new SubjectAlternativeName + { + Email = "damienbod@damienbod.ch", + DnsName = new List { - Email = "damienbod@damienbod.ch", - DnsName = new List - { - "localhost", - "test.damienbod.ch" - } - }; + "localhost", + "test.damienbod.ch" + } + }; - // Only X509KeyUsageFlags.KeyCertSign required for client server auth - public static X509KeyUsageFlags X509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature - | X509KeyUsageFlags.KeyEncipherment - | 
X509KeyUsageFlags.KeyCertSign; - } + // Only X509KeyUsageFlags.KeyCertSign required for client server auth + public static X509KeyUsageFlags X509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature + | X509KeyUsageFlags.KeyEncipherment + | X509KeyUsageFlags.KeyCertSign; } diff --git a/src/CreateChainedCertsConsoleDemo/Program.cs b/src/CreateChainedCertsConsoleDemo/Program.cs index 5d0dcff..6f6bb2c 100644 --- a/src/CreateChainedCertsConsoleDemo/Program.cs +++ b/src/CreateChainedCertsConsoleDemo/Program.cs 
@@ -5,68 +5,67 @@ using System.IO; using System.Security.Cryptography.X509Certificates; -namespace CreateChainedCertsConsoleDemo +namespace CreateChainedCertsConsoleDemo; + +class Program { - class Program + static void Main(string[] args) { - static void Main(string[] args) - { - //LowLevelApiExamples.Run(); + //LowLevelApiExamples.Run(); - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var createClientServerAuthCerts = serviceProvider.GetService(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName { CommonName = "root dev", Country = "IT" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - rootCaL1.FriendlyName = "developement root L1 certificate"; + var rootCaL1 = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { CommonName = "root dev", Country = "IT" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + rootCaL1.FriendlyName = "developement root L1 certificate"; - // Intermediate L2 chained from root L1 - var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( - new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 2, "localhost", rootCaL1); - intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; + // Intermediate L2 chained from root L1 + var intermediateCaL2 = createClientServerAuthCerts.NewIntermediateChainedCertificate( + new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = 
DateTime.UtcNow.AddYears(10) }, + 2, "localhost", rootCaL1); + intermediateCaL2.FriendlyName = "developement Intermediate L2 certificate"; - // Server, Client L3 chained from Intermediate L2 - var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( - new DistinguishedName { CommonName = "server", Country = "DE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); + // Server, Client L3 chained from Intermediate L2 + var serverL3 = createClientServerAuthCerts.NewServerChainedCertificate( + new DistinguishedName { CommonName = "server", Country = "DE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); - var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( - new DistinguishedName { CommonName = "client", Country = "IE" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "localhost", intermediateCaL2); - serverL3.FriendlyName = "developement server L3 certificate"; - clientL3.FriendlyName = "developement client L3 certificate"; + var clientL3 = createClientServerAuthCerts.NewClientChainedCertificate( + new DistinguishedName { CommonName = "client", Country = "IE" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "localhost", intermediateCaL2); + serverL3.FriendlyName = "developement server L3 certificate"; + clientL3.FriendlyName = "developement client L3 certificate"; - Console.WriteLine($"Created Client, Server L3 Certificates {clientL3.FriendlyName}"); + Console.WriteLine($"Created Client, Server L3 Certificates {clientL3.FriendlyName}"); - string password = "1234"; - var importExportCertificate = serviceProvider.GetService(); + string password = "1234"; + var importExportCertificate = serviceProvider.GetService(); - var rootCertInPfxBtyes = 
importExportCertificate.ExportRootPfx(password, rootCaL1); - File.WriteAllBytes("localhost_root_l1.pfx", rootCertInPfxBtyes); + var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, rootCaL1); + File.WriteAllBytes("localhost_root_l1.pfx", rootCertInPfxBtyes); - var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(rootCaL1); - var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); - File.WriteAllBytes($"localhost_root_l1.cer", rootPublicKeyBytes); + var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(rootCaL1); + var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); + File.WriteAllBytes($"localhost_root_l1.cer", rootPublicKeyBytes); - var intermediateCertInPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediateCaL2, rootCaL1); - File.WriteAllBytes("localhost_intermediate_l2.pfx", intermediateCertInPfxBtyes); + var intermediateCertInPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediateCaL2, rootCaL1); + File.WriteAllBytes("localhost_intermediate_l2.pfx", intermediateCertInPfxBtyes); - var serverCertL3InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, serverL3, intermediateCaL2); - File.WriteAllBytes("serverl3.pfx", serverCertL3InPfxBtyes); + var serverCertL3InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, serverL3, intermediateCaL2); + File.WriteAllBytes("serverl3.pfx", serverCertL3InPfxBtyes); - var clientCertL3InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, clientL3, intermediateCaL2); - File.WriteAllBytes("clientl3.pfx", clientCertL3InPfxBtyes); + var clientCertL3InPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, clientL3, intermediateCaL2); + File.WriteAllBytes("clientl3.pfx", clientCertL3InPfxBtyes); - Console.WriteLine("Certificates exported to pfx and cer files"); - } + Console.WriteLine("Certificates exported to pfx 
and cer files"); } } diff --git a/src/CreateIdentityServer4Certificates/CreateIdentityServer4Certificates.csproj b/src/CreateIdentityServer4Certificates/CreateIdentityServerCertificates.csproj similarity index 96% rename from src/CreateIdentityServer4Certificates/CreateIdentityServer4Certificates.csproj rename to src/CreateIdentityServer4Certificates/CreateIdentityServerCertificates.csproj index 1577704..1b8b689 100644 --- a/src/CreateIdentityServer4Certificates/CreateIdentityServer4Certificates.csproj +++ b/src/CreateIdentityServer4Certificates/CreateIdentityServerCertificates.csproj @@ -1,32 +1,32 @@ - - - - Exe - net8.0 - true - true - snupkg - - - - 1701;1702;CA1416 - - - - 1701;1702;CA1416 - - - - - - - - - - - - - - - - + + + + Exe + net8.0 + true + true + snupkg + + + + 1701;1702;CA1416 + + + + 1701;1702;CA1416 + + + + + + + + + + + + + + + + diff --git a/src/CreateIdentityServer4Certificates/Program.cs b/src/CreateIdentityServer4Certificates/Program.cs index 9298f78..5342eba 100644 --- a/src/CreateIdentityServer4Certificates/Program.cs +++ b/src/CreateIdentityServer4Certificates/Program.cs 
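Review bot: `rootCaL1.FriendlyName = "developement root L1 certificate";` and the three other FriendlyName assignments in Main are Windows-only; on Linux/macOS the setter throws PlatformNotSupportedException, so the demo dies before any file is written, and the csproj hunk on this page suppresses CA1416, which is the analyzer that would have flagged it. Guard each assignment with `if (OperatingSystem.IsWindows()) { rootCaL1.FriendlyName = "developement root L1 certificate"; }` or drop them; the same pattern recurs in CreateSelfSignedCertsConsoleDemo/Program.cs, IoTHubCreateChainedCerts/Program.cs, IoTHubCreateDeviceCertificate/Program.cs and IoTHubVerifyCertificate/Program.cs. Separately, `string password = "1234";` is the only protection on PFX files that carry the CA and leaf private keys; read it from args or an environment variable rather than a literal, and replace `serviceProvider.GetService()` with `GetRequiredService` so a missing registration fails with a clear message instead of a NullReferenceException on the next line. Both of those recur in every Program.cs in this patch, and the X509Certificate2 instances created here are never disposed, which `using var` declarations would fix.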
@@ -7,131 +7,130 @@ using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; -namespace CreateIdentityServer4Certificates +namespace CreateIdentityServerCertificates; + +class Program { - class Program + static CreateCertificates _cc; + static void Main(string[] args) { - static CreateCertificates _cc; - static void Main(string[] args) - { - var sp = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var sp = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - _cc = sp.GetService(); + _cc = sp.GetService(); - var rsaCert = CreateRsaCertificate("localhost", 10); - var ecdsaCert = CreateECDsaCertificate("localhost", 10); + var rsaCert = CreateRsaCertificate("localhost", 10); + var ecdsaCert = CreateECDsaCertificate("localhost", 10); - string password = "1234"; - var iec = sp.GetService(); + string password = "1234"; + var iec = sp.GetService(); - var rsaCertPfxBytes = iec.ExportSelfSignedCertificatePfx(password, rsaCert); - File.WriteAllBytes("cert_rsa512.pfx", rsaCertPfxBytes); + var rsaCertPfxBytes = iec.ExportSelfSignedCertificatePfx(password, rsaCert); + File.WriteAllBytes("cert_rsa512.pfx", rsaCertPfxBytes); - var ecdsaCertPfxBytes = iec.ExportSelfSignedCertificatePfx(password, ecdsaCert); - File.WriteAllBytes("cert_ecdsa384.pfx", ecdsaCertPfxBytes); + var ecdsaCertPfxBytes = iec.ExportSelfSignedCertificatePfx(password, ecdsaCert); + File.WriteAllBytes("cert_ecdsa384.pfx", ecdsaCertPfxBytes); - Console.WriteLine("created"); - } + Console.WriteLine("created"); + } - public static X509Certificate2 CreateRsaCertificate(string dnsName, int validityPeriodInYears) + public static X509Certificate2 CreateRsaCertificate(string dnsName, int validityPeriodInYears) + { + var basicConstraints = new BasicConstraints { - var basicConstraints = new BasicConstraints - { - CertificateAuthority = false, - HasPathLengthConstraint = false, - PathLengthConstraint = 0, - Critical = false - }; + 
CertificateAuthority = false, + HasPathLengthConstraint = false, + PathLengthConstraint = 0, + Critical = false + }; - var subjectAlternativeName = new SubjectAlternativeName + var subjectAlternativeName = new SubjectAlternativeName + { + DnsName = new List { - DnsName = new List - { - dnsName, - } - }; + dnsName, + } + }; - var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; + var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; - // only if certification authentication is used - var enhancedKeyUsages = new OidCollection - { - OidLookup.ClientAuthentication, - OidLookup.ServerAuthentication - // OidLookup.CodeSigning, - // OidLookup.SecureEmail, - // OidLookup.TimeStamping - }; - - var certificate = _cc.NewRsaSelfSignedCertificate( - new DistinguishedName { CommonName = dnsName }, - basicConstraints, - new ValidityPeriod - { - ValidFrom = DateTimeOffset.UtcNow, - ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) - }, - subjectAlternativeName, - enhancedKeyUsages, - x509KeyUsageFlags, - new RsaConfiguration - { - KeySize = 2048, - HashAlgorithmName = HashAlgorithmName.SHA512 - }); - - return certificate; - } - - public static X509Certificate2 CreateECDsaCertificate(string dnsName, int validityPeriodInYears) + // only if certification authentication is used + var enhancedKeyUsages = new OidCollection { - var basicConstraints = new BasicConstraints + OidLookup.ClientAuthentication, + OidLookup.ServerAuthentication + // OidLookup.CodeSigning, + // OidLookup.SecureEmail, + // OidLookup.TimeStamping + }; + + var certificate = _cc.NewRsaSelfSignedCertificate( + new DistinguishedName { CommonName = dnsName }, + basicConstraints, + new ValidityPeriod { - CertificateAuthority = false, - HasPathLengthConstraint = false, - PathLengthConstraint = 0, - Critical = false - }; + ValidFrom = DateTimeOffset.UtcNow, + ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) + }, + subjectAlternativeName, + enhancedKeyUsages, + x509KeyUsageFlags, + 
new RsaConfiguration + { + KeySize = 2048, + HashAlgorithmName = HashAlgorithmName.SHA512 + }); - var subjectAlternativeName = new SubjectAlternativeName + return certificate; + } + + public static X509Certificate2 CreateECDsaCertificate(string dnsName, int validityPeriodInYears) + { + var basicConstraints = new BasicConstraints + { + CertificateAuthority = false, + HasPathLengthConstraint = false, + PathLengthConstraint = 0, + Critical = false + }; + + var subjectAlternativeName = new SubjectAlternativeName + { + DnsName = new List + { + dnsName, + } + }; + + var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; + + // only if certification authentication is used + var enhancedKeyUsages = new OidCollection { + OidLookup.ClientAuthentication, + OidLookup.ServerAuthentication + // OidLookup.CodeSigning, + // OidLookup.SecureEmail, + // OidLookup.TimeStamping + }; + + var certificate = _cc.NewECDsaSelfSignedCertificate( + new DistinguishedName { CommonName = dnsName }, + basicConstraints, + new ValidityPeriod { - DnsName = new List - { - dnsName, - } - }; - - var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature; - - // only if certification authentication is used - var enhancedKeyUsages = new OidCollection { - OidLookup.ClientAuthentication, - OidLookup.ServerAuthentication - // OidLookup.CodeSigning, - // OidLookup.SecureEmail, - // OidLookup.TimeStamping - }; - - var certificate = _cc.NewECDsaSelfSignedCertificate( - new DistinguishedName { CommonName = dnsName }, - basicConstraints, - new ValidityPeriod - { - ValidFrom = DateTimeOffset.UtcNow, - ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) - }, - subjectAlternativeName, - enhancedKeyUsages, - x509KeyUsageFlags, - new ECDsaConfiguration - { - KeySize = 384, - HashAlgorithmName = HashAlgorithmName.SHA384 - }); - - return certificate; - } + ValidFrom = DateTimeOffset.UtcNow, + ValidTo = DateTimeOffset.UtcNow.AddYears(validityPeriodInYears) + }, + subjectAlternativeName, + 
enhancedKeyUsages, + x509KeyUsageFlags, + new ECDsaConfiguration + { + KeySize = 384, + HashAlgorithmName = HashAlgorithmName.SHA384 + }); + + return certificate; } } diff --git a/src/CreateSelfSignedCertsConsoleDemo/Program.cs b/src/CreateSelfSignedCertsConsoleDemo/Program.cs index 3e8e645..41e9674 100644 --- a/src/CreateSelfSignedCertsConsoleDemo/Program.cs +++ b/src/CreateSelfSignedCertsConsoleDemo/Program.cs 
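Review bot: The namespace becomes `CreateIdentityServerCertificates` while the file still lives under `src/CreateIdentityServer4Certificates/` (only the .csproj is renamed in this patch), so folder and namespace no longer match; either rename the directory as well or keep the namespace aligned with it. Both `CreateRsaCertificate` and `CreateECDsaCertificate` request `OidLookup.ClientAuthentication` and `OidLookup.ServerAuthentication` plus a DNS SAN; if these certificates are meant for IdentityServer token signing, as the project name suggests, those EKUs also let the key pass as a TLS client or server certificate for `localhost`, so consider restricting the EKU set to what the consumer actually checks and saying so in the `// only if certification authentication is used` comment. The two methods also duplicate the BasicConstraints, SAN, key-usage and EKU setup line for line; a private helper taking `dnsName` and returning those four values would leave only the `RsaConfiguration` / `ECDsaConfiguration` argument differing.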
@@ -4,54 +4,53 @@ using System; using System.IO; -namespace CreateSelfSignedCertsConsoleDemo +namespace CreateSelfSignedCertsConsoleDemo; + +class Program { - class Program + static void Main(string[] args) { - static void Main(string[] args) - { - var dnsName = "localhost"; - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); - - var createClientServerAuthCerts = serviceProvider.GetService(); - - // Server self signed certificate - var server = createClientServerAuthCerts.NewServerSelfSignedCertificate( - new DistinguishedName { CommonName = "server", Country = "CH" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - dnsName); - - // Client self signed certificate - var client = createClientServerAuthCerts.NewClientSelfSignedCertificate( - new DistinguishedName { CommonName = "client", Country = "CH" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - dnsName); - server.FriendlyName = "azure server certificate"; - client.FriendlyName = "azure client certificate"; - - Console.WriteLine($"Created server certificate {server.FriendlyName}"); - - string password = "1234"; - var importExportCertificate = serviceProvider.GetService(); - - var serverCertInPfxBtyes = - importExportCertificate.ExportSelfSignedCertificatePfx(password, server); - File.WriteAllBytes("server.pfx", serverCertInPfxBtyes); - - var clientCertInPfxBtyes = - importExportCertificate.ExportSelfSignedCertificatePfx(password, client); - File.WriteAllBytes("client.pfx", clientCertInPfxBtyes); - - var clientCertInPEMBtyes = importExportCertificate.PemExportPfxFullCertificate(client); - File.WriteAllText("client.pem", clientCertInPEMBtyes); - - //var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(rootCaL1); - //var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); - //File.WriteAllBytes($"localhost_root_l1.cer", rootPublicKeyBytes); 
- - Console.WriteLine("Certificates exported to pfx and cer files"); - } + var dnsName = "localhost"; + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); + + var createClientServerAuthCerts = serviceProvider.GetService(); + + // Server self signed certificate + var server = createClientServerAuthCerts.NewServerSelfSignedCertificate( + new DistinguishedName { CommonName = "server", Country = "CH" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + dnsName); + + // Client self signed certificate + var client = createClientServerAuthCerts.NewClientSelfSignedCertificate( + new DistinguishedName { CommonName = "client", Country = "CH" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + dnsName); + server.FriendlyName = "azure server certificate"; + client.FriendlyName = "azure client certificate"; + + Console.WriteLine($"Created server certificate {server.FriendlyName}"); + + string password = "1234"; + var importExportCertificate = serviceProvider.GetService(); + + var serverCertInPfxBtyes = + importExportCertificate.ExportSelfSignedCertificatePfx(password, server); + File.WriteAllBytes("server.pfx", serverCertInPfxBtyes); + + var clientCertInPfxBtyes = + importExportCertificate.ExportSelfSignedCertificatePfx(password, client); + File.WriteAllBytes("client.pfx", clientCertInPfxBtyes); + + var clientCertInPEMBtyes = importExportCertificate.PemExportPfxFullCertificate(client); + File.WriteAllText("client.pem", clientCertInPEMBtyes); + + //var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(rootCaL1); + //var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); + //File.WriteAllBytes($"localhost_root_l1.cer", rootPublicKeyBytes); + + Console.WriteLine("Certificates exported to pfx and cer files"); } } 
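Review bot: `File.WriteAllText("client.pem", clientCertInPEMBtyes);` writes the output of `PemExportPfxFullCertificate(client)` to the working directory; if, as the method name suggests, that PEM carries the client's private key, it lands on disk unencrypted next to the password-protected `client.pfx`, so either export only the public certificate here or document that `client.pem` must be handled as secret material. The three commented-out `rootPublicKey` lines reference `rootCaL1`, which does not exist in this file; delete them rather than carry dead code through the namespace change. The closing message is also inaccurate for this program, which writes .pfx and .pem files, e.g. `Console.WriteLine("Certificates exported to pfx and pem files");`.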
diff --git a/src/IoTHubCreateChainedCerts/Program.cs b/src/IoTHubCreateChainedCerts/Program.cs index ef9ce0f..b6d4a1f 100644 --- a/src/IoTHubCreateChainedCerts/Program.cs +++ b/src/IoTHubCreateChainedCerts/Program.cs 
@@ -5,50 +5,49 @@ using System.IO; using System.Security.Cryptography.X509Certificates; -namespace IoTHubCreateChainedCerts +namespace IoTHubCreateChainedCerts; + +/// +/// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started +/// +class Program { - /// - /// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started - /// - class Program + static void Main(string[] args) { - static void Main(string[] args) - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var createClientServerAuthCerts = serviceProvider.GetService(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var root = createClientServerAuthCerts.NewRootCertificate( - new DistinguishedName { CommonName = "root dev", Country = "IT" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 3, "localhost"); - root.FriendlyName = "developement root certificate"; + var root = createClientServerAuthCerts.NewRootCertificate( + new DistinguishedName { CommonName = "root dev", Country = "IT" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 3, "localhost"); + root.FriendlyName = "developement root certificate"; - // Intermediate L2 chained from root L1 - var intermediate = createClientServerAuthCerts.NewIntermediateChainedCertificate( - new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - 2, "localhost", root); - intermediate.FriendlyName = "developement Intermediate certificate"; + // Intermediate L2 chained from root L1 + var intermediate = createClientServerAuthCerts.NewIntermediateChainedCertificate( + new DistinguishedName { CommonName = "intermediate dev", Country = "FR" }, + new 
ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + 2, "localhost", root); + intermediate.FriendlyName = "developement Intermediate certificate"; - string password = "1234"; - var importExportCertificate = serviceProvider.GetService(); + string password = "1234"; + var importExportCertificate = serviceProvider.GetService(); - var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, root); - File.WriteAllBytes("root.pfx", rootCertInPfxBtyes); + var rootCertInPfxBtyes = importExportCertificate.ExportRootPfx(password, root); + File.WriteAllBytes("root.pfx", rootCertInPfxBtyes); - // https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started + // https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started - var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(root); - var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); - File.WriteAllBytes($"root.cer", rootPublicKeyBytes); + var rootPublicKey = importExportCertificate.ExportCertificatePublicKey(root); + var rootPublicKeyBytes = rootPublicKey.Export(X509ContentType.Cert); + File.WriteAllBytes($"root.cer", rootPublicKeyBytes); - var intermediateCertInPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediate, root); - File.WriteAllBytes("intermediate.pfx", intermediateCertInPfxBtyes); + var intermediateCertInPfxBtyes = importExportCertificate.ExportChainedCertificatePfx(password, intermediate, root); + File.WriteAllBytes("intermediate.pfx", intermediateCertInPfxBtyes); - Console.WriteLine("Certificates exported to pfx and cer files"); - } + Console.WriteLine("Certificates exported to pfx and cer files"); } } diff --git a/src/IoTHubCreateDeviceCertificate/Program.cs b/src/IoTHubCreateDeviceCertificate/Program.cs index 8b24e1b..505ecbd 100644 --- a/src/IoTHubCreateDeviceCertificate/Program.cs +++ b/src/IoTHubCreateDeviceCertificate/Program.cs 
@@ -5,37 +5,36 @@ using System.IO; using System.Security.Cryptography.X509Certificates; -namespace IoTHubCreateDeviceCertificate +namespace IoTHubCreateDeviceCertificate; + +/// +/// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started +/// +class Program { - /// - /// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started - /// - class Program + static void Main(string[] args) { - static void Main(string[] args) - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var createClientServerAuthCerts = serviceProvider.GetService(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var intermediate = new X509Certificate2("intermediate.pfx", "1234"); + var intermediate = new X509Certificate2("intermediate.pfx", "1234"); - // use lowercase for dps - var testDevice01 = createClientServerAuthCerts.NewDeviceChainedCertificate( - new DistinguishedName { CommonName = "testdevice01" }, - new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, - "testdevice01", intermediate); - testDevice01.FriendlyName = "IoT device testDevice01"; + // use lowercase for dps + var testDevice01 = createClientServerAuthCerts.NewDeviceChainedCertificate( + new DistinguishedName { CommonName = "testdevice01" }, + new ValidityPeriod { ValidFrom = DateTime.UtcNow, ValidTo = DateTime.UtcNow.AddYears(10) }, + "testdevice01", intermediate); + testDevice01.FriendlyName = "IoT device testDevice01"; - string password = "1234"; - var importExportCertificate = serviceProvider.GetService(); + string password = "1234"; + var importExportCertificate = serviceProvider.GetService(); - var deviceInPfxBytes = importExportCertificate.ExportChainedCertificatePfx(password, testDevice01, intermediate); - File.WriteAllBytes("testDevice01.pfx", 
deviceInPfxBytes); + var deviceInPfxBytes = importExportCertificate.ExportChainedCertificatePfx(password, testDevice01, intermediate); + File.WriteAllBytes("testDevice01.pfx", deviceInPfxBytes); - Console.WriteLine("Certificates exported to pfx file"); - } + Console.WriteLine("Certificates exported to pfx file"); } } diff --git a/src/IoTHubVerifyCertificate/Program.cs b/src/IoTHubVerifyCertificate/Program.cs index f4e1972..aa0d829 100644 --- a/src/IoTHubVerifyCertificate/Program.cs +++ b/src/IoTHubVerifyCertificate/Program.cs 
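Review bot: The PFX password appears twice in Main, inline in `new X509Certificate2("intermediate.pfx", "1234")` and again as `string password = "1234";`; the two are independent literals that must stay in sync because `testDevice01.pfx` is exported with the second one, so hoist a single value and use it for both, ideally taken from args or the environment rather than source. The `intermediate` and `testDevice01` certificates both hold private keys and are never disposed; `using var intermediate = new X509Certificate2("intermediate.pfx", password);` releases the key handle when Main exits. Main's body is fully inside the hunk.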
@@ -4,38 +4,36 @@ using System.IO; using System.Security.Cryptography.X509Certificates; -namespace IoTHubVerifyCertificate -{ +namespace IoTHubVerifyCertificate; - /// - /// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started - /// - class Program +/// +/// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started +/// +class Program +{ + static void Main(string[] args) { - static void Main(string[] args) - { - var serviceProvider = new ServiceCollection() - .AddCertificateManager() - .BuildServiceProvider(); + var serviceProvider = new ServiceCollection() + .AddCertificateManager() + .BuildServiceProvider(); - var createClientServerAuthCerts = serviceProvider.GetService(); + var createClientServerAuthCerts = serviceProvider.GetService(); - var importExportCertificate = serviceProvider.GetService(); + var importExportCertificate = serviceProvider.GetService(); - var root = new X509Certificate2("root.pfx", "1234"); + var root = new X509Certificate2("root.pfx", "1234"); - var deviceVerify = createClientServerAuthCerts.NewDeviceVerificationCertificate( - "4C8C754C6DA4280DBAB7FC7BB320E7FFFB7F411CBB7EAA7D", root); - deviceVerify.FriendlyName = "device verify"; + var deviceVerify = createClientServerAuthCerts.NewDeviceVerificationCertificate( + "4C8C754C6DA4280DBAB7FC7BB320E7FFFB7F411CBB7EAA7D", root); + deviceVerify.FriendlyName = "device verify"; - var deviceVerifyPEM = importExportCertificate.PemExportPublicKeyCertificate(deviceVerify); - File.WriteAllText("deviceVerify.pem", deviceVerifyPEM); + var deviceVerifyPEM = importExportCertificate.PemExportPublicKeyCertificate(deviceVerify); + File.WriteAllText("deviceVerify.pem", deviceVerifyPEM); - var deviceVerifyPublicKey = importExportCertificate.ExportCertificatePublicKey(deviceVerify); - var deviceVerifyPublicKeyBytes = deviceVerifyPublicKey.Export(X509ContentType.Cert); - File.WriteAllBytes($"deviceVerify.cer", deviceVerifyPublicKeyBytes); + var 
deviceVerifyPublicKey = importExportCertificate.ExportCertificatePublicKey(deviceVerify); + var deviceVerifyPublicKeyBytes = deviceVerifyPublicKey.Export(X509ContentType.Cert); + File.WriteAllBytes($"deviceVerify.cer", deviceVerifyPublicKeyBytes); - Console.WriteLine("Certificates exported to pfx and cer files"); - } + Console.WriteLine("Certificates exported to pfx and cer files"); } } \ No newline at end of file
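Review bot: The verification code passed to `NewDeviceVerificationCertificate` is a hard-coded literal; IoT Hub issues that code per CA registration, so it differs for everyone running this demo and a baked-in value produces a proof-of-possession certificate the hub will reject. Take it from the command line instead, e.g. `var verificationCode = args.Length > 0 ? args[0] : throw new ArgumentException("verification code required");`, and pass `verificationCode` to the call. As in the other demos, `root.pfx` is opened with the literal `"1234"` and neither `root` nor `deviceVerify` is disposed; the file also still ends without a trailing newline.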