Merge pull request #14 from damienbod/devSigning

Fix RSA KeySize
damienbod · Jan 27, 2020 · e934e14 · e934e14
2 parents 0b171d3 + 3aa36d1
commit e934e14
Show file tree

Hide file tree

Showing 10 changed files with 348 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Certificate Manager change log
 
+<a name="2020-01-27"></a>
+## 2020-01-27 version 1.0.2
+* Small fixes for RSA certificates KeySize
+* IdentityServer4 example certificates
+
 <a name="2020-01-24"></a>
 ## 2020-01-24 version 1.0.1
 * Support RSA certificates

diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@
 Add the NuGet package to the your project file
 
 ```
-<PackageReference Include="CertificateManager" Version="1.0.1" />
+<PackageReference Include="CertificateManager" Version="1.0.2" />
 ```
 
 The NuGet packages uses dependency injection to setup. In a console application initialize the package as follows:

diff --git a/src/CertificateManager.sln b/src/CertificateManager.sln
@@ -28,6 +28,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IoTHubCreateDeviceCertifica
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CreateAngularVueJsDevelopmentCertificates", "CreateAngularVueJsDevelopmentCertificates\CreateAngularVueJsDevelopmentCertificates.csproj", "{4761AF09-95B5-4632-92D6-872652C354C7}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CreateIdentityServer4Certificates", "CreateIdentityServer4Certificates\CreateIdentityServer4Certificates.csproj", "{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -66,6 +68,10 @@ Global
 		{4761AF09-95B5-4632-92D6-872652C354C7}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{4761AF09-95B5-4632-92D6-872652C354C7}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{4761AF09-95B5-4632-92D6-872652C354C7}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{C22EB3CB-0F6F-4F64-847B-63E0A75AA999}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

diff --git a/src/CertificateManager/CertificateManager.csproj b/src/CertificateManager/CertificateManager.csproj
@@ -11,11 +11,11 @@
     <Description>Certificate Manager is a package which makes it easy to create certificates (chained and self signed) which can be used to in client server authentication and IoT Devices like Azure IoT Hub
 </Description>
     <PackageTags>certificate authentication mtls pfx cer pem cert crt</PackageTags>
-    <PackageReleaseNotes>first release, certificate creation, export certificates chained and self signed</PackageReleaseNotes>
+    <PackageReleaseNotes>small fixes for RSA certificates</PackageReleaseNotes>
     <Copyright>2020 damienbod</Copyright>
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
     <Authors>damienbod</Authors>
-    <Version>1.0.1</Version>
+    <Version>1.0.2</Version>
   </PropertyGroup>
 
   <ItemGroup>

diff --git a/src/CertificateManager/CreateCertificates.cs b/src/CertificateManager/CreateCertificates.cs
@@ -75,8 +75,7 @@ public X509Certificate2 NewRsaSelfSignedCertificate(
             X509KeyUsageFlags x509KeyUsageFlags,
             RsaConfiguration rsaConfiguration)
         {
-            using var rsa = RSA.Create("RSA");
-            rsa.KeySize = rsaConfiguration.KeySize; // 1024, 2048 or 4096
+            using var rsa = RSA.Create(rsaConfiguration.KeySize); // 1024, 2048 or 4096
             var request = new CertificateRequest(
                 _certificateUtility.CreateIssuerOrSubject(distinguishedName),
                 rsa,
@@ -113,8 +112,7 @@ public X509Certificate2 NewRsaChainedCertificate(
                 throw new Exception("Signing cert must have private key");
             }
 
-            using var rsa = RSA.Create("rsa");
-            rsa.KeySize = rsaConfiguration.KeySize;
+            using var rsa = RSA.Create(rsaConfiguration.KeySize);
             var request = new CertificateRequest(
                 _certificateUtility.CreateIssuerOrSubject(distinguishedName),
                 rsa,

diff --git a/src/CertificateManager/CreateCertificatesRsa.cs b/src/CertificateManager/CreateCertificatesRsa.cs
@@ -15,7 +15,14 @@ public CreateCertificatesRsa(CreateCertificates createCertificates)
             _createCertificates = createCertificates;
         }
 
-        public X509Certificate2 CreateDevelopmentCertificate(string dnsName, int validityPeriodInYears)
+        /// <summary>
+        /// creates a development certificate
+        /// </summary>
+        /// <param name="dnsName">DNS name ie localhost etc</param>
+        /// <param name="validityPeriodInYears">valid time in years</param>
+        /// <param name="keySize">1024 2048 4096</param>
+        /// <returns></returns>
+        public X509Certificate2 CreateDevelopmentCertificate(string dnsName, int validityPeriodInYears, int keySize = 1024)
         {
             var basicConstraints = new BasicConstraints
             {
@@ -57,7 +64,10 @@ public X509Certificate2 CreateDevelopmentCertificate(string dnsName, int validit
                 subjectAlternativeName,
                 enhancedKeyUsages,
                 x509KeyUsageFlags,
-                new RsaConfiguration());
+                new RsaConfiguration
+                {
+                    KeySize = keySize
+                });
 
             return certificate;
         }

diff --git a/src/CertificateManagerTests/RsaKeySizeTests.cs b/src/CertificateManagerTests/RsaKeySizeTests.cs
@@ -0,0 +1,169 @@
+using CertificateManager;
+using CertificateManager.Models;
+using Microsoft.Extensions.DependencyInjection;
+using System;
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Xunit;
+
+namespace CertificateManagerTests
+{
+    public class RsaKeySizeTests
+    {
+        [Fact]
+        public void CreateChainedCertificatesRsaKeySizeTest()
+        {
+            var serviceProvider = new ServiceCollection()
+                .AddCertificateManager()
+                .BuildServiceProvider();
+
+            var cc = serviceProvider.GetService<CreateCertificates>();
+            var cert2048 = CreateRsaCertificate(cc, 2048);
+            var cert4096 = CreateRsaCertificate(cc, 4096);
+
+            var chained1024 = CreateRsaCertificateChained(cc, 1024, cert2048);
+            var chained4096 = CreateRsaCertificateChained(cc, 4096, cert2048);
+            Assert.Equal(1024, chained1024.PrivateKey.KeySize);
+            Assert.Equal(4096, chained4096.PrivateKey.KeySize);
+        }
+
+        [Fact]
+        public void CreateCertificatesRsaKeySizeTest()
+        {
+            var serviceProvider = new ServiceCollection()
+                .AddCertificateManager()
+                .BuildServiceProvider();
+
+            var ccRsa = serviceProvider.GetService<CreateCertificatesRsa>();
+            var cert2048 = ccRsa.CreateDevelopmentCertificate("localhost", 2, 2048);
+            Assert.Equal(2048, cert2048.PrivateKey.KeySize);
+
+            var cert1024 = ccRsa.CreateDevelopmentCertificate("localhost", 2);
+            Assert.Equal(1024, cert1024.PrivateKey.KeySize);
+        }
+
+        [Fact]
+        public void RsaKeySizeTest()
+        {
+            var serviceProvider = new ServiceCollection()
+                .AddCertificateManager()
+                .BuildServiceProvider();
+
+            var cc = serviceProvider.GetService<CreateCertificates>();
+
+            var cert2048 = CreateRsaCertificate(cc, 2048);
+            Assert.Equal(2048, cert2048.PrivateKey.KeySize);
+
+            var cert4096= CreateRsaCertificate(cc, 4096);
+            Assert.Equal(4096, cert4096.PrivateKey.KeySize);
+        }
+
+        public static X509Certificate2 CreateRsaCertificate(CreateCertificates createCertificates, int keySize)
+        {
+            var basicConstraints = new BasicConstraints
+            {
+                CertificateAuthority = true,
+                HasPathLengthConstraint = true,
+                PathLengthConstraint = 2,
+                Critical = false
+            };
+
+            var subjectAlternativeName = new SubjectAlternativeName
+            {
+                DnsName = new List<string>
+                {
+                    "localhost",
+                }
+            };
+
+            var x509KeyUsageFlags = X509KeyUsageFlags.KeyCertSign
+               | X509KeyUsageFlags.DigitalSignature
+               | X509KeyUsageFlags.KeyEncipherment
+               | X509KeyUsageFlags.CrlSign
+               | X509KeyUsageFlags.DataEncipherment
+               | X509KeyUsageFlags.NonRepudiation
+               | X509KeyUsageFlags.KeyAgreement;
+
+            // only if mtls is used
+            var enhancedKeyUsages = new OidCollection
+            {
+                new Oid("1.3.6.1.5.5.7.3.1"),  // TLS Server auth
+                new Oid("1.3.6.1.5.5.7.3.2"),  // TLS Client auth
+                //new Oid("1.3.6.1.5.5.7.3.3"),  // Code signing 
+                //new Oid("1.3.6.1.5.5.7.3.4"),  // Email
+                //new Oid("1.3.6.1.5.5.7.3.8")   // Timestamping  
+            };
+
+            var certificate = createCertificates.NewRsaSelfSignedCertificate(
+                new DistinguishedName { CommonName = "localhost" },
+                basicConstraints,
+                new ValidityPeriod
+                {
+                    ValidFrom = DateTimeOffset.UtcNow,
+                    ValidTo = DateTimeOffset.UtcNow.AddYears(1)
+                },
+                subjectAlternativeName,
+                enhancedKeyUsages,
+                x509KeyUsageFlags,
+                new RsaConfiguration
+                {
+                    KeySize = keySize
+                });
+
+            return certificate;
+        }
+
+        public static X509Certificate2 CreateRsaCertificateChained(CreateCertificates createCertificates, int keySize, X509Certificate2 parentCert)
+        {
+            var basicConstraints = new BasicConstraints
+            {
+                CertificateAuthority = false,
+                HasPathLengthConstraint = false,
+                PathLengthConstraint = 0,
+                Critical = false
+            };
+
+            var subjectAlternativeName = new SubjectAlternativeName
+            {
+                DnsName = new List<string>
+                {
+                    "localhost",
+                }
+            };
+
+            var x509KeyUsageFlags = X509KeyUsageFlags.DigitalSignature;
+
+            // only if mtls is used
+            var enhancedKeyUsages = new OidCollection
+            {
+                new Oid("1.3.6.1.5.5.7.3.1"),  // TLS Server auth
+                new Oid("1.3.6.1.5.5.7.3.2"),  // TLS Client auth
+                //new Oid("1.3.6.1.5.5.7.3.3"),  // Code signing 
+                //new Oid("1.3.6.1.5.5.7.3.4"),  // Email
+                //new Oid("1.3.6.1.5.5.7.3.8")   // Timestamping  
+            };
+
+            var certificate = createCertificates.NewRsaChainedCertificate(
+                new DistinguishedName { CommonName = "localhost" },
+                basicConstraints,
+                new ValidityPeriod
+                {
+                    ValidFrom = DateTimeOffset.UtcNow,
+                    ValidTo = DateTimeOffset.UtcNow.AddYears(1)
+                },
+                subjectAlternativeName,
+                parentCert,
+                enhancedKeyUsages,
+                x509KeyUsageFlags,
+                new RsaConfiguration
+                {
+                    KeySize = keySize
+                });
+
+            return certificate;
+        }
+
+    }
+}
diff --git a/src/CreateAngularVueJsDevelopmentCertificates/Program.cs b/src/CreateAngularVueJsDevelopmentCertificates/Program.cs
@@ -1,11 +1,6 @@
 using CertificateManager;
-using CertificateManager.Models;
 using Microsoft.Extensions.DependencyInjection;
-using System;
-using System.Collections.Generic;
 using System.IO;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
 
 namespace CreateAngularVueJsDevelopmentCertificates
 {

diff --git a/src/CreateIdentityServer4Certificates/CreateIdentityServer4Certificates.csproj b/src/CreateIdentityServer4Certificates/CreateIdentityServer4Certificates.csproj
@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="3.1.1" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\CertificateManager\CertificateManager.csproj" />
+  </ItemGroup>
+
+</Project>