Opc.Ua.Security.Certificates
Converts a buffer to a hexadecimal string.
Converts a hexadecimal string to an array of bytes.
Writer for Public Key parameters.
https://www.itu.int/rec/T-REC-X.690-201508-I/en
section 8.3 (Encoding of an integer value).
The writer
The key parameter
Oid constants defined for ASN encoding/decoding.
The Oid string of the Digital Signature Algorithm (DSA) subject public key.
The Oid string for the RSA encryption scheme with PKCS#1.
The Oid string for the RSA encryption scheme with OAEP.
The Oid string for the RSA encryption scheme with PSS.
The Oid string for RSA signature, PKCS#1 padding with SHA1 hash.
The Oid string for RSA signature, PKCS#1 padding with SHA256 hash.
The Oid string for RSA signature, PKCS#1 padding with SHA384 hash.
The Oid string for RSA signature, PKCS#1 padding with SHA512 hash.
The Oid string for ECDsa signature with SHA1 hash.
The Oid string for ECDsa signature with SHA256 hash.
The Oid string for ECDsa signature with SHA384 hash.
The Oid string for ECDsa signature with SHA512 hash.
The Oid string for the CRL extension of a CRL Number.
The Oid string for the CRL extension of a CRL Reason Code.
The Oid string for Transport Layer Security (TLS) World Wide Web (WWW)
server authentication.
The Oid string for Transport Layer Security (TLS) World Wide Web (WWW)
client authentication.
The Oid string for Authority Information access.
The Oid string for Online Certificate Status Protocol.
The Oid string for Certificate Authority Issuer.
The Oid string for CRL Distribution Point.
Get the RSA oid for a hash algorithm signature.
The hash algorithm name.
Get the ECDsa oid for a hash algorithm signature.
The hash algorithm name.
Get the hash algorithm used to sign a certificate.
The signature algorithm oid.
Defines internal helper functions to implement RSA cryptography.
Dispose RSA object only if not running on Mono runtime.
Workaround due to a Mono bug in the X509Certificate2 implementation of RSA.
see also: https://github.com/mono/mono/issues/6306
On Mono, GetRSAPrivateKey/GetRSAPublicKey return a reference instead of a disposable object.
Calling Dispose on RSA makes the X509Certificate2 keys unusable on Mono.
Only call dispose when using .Net and .Net Core runtimes.
RSA object returned by GetRSAPublicKey/GetRSAPrivateKey
Lazy helper to allow runtime check for Mono.
Determine if assembly uses mono runtime.
true if running on Mono runtime
The defaults used in the library for Certificates.
The default key size for RSA certificates in bits.
Supported values are 1024 (deprecated), 2048, 3072 or 4096.
The minimum supported size of an RSA key in bits.
The maximum supported size of an RSA key in bits.
The default hash algorithm to use for signatures.
Supported values are SHA-1 (deprecated) or SHA-2 with a 256, 384 or 512 bit digest.
The default lifetime of certificates in months.
The recommended minimum length of a serial number in octets.
The maximum length of a serial number in octets.
The Opc.Ua.Security.Certificates namespace defines classes which can be used to implement
functions to create X509 certificates, to encode and decode X509 Certificate Revocation Lists (CRL),
X509 Certificate Signing Requests (CSR) and related X509 extensions needed for the OPC UA certificate
specification.
Stores the authority key identifier extension.
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier [0] KeyIdentifier OPTIONAL,
    authorityCertIssuer [1] GeneralNames OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL
}
KeyIdentifier ::= OCTET STRING
Creates an empty extension.
Creates an extension from ASN.1 encoded data.
Creates an extension from ASN.1 encoded data.
Build the X509 Authority Key extension.
The subject key identifier
Build the X509 Authority Key extension.
The subject key identifier as a byte array.
The distinguished name of the issuer.
The serial number of the issuer certificate as a little endian byte array.
Creates an extension from ASN.1 encoded data.
Returns a formatted version of the Authority Key Identifier as a string.
Initializes the extension from ASN.1 encoded data.
The OID for an Authority Key Identifier extension.
The alternate OID for an Authority Key Identifier extension.
The identifier for the key as a little endian hexadecimal string.
The identifier for the key as a byte array.
A list of distinguished names for the issuer.
The serial number of the authority key as a big endian hexadecimal string.
The serial number of the authority key as a byte array in little endian order.
Authority Key Identifier extension string definitions; see RFC 5280 4.2.1.1.
The CRL Number extension.
id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
CRLNumber ::= INTEGER (0..MAX)
Creates an empty extension.
Creates an extension from ASN.1 encoded data.
Creates an extension from an Oid and ASN.1 encoded raw data.
Creates an extension from ASN.1 encoded data.
Build the CRL Number extension (for CRL extensions).
Returns a formatted version of the Abstract Syntax Notation One (ASN.1)-encoded data as a string.
Initializes the extension from ASN.1 encoded data.
The OID for a CRL Number extension.
Gets the CRL Number.
The CRL number.
Encode the CRL Number extension.
Decode CRL Number.
CRL Number extension string definitions; see RFC 5280 5.2.3.
Supporting functions for X509 extensions.
Find a typed extension in a certificate.
The type of the extension.
The certificate with extensions.
Find a typed extension in an extension collection.
The type of the extension.
The extensions to search.
Build the Authority Information Access extension.
Array of CA issuer URLs.
Optional: the OCSP responder.
Build the CRL Distribution Point extension.
The CRL distribution point
Read an ASN.1 extension sequence as X509Extension object.
The ASN reader.
Write an extension object as ASN.1.
Build the CRL Reason extension.
Build the Authority Key Identifier from an Issuer CA certificate.
The issuer CA certificate
Build the CRL number.
Patch the serial number in a URL (byte array version).
Patch the serial number in a URL (string version).
The subject alternate name extension.
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
    otherName [0] OtherName,
    rfc822Name [1] IA5String,
    dNSName [2] IA5String,
    x400Address [3] ORAddress,
    directoryName [4] Name,
    ediPartyName [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress [7] OCTET STRING,
    registeredID [8] OBJECT IDENTIFIER
}
OtherName ::= SEQUENCE {
    type-id OBJECT IDENTIFIER,
    value [0] EXPLICIT ANY DEFINED BY type-id
}
EDIPartyName ::= SEQUENCE {
    nameAssigner [0] DirectoryString OPTIONAL,
    partyName [1] DirectoryString
}
Creates an empty extension.
Creates an extension from ASN.1 encoded data.
Creates an extension from an Oid and ASN.1 encoded raw data.
Creates an extension from ASN.1 encoded data.
Build the Subject Alternative Name extension (for OPC UA application certs).
The application Uri
The domain names: DNS host names, IPv4 or IPv6 addresses.
Returns a formatted version of the Abstract Syntax Notation One (ASN.1)-encoded data as a string.
Initializes the extension from ASN.1 encoded data.
The OID for a Subject Alternate Name extension.
The OID for a Subject Alternate Name 2 extension.
Gets the uris.
The uris.
Gets the domain names.
The domain names.
Gets the IP addresses.
The IP addresses.
Create a normalized IPv4 or IPv6 address from a 4 byte or 16 byte array.
Encode the Subject Alternative name extension.
Decode RawData if it has not been decoded yet.
Decode URI, DNS and IP from Subject Alternative Name.
Only general names relevant for Opc.Ua are decoded.
Initialize the Subject Alternative name extension.
The application Uri
The general names: DNS host names, IPv4 or IPv6 addresses.
Subject Alternate Name extension string definitions; see RFC 5280 4.2.1.7.
Builds a Certificate.
Create a Certificate builder.
Create a Certificate builder.
Initialize a Certificate builder.
Initialize a Certificate builder.
Create a Pfx with a private key by combining
an existing X509Certificate2 and an RSA private key.
Creates a certificate signing request from an
existing certificate with a private key.
Create a new serial number and validate lifetime.
Set all mandatory fields.
The cert generator
Create the extensions.
The cert generator.
The public key to use for the extensions.
Create the RSA certificate with a given public key.
The signed certificate.
Create the RSA certificate as Pfx byte array with a private key.
Returns the Pfx with certificate and private key.
Create a new random serial number.
Secure .NET Core random number generator wrapper for Bouncy Castle.
Creates an instance of RNGCryptoServiceProvider, or an OpenSSL based version on other operating systems.
Creates an instance of a cryptographically secure random number generator.
Dispose the random number generator.
Add more seed material to the generator. Not needed here.
Add more seed material to the generator. Not needed here.
Fills an array of bytes with a cryptographically strong
random sequence of values.
Array to be filled.
Fills an array of bytes with a cryptographically strong
random sequence of values.
Array to receive bytes.
Index to start filling at.
Length of segment to fill.
A converter class to create an X509Name object
from an X509Certificate subject.
Handles subtle differences in the string representation
of the .NET and the Bouncy Castle implementation.
Create the X509Name from a distinguished name.
The distinguished name.
Create the X509Name from a distinguished name.
Reverse the order of the names.
The distinguished name.
Helper functions for X509 extensions using Org.BouncyCastle.
Build the Subject Alternate Name.
Helper to build the alternate name domains list for certificates.
The signature factory for Bouncy Castle to sign a digest with a KeyVault key.
Constructor which also specifies a source of randomness to be used if one is required.
The name of the signature algorithm to use.
The signature generator.
Signs a Bouncy Castle digest stream with the .Net X509SignatureGenerator.
Constructor for the stream calculator.
The X509SignatureGenerator to sign the digest.
The hash algorithm to use for the signature.
The digest stream (MemoryStream).
Callback signs the digest with X509SignatureGenerator.
Helper for Bouncy Castle signing operation to store the result in a memory block.
Helpers to create certificates, CRLs and extensions.
Create a Pfx blob with a private key by combining
a bouncy castle X509Certificate and a private key.
Helper to get the Bouncy Castle hash algorithm name by .NET name.
Get public key parameters from an X509Certificate2.
Get public key parameters from an RSA.
Get private key parameters from an X509Certificate2.
The private key must be exportable.
Get private key parameters from an RSA private key.
The private key must be exportable.
Get the serial number from a certificate as BigInteger.
Read the Common Name from a certificate.
Methods to read PEM data.
Import a private key from PEM.
Wrapper for a password string.
Write certificate data in PEM format.
Returns a byte array containing the CSR in PEM format.
Returns a byte array containing the cert in PEM format.
Returns a byte array containing the private key in PEM format.
Builds a Certificate.
Initialize a Certificate builder.
Initialize a Certificate builder.
Default constructor.
The issuer CA certificate.
Validate and adjust settings to avoid creation of invalid certificates.
Create a new cryptographic random serial number.
If the certificate is a CA.
The path length constraint to use for a CA.
The serial number length in octets.
If the serial number is preset by the user.
The serial number as a little endian byte array.
The collection of X509Extension to add to the certificate.
The RSA public key to use when a certificate is signed.
The size of an RSA key pair to create.
The certificate builder interface.
The interface to set an issuer.
The interface to set a public key.
The interface to set key parameters.
The interface to create a certificate.
The interface to use a signature generator.
The interface to create an RSA based certificate.
The interface to set the mandatory certificate
fields for a certificate builder.
Set the length of the serial number.
The length of the serial number shall
not exceed the maximum supported serial number length in octets.
Set the value of the serial number directly
using a byte array.
The length of the serial number shall
not exceed the maximum supported serial number length in octets.
The serial number as an array of bytes in little endian order.
Create a new serial number and preserve
it until the certificate is created.
The serial number may be needed to create an extension.
This function makes it available before the
cert is created.
Set the date when the certificate becomes valid.
The date.
Set the certificate expiry date.
The date after which the certificate is expired.
Set the lifetime of the certificate using Timespan.
The lifetime as a TimeSpan.
Set the lifetime of the certificate in months, starting now.
The lifetime in months.
Set the hash algorithm to use for the signature.
The hash algorithm name.
Set the CA flag and the path length constraints of the certificate.
The path length constraint to use.
-1 corresponds to None, other values constrain the chain length.
Add an extension to the certificate in addition to the default extensions.
By default the following X509 extensions are added to a certificate,
some depending on certificate type:
CA/SubCA/OPC UA application:
X509BasicConstraintsExtension
X509SubjectKeyIdentifierExtension
X509AuthorityKeyIdentifierExtension
X509KeyUsageExtension
OPC UA application:
X509SubjectAltNameExtension
X509EnhancedKeyUsageExtension
Adding a default extension to the list overrides the default
value of that extension.
Adding an extension with an already existing Oid overrides
the existing extension in the list.
The extension to add
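The following is an added example and not code from the OPC UA stack or this library: it creates a self-signed OPC UA application instance certificate carrying exactly the default extensions listed above (BasicConstraints, SubjectKeyIdentifier, AuthorityKeyIdentifier, KeyUsage, SubjectAltName, EnhancedKeyUsage) using only the .NET BCL, so it can be compared against what the builder produces. It assumes .NET 7 or later (for X509AuthorityKeyIdentifierExtension); the subject name, application URI and domain names are constructed sample values, and the two TLS authentication OIDs are the ones named on this page.

```csharp
// Added example, not code from the OPC UA stack: creates a self-signed OPC UA
// application instance certificate carrying the default extensions listed above.
// Uses only the .NET BCL (X509AuthorityKeyIdentifierExtension needs .NET 7 or later);
// subject, application URI and domain names are constructed sample values.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class OpcUaApplicationCertExample
{
    // Enhanced key usage OIDs named on this page: TLS WWW server and client authentication.
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    public static X509Certificate2 CreateApplicationCertificate(
        string subjectName, string applicationUri, string[] domainNames,
        int keySize = 2048, int lifetimeMonths = 12)
    {
        using RSA rsa = RSA.Create(keySize);
        var request = new CertificateRequest(
            subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // X509BasicConstraintsExtension: an application certificate is never a CA.
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(
            certificateAuthority: false, hasPathLengthConstraint: false,
            pathLengthConstraint: 0, critical: true));

        // X509SubjectKeyIdentifierExtension, derived from the public key.
        var ski = new X509SubjectKeyIdentifierExtension(request.PublicKey, critical: false);
        request.CertificateExtensions.Add(ski);

        // X509AuthorityKeyIdentifierExtension: self-signed, so it mirrors the subject key id.
        request.CertificateExtensions.Add(
            X509AuthorityKeyIdentifierExtension.CreateFromSubjectKeyIdentifier(ski));

        // X509KeyUsageExtension: signing plus key/data encipherment for secure channels.
        request.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation |
            X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment,
            critical: true));

        // X509SubjectAltNameExtension: the application URI first, then DNS names
        // and IPv4/IPv6 addresses, the three general name kinds this library decodes.
        var san = new SubjectAlternativeNameBuilder();
        san.AddUri(new Uri(applicationUri));
        foreach (string domain in domainNames)
        {
            if (IPAddress.TryParse(domain, out IPAddress? address))
                san.AddIpAddress(address);
            else
                san.AddDnsName(domain);
        }
        request.CertificateExtensions.Add(san.Build(critical: false));

        // X509EnhancedKeyUsageExtension: server and client authentication.
        request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(ServerAuthOid), new Oid(ClientAuthOid) },
            critical: true));

        // CreateSelfSigned picks a random serial number and copies the private key
        // into the returned certificate, so disposing rsa afterwards is safe.
        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddDays(-1);
        return request.CreateSelfSigned(notBefore, notBefore.AddMonths(lifetimeMonths));
    }

    // The same serial number in the two byte orders this library documents:
    // SerialNumber is a big-endian hex string, GetSerialNumber() is little-endian bytes.
    public static (string BigEndianHex, byte[] LittleEndian) SerialNumberForms(X509Certificate2 cert)
        => (cert.SerialNumber, cert.GetSerialNumber());

    public static void Main()
    {
        using X509Certificate2 cert = CreateApplicationCertificate(
            "CN=ExampleApp, O=Example Org",                          // constructed subject
            "urn:example.org:ExampleApp",                            // constructed application URI
            new[] { "example.org", "192.0.2.10", "2001:db8::10" });  // constructed domains

        foreach (X509Extension ext in cert.Extensions)
            Console.WriteLine($"{ext.Oid?.Value} ({ext.Oid?.FriendlyName}) critical={ext.Critical}");

        var (hex, le) = SerialNumberForms(cert);
        Console.WriteLine($"serial big-endian hex: {hex}");
        Console.WriteLine($"serial little-endian:  {Convert.ToHexString(le)}");
    }
}
```

Listing the extensions of the result is a quick way to check that a certificate produced by the builder has the same six OIDs and criticality flags; the SerialNumberForms helper shows why the library documents serial numbers in both orders, since the little-endian byte array and the big-endian hex string of the same certificate are reversals of each other.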
The interface to select an issuer for the cert builder.
Set the issuer certificate which is used to sign the certificate.
The issuer certificate must contain a private key which matches
the selected signing algorithm if no generator is available.
If a signature generator is used for signing,
the issuer certificate can be set with a public key only to create
the X509 extensions.
The issuer certificate.
The interface to select the RSA key size parameter.
Set the RSA key size in bits.
The size of the RSA key.
The interface to set a RSA public key for a certificate.
Set the public key using an ASN.1 encoded byte array.
The public key as encoded byte array.
Set the public key using a RSA public key.
The RSA public key.
The interface to create a certificate using the RSA algorithm.
Create the RSA certificate with signature.
The signed certificate.
The interface to create a certificate using a signature generator.
Create the RSA certificate with signature using an external generator.
The signed certificate.
Properties of a X.509v3 certificate.
The subject distinguished name from a certificate.
The distinguished name of the certificate issuer.
The date in UTC time on which a certificate becomes valid.
The date in UTC time after which a certificate is no longer valid.
The serial number of the certificate
as a big-endian hexadecimal string.
The serial number of the certificate
as an array of bytes in little-endian order.
The hash algorithm used to create the signature.
A collection of X509 extensions.
Utilities to create a Pfx.
The size of the block used to test a sign or encrypt operation.
Return the key usage flags of a certificate.
Verify RSA key pair of two certificates.
Creates a certificate from a PKCS #12 store with a private key.
The raw PKCS #12 store data.
The password to use to access the store.
The certificate with a private key.
Verify an RSA key pair using encryption.
Verify an RSA key pair using a signature.
Builds a CRL.
Create a CRL builder initialized with a decoded CRL.
The decoded CRL
Initialize the CRL builder with Issuer.
Issuer name
Initialize the CRL builder with Issuer and hash algorithm.
Issuer distinguished name
The signing algorithm to use.
Create a CRL builder initialized with a decoded CRL.
The decoded CRL
Initialize the CRL builder with Issuer.
Issuer name
Initialize the CRL builder with Issuer and hash algorithm.
Issuer distinguished name
The signing algorithm to use.
Default constructor.
Set this update time.
Set next update time (optional).
Set the hash algorithm.
Add an array of serial numbers of revoked certificates.
The array of serial numbers to revoke.
The revocation reason
Add a revoked certificate.
The certificate to revoke.
The revocation reason
Add a revoked certificate.
Add a list of revoked certificates.
Add a revoked certificate.
Create the CRL with signature generator.
The RSA or ECDsa signature generator to use.
The signed CRL.
Create the CRL with signature for RSA.
The signed CRL.
Constructs Certificate Revocation List raw data in X509 ASN.1 format.
CRL fields -- https://tools.ietf.org/html/rfc5280#section-5.1
CertificateList ::= SEQUENCE {
tbsCertList TBSCertList,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
TBSCertList ::= SEQUENCE {
version Version OPTIONAL,
-- if present, MUST be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, version MUST be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, version MUST be v2
}
CRL Reason codes.
id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
-- reasonCode::= { CRLReason }
CRLReason::= ENUMERATED {
unspecified(0),
keyCompromise(1),
cACompromise(2),
affiliationChanged(3),
superseded(4),
cessationOfOperation(5),
certificateHold(6),
--value 7 is not used
removeFromCRL(8),
privilegeWithdrawn(9),
aACompromise(10) }
Provides access to an X509 CRL object.
The name of the issuer for the CRL.
The name of the issuer for the CRL.
When the CRL was last updated.
When the CRL is due for its next update.
The hash algorithm used to sign the CRL.
The revoked user certificates
The X509Extensions of the CRL.
The raw data for the CRL.
Represents a revoked certificate in the
revoked certificates sequence of a CRL.
CRL fields -- https://tools.ietf.org/html/rfc5280#section-5.1
...
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, version MUST be v2
} OPTIONAL,
...
Construct a revoked certificate with serial number,
the current UTC time and the CRL reason.
The serial number
The reason for revocation
Construct a revoked certificate with serial number,
the current UTC time and the CRL reason.
The serial number
The reason for revocation
Construct a minimal revoked certificate
with serial number and the current UTC time.
Construct a minimal revoked certificate
with serial number and the current UTC time.
The serial number of the revoked certificate as
big endian hex string.
The serial number of the revoked user certificate
as a little endian byte array.
The UTC time of the revocation event.
The list of crl entry extensions.
Decodes an X509 CRL and provides access to its information.
Loads a CRL from a file.
Loads a CRL from a memory buffer.
Create CRL from IX509CRL interface.
Default constructor, also internal test hook.
Verifies the signature on the CRL.
Returns true if the certificate is revoked in the CRL.
Decode the complete CRL.
The raw signed CRL
Decode the Tbs of the CRL.
The raw TbsCertList of the CRL.
Decode RawData if it has not been decoded yet.
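The following is an added example, not code from the OPC UA stack or this library, serving the CertificateList/TBSCertList structure, the revokedCertificates entry structure and the CRL decoder described above: it builds a CRL with the .NET 7+ CertificateRevocationListBuilder and then walks the TBSCertList fields with System.Formats.Asn1.AsnReader in the order the ASN.1 definition gives them, pulling the serial number, revocation date and CRL reason code out of each revoked entry. The issuer CA, the revoked serial number (assumed here to be passed big-endian, as the INTEGER content) and the dates are constructed sample values; the reason code OID 2.5.29.21 is the one from the CRLReason definition on this page.

```csharp
// Added example, not code from the OPC UA stack: builds a CRL with the .NET 7+
// CertificateRevocationListBuilder and then walks the TBSCertList fields of the
// ASN.1 structure quoted above with System.Formats.Asn1.AsnReader.
// The issuer CA, the revoked serial number and the dates are constructed sample values.
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CrlDecodeExample
{
    const string CrlReasonOid = "2.5.29.21";  // id-ce-cRLReasons, as in the CRLReason definition

    public record RevokedEntry(string SerialHex, DateTimeOffset RevocationDate, int? ReasonCode);

    // Constructed self-signed CA carrying the SKI and CrlSign usage the CRL builder relies on.
    public static X509Certificate2 CreateIssuerCa()
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=Example Issuer CA", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    // Serial number bytes are assumed big-endian here (the INTEGER content bytes).
    public static byte[] BuildCrl(X509Certificate2 issuer, byte[] revokedSerialBigEndian)
    {
        var builder = new CertificateRevocationListBuilder();
        builder.AddEntry(revokedSerialBigEndian, DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
        return builder.Build(issuer, crlNumber: BigInteger.One,
            nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
            hashAlgorithm: HashAlgorithmName.SHA256, rsaSignaturePadding: RSASignaturePadding.Pkcs1);
    }

    // TBSCertList ::= SEQUENCE { version?, signature, issuer, thisUpdate, nextUpdate?,
    //                            revokedCertificates?, crlExtensions [0]? }
    public static List<RevokedEntry> DecodeRevokedCertificates(
        byte[] crlDer, out string issuerName, out DateTimeOffset thisUpdate)
    {
        AsnReader certList = new AsnReader(crlDer, AsnEncodingRules.DER).ReadSequence();
        AsnReader tbs = certList.ReadSequence();
        if (tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Integer))
            tbs.ReadInteger();                          // version, OPTIONAL (1 == v2)
        tbs.ReadSequence();                             // signature AlgorithmIdentifier, skipped here
        issuerName = new X500DistinguishedName(tbs.ReadEncodedValue().ToArray()).Name;
        thisUpdate = ReadTime(tbs);
        if (IsTime(tbs)) ReadTime(tbs);                 // nextUpdate, OPTIONAL

        var entries = new List<RevokedEntry>();
        if (tbs.HasData && tbs.PeekTag().HasSameClassAndValue(Asn1Tag.Sequence))
        {
            AsnReader revoked = tbs.ReadSequence();     // revokedCertificates SEQUENCE OF SEQUENCE
            while (revoked.HasData)
            {
                AsnReader entry = revoked.ReadSequence();
                BigInteger serial = entry.ReadInteger();                 // userCertificate
                DateTimeOffset date = ReadTime(entry);                   // revocationDate
                int? reason = entry.HasData ? ReadReasonCode(entry.ReadSequence()) : null;
                entries.Add(new RevokedEntry(
                    Convert.ToHexString(serial.ToByteArray(isUnsigned: true, isBigEndian: true)), date, reason));
            }
        }
        // crlExtensions [0] EXPLICIT (CRL number, authority key identifier) follow here; not decoded.
        return entries;
    }

    // Extensions ::= SEQUENCE OF { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING };
    // the reason code is a DER ENUMERATED carried inside the OCTET STRING.
    static int? ReadReasonCode(AsnReader extensions)
    {
        int? reason = null;
        while (extensions.HasData)
        {
            AsnReader ext = extensions.ReadSequence();
            string oid = ext.ReadObjectIdentifier();
            if (ext.PeekTag().HasSameClassAndValue(Asn1Tag.Boolean)) ext.ReadBoolean();
            byte[] value = ext.ReadOctetString();
            if (oid == CrlReasonOid)
                reason = new AsnReader(value, AsnEncodingRules.DER).ReadEnumeratedBytes().Span[0];
        }
        return reason;
    }

    static bool IsTime(AsnReader r) => r.HasData &&
        (r.PeekTag().HasSameClassAndValue(Asn1Tag.UtcTime) || r.PeekTag().HasSameClassAndValue(Asn1Tag.GeneralizedTime));

    static DateTimeOffset ReadTime(AsnReader r) =>
        r.PeekTag().HasSameClassAndValue(Asn1Tag.UtcTime) ? r.ReadUtcTime() : r.ReadGeneralizedTime();

    public static void Main()
    {
        using X509Certificate2 ca = CreateIssuerCa();
        byte[] revokedSerial = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };  // constructed
        byte[] crl = BuildCrl(ca, revokedSerial);
        foreach (RevokedEntry e in DecodeRevokedCertificates(crl, out string issuer, out DateTimeOffset updated))
            Console.WriteLine($"{issuer} @ {updated:u}: serial {e.SerialHex} revoked {e.RevocationDate:u} reason {e.ReasonCode}");
    }
}
```

Time fields are read through a helper because RFC 5280 lets each Time be either UTCTime or GeneralizedTime, and the optional fields (version, nextUpdate, revokedCertificates) are detected by peeking at the next tag rather than assumed, which is the same care a CRL decoder needs when it checks whether a certificate is revoked.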
Describes the three required fields of an X509 Certificate and CRL.
The field contains the ASN.1 data to be signed.
The signature of the data.
The encoded signature algorithm that was used for signing.
The signature algorithm as Oid string.
The hash algorithm used for signing.
Initialize and decode the sequence with binary ASN.1 encoded CRL or certificate.
Initialize the X509 signature values.
The data to be signed.
The signature of the data.
The algorithm used to create the signature.
Encode the Tbs with a signature in ASN.1 format.
X509 ASN.1 format of EncodedData + SignatureOID + Signature bytes.
Decoder for the signature sequence.
The encoded CRL or certificate sequence.
Verify the signature with the public key of the signer.
true if the signature is valid.
Verify the signature with the RSA public key of the signer.
Verify the signature with the ECC public key of the signer.
Decode the algorithm that was used for signing.
The ASN.1 encoded algorithm oid.
Encode an ECDSA signature as ASN.1.
The signature to encode as ASN.1.
Decode an ECDSA signature from ASN.1.
The signature to decode from ASN.1.
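The following is an added example and not code from the OPC UA stack or this library. It shows the conversion the last two members describe: .NET's ECDsa.SignData returns the signature as the raw r||s concatenation, while an X.509 certificate or CRL carries it as a DER SEQUENCE of two INTEGERs, so both directions are implemented with System.Formats.Asn1 and checked by verifying both forms with the same key. The P-256 key and the signed message are constructed; the EncodeDer/DecodeDer names are this example's own.

```csharp
// Added example, not code from the OPC UA stack: converts an ECDSA signature between
// the raw r||s form .NET produces and the DER SEQUENCE { r INTEGER, s INTEGER } form
// that X.509 carries, and verifies both forms. Key and message are constructed.
using System;
using System.Formats.Asn1;
using System.Numerics;
using System.Security.Cryptography;
using System.Text;

static class EcdsaSignatureAsnExample
{
    // r||s (IEEE P1363, fixed width) -> DER SEQUENCE of two positive INTEGERs.
    public static byte[] EncodeDer(byte[] rs)
    {
        int half = rs.Length / 2;
        var writer = new AsnWriter(AsnEncodingRules.DER);
        writer.PushSequence();
        writer.WriteInteger(new BigInteger(rs.AsSpan(0, half), isUnsigned: true, isBigEndian: true));
        writer.WriteInteger(new BigInteger(rs.AsSpan(half), isUnsigned: true, isBigEndian: true));
        writer.PopSequence();
        return writer.Encode();
    }

    // DER -> r||s with each integer left-padded to fieldSize bytes (32 for P-256).
    // Rejects trailing data and integers that do not fit the curve's field size.
    public static byte[] DecodeDer(byte[] der, int fieldSize)
    {
        var reader = new AsnReader(der, AsnEncodingRules.DER);
        AsnReader seq = reader.ReadSequence();
        BigInteger r = seq.ReadInteger();
        BigInteger s = seq.ReadInteger();
        seq.ThrowIfNotEmpty();
        reader.ThrowIfNotEmpty();
        byte[] rs = new byte[2 * fieldSize];
        WritePadded(r, rs.AsSpan(0, fieldSize));
        WritePadded(s, rs.AsSpan(fieldSize));
        return rs;
    }

    static void WritePadded(BigInteger value, Span<byte> dest)
    {
        byte[] bytes = value.ToByteArray(isUnsigned: true, isBigEndian: true);
        if (bytes.Length > dest.Length)
            throw new CryptographicException("ECDSA integer exceeds the curve field size");
        dest.Clear();
        bytes.CopyTo(dest.Slice(dest.Length - bytes.Length));
    }

    // Signs a constructed message, converts the signature both ways and verifies each form.
    public static bool RoundTrip()
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] data = Encoding.ASCII.GetBytes("constructed test message");
        byte[] rs = key.SignData(data, HashAlgorithmName.SHA256);   // r||s, 64 bytes for P-256
        byte[] der = EncodeDer(rs);
        bool derOk = key.VerifyData(data, der, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
        bool rsOk = key.VerifyData(data, DecodeDer(der, 32), HashAlgorithmName.SHA256);
        return derOk && rsOk;
    }

    public static void Main() => Console.WriteLine($"round trip ok: {RoundTrip()}");
}
```

The DER side is variable length (a leading zero byte is added when the top bit of r or s is set, and leading zeros are otherwise dropped), which is why the decoder pads back to the field size instead of copying the integer bytes as they are; a verifier that skips that step will reject valid signatures whose r or s happens to be short.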