Opc.Ua.Security.Certificates

Converts a buffer to a hexadecimal string.
Converts a hexadecimal string to an array of bytes.

Writer for public key parameters; see https://www.itu.int/rec/T-REC-X.690-201508-I/en section 8.3 (Encoding of an integer value) (parameters: the writer; the key parameter).

Oid constants defined for ASN encoding/decoding:
  The Oid string of the Digital Signature Algorithm (DSA) subject public key.
  The Oid string for the RSA encryption scheme with PKCS#1.
  The Oid string for the RSA encryption scheme with OAEP.
  The Oid string for the RSA encryption scheme with PSS.
  The Oid string for RSA signature, PKCS#1 padding with SHA1 hash.
  The Oid string for RSA signature, PKCS#1 padding with SHA256 hash.
  The Oid string for RSA signature, PKCS#1 padding with SHA384 hash.
  The Oid string for RSA signature, PKCS#1 padding with SHA512 hash.
  The Oid string for an EC public key.
  The Oid string for ECDsa signature with SHA1 hash.
  The Oid string for ECDsa signature with SHA256 hash.
  The Oid string for ECDsa signature with SHA384 hash.
  The Oid string for ECDsa signature with SHA512 hash.
  The Oid string for the CRL extension of a CRL Number.
  The Oid string for the CRL extension of a CRL Reason Code.
  The Oid string for Transport Layer Security (TLS) World Wide Web (WWW) server authentication.
  The Oid string for Transport Layer Security (TLS) World Wide Web (WWW) client authentication.
  The Oid string for Authority Information Access.
  The Oid string for Online Certificate Status Protocol.
  The Oid string for Certificate Authority Issuer.
  The Oid string for CRL Distribution Point.
  Get the RSA oid for a hash algorithm signature (parameter: the hash algorithm name).
  Get the ECDsa oid for a hash algorithm signature (parameter: the hash algorithm name).
  Get the hash algorithm used to sign a certificate (parameter: the signature algorithm oid).

The defaults used in the library for certificates:
  The default key size for RSA certificates in bits. Supported values are 1024 (deprecated), 2048, 3072 or 4096.
  The min supported size for an RSA key.
  The max supported size for an RSA key.
  The default hash algorithm to use for signatures. Supported values are SHA-1 (deprecated) or 256, 384 and 512 for SHA-2.
  The default lifetime of certificates in months.
  The recommended min serial number length in octets.
  The max serial number length in octets.

The Opc.Ua.Security.Certificates namespace defines classes which can be used to implement functions to create X509 certificates, to encode and decode X509 Certificate Revocation Lists (CRL), X509 Certificate Signing Requests (CSR) and related X509 extensions needed for the OPC UA certificate specification.

Stores the authority key identifier extension.

    id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }

    KeyIdentifier ::= OCTET STRING

  Creates an empty extension.
  Creates an extension from ASN.1 encoded data.
  Build the X509 Authority Key extension (parameter: the subject key identifier).
  Build the X509 Authority Key extension (parameters: the subject key identifier as a byte array; the distinguished name of the issuer; the serial number of the issuer certificate as little endian byte array).
  Returns a formatted version of the Authority Key Identifier as a string.
  Initializes the extension from ASN.1 encoded data.
  The OID for an Authority Key Identifier extension.
  The alternate OID for an Authority Key Identifier extension.
  The identifier for the key as a little endian hexadecimal string.
  The identifier for the key as a byte array.
  A list of distinguished names for the issuer.
  The serial number of the authority key as a big endian hexadecimal string.
  The serial number of the authority key as a byte array in little endian order.
  Authority Key Identifier extension string definitions, see RFC 5280 4.2.1.1.

The CRL Number extension.

    id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

    CRLNumber ::= INTEGER (0..MAX)

  Creates an empty extension.
  Creates an extension from ASN.1 encoded data.
  Creates an extension from an Oid and ASN.1 encoded raw data.
  Build the CRL Number extension (for CRL extensions).
  Returns a formatted version of the Abstract Syntax Notation One (ASN.1)-encoded data as a string.
  Initializes the extension from ASN.1 encoded data.
  The OID for a CRL Number extension.
  Gets the CRL Number.
  Encode the CRL Number extension.
  Decode the CRL Number.
  CRL Number extension string definitions, see RFC 5280 5.2.3.

Supporting functions for X509 extensions.
  Find a typed extension in a certificate (parameters: the type of the extension; the certificate with extensions).
  Find a typed extension in an extension collection (parameters: the type of the extension; the extensions to search).
  Build the Authority Information Access extension (parameters: array of CA Issuer Urls; optional, the OCSP responder).
  Build the CRL Distribution Point extension (parameter: the CRL distribution point).
  Build the CRL Distribution Point extension with multiple distribution points (parameter: the CRL distribution points).
  Read an ASN.1 extension sequence as X509Extension object (parameter: the ASN reader).
  Write an extension object as ASN.1.
  Build the CRL Reason extension.
  Build the Authority Key Identifier from an issuer CA certificate (parameter: the issuer CA certificate).
  Build the CRL number.
  Patch serial number in a Url, byte version.
  Patch serial number in a Url, string version.

The subject alternate name extension.
    id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

    SubjectAltName ::= GeneralNames

    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

    GeneralName ::= CHOICE {
        otherName                 [0] OtherName,
        rfc822Name                [1] IA5String,
        dNSName                   [2] IA5String,
        x400Address               [3] ORAddress,
        directoryName             [4] Name,
        ediPartyName              [5] EDIPartyName,
        uniformResourceIdentifier [6] IA5String,
        iPAddress                 [7] OCTET STRING,
        registeredID              [8] OBJECT IDENTIFIER }

    OtherName ::= SEQUENCE {
        type-id OBJECT IDENTIFIER,
        value   [0] EXPLICIT ANY DEFINED BY type-id }

    EDIPartyName ::= SEQUENCE {
        nameAssigner [0] DirectoryString OPTIONAL,
        partyName    [1] DirectoryString }

  Creates an empty extension.
  Creates an extension from ASN.1 encoded data.
  Creates an extension from an Oid and ASN.1 encoded raw data.
  Build the Subject Alternative Name extension (for OPC UA application certs) (parameters: the application Uri; the domain names, i.e. DNS hostnames, IPv4 or IPv6 addresses).
  Returns a formatted version of the Abstract Syntax Notation One (ASN.1)-encoded data as a string.
  Initializes the extension from ASN.1 encoded data.
  The OID for a Subject Alternate Name extension.
  The OID for a Subject Alternate Name 2 extension.
  Gets the uris.
  Gets the domain names.
  Gets the IP addresses.
  Create a normalized IPv4 or IPv6 address from a 4 byte or 16 byte array.
  Encode the Subject Alternative Name extension.
  Encode a list of general names in a SAN builder (parameters: the subject alternative name builder; the general names to add).
  Decode RawData if it is not yet decoded.
  Decode URI, DNS and IP from Subject Alternative Name. Only general names relevant for Opc.Ua are decoded.
  Initialize the Subject Alternative Name extension (parameters: the application Uri; the general names, i.e. DNS hostnames, IPv4 or IPv6 addresses).
  Subject Alternate Name extension string definitions, see RFC 5280 4.2.1.7.

Methods to read PEM data.
  Import a PKCS#8 private key or RSA private key from PEM.
  The PKCS#8 private key may be encrypted using a password (parameters: the PEM data blob as byte array; the password to use, optional; returns the RSA private key).

Write certificate/CRL data in PEM format.
  Returns a byte array containing the CRL in PEM format.
  Returns a byte array containing the CSR in PEM format.
  Returns a byte array containing the cert in PEM format.
  Returns a byte array containing the public key in PEM format.
  Returns a byte array containing the RSA private key in PEM format.
  Returns a byte array containing the ECDsa private key in PEM format.
  Returns a byte array containing the private key in PEM format.

Builds a Certificate.
  Create a Certificate builder.
  Constructor of a Certificate builder.
  Create some defaults needed to build the certificate.
  Create the X509 extensions to build the certificate (parameters: a certificate request; whether the certificate is for ECDsa, not RSA).
  Set the basic constraints for various cases.

Builds a Certificate.
  Initialize a Certificate builder.
  Default constructor.
  The issuer CA certificate.
  Validate and adjust settings to avoid creation of invalid certificates.
  Create a new cryptographic random serial number.
  Whether the certificate is a CA.
  The path length constraint to use for a CA.
  The serial number length in octets.
  Whether the serial number is preset by the user.
  The serial number as a little endian byte array.
  The collection of X509Extension to add to the certificate.
  The RSA public key to use when a certificate is signed.
  The size of an RSA key pair to create.
  The ECDsa public key to use when a certificate is signed.
  The ECCurve to use.

The certificate builder interface.
  The interface to set an issuer.
  The interface to set a public key.
  The interface to set key parameters.
  The interface to create a certificate.
  The interface to use a signature generator.
  The interface to create an RSA based certificate.
  The interface to create an ECDSA based certificate.
The interface to set the mandatory certificate fields for a certificate builder.
  Set the length of the serial number. The length of the serial number shall not exceed the maximum serial number length in octets.
  Set the value of the serial number directly using a byte array. The length of the serial number shall not exceed the maximum serial number length in octets (parameter: the serial number as an array of bytes in little endian order).
  Create a new serial number and preserve it until the certificate is created. The serial number may be needed to create an extension; this function makes it available before the cert is created.
  Set the date when the certificate becomes valid (parameter: the date).
  Set the certificate expiry date (parameter: the date after which the certificate is expired).
  Set the lifetime of the certificate using a TimeSpan (parameter: the lifetime as a TimeSpan).
  Set the lifetime of the certificate in months starting now (parameter: the lifetime in months).
  Set the hash algorithm to use for the signature (parameter: the hash algorithm name).
  Set the CA flag and the path length constraints of the certificate (parameter: the path length constraint to use; -1 corresponds to None, other values constrain the chain length).
  Add an extension to the certificate in addition to the default extensions. By default the following X509 extensions are added to a certificate, some depending on certificate type:
    CA/SubCA/OPC UA application: X509BasicConstraintsExtension, X509SubjectKeyIdentifierExtension, X509AuthorityKeyIdentifierExtension, X509KeyUsageExtension
    OPC UA application: X509SubjectAltNameExtension, X509EnhancedKeyUsageExtension
  Adding a default extension to the list overrides the default value of that extension. Adding an extension with an already existing Oid overrides the existing extension in the list (parameter: the extension to add).

The interface to select an issuer for the cert builder.
  Set the issuer certificate which is used to sign the certificate. The issuer certificate must contain a private key which matches the selected sign algorithm if no generator is available.
  If a signature generator is used for signing, the issuer certificate can be set with a public key only, to create the X509 extensions (parameter: the issuer certificate).

The interface to select the RSA key size parameter.
  Set the RSA key size in bits (parameter: the size of the RSA key).

The interface to select the ECCurve.
  Set the ECC curve parameter (parameter: the ECCurve).

The interface to set an RSA public key for a certificate.
  Set the public key using an ASN.1 encoded byte array (parameter: the public key as encoded byte array).
  Set the public key using an RSA public key (parameter: the RSA public key).

The interface to set an ECDSA public key for a certificate.
  Set the public key using an ASN.1 encoded byte array (parameter: the public key as encoded byte array).
  Set the public key using an ECDSA public key (parameter: the ECDsa public key).

The interface to create a certificate using the RSA algorithm.
  Create the RSA certificate with signature (returns the signed certificate).

The interface to create a certificate using a signature generator.
  Create the RSA certificate with signature using an external generator (returns the signed certificate).

The interface to create a certificate using the ECDSA algorithm.
  Create the ECC certificate with signature (returns the signed certificate).

The interface to create a certificate using a signature generator for ECDSA.
  Create the ECDSA certificate with signature using an external generator (returns the signed certificate).

Properties of an X.509v3 certificate.
  The subject distinguished name from a certificate.
  The distinguished name of the certificate issuer.
  The date in UTC time on which a certificate becomes valid.
  The date in UTC time after which a certificate is no longer valid.
  The serial number of the certificate as a big-endian hexadecimal string.
  The serial number of the certificate as an array of bytes in little-endian order.
  The hash algorithm used to create the signature.
  A collection of X509 extensions.

Utilities to create a Pfx.
  The size of the block used to test a sign or encrypt operation.
  Return the key usage flags of a certificate.
  Verify the RSA key pair of two certificates.
  Creates a certificate from a PKCS #12 store with a private key (parameters: the raw PKCS #12 store data; the password to use to access the store; returns the certificate with a private key).
  Verify an RSA key pair using an encryption.
  Verify an RSA key pair using a signature.
  Verify the ECDsa key pair of two certificates.
  Verify an ECDsa key pair using a signature.

Builds a CRL.
  Create a CRL builder initialized with a decoded CRL (parameter: the decoded CRL).
  Initialize the CRL builder with issuer (parameter: issuer name).
  Initialize the CRL builder with issuer and hash algorithm (parameters: issuer distinguished name; the signing algorithm to use).
  Default constructor.
  Set this update time.
  Set next update time (optional).
  Set the hash algorithm.
  Add an array of serial numbers of revoked certificates (parameters: the array of serial numbers to revoke; the revocation reason).
  Add a revoked certificate (parameters: the certificate to revoke; the revocation reason).
  Add a list of revoked certificates.
  Create the CRL with a signature generator (parameter: the RSA or ECDsa signature generator to use; returns the signed CRL).
  Create the CRL with signature for RSA (returns the signed CRL).
  Create the CRL with signature for ECDsa (returns the signed CRL).

Constructs Certificate Revocation List raw data in X509 ASN format.
CRL fields -- https://tools.ietf.org/html/rfc5280#section-5.1

    CertificateList ::= SEQUENCE {
        tbsCertList        TBSCertList,
        signatureAlgorithm AlgorithmIdentifier,
        signatureValue     BIT STRING }

    TBSCertList ::= SEQUENCE {
        version             Version OPTIONAL,   -- if present, MUST be v2
        signature           AlgorithmIdentifier,
        issuer              Name,
        thisUpdate          Time,
        nextUpdate          Time OPTIONAL,
        revokedCertificates SEQUENCE OF SEQUENCE {
            userCertificate    CertificateSerialNumber,
            revocationDate     Time,
            crlEntryExtensions Extensions OPTIONAL   -- if present, version MUST be v2
        } OPTIONAL,
        crlExtensions       [0] EXPLICIT Extensions OPTIONAL   -- if present, version MUST be v2 }

  Write either a UTC time or a Generalized time, depending on whether the DateTime is before or after 2050 (parameters: the writer to write to; the date time to write).

CRL Reason codes.

    id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

    -- reasonCode ::= { CRLReason }
    CRLReason ::= ENUMERATED {
        unspecified          (0),
        keyCompromise        (1),
        cACompromise         (2),
        affiliationChanged   (3),
        superseded           (4),
        cessationOfOperation (5),
        certificateHold      (6),
        -- value 7 is not used
        removeFromCRL        (8),
        privilegeWithdrawn   (9),
        aACompromise        (10) }

Provides access to an X509 CRL object.
  The name of the issuer for the CRL.
  When the CRL was last updated.
  When the CRL is due for its next update.
  The hash algorithm used to sign the CRL.
  The revoked user certificates.
  The X509Extensions of the CRL.
  The raw data for the CRL.

Represents a revoked certificate in the revoked certificates sequence of a CRL.

CRL fields -- https://tools.ietf.org/html/rfc5280#section-5.1

    ...
    revokedCertificates SEQUENCE OF SEQUENCE {
        userCertificate    CertificateSerialNumber,
        revocationDate     Time,
        crlEntryExtensions Extensions OPTIONAL   -- if present, version MUST be v2
    } OPTIONAL,
    ...

  Construct a revoked certificate with serial number, actual UTC time and the CRL reason (parameters: the serial number; the reason for revocation).
  Construct a minimal revoked certificate with serial number and actual UTC time.
  The serial number of the revoked certificate as big endian hex string.
  The serial number of the revoked user certificate as a little endian byte array.
  The UTC time of the revocation event.
  The list of CRL entry extensions.

Decodes an X509 CRL and provides access to information.
  Loads a CRL from a file.
  Loads a CRL from a memory buffer.
  Create a CRL from the IX509CRL interface.
  Default constructor, also internal test hook.
  Verifies the signature on the CRL.
  Returns true if the certificate is revoked in the CRL.
  Decode the complete CRL (parameter: the raw signed CRL).
  Decode the Tbs of the CRL (parameter: the raw TbsCertList of the CRL).
  Read the time, UTC or local time (returns the DateTime representing the tag).
  Decode RawData if it is not yet decoded.

A collection of X509CRL.
  Gets or sets the element at the specified index (parameter: the zero-based index of the element to get or set).
  Create an empty X509CRL collection.
  Create a CRL collection from a single CRL.
  Create a CRL collection from a CRL collection.
  Create a collection from an array.
  Converts an array to a collection.

Describes the three required fields of an X509 Certificate and CRL.
  The field contains the ASN.1 data to be signed.
  The signature of the data.
  The encoded signature algorithm that was used for signing.
  The signature algorithm as Oid string.
  The hash algorithm used for signing.
  Initialize and decode the sequence with binary ASN.1 encoded CRL or certificate.
  Initialize the X509 signature values (parameters: the data to be signed; the signature of the data; the algorithm used to create the signature).
  Encode Tbs with a signature in ASN format: X509 ASN format of EncodedData + SignatureOID + Signature bytes.
  Decoder for the signature sequence (parameter: the encoded CRL or certificate sequence).
  Verify the signature with the public key of the signer.
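As an added example, not code from the Opc.Ua.Security.Certificates library (which is written in C#), the following Python encodes and decodes one revokedCertificates entry of the CRL structure quoted above, applying the three rules the page cites: X.690 8.3 INTEGER encoding for the serial number, the RFC 5280 Time choice (UTCTime before 2050, GeneralizedTime from 2050 on) and the reasonCode crlEntryExtension as a CRLReason ENUMERATED. The sample serial, dates and reason are constructed here; the "big endian hex" serial it returns is simply the DER content octets, not any particular library property.

```python
from datetime import datetime, timezone
ID_CE_CRL_REASONS = b"\x06\x03\x55\x1d\x15"  # DER OBJECT IDENTIFIER for 2.5.29.21 (id-ce 21)
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
              3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
              6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
              10: "aACompromise"}  # value 7 is not used

def tlv(tag: int, body: bytes) -> bytes:
    """Tag + X.690 8.1.3 length (short form below 128, long form above) + content."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_integer(value: int) -> bytes:
    """X.690 8.3: shortest two's complement; a leading 0x00 keeps a high-bit value positive."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def der_time(when: datetime) -> bytes:
    """RFC 5280 4.1.2.5: UTCTime through 2049, GeneralizedTime from 2050; `when` is tz-aware."""
    when = when.astimezone(timezone.utc)
    if when.year < 2050:
        return tlv(0x17, when.strftime("%y%m%d%H%M%SZ").encode())
    return tlv(0x18, when.strftime("%Y%m%d%H%M%SZ").encode())

def revoked_entry(serial: int, revoked_at: datetime, reason: int) -> bytes:
    """SEQUENCE { userCertificate, revocationDate, crlEntryExtensions } with one reasonCode."""
    if reason not in CRL_REASON:
        raise ValueError(f"{reason} is not a CRLReason value")
    ext = tlv(0x30, ID_CE_CRL_REASONS + tlv(0x04, tlv(0x0A, bytes([reason]))))  # non-critical
    return tlv(0x30, der_integer(serial) + der_time(revoked_at) + tlv(0x30, ext))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content octets, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_entry(entry: bytes) -> dict:
    """Decode revoked_entry() output: serial as big-endian hex, UTC date, reason name."""
    _, body, _ = read_tlv(entry)
    _, serial, pos = read_tlv(body)
    ttag, t, pos = read_tlv(body, pos)
    t = t.decode()
    if ttag == 0x17:  # UTCTime: RFC 5280 reads YY >= 50 as 19YY and YY < 50 as 20YY
        t = ("19" if int(t[:2]) >= 50 else "20") + t
    when = datetime.strptime(t, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    _, exts, _ = read_tlv(body, pos)
    _, ext, _ = read_tlv(exts)
    _, _, p = read_tlv(ext)          # extnID; `critical` is absent (DEFAULT FALSE)
    _, octets, _ = read_tlv(ext, p)  # extnValue wraps the ENUMERATED
    _, enum, _ = read_tlv(octets)
    return {"serial": serial.hex().upper(), "date": when, "reason": CRL_REASON[enum[0]]}

LAST_UTCTIME = datetime(2049, 12, 31, 23, 59, 59, tzinfo=timezone.utc)  # constructed samples
FIRST_GENERALIZEDTIME = datetime(2050, 1, 1, tzinfo=timezone.utc)       # either side of 2050
SAMPLE_ENTRY = revoked_entry(128, datetime(2024, 5, 6, 7, 8, 9, tzinfo=timezone.utc), 1)
```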
  Returns true if the signature is valid.
  Verify the signature with the RSA public key of the signer.
  Verify the signature with the ECC public key of the signer.
  Decode the algorithm that was used for encoding (parameter: the ASN.1 encoded algorithm oid).
  Encode an ECDSA signature as ASN.1 (parameter: the signature to encode as ASN.1).
  Decode an ECDSA signature from ASN.1 (parameters: the signature to decode from ASN.1; the key size in bits).