Beispiel #1
0
        private static void CertificateStatus(string[] serials = null)
        {
            if (serials == null || serials.Length == 0)
            {
                Console.WriteLine("Checking status of issued certificates ...");
                var myEncryptionCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
                var mySigningCert    = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
                serials = new string[] { HexToDec(myEncryptionCert.SerialNumber), HexToDec(mySigningCert.SerialNumber) };
            }
            else
            {
                Console.WriteLine("Checking status of provided serials certificates ...");
            }

            var res = PKIClient.CertificateStatus(serials, KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
                return;
            }

            foreach (var certStatus in res.Response.CertificateStatusResponse.CertificateStatus)
            {
                PrintCertInfo(certStatus);
            }
        }
        private static RenewCertificateResponse RenewCertificates(PKIClient client, CertStore store)
        {
            var myLoadedCryptoCert     = store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
            var myLoadedSigningCert    = store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
            var myGeneratedCryptoCert  = store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption);
            var myGeneratedSigningCert = store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning);

            // This issues a new set of certificates without revoking the old ones.
            var res = client.RenewCertificate(myLoadedSigningCert, myLoadedCryptoCert, KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                return(null);
            }

            // Read the x509 certificates returned from the server and attach the private keys
            X509Certificate2 issuedCryptoCertificate  = new X509Certificate2(res.Response.RenewCertificateResponse.EncryptionCert);
            X509Certificate2 issuedSigningCertificate = new X509Certificate2(res.Response.RenewCertificateResponse.SigningCert);

            // Set the private key on the X509Certificate2 instances, so we can easiliy store them
            issuedCryptoCertificate.PrivateKey  = myGeneratedCryptoCert.PrivateKey;
            issuedSigningCertificate.PrivateKey = myGeneratedSigningCert.PrivateKey;

            // Save the newly issued certificates in the certificate store
            store.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, issuedCryptoCertificate.Export(X509ContentType.Pkcs12));
            store.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, issuedSigningCertificate.Export(X509ContentType.Pkcs12));

            return(res.Response.RenewCertificateResponse);
        }
Beispiel #3
0
        private static void RevokeAllCertificates(string[] excludedSerials)
        {
            if (excludedSerials == null || excludedSerials.Length == 0)
            {
                var myEncryptionCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
                var mySigningCert    = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);

                Console.WriteLine("Revoking all certificates EXCEPT issued ones ...");
                excludedSerials = new string[]
                {
                    HexToDec(myEncryptionCert.SerialNumber),
                    HexToDec(mySigningCert.SerialNumber)
                };
            }
            else
            {
                Console.WriteLine("Revoking all not excluded certificates ...");
            }

            // Revoke all certificates except our initial ones.
            var res = PKIClient.RevokeAllCertificates(KeyGeneratorTypeType.software, excludedSerials);

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
                return;
            }

            Console.WriteLine("  Revoke was successful.");
        }
Beispiel #4
0
        private static void RevokeCertificates(string[] serials)
        {
            if (serials == null || serials.Length == 0)
            {
                var myEncryptionCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
                var mySigningCert    = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);

                Console.WriteLine("Revoking issued certificates ...");
                serials = new string[]
                {
                    HexToDec(myEncryptionCert.SerialNumber),
                    HexToDec(mySigningCert.SerialNumber)
                };
            }
            else
            {
                Console.WriteLine("Revoking provided serials certificates ...");
            }

            var res = PKIClient.RevokeCertificates(KeyGeneratorTypeType.software, serials);

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
                return;
            }

            Console.WriteLine("  Revoke was successful.");
        }
Beispiel #5
0
        private static void ObtainLatestBankCertificates()
        {
            /*
             * This obtains the latest certificates used by the bank.
             * They have a finite lifecycle, so they must be renewed a regular interval
             *  - Root certifiate: 10 years
             *  - Signing certificate: 2 years
             *  - Encryption certificate: 2 years
             */
            Console.WriteLine("Requesting bank certificates ...");

            // Obtain bank certificate
            var res = PKIClient.GetBankCertificate();

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
                return;
            }

            Console.WriteLine("  Retrieved new certificates from bank.");
            Console.WriteLine("Saving bank certificates ...");

            // Save the bank certificates
            CertStore.SetCertificate(CertStore.Certificiates.BankRoot, res.Response.GetBankCertificateResponse.BankRootCert);
            CertStore.SetCertificate(CertStore.Certificiates.BankEncryption, res.Response.GetBankCertificateResponse.BankEncryptionCert);
            CertStore.SetCertificate(CertStore.Certificiates.BankSigning, res.Response.GetBankCertificateResponse.BankSigningCert);
            Console.WriteLine(" Bank certificates successfully saved.");

            // Instruct the PKIClient to use the new certificates
            PKIClient.BankRootCertificate = CertStore.GetCertificate(CertStore.Certificiates.BankRoot);
            PKIClient.SetBankCertificates(CertStore.GetCertificate(CertStore.Certificiates.BankEncryption), CertStore.GetCertificate(CertStore.Certificiates.BankSigning));
            Console.WriteLine(" Using new bank certificates.");
        }
        private static WrappedResponse <CreateCertificateOutType> CreateCertificates(PKIClient client, string pin, CertStore store)
        {
            var myLoadedCryptoCert  = store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption);
            var myLoadedSigningCert = store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning);


            var res = client.CreateCertificate(myLoadedSigningCert, myLoadedCryptoCert, pin, KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                return(null);
            }

            return(res);
        }
        private static void CertificateStatus(PKIClient client, X509Certificate2 queryCert)
        {
            var res = client.CertificateStatus(new[] { HexToDec(queryCert.SerialNumber) }, KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                return;
            }

            foreach (var x in res.Response.CertificateStatusResponse.CertificateStatus)
            {
                Console.WriteLine(" - " + x.CertificateType);
                Console.WriteLine(" - " + x.Status.Item);
            }
        }
Beispiel #8
0
        private static void AllCertificiateStatus()
        {
            Console.WriteLine("Getting all our own certificates ...");
            var res = PKIClient.GetClientCertificateList(KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
            }

            foreach (var certStatus in res.Response.GetOwnCertificateListResponse.CertificateStatus)
            {
                PrintCertInfo(certStatus);
            }

            Console.WriteLine("Total certificates: " + res.Response.GetOwnCertificateListResponse.CertificateStatus.Length);
        }
        private static void GetOwnCertificiateList(PKIClient client)
        {
            var res = client.GetClientCertificateList(KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                return;
            }

            foreach (var certStatus in res.Response.GetOwnCertificateListResponse.CertificateStatus)
            {
                Console.WriteLine("Certificate:");
                Console.WriteLine(" - Serial: " + certStatus.CertificateSerialNo);
                Console.WriteLine(" - CertificateType: " + certStatus.CertificateType);
                Console.WriteLine(" - MatchingSerial: " + certStatus.MatchingCertificateSerialNo);
                Console.WriteLine(" - Status: " + certStatus.Status);
            }
        }
Beispiel #10
0
        private static CreateCertificateResponse CreateCertificates()
        {
            Console.WriteLine("Loading own certificates ...");
            var myLoadedCryptoCert  = CertStore.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption);
            var myLoadedSigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning);

            if (myLoadedCryptoCert == null || myLoadedSigningCert == null)
            {
                Console.WriteLine("Client generated certificates and private keys were not set in certificate CertStore.");
                Console.WriteLine("Please set the encryption and signing certificates in the \"DanskeBank.PKIFactory\" CertStore using the friendlyname names:");
                Console.WriteLine("  Signing: \"" + CertStore.Certificiates.ClientGeneratedSigning.ToString() + "\".");
                Console.WriteLine("  Encryption: \"" + CertStore.Certificiates.ClientGeneratedEncryption.ToString() + "\".");
                exitProgram(1);
                return(null);
            }

            Console.WriteLine("Sending certificate signing requests for own certificates ...");
            var res = PKIClient.CreateCertificate(myLoadedSigningCert, myLoadedCryptoCert, CustomerPIN, KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
                return(null);
            }

            // Read the x509 certificates returned from the server
            var issuedCryptoCert  = new X509Certificate2(res.Response.CreateCertificateResponse.EncryptionCert);
            var issuedSigningCert = new X509Certificate2(res.Response.CreateCertificateResponse.SigningCert);

            // Set the private key on the X509Certificate2 instances, so we can easily CertStore them
            issuedCryptoCert.PrivateKey  = myLoadedCryptoCert.PrivateKey;
            issuedSigningCert.PrivateKey = myLoadedSigningCert.PrivateKey;

            // Save the issued certificataes
            CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, issuedCryptoCert.Export(X509ContentType.Pkcs12));
            CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, issuedSigningCert.Export(X509ContentType.Pkcs12));

            Console.WriteLine("  Certificates created successfully.");
            return(res.Response.CreateCertificateResponse);
        }
Beispiel #11
0
        private static RenewCertificateResponse RenewCertificates()
        {
            Console.WriteLine("Renewing own certificates ...");

            var myIssuedCryptoCert  = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
            var myIssuedSigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);

            // This issues a new set of certificates without revoking the old ones.
            var res = PKIClient.RenewCertificate(myIssuedSigningCert, myIssuedCryptoCert, KeyGeneratorTypeType.software);

            if (!CheckForError(res))
            {
                exitProgram(Int32.Parse(res.Error.ReturnCode));
                return(null);
            }

            // backup old certificates
            CertStore.SetCertificate(CertStore.Certificiates.BackupClientIssuedEncryption, myIssuedCryptoCert.Export(X509ContentType.Pkcs12));
            CertStore.SetCertificate(CertStore.Certificiates.BackupClientIssuedSigning, myIssuedSigningCert.Export(X509ContentType.Pkcs12));

            // Read the x509 certificates returned from the server and attach the private keys
            X509Certificate2 newIssuedCryptoCert  = new X509Certificate2(res.Response.RenewCertificateResponse.EncryptionCert);
            X509Certificate2 newIssuedSigningCert = new X509Certificate2(res.Response.RenewCertificateResponse.SigningCert);

            // Set the private key on the X509Certificate2 instances, so we can easily store them
            newIssuedCryptoCert.PrivateKey  = myIssuedCryptoCert.PrivateKey;
            newIssuedSigningCert.PrivateKey = myIssuedSigningCert.PrivateKey;

            // Save the newly issued certificates in the certificate store
            CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, newIssuedCryptoCert.Export(X509ContentType.Pkcs12));
            CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, newIssuedSigningCert.Export(X509ContentType.Pkcs12));

            Console.WriteLine("  Renewal was successful.");

            return(res.Response.RenewCertificateResponse);
        }
        private static WrappedResponse <GetBankCertificateOutType> ObtainLatestBankCertificates(PKIClient client)
        {
            var res = client.GetBankCertificate();

            if (!CheckForError(res))
            {
                return(null);
            }

            return(res);
        }
        static void Main(string[] args)
        {
            var client = new PKIClient(Customer_Id);

            /*
             * Create a software based XML signing strategy
             * A custom implementation backed by a hardware security module could be used here instead
             */
            SoftwareBasedXmlSigningService xmlSigningStrategy = new SoftwareBasedXmlSigningService();

            client.SetXmlSigningService(xmlSigningStrategy);

            // Create a utility class for accessing the windows certificate store
            var store = new CertStore();

            X509Certificate2 rootCert = store.GetCertificate(CertStore.Certificiates.BankRoot);

            if (rootCert == null)
            {
                Console.WriteLine("Bank root certificate was not set in certificate store.");
                Console.WriteLine("Please set the correct bank root certificate in the \"DanskeBank.PKIFactory\" store using the friendlyname \"" + CertStore.Certificiates.BankRoot.ToString() + "\".");
                Console.ReadLine();
                return;
            }

            // Tell the client proxy to use the loaded root certificate
            client.SetBankRootCertificate(rootCert);

            #region Obtain bank certificates

            /*
             * This obtains the latest certificates used by the bank.
             * They have a finite lifecycle, so they must be renewed a regular interval
             *  - Root certifiate: 10 years
             *  - Signing certificate: 2 years
             *  - Encryption certificate: 2 years
             */
            Console.WriteLine("Requesting bank certificates ...");

            // Obtain bank certificate
            var res = ObtainLatestBankCertificates(client);
            if (res.IsSuccessful)
            {
                Console.WriteLine("  Retrieved new certificates from bank.");

                // Save the bank certificates
                Console.WriteLine("  Saving bank certificates ...");
                SaveBankCertificates(res.Response, store);
            }

            // Instruct the client to use the new certificates
            client.SetBankCertificates(store.GetCertificate(CertStore.Certificiates.BankEncryption), store.GetCertificate(CertStore.Certificiates.BankSigning));
            #endregion


            // Determine whether we have already been issued certificates from the bank by querying the key store
            bool mustRequestCertificates = store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning) == null ||
                                           store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption) == null;

            if (mustRequestCertificates)
            {
                if (store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption) == null ||
                    store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption) == null)
                {
                    Console.WriteLine("Client generated certificates and private keys were not set in certificate store.");
                    Console.WriteLine("Please set the encryption and signing certificates in the \"DanskeBank.PKIFactory\" store using the friendlyname names:");
                    Console.WriteLine("  Signing: \"" + CertStore.Certificiates.ClientGeneratedSigning.ToString() + "\".");
                    Console.WriteLine("  Encryption: \"" + CertStore.Certificiates.ClientGeneratedEncryption.ToString() + "\".");
                    Console.ReadLine();
                    return;
                }


                Console.WriteLine("Sending certificate signing requests for own certificates ...");
                var createCertRes = CreateCertificates(client, Customer_PIN, store);

                SaveClientCertificates(createCertRes.Response, store);
            }

            // Use the (potentially newly) issued certificates
            Console.WriteLine("Using certificates issued to client ...");
            xmlSigningStrategy.SetClientCertificate(store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning), (RSACryptoServiceProvider)store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey);

            // Check status of the certificates we're using
            Console.WriteLine("Checking status of own certificates ...");
            CertificateStatus(client, store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning));
            CertificateStatus(client, store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption));

            /*
             * Console.WriteLine("Getting all our own certificates");
             * GetOwnCertificiateList(client);
             */
            Console.WriteLine("Renewing own certificates");
            var renewedCerts = RenewCertificates(client, store);

            Console.WriteLine("Using certificates issued to client ...");
            xmlSigningStrategy.SetClientCertificate(new X509Certificate2(renewedCerts.SigningCert), (RSACryptoServiceProvider)store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey);


            // Revoke the newly renew'ed certificates
            // Note: Revoking this certificate will force you to request new certificates based on the locally generated ones
            // client.RevokeCertificates(KeyGeneratorTypeType.software, new[] { HexToDec(new X509Certificate2(renewedCerts.EncryptionCert).SerialNumber) });

            /*
             *  // Revoke all certificates except our initial ones.
             * client.RevokeAllCertificates(KeyGeneratorTypeType.software, new[] {
             *  new X509Certificate2(ownInitialEncryptionCert).SerialNumber,
             *  new X509Certificate2(ownInitialigningCert).SerialNumber,
             * });
             */


            Console.WriteLine("Press enter to close.");
            Console.ReadLine();
        }
Beispiel #14
0
        public static void Main(string[] args)
        {
            var curAction = ParseAction(args);

            if (curAction == ActionType.HELP)
            {
                displayHelpText();
                exitProgram();
                return;
            }

            // Create client that will perform calls to PKI factory
            PKIClient = new PKIClient(CustomerId);

            // Create a utility class for accessing the windows certificate store
            CertStore = new CertStore();

            /*
             * Create a software based XML signing strategy
             * A custom implementation backed by a hardware security module could be used here instead
             */
            PKIClient.XmlSigningService = new SoftwareBasedXmlSigningService();

            SetBankRootCertificate();
            ObtainLatestBankCertificates();

            if (curAction != ActionType.CREATE && curAction != ActionType.NONE)
            {
                UseIssuedCertificateForSigning();
            }

            switch (curAction)
            {
            case ActionType.NONE:
                // Do it all
                CreateCertificates();
                UseIssuedCertificateForSigning();
                RenewCertificates();
                UseIssuedCertificateForSigning();
                CertificateStatus(parseSerials(args));
                break;

            case ActionType.CREATE:
                CreateCertificates();
                break;

            case ActionType.RENEW:
                RenewCertificates();
                break;

            case ActionType.REVOKE:
                // Revoke the specified certificates
                // Note: Revoking latest issued certificate will force you to request new certificates based on the locally generated ones
                RevokeCertificates(parseSerials(args));
                break;

            case ActionType.REVOKEALL:
                // Revoke all certificates except with serials provided
                // Note: Revoking latest issued certificate will force you to request new certificates based on the locally generated ones
                RevokeAllCertificates(parseSerials(args));
                break;

            case ActionType.STATUS:
                CertificateStatus(parseSerials(args));
                break;

            case ActionType.STATUSALL:
                AllCertificiateStatus();
                break;
            }

            exitProgram();
        }