public TClass ExecuteSymKeyEncryption <TClass>(RestRequest request, string body) where TClass : new()
{
request.AddHeader("client", DtoGobalSettings.ClientIdentity.Name);
request.AddHeader("identifier", DtoGobalSettings.ClientIdentity.Guid);
var serviceSetting = new ServiceSetting();
var entropy = serviceSetting.GetSetting("entropy");
var encryptedKey = serviceSetting.GetSetting("encryption_key");
var decryptedKey = ServiceDP.DecryptData(Convert.FromBase64String(encryptedKey.Value), true,
Convert.FromBase64String(entropy.Value));
if (!string.IsNullOrEmpty(body))
{
var encryptedContent = new ServiceSymmetricEncryption().EncryptData(decryptedKey, body);
request.AddParameter("text/xml", encryptedContent, ParameterType.RequestBody);
}
var deviceThumbprint = new ServiceSetting().GetSetting("device_thumbprint");
var deviceCert = ServiceCertificate.GetCertificateFromStore(deviceThumbprint.Value, StoreName.My);
if (deviceCert == null)
{
return(default(TClass));
}
var encryptedCert = new ServiceSymmetricEncryption().EncryptData(decryptedKey,
Convert.ToBase64String(deviceCert.RawData));
request.AddHeader("device_cert", Convert.ToBase64String(encryptedCert));
return(SubmitRequest <TClass>(request, decryptedKey));
}
public bool DownloadFile(RestRequest request, string body, string destination)
{
if (string.IsNullOrEmpty(body))
{
throw new ArgumentException("body");
}
request.AddHeader("client", DtoGobalSettings.ClientIdentity.Name);
request.AddHeader("identifier", DtoGobalSettings.ClientIdentity.Guid);
var serviceSetting = new ServiceSetting();
var entropy = serviceSetting.GetSetting("entropy");
var encryptedKey = serviceSetting.GetSetting("encryption_key");
var decryptedKey = ServiceDP.DecryptData(Convert.FromBase64String(encryptedKey.Value), true,
Convert.FromBase64String(entropy.Value));
var encryptedContent = new ServiceSymmetricEncryption().EncryptData(decryptedKey, body);
request.AddParameter("text/xml", encryptedContent, ParameterType.RequestBody);
var deviceThumbprint = new ServiceSetting().GetSetting("device_thumbprint");
var deviceCert = ServiceCertificate.GetCertificateFromStore(deviceThumbprint.Value, StoreName.My);
if (deviceCert == null)
{
return(false);
}
var encryptedCert = new ServiceSymmetricEncryption().EncryptData(decryptedKey,
Convert.ToBase64String(deviceCert.RawData));
request.AddHeader("device_cert", Convert.ToBase64String(encryptedCert));
try
{
_log.Debug(request.Resource);
using (var stream = File.Create(destination, 4096))
{
request.ResponseWriter = (responseStream) => responseStream.CopyTo(stream);
_client.DownloadData(request);
if (stream.Length == 0)
{
//something went wrong, rest sharp can't display any other info with downloaddata, so we don't know why
return(false);
}
}
return(true);
}
catch (Exception ex)
{
_log.Error("Could Not Save File: " + destination);
_log.Error(ex.Message);
return(false);
}
}
public StringContent ResponseHandler(Task <HttpResponseMessage> task, byte[] key, EntityComputer computer)
{
//encrypt the response back to the client
//var headers = task.Result.ToString();
if (task.Result.Content != null)
{
Logger.Debug($"ID: {logId} - Encrypting response body");
var body = task.Result.Content.ReadAsStringAsync().Result;
Logger.Debug($"ID: {logId} - {body}");
var encryptedContent = new ServiceSymmetricEncryption().EncryptData(key, body);
var signature = new ServiceCertificate().SignMessage(Convert.ToBase64String(encryptedContent),
computer);
var jsonResp = new DtoApiStringResponse();
jsonResp.Value = Convert.ToBase64String(encryptedContent);
task.Result.Headers.Add("client_signature", Convert.ToBase64String(signature));
return(new StringContent(JsonConvert.SerializeObject(jsonResp), Encoding.UTF8, "application/json"));
}
else
{
return(null);
}
}
private TClass SubmitRequest <TClass>(RestRequest request, byte[] encKey = null) where TClass : new()
{
if (request == null)
{
_log.Error("Could Not Execute API Request. The Request was empty." + new TClass().GetType());
return(default(TClass));
}
_log.Debug(request.Resource);
var response = _client.Execute <TClass>(request);
if (response == null)
{
_log.Error("Could Not Complete API Request. The Response was empty." + request.Resource);
return(default(TClass));
}
if (response.StatusCode == HttpStatusCode.InternalServerError)
{
_log.Error("Could Not Complete API Request. The Response Produced An Error." + request.Resource);
_log.Error(response.Content);
try
{
if (encKey != null)
{
var encryptedresponse = JsonConvert.DeserializeObject <DtoStringResponse>(response.Content);
var content = new ServiceSymmetricEncryption().Decrypt(encKey,
Convert.FromBase64String(encryptedresponse.Value));
_log.Error(content);
}
}
catch
{
//ignore
}
return(default(TClass));
}
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
_log.Error("The Request Was Unauthorized " + request.Resource);
return(default(TClass));
}
if (response.StatusCode == HttpStatusCode.NotFound)
{
_log.Error("Error Retrieving API Response: Not Found " + request.Resource);
return(default(TClass));
}
if (response.ErrorException != null && encKey == null)
{
_log.Error("Error Retrieving API Response: " + response.ErrorException);
return(default(TClass));
}
if (response.Data == null && encKey == null)
{
_log.Error("Response Data Was Null For Resource: " + request.Resource);
return(default(TClass));
}
if (encKey != null)
{
if (response.Headers.Any(t => t.Name.Equals("client_signature")))
{
var firstOrDefault = response.Headers.FirstOrDefault(t => t.Name.Equals("client_signature"));
if (firstOrDefault == null)
{
_log.Error("The Response Signature Is Not Valid For This Device: " + request.Resource);
return(default(TClass));
}
var deviceThumbprint = new ServiceSetting().GetSetting("device_thumbprint");
var deviceCert = ServiceCertificate.GetCertificateFromStore(deviceThumbprint.Value, StoreName.My);
if (deviceCert == null)
{
_log.Error("Could Not Find The Device Certificate: " + request.Resource);
return(default(TClass));
}
var signature = firstOrDefault.Value.ToString();
var encryptedresponse = JsonConvert.DeserializeObject <DtoStringResponse>(response.Content);
if (
!ServiceCertificate.VerifySignature(deviceCert, Convert.FromBase64String(signature),
encryptedresponse.Value))
{
_log.Error("Response Signature Verification Failed: " + request.Resource);
return(default(TClass));
}
var content = new ServiceSymmetricEncryption().Decrypt(encKey,
Convert.FromBase64String(encryptedresponse.Value));
return(JsonConvert.DeserializeObject <TClass>(content));
}
_log.Error("Invalid Reponse, Signature Missing: " + request.Resource);
return(default(TClass));
}
return(response.Data);
}
private EnumProvisionStatus.Status ProvisionStage2()
{
var intermediateThumbprint = _serviceSetting.GetSetting("intermediate_thumbprint");
if (string.IsNullOrEmpty(intermediateThumbprint.Value))
{
//assume stage 1 didn't finish
return(EnumProvisionStatus.Status.NotStarted);
}
var intermediate = ServiceCertificate.GetCertificateFromStore(intermediateThumbprint.Value,
StoreName.CertificateAuthority);
if (intermediate == null)
{
return(EnumProvisionStatus.Status.NotStarted);
}
var key = GenerateSymmKey();
var provisionRequest = new DtoProvisionRequest();
provisionRequest.Name = DtoGobalSettings.ClientIdentity.Name;
provisionRequest.AdGuid = new ServiceAD().GetADGuid(provisionRequest.Name);
provisionRequest.SymmKey = EncryptDataWithIntermediate(intermediate.PublicKey.Key, key);
provisionRequest.InstallationId = DtoGobalSettings.ClientIdentity.InstallationId;
//include some hardware details
Logger.Debug("Gathering Hardware Details");
var inventoryCollection = new DtoInventoryCollection();
new ComputerSystem().Search(inventoryCollection);
new Bios().Search(inventoryCollection);
new Processor().Search(inventoryCollection);
new Nic().Search(inventoryCollection);
try
{
var m = Convert.ToInt64(inventoryCollection.ComputerSystem.TotalPhysicalMemory);
provisionRequest.Memory = Convert.ToInt32(m / 1024 / 1024);
}
catch
{
provisionRequest.Memory = 0;
}
try
{
provisionRequest.Processor = inventoryCollection.Processor.Name;
}
catch
{
provisionRequest.Processor = string.Empty;
}
try
{
provisionRequest.SerialNumber = inventoryCollection.Bios.SerialNumber;
}
catch
{
provisionRequest.SerialNumber = string.Empty;
}
try
{
provisionRequest.Model = inventoryCollection.ComputerSystem.Model;
}
catch
{
provisionRequest.Model = string.Empty;
}
try
{
foreach (var nic in inventoryCollection.NetworkAdapters)
{
provisionRequest.Macs.Add(nic.Mac);
}
}
catch
{
//do nothing
}
inventoryCollection = null;
var response = new APICall().ProvisionApi.ProvisionClient(provisionRequest);
if (response == null)
{
return(EnumProvisionStatus.Status.Error);
}
if (response.ProvisionStatus == EnumProvisionStatus.Status.Reset)
{
Logger.Info("Client Reset Approved. Starting Reset Process.");
return(EnumProvisionStatus.Status.Reset);
}
if (response.ProvisionStatus == EnumProvisionStatus.Status.FullReset)
{
Logger.Info("Client Full Reset Requested. Starting Full Reset Process.");
return(EnumProvisionStatus.Status.FullReset);
}
if (response.ProvisionStatus == EnumProvisionStatus.Status.PendingReset)
{
Logger.Info("Client Is Pending Reset Approval.");
return(EnumProvisionStatus.Status.PendingReset);
}
if (response.ProvisionStatus == EnumProvisionStatus.Status.PendingProvisionApproval)
{
Logger.Info("Client Is Pending Provisioning Approval");
return(EnumProvisionStatus.Status.PendingProvisionApproval);
}
if (response.ProvisionStatus == EnumProvisionStatus.Status.PendingPreProvision)
{
Logger.Info("Client Has Not Been Pre-Provisioned And The Current Security Policy Requires It.");
return(EnumProvisionStatus.Status.PendingPreProvision);
}
if (response.ProvisionStatus != EnumProvisionStatus.Status.PendingConfirmation)
{
return(EnumProvisionStatus.Status.Error);
}
var byteCert = Convert.FromBase64String(response.Certificate);
var base64Cert = new ServiceSymmetricEncryption().Decrypt(key, byteCert);
var deviceCert = new X509Certificate2(Convert.FromBase64String(base64Cert));
if (ServiceCertificate.StoreLocalMachine(deviceCert, StoreName.My))
{
var deviceThumbprint = _serviceSetting.GetSetting("device_thumbprint");
deviceThumbprint.Value = deviceCert.Thumbprint;
_serviceSetting.UpdateSettingValue(deviceThumbprint);
var computerIdentifier = _serviceSetting.GetSetting("computer_identifier");
computerIdentifier.Value = response.ComputerIdentifier;
DtoGobalSettings.ClientIdentity.Guid = response.ComputerIdentifier;
_serviceSetting.UpdateSettingValue(computerIdentifier);
var entropy = _serviceSetting.GetSetting("entropy");
var entropyBytes = ServiceDP.CreateRandomEntropy();
entropy.Value = Convert.ToBase64String(entropyBytes);
_serviceSetting.UpdateSettingValue(entropy);
var encryptedKey = ServiceDP.EncryptData(key, true, entropyBytes);
var keySetting = _serviceSetting.GetSetting("encryption_key");
keySetting.Value = Convert.ToBase64String(encryptedKey);
_serviceSetting.UpdateSettingValue(keySetting);
var settingProvisionStatus = _serviceSetting.GetSetting("provision_status");
settingProvisionStatus.Value = Convert.ToInt16(response.ProvisionStatus).ToString();
_serviceSetting.UpdateSettingValue(settingProvisionStatus);
}
return(EnumProvisionStatus.Status.PendingConfirmation);
}
protected override System.Threading.Tasks.Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, System.Threading.CancellationToken cancellationToken)
{
logId = logId = Guid.NewGuid().ToString("n").Substring(0, 8);
// CATCH THE REQUEST BEFORE SENDING TO THE ROUTING HANDLER
Logger.Debug($"ID: {logId} - Received decryption request for {request.Headers.GetValues("client").FirstOrDefault()} ");
Logger.Debug($"ID: {logId} - Request URI {request.RequestUri} ");
var clientIdentifier = request.Headers.GetValues("identifier").FirstOrDefault();
var encryptedCert = request.Headers.GetValues("device_cert").FirstOrDefault();
byte[] keyBytes = null;
var computerEntity = new ServiceComputer().GetByGuid(clientIdentifier);
if (computerEntity == null)
{
Logger.Debug($"ID: {logId} - Computer With Identity {clientIdentifier} Could Not Be Found.");
}
else
{
var symmKey = new EncryptionServices().DecryptText(computerEntity.SymmKeyEncrypted);
keyBytes = Convert.FromBase64String(symmKey);
var body = request.Content.ReadAsByteArrayAsync().Result;
if (body != null)
{
if (body.Length != 0)
{
var decryptedContent = new ServiceSymmetricEncryption().DecryptAsync(keyBytes, body);
if (decryptedContent.Status != TaskStatus.Faulted)
{
Logger.Debug($"ID: {logId} - Successfully decrypted message body");
request.Content = new StringContent(decryptedContent.Result, Encoding.UTF8, "application/json");
Logger.Debug($"ID: {logId} - Message content: " + decryptedContent.Result);
}
else
{
Logger.Debug($"ID: {logId} - Could not decrypt message body");
}
}
}
var decryptedCert = new ServiceSymmetricEncryption().DecryptAsync(keyBytes,
Convert.FromBase64String(encryptedCert));
request.Headers.Remove("device_cert");
if (decryptedCert.Status != TaskStatus.Faulted)
{
request.Headers.Add("device_cert", decryptedCert.Result);
Logger.Debug($"ID: {logId} - Successfully decrypted device certificate");
Logger.Debug($"ID: {logId} - Checking certificate authorization");
}
else
{
Logger.Debug($"ID: {logId} - Could not decrypt device certificate");
}
}
// SETUP A CALLBACK FOR CATCHING THE RESPONSE - AFTER ROUTING HANDLER, AND AFTER CONTROLLER ACTIVITY
return(base.SendAsync(request, cancellationToken).ContinueWith(
task =>
{
// RETURN THE ORIGINAL RESULT
var response = task.Result;
//Don't encrypt body if trying to download file
if (!request.RequestUri.ToString().EndsWith("GetFile/"))
{
var body = ResponseHandler(task, keyBytes, computerEntity);
if (body != null)
{
response.Content = body;
}
}
return response;
}, cancellationToken));
}
