private static RenewCertificateResponse RenewCertificates(PKIClient client, CertStore store)
{
var myLoadedCryptoCert = store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
var myLoadedSigningCert = store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
var myGeneratedCryptoCert = store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption);
var myGeneratedSigningCert = store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning);
// This issues a new set of certificates without revoking the old ones.
var res = client.RenewCertificate(myLoadedSigningCert, myLoadedCryptoCert, KeyGeneratorTypeType.software);
if (!CheckForError(res))
{
return(null);
}
// Read the x509 certificates returned from the server and attach the private keys
X509Certificate2 issuedCryptoCertificate = new X509Certificate2(res.Response.RenewCertificateResponse.EncryptionCert);
X509Certificate2 issuedSigningCertificate = new X509Certificate2(res.Response.RenewCertificateResponse.SigningCert);
// Set the private key on the X509Certificate2 instances, so we can easiliy store them
issuedCryptoCertificate.PrivateKey = myGeneratedCryptoCert.PrivateKey;
issuedSigningCertificate.PrivateKey = myGeneratedSigningCert.PrivateKey;
// Save the newly issued certificates in the certificate store
store.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, issuedCryptoCertificate.Export(X509ContentType.Pkcs12));
store.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, issuedSigningCertificate.Export(X509ContentType.Pkcs12));
return(res.Response.RenewCertificateResponse);
}
private static void CertificateStatus(string[] serials = null)
{
if (serials == null || serials.Length == 0)
{
Console.WriteLine("Checking status of issued certificates ...");
var myEncryptionCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
var mySigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
serials = new string[] { HexToDec(myEncryptionCert.SerialNumber), HexToDec(mySigningCert.SerialNumber) };
}
else
{
Console.WriteLine("Checking status of provided serials certificates ...");
}
var res = PKIClient.CertificateStatus(serials, KeyGeneratorTypeType.software);
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return;
}
foreach (var certStatus in res.Response.CertificateStatusResponse.CertificateStatus)
{
PrintCertInfo(certStatus);
}
}
private static void RevokeCertificates(string[] serials)
{
if (serials == null || serials.Length == 0)
{
var myEncryptionCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
var mySigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
Console.WriteLine("Revoking issued certificates ...");
serials = new string[]
{
HexToDec(myEncryptionCert.SerialNumber),
HexToDec(mySigningCert.SerialNumber)
};
}
else
{
Console.WriteLine("Revoking provided serials certificates ...");
}
var res = PKIClient.RevokeCertificates(KeyGeneratorTypeType.software, serials);
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return;
}
Console.WriteLine(" Revoke was successful.");
}
private static void RevokeAllCertificates(string[] excludedSerials)
{
if (excludedSerials == null || excludedSerials.Length == 0)
{
var myEncryptionCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
var mySigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
Console.WriteLine("Revoking all certificates EXCEPT issued ones ...");
excludedSerials = new string[]
{
HexToDec(myEncryptionCert.SerialNumber),
HexToDec(mySigningCert.SerialNumber)
};
}
else
{
Console.WriteLine("Revoking all not excluded certificates ...");
}
// Revoke all certificates except our initial ones.
var res = PKIClient.RevokeAllCertificates(KeyGeneratorTypeType.software, excludedSerials);
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return;
}
Console.WriteLine(" Revoke was successful.");
}
private static void ObtainLatestBankCertificates()
{
/*
* This obtains the latest certificates used by the bank.
* They have a finite lifecycle, so they must be renewed a regular interval
* - Root certifiate: 10 years
* - Signing certificate: 2 years
* - Encryption certificate: 2 years
*/
Console.WriteLine("Requesting bank certificates ...");
// Obtain bank certificate
var res = PKIClient.GetBankCertificate();
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return;
}
Console.WriteLine(" Retrieved new certificates from bank.");
Console.WriteLine("Saving bank certificates ...");
// Save the bank certificates
CertStore.SetCertificate(CertStore.Certificiates.BankRoot, res.Response.GetBankCertificateResponse.BankRootCert);
CertStore.SetCertificate(CertStore.Certificiates.BankEncryption, res.Response.GetBankCertificateResponse.BankEncryptionCert);
CertStore.SetCertificate(CertStore.Certificiates.BankSigning, res.Response.GetBankCertificateResponse.BankSigningCert);
Console.WriteLine(" Bank certificates successfully saved.");
// Instruct the PKIClient to use the new certificates
PKIClient.BankRootCertificate = CertStore.GetCertificate(CertStore.Certificiates.BankRoot);
PKIClient.SetBankCertificates(CertStore.GetCertificate(CertStore.Certificiates.BankEncryption), CertStore.GetCertificate(CertStore.Certificiates.BankSigning));
Console.WriteLine(" Using new bank certificates.");
}
private static void UseIssuedCertificateForSigning()
{
Console.WriteLine("Using certificates issued to client ...");
var issuedSigningCertificate = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
PKIClient.XmlSigningService.SetClientCertificate(issuedSigningCertificate, (RSACryptoServiceProvider)issuedSigningCertificate.PrivateKey);
Console.WriteLine(" Signing certificate successfully set.");
}
private static void SetBankRootCertificate()
{
X509Certificate2 rootCert = CertStore.GetCertificate(CertStore.Certificiates.BankRoot);
if (rootCert == null)
{
Console.WriteLine("Bank root certificate was not set in certificate store.");
Console.WriteLine("Please set the correct bank root certificate in the \"DanskeBank.PKIFactory\" store using the friendlyname \"" + CertStore.Certificiates.BankRoot.ToString() + "\".");
Console.ReadLine();
exitProgram(1);
return;
}
// Tell the client proxy to use the loaded root certificate
PKIClient.BankRootCertificate = rootCert;
}
private static void SaveClientCertificates(CreateCertificateOutType res, CertStore store)
{
// Read the x509 certificates returned from the server and attach the private keys
X509Certificate2 issuedCryptoCertificate = new X509Certificate2(res.CreateCertificateResponse.EncryptionCert);
X509Certificate2 issuedSigningCertificate = new X509Certificate2(res.CreateCertificateResponse.SigningCert);
// Set the private key on the X509Certificate2 instances, so we can easiliy store them
issuedCryptoCertificate.PrivateKey = store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption).PrivateKey;
issuedSigningCertificate.PrivateKey = store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey;
// The certificate used by the bank for issuing certificates for our signing requests
X509Certificate2 bankCACertificate = new X509Certificate2(res.CreateCertificateResponse.CACert);
// Save the issued certificataes
store.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, issuedCryptoCertificate.Export(X509ContentType.Pkcs12));
store.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, issuedSigningCertificate.Export(X509ContentType.Pkcs12));
}
private static CreateCertificateResponse CreateCertificates()
{
Console.WriteLine("Loading own certificates ...");
var myLoadedCryptoCert = CertStore.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption);
var myLoadedSigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning);
if (myLoadedCryptoCert == null || myLoadedSigningCert == null)
{
Console.WriteLine("Client generated certificates and private keys were not set in certificate CertStore.");
Console.WriteLine("Please set the encryption and signing certificates in the \"DanskeBank.PKIFactory\" CertStore using the friendlyname names:");
Console.WriteLine(" Signing: \"" + CertStore.Certificiates.ClientGeneratedSigning.ToString() + "\".");
Console.WriteLine(" Encryption: \"" + CertStore.Certificiates.ClientGeneratedEncryption.ToString() + "\".");
exitProgram(1);
return(null);
}
Console.WriteLine("Sending certificate signing requests for own certificates ...");
var res = PKIClient.CreateCertificate(myLoadedSigningCert, myLoadedCryptoCert, CustomerPIN, KeyGeneratorTypeType.software);
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return(null);
}
// Read the x509 certificates returned from the server
var issuedCryptoCert = new X509Certificate2(res.Response.CreateCertificateResponse.EncryptionCert);
var issuedSigningCert = new X509Certificate2(res.Response.CreateCertificateResponse.SigningCert);
// Set the private key on the X509Certificate2 instances, so we can easily CertStore them
issuedCryptoCert.PrivateKey = myLoadedCryptoCert.PrivateKey;
issuedSigningCert.PrivateKey = myLoadedSigningCert.PrivateKey;
// Save the issued certificataes
CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, issuedCryptoCert.Export(X509ContentType.Pkcs12));
CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, issuedSigningCert.Export(X509ContentType.Pkcs12));
Console.WriteLine(" Certificates created successfully.");
return(res.Response.CreateCertificateResponse);
}
private static RenewCertificateResponse RenewCertificates()
{
Console.WriteLine("Renewing own certificates ...");
var myIssuedCryptoCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption);
var myIssuedSigningCert = CertStore.GetCertificate(CertStore.Certificiates.ClientIssuedSigning);
// This issues a new set of certificates without revoking the old ones.
var res = PKIClient.RenewCertificate(myIssuedSigningCert, myIssuedCryptoCert, KeyGeneratorTypeType.software);
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return(null);
}
// backup old certificates
CertStore.SetCertificate(CertStore.Certificiates.BackupClientIssuedEncryption, myIssuedCryptoCert.Export(X509ContentType.Pkcs12));
CertStore.SetCertificate(CertStore.Certificiates.BackupClientIssuedSigning, myIssuedSigningCert.Export(X509ContentType.Pkcs12));
// Read the x509 certificates returned from the server and attach the private keys
X509Certificate2 newIssuedCryptoCert = new X509Certificate2(res.Response.RenewCertificateResponse.EncryptionCert);
X509Certificate2 newIssuedSigningCert = new X509Certificate2(res.Response.RenewCertificateResponse.SigningCert);
// Set the private key on the X509Certificate2 instances, so we can easily store them
newIssuedCryptoCert.PrivateKey = myIssuedCryptoCert.PrivateKey;
newIssuedSigningCert.PrivateKey = myIssuedSigningCert.PrivateKey;
// Save the newly issued certificates in the certificate store
CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedEncryption, newIssuedCryptoCert.Export(X509ContentType.Pkcs12));
CertStore.SetCertificate(CertStore.Certificiates.ClientIssuedSigning, newIssuedSigningCert.Export(X509ContentType.Pkcs12));
Console.WriteLine(" Renewal was successful.");
return(res.Response.RenewCertificateResponse);
}
private static WrappedResponse <CreateCertificateOutType> CreateCertificates(PKIClient client, string pin, CertStore store)
{
var myLoadedCryptoCert = store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption);
var myLoadedSigningCert = store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning);
var res = client.CreateCertificate(myLoadedSigningCert, myLoadedCryptoCert, pin, KeyGeneratorTypeType.software);
if (!CheckForError(res))
{
return(null);
}
return(res);
}
private static void SaveBankCertificates(GetBankCertificateOutType certRes, CertStore store)
{
store.SetCertificate(CertStore.Certificiates.BankRoot, certRes.GetBankCertificateResponse.BankRootCert);
store.SetCertificate(CertStore.Certificiates.BankEncryption, certRes.GetBankCertificateResponse.BankEncryptionCert);
store.SetCertificate(CertStore.Certificiates.BankSigning, certRes.GetBankCertificateResponse.BankSigningCert);
}
static void Main(string[] args)
{
var client = new PKIClient(Customer_Id);
/*
* Create a software based XML signing strategy
* A custom implementation backed by a hardware security module could be used here instead
*/
SoftwareBasedXmlSigningService xmlSigningStrategy = new SoftwareBasedXmlSigningService();
client.SetXmlSigningService(xmlSigningStrategy);
// Create a utility class for accessing the windows certificate store
var store = new CertStore();
X509Certificate2 rootCert = store.GetCertificate(CertStore.Certificiates.BankRoot);
if (rootCert == null)
{
Console.WriteLine("Bank root certificate was not set in certificate store.");
Console.WriteLine("Please set the correct bank root certificate in the \"DanskeBank.PKIFactory\" store using the friendlyname \"" + CertStore.Certificiates.BankRoot.ToString() + "\".");
Console.ReadLine();
return;
}
// Tell the client proxy to use the loaded root certificate
client.SetBankRootCertificate(rootCert);
#region Obtain bank certificates
/*
* This obtains the latest certificates used by the bank.
* They have a finite lifecycle, so they must be renewed a regular interval
* - Root certifiate: 10 years
* - Signing certificate: 2 years
* - Encryption certificate: 2 years
*/
Console.WriteLine("Requesting bank certificates ...");
// Obtain bank certificate
var res = ObtainLatestBankCertificates(client);
if (res.IsSuccessful)
{
Console.WriteLine(" Retrieved new certificates from bank.");
// Save the bank certificates
Console.WriteLine(" Saving bank certificates ...");
SaveBankCertificates(res.Response, store);
}
// Instruct the client to use the new certificates
client.SetBankCertificates(store.GetCertificate(CertStore.Certificiates.BankEncryption), store.GetCertificate(CertStore.Certificiates.BankSigning));
#endregion
// Determine whether we have already been issued certificates from the bank by querying the key store
bool mustRequestCertificates = store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning) == null ||
store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption) == null;
if (mustRequestCertificates)
{
if (store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption) == null ||
store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption) == null)
{
Console.WriteLine("Client generated certificates and private keys were not set in certificate store.");
Console.WriteLine("Please set the encryption and signing certificates in the \"DanskeBank.PKIFactory\" store using the friendlyname names:");
Console.WriteLine(" Signing: \"" + CertStore.Certificiates.ClientGeneratedSigning.ToString() + "\".");
Console.WriteLine(" Encryption: \"" + CertStore.Certificiates.ClientGeneratedEncryption.ToString() + "\".");
Console.ReadLine();
return;
}
Console.WriteLine("Sending certificate signing requests for own certificates ...");
var createCertRes = CreateCertificates(client, Customer_PIN, store);
SaveClientCertificates(createCertRes.Response, store);
}
// Use the (potentially newly) issued certificates
Console.WriteLine("Using certificates issued to client ...");
xmlSigningStrategy.SetClientCertificate(store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning), (RSACryptoServiceProvider)store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey);
// Check status of the certificates we're using
Console.WriteLine("Checking status of own certificates ...");
CertificateStatus(client, store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning));
CertificateStatus(client, store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption));
/*
* Console.WriteLine("Getting all our own certificates");
* GetOwnCertificiateList(client);
*/
Console.WriteLine("Renewing own certificates");
var renewedCerts = RenewCertificates(client, store);
Console.WriteLine("Using certificates issued to client ...");
xmlSigningStrategy.SetClientCertificate(new X509Certificate2(renewedCerts.SigningCert), (RSACryptoServiceProvider)store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey);
// Revoke the newly renew'ed certificates
// Note: Revoking this certificate will force you to request new certificates based on the locally generated ones
// client.RevokeCertificates(KeyGeneratorTypeType.software, new[] { HexToDec(new X509Certificate2(renewedCerts.EncryptionCert).SerialNumber) });
/*
* // Revoke all certificates except our initial ones.
* client.RevokeAllCertificates(KeyGeneratorTypeType.software, new[] {
* new X509Certificate2(ownInitialEncryptionCert).SerialNumber,
* new X509Certificate2(ownInitialigningCert).SerialNumber,
* });
*/
Console.WriteLine("Press enter to close.");
Console.ReadLine();
}
public static void Main(string[] args)
{
var curAction = ParseAction(args);
if (curAction == ActionType.HELP)
{
displayHelpText();
exitProgram();
return;
}
// Create client that will perform calls to PKI factory
PKIClient = new PKIClient(CustomerId);
// Create a utility class for accessing the windows certificate store
CertStore = new CertStore();
/*
* Create a software based XML signing strategy
* A custom implementation backed by a hardware security module could be used here instead
*/
PKIClient.XmlSigningService = new SoftwareBasedXmlSigningService();
SetBankRootCertificate();
ObtainLatestBankCertificates();
if (curAction != ActionType.CREATE && curAction != ActionType.NONE)
{
UseIssuedCertificateForSigning();
}
switch (curAction)
{
case ActionType.NONE:
// Do it all
CreateCertificates();
UseIssuedCertificateForSigning();
RenewCertificates();
UseIssuedCertificateForSigning();
CertificateStatus(parseSerials(args));
break;
case ActionType.CREATE:
CreateCertificates();
break;
case ActionType.RENEW:
RenewCertificates();
break;
case ActionType.REVOKE:
// Revoke the specified certificates
// Note: Revoking latest issued certificate will force you to request new certificates based on the locally generated ones
RevokeCertificates(parseSerials(args));
break;
case ActionType.REVOKEALL:
// Revoke all certificates except with serials provided
// Note: Revoking latest issued certificate will force you to request new certificates based on the locally generated ones
RevokeAllCertificates(parseSerials(args));
break;
case ActionType.STATUS:
CertificateStatus(parseSerials(args));
break;
case ActionType.STATUSALL:
AllCertificiateStatus();
break;
}
exitProgram();
}
