private static void ObtainLatestBankCertificates()
{
/*
* This obtains the latest certificates used by the bank.
* They have a finite lifecycle, so they must be renewed a regular interval
* - Root certifiate: 10 years
* - Signing certificate: 2 years
* - Encryption certificate: 2 years
*/
Console.WriteLine("Requesting bank certificates ...");
// Obtain bank certificate
var res = PKIClient.GetBankCertificate();
if (!CheckForError(res))
{
exitProgram(Int32.Parse(res.Error.ReturnCode));
return;
}
Console.WriteLine(" Retrieved new certificates from bank.");
Console.WriteLine("Saving bank certificates ...");
// Save the bank certificates
CertStore.SetCertificate(CertStore.Certificiates.BankRoot, res.Response.GetBankCertificateResponse.BankRootCert);
CertStore.SetCertificate(CertStore.Certificiates.BankEncryption, res.Response.GetBankCertificateResponse.BankEncryptionCert);
CertStore.SetCertificate(CertStore.Certificiates.BankSigning, res.Response.GetBankCertificateResponse.BankSigningCert);
Console.WriteLine(" Bank certificates successfully saved.");
// Instruct the PKIClient to use the new certificates
PKIClient.BankRootCertificate = CertStore.GetCertificate(CertStore.Certificiates.BankRoot);
PKIClient.SetBankCertificates(CertStore.GetCertificate(CertStore.Certificiates.BankEncryption), CertStore.GetCertificate(CertStore.Certificiates.BankSigning));
Console.WriteLine(" Using new bank certificates.");
}
static void Main(string[] args)
{
var client = new PKIClient(Customer_Id);
/*
* Create a software based XML signing strategy
* A custom implementation backed by a hardware security module could be used here instead
*/
SoftwareBasedXmlSigningService xmlSigningStrategy = new SoftwareBasedXmlSigningService();
client.SetXmlSigningService(xmlSigningStrategy);
// Create a utility class for accessing the windows certificate store
var store = new CertStore();
X509Certificate2 rootCert = store.GetCertificate(CertStore.Certificiates.BankRoot);
if (rootCert == null)
{
Console.WriteLine("Bank root certificate was not set in certificate store.");
Console.WriteLine("Please set the correct bank root certificate in the \"DanskeBank.PKIFactory\" store using the friendlyname \"" + CertStore.Certificiates.BankRoot.ToString() + "\".");
Console.ReadLine();
return;
}
// Tell the client proxy to use the loaded root certificate
client.SetBankRootCertificate(rootCert);
#region Obtain bank certificates
/*
* This obtains the latest certificates used by the bank.
* They have a finite lifecycle, so they must be renewed a regular interval
* - Root certifiate: 10 years
* - Signing certificate: 2 years
* - Encryption certificate: 2 years
*/
Console.WriteLine("Requesting bank certificates ...");
// Obtain bank certificate
var res = ObtainLatestBankCertificates(client);
if (res.IsSuccessful)
{
Console.WriteLine(" Retrieved new certificates from bank.");
// Save the bank certificates
Console.WriteLine(" Saving bank certificates ...");
SaveBankCertificates(res.Response, store);
}
// Instruct the client to use the new certificates
client.SetBankCertificates(store.GetCertificate(CertStore.Certificiates.BankEncryption), store.GetCertificate(CertStore.Certificiates.BankSigning));
#endregion
// Determine whether we have already been issued certificates from the bank by querying the key store
bool mustRequestCertificates = store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning) == null ||
store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption) == null;
if (mustRequestCertificates)
{
if (store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption) == null ||
store.GetCertificate(CertStore.Certificiates.ClientGeneratedEncryption) == null)
{
Console.WriteLine("Client generated certificates and private keys were not set in certificate store.");
Console.WriteLine("Please set the encryption and signing certificates in the \"DanskeBank.PKIFactory\" store using the friendlyname names:");
Console.WriteLine(" Signing: \"" + CertStore.Certificiates.ClientGeneratedSigning.ToString() + "\".");
Console.WriteLine(" Encryption: \"" + CertStore.Certificiates.ClientGeneratedEncryption.ToString() + "\".");
Console.ReadLine();
return;
}
Console.WriteLine("Sending certificate signing requests for own certificates ...");
var createCertRes = CreateCertificates(client, Customer_PIN, store);
SaveClientCertificates(createCertRes.Response, store);
}
// Use the (potentially newly) issued certificates
Console.WriteLine("Using certificates issued to client ...");
xmlSigningStrategy.SetClientCertificate(store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning), (RSACryptoServiceProvider)store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey);
// Check status of the certificates we're using
Console.WriteLine("Checking status of own certificates ...");
CertificateStatus(client, store.GetCertificate(CertStore.Certificiates.ClientIssuedSigning));
CertificateStatus(client, store.GetCertificate(CertStore.Certificiates.ClientIssuedEncryption));
/*
* Console.WriteLine("Getting all our own certificates");
* GetOwnCertificiateList(client);
*/
Console.WriteLine("Renewing own certificates");
var renewedCerts = RenewCertificates(client, store);
Console.WriteLine("Using certificates issued to client ...");
xmlSigningStrategy.SetClientCertificate(new X509Certificate2(renewedCerts.SigningCert), (RSACryptoServiceProvider)store.GetCertificate(CertStore.Certificiates.ClientGeneratedSigning).PrivateKey);
// Revoke the newly renew'ed certificates
// Note: Revoking this certificate will force you to request new certificates based on the locally generated ones
// client.RevokeCertificates(KeyGeneratorTypeType.software, new[] { HexToDec(new X509Certificate2(renewedCerts.EncryptionCert).SerialNumber) });
/*
* // Revoke all certificates except our initial ones.
* client.RevokeAllCertificates(KeyGeneratorTypeType.software, new[] {
* new X509Certificate2(ownInitialEncryptionCert).SerialNumber,
* new X509Certificate2(ownInitialigningCert).SerialNumber,
* });
*/
Console.WriteLine("Press enter to close.");
Console.ReadLine();
}