internal static bool TryGetStepOne(
            X509 currentCerts,
            X509 targetCerts,
            CertificateClusterUpgradeStep previousStep,
            out CertificateClusterUpgradeStep step)
        {
            // Step 1 of the certificate rollover: widen the white list with every
            // thumbprint and every common name / issuer that the target config adds.
            // The load and FileStoreService lists stay on the current certs, so nothing
            // is trusted for loading yet - only the allow-list grows.
            // 'step' stays null when the target adds nothing; the method still reports
            // success so the flow can continue with the next step. 'previousStep' is
            // not consulted here, step 1 has no predecessor.
            step = null;

            var knownThumbprints = CertificateClusterUpgradeFlow.GetThumbprints(currentCerts.ClusterCertificate);
            var addedThumbprints = CertificateClusterUpgradeFlow.GetAddedThumbprints(
                currentCerts.ClusterCertificate,
                targetCerts.ClusterCertificate);
            var knownCns = CertificateClusterUpgradeFlow.GetCns(currentCerts.ClusterCertificateCommonNames);
            var addedCnsAndIssuers = CertificateClusterUpgradeFlow.GetAddedCnsAndIssuers(
                currentCerts.ClusterCertificateCommonNames,
                targetCerts.ClusterCertificateCommonNames);

            bool nothingAdded = !addedThumbprints.Any() && !addedCnsAndIssuers.Any();
            if (nothingAdded)
            {
                return true;
            }

            // fresh list: the current white list plus the additions, in that order
            var thumbprintWhiteList = new List<string>(knownThumbprints);
            thumbprintWhiteList.AddRange(addedThumbprints);

            step = new CertificateClusterUpgradeStep(
                thumbprintWhiteList: thumbprintWhiteList,
                thumbprintLoadList: currentCerts.ClusterCertificate,
                thumbprintFileStoreSvcList: currentCerts.ClusterCertificate,
                commonNameWhiteList: CertificateClusterUpgradeFlow.MergeCnsAndIssuers(knownCns, addedCnsAndIssuers),
                commonNameLoadList: currentCerts.ClusterCertificateCommonNames,
                commonNameFileStoreSvcList: currentCerts.ClusterCertificateCommonNames);

            return true;
        }
        internal static int GetChangedThumbprintCount(CertificateDescription currentCerts, CertificateDescription targetCerts)
        {
            // Number of cluster-certificate thumbprints that differ between the current
            // and the target description, as counted by GetChangedCertCount in thumbprint mode.
            var before = CertificateClusterUpgradeFlow.GetThumbprints(currentCerts);
            var after = CertificateClusterUpgradeFlow.GetThumbprints(targetCerts);

            return CertificateClusterUpgradeFlow.GetChangedCertCount(before, after, isThumbprint: true);
        }
        internal static int GetChangedCnCount(ServerCertificateCommonNames currentCerts, ServerCertificateCommonNames targetCerts)
        {
            // Number of cluster-certificate common names that differ between the current
            // and the target set. Only the CN keys are compared; issuer values are ignored
            // here because GetChangedCertCount is handed the key lists alone.
            var before = new List<string>(CertificateClusterUpgradeFlow.GetCns(currentCerts).Keys);
            var after = new List<string>(CertificateClusterUpgradeFlow.GetCns(targetCerts).Keys);

            return CertificateClusterUpgradeFlow.GetChangedCertCount(before, after, isThumbprint: false);
        }
        public ClusterManifestType[] UpdateCertificateInClusterManifest(
            ClusterManifestType existingClusterManifest,
            Security currentSecurity,
            FabricSettingsMetadata currentFabricSettingsMetadata)
        {
            // Produces one cluster manifest per certificate upgrade step. Each manifest
            // is derived from the one produced by the step before it (the first from
            // the existing manifest), and each gets a fresh version from the
            // VersionGenerator, so the returned array is ordered for sequential rollout.
            // An empty upgrade flow yields an empty array.
            List<NodeDescription> seedNodes = this.OnGetExistingSeedNodes(existingClusterManifest);

            List<CertificateClusterUpgradeStep> steps = CertificateClusterUpgradeFlow.GetUpgradeFlow(
                currentSecurity.CertificateInformation,
                this.TargetCsmConfig.Security.CertificateInformation);

            var manifests = new ClusterManifestType[steps.Count];
            ClusterManifestType baseline = existingClusterManifest;
            int index = 0;
            foreach (CertificateClusterUpgradeStep upgradeStep in steps)
            {
                // the manifest from this step becomes the baseline for the next one
                baseline = this.UpdateClusterManifest(
                    baseline,
                    currentFabricSettingsMetadata,
                    this.VersionGenerator.GetNextClusterManifestVersion(),
                    upgradeStep,
                    seedNodes);
                manifests[index] = baseline;
                index++;
            }

            return manifests;
        }
        internal static bool TryGetStepTwo(
            X509 currentCerts,
            X509 targetCerts,
            CertificateClusterUpgradeStep previousStep,
            out CertificateClusterUpgradeStep step)
        {
            // Step 2 of the certificate rollover:
            //   white list - carried over from the previous step, or rebuilt from the
            //                current certs when there is no previous step
            //   load list  - the target certs replace the current ones outright
            //   FSS list   - chosen by how many thumbprints / common names changed and
            //                in which direction (see the branches below)
            // Returns false when the flow is complete after this step (a single cert
            // add) and true when a further step is still required. Throws
            // NotSupportedException when the combined change count is outside 1..4.
            int thumbprintChanges = CertificateClusterUpgradeFlow.GetChangedThumbprintCount(currentCerts.ClusterCertificate, targetCerts.ClusterCertificate);
            int cnChanges         = CertificateClusterUpgradeFlow.GetChangedCnCount(currentCerts.ClusterCertificateCommonNames, targetCerts.ClusterCertificateCommonNames);

            // "added" when going from target back to current == removed from current to target
            List<string> droppedThumbprints = CertificateClusterUpgradeFlow.GetAddedThumbprints(targetCerts.ClusterCertificate, currentCerts.ClusterCertificate);
            List<string> droppedCns         = CertificateClusterUpgradeFlow.GetAddedCns(targetCerts.ClusterCertificateCommonNames, currentCerts.ClusterCertificateCommonNames);

            CertificateDescription       fssThumbprints  = null;
            ServerCertificateCommonNames fssCommonNames  = null;
            bool moreStepsNeeded = true;

            int totalChanges = thumbprintChanges + cnChanges;
            if (totalChanges == 1)
            {
                bool isRemoval = droppedThumbprints.Any() || droppedCns.Any();
                if (isRemoval)
                {
                    // one cert removed: FileStoreService keeps trusting the current set
                    fssThumbprints = currentCerts.ClusterCertificate;
                    fssCommonNames = currentCerts.ClusterCertificateCommonNames;
                }
                else
                {
                    // one cert added: FileStoreService moves to the target set and the flow ends here
                    fssThumbprints = targetCerts.ClusterCertificate;
                    fssCommonNames = targetCerts.ClusterCertificateCommonNames;
                    moreStepsNeeded = false;
                }
            }
            else if (totalChanges == 2)
            {
                if (CertificateClusterUpgradeFlow.IsSwap(currentCerts.ClusterCertificate, targetCerts.ClusterCertificate))
                {
                    // primary/secondary swap
                    // NOTE(review): both slots are filled with the current primary thumbprint;
                    // confirm this is intended rather than the current secondary for the second slot.
                    fssThumbprints = new CertificateDescription()
                    {
                        Thumbprint          = currentCerts.ClusterCertificate.Thumbprint,
                        ThumbprintSecondary = currentCerts.ClusterCertificate.Thumbprint,
                        X509StoreName       = currentCerts.ClusterCertificate.X509StoreName,
                    };
                }
                else if (thumbprintChanges == 2)
                {
                    // one thumbprint replaced by another: trust old + new during the transition
                    fssThumbprints = new CertificateDescription()
                    {
                        Thumbprint          = currentCerts.ClusterCertificate.Thumbprint,
                        ThumbprintSecondary = targetCerts.ClusterCertificate.Thumbprint,
                        X509StoreName       = currentCerts.ClusterCertificate.X509StoreName,
                    };
                }
                else if (cnChanges == 2)
                {
                    // one common name replaced by another: trust old + new during the transition
                    // (reads index [0] of both lists - assumes each has at least one entry; TODO confirm)
                    fssCommonNames = new ServerCertificateCommonNames()
                    {
                        CommonNames = new List<CertificateCommonNameBase>()
                        {
                            currentCerts.ClusterCertificateCommonNames.CommonNames[0],
                            targetCerts.ClusterCertificateCommonNames.CommonNames[0]
                        },
                        X509StoreName = currentCerts.ClusterCertificateCommonNames.X509StoreName
                    };
                }
                else
                {
                    // one thumbprint exchanged for one common name, or the reverse
                    CertificateClusterUpgradeFlow.GetFileStoreSvcListForCertTypeChange(
                        currentCerts,
                        targetCerts,
                        out fssThumbprints,
                        out fssCommonNames);
                }
            }
            else if (totalChanges == 3 || totalChanges == 4)
            {
                // cert-type change with two entries on at least one side:
                // 1 thumbprint <-> 2 cns, 2 thumbprints <-> 1 cn, or 2 thumbprints <-> 2 cns
                CertificateClusterUpgradeFlow.GetFileStoreSvcListForCertTypeChange(
                    currentCerts,
                    targetCerts,
                    out fssThumbprints,
                    out fssCommonNames);
            }
            else
            {
                throw new NotSupportedException(string.Format("It's not supported that {0} certificate thumbprints and {1} certificate common names have changed", thumbprintChanges, cnChanges));
            }

            // the white lists are inherited from step 1 when it produced a step,
            // otherwise they are rebuilt from what the cluster trusts today
            var thumbprintWhiteList = previousStep == null
                ? CertificateClusterUpgradeFlow.GetThumbprints(currentCerts.ClusterCertificate)
                : previousStep.ThumbprintWhiteList;
            var commonNameWhiteList = previousStep == null
                ? CertificateClusterUpgradeFlow.GetCns(currentCerts.ClusterCertificateCommonNames)
                : previousStep.CommonNameWhiteList;

            step = new CertificateClusterUpgradeStep(
                thumbprintWhiteList: thumbprintWhiteList,
                thumbprintLoadList: targetCerts.ClusterCertificate,
                thumbprintFileStoreSvcList: fssThumbprints,
                commonNameWhiteList: commonNameWhiteList,
                commonNameLoadList: targetCerts.ClusterCertificateCommonNames,
                commonNameFileStoreSvcList: fssCommonNames);

            return moreStepsNeeded;
        }