private void OnCertRefresh(CertificateOptions cert)
{
if (CloudFoundryInstanceCertificate.TryParse(cert.Certificate, out var cfCert, _logger))
{
_cloudFoundryCertificate = cfCert;
}
}
/// <summary>
/// Returns a <see cref="ConfigServerConfigurationProvider"/> configured using the values from this <see cref="ConfigServerConfigurationSource"/>
/// </summary>
/// <param name="builder">not required</param>
/// <returns>configuration provider</returns>
public virtual IConfigurationProvider Build(IConfigurationBuilder builder)
{
if (Configuration == null)
{
// Create our own builder to build sources
ConfigurationBuilder configBuilder = new ConfigurationBuilder();
foreach (IConfigurationSource s in _sources)
{
configBuilder.Add(s);
}
// Use properties provided
foreach (var p in _properties)
{
configBuilder.Properties.Add(p);
}
// Create configuration
Configuration = configBuilder.Build();
}
var certificateSource = _sources.FirstOrDefault(cSource => cSource is ICertificateSource);
if (certificateSource != null && DefaultSettings.ClientCertificate == null)
{
var certConfigurer = Activator.CreateInstance((certificateSource as ICertificateSource).OptionsConfigurer, Configuration) as IConfigureNamedOptions <CertificateOptions>;
var certOptions = new CertificateOptions();
certConfigurer.Configure(certOptions);
DefaultSettings.ClientCertificate = certOptions.Certificate;
}
return(new ConfigServerConfigurationProvider(this));
}
internal override int TrustAllCertificates(SafeHandle ld, CertificateOptions certificateType)
{
var value = (int)Native.LdapOption.LDAP_OPT_X_TLS_ALLOW;
return(ldap_set_option(new LdapHandle(IntPtr.Zero), (int)Native.LdapOption.LDAP_OPT_X_TLS_REQUIRE_CERT,
ref value));
}
private static X509Certificate2 LoadCertificate(CertificateOptions options)
{
if (options != null)
{
if (options.Store != null && options.Location != null)
{
using (var store = new X509Store(options.Store, Enum.Parse <StoreLocation>(options.Location)))
{
store.Open(OpenFlags.ReadOnly);
var certificate = store.Certificates.Find(
X509FindType.FindBySubjectName,
options.Subject,
validOnly: !options.AllowInvalid);
if (certificate.Count == 0)
{
throw new InvalidOperationException($"Certificate not found for {options.Subject}.");
}
return(certificate[0]);
}
}
if (options.Path != null && options.Password != null)
{
return(new X509Certificate2(options.Path, options.Password));
}
}
throw new InvalidOperationException("No valid certificate configuration found for the current endpoint.");
}
private CertificateOptions DefineCertificateCommand(ArgumentSyntax syntax)
{
var options = new CertificateOptions();
syntax.DefineCommand("cert", ref command, Command.Certificate, "Authorization");
syntax.DefineOption("n|name", ref options.Name, "Friendly name of the cert.");
syntax.DefineOption("dn|distinguished-name", ref options.DistinguishedName, $"The distinguished name of the cert.");
syntax.DefineOptionList("v|value", ref options.Values, $"The distinguished name of the cert.");
syntax.DefineOption("value-path", ref options.ValuesFile, $"The subject alt names.");
syntax.DefineOption("cer|export-cer", ref options.ExportCer, "Path to export PEM cer.");
syntax.DefineOption("export-key", ref options.ExportKey, "Path to export PEM key.");
syntax.DefineOption("pfx|export-pfx", ref options.ExportPfx, "Path to export pfx.");
syntax.DefineOption("revoke", ref options.RevokeCer, "Revoke certificate.");
syntax.DefineOption("pw|password", ref options.Password, "Password for the pfx.");
syntax.DefineOption("full-chain-off", ref options.NoChain, "Skip full cert chain.");
syntax.DefineOption("server", ref options.Server, s => new Uri(s), $"ACME Directory Resource URI. (default: {options.Server})");
syntax.DefineOption("p|path", ref options.Path, $"File path used to load/save the registration. (default: {options.Path})");
syntax.DefineOption("f|force", ref options.Force, $"Force");
return(options);
}
public static X509Certificate2 LoadCertificate(IServiceCollection services)
{
var openIdOptions = services.BuildServiceProvider().GetRequiredService <OIDCAuthorizationServerOptions>();
CertificateOptions options = openIdOptions.SigningCertificate;
if (options != null)
{
if (options.Store != null && options.Location != null)
{
using (var store = new X509Store(options.Store, (StoreLocation)Enum.Parse(typeof(StoreLocation), options.Location)))
{
store.Open(OpenFlags.ReadOnly);
var certificate = store.Certificates.Find(
X509FindType.FindBySubjectName,
options.Subject,
validOnly: !options.AllowInvalid);
if (certificate.Count == 0)
{
throw new InvalidOperationException($"Certificate not found for {options.Subject}.");
}
return(certificate[0]);
}
}
}
throw new InvalidOperationException("No valid certificate configuration found for the current endpoint.");
}
public async Task <Certificate> Select(CertificateOptions certificate)
{
var param = new DynamicParameters();
param.Add("@Number", certificate.Number);
param.Add("@Status", certificate.Status);
param.Add("@Scheme", certificate.Number);
param.Add("@SubScheme", certificate.SubScheme);
param.Add("@CustomerID", certificate.CustomerID);
param.Add("@PremiseID", certificate.PremiseID);
var mapper = new CertificateMapper();
return((await SqlMapper.QueryAsync(_unitOfWork.Connection,
"SelectCertificateFull",
new[]
{
typeof(Certificate),
typeof(Premise),
typeof(Customer)
},
obj =>
{
Certificate ce = obj[0] as Certificate;
Premise pr = obj[1] as Premise;
Customer cu = obj[2] as Customer;
return mapper.Map(ce, pr, cu);
},
param,
splitOn: "PremiseID,CustomerID",
commandType: CommandType.StoredProcedure,
transaction: _unitOfWork.Transaction)).FirstOrDefault());
}
public IOfferInfrastructure FromStore(X509FindType findType, string findValue, Action <IOfferCertificateOptions> options)
{
var certOpt = new CertificateOptions();
options(certOpt);
var certOp = new CertificateFromStoreOperation(findType, findValue, certOpt);
var compositeSequence = _infrastructureSequence.NewCompositeSequence(certOp);
certOp.Configure(new RemoteCompositeBuilder(compositeSequence, _webDeploy));
return(_infrastructureBuilder);
}
/// <summary>
/// Will deploy certificate found by find type and find value from the local certificate store, to remote certificate store on server with provided options.
/// </summary>
/// <param name="findType"></param>
/// <param name="findValue"></param>
/// <param name="options"></param>
/// <returns></returns>
public static IOfferRemoteConfiguration FromStore(this IOfferSslInfrastructure sslInfra, X509FindType findType, string findValue, Action <IOfferCertificateOptions> options)
{
var infraBuilder = ((SslInfrastructureBuilder)sslInfra).InfrastructureBuilder;
var certOpt = new CertificateOptions();
options(certOpt);
var certOp = new CertificateFromStoreOperation(findType, findValue, certOpt);
Configure.Operation(infraBuilder, certOp);
return(infraBuilder);
}
public IOfferInfrastructure FromFile(string path, string password, Action <IOfferCertificateOptions> options)
{
var certOpt = new CertificateOptions();
options(certOpt);
var certOp = new CertificateFromFileOperation(path, password, certOpt);
var compositeSequence = _infrastructureSequence.NewCompositeSequence(certOp);
certOp.Configure(new RemoteCompositeBuilder(compositeSequence, _webDeploy));
return(_infrastructureBuilder);
}
/// <summary>
/// Will deploy certificate from local file path given correct password for private key, and deploy to certificate store on remote server with provided options.
/// </summary>
/// <param name="path"></param>
/// <param name="password"></param>
/// <param name="options"></param>
/// <returns></returns>
public static IOfferRemoteConfiguration FromFile(this IOfferSslInfrastructure sslInfra, string path, string password, Action <IOfferCertificateOptions> options)
{
var infraBuilder = ((SslInfrastructureBuilder)sslInfra).InfrastructureBuilder;
var certOpt = new CertificateOptions();
options(certOpt);
var certOp = new CertificateFromFileOperation(path, password, certOpt);
Configure.Operation(infraBuilder, certOp);
return(infraBuilder);
}
/// <summary>
/// Will deploy certificate from local file path given correct password for private key, and deploy to certificate store on remote server with provided options.
/// </summary>
/// <param name="remoteCert"></param>
/// <param name="path"></param>
/// <param name="password"></param>
/// <param name="options"></param>
/// <returns></returns>
public static IOfferRemoteDeployment FromFile(this IOfferRemoteCertDeployment remoteCert, string path, string password, Action <IOfferCertificateOptions> options)
{
var certOptions = new CertificateOptions();
if (options != null)
{
options(certOptions);
}
var certOp = new CertificateFromFileOperation(path, password, certOptions);
OperationExecutor.Execute((RemoteBuilder)remoteCert, certOp);
return(((RemoteCertDeploymentBuilder)remoteCert).RemoteDeployment);
}
/// <summary>
/// Will deploy certificate found by find type and find value from the local certificate store, to remote certificate store on server with provided options.
/// </summary>
/// <param name="remoteCert"></param>
/// <param name="findType"></param>
/// <param name="findValue"></param>
/// <param name="options"></param>
/// <returns></returns>
public static IOfferRemoteDeployment FromStore(this IOfferRemoteCertDeployment remoteCert, X509FindType findType, string findValue, Action <IOfferCertificateOptions> options)
{
var certOptions = new CertificateOptions();
if (options != null)
{
options(certOptions);
}
var certOp = new CertificateFromStoreOperation(findType, findValue, certOptions);
OperationExecutor.Execute((RemoteBuilder)remoteCert, certOp);
return(((RemoteCertDeploymentBuilder)remoteCert).RemoteDeployment);
}
/// <summary>
/// Will deploy certificate from local file path given correct password for private key, and deploy to certificate store on remote server with provided options.
/// </summary>
/// <param name="path"></param>
/// <param name="password"></param>
/// <param name="options"></param>
/// <returns></returns>
public static IOfferRemoteDeployment FromFile(this IOfferRemoteCertDeployment remoteCert, string path, string password, Action <IOfferCertificateOptions> options)
{
var certOptions = new CertificateOptions();
if (options != null)
{
options(certOptions);
}
var remoteCertBuilder = ((RemoteCertDeploymentBuilder)remoteCert).RemoteDeployment;
var certOp = new CertificateFromFileOperation(path, password, certOptions);
Configure.Operation(remoteCertBuilder, certOp);
return(remoteCertBuilder);
}
public IOfferRemoteDeployment FromStore(X509FindType findType, string findValue, Action <IOfferCertificateOptions> options)
{
var certOptions = new CertificateOptions();
if (options != null)
{
options(certOptions);
}
var certOp = new CertificateFromStoreOperation(findType, findValue, certOptions);
var compositeSequence = _remoteSequence.NewCompositeSequence(certOp);
certOp.Configure(new RemoteCompositeBuilder(compositeSequence, _webDeploy));
return(_remoteDeploymentBuilder);
}
public IOfferRemoteDeployment FromFile(string path, string password, Action <IOfferCertificateOptions> options)
{
var certOptions = new CertificateOptions();
if (options != null)
{
options(certOptions);
}
var certOp = new CertificateFromFileOperation(path, password, certOptions);
var compositeSequence = _remoteSequence.NewCompositeSequence(certOp);
certOp.Configure(new RemoteCompositeBuilder(compositeSequence, _webDeploy));
return(_remoteDeploymentBuilder);
}
internal override int TrustAllCertificates(SafeHandle ld, CertificateOptions certificateType)
{
var sslEnabled = 0;
ThrowIfError(ldap_get_option(ld, (int)Native.LdapOption.LDAP_OPT_SSL, ref sslEnabled),
nameof(ldap_get_option));
if (sslEnabled == 0 && certificateType == CertificateOptions.SslTls)
{
sslEnabled = 1;
ThrowIfError(ldap_set_option(ld, (int)Native.LdapOption.LDAP_OPT_SSL, ref sslEnabled),
nameof(ldap_set_option));
}
return(ldap_set_option(ld, (int)Native.LdapOption.LDAP_OPT_SERVER_CERTIFICATE,
Marshal.GetFunctionPointerForDelegate <VERIFYSERVERCERT>((connection, serverCert) => true)));
}
public void AddPemFiles_ReadsFiles_CreatesCertificate()
{
var config = new ConfigurationBuilder()
.AddPemFiles("instance.crt", "instance.key")
.Build();
Assert.NotNull(config["certificate"]);
Assert.NotNull(config["privateKey"]);
var pemConfig = new PemConfigureCertificateOptions(config);
var opts = new CertificateOptions();
pemConfig.Configure(opts);
Assert.NotNull(opts.Certificate);
Assert.Equal(Microsoft.Extensions.Options.Options.DefaultName, opts.Name);
Assert.True(opts.Certificate.HasPrivateKey);
}
public void ConfigureCertificateOptions_NoPath_NoCertificate()
{
var config = new ConfigurationBuilder()
.AddInMemoryCollection(new Dictionary <string, string> {
{ "certificate", string.Empty }
})
.Build();
Assert.NotNull(config["certificate"]);
var pkcs12Config = new ConfigureCertificateOptions(config);
var opts = new CertificateOptions();
pkcs12Config.Configure(opts);
Assert.Null(opts.Certificate);
Assert.Equal(Microsoft.Extensions.Options.Options.DefaultName, opts.Name);
}
public void ConfigureCertificateOptions_ReadsFile_CreatesCertificate()
{
// Skipped on Mac due to inability to open a PKCS#12 with no password
// https://github.com/dotnet/runtime/issues/23635
var config = new ConfigurationBuilder()
.AddCertificateFile("instance.p12")
.Build();
Assert.NotNull(config["certificate"]);
var pkcs12Config = new ConfigureCertificateOptions(config);
var opts = new CertificateOptions();
pkcs12Config.Configure(opts);
Assert.NotNull(opts.Certificate);
Assert.Equal(Microsoft.Extensions.Options.Options.DefaultName, opts.Name);
Assert.True(opts.Certificate.HasPrivateKey);
}
public StartupCertificateLoader(string named, IServiceProvider sp)
{
_httpChallenge = sp.GetRequiredService <HttpChallenge>();
_certificateValidator = sp.GetRequiredService <ICertificateValidator>();
_accountOptions = sp.GetRequiredService <IOptionsMonitor <AcmeAccountOptions> >().Get(named);
_certificateOptions = sp.GetRequiredService <IOptionsMonitor <CertificateOptions> >().Get(named);
_developmentCertificate = sp.GetRequiredService <DevelopmentCertificate>();
_stores = sp.GetRequiredService <IEnumerable <ICertificateStore> >();
_certificateSelector = sp.GetRequiredService <KestrelCertificateSelector>();
_server = sp.GetRequiredService <IServer>();
_config = sp.GetRequiredService <IConfiguration>();
_logger = sp.GetRequiredService <ILogger <StartupCertificateLoader> >();
}
public async Task <IEnumerable <Certificate> > Select(CertificateOptions options)
{
var param = new DynamicParameters();
param.Add("@Number", options.Number);
param.Add("@Status", options.Status);
param.Add("@Scheme", options.Scheme);
param.Add("@SubScheme", options.SubScheme);
param.Add("@CustomerID", options.CustomerID);
param.Add("@PremiseID", options.PremiseID);
param.Add("@IsDeleted", options.IsDeleted);
return((await SqlMapper.QueryAsync <Certificate>(_unitOfWork.Connection,
"SelectCertificateBasic",
param,
commandType: CommandType.StoredProcedure,
transaction: _unitOfWork.Transaction)).ToList());
}
private async Task <X509Certificate2?> CreateAcmeOrder(
string domainName,
HttpChallenge httpChallenge,
CertificateOptions certificateOptions,
ICertificateStore store,
CancellationToken cancellationToken)
{
var certificateBytes = await httpChallenge.GetCertificateAsync(store.NamedOption, cancellationToken);
if (certificateBytes == null)
{
return(await Task.FromResult <X509Certificate2?>(null));
}
await store.SaveAsync(certificateBytes, domainName, cancellationToken);
#pragma warning disable CA2000 // Dispose objects before losing scope
return(await Task.FromResult(new X509Certificate2(certificateBytes, certificateOptions?.CertificatePassword ?? string.Empty)));
#pragma warning restore CA2000 // Dispose objects before losing scope
}
private async Task <byte[]> AcquireCertificateBytesFromOrderAsync(
IOrderContext order,
AcmeOrderOptions orderOptions,
AcmeAccountOptions accountOptions,
CertificateOptions certificateOptions)
{
_logger.LogInformation("[LetsEncrypt][Certificate] Acquiring certificate through signing request.");
var privateKey = KeyFactory.NewKey((Certes.KeyAlgorithm)orderOptions.KeyAlgorithm);
if (orderOptions?.CertificateSigningRequest == null)
{
var commonName = accountOptions.Domains[0];
_logger.LogDebug("Creating cert for {commonName}", commonName);
var csrInfo = new CsrInfo
{
CommonName = commonName,
};
if (orderOptions != null)
{
orderOptions.CertificateSigningRequest = csrInfo;
}
}
var certificateChain = await order.Generate(orderOptions?.CertificateSigningRequest, privateKey);
var pfxBuilder = certificateChain.ToPfx(privateKey);
pfxBuilder.FullChain = true;
var pfxBytes = pfxBuilder.Build(
$"Let's Encrypt - {accountOptions.Domains[0]} ",
certificateOptions?.CertificatePassword ?? string.Empty);
_logger.LogInformation("[LetsEncrypt][Certificate] Certificate acquired.");
return(pfxBytes);
}
private void RotateCert(CertificateOptions newCert)
{
if (newCert.Certificate == null)
{
return;
}
var personalCertStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
var authorityCertStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser);
personalCertStore.Open(OpenFlags.ReadWrite);
authorityCertStore.Open(OpenFlags.ReadWrite);
if (_lastValue != null)
{
personalCertStore.Certificates.Remove(_lastValue.Certificate);
}
personalCertStore.Certificates.Add(newCert.Certificate);
personalCertStore.Close();
authorityCertStore.Close();
_lastValue = _certificateOptions.CurrentValue;
}
public CertificateFromFileOperation(string path, string password, CertificateOptions certOptions = null)
{
_path = path;
_password = password;
_certOptions = certOptions;
}
public CertificateFromStoreOperation(X509FindType findType, string findValue, CertificateOptions certOptions = null)
{
_findType = findType;
_findValue = findValue;
_certOptions = certOptions;
}
internal abstract int TrustAllCertificates(SafeHandle ld, CertificateOptions certificateType = CertificateOptions.SslTls);
public async Task <bool> Process(string[] args)
{
try
{
ArgumentSyntax.Parse(args, syntax =>
{
syntax.HandleErrors = false;
registerOptions = DefineRegisterCommand(syntax);
authorizationOptions = DefineAuthorizationCommand(syntax);
certificateOptions = DefineCertificateCommand(syntax);
});
}
catch (ArgumentSyntaxException ex)
{
consoleLogger.Error(ex.Message);
}
jsonSettings = new JsonSerializerSettings
{
ContractResolver = new CamelCasePropertyNamesContractResolver(),
NullValueHandling = NullValueHandling.Ignore
};
jsonSettings.Converters.Add(new StringEnumConverter());
#if DEBUG
formatting = Formatting.Indented;
#endif
try
{
switch (command)
{
case Command.Register:
await this.ProcessCommand <RegisterCommand, RegisterOptions>(new RegisterCommand(registerOptions, this.consoleLogger));
break;
case Command.Authorization:
await this.ProcessCommand <AuthorizationCommand, AuthorizationOptions>(new AuthorizationCommand(authorizationOptions, this.consoleLogger));
break;
case Command.Certificate:
await this.ProcessCommand <CertificateCommand, CertificateOptions>(new CertificateCommand(certificateOptions, this.consoleLogger));
break;
}
return(true);
}
catch (AggregateException ex)
{
foreach (var err in ex.InnerExceptions)
{
consoleLogger.Error(err, err.Message);
}
}
catch (Exception ex)
{
consoleLogger.Error(ex, ex.Message);
}
return(false);
}
/// <summary>Constructor.</summary>
/// <exception cref="ArgumentNullException"> Thrown when one or more required arguments are
/// null. </exception>
/// <param name="options"> Options for controlling the operation. </param>
public CertificateCredentialStore(CertificateOptions options)
{
_options = options ?? throw new ArgumentNullException(nameof(options));
}
