public static void ProvisionKeyInPrincipalDatabase(
BigIntegerRSAPublicKey serverPublicKey,
string host,
int port,
BigIntegerRSAPublicKey keyToProvision,
X509Certificate2 clientCert)
{
var aclDatabaseEntity = new BogusAuthorizeCouchDocument(keyToProvision);
var couchClient = GetCouchClient(serverPublicKey, host, port, clientCert);
var principalDatabase = couchClient.GetDatabase(ThaliCryptoUtilities.KeyDatabaseName);
var getResult =
principalDatabase.GetDocument(
BogusAuthorizeCouchDocument.GenerateRsaKeyId(keyToProvision));
if (getResult == null)
{
var createResult = principalDatabase.CreateDocument(aclDatabaseEntity);
if (createResult.StatusCode < 200 || createResult.StatusCode > 299)
{
throw new ApplicationException("Could not successfully put client's credentials in ACL Store: " + createResult.StatusCode);
}
}
}
private static BigIntegerRSAPublicKey ThaliServerCertificateValidationCallback(
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (certificate == null || (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
{
throw new ApplicationException();
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
const X509ChainStatusFlags AcceptableCertChainErrors = X509ChainStatusFlags.UntrustedRoot
| X509ChainStatusFlags.RevocationStatusUnknown
| X509ChainStatusFlags.OfflineRevocation
| X509ChainStatusFlags.NoError;
if (
chain.ChainStatus.Any(
chainStatus => (chainStatus.Status | AcceptableCertChainErrors) != AcceptableCertChainErrors))
{
throw new ApplicationException();
}
}
// TODO: Actually prove that the last entry in the chain is the root
var x509Certv2 = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
var serverPublicKeyParameters =
((RSACryptoServiceProvider)x509Certv2.PublicKey.Key).ExportParameters(false);
var serverPresentedRsaKey = new BigIntegerRSAPublicKey(serverPublicKeyParameters);
return(serverPresentedRsaKey);
}
/// <summary>
/// Creates a HttpKeyUri
/// </summary>
/// <param name="serverPublicKey"></param>
/// <param name="host"></param>
/// <param name="port"></param>
/// <param name="absolutePath">Expected to start with a /</param>
/// <param name="extraValue">Queries should start with ? and fragments with #</param>
/// <returns></returns>
public static HttpKeyUri BuildHttpKeyUri(BigIntegerRSAPublicKey serverPublicKey, string host, int port, string absolutePath, string extraValue)
{
Debug.Assert(string.IsNullOrWhiteSpace(host) == false && (string.IsNullOrEmpty(absolutePath) || absolutePath[0] == '/'));
var modulusAndExponent = serverPublicKey.GetModulusAndExponentAsString();
string httpKeyAbsolutePath = "/" + RsaKeyType + ":" + modulusAndExponent.Item2 + "." + modulusAndExponent.Item1 + absolutePath;
return new HttpKeyUri(new UriBuilder(HttpKeySchemeName, host, port, httpKeyAbsolutePath, extraValue).ToString());
}
public static CouchClient GetCouchClient(BigIntegerRSAPublicKey serverPublicKey, string host, int port, X509Certificate2 clientCert)
{
var configWebRequest = new ThaliConfigWebRequest(serverPublicKey, clientCert);
return(new CouchClient(
host, port, null, null, true, AuthenticationType.Cookie, configWebRequest));
}
/// <summary>
/// Creates a HttpKeyUri
/// </summary>
/// <param name="serverPublicKey"></param>
/// <param name="host"></param>
/// <param name="port"></param>
/// <param name="absolutePath">Expected to start with a /</param>
/// <param name="extraValue">Queries should start with ? and fragments with #</param>
/// <returns></returns>
public static HttpKeyUri BuildHttpKeyUri(BigIntegerRSAPublicKey serverPublicKey, string host, int port, string absolutePath, string extraValue)
{
Debug.Assert(string.IsNullOrWhiteSpace(host) == false && (string.IsNullOrEmpty(absolutePath) || absolutePath[0] == '/'));
var modulusAndExponent = serverPublicKey.GetModulusAndExponentAsString();
string httpKeyAbsolutePath = "/" + RsaKeyType + ":" + modulusAndExponent.Item2 + "." + modulusAndExponent.Item1 + absolutePath;
return(new HttpKeyUri(new UriBuilder(HttpKeySchemeName, host, port, httpKeyAbsolutePath, extraValue).ToString()));
}
public BogusAuthorizeCouchDocument(BigIntegerRSAPublicKey publicKey)
{
Id = GenerateRsaKeyId(publicKey);
var modulusAndExponent = publicKey.GetModulusAndExponentAsString();
modulus = modulusAndExponent.Item1;
exponent = modulusAndExponent.Item2;
keyType = RSAKeyType;
}
public BogusAuthorizeCouchDocument(BigIntegerRSAPublicKey publicKey)
{
Id = GenerateRsaKeyId(publicKey);
var modulusAndExponent = publicKey.GetModulusAndExponentAsString();
modulus = modulusAndExponent.Item1;
exponent = modulusAndExponent.Item2;
keyType = RSAKeyType;
}
protected HttpKeyUri(string httpKeyUrlString)
: base(httpKeyUrlString)
{
if (HttpKeySchemeName.Equals(this.Scheme, StringComparison.Ordinal) == false)
{
throw new ArgumentException("Scheme must be" + HttpKeySchemeName + " and not " + this.Scheme);
}
var publicKeyAndPath = ExtractKeyAndPath(this.AbsolutePath);
this.ServerPublicKey = GenerateServerPublicKey(publicKeyAndPath.Item1);
this.PathWithoutPublicKey = publicKeyAndPath.Item2;
}
/// <summary>
/// Generates a server certificate validator for web requests involving Thali servers
/// </summary>
/// <param name="expectedServerRsaKey"></param>
/// <returns></returns>
private static RemoteCertificateValidationCallback ServerCertificateValidationCallbackGenerator(
BigIntegerRSAPublicKey expectedServerRsaKey)
{
return((sender, certificate, chain, sslPolicyErrors) =>
{
var serverPresentedRsaKey = ThaliServerCertificateValidationCallback(
certificate,
chain,
sslPolicyErrors);
return serverPresentedRsaKey.Equals(expectedServerRsaKey);
});
}
protected HttpKeyUri(string httpKeyUrlString)
: base(httpKeyUrlString)
{
if (HttpKeySchemeName.Equals(this.Scheme, StringComparison.Ordinal) == false)
{
throw new ArgumentException("Scheme must be" + HttpKeySchemeName + " and not " + this.Scheme);
}
var publicKeyAndPath = ExtractKeyAndPath(this.AbsolutePath);
this.ServerPublicKey = GenerateServerPublicKey(publicKeyAndPath.Item1);
this.PathWithoutPublicKey = publicKeyAndPath.Item2;
}
public void TestKeyStoreMethods()
{
var keyPair = ThaliCryptoUtilities.GenerateThaliAcceptablePublicPrivateKeyPair();
var keyStoreBinary = ThaliCryptoUtilities.CreatePKCS12KeyStoreWithPublicPrivateKeyPair(keyPair, ThaliCryptoUtilities.DefaultPassPhrase);
var x509cert = ThaliCryptoUtilities.GetX509Certificate(keyStoreBinary, ThaliCryptoUtilities.DefaultPassPhrase);
var retrievedKeyParams = ((RSACryptoServiceProvider)x509cert.PrivateKey).ExportParameters(true);
var originalBigIntegerRsaPublicKey = new BigIntegerRSAPublicKey((RsaKeyParameters)keyPair.Public);
var retrievedBigIntegerRsaPublicKey = new BigIntegerRSAPublicKey(retrievedKeyParams);
Assert.IsTrue(originalBigIntegerRsaPublicKey.Equals(retrievedBigIntegerRsaPublicKey));
var originalKeyParams = (RsaPrivateCrtKeyParameters)keyPair.Private;
Assert.IsTrue(
originalKeyParams.DP.Equals(new BigInteger(1, retrievedKeyParams.DP))
&& originalKeyParams.DQ.Equals(new BigInteger(1, retrievedKeyParams.DQ))
&& originalKeyParams.P.Equals(new BigInteger(1, retrievedKeyParams.P))
&& originalKeyParams.Q.Equals(new BigInteger(1, retrievedKeyParams.Q)));
}
/// <summary>
/// Connects to a server and returns its root public key value.
/// </summary>
/// <param name="host">Server's host, an IP or DNS address</param>
/// <param name="port">Server's port</param>
/// <param name="clientCertificate">A, possibly null, cert to use to authenticate the client</param>
/// <returns>Returns the server key if it can be retrieved, otherwise throw an exception</returns>
public static BigIntegerRSAPublicKey GetServersRootPublicKey(string host, int port, X509Certificate2 clientCertificate)
{
Debug.Assert(string.IsNullOrWhiteSpace(host) == false && port >= MinimumTCPPortValue && port <= MaximumTCPPortValue);
var serverUri = new UriBuilder(HttpsScheme, host, port).Uri;
var httpWebRequest = WebRequest.CreateHttp(serverUri);
BigIntegerRSAPublicKey serverRsaPublicKey = null;
httpWebRequest.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
{
serverRsaPublicKey = ThaliServerCertificateValidationCallback(certificate, chain, sslPolicyErrors);
return(true);
};
if (clientCertificate != null)
{
httpWebRequest.ClientCertificates.Add(clientCertificate);
}
httpWebRequest.Method = "GET";
httpWebRequest.GetResponse().Close();
return(serverRsaPublicKey);
}
public ThaliConfigWebRequest(BigIntegerRSAPublicKey serverKey, X509Certificate2 clientCert)
{
Debug.Assert(clientCert != null);
this.serverKey = serverKey;
this.clientCert = clientCert;
}
public Boolean Equals(BigIntegerRSAPublicKey value)
{
return this.modulus.Equals(value.modulus) && this.exponent.Equals(value.exponent);
}
/// <summary>
/// Enterprise in the public key database MUST have IDs of the following form of their entries won't be found
/// when the server does a lookup
/// </summary>
/// <param name="publicKey"></param>
/// <returns></returns>
public static string GenerateRsaKeyId(BigIntegerRSAPublicKey publicKey)
{
var modulusAndExponent = publicKey.GetModulusAndExponentAsString();
return RSAKeyType + ":" + modulusAndExponent.Item1 + ":" + modulusAndExponent.Item2;
}
/// <summary>
/// Generates a server certificate validator for web requests involving Thali servers
/// </summary>
/// <param name="expectedServerRsaKey"></param>
/// <returns></returns>
private static RemoteCertificateValidationCallback ServerCertificateValidationCallbackGenerator(
BigIntegerRSAPublicKey expectedServerRsaKey)
{
return (sender, certificate, chain, sslPolicyErrors) =>
{
var serverPresentedRsaKey = ThaliServerCertificateValidationCallback(
certificate,
chain,
sslPolicyErrors);
return serverPresentedRsaKey.Equals(expectedServerRsaKey);
};
}
public Boolean Equals(BigIntegerRSAPublicKey value)
{
return(this.modulus.Equals(value.modulus) && this.exponent.Equals(value.exponent));
}
private static BigIntegerRSAPublicKey ThaliServerCertificateValidationCallback(
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (certificate == null || (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
{
throw new ApplicationException();
}
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
const X509ChainStatusFlags AcceptableCertChainErrors = X509ChainStatusFlags.UntrustedRoot
| X509ChainStatusFlags.RevocationStatusUnknown
| X509ChainStatusFlags.OfflineRevocation
| X509ChainStatusFlags.NoError;
if (
chain.ChainStatus.Any(
chainStatus => (chainStatus.Status | AcceptableCertChainErrors) != AcceptableCertChainErrors))
{
throw new ApplicationException();
}
}
// TODO: Actually prove that the last entry in the chain is the root
var x509Certv2 = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
var serverPublicKeyParameters =
((RSACryptoServiceProvider)x509Certv2.PublicKey.Key).ExportParameters(false);
var serverPresentedRsaKey = new BigIntegerRSAPublicKey(serverPublicKeyParameters);
return serverPresentedRsaKey;
}
public bool Equals(BigIntegerRSAPublicKey value)
{
return this.Modulus.Equals(value.Modulus) && this.Exponent.Equals(value.Exponent);
}
public static void ProvisionThaliClient(BigIntegerRSAPublicKey serverPublicKey, string host, int port, X509Certificate2 clientCert)
{
var clientPublicKey = new BigIntegerRSAPublicKey(clientCert);
ProvisionKeyInPrincipalDatabase(serverPublicKey, host, port, clientPublicKey, clientCert);
}
public ThaliConfigWebRequest(BigIntegerRSAPublicKey serverKey, X509Certificate2 clientCert)
{
Debug.Assert(clientCert != null);
this.serverKey = serverKey;
this.clientCert = clientCert;
}
public static CouchClient GetCouchClient(BigIntegerRSAPublicKey serverPublicKey, string host, int port, X509Certificate2 clientCert)
{
var configWebRequest = new ThaliConfigWebRequest(serverPublicKey, clientCert);
return new CouchClient(
host, port, null, null, true, AuthenticationType.Cookie, configWebRequest);
}
/// <summary>
/// Enterprise in the public key database MUST have IDs of the following form of their entries won't be found
/// when the server does a lookup
/// </summary>
/// <param name="publicKey"></param>
/// <returns></returns>
public static string GenerateRsaKeyId(BigIntegerRSAPublicKey publicKey)
{
var modulusAndExponent = publicKey.GetModulusAndExponentAsString();
return(RSAKeyType + ":" + modulusAndExponent.Item1 + ":" + modulusAndExponent.Item2);
}
public static void ProvisionThaliClient(BigIntegerRSAPublicKey serverPublicKey, string host, int port, X509Certificate2 clientCert)
{
var clientPublicKey = new BigIntegerRSAPublicKey(clientCert);
ProvisionKeyInPrincipalDatabase(serverPublicKey, host, port, clientPublicKey, clientCert);
}
public bool Equals(BigIntegerRSAPublicKey value)
{
return(this.Modulus.Equals(value.Modulus) && this.Exponent.Equals(value.Exponent));
}
public static void ProvisionKeyInPrincipalDatabase(
BigIntegerRSAPublicKey serverPublicKey,
string host,
int port,
BigIntegerRSAPublicKey keyToProvision,
X509Certificate2 clientCert)
{
var aclDatabaseEntity = new BogusAuthorizeCouchDocument(keyToProvision);
var couchClient = GetCouchClient(serverPublicKey, host, port, clientCert);
var principalDatabase = couchClient.GetDatabase(ThaliCryptoUtilities.KeyDatabaseName);
var getResult =
principalDatabase.GetDocument(
BogusAuthorizeCouchDocument.GenerateRsaKeyId(keyToProvision));
if (getResult == null)
{
var createResult = principalDatabase.CreateDocument(aclDatabaseEntity);
if (createResult.StatusCode < 200 || createResult.StatusCode > 299)
{
throw new ApplicationException("Could not successfully put client's credentials in ACL Store: " + createResult.StatusCode);
}
}
}
