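// Lazily creates the process-wide CertificateGenerator from the bridge configuration and installs its authority
// certificate into the machine's Root store. Despite the name, an existing generator is left untouched; clearing
// s_certificateGenerator (see OnResourceFolderChanged) is what makes the next call build a fresh one.
//
// context: supplies BridgeConfiguration (certificate password, host/port used to form the CRL URI, validity period).
//          It is dereferenced before the null check, so a null context faults even when a generator already exists.
//
// NOTE(review): s_certificateGenerator is read outside the lock (double-checked locking). That is only sound if the
// field is declared volatile; its declaration is outside this view — confirm.
internal static void ResetCertificateGenerator(ResourceRequestContext context)
        {
            var config = context.BridgeConfiguration;

            if (s_certificateGenerator == null)
            {
                lock (s_certificateHelperLock)
                {
                    if (s_certificateGenerator == null)
                    {
                        var generator = new CertificateGenerator()
                        {
                            CertificatePassword = config.BridgeCertificatePassword,
                            CrlUriBridgeHost = string.Format("http://{0}:{1}", config.BridgeHost, config.BridgePort),
                            CrlUriRelativePath = s_crlUriRelativePath,
                            ValidityPeriod = config.BridgeCertificateValidityPeriod
                        };

                        // Install the authority certificate right away: a caller asking for a generator is about to
                        // run a test that needs certificates issued by it. Publish the generator only after the
                        // install has succeeded, so a failed install leaves s_certificateGenerator null and the next
                        // call retries, instead of handing out a generator whose root the machine does not trust.
                        CertificateManager.InstallCertificateToRootStore(generator.AuthorityCertificate.Certificate);
                        s_certificateGenerator = generator;
                    }
                }
            }
        }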
        // Revokes the certificate with the given serial number on the generator that issued it. Presumably the
        // generator's CRL output reflects the revocation from then on — confirm in CertificateGenerator.
        // Serialized on s_certificateLock, the same lock the create-and-install methods in this class take.
        // Throws ArgumentNullException when certificateGenerator is null; serialNum is forwarded unchecked.
        public static void RevokeCertificate(CertificateGenerator certificateGenerator, string serialNum)
        {
            if (object.ReferenceEquals(certificateGenerator, null))
            {
                throw new ArgumentNullException("certificateGenerator");
            }

            // Hold the class-wide certificate lock so revocation never interleaves with certificate creation.
            lock (s_certificateLock)
            {
                certificateGenerator.RevokeCertificateBySerialNumber(serialNum);
            }
        }
        // Generates, once per process, the machine certificate (Subject = FQDN resolved for 127.0.0.1; SANs = FQDN,
        // short hostname, "localhost") plus a second "PeerTrust" certificate carrying the same names, and installs
        // the issuing authority certificate into the Root store, the machine certificate into My and the peer
        // certificate into TrustedPeople. The machine certificate is cached in s_localCertificate and returned on
        // every later call without touching the generator. Returns the X509Certificate2 itself, not its thumbprint.
        // NOTE(review): the Root store install turns the generated authority into a trust anchor for the whole
        // machine; confirm the teardown path removes it again.
        // Throws ArgumentNullException when certificateGenerator is null.
        public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
        {
            if (certificateGenerator == null)
            {
                throw new ArgumentNullException("certificateGenerator");
            }

            lock (s_certificateLock)
            {
                // Generation is slow; a caller that queued on the lock reuses what the first caller produced.
                if (s_localCertificate == null)
                {
                    Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

                    var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;

                    // Resolve this machine's names from the loopback address; the short name is the first DNS label.
                    string machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
                    string machineShortName = machineFqdn.Split('.')[0];

                    var machineSettings = new CertificateCreationSettings()
                    {
                        FriendlyName            = "WCF Bridge - Machine certificate generated by the CertificateManager",
                        Subject                 = machineFqdn,
                        SubjectAlternativeNames = new string[] { machineFqdn, machineShortName, "localhost" }
                    };
                    var machineCert = certificateGenerator.CreateMachineCertificate(machineSettings).Certificate;

                    // s_myCertificates keys by subject name, so a later certificate for the same subject is not
                    // installed: the first one created is the one that stays.
                    InstallCertificateToRootStore(authorityCert);
                    InstallCertificateToMyStore(machineCert, machineSettings.ValidityType == CertificateValidityType.Valid);
                    s_localCertificate = machineCert;

                    // Second certificate with identical names, installed for peer-trust scenarios.
                    var peerSettings = new CertificateCreationSettings()
                    {
                        FriendlyName            = "WCF Bridge - UserPeerTrustCertificateResource",
                        Subject                 = machineFqdn,
                        SubjectAlternativeNames = new string[] { machineFqdn, machineShortName, "localhost" }
                    };
                    var peerCert = certificateGenerator.CreateMachineCertificate(peerSettings).Certificate;
                    InstallCertificateToTrustedPeopleStore(peerCert, peerSettings.ValidityType == CertificateValidityType.Valid);
                }

                return s_localCertificate;
            }
        }
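        // The default machine certificate covers the common case; this method builds a certificate from
        // caller-supplied settings for the non-default cases (an expired certificate, for example) and installs it.
        // The generator's authority certificate goes into the Root store and the new certificate into the My store,
        // with resourceAddress passed through to InstallCertificateToMyStore; the "valid" flag follows
        // certificateCreationSettings.ValidityType. Nothing is cached: every call generates and installs anew.
        // Returns the newly created X509Certificate2.
        // Throws ArgumentNullException when certificateCreationSettings or certificateGenerator is null
        // (ArgumentNullException derives from ArgumentException, so existing catch blocks still match).
        // NOTE(review): resourceAddress is forwarded unvalidated; how InstallCertificateToMyStore treats a null
        // value is not visible here — confirm.
        public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
        {
            if (certificateCreationSettings == null)
            {
                throw new ArgumentNullException("certificateCreationSettings", "certificateCreationSettings cannot be null as we are creating a non default certificate");
            }

            if (certificateGenerator == null)
            {
                throw new ArgumentNullException("certificateGenerator");
            }

            lock (s_certificateLock)
            {
                Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");

                var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
                var hostCert        = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;
                bool isValid        = certificateCreationSettings.ValidityType == CertificateValidityType.Valid;

                InstallCertificateToRootStore(rootCertificate);
                InstallCertificateToMyStore(hostCert, isValid, resourceAddress);
                return hostCert;
            }
        }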
        // Generates (once) a certificate for this machine — the FQDN resolved for 127.0.0.1, its short hostname and
        // "localhost" — and installs the issuing authority certificate into the Root store and the machine
        // certificate into the My store. The result is cached in s_localCertificate, so later calls return the same
        // X509Certificate2 without using the generator. Returns the certificate itself, not its thumbprint.
        // NOTE(review): the Root store install makes the generated authority a machine-wide trust anchor; confirm
        // the teardown path removes it.
        // Throws ArgumentNullException when certificateGenerator is null.
        public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
        {
            if (certificateGenerator == null)
            {
                throw new ArgumentNullException("certificateGenerator");
            }

            lock (s_certificateLock)
            {
                // Generation is slow; a second caller that waited on the lock must reuse the first one's result.
                if (s_localCertificate != null)
                {
                    return s_localCertificate;
                }

                Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

                // Names come from the loopback address; the short hostname is the first DNS label of the FQDN.
                string machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
                string machineShortName = machineFqdn.Split('.')[0];

                var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;
                var machineCert = certificateGenerator.CreateMachineCertificate(machineFqdn, machineShortName, "localhost").Certificate;

                // s_myCertificates keys by subject name, so a second certificate for this subject would not be
                // installed; the first one created wins.
                InstallCertificateToRootStore(authorityCert);
                InstallCertificateToMyStore(machineCert);
                s_localCertificate = machineCert;

                return s_localCertificate;
            }
        }
 // Event handler for changes to the resource folder: drops the cached CertificateGenerator so the next
 // ResetCertificateGenerator call builds a fresh one from the current configuration. Runs under
 // s_certificateHelperLock, the same lock the lazy-creation path uses. sender and args are unused.
 // NOTE(review): the authority certificate the previous generator installed into the Root store is not removed
 // here — confirm something else cleans it up, or each folder change leaves one more trust anchor behind.
 private static void OnResourceFolderChanged(object sender, EventArgs args)
 {
     bool lockTaken = false;
     try
     {
         System.Threading.Monitor.Enter(s_certificateHelperLock, ref lockTaken);
         s_certificateGenerator = null;
     }
     finally
     {
         if (lockTaken)
         {
             System.Threading.Monitor.Exit(s_certificateHelperLock);
         }
     }
 }
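        // Entry point of the certificate setup tool.
        //   (no arguments) remove certificates left by an earlier run, then generate the bridge authority, default
        //                  machine, scenario (expired / alt-name / canonical-name / revoked) and client certificates,
        //                  install them into the LocalMachine stores and write the CRL to s_CrlFileLocation; exit 0.
        //   -Uninstall     remove the certificates only; exit 0.
        //   -help          print usage; exit 0.
        //   anything else  print usage; exit 1.
        // Switch matching is case-insensitive and ordinal: these are command-line flags, so a culture-aware
        // comparison would only make the match depend on the current locale.
        private static int Main(string[] args)
        {
            ApplyAppSettings();

            if (args.Length > 0)
            {
                if (string.Equals(args[0], "-Uninstall", StringComparison.OrdinalIgnoreCase))
                {
                    UninstallAllCerts();
                    return 0;
                }

                // -help and an unrecognised switch both print usage; only the latter is an error.
                Usage();
                return string.Equals(args[0], "-help", StringComparison.OrdinalIgnoreCase) ? 0 : 1;
            }

            // Start from clean stores so nothing from an earlier run is picked up by the tests.
            UninstallAllCerts();

            // NOTE(review): CertificatePassword is a compile-time literal. That is tolerable only because these are
            // throwaway test certificates; their private keys must not be treated as secret.
            CertificateGenerator certificateGenerate = new CertificateGenerator();
            certificateGenerate.CertificatePassword = "******";
            certificateGenerate.CrlUriBridgeHost = s_fqdn;
            certificateGenerate.ValidityPeriod = s_ValidatePeriod;

            // Presumably the CRL distribution point written into issued certificates:
            // <s_fqdn>[/<s_testserverbase>]/CrlService.svc/GetCrl — confirm in CertificateGenerator.
            if (!string.IsNullOrEmpty(s_testserverbase))
            {
                certificateGenerate.CrlUriRelativePath += "/" + s_testserverbase;
            }
            certificateGenerate.CrlUriRelativePath += "/CrlService.svc/GetCrl";

            // Root (authority) certificate plus the default server certificate.
            CertificateManager.CreateAndInstallLocalMachineCertificates(certificateGenerate);

            // Expired server certificate: a validity window that closed two days ago. The clock is read once so
            // both bounds derive from the same instant.
            DateTime now = DateTime.UtcNow;
            CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - TcpExpiredServerCertResource",
                ValidityType = CertificateValidityType.Expired,
                ValidityNotBefore = now - TimeSpan.FromDays(4),
                ValidityNotAfter = now - TimeSpan.FromDays(2),
                // With several names the first becomes the Subject (CN=fqdn, OU=..., O=...) and all of them become
                // Subject Alternative Names: fqdn, hostname and localhost. One certificate then matches every
                // address a client might use, so a long-running bridge can serve requests addressed to the fqdn
                // and to localhost alike; without "localhost" here those requests would fail the name match.
                Subject = s_fqdn,
                SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
            };
            CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

            // Server certificate whose Subject is bogus but whose alternative names include this machine.
            certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - TcpCertificateWithServerAltNameResource",
                Subject = "not-real-subject-name",
                SubjectAlternativeNames = new string[] { "not-real-subject-name", "not-real-subject-name.example.com", s_fqdn, s_hostname, "localhost" }
            };
            CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

            // Three certificates identified by Subject CN alone (no SANs): short hostname, fqdn and localhost.
            // NonAuthoritativeForMachine presumably marks them as not being the machine's default certificate — confirm.
            certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameDomainNameResource",
                Subject = s_hostname,
                SubjectAlternativeNames = new string[0],
                ValidityType = CertificateValidityType.NonAuthoritativeForMachine
            };
            CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

            certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameFqdnResource",
                Subject = s_fqdn,
                SubjectAlternativeNames = new string[0],
                ValidityType = CertificateValidityType.NonAuthoritativeForMachine
            };
            CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

            certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - TcpCertificateWithSubjectCanonicalNameLocalhostResource",
                Subject = "localhost",
                SubjectAlternativeNames = new string[0],
                ValidityType = CertificateValidityType.NonAuthoritativeForMachine
            };
            CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

            // Server certificate that is issued and then revoked, for CRL-checking scenarios.
            certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - TcpRevokedServerCertResource",
                ValidityType = CertificateValidityType.Revoked,
                Subject = s_fqdn,
                SubjectAlternativeNames = new string[] { s_fqdn, s_hostname, "localhost" }
            };
            CreateAndInstallMachineCertificate(certificateGenerate, certificateCreationSettings);

            // Client certificate: installed into TrustedPeople (presumably so the bridge accepts it under peer
            // trust) and into My (so the test client can present it along with its private key).
            certificateCreationSettings = new CertificateCreationSettings()
            {
                FriendlyName = "WCF Bridge - UserCertificateResource",
                Subject = "WCF Client Certificate",
            };
            X509Certificate2 certificate = certificateGenerate.CreateUserCertificate(certificateCreationSettings).Certificate;
            CertificateManager.AddToStoreIfNeeded(StoreName.TrustedPeople, StoreLocation.LocalMachine, certificate);
            CertificateManager.AddToStoreIfNeeded(StoreName.My, StoreLocation.LocalMachine, certificate);

            // Persist the CRL — which should now list the revoked scenario certificate — presumably where the
            // CRL service picks it up.
            File.WriteAllBytes(s_CrlFileLocation, certificateGenerate.CrlEncoded);

            return 0;
        }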
 // Issues one machine certificate from the supplied settings and adds it to the LocalMachine\My store
 // (AddToStoreIfNeeded presumably skips entries already present — confirm). The authority certificate is not
 // installed here; callers are expected to have done that already. No argument validation: a null
 // certificateGenerate faults with a NullReferenceException at the call.
 private static void CreateAndInstallMachineCertificate(CertificateGenerator certificateGenerate, CertificateCreationSettings certificateCreationSettings)
 {
     CertificateManager.AddToStoreIfNeeded(
         StoreName.My,
         StoreLocation.LocalMachine,
         certificateGenerate.CreateMachineCertificate(certificateCreationSettings).Certificate);
 }
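        // The default machine certificate covers the common case; this method builds a certificate from
        // caller-supplied settings for the non-default cases (an expired certificate, for example) and installs it.
        // The generator's authority certificate goes into the Root store and the new certificate into the My store,
        // with resourceAddress passed through to InstallCertificateToMyStore; the "valid" flag is taken from
        // certificateCreationSettings.IsValidCert. Nothing is cached: every call generates and installs anew.
        // Returns the newly created X509Certificate2.
        // Throws ArgumentNullException when certificateCreationSettings or certificateGenerator is null
        // (ArgumentNullException derives from ArgumentException, so existing catch blocks still match).
        // NOTE(review): resourceAddress is forwarded unvalidated; how InstallCertificateToMyStore treats a null
        // value is not visible here — confirm.
        public static X509Certificate2 CreateAndInstallNonDefaultMachineCertificates(CertificateGenerator certificateGenerator, CertificateCreationSettings certificateCreationSettings, string resourceAddress)
        {
            if (certificateCreationSettings == null)
            {
                throw new ArgumentNullException("certificateCreationSettings", "certificateCreationSettings cannot be null as we are creating a non default certificate");
            }

            if (certificateGenerator == null)
            {
                throw new ArgumentNullException("certificateGenerator");
            }

            lock (s_certificateLock)
            {
                Trace.WriteLine("[CertificateManager] Installing Non default Machine certificates to machine store.");

                var rootCertificate = certificateGenerator.AuthorityCertificate.Certificate;
                var hostCert = certificateGenerator.CreateMachineCertificate(certificateCreationSettings).Certificate;

                InstallCertificateToRootStore(rootCertificate);
                InstallCertificateToMyStore(hostCert, certificateCreationSettings.IsValidCert, resourceAddress);
                return hostCert;
            }
        }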
        // Creates the shared machine certificate on first use and installs it. Its subjects are the FQDN resolved
        // for 127.0.0.1, the first label of that name (short hostname) and "localhost", so one certificate covers
        // every name a client might use to reach this machine. The issuing authority certificate goes into the
        // Root store and the machine certificate into the My store; the result is cached in s_localCertificate and
        // returned on every later call. Returns the X509Certificate2 itself, not its thumbprint.
        // NOTE(review): the Root store install makes the generated authority a machine-wide trust anchor; confirm
        // the teardown path removes it.
        // Throws ArgumentNullException when certificateGenerator is null.
        public static X509Certificate2 CreateAndInstallLocalMachineCertificates(CertificateGenerator certificateGenerator)
        {
            if (certificateGenerator == null)
            {
                throw new ArgumentNullException("certificateGenerator");
            }

            lock (s_certificateLock)
            {
                // Generation is slow; whoever queued on the lock behind the first caller reuses its result.
                if (s_localCertificate == null)
                {
                    Trace.WriteLine("[CertificateManager] Installing Root and Machine certificates to machine store.");

                    var authorityCert = certificateGenerator.AuthorityCertificate.Certificate;

                    string machineFqdn = Dns.GetHostEntry("127.0.0.1").HostName;
                    string[] machineNames = new string[] { machineFqdn, machineFqdn.Split('.')[0], "localhost" };

                    var settings = new CertificateCreationSettings() { Subjects = machineNames };
                    var machineCert = certificateGenerator.CreateMachineCertificate(settings).Certificate;

                    // s_myCertificates keys by subject name: a later certificate for the same subject is not
                    // installed, so the first one created is the one that stays.
                    InstallCertificateToRootStore(authorityCert);
                    InstallCertificateToMyStore(machineCert, settings.IsValidCert);
                    s_localCertificate = machineCert;
                }
            }

            return s_localCertificate;
        }
        // Marks the certificate identified by serialNum as revoked on the issuing generator. Takes s_certificateLock
        // itself — the lock the create-and-install methods in this class also use — so revocation never
        // interleaves with certificate creation. Presumably the generator's CRL output reflects the revocation
        // afterwards — confirm in CertificateGenerator.
        // Throws ArgumentNullException when certificateGenerator is null. serialNum is forwarded as-is.
        public static void RevokeCertificate(CertificateGenerator certificateGenerator, string serialNum)
        {
            if (certificateGenerator != null)
            {
                lock (s_certificateLock)
                {
                    certificateGenerator.RevokeCertificateBySerialNumber(serialNum);
                }
                return;
            }

            throw new ArgumentNullException("certificateGenerator");
        }