public CreatePrivateCertificateResult CreateCertificateWithPrivateKey(CreatePrivateCertificateModel model, ClaimsPrincipal user) { model.RequestDate = DateTime.Now; KeyUsage keyUsage = dataTransformation.ParseKeyUsage(model.KeyUsage); AdcsTemplate template = templateLogic.DiscoverTemplate(model.CipherAlgorithm, model.Provider, keyUsage); if (!templateLogic.ValidateTemplateWithRequest(model, template)) { throw new AdcsTemplateValidationException("Certificate request does not meet the requirements of the certificate template"); } if (authorizationLogic.IsAuthorized(template, user)) { CertificateRequest csr = certificateProvider.CreateCsrKeyPair(dataTransformation.NewCertificateSubjectFromModel(model), model.CipherAlgorithm, model.KeySize, model.Provider, SigningRequestProtocol.Pkcs10); MicrosoftCertificateAuthority ca = configurationRepository.GetPrivateCertificateAuthority(model.HashAlgorithm); CertificateAuthorityRequestResponse response = ca.Sign(csr, template.Name, template.KeyUsage); CreatePrivateCertificateResult result = ProcessCertificateAuthorityResponse(model, response, csr.Subject, user); this.Audit(result, user); return(result); } else { return(ProcessNewPendingCertificateWorkflow(model)); } }
public CreatePrivateCertificateResult IssuePendingCertificate(Guid id, ClaimsPrincipal user) { PendingCertificate pendingCertificate = certificateRepository.Get <PendingCertificate>(id); KeyUsage keyUsage = dataTransformation.ParseKeyUsage(pendingCertificate.KeyUsage); AdcsTemplate template = templateLogic.DiscoverTemplate(pendingCertificate.CipherAlgorithm, pendingCertificate.Provider, keyUsage); if (authorizationLogic.IsAuthorized(template, user)) { CertificateRequest csr = certificateProvider.CreateCsrKeyPair(dataTransformation.NewCertificateSubjectFromModel(pendingCertificate), pendingCertificate.CipherAlgorithm, pendingCertificate.KeySize, pendingCertificate.Provider, SigningRequestProtocol.Pkcs10); MicrosoftCertificateAuthority ca = configurationRepository.GetPrivateCertificateAuthority(pendingCertificate.HashAlgorithm); CertificateAuthorityRequestResponse response = ca.Sign(csr, template.Name, template.KeyUsage); CreatePrivateCertificateResult result = ProcessCertificateAuthorityResponse(pendingCertificate, response, csr.Subject, user); certificateRepository.Delete <PendingCertificate>(id); return(result); } else { throw new UnauthorizedAccessException("Current user is not authorized to issue pending certificates"); } }
public void MicrosoftCertificateAuthority_Sign_CngEcdh256_CertificateAuthorityRequestResponse_Issued() { string templateName = "ServerAuthentication-CngEcdh"; int keysize = 256; string commonName = "domain.com"; WindowsApi api = WindowsApi.Cng; CipherAlgorithm cipher = CipherAlgorithm.ECDH; KeyUsage keyUsage = KeyUsage.ServerAuthentication; CertificateSubject subject = new CertificateSubject(commonName); Win32CertificateProvider provider = new Win32CertificateProvider(); CertificateRequest csr = provider.CreateCsrKeyPair(subject, cipher, keysize, api, SigningRequestProtocol.Pkcs10); MicrosoftCertificateAuthority ca = new MicrosoftCertificateAuthority(new MicrosoftCertificateAuthorityOptions() { AuthenticationRealm = domain, AuthenticationType = MicrosoftCertificateAuthorityAuthenticationType.UsernamePassword, HashAlgorithm = HashAlgorithm.SHA256, ServerName = caServerName, CommonName = caCommonName, Username = username, Password = password }); CertificateAuthorityRequestResponse response = ca.Sign(csr, templateName, keyUsage); Assert.AreEqual(CertificateRequestStatus.Issued, response.CertificateRequestStatus); }
public SignPrivateCertificateResult SignCertificate(SignPrivateCertificateModel model, ClaimsPrincipal user) { CertificateRequest csr = certificateProvider.InitializeFromEncodedCsr(model.EncodedCsr); AdcsTemplate template = templateLogic.DiscoverTemplate(csr.CipherAlgorithm, WindowsApi.Cng, KeyUsage.ServerAuthentication); if (authorizationLogic.IsAuthorized(template, user)) { MicrosoftCertificateAuthority ca = configurationRepository.GetPrivateCertificateAuthority(model.HashAlgorithm); CertificateAuthorityRequestResponse response = ca.Sign(csr, template.Name, template.KeyUsage); return(HandleCertificateAuthorityResponse(model, response, csr.Subject)); } else { return(ProcessPendingSigningWorkflow(model)); } }
private SignPrivateCertificateResult ProcessCertificateAuthoritySigningResponse(SignPrivateCertificateModel model, CertificateAuthorityRequestResponse response, CertificateSubject subject) { return(null); }
private SignPrivateCertificateResult HandleCertificateAuthorityResponse(SignPrivateCertificateModel model, CertificateAuthorityRequestResponse response, CertificateSubject subject) { SignPrivateCertificateResult result; switch (response.CertificateRequestStatus) { case CertificateRequestStatus.Issued: result = ProcessCertificateAuthoritySigningResponse(model, response, subject); break; case CertificateRequestStatus.Pending: throw new CertificateAuthorityDeniedRequestException(string.Format("Error while processing request id {0}", response.RequestId)); break; default: throw new CertificateAuthorityDeniedRequestException(string.Format("Error while processing request id {0}", response.RequestId)); break; } return(result); }
private CreatePrivateCertificateResult ProcessCertificateAuthorityResponse(ICertificateRequestPublicPrivateKeyPair model, CertificateAuthorityRequestResponse response, CertificateSubject subject, ClaimsPrincipal user) { CreatePrivateCertificateResult result; switch (response.CertificateRequestStatus) { case CertificateRequestStatus.Issued: result = ProcessCertificateAuthoritySuccessResponse(model, response, subject, user); break; case CertificateRequestStatus.Pending: throw new CertificateAuthorityDeniedRequestException(string.Format("Error while processing request id {0}", response.RequestId)); break; default: throw new CertificateAuthorityDeniedRequestException(string.Format("Error while processing request id {0}", response.RequestId)); break; } return(result); }
private CreatePrivateCertificateResult ProcessCertificateAuthoritySuccessResponse(ICertificateRequestPublicPrivateKeyPair model, CertificateAuthorityRequestResponse response, CertificateSubject subject, ClaimsPrincipal user) { string nonce = secrets.NewSecretBase64(16); string password = secrets.NewSecret(64); X509Certificate2 cert = certificateProvider.InstallIssuedCertificate(response.IssuedCertificate); SetPrivateKeyFileSystemAccess(model, cert, user); byte[] certContent = cert.Export(X509ContentType.Pfx, password); CreatePrivateCertificateResult result = new CreatePrivateCertificateResult() { Password = password, Pfx = Convert.ToBase64String(certContent), Status = PrivateCertificateRequestStatus.Success, Thumbprint = cert.Thumbprint, Id = Guid.NewGuid(), }; List <AccessControlEntry> defaultAcl = authorizationLogic.GetDefaultCertificateAcl(user); Certificate storedCert = new Certificate() { Id = result.Id, Thumbprint = cert.Thumbprint, PfxPassword = cipher.Encrypt(password, nonce), WindowsApi = model.Provider, Content = certContent, CertificateStorageFormat = CertificateStorageFormat.Pfx, HashAlgorithm = model.HashAlgorithm, CipherAlgorithm = model.CipherAlgorithm, DisplayName = model.SubjectCommonName, HasPrivateKey = true, ValidTo = cert.NotAfter, ValidFrom = cert.NotBefore, KeySize = model.KeySize, KeyUsage = dataTransformation.ParseKeyUsage(model.KeyUsage), Subject = subject, Acl = defaultAcl, PasswordNonce = nonce, ContentDigest = hashProvider.ComputeHash(certContent) }; certificateRepository.Insert(storedCert); return(result); }