public void TestInvalidConstructorInputs()
{
X509Certificate2 tlsCertificate = CertificateHelper.GenerateSelfSignedCert("TestCert");
var transportSettings = new DefaultTransportSettings(Scheme, HostName, Port, tlsCertificate);
AmqpSettings amqpSettings = AmqpSettingsProvider.GetDefaultAmqpSettings(IotHubHostName, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>(), Mock.Of <ILinkHandlerProvider>(), Mock.Of <IConnectionProvider>(), new NullCredentialsStore());
var transportListenerProvider = new Mock <ITransportListenerProvider>();
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(null, amqpSettings, transportListenerProvider.Object));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, null, transportListenerProvider.Object));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, amqpSettings, null));
Assert.NotNull(new AmqpProtocolHead(transportSettings, amqpSettings, transportListenerProvider.Object));
}
public string Build(CertificateData data)
{
var userPath = GetUserPath();
var filePath = Path.Combine(
userPath,
$"Certificate-{data.Fullname.Replace(' ', '-')}-{DateTime.Now.ToString("yyyyMMddss")}.{FileFormat.Jpg}");
CertificateHelper.CreateCertificate(data, filePath);
return(filePath);
}
[Ignore] // TODO #582
public void X509CertificateMutipleClientAuthMechanism()
{
string hostName = "acme.azure-devices.net";
var amqpConnectionPoolSettings = new AmqpConnectionPoolSettings();
var transportSetting = new AmqpTransportSettings(TransportType.Amqp_Tcp_Only, 200, amqpConnectionPoolSettings);
var authMethod1 = new DeviceAuthenticationWithRegistrySymmetricKey("device1", "CQN2K33r45/0WeIjpqmErV5EIvX8JZrozt3NEHCEkG8=");
var deviceClient = DeviceClient.Create(hostName, authMethod1, new ITransportSettings[] { transportSetting });
var cert = CertificateHelper.InstallCertificateFromFile(LocalCertFilename, LocalCertPasswordFile);
var authMethod2 = new DeviceAuthenticationWithX509Certificate("device2", cert);
var device2Client = DeviceClient.Create(hostName, authMethod2, new ITransportSettings[] { new AmqpTransportSettings(TransportType.Amqp_Tcp_Only, 100) });
}
private static X509Certificate2 GetCertificate()
{
X509Certificate2 cert = CertificateHelper.FindCertificateByThumbprint(TestConstants.AutomationTestThumbprint);
if (cert == null)
{
throw new InvalidOperationException(
"Test setup error - cannot find a certificate in the My store for KeyVault. This is available for Microsoft employees only.");
}
return(cert);
}
/// <summary>
/// Initializes static members of the <see cref="TestConstants"/> class.
/// </summary>
static TestConstants()
{
#if OBA_DEV_ALEC
string environmentName = "oba-dev-alec";
ConfigFileName = environmentName + ".config";
#endif
#if OBA_DEV_SHARAD
string environmentName = "oba-dev-sharad";
ConfigFileName = environmentName + ".config";
#endif
#if OBA_PPE
string environmentName = "oba-ppe";
ConfigFileName = environmentName + ".config";
#endif
#if OBA_PROD
string environmentName = "oba-prod";
ConfigFileName = environmentName + ".config";
#endif
// use the fsr to read values that are not secrets
var fsr = new FileSettingsReader(ConfigurationManager.AppSettings["ConfigRelativePath"] + Path.DirectorySeparatorChar + ConfigFileName);
EmbeddedSocialAdminUserHandle = fsr.ReadValue("EmbeddedSocialAdminUserHandle");
EmbeddedSocialAppKey = fsr.ReadValue("EmbeddedSocialAppKey");
EmbeddedSocialUri = new Uri(fsr.ReadValue("EmbeddedSocialUri"));
AADOBAAppId = fsr.ReadValue("AADOBAAppId");
AADOBAHomePage = fsr.ReadValue("AADOBAHomePage");
AADTenantId = fsr.ReadValue("AADTenantId");
KeyVaultUri = fsr.ReadValue("KeyVaultUri");
OBACertThumbprint = fsr.ReadValue("OBACertThumbprint");
OBARegionsListUri = fsr.ReadValue("OBARegionsListUri");
// use the kvr to read secrets
ICertificateHelper cert = new CertificateHelper(OBACertThumbprint, AADOBAAppId, StoreLocation.CurrentUser);
IKeyVaultClient kvClient = new AzureKeyVaultClient(cert);
var log = new Log(LogDestination.Debug, Log.DefaultCategoryName);
var kv = new KV(log, AADOBAAppId, KeyVaultUri, OBACertThumbprint, StoreLocation.CurrentUser, kvClient);
var kvr = new KVSettingsReader(fsr, kv);
AzureStorageConnectionString = kvr.ReadValueAsync("AzureStorageConnectionString").Result;
OBAApiKey = kvr.ReadValueAsync("OBAApiKey").Result;
SendGridEmailAddr = kvr.ReadValueAsync("SendGridEmailAddr").Result;
SendGridKey = kvr.ReadValueAsync("SendGridKey").Result;
ServiceBusConnectionString = kvr.ReadValueAsync("ServiceBusConnectionString").Result;
// Obtain an AAD token using a cert from the local store for the current user
AADSettings aadSettings = new AADSettings(TestConstants.AADTenantId, TestConstants.AADOBAAppId, TestConstants.AADOBAHomePage, TestConstants.OBACertThumbprint);
CertificateHelper certHelper = new CertificateHelper(TestConstants.OBACertThumbprint, TestConstants.AADOBAAppId, StoreLocation.CurrentUser);
EmbeddedSocialAADToken = certHelper.GetAccessToken(aadSettings.Authority, aadSettings.AppUri).Result;
}
/// <summary>
/// Initializes static members of the <see cref="KVTests"/> class.
/// </summary>
static KVTests()
{
FileSettingsReader = new FileSettingsReader(ConfigurationManager.AppSettings["ConfigRelativePath"] + Path.DirectorySeparatorChar + TestConstants.ConfigFileName);
SigningKey = FileSettingsReader.ReadValue(BearerTokenSigningKey);
ClientId = FileSettingsReader.ReadValue(EmbeddedSocialClientIdSetting);
VaultUrl = FileSettingsReader.ReadValue(SocialPlusVaultUrlSetting);
CertThumbprint = FileSettingsReader.ReadValue(SocialPlusCertThumbprint);
StoreLoc = StoreLocation.CurrentUser;
var cert = new CertificateHelper(CertThumbprint, ClientId, StoreLoc);
Client = new AzureKeyVaultClient(cert);
TestLog = new Log(LogDestination.Debug, Log.DefaultCategoryName);
}
public void Expect_CryptographicException_when_a_invalid_certificate_is_used_to_encrypt_credentials()
{
var certificate = new CertificateHelper().GetCertificateOfServerByName("LocalhostCertificate.pfx");
var cryptoProvider = new CollectServiceCryptoProvider();
var encryptedCredentials =
cryptoProvider
.EncryptCredentialBasedOnCertificateOfServer(new CredentialFactory().GetCredential(), certificate);
var plainCredentials =
cryptoProvider
.DecryptCredentialBasedOnCertificateOfServer(encryptedCredentials, certificate);
}
[Ignore] // TODO #582
public void DeviceClient_ValidCertHttp()
{
// arrange
const string hostName = "acme.azure-devices.net";
var authMethod = new DeviceAuthenticationWithX509Certificate(
"device1",
CertificateHelper.InstallCertificateFromFile(LocalCertFilename, LocalCertPasswordFile));
// act
_ = DeviceClient.Create(hostName, authMethod, new ITransportSettings[] { new Http1TransportSettings() });
// assert?
}
public void Should_be_possible_to_encrypt_credential_based_on_public_part_of_certificate_of_server()
{
var certificateInBytes = new CertificateHelper().GetCertificateOfServer().Export(X509ContentType.Cert);
var otherCertificate = new X509Certificate2(certificateInBytes);
Assert.IsNotNull(otherCertificate);
var credentialInBytes =
new CollectServiceCryptoProvider()
.EncryptCredentialBasedOnCertificateOfServer(new CredentialFactory().GetCredential(), otherCertificate);
Assert.IsNotNull(credentialInBytes);
}
protected override void OnExecute(CertificateOptions option)
{
Option.Verbose = true;
var certificates = CertificateHelper.GetCertificates();
Info("Информация о сертификатах");
foreach (var cert in certificates)
{
Info(string.Format("Субъект: {0}", cert.Subject));
Info(string.Format("Отпечаток: {0}", cert.Thumbprint));
Console.WriteLine();
}
}
public static void AddSharedKestrelOptions(this KestrelServerOptions options, HostingConfiguration config)
{
options.AddServerHeader = false;
if (!config.IsSslEnabled)
{
return;
}
var certificate = CertificateHelper.GetCertificate(config.CertificateFile, config.CertificatePassword, config.CertificateThumbprint);
options.UseHttps(certificate);
}
public static async Task <EdgeHubCertificates> LoadAsync(IConfigurationRoot configuration)
{
Preconditions.CheckNotNull(configuration, nameof(configuration));
EdgeHubCertificates result;
string edgeHubDevCertPath = configuration.GetValue <string>(Constants.ConfigKey.EdgeHubDevServerCertificateFile);
string edgeHubDevPrivateKeyPath = configuration.GetValue <string>(Constants.ConfigKey.EdgeHubDevServerPrivateKeyFile);
string edgeHubDockerCertPFXPath = configuration.GetValue <string>(Constants.ConfigKey.EdgeHubServerCertificateFile);
string edgeHubDockerCaChainCertPath = configuration.GetValue <string>(Constants.ConfigKey.EdgeHubServerCAChainCertificateFile);
string edgeHubConnectionString = configuration.GetValue <string>(Constants.ConfigKey.IotHubConnectionString);
if (string.IsNullOrEmpty(edgeHubConnectionString))
{
// When connection string is not set it is edged mode as iotedgd is expected to set this.
// In this case we reach out to the iotedged via the workload interface.
(X509Certificate2 ServerCertificate, IEnumerable <X509Certificate2> CertificateChain)certificates;
var workloadUri = new Uri(configuration.GetValue <string>(Constants.ConfigKey.WorkloadUri));
string edgeHubHostname = configuration.GetValue <string>(Constants.ConfigKey.EdgeDeviceHostName);
string moduleId = configuration.GetValue <string>(Constants.ConfigKey.ModuleId);
string generationId = configuration.GetValue <string>(Constants.ConfigKey.ModuleGenerationId);
DateTime expiration = DateTime.UtcNow.AddDays(Constants.CertificateValidityDays);
certificates = await CertificateHelper.GetServerCertificatesFromEdgelet(workloadUri, Constants.WorkloadApiVersion, moduleId, generationId, edgeHubHostname, expiration);
InstallCertificates(certificates.CertificateChain);
result = new EdgeHubCertificates(certificates.ServerCertificate, certificates.CertificateChain?.ToList());
}
else if (!string.IsNullOrEmpty(edgeHubDevCertPath) &&
!string.IsNullOrEmpty(edgeHubDevPrivateKeyPath))
{
// If no connection string was set and we use iotedged workload style certificates for development
(X509Certificate2 ServerCertificate, IEnumerable <X509Certificate2> CertificateChain)certificates;
certificates = CertificateHelper.GetServerCertificateAndChainFromFile(edgeHubDevCertPath, edgeHubDevPrivateKeyPath);
InstallCertificates(certificates.CertificateChain);
result = new EdgeHubCertificates(certificates.ServerCertificate, certificates.CertificateChain?.ToList());
}
else if (!string.IsNullOrEmpty(edgeHubDockerCertPFXPath) &&
!string.IsNullOrEmpty(edgeHubDockerCaChainCertPath))
{
// If no connection string was set and we use iotedge devdiv style certificates for development
List <X509Certificate2> certificateChain = CertificateHelper.GetServerCACertificatesFromFile(edgeHubDockerCaChainCertPath)?.ToList();
InstallCertificates(certificateChain);
result = new EdgeHubCertificates(new X509Certificate2(edgeHubDockerCertPFXPath), certificateChain);
}
else
{
throw new InvalidOperationException("Edge Hub certificate files incorrectly configured");
}
return(result);
}
private static async Task RenewCore(RenewalParameters renewalParams)
{
Trace.TraceInformation("Generating SSL certificate with parameters: {0}", renewalParams);
var acmeConfig = GetAcmeConfig(renewalParams);
var webAppEnvironment = GetWebAppEnvironment(renewalParams);
var certificateServiceSettings = new CertificateServiceSettings {
UseIPBasedSSL = renewalParams.UseIpBasedSsl
};
var azureDnsEnvironment = GetAzureDnsEnvironment(renewalParams);
var manager = azureDnsEnvironment == null
? CertificateManager.CreateKuduWebAppCertificateManager(webAppEnvironment, acmeConfig, certificateServiceSettings, new AuthProviderConfig())
: CertificateManager.CreateAzureDnsWebAppCertificateManager(webAppEnvironment, acmeConfig, certificateServiceSettings, azureDnsEnvironment);
Trace.TraceInformation("Adding SSL cert for '{0}'...", GetWebAppFullName(renewalParams));
bool addNewCert = true;
if (renewalParams.RenewXNumberOfDaysBeforeExpiration > 0)
{
var staging = acmeConfig.BaseUri.Contains("staging", StringComparison.OrdinalIgnoreCase);
var letsEncryptHostNames = await CertificateHelper.GetLetsEncryptHostNames(webAppEnvironment, staging);
Trace.TraceInformation("Let's Encrypt host names (staging: {0}): {1}", staging, String.Join(", ", letsEncryptHostNames));
ICollection <string> missingHostNames = acmeConfig.Hostnames.Except(letsEncryptHostNames, StringComparer.OrdinalIgnoreCase).ToArray();
if (missingHostNames.Count > 0)
{
Trace.TraceInformation(
"Detected host name(s) with no associated Let's Encrypt certificates, will add a new certificate: {0}",
String.Join(", ", missingHostNames));
}
else
{
Trace.TraceInformation("All host names associated with Let's Encrypt certificates, will perform cert renewal");
addNewCert = false;
}
}
if (addNewCert)
{
await manager.AddCertificate();
}
else
{
await manager.RenewCertificate(false, renewalParams.RenewXNumberOfDaysBeforeExpiration);
}
Trace.TraceInformation("Let's Encrypt SSL certs & bindings renewed for '{0}'", renewalParams.WebApp);
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseStartup <Startup>();
webBuilder.UseSerilog();
webBuilder.ConfigureKestrel(kestrel =>
{
kestrel.ConfigureHttpsDefaults(https =>
{
https.ServerCertificate = CertificateHelper.CreateCertificate(Configuration);
});
});
});
// GET: Certificate
public ActionResult Index()
{
var listOfEvent = EventHelper.GetAllEventCertificate();
for (var i = 0; i < listOfEvent.Count; i++)
{
var certificate = CertificateHelper.GetAllCertificatesByEvent(listOfEvent[i].ID.ToString());
if (certificate != null)
{
listOfEvent[i].CertificateTemplate = true;
}
}
return(View(listOfEvent));
}
/// <summary>
/// 对XmlDocument执行解密
/// </summary>
/// <param name="doc"> XmlDocument对象 </param>
/// <param name="cername"> 证书名称 </param>
/// <param name="cersn"> 证书的序列号(已被Asn1IntegerConverter转换过的) </param>
/// <param name="keyname"> 加密的标签名 </param>
public static void DecryptDocument(XmlDocument doc, string cername, string cersn, string keyname)
{
X509Certificate2 x = CertificateHelper.GetCertificate(StoreName.My, StoreLocation.LocalMachine, cername);
string thisSN = Asn1IntegerConverter.Asn1IntegerToDecimalString(x.GetSerialNumber());
if (thisSN != cersn)
{
throw new Exception("无法分析文本");
}
EncryptedXml exml = new EncryptedXml(doc);
exml.AddKeyNameMapping(keyname, x.PrivateKey);
exml.DecryptDocument();
}
public void Configuration(IAppBuilder app)
{
app.UseCors(CorsOptions.AllowAll);
app.UseIdentityServer(new IdentityServerOptions
{
SiteName = "Embedded IdentityServer",
SigningCertificate = CertificateHelper.GetDefaultCertificate(),
RequireSsl = false,
Factory = new IdentityServerServiceFactory()
.UseInMemoryUsers(Users.Get())
.UseInMemoryClients(Clients.Get())
.UseInMemoryScopes(Scopes.Get())
});
}
private static List <X509Certificate> ReadCertificatesDirectory()
{
List <X509Certificate> certificates = new List <X509Certificate>();
string certificatesPath = GetCertificatesPath();
string[] files = Directory.GetFiles(certificatesPath, "*.cer");
foreach (string filePath in files)
{
byte[] fileBytes = File.ReadAllBytes(filePath);
X509Certificate certificate = CertificateHelper.GetCertificatesFromBytes(fileBytes);
certificates.Add(certificate);
}
return(certificates);
}
private void InitializeModule([NotNull] CustomModule module)
{
if (module == null)
{
throw new ArgumentNullException(nameof(module));
}
LogProvider.Log.Info($"Initializing {module.ModuleName} module.");
var moduleAssemblyPath = module.ModuleAssembly;
if (!File.Exists(moduleAssemblyPath))
{
moduleAssemblyPath = Path.Combine(StringFormatter.GetModulesFolderPath(), module.ModuleAssembly);
if (!File.Exists(moduleAssemblyPath))
{
LogProvider.Log.Error($"Module {module.ModuleName} has not been found at '{moduleAssemblyPath}'.");
return;
}
}
if (!CertificateHelper.Verify(moduleAssemblyPath))
{
LogProvider.Log.Error($"Module {module.ModuleName} isn't valid at '{moduleAssemblyPath}'.");
return;
}
try
{
var moduleAssembly = Assembly.LoadFrom(moduleAssemblyPath);
LogProvider.Log.Info($"Module {module.ModuleName} has been loaded.");
var moduleInterfaceType = typeof(IDHModule);
var moduleType = moduleAssembly.GetTypes()
.FirstOrDefault(t => t.GetInterfaces().Contains(moduleInterfaceType) && t.GetConstructor(Type.EmptyTypes) != null);
var moduleObject = Activator.CreateInstance(moduleType) as IDHModule;
moduleObject.ConfigureContainer(container);
LogProvider.Log.Info($"Module {module.ModuleName} has been configured.");
}
catch (Exception e)
{
LogProvider.Log.Error(this, $"Module {module.ModuleName} hasn't been loaded at '{moduleAssemblyPath}'.", e);
}
}
public static void ResignExecutable(MachObjectFile file, string bundleIdentifier, List <X509Certificate> certificateChain, AsymmetricKeyEntry privateKey, byte[] infoFileBytes, byte[] codeResourcesBytes, EntitlementsFile entitlements)
{
X509Certificate signingCertificate = certificateChain[certificateChain.Count - 1];
string certificateCN = CertificateHelper.GetCertificateCommonName(signingCertificate);
string teamID = CertificateHelper.GetCertificateOrganizationalUnit(signingCertificate);
SegmentCommand linkEditSegment = SegmentCommandHelper.FindLinkEditSegment(file.LoadCommands);
if (linkEditSegment == null)
{
throw new InvalidDataException("LinkEdit segment was not found");
}
if (file.LoadCommands[file.LoadCommands.Count - 1].CommandType != LoadCommandType.CodeSignature)
{
throw new NotImplementedException("The last LoadCommand entry is not CodeSignature");
}
CodeSignatureCommand command = (CodeSignatureCommand)file.LoadCommands[file.LoadCommands.Count - 1];
int codeLength = (int)command.DataOffset;
CodeDirectoryBlob codeDirectory = CreateCodeDirectoryBlob(codeLength, bundleIdentifier, teamID);
CodeRequirementsBlob codeRequirements = CreateCodeRequirementsBlob(bundleIdentifier, certificateCN);
EntitlementsBlob entitlementsBlob = CreateEntitlementsBlob(entitlements);
CmsSignatureBlob cmsSignature = new CmsSignatureBlob();
// We create a dummy signature to determine the length required
cmsSignature.Data = CMSHelper.GenerateSignature(certificateChain, privateKey, codeDirectory.GetBytes());
CodeSignatureSuperBlob codeSignature = new CodeSignatureSuperBlob();
codeSignature.Entries.Add(CodeSignatureEntryType.CodeDirectory, codeDirectory);
codeSignature.Entries.Add(CodeSignatureEntryType.Requirements, codeRequirements);
codeSignature.Entries.Add(CodeSignatureEntryType.Entitlements, entitlementsBlob);
codeSignature.Entries.Add(CodeSignatureEntryType.CmsSignature, cmsSignature);
command.DataSize = (uint)codeSignature.Length;
uint finalFileSize = command.DataOffset + command.DataSize;
SegmentCommandHelper.SetEndOffset(linkEditSegment, finalFileSize);
byte[] codeToHash = ByteReader.ReadBytes(file.GetBytes(), 0, codeLength);
UpdateHashes(codeDirectory, codeToHash, infoFileBytes, codeRequirements, codeResourcesBytes, entitlementsBlob);
cmsSignature.Data = CMSHelper.GenerateSignature(certificateChain, privateKey, codeDirectory.GetBytes());
// Store updated code signature:
byte[] codeSignatureBytes = codeSignature.GetBytes();
Array.Resize <byte>(ref file.Data, (codeLength - file.DataOffset) + (int)command.DataSize);
ByteWriter.WriteBytes(file.Data, (int)command.DataOffset - file.DataOffset, codeSignatureBytes);
}
public async Task <IActionResult> CertificatePreview(long id, bool isPreview)
{
var batch = await _certificateService.GetCertificateBatchByID(id, true);
var data = batch.Certificates.OrderBy(e => e.SerialNo)
.Select(e => CertificateHelper.Convert(e))
.ToList();
return(View("Certificate", new CertificateModel
{
IsPreview = isPreview,
Title = batch.TemplateText,
Certificates = data
}));
}
[Ignore] // TODO #582
public void DeviceClient_InvalidX509Certificate()
{
// arrange
const string hostName = "acme.azure-devices.net";
var transportSetting = new AmqpTransportSettings(TransportType.Amqp_Tcp_Only, 200, new AmqpConnectionPoolSettings());
var authMethod1 = new DeviceAuthenticationWithRegistrySymmetricKey("device1", "dGVzdFN0cmluZzE=");
X509Certificate2 cert = CertificateHelper.InstallCertificateFromFile(LocalCertFilename, LocalCertPasswordFile);
var authMethod2 = new DeviceAuthenticationWithX509Certificate("device2", cert);
// act
_ = DeviceClient.Create(hostName, authMethod1, new ITransportSettings[] { transportSetting });
_ = DeviceClient.Create(hostName, authMethod2, new ITransportSettings[] { new AmqpTransportSettings(TransportType.Amqp_Tcp_Only, 100) });
// assert?
}
public void X509Certificate_MqttTransportSettingsTest()
{
string hostName = "acme.azure-devices.net";
var cert = CertificateHelper.InstallCertificateFromFile(LocalCertFilename, LocalCertPasswordFile);
var authMethod = new DeviceAuthenticationWithX509Certificate("device1", cert);
var deviceClient = DeviceClient.Create(hostName, authMethod, new ITransportSettings[]
{
new MqttTransportSettings(TransportType.Mqtt)
{
ClientCertificate = cert,
RemoteCertificateValidationCallback = (a, b, c, d) => true
}
});
}
public void should_fail_if_client_do_not_send_handshake_within_given_time_Frame()
{
var certificate = CertificateHelper.Create();
var clientServer = ClientServerHelper.Create();
var buffer = new BufferSlice(new byte[65535], 0, 65535);
var serverChannel = new TcpChannel(buffer, new FakeEncoder(), new FakeDecoder());
var sut = new ServerSideSslStreamBuilder(certificate);
sut.HandshakeTimeout = TimeSpan.FromMilliseconds(100);
Action actual = () => sut.Build(serverChannel, clientServer.Server);
actual.ShouldThrow <InvalidOperationException>();
}
public async Task <FileServiceJwt> VerifyJwt(AuthJwt auth)
{
try
{
// check signature
var publicKey = await this._configService.Get("JWTPublicKeys");
//var cer = new X509Certificate2(Convert.FromBase64String(publicKey));
var rsa = CertificateHelper.GetPublicKey(auth.Jwt, publicKey);// (RSA)(cer.PublicKey.Key);
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerSigningKey = new RsaSecurityKey(rsa),
ValidateIssuer = false,
};
var result = new JwtSecurityTokenHandler().ValidateToken(auth.Jwt, validationParameters, out SecurityToken securityToken);
var validateToken = securityToken as JwtSecurityToken;
string scopeStr = validateToken.Claims.FirstOrDefault(c => c.Type == "scope")?.Value;
string jti = validateToken.Claims.FirstOrDefault(c => c.Type == "jti")?.Value;
string iss = validateToken.Claims.FirstOrDefault(c => c.Type == "iss")?.Value;
ScopeDto scope = new ScopeDto();
if (!string.IsNullOrEmpty(scopeStr))
{
scope = JsonConvert.DeserializeObject <ScopeDto>(scopeStr);
}
//LogHelper.Info($"Check ip: JWT->{scope.ip}, FileService->{auth.IP}");
//此处ip校验,在对部分域名使用vpn加速情况下,可能造成ip不一致,所以暂时去掉
/*
* if (scope.ip != auth.IP && scope.ip != "127.0.0.1")
* {
* throw new UnauthorizedException();
* }
*/
VerifyJti(jti);
return(new FileServiceJwt()
{
ExpireInDays = scope.fileExpireInDays,
SiteId = scope.siteId,
AppId = iss
});
}
catch (Exception ex)
{
LogHelper.Error(ex, ex.Message);
throw new UnauthorizedException();
}
}
static async Task <LeafDevice> CreateWithCaCertAsync(
string leafDeviceId,
string parentId,
CertificateAuthority ca,
IotHub iotHub,
ITransportSettings transport,
string edgeHostname,
CancellationToken token,
ClientOptions options)
{
Device edge = await GetEdgeDeviceIdentityAsync(parentId, iotHub, token);
Device leaf = new Device(leafDeviceId)
{
Authentication = new AuthenticationMechanism
{
Type = AuthenticationType.CertificateAuthority
},
Scope = edge.Scope
};
leaf = await iotHub.CreateDeviceIdentityAsync(leaf, token);
return(await DeleteIdentityIfFailedAsync(
leaf,
iotHub,
token,
async() =>
{
IdCertificates certFiles = await ca.GenerateIdentityCertificatesAsync(leafDeviceId, token);
(X509Certificate2 leafCert, IEnumerable <X509Certificate2> trustedCerts) =
CertificateHelper.GetServerCertificateAndChainFromFile(certFiles.CertificatePath, certFiles.KeyPath);
// .NET runtime requires that we install the chain of CA certs, otherwise it can't
// provide them to a server during authentication.
OsPlatform.Current.InstallTrustedCertificates(trustedCerts);
return await CreateLeafDeviceAsync(
leaf,
() => DeviceClient.Create(
iotHub.Hostname,
edgeHostname,
new DeviceAuthenticationWithX509Certificate(leaf.Id, leafCert),
new[] { transport },
options),
iotHub,
token);
}));
/// <summary>
/// Retrieves SendGrid key from KV
/// </summary>
/// <param name="configFile">config file path</param>
/// <returns>SendGrid key</returns>
public static string GetSendGridKey(string configFile)
{
var sr = new FileSettingsReader(configFile);
var certThumbprint = sr.ReadValue(TestConstants.SocialPlusCertThumbprint);
var clientID = sr.ReadValue(TestConstants.EmbeddedSocialClientIdSetting);
var storeLocation = StoreLocation.CurrentUser;
var vaultUrl = sr.ReadValue(TestConstants.SocialPlusVaultUrlSetting);
ICertificateHelper cert = new CertificateHelper(certThumbprint, clientID, storeLocation);
IKeyVaultClient client = new AzureKeyVaultClient(cert);
var log = new Log(LogDestination.Console, Log.DefaultCategoryName);
var kv = new KV(log, clientID, vaultUrl, certThumbprint, storeLocation, client);
var kvReader = new KVSettingsReader(sr, kv);
return(kvReader.ReadValueAsync("SendGridInstrumentationKey").Result);
}
protected void SetupMutualAuth()
{
if (_spineOptionsDelegate.CurrentValue.SdsUseMutualAuth)
{
var clientCertData = CertificateHelper.ExtractCertInstances(_spineOptionsDelegate.CurrentValue.ClientCert);
var clientPrivateKeyData = CertificateHelper.ExtractKeyInstance(_spineOptionsDelegate.CurrentValue.ClientPrivateKey);
var x509ClientCertificate = new X509Certificate2(clientCertData.FirstOrDefault());
var privateKey = RSA.Create();
privateKey.ImportRSAPrivateKey(clientPrivateKeyData, out _);
var x509CertificateWithPrivateKey = x509ClientCertificate.CopyWithPrivateKey(privateKey);
var pfxFormattedCertificate = new X509Certificate(x509CertificateWithPrivateKey.Export(X509ContentType.Pfx, string.Empty), string.Empty);
_clientCertificate = pfxFormattedCertificate;
}
}
public void Should_be_possible_to_use_ServerCertificate_to_do_assimetric_cryptography()
{
var certificate = new CertificateHelper().GetCertificateOfServer();
var cryptoProvider = new CollectServiceCryptoProvider();
var encryptedCredentials =
cryptoProvider
.EncryptCredentialBasedOnCertificateOfServer(new CredentialFactory().GetCredential(), certificate);
var plainCredentials =
cryptoProvider
.DecryptCredentialBasedOnCertificateOfServer(encryptedCredentials, certificate);
Assert.IsNotNull(plainCredentials, "The credentials after decryptation cannot be nuul.");
Assert.AreEqual("fake_domain", plainCredentials.Domain);
Assert.AreEqual("john_doe", plainCredentials.UserName);
Assert.AreEqual("******", plainCredentials.Password);
}
public void TestInvalidConstructorInputs()
{
const bool clientCertsAllowed = true;
X509Certificate2 tlsCertificate = CertificateHelper.GenerateSelfSignedCert("TestCert");
var transportSettings = new DefaultTransportSettings(Scheme, HostName, Port, tlsCertificate, clientCertsAllowed, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>(), SslProtocols.Tls12);
AmqpSettings amqpSettings = AmqpSettingsProvider.GetDefaultAmqpSettings(IotHubHostName, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>(), Mock.Of <ILinkHandlerProvider>(), Mock.Of <IConnectionProvider>(), new NullCredentialsCache());
var transportListenerProvider = new Mock <ITransportListenerProvider>();
var webSockerListenerRegistry = new Mock <IWebSocketListenerRegistry>();
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(null, amqpSettings, transportListenerProvider.Object, webSockerListenerRegistry.Object, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>()));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, null, transportListenerProvider.Object, webSockerListenerRegistry.Object, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>()));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, amqpSettings, null, webSockerListenerRegistry.Object, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>()));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, amqpSettings, transportListenerProvider.Object, null, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>()));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, amqpSettings, transportListenerProvider.Object, webSockerListenerRegistry.Object, null, Mock.Of <IClientCredentialsFactory>()));
Assert.Throws <ArgumentNullException>(() => new AmqpProtocolHead(transportSettings, amqpSettings, transportListenerProvider.Object, webSockerListenerRegistry.Object, Mock.Of <IAuthenticator>(), null));
Assert.NotNull(new AmqpProtocolHead(transportSettings, amqpSettings, transportListenerProvider.Object, webSockerListenerRegistry.Object, Mock.Of <IAuthenticator>(), Mock.Of <IClientCredentialsFactory>()));
}
