private void SetPrivateKeyFileSystemAccess(ICertificateRequestPublicPrivateKeyPair model, X509Certificate2 cert, ClaimsPrincipal user)
{
audit.LogOpsSuccess(user, cert.Thumbprint, EventCategory.CertificateAccess, "SetPrivateKeyFileSystemAccess");
string uniqueName = string.Empty;
audit.LogOpsSuccess(user, cert.Thumbprint, EventCategory.CertificateAccess, model.Provider.ToString());
if (model.Provider == WindowsApi.Cng)
{
uniqueName = cert.GetCngKey().UniqueName;
audit.LogOpsSuccess(user, cert.Thumbprint, EventCategory.CertificateAccess, uniqueName);
string keyPath = string.Empty;
//string searchDir = System.IO.Path.Combine(System.Environment.GetEnvironmentVariable("ProgramData"), @"Microsoft\Crypto");
//System.IO.Directory.GetFiles(searchDir, uniqueName, System.IO.SearchOption.AllDirectories);
foreach (string dir in searchDirs)
{
string[] keyPaths = Directory.GetFiles(dir, uniqueName, SearchOption.AllDirectories);
if (keyPaths.Any())
{
keyPath = keyPaths.First();
continue;
}
}
audit.LogOpsSuccess(user, cert.Thumbprint, EventCategory.CertificateAccess, keyPath);
DirectoryInfo directoryInfo = new DirectoryInfo(keyPath);
DirectorySecurity acl = directoryInfo.GetAccessControl();
FileSystemAccessRule ace = new FileSystemAccessRule
(
new NTAccount(WindowsIdentity.GetCurrent().Name),
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow
);
acl.AddAccessRule(ace);
Directory.SetAccessControl(keyPath, acl);
}
}
private CreatePrivateCertificateResult ProcessCertificateAuthorityResponse(ICertificateRequestPublicPrivateKeyPair model, CertificateAuthorityRequestResponse response, CertificateSubject subject, ClaimsPrincipal user)
{
CreatePrivateCertificateResult result;
switch (response.CertificateRequestStatus)
{
case CertificateRequestStatus.Issued:
result = ProcessCertificateAuthoritySuccessResponse(model, response, subject, user);
break;
case CertificateRequestStatus.Pending:
throw new CertificateAuthorityDeniedRequestException(string.Format("Error while processing request id {0}", response.RequestId));
break;
default:
throw new CertificateAuthorityDeniedRequestException(string.Format("Error while processing request id {0}", response.RequestId));
break;
}
return(result);
}
private CreatePrivateCertificateResult ProcessCertificateAuthoritySuccessResponse(ICertificateRequestPublicPrivateKeyPair model, CertificateAuthorityRequestResponse response, CertificateSubject subject, ClaimsPrincipal user)
{
string nonce = secrets.NewSecretBase64(16);
string password = secrets.NewSecret(64);
X509Certificate2 cert = certificateProvider.InstallIssuedCertificate(response.IssuedCertificate);
SetPrivateKeyFileSystemAccess(model, cert, user);
byte[] certContent = cert.Export(X509ContentType.Pfx, password);
CreatePrivateCertificateResult result = new CreatePrivateCertificateResult()
{
Password = password,
Pfx = Convert.ToBase64String(certContent),
Status = PrivateCertificateRequestStatus.Success,
Thumbprint = cert.Thumbprint,
Id = Guid.NewGuid(),
};
List <AccessControlEntry> defaultAcl = authorizationLogic.GetDefaultCertificateAcl(user);
Certificate storedCert = new Certificate()
{
Id = result.Id,
Thumbprint = cert.Thumbprint,
PfxPassword = cipher.Encrypt(password, nonce),
WindowsApi = model.Provider,
Content = certContent,
CertificateStorageFormat = CertificateStorageFormat.Pfx,
HashAlgorithm = model.HashAlgorithm,
CipherAlgorithm = model.CipherAlgorithm,
DisplayName = model.SubjectCommonName,
HasPrivateKey = true,
ValidTo = cert.NotAfter,
ValidFrom = cert.NotBefore,
KeySize = model.KeySize,
KeyUsage = dataTransformation.ParseKeyUsage(model.KeyUsage),
Subject = subject,
Acl = defaultAcl,
PasswordNonce = nonce,
ContentDigest = hashProvider.ComputeHash(certContent)
};
certificateRepository.Insert(storedCert);
return(result);
}
