Esempio n. 1
0
        public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
                              IPkiTool cp)
        {
            AssertNotDisposed();

            throw new NotImplementedException();
        }
        public void Install(PrivateKey pk, Crt crt, IEnumerable <Crt> chain, IPkiTool cp)
        {
            var store = new X509Store(StoreName, StoreLocation);

            try
            {
                store.Open(OpenFlags.ReadWrite);
                var crtChain = new[] { crt }.Concat(chain);
                using (var ms = new MemoryStream())
                {
                    cp.ExportArchive(pk, crtChain, ArchiveFormat.PKCS12, ms);

                    var flag = X509KeyStorageFlags.UserKeySet;
                    if (StoreLocation == StoreLocation.LocalMachine)
                    {
                        flag = X509KeyStorageFlags.MachineKeySet;
                    }

                    var cert = new X509Certificate2(ms.ToArray(), string.Empty,
                                                    X509KeyStorageFlags.PersistKeySet | flag |
                                                    X509KeyStorageFlags.Exportable);

                    if (!string.IsNullOrEmpty(FriendlyName))
                    {
                        cert.FriendlyName = FriendlyName;
                    }

                    store.Add(cert);
                }
            }
            finally
            {
                store.Close();
            }
        }
        public void Install(PrivateKey pk, Crt crt, IEnumerable <Crt> chain, IPkiTool cp)
        {
            var bindings = IisHelper.ResolveSiteBindings(WebSiteRef);
            var existing = IisHelper.ResolveSiteBindings(
                BindingAddress, BindingPort, BindingHost, bindings).ToArray();

            if (existing?.Length > 0 && !Force)
            {
                throw new InvalidOperationException(
                          "found existing conflicting bindings for target site;"
                          + " use Force parameter to overwrite");
            }

            // TODO: should we expose these as optional params to be overridden by user?
            var storeLocation = StoreLocation.LocalMachine;
            var storeName     = StoreName.My;
            var cert          = ImportCertificate(pk, crt, chain, cp,
                                                  storeName, storeLocation, CertificateFriendlyName);

            var certStore = Enum.GetName(typeof(StoreName), storeName);
            var certHash  = cert.GetCertHash();


            if (existing?.Length > 0)
            {
                foreach (var oldBinding in existing)
                {
                    if (BindingHostRequired.HasValue)
                    {
                        oldBinding.BindingHostRequired = BindingHostRequired;
                    }
                    IisHelper.UpdateSiteBinding(oldBinding, certStore, certHash);
                }
            }
            else
            {
                var firstBinding = bindings.First();
                var newBinding   = new IisWebSiteBinding
                {
                    // Copy over some existing site info
                    SiteId   = firstBinding.SiteId,
                    SiteName = firstBinding.SiteName,
                    SiteRoot = firstBinding.SiteRoot,

                    // New binding specifics
                    BindingProtocol     = "https",
                    BindingAddress      = this.BindingAddress,
                    BindingPort         = this.BindingPort.ToString(),
                    BindingHost         = this.BindingHost,
                    BindingHostRequired = this.BindingHostRequired,
                };

                IisHelper.CreateSiteBinding(newBinding, certStore, certHash);
            }
        }
Esempio n. 4
0
        public void Install(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
                            IPkiTool cp)
        {
            AssertNotDisposed();

            string pkPem;

            using (var ms = new MemoryStream())
            {
                cp.ExportPrivateKey(pk, EncodingFormat.PEM, ms);
                pkPem = Encoding.UTF8.GetString(ms.ToArray());
            }

            string crtPem;

            using (var ms = new MemoryStream())
            {
                cp.ExportCertificate(crt, EncodingFormat.PEM, ms);
                crtPem = Encoding.UTF8.GetString(ms.ToArray());
            }

            string chainPem = null;

            if (chain != null)
            {
                using (var ms = new MemoryStream())
                {
                    foreach (var c in chain)
                    {
                        cp.ExportCertificate(c, EncodingFormat.PEM, ms);
                    }
                    chainPem = Encoding.UTF8.GetString(ms.ToArray());
                }
            }

            using (var client = new AmazonIdentityManagementServiceClient(
                       CommonParams.ResolveCredentials(),
                       CommonParams.RegionEndpoint))
            {
                var iamRequ = new UploadServerCertificateRequest
                {
                    PrivateKey       = pkPem,
                    CertificateBody  = crtPem,
                    CertificateChain = chainPem,

                    ServerCertificateName = this.ServerCertificateName,
                    Path = this.Path
                };

                var iamResp = client.UploadServerCertificate(iamRequ);
                // TODO:  any checks we should do?
            }
        }
Esempio n. 5
0
        public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
                              IPkiTool cp)
        {
            AssertNotDisposed();

            using (var client = new AmazonIdentityManagementServiceClient(
                       CommonParams.ResolveCredentials(),
                       CommonParams.RegionEndpoint))
            {
                var iamRequ = new DeleteServerCertificateRequest
                {
                    ServerCertificateName = this.ServerCertificateName,
                };

                var iamResp = client.DeleteServerCertificate(iamRequ);
                // TODO:  any checks we should do?
            }
        }
        public void Install(PrivateKey pk, Crt crt, IEnumerable<PKI.Crt> chain,
                IPkiTool cp)
        {
            AssertNotDisposed();

            string pkPem;
            using (var ms = new MemoryStream())
            {
                cp.ExportPrivateKey(pk, EncodingFormat.PEM, ms);
                pkPem = Encoding.UTF8.GetString(ms.ToArray());
            }

            string crtPem;
            using (var ms = new MemoryStream())
            {
                cp.ExportCertificate(crt, EncodingFormat.PEM, ms);
                crtPem = Encoding.UTF8.GetString(ms.ToArray());
            }

            string chainPem = null;
            if (chain != null)
            {
                using (var ms = new MemoryStream())
                {
                    foreach (var c in chain)
                    {
                        cp.ExportCertificate(c, EncodingFormat.PEM, ms);
                    }
                    chainPem = Encoding.UTF8.GetString(ms.ToArray());
                }
            }

            using (var client = new AmazonIdentityManagementServiceClient(
                CommonParams.ResolveCredentials(),
                CommonParams.RegionEndpoint))
            {
                var iamRequ = new UploadServerCertificateRequest
                {
                    PrivateKey = pkPem,
                    CertificateBody = crtPem,
                    CertificateChain = chainPem,

                    ServerCertificateName = this.ServerCertificateName,
                    Path = this.Path
                };

                var iamResp = client.UploadServerCertificate(iamRequ);
                // TODO:  any checks we should do?
            }
        }
        public void Uninstall(PrivateKey pk, Crt crt, IEnumerable<PKI.Crt> chain,
                IPkiTool cp)
        {
            AssertNotDisposed();

            using (var client = new AmazonIdentityManagementServiceClient(
                CommonParams.ResolveCredentials(),
                CommonParams.RegionEndpoint))
            {
                var iamRequ = new DeleteServerCertificateRequest
                {
                    ServerCertificateName = this.ServerCertificateName,
                };

                var iamResp = client.DeleteServerCertificate(iamRequ);
                // TODO:  any checks we should do?
            }
        }
 public void Uninstall(PrivateKey pk, Crt crt, IEnumerable <Crt> chain, IPkiTool cp)
 {
     throw new NotImplementedException();
 }
Esempio n. 9
0
        private string GetIssuerCertificate(CertificateRequest certificate, IPkiTool cp,
                                            string certificateFolder, TargetApplication targetApplication)
        {
            var linksEnum = certificate.Links;

            if (linksEnum == null)
            {
                return(null);
            }

            var links  = new LinkCollection(linksEnum);
            var upLink = links.GetFirstOrDefault("up");

            if (upLink == null)
            {
                return(null);
            }

            var temporaryFileName = Path.GetTempFileName();

            try
            {
                using (var web = new WebClient())
                {
                    var acmeServerBaseUri = _configuration.GetAcmeServerBaseUri(targetApplication);
                    var uri = new Uri(acmeServerBaseUri, upLink.Uri);
                    web.DownloadFile(uri, temporaryFileName);
                }

                var cacert = new X509Certificate2(temporaryFileName);
                var sernum = cacert.GetSerialNumberString();

                var cacertDerFile = Path.Combine(certificateFolder, $"ca-{sernum}-crt.der");
                var cacertPemFile = Path.Combine(certificateFolder, $"ca-{sernum}-crt.pem");

                if (!File.Exists(cacertDerFile))
                {
                    File.Copy(temporaryFileName, cacertDerFile, true);
                }

                _logger.Information("Saving issuer certificate to {cacertPemFile}", cacertPemFile);
                if (File.Exists(cacertPemFile))
                {
                    return(cacertPemFile);
                }

                using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
                       target = new FileStream(cacertPemFile, FileMode.Create))
                {
                    var caCrt = cp.ImportCertificate(EncodingFormat.DER, source);
                    cp.ExportCertificate(caCrt, EncodingFormat.PEM, target);
                }

                return(cacertPemFile);
            }
            finally
            {
                if (File.Exists(temporaryFileName))
                {
                    File.Delete(temporaryFileName);
                }
            }
        }
Esempio n. 10
0
        public void Install(PrivateKey pk, Crt crt, IEnumerable <PKI.Crt> chain,
                            IPkiTool cp)
        {
            AssertNotDisposed();

            if (CertInstaller != null)
            {
                CertInstaller.Install(pk, crt, chain, cp);
                ExistingServerCertificateName = CertInstaller.ServerCertificateName;

                // Now that the cert has been installed in IAM, we need to
                // poll to see when it becomes effective because there could
                // be a slight delay till it's available for reference
                using (var client = new AmazonIdentityManagementServiceClient(
                           CommonParams.ResolveCredentials(),
                           CommonParams.RegionEndpoint))
                {
                    var iamRequ = new GetServerCertificateRequest
                    {
                        ServerCertificateName = ExistingServerCertificateName,
                    };
                    var    triesLeft = 10;
                    string arn       = null;
                    while (triesLeft-- > 0)
                    {
                        try
                        {
                            var iamResp = client.GetServerCertificate(iamRequ);
                            arn = iamResp?.ServerCertificate?.ServerCertificateMetadata?.Arn;
                            if (!string.IsNullOrEmpty(arn))
                            {
                                break;
                            }
                        }
                        catch (Exception)
                        {
                            // TODO:  integrate with logging to log some warnings
                        }
                        System.Threading.Thread.Sleep(10 * 1000);
                    }
                    if (string.IsNullOrEmpty(arn))
                    {
                        throw new InvalidOperationException("unable to resolve uploaded certificate");
                    }
                }
            }

            string certArn;

            using (var client = new AmazonIdentityManagementServiceClient(
                       CommonParams.ResolveCredentials(),
                       CommonParams.RegionEndpoint))
            {
                var iamRequ = new GetServerCertificateRequest
                {
                    ServerCertificateName = ExistingServerCertificateName,
                };

                var iamResp = client.GetServerCertificate(iamRequ);
                certArn = iamResp?.ServerCertificate?.ServerCertificateMetadata?.Arn;
            }

            if (string.IsNullOrEmpty(certArn))
            {
                throw new InvalidOperationException("unable to resolve server certificate against IAM store");
            }

            using (var client = new AmazonElasticLoadBalancingClient(
                       CommonParams.ResolveCredentials(),
                       CommonParams.RegionEndpoint))
            {
                // We've found through experience/experimentation that even if the
                // cert is successfully installed and retrievable up above, it can
                // still fail here temporarily till the ELB reference can resolve it
                int       triesLeft = 10;
                Exception lastEx    = null;
                while (triesLeft-- > 0)
                {
                    if (!string.IsNullOrEmpty(LoadBalancerProtocol))
                    {
                        var iamRequ = new CreateLoadBalancerListenersRequest
                        {
                            LoadBalancerName = this.LoadBalancerName,
                            Listeners        = new List <Listener>
                            {
                                new Listener
                                {
                                    LoadBalancerPort = this.LoadBalancerPort,
                                    Protocol         = this.LoadBalancerProtocol,
                                    InstancePort     = this.InstancePort,
                                    InstanceProtocol = this.InstanceProtocol,
                                    SSLCertificateId = certArn,
                                }
                            }
                        };

                        try
                        {
                            var iamResp = client.CreateLoadBalancerListeners(iamRequ);
                            // TODO:  any checks we should do?

                            // Break out of the outer retry loop
                            lastEx = null;
                            break;
                        }
                        catch (Exception ex)
                        {
                            // TODO:  integrate with logging to log some warnings
                            lastEx = ex;
                        }
                    }
                    else
                    {
                        var iamRequ = new SetLoadBalancerListenerSSLCertificateRequest
                        {
                            LoadBalancerName = this.LoadBalancerName,
                            LoadBalancerPort = this.LoadBalancerPort,
                            SSLCertificateId = certArn,
                        };

                        try
                        {
                            var iamResp = client.SetLoadBalancerListenerSSLCertificate(iamRequ);
                            // TODO:  any checks we should do?

                            // Break out of the outer retry loop
                            lastEx = null;
                            break;
                        }
                        catch (Exception ex)
                        {
                            // TODO:  integrate with logging to log some warnings
                            lastEx = ex;
                        }
                    }

                    System.Threading.Thread.Sleep(10 * 1000);
                }

                if (lastEx != null)
                {
                    throw new InvalidOperationException(
                              "valid to create/update ELB listener with certificate reference", lastEx);
                }
            }
        }