internal X509Certificate2 InstallCertificate(string certFile)
{
SecurityIdentifier sid;
try
{
sid = (SecurityIdentifier) new NTAccount("IME_SYSTEM").Translate(typeof(SecurityIdentifier));
}
catch
{
logger.Fatal("Could not get SID for IME_SYSTEM user.");
return(null);
}
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
foreach (var c in store.Certificates)
{
if (c.GetNameInfo(X509NameType.DnsName, false) == Properties.Settings.Default.MainDomain)
{
logger.Debug("Removing old certificate from store");
store.Remove(c);
}
}
store.Close();
store.Open(OpenFlags.ReadWrite);
X509Certificate2 cert = new X509Certificate2(certFile, "", X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet)
{
FriendlyName = mainDomain
};
logger.Debug("Adding new certificate to store");
store.Add(cert);
RSACryptoServiceProvider certRsa = cert.PrivateKey as RSACryptoServiceProvider;
var cspParams = new CspParameters(certRsa.CspKeyContainerInfo.ProviderType, certRsa.CspKeyContainerInfo.ProviderName, certRsa.CspKeyContainerInfo.KeyContainerName)
{
Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore,
CryptoKeySecurity = certRsa.CspKeyContainerInfo.CryptoKeySecurity
};
var rule = new CryptoKeyAccessRule(sid, CryptoKeyRights.GenericRead, AccessControlType.Allow);
cspParams.CryptoKeySecurity.AddAccessRule(rule);
logger.Debug("Granting IME_SYSTEM access to certificate.");
new RSACryptoServiceProvider(cspParams).Dispose();
store.Close();
return(cert);
}
private static void AclCert(CertId certId, string accountName)
{
X509Store store = null;
try
{
store = new X509Store(certId.StoreName, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
X509Certificate2Collection certs = store.Certificates.Find(ConvertToX509FindType(certId.FindType), certId.FindValue, validOnly: false);
if (certs == null || certs.Count == 0)
{
DeployerTrace.WriteInfo("AclCert is skipped for {0} because it's not installed", certId);
return;
}
foreach (X509Certificate2 cert in certs)
{
if (cert.PrivateKey == null)
{
DeployerTrace.WriteWarning("AclCert is skipped for {0} because its private key is null", certId);
continue;
}
RSACryptoServiceProvider privateKey = cert.PrivateKey as RSACryptoServiceProvider;
if (privateKey == null)
{
DeployerTrace.WriteWarning("AclCert is skipped for {0} because its private key type {1} is not supported ", certId, cert.PrivateKey.GetType());
continue;
}
CspParameters csp = new CspParameters(privateKey.CspKeyContainerInfo.ProviderType, privateKey.CspKeyContainerInfo.ProviderName, privateKey.CspKeyContainerInfo.KeyContainerName);
csp.Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore;
csp.KeyNumber = (int)privateKey.CspKeyContainerInfo.KeyNumber;
#if !DotNetCoreClr
csp.CryptoKeySecurity = privateKey.CspKeyContainerInfo.CryptoKeySecurity;
CryptoKeyAccessRule accessRule = new CryptoKeyAccessRule(accountName, CryptoKeyRights.FullControl, AccessControlType.Allow);
csp.CryptoKeySecurity.AddAccessRule(accessRule);
#endif
using (RSACryptoServiceProvider newCsp = new RSACryptoServiceProvider(csp))
{
DeployerTrace.WriteInfo("AclCert success: {0}", certId);
}
}
}
catch (Exception ex)
{
DeployerTrace.WriteError("AclCert error with {0}: {1}", certId, ex);
}
finally
{
if (store != null)
{
store.Close();
}
}
}
public void StringOverloadIsNotSID()
{
CryptoKeyAccessRule rule;
rule = new CryptoKeyAccessRule(@"S-1-5-32-545", CryptoKeyRights.FullControl, AccessControlType.Allow);
Assert.AreNotEqual(new SecurityIdentifier("S-1-5-32-545"), rule.IdentityReference);
Assert.AreEqual(new NTAccount(@"S-1-5-32-545"), rule.IdentityReference);
}
void RemoveCertificatePrivateKeyAccess(X509Certificate2 cert)
{
if (cert != null && cert.HasPrivateKey)
{
try
{
AsymmetricAlgorithm key = cert.PrivateKey;
// Only RSA provider is supported here
if (key is RSACryptoServiceProvider)
{
RSACryptoServiceProvider prov = key as RSACryptoServiceProvider;
CspKeyContainerInfo info = prov.CspKeyContainerInfo;
CryptoKeySecurity keySec = info.CryptoKeySecurity;
SecurityIdentifier ns = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
AuthorizationRuleCollection rules = keySec.GetAccessRules(true, false, typeof(SecurityIdentifier));
foreach (AuthorizationRule rule in rules)
{
CryptoKeyAccessRule keyAccessRule = (CryptoKeyAccessRule)rule;
if (keyAccessRule.AccessControlType == AccessControlType.Allow &&
(int)(keyAccessRule.CryptoKeyRights & CryptoKeyRights.GenericRead) != 0)
{
SecurityIdentifier sid = keyAccessRule.IdentityReference as SecurityIdentifier;
if (ns.Equals(sid))
{
CryptoKeyAccessRule nsReadRule = new CryptoKeyAccessRule(ns,
CryptoKeyRights.GenericRead,
AccessControlType.Allow);
keySec.RemoveAccessRule(nsReadRule);
CommitCryptoKeySecurity(info, keySec);
break;
}
}
}
}
}
#pragma warning suppress 56500
catch (Exception e)
{
// CommitCryptoKeySecurity can actually throw any exception,
// so the safest way here is to catch a generic exception while throw on critical ones
if (Utilities.IsCriticalException(e))
{
throw;
}
throw new WsatAdminException(WsatAdminErrorCode.CANNOT_UPDATE_PRIVATE_KEY_PERM,
SR.GetString(SR.ErrorUpdateCertPrivateKeyPerm), e);
}
}
}
public AsymmetricAlgorithm getPrivateKeyForXML()
{
if (!this.hasPrivateKey)
{
this.error.setError("PK0021", "No private key loaded");
return(null);
}
string algorithm = getPrivateKeyAlgorithm();
if (SecurityUtils.compareStrings("RSA", algorithm))
{
byte[] serializedPrivateBytes = this.privateKeyInfo.ToAsn1Object().GetDerEncoded();
string serializedPrivate = Convert.ToBase64String(serializedPrivateBytes);
RsaPrivateCrtKeyParameters privateKey = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(Convert.FromBase64String(serializedPrivate));
#if NETCORE
return(DotNetUtilities.ToRSA(privateKey));
#else
/****System.Security.Cryptography.CryptographicException: The system cannot find the file specified.****/
/****HACK****/
//https://social.msdn.microsoft.com/Forums/vstudio/en-US/7ea48fd0-8d6b-43ed-b272-1a0249ae490f/systemsecuritycryptographycryptographicexception-the-system-cannot-find-the-file-specified?forum=clr#37d4d83d-0eb3-497a-af31-030f5278781a
CspParameters cspParameters = new CspParameters();
cspParameters.Flags = CspProviderFlags.UseMachineKeyStore;
if (SecurityUtils.compareStrings(Config.Global.GLOBAL_KEY_COONTAINER_NAME, ""))
{
string uid = Guid.NewGuid().ToString();
cspParameters.KeyContainerName = uid;
Config.Global.GLOBAL_KEY_COONTAINER_NAME = uid;
System.Security.Principal.SecurityIdentifier userId = new System.Security.Principal.SecurityIdentifier(System.Security.Principal.WindowsIdentity.GetCurrent().User.ToString());
CryptoKeyAccessRule rule = new CryptoKeyAccessRule(userId, CryptoKeyRights.FullControl, AccessControlType.Allow);
cspParameters.CryptoKeySecurity = new CryptoKeySecurity();
cspParameters.CryptoKeySecurity.SetAccessRule(rule);
}
else
{
cspParameters.KeyContainerName = Config.Global.GLOBAL_KEY_COONTAINER_NAME;
}
/****System.Security.Cryptography.CryptographicException: The system cannot find the file specified.****/
/****HACK****/
return(DotNetUtilities.ToRSA(privateKey, cspParameters));
#endif
}
else
{
this.error.setError("PK002", "XML signature with ECDSA keys is not implemented on Net Framework");
return(null);
//https://stackoverflow.com/questions/27420789/sign-xml-with-ecdsa-and-sha256-in-net?rq=1
// https://www.powershellgallery.com/packages/Posh-ACME/2.6.0/Content/Private%5CConvertFrom-BCKey.ps1
}
}
private static void setServiceUserPermissions(CspParameters cspParams)
{
//Copied to do not delete any permission
cspParams.CryptoKeySecurity =
new RSACryptoServiceProvider(cspParams)
.CspKeyContainerInfo.CryptoKeySecurity;
var serviceUser = new CryptoKeyAccessRule(
ServiceUser.Get(),
CryptoKeyRights.FullControl,
AccessControlType.Allow
);
cspParams.CryptoKeySecurity.AddAccessRule(serviceUser);
}
/// <summary>
/// Returns a new CspParameters object configured for the specified keystore and key container name.
/// </summary>
/// <param name="keystore">Specify which keystore should be used.</param>
/// <param name="keyContainerName">A string which uniquely identifies this encryption key among all other keys in the keystore.</param>
/// <returns></returns>
private static CspParameters CreateCspParameters(Keystore keystore, string keyContainerName)
{
CspParameters cspParams = new CspParameters(1); // 1 for RSA. This is also the default if omitted.
cspParams.KeyContainerName = keyContainerName;
cspParams.Flags = CspProviderFlags.NoFlags;
if (keystore == Keystore.Machine)
{
cspParams.Flags |= CspProviderFlags.UseMachineKeyStore;
CryptoKeyAccessRule rule = new CryptoKeyAccessRule("everyone", CryptoKeyRights.FullControl, AccessControlType.Allow);
cspParams.CryptoKeySecurity = new CryptoKeySecurity();
cspParams.CryptoKeySecurity.SetAccessRule(rule);
}
return(cspParams);
}
internal static bool IsCertEnabledForNetworkService(ExchangeCertificate cert)
{
if (cert.AccessRules != null)
{
foreach (AccessRule accessRule in cert.AccessRules)
{
CryptoKeyAccessRule cryptoKeyAccessRule = (CryptoKeyAccessRule)accessRule;
if (cryptoKeyAccessRule.IdentityReference == ManageExchangeCertificate.NetworkServiceIdentityReference && cryptoKeyAccessRule.AccessControlType == AccessControlType.Allow && (cryptoKeyAccessRule.CryptoKeyRights & CryptoKeyRights.GenericRead) != (CryptoKeyRights)0)
{
return(true);
}
}
return(false);
}
return(false);
}
void AddCertificatePrivateKeyAccess(X509Certificate2 cert)
{
if (cert != null && cert.HasPrivateKey)
{
try
{
AsymmetricAlgorithm key = cert.PrivateKey;
// Only RSA provider is supported here
if (key is RSACryptoServiceProvider)
{
RSACryptoServiceProvider prov = key as RSACryptoServiceProvider;
CspKeyContainerInfo info = prov.CspKeyContainerInfo;
CryptoKeySecurity keySec = info.CryptoKeySecurity;
SecurityIdentifier ns = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
// Just add a rule, exisitng settings will be merged
CryptoKeyAccessRule rule = new CryptoKeyAccessRule(ns,
CryptoKeyRights.GenericRead,
AccessControlType.Allow);
keySec.AddAccessRule(rule);
CommitCryptoKeySecurity(info, keySec);
}
}
#pragma warning suppress 56500
catch (Exception e)
{
// CommitCryptoKeySecurity can actually throw any exception,
// so the safest way here is to catch a generic exception while throw on critical ones
if (Utilities.IsCriticalException(e))
{
throw;
}
throw new WsatAdminException(WsatAdminErrorCode.CANNOT_UPDATE_PRIVATE_KEY_PERM,
SR.GetString(SR.ErrorUpdateCertPrivateKeyPerm), e);
}
}
}
public void RemoveAccessRuleSpecific(CryptoKeyAccessRule rule) {}
public void RemoveAccessRuleAll(CryptoKeyAccessRule rule) {}
public bool RemoveAccessRule(CryptoKeyAccessRule rule) {}
public void ResetAccessRule(CryptoKeyAccessRule rule) {}
public void AddAccessRule(CryptoKeyAccessRule rule) {}
public void SetAccessRule(CryptoKeyAccessRule rule)
{
SetAccessRule((AccessRule)rule);
}
public void AddAccessRule(CryptoKeyAccessRule rule)
{
AddAccessRule((AccessRule)rule);
}
public AsymmetricAlgorithm getPrivateKeyForJWT()
{
if (!this.hasPrivateKey)
{
this.error.setError("PK0020", "No private key loaded");
return(null);
}
AsymmetricAlgorithm alg;
string algorithm = getPrivateKeyAlgorithm();
if (SecurityUtils.compareStrings("RSA", algorithm))
{
byte[] serializedPrivateBytes = this.privateKeyInfo.ToAsn1Object().GetDerEncoded();
string serializedPrivate = Convert.ToBase64String(serializedPrivateBytes);
RsaPrivateCrtKeyParameters privateKey = (RsaPrivateCrtKeyParameters)PrivateKeyFactory.CreateKey(Convert.FromBase64String(serializedPrivate));
#if NETCORE
alg = DotNetUtilities.ToRSA(privateKey);
#else
/****System.Security.Cryptography.CryptographicException: The system cannot find the file specified.****/
/****HACK****/
//https://social.msdn.microsoft.com/Forums/vstudio/en-US/7ea48fd0-8d6b-43ed-b272-1a0249ae490f/systemsecuritycryptographycryptographicexception-the-system-cannot-find-the-file-specified?forum=clr#37d4d83d-0eb3-497a-af31-030f5278781a
CspParameters cspParameters = new CspParameters();
cspParameters.Flags = CspProviderFlags.UseMachineKeyStore;
if (SecurityUtils.compareStrings(Config.Global.GLOBAL_KEY_COONTAINER_NAME, ""))
{
string uid = Guid.NewGuid().ToString();
cspParameters.KeyContainerName = uid;
Config.Global.GLOBAL_KEY_COONTAINER_NAME = uid;
System.Security.Principal.SecurityIdentifier userId = new System.Security.Principal.SecurityIdentifier(System.Security.Principal.WindowsIdentity.GetCurrent().User.ToString());
CryptoKeyAccessRule rule = new CryptoKeyAccessRule(userId, CryptoKeyRights.FullControl, AccessControlType.Allow);
cspParameters.CryptoKeySecurity = new CryptoKeySecurity();
cspParameters.CryptoKeySecurity.SetAccessRule(rule);
}
else
{
cspParameters.KeyContainerName = Config.Global.GLOBAL_KEY_COONTAINER_NAME;
}
/****System.Security.Cryptography.CryptographicException: The system cannot find the file specified.****/
/****HACK****/
alg = DotNetUtilities.ToRSA(privateKey, cspParameters);
#endif
}
else if (SecurityUtils.compareStrings("ECDSA", algorithm))
{
string b64Encoded = this.ToBase64();
byte[] privKeyBytes8 = Convert.FromBase64String(b64Encoded); //Encoding.UTF8.GetBytes(privKeyEcc);
try
{
ECDsaCng pubCNG = new ECDsaCng(CngKey.Import(privKeyBytes8, CngKeyBlobFormat.Pkcs8PrivateBlob));
alg = pubCNG;
}catch (Exception e)
{
this.error.setError("PK022", e.Message);
return(null);
}
}
else
{
this.error.setError("PK019", "Unrecognized key type");
return(null);
}
if (alg != null)
{
this.error.cleanError();
}
return(alg);
}
public bool RemoveAccessRule(CryptoKeyAccessRule rule)
{
return(RemoveAccessRule((AccessRule)rule));
}
public void AddAccessRule(CryptoKeyAccessRule rule)
{
}
internal static Dictionary <AllowedServices, LocalizedString> EnableForServices(X509Certificate2 cert, AllowedServices services, string websiteName, bool requireSsl, ITopologyConfigurationSession dataSession, Server server, List <LocalizedString> warningList, bool allowConfirmation, bool forceNetworkService)
{
Dictionary <AllowedServices, LocalizedString> dictionary = new Dictionary <AllowedServices, LocalizedString>(3);
if (dataSession == null)
{
throw new ArgumentNullException("dataSession");
}
if (server == null)
{
throw new ArgumentNullException("server");
}
if ((services & AllowedServices.IIS) != AllowedServices.None)
{
if (allowConfirmation && !IisUtility.SslRequiredOnTheRoot(null) && requireSsl)
{
dictionary[AllowedServices.IIS] = Strings.ConfirmEnforceRequireSslOnRoot;
}
else
{
IisUtility.SetSslCertificateByName(websiteName, cert, requireSsl);
}
}
if ((services & AllowedServices.POP) != AllowedServices.None || (services & AllowedServices.IMAP) != AllowedServices.None || (services & AllowedServices.SMTP) != AllowedServices.None || forceNetworkService)
{
AccessRule rule = new CryptoKeyAccessRule(new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null), CryptoKeyRights.GenericRead, AccessControlType.Allow);
try
{
TlsCertificateInfo.AddAccessRule(cert, rule);
}
catch (CryptographicException innerException)
{
throw new AddAccessRuleCryptographicException(cert.Thumbprint, innerException);
}
catch (ArgumentException innerException2)
{
throw new AddAccessRuleArgumentException(cert.Thumbprint, innerException2);
}
catch (UnauthorizedAccessException innerException3)
{
throw new AddAccessRuleUnauthorizedAccessException(cert.Thumbprint, innerException3);
}
catch (COMException innerException4)
{
throw new AddAccessRuleCOMException(cert.Thumbprint, innerException4);
}
}
if ((services & AllowedServices.SMTP) != AllowedServices.None)
{
ManageExchangeCertificate.WarnIfNotBestMatch(new ExchangeCertificate(cert), dataSession, server, warningList);
LocalizedString localizedString = ManageExchangeCertificate.UpdateActiveDirectory(cert, dataSession, server, warningList, allowConfirmation);
if (localizedString != LocalizedString.Empty)
{
dictionary[AllowedServices.SMTP] = localizedString;
}
}
if ((services & AllowedServices.POP) != AllowedServices.None)
{
ManageExchangeCertificate.SetPop3Certificate(cert, dataSession, warningList);
}
if ((services & AllowedServices.IMAP) != AllowedServices.None)
{
ManageExchangeCertificate.SetImap4Certificate(cert, dataSession, warningList);
}
if ((services & AllowedServices.UM) != AllowedServices.None)
{
ManageExchangeCertificate.SetUMCertificate(cert, server, dataSession, allowConfirmation, dictionary, warningList);
}
if ((services & AllowedServices.UMCallRouter) != AllowedServices.None)
{
ManageExchangeCertificate.SetUMCallRouterCertificate(cert, server, dataSession, allowConfirmation, dictionary, warningList);
}
if (dictionary.Count <= 0)
{
return(null);
}
return(dictionary);
}
public void ResetAccessRule(CryptoKeyAccessRule rule)
{
}
public bool RemoveAccessRule(CryptoKeyAccessRule rule)
{
}
public void RemoveAccessRuleSpecific(CryptoKeyAccessRule rule)
{
}
public void RemoveAccessRuleAll(CryptoKeyAccessRule rule)
{
}
