public static MultiValuedProperty <CredentialRecord> Load(Server edgeServer)
{
ITopologyConfigurationSession configurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(false, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 103, "Load", "f:\\15.00.1497\\sources\\dev\\EdgeSync\\src\\Common\\Validation\\CredentialRecord.cs");
MultiValuedProperty <CredentialRecord> credentialRecords = new MultiValuedProperty <CredentialRecord>();
ADNotificationAdapter.TryReadConfigurationPaged <Server>(() => configurationSession.FindAllServersWithVersionNumber(Server.E2007MinVersion), delegate(Server server)
{
if (server.IsHubTransportServer && server.EdgeSyncCredentials != null && server.EdgeSyncCredentials.Count != 0)
{
foreach (byte[] data in server.EdgeSyncCredentials)
{
EdgeSyncCredential edgeSyncCredential = EdgeSyncCredential.DeserializeEdgeSyncCredential(data);
if (edgeSyncCredential.EdgeServerFQDN.Equals(edgeServer.Fqdn, StringComparison.OrdinalIgnoreCase))
{
CredentialRecord credentialRecord = new CredentialRecord();
credentialRecord.TargetEdgeServerFQDN = edgeSyncCredential.EdgeServerFQDN;
credentialRecord.ESRAUsername = edgeSyncCredential.ESRAUsername;
credentialRecord.EffectiveDate = new DateTime(edgeSyncCredential.EffectiveDate).ToLocalTime();
credentialRecord.Duration = new TimeSpan(edgeSyncCredential.Duration);
credentialRecord.IsBootStrapAccount = edgeSyncCredential.IsBootStrapAccount;
credentialRecords.Add(credentialRecord);
}
}
}
});
return(credentialRecords);
}
public static NetworkCredential ExtractNetworkCredential(Server hubServer, string edgeServerFqdn, EdgeSyncLogSession logSession)
{
EdgeSyncCredential edgeSyncCredential = new EdgeSyncCredential();
edgeSyncCredential.EffectiveDate = 0L;
edgeSyncCredential.ESRAUsername = string.Empty;
edgeSyncCredential.EncryptedESRAPassword = null;
bool flag = false;
foreach (byte[] data in hubServer.EdgeSyncCredentials)
{
EdgeSyncCredential edgeSyncCredential2 = EdgeSyncCredential.DeserializeEdgeSyncCredential(data);
if (edgeServerFqdn.Equals(edgeSyncCredential2.EdgeServerFQDN, StringComparison.OrdinalIgnoreCase) && edgeSyncCredential2.EffectiveDate < DateTime.UtcNow.Ticks && edgeSyncCredential2.EffectiveDate > edgeSyncCredential.EffectiveDate)
{
edgeSyncCredential = edgeSyncCredential2;
flag = true;
}
}
if (!flag)
{
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_NoCredentialsFound, hubServer.Name, new object[]
{
hubServer.Fqdn,
edgeServerFqdn
});
return(null);
}
return(Util.DecryptEdgeSyncCredential(hubServer, edgeSyncCredential, logSession));
}
private static void ReEncryptEdgeSyncCredentials(Server server, X509Certificate2 oldCertificate, X509Certificate2 newCertificate)
{
if (server.EdgeSyncCredentials == null || server.EdgeSyncCredentials.Count == 0)
{
return;
}
if (oldCertificate == null)
{
throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
}
if (TlsCertificateInfo.IsCNGProvider(newCertificate))
{
throw new InvalidOperationException(Strings.InternalTransportCertificateMustBeCAPICertificate(newCertificate.Thumbprint));
}
oldCertificate = ExchangeCertificate.GetCertificateFromStore(StoreName.My, oldCertificate.Thumbprint);
if (oldCertificate == null)
{
throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
}
EdgeSyncCredential[] array = new EdgeSyncCredential[server.EdgeSyncCredentials.Count];
using (RSACryptoServiceProvider rsacryptoServiceProvider = (RSACryptoServiceProvider)oldCertificate.PrivateKey)
{
for (int i = 0; i < server.EdgeSyncCredentials.Count; i++)
{
array[i] = EdgeSyncCredential.DeserializeEdgeSyncCredential(server.EdgeSyncCredentials[i]);
try
{
array[i].EncryptedESRAPassword = rsacryptoServiceProvider.Decrypt(array[i].EncryptedESRAPassword, false);
}
catch (CryptographicException)
{
throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
}
}
}
using (RSACryptoServiceProvider rsacryptoServiceProvider2 = newCertificate.PublicKey.Key as RSACryptoServiceProvider)
{
if (rsacryptoServiceProvider2 != null)
{
for (int j = 0; j < array.Length; j++)
{
if (array[j].EncryptedESRAPassword != null)
{
array[j].EncryptedESRAPassword = rsacryptoServiceProvider2.Encrypt(array[j].EncryptedESRAPassword, false);
server.EdgeSyncCredentials[j] = EdgeSyncCredential.SerializeEdgeSyncCredential(array[j]);
}
}
}
}
}
public static NetworkCredential DecryptEdgeSyncCredential(Server localServer, EdgeSyncCredential cred, EdgeSyncLogSession logSession)
{
X509Certificate2 x509Certificate = null;
X509Store x509Store = null;
try
{
if (localServer.InternalTransportCertificate == null)
{
logSession.LogCredential(cred.EdgeServerFQDN, "Failed to retrieve the default certificate. Unable to decrypt credentials.");
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_NoCredentialsFound, null, new object[]
{
cred.EdgeServerFQDN
});
return(null);
}
X509Certificate2 x509Certificate2 = new X509Certificate2(localServer.InternalTransportCertificate);
x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
x509Store.Open(OpenFlags.OpenExistingOnly);
X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, x509Certificate2.Thumbprint, false);
if (x509Certificate2Collection.Count <= 0)
{
logSession.LogCredential(cred.EdgeServerFQDN, "Failed to retrieve the certificate from the local store.");
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_NoCredentialsFound, null, new object[]
{
cred.EdgeServerFQDN
});
return(null);
}
x509Certificate = x509Certificate2Collection[0];
}
catch (ArgumentException)
{
logSession.LogCredential(cred.EdgeServerFQDN, "Failed to retrieve certificate.");
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_NoCredentialsFound, null, new object[]
{
cred.EdgeServerFQDN
});
return(null);
}
catch (CryptographicException)
{
logSession.LogCredential(cred.EdgeServerFQDN, "Failed to retrieve certificate because of Corrupt or mismatched keys.");
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_NoCredentialsFound, null, new object[]
{
cred.EdgeServerFQDN
});
return(null);
}
catch (SecurityException)
{
logSession.LogCredential(cred.EdgeServerFQDN, "Failed to retrieve certificate because we don't have permission.");
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_NoCredentialsFound, null, new object[]
{
cred.EdgeServerFQDN
});
return(null);
}
finally
{
if (x509Store != null)
{
x509Store.Close();
}
}
byte[] bytes;
try
{
AsymmetricAlgorithm privateKey = x509Certificate.PrivateKey;
if (privateKey == null)
{
logSession.LogCredential(cred.EdgeServerFQDN, "Failed to retrieve certificate because it doesn't have private key.");
logSession.LogCertificate(EdgeSyncLoggingLevel.Low, EdgeSyncEvent.TargetConnection, x509Certificate);
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_CredentialDecryptionException, null, new object[]
{
cred.EdgeServerFQDN,
SystemStrings.NoPrivateKey,
x509Certificate.Thumbprint,
x509Certificate.Subject
});
return(null);
}
RSACryptoServiceProvider rsacryptoServiceProvider = (RSACryptoServiceProvider)privateKey;
bytes = rsacryptoServiceProvider.Decrypt(cred.EncryptedESRAPassword, false);
}
catch (CryptographicException ex)
{
logSession.LogException(EdgeSyncLoggingLevel.Low, EdgeSyncEvent.TargetConnection, ex, "Failed to decrypt the credential.");
logSession.LogCertificate(EdgeSyncLoggingLevel.Low, EdgeSyncEvent.TargetConnection, x509Certificate);
EdgeSyncEvents.Log.LogEvent(EdgeSyncEventLogConstants.Tuple_CredentialDecryptionException, null, new object[]
{
cred.EdgeServerFQDN,
ex.Message,
x509Certificate.Thumbprint,
x509Certificate.Subject
});
return(null);
}
logSession.LogCredentialDetail(cred.ESRAUsername, new DateTime(cred.EffectiveDate));
return(new NetworkCredential(cred.ESRAUsername, Encoding.ASCII.GetString(bytes)));
}