/// <summary>
/// Overrides the certificates given in app.config with the ones set programatically
/// </summary>
protected void OverrideConfig()
{
if (pListenerIdentity != null)
{
// Override certificate
// TOOD: what is going on here? why only override the servicehost cridentials one time ?
if (pListenerIdentity.ListenerCertificate != null && pServiceHost != null)
{
pServiceHost.Credentials.ServiceCertificate.Certificate = pListenerIdentity.ListenerCertificate.Certificate;
}
else
{
pListenerIdentity.ListenerCertificate = new OcesX509Certificate(pServiceHost.Credentials.ServiceCertificate.Certificate);
}
}
else
{
CustomBinding customBinding = (CustomBinding)pServiceHost.Description.Endpoints[0].Binding;
TransportBindingElement transportBinding = customBinding.Elements.Find <TransportBindingElement>();
EmailTransport emailTransport = new EmailTransport(transportBinding);
OcesX509Certificate ocesCertificate = new OcesX509Certificate(pServiceHost.Credentials.ServiceCertificate.Certificate);
pListenerIdentity = new ListenerIdentity(emailTransport, ocesCertificate);
}
//Override transport binding
pEmailBinding = GetEmailBinding();
if (pListenerIdentity.Transport != null)
{
pEmailBinding.CopyElement((EmailBindingElement)pListenerIdentity.Transport.TransportBinding);
}
else
{
pListenerIdentity.Transport = new EmailTransport(pEmailBinding);
}
}
public void DocumentIdMustBeAddedAsCustomHeader()
{
var documentId = "678";
OiosiMessage oiosiMessage = GetInvoiceOiosiMessage();
// Call private method
Type raspRequestType = typeof(RaspRequest);
MethodInfo addCustomHeadersMethod = raspRequestType.GetMethod("AddCustomHeaders", BindingFlags.NonPublic | BindingFlags.Instance);
OcesX509Certificate client = new OcesX509Certificate(new X509Certificate2(TestConstants.PATH_CERTIFICATE_EMPLOYEE, TestConstants.PASSWORD_CERTIFICATE_EMPLOYEE));
OcesX509Certificate server = new OcesX509Certificate(new X509Certificate2(TestConstants.PATH_CERTIFICATE_EMPLOYEE, TestConstants.PASSWORD_CERTIFICATE_EMPLOYEE));
Credentials c1 = new Credentials(client, server);
RaspRequest raspRequest = new RaspRequest(new Request(new Uri("http://test.dk"), c1));
addCustomHeadersMethod.Invoke(raspRequest, new object[] { oiosiMessage, documentId });
bool headerValueAdded = false;
foreach (var messageHeader in oiosiMessage.MessageHeaders)
{
var headerValue = messageHeader.Value.ToString();
if (headerValue.Contains(documentId))
{
headerValueAdded = true;
}
}
Assert.IsTrue(headerValueAdded, "DocumentId not found in header.");
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="clientCertificate">the client certificate</param>
/// <param name="serverCertificate">the server certificate</param>
public Credentials(
OcesX509Certificate clientCertificate,
OcesX509Certificate serverCertificate
)
{
_clientCertificate = clientCertificate;
_serverCertificate = serverCertificate;
}
protected OcesX509Certificate GetEndpointCertificateFromLdap(CertificateSubject certificateSubject)
{
LdapLookupFactory ldapClientFactory = new LdapLookupFactory();
ICertificateLookup ldapClient = ldapClientFactory.CreateLdapLookupClient();
X509Certificate2 endpointCertificate = ldapClient.GetCertificate(certificateSubject);
OcesX509Certificate endpointOcesCertificate = new OcesX509Certificate(endpointCertificate);
return(endpointOcesCertificate);
}
public void DeviceTypeTest()
{
//ConfigurationHandler.ConfigFilePath = "Resources/RaspConfigurationOcesX509.xml";
string deviceCertificatePath = TestConstants.PATH_CERTIFICATE_DEVICE;
X509Certificate2 certificate = new X509Certificate2(deviceCertificatePath, TestConstants.PASSWORD_CERTIFICATE_DEVICE);
OcesX509Certificate ocesCertificate = new OcesX509Certificate(certificate);
Assert.AreEqual(OcesCertificateType.OcesFunction, ocesCertificate.OcesCertificateType);
Assert.IsTrue(ocesCertificate.HasPrivateKey());
}
public void EmployeeTypeTest()
{
//ConfigurationHandler.ConfigFilePath = "Resources/RaspConfigurationOcesX509.xml";
string employeeCertificatePath = TestConstants.PATH_CERTIFICATE_EMPLOYEE;
X509Certificate2 certificate = new X509Certificate2(employeeCertificatePath, TestConstants.PASSWORD_CERTIFICATE_EMPLOYEE);
OcesX509Certificate ocesCertificate = new OcesX509Certificate(certificate);
Assert.AreEqual(OcesCertificateType.OcesEmployee, ocesCertificate.OcesCertificateType);
Assert.IsTrue(ocesCertificate.HasPrivateKey());
}
protected RaspRequest GetRaspRequest(OiosiMessage oiosiMessage)
{
DocumentTypeConfigSearcher documentTypeConfigSearcher = new DocumentTypeConfigSearcher();
DocumentTypeConfig documentTypeConfig = documentTypeConfigSearcher.FindUniqueDocumentType(oiosiMessage.MessageXml);
LookupParameters messageParameters = this.GetMessageParameters(oiosiMessage, documentTypeConfig);
UddiLookupResponse uddiResponse = this.PerformUddiLookup(messageParameters);
Uri endpointAddressUri = uddiResponse.EndpointAddress.GetAsUri();
OcesX509Certificate endpointCertificate = this.GetEndpointCertificateFromLdap(uddiResponse.CertificateSubjectSerialNumber);
this.ValidateEndpointCertificate(endpointCertificate);
//X509Certificate2 clientCertificate = CertificateUtil.InstallAndGetFunctionCertificateFromCertificateStore();
X509Certificate2 clientCertificate = this.ClientCertificate;
Credentials credentials = new Credentials(new OcesX509Certificate(clientCertificate), endpointCertificate);
Request request = new Request(endpointAddressUri, credentials);
RaspRequest raspRequest = new RaspRequest(request);
return(raspRequest);
}
protected void ValidateEndpointCertificate(OcesX509Certificate endpointOcesCertificate)
{
RevocationLookupFactory ocspLookupFactory = new RevocationLookupFactory();
IRevocationLookup ocspClient = ocspLookupFactory.CreateRevocationLookupClient();
RevocationResponse ocspStatus = endpointOcesCertificate.CheckRevocationStatus(ocspClient);
switch (ocspStatus.RevocationCheckStatus)
{
case RevocationCheckStatus.AllChecksPassed:
{
// all okay
break;
}
case RevocationCheckStatus.CertificateRevoked:
{
throw new Exception("Certificate validation error - CertificateRevoked");
//break;
}
case RevocationCheckStatus.NotChecked:
{
throw new Exception("Certificate validation error - NotChecked");
//break;
}
case RevocationCheckStatus.UnknownIssue:
{
throw new Exception("Certificate validation error - UnknownIssue");
// break;
}
default:
{
throw new Exception("Certificate validation error");
// break;
}
}
}
/* /// <summary>
* /// Overrides the method to validate the binding element order.
* /// </summary>
* /// <typeparam name="TChannel"></typeparam>
* /// <param name="context"></param>
* /// <returns></returns>
* public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
* {
* BindingElementCollection bindingElements = context.Binding.Elements;
* this.stackCheck.Check(bindingElements);
* return base.BuildChannelListener<TChannel>(context);
* }*/
/// <summary>
/// Intercept requests and creates the proof of validation interception before
/// attaching it to the message.
/// </summary>
/// <param name="interceptorMessage"></param>
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
this.logger.Trace("Security validate the foces certificate.");
try
{
Headers headers = new Headers(interceptorMessage);
if (interceptorMessage.IsFault)
{
// do nothing
}
else if (headers.IsCreateSequence)
{
// do nothing
}
else if (headers.SequenceHeader == null)
{
// do nothing
}
else if (headers.SequenceHeader.IsLastMessage)
{
// do nothing
}
else
{
// Get the certificate from the message
X509Certificate2 certificate;
try
{
certificate = interceptorMessage.Certificate;
}
catch
{
throw new FailedToGetCertificateSubjectException(interceptorMessage);
}
// now we must revocate check the certificate
OcesX509Certificate ocesCertificate = new OcesX509Certificate(certificate);
RevocationResponse response = ocesCertificate.CheckRevocationStatus(revocationLookup);
if (response.Exception != null)
{
string msg;
try
{
msg = response.Exception.Message;
}
catch (Exception ex)
{
this.logger.Debug("Error finding the correct error message.", ex);
msg = "unknown";
}
this.logger.Warn(string.Format("The certificate '{0}' revocation check failed. Reason is: ", ocesCertificate.Certificate.SubjectName.Name, msg));
// some error checking the certificate
// make sure the error is of the correct type, and throw it
// note - if the original exception was not a communikation exception, it is wraped in a communikation exception
if (response.Exception is CertificateRevokedTimeoutException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CertificateRevokedException)
{
throw response.Exception;
}
else if (response.Exception is CertificateRevokedValidationFailedException)
{
throw response.Exception;
}
else if (response.Exception is CheckCertificateOcspUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CheckCertificateRevokedUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
}
else
{
// no exception - all good so far
switch (response.RevocationCheckStatus)
{
case RevocationCheckStatus.AllChecksPassed:
{
// all good
this.logger.Debug(string.Format("Certificate '{0}' has parsed the revocation validate.", certificate.SubjectName.Name));
SignatureValidationProof signatureValidationProof = new SignatureValidationProof(certificate.Subject);
interceptorMessage.AddProperty(ServerSignatureValidationProofBindingExtensionElement.SignatureValidationProofKey, signatureValidationProof);
break;
}
case RevocationCheckStatus.CertificateRevoked:
{
this.logger.Warn(string.Format("The certificate '{0}' is revoked.", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedException();
//break;
}
default:
{
this.logger.Warn(string.Format("The certificate '{0}' failed in revocation check - reason unknown", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedValidationFailedException("The certificate failed in revocation check - reason unknown.");
//break;
}
}
}
}
}
catch (FailedToGetCertificateSubjectException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CertificateRevokedTimeoutException e)
* {
* // exception is of the correct type - rethrowing it
* throw new CertificateRevokedValidationFailedException(e);
* }*/
catch (CertificateRevokedException)
{
// exception is of the correct type - rethrowing it
throw;
}
catch (CertificateRevokedValidationFailedException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CheckCertificateOcspUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
/* catch (CheckCertificateRevokedUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
catch (Exception ex)
{
this.logger.Debug("Security validate the foces certificate", ex);
throw new CertificateRevokedValidationFailedException(ex);
}
this.logger.Trace("Security validate the foces certificate - Finish.");
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="ServiceType">The type of the service</param>
/// <param name="listenerCertificate">certificate of the listener</param>
public ListenerIdentity(Type ServiceType, OcesX509Certificate listenerCertificate)
{
this.pListenerCertificate = listenerCertificate;
this.pServiceType = ServiceType;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="listenerCertificate">certificate of the listener</param>
public ListenerIdentity(OcesX509Certificate listenerCertificate)
{
this.pListenerCertificate = listenerCertificate;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="transportBinding">binding transport</param>
/// <param name="listenerCertificate">certificate of the listener</param>
public ListenerIdentity(ITransport transportBinding, OcesX509Certificate listenerCertificate)
{
this.pTransport = transportBinding;
this.pListenerCertificate = listenerCertificate;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="ServiceType">The type of the service</param>
/// <param name="transportBinding">binding transport</param>
/// <param name="listenerCertificate">certificate of the listener</param>
public ListenerIdentity(Type ServiceType, ITransport transportBinding, OcesX509Certificate listenerCertificate)
{
this.pTransport = transportBinding;
this.pListenerCertificate = listenerCertificate;
this.pServiceType = ServiceType;
}