// Installs the root certificate from the bridge
// Needed for all tests so we trust the incoming certificate coming from the service/bridge
// We do our best to detect if we're running on the same box as the bridge; if so, we don't try to install the cert
// as that operation requires admin privileges
public static void InstallRootCertificateFromBridge()
{
// PUT the Authority to the Bridge (returns thumbprint)
var response = BridgeClient.MakeResourcePutRequest(CertificateAuthorityResourceName, null);
string thumbprint;
X509Certificate2 certificateToInstall = null;
bool rootCertificateAlreadyInstalled = false;
lock (s_certificateLock)
{
if (response.TryGetValue(ThumbprintKeyName, out thumbprint))
{
rootCertificateAlreadyInstalled = s_rootCertificates.ContainsKey(thumbprint);
}
if (rootCertificateAlreadyInstalled)
{
// Cert's been installed already, bail out
return;
}
else
{
using (X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
var collection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
if (collection.Count > 0)
{
// We don't need to add the cert ourselves, because this cert has previously been installed
// Likely BridgeClient is running on the same machine as the Bridge and the Bridge has done the work already.
return;
}
}
// Request the certificate from the Bridge
string base64Cert = string.Empty;
response = BridgeClient.MakeResourceGetRequest(CertificateAuthorityResourceName, null);
string certificateAsBase64;
if (response.TryGetValue(CertificateKeyName, out certificateAsBase64))
{
// Root cert coming from Bridge doesn't have a password or private key
certificateToInstall = new X509Certificate2(Convert.FromBase64String(certificateAsBase64));
}
else
{
StringBuilder sb = new StringBuilder();
foreach (var pair in response)
{
sb.AppendFormat("{0} {1} : {2}", Environment.NewLine, pair.Key, pair.Value);
}
throw new Exception(
string.Format("Error retrieving Authority certificate from Bridge. Expected '{0}' key in response. Response contents:{1}{2}",
CertificateKeyName,
Environment.NewLine,
sb.ToString()));
}
}
}
// We return or throw before this point if there is no certificateToInstall
InstallCertificateToRootStore(certificateToInstall);
}
// Installs the local certificate provided by the bridge
// Root is installed as part of this call so we trust the incoming certificate coming from the service/bridge
// We supply this certificate for bidirectional (tcp) communication
//
// The request to the bridge with the local FQDN concurrently asks the bridge if we are running locally.
// if so, we don't try to install the cert as that operation requires admin privileges
public static void InstallLocalCertificateFromBridge()
{
X509Certificate2 certificateToInstall = null;
// PUT the Client Certificate Subject to the Bridge (returns thumbprint)
Dictionary <string, string> requestParams = new Dictionary <string, string>();
requestParams.Add(SubjectKeyName, ClientCertificateSubject);
var response = BridgeClient.MakeResourcePutRequest(UserCertificateResourceName, requestParams);
string thumbprint;
bool foundUserCertificate = false;
lock (s_certificateLock)
{
if (response.TryGetValue(ThumbprintKeyName, out thumbprint))
{
foundUserCertificate = s_myCertificates.ContainsKey(thumbprint);
// The Bridge tells us if the request has been made for a local certificate local to the bridge.
// If it has, then the Bridge itself has already installed that cert as part of the PUT request
// There's no need for us to do this in the BridgeClient.
string isLocalString;
if (response.TryGetValue(IsLocalKeyName, out isLocalString))
{
bool isLocal = false;
if (bool.TryParse(isLocalString, out isLocal) && isLocal)
{
return;
}
}
}
if (!foundUserCertificate)
{
// GET the cert with thumbprint from the Bridge (returns cert in base64 format)
requestParams = new Dictionary <string, string>();
requestParams.Add(ThumbprintKeyName, thumbprint);
string base64Cert = string.Empty;
response = BridgeClient.MakeResourceGetRequest(UserCertificateResourceName, requestParams);
string certificateAsBase64;
if (response.TryGetValue(CertificateKeyName, out certificateAsBase64))
{
certificateToInstall = new X509Certificate2(Convert.FromBase64String(certificateAsBase64), ClientCertificatePassword);
}
else
{
StringBuilder sb = new StringBuilder();
foreach (var pair in response)
{
sb.AppendFormat("{0} {1} : {2}", Environment.NewLine, pair.Key, pair.Value);
}
throw new Exception(
string.Format("Error retrieving '{0}' certificate from Bridge, thumbprint '{1}'.\r\nExpected '{2}' key in response. Response contents:{3}{4}",
ClientCertificateSubject,
thumbprint,
CertificateKeyName,
Environment.NewLine,
sb.ToString()));
}
}
}
// certificateToInstall could be null in the case the user certification exists
if (certificateToInstall != null)
{
InstallCertificateToMyStore(certificateToInstall);
// We also need to install the root cert if we install a local cert
InstallRootCertificateFromBridge();
}
}
