// Installs the root certificate from the bridge // Needed for all tests so we trust the incoming certificate coming from the service/bridge // We do our best to detect if we're running on the same box as the bridge; if so, we don't try to install the cert // as that operation requires admin privileges public static void InstallRootCertificateFromBridge() { // PUT the Authority to the Bridge (returns thumbprint) var response = BridgeClient.MakeResourcePutRequest(CertificateAuthorityResourceName, null); string thumbprint; X509Certificate2 certificateToInstall = null; bool rootCertificateAlreadyInstalled = false; lock (s_certificateLock) { if (response.TryGetValue(ThumbprintKeyName, out thumbprint)) { rootCertificateAlreadyInstalled = s_rootCertificates.ContainsKey(thumbprint); } if (rootCertificateAlreadyInstalled) { // Cert's been installed already, bail out return; } else { using (X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine)) { store.Open(OpenFlags.ReadOnly); var collection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); if (collection.Count > 0) { // We don't need to add the cert ourselves, because this cert has previously been installed // Likely BridgeClient is running on the same machine as the Bridge and the Bridge has done the work already. return; } } // Request the certificate from the Bridge string base64Cert = string.Empty; response = BridgeClient.MakeResourceGetRequest(CertificateAuthorityResourceName, null); string certificateAsBase64; if (response.TryGetValue(CertificateKeyName, out certificateAsBase64)) { // Root cert coming from Bridge doesn't have a password or private key certificateToInstall = new X509Certificate2(Convert.FromBase64String(certificateAsBase64)); } else { StringBuilder sb = new StringBuilder(); foreach (var pair in response) { sb.AppendFormat("{0} {1} : {2}", Environment.NewLine, pair.Key, pair.Value); } throw new Exception( string.Format("Error retrieving Authority certificate from Bridge. Expected '{0}' key in response. Response contents:{1}{2}", CertificateKeyName, Environment.NewLine, sb.ToString())); } } } // We return or throw before this point if there is no certificateToInstall InstallCertificateToRootStore(certificateToInstall); }
// Installs the local certificate provided by the bridge // Root is installed as part of this call so we trust the incoming certificate coming from the service/bridge // We supply this certificate for bidirectional (tcp) communication // // The request to the bridge with the local FQDN concurrently asks the bridge if we are running locally. // if so, we don't try to install the cert as that operation requires admin privileges public static void InstallLocalCertificateFromBridge() { X509Certificate2 certificateToInstall = null; // PUT the Client Certificate Subject to the Bridge (returns thumbprint) Dictionary <string, string> requestParams = new Dictionary <string, string>(); requestParams.Add(SubjectKeyName, ClientCertificateSubject); var response = BridgeClient.MakeResourcePutRequest(UserCertificateResourceName, requestParams); string thumbprint; bool foundUserCertificate = false; lock (s_certificateLock) { if (response.TryGetValue(ThumbprintKeyName, out thumbprint)) { foundUserCertificate = s_myCertificates.ContainsKey(thumbprint); // The Bridge tells us if the request has been made for a local certificate local to the bridge. // If it has, then the Bridge itself has already installed that cert as part of the PUT request // There's no need for us to do this in the BridgeClient. string isLocalString; if (response.TryGetValue(IsLocalKeyName, out isLocalString)) { bool isLocal = false; if (bool.TryParse(isLocalString, out isLocal) && isLocal) { return; } } } if (!foundUserCertificate) { // GET the cert with thumbprint from the Bridge (returns cert in base64 format) requestParams = new Dictionary <string, string>(); requestParams.Add(ThumbprintKeyName, thumbprint); string base64Cert = string.Empty; response = BridgeClient.MakeResourceGetRequest(UserCertificateResourceName, requestParams); string certificateAsBase64; if (response.TryGetValue(CertificateKeyName, out certificateAsBase64)) { certificateToInstall = new X509Certificate2(Convert.FromBase64String(certificateAsBase64), ClientCertificatePassword); } else { StringBuilder sb = new StringBuilder(); foreach (var pair in response) { sb.AppendFormat("{0} {1} : {2}", Environment.NewLine, pair.Key, pair.Value); } throw new Exception( string.Format("Error retrieving '{0}' certificate from Bridge, thumbprint '{1}'.\r\nExpected '{2}' key in response. Response contents:{3}{4}", ClientCertificateSubject, thumbprint, CertificateKeyName, Environment.NewLine, sb.ToString())); } } } // certificateToInstall could be null in the case the user certification exists if (certificateToInstall != null) { InstallCertificateToMyStore(certificateToInstall); // We also need to install the root cert if we install a local cert InstallRootCertificateFromBridge(); } }