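/// <summary>
/// Looks up <paramref name="thumbprint"/> in the LocalMachine personal store and runs the OAuth
/// certificate checks (<c>OAuthTaskHelper.ValidateCertificate</c>) against the match.
/// </summary>
/// <param name="thumbprint">Thumbprint to look up; null/empty means "nothing to validate" and returns silently.</param>
/// <param name="futurePublishDate">Optional date the certificate must still be valid at; forwarded to ValidateCertificate.</param>
/// <param name="skipAutomatedDeploymentChecks">Forwarded to ValidateCertificate (controls the private-key-exportable check).</param>
/// <param name="writeError">Task error sink; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="writeError"/> is null.</exception>
public static void ValidateLocalCertificate(string thumbprint, DateTime? futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError)
{
    if (writeError == null)
    {
        throw new ArgumentNullException("writeError");
    }
    if (string.IsNullOrEmpty(thumbprint))
    {
        return;
    }
    X509Store x509Store = null;
    try
    {
        x509Store = new X509Store(StoreLocation.LocalMachine);
        x509Store.Open(OpenFlags.ReadOnly);
        // validOnly == false on purpose: expiry / chain problems are reported by ValidateCertificate
        // with a specific error instead of surfacing here as "thumbprint not found".
        X509Certificate2Collection found = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (found.Count == 0)
        {
            writeError(new TaskException(Strings.ErrorThumbprintNotFound(thumbprint)), ErrorCategory.InvalidArgument, null);
            // Do not rely on writeError terminating the task: indexing found[0] below would
            // otherwise throw an unrelated ArgumentOutOfRangeException.
            return;
        }
        ExchangeCertificate certificate = new ExchangeCertificate(found[0]);
        OAuthTaskHelper.ValidateCertificate(certificate, futurePublishDate, skipAutomatedDeploymentChecks, writeError);
    }
    finally
    {
        if (x509Store != null)
        {
            x509Store.Close();
        }
    }
}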
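/// <summary>
/// Publishes <paramref name="certificate"/> as the server's internal transport certificate in Active Directory.
/// </summary>
/// <param name="certificate">Certificate to publish (only its public part is stored).</param>
/// <param name="systemConfiguration">Session used to save <paramref name="server"/>.</param>
/// <param name="server">Server object whose <c>InternalTransportCertificate</c> is updated.</param>
/// <param name="warningList">Optional sink for the Edge-role warning.</param>
/// <param name="allowConfirmation">When true and a different certificate is already published, return a
/// confirmation prompt instead of overwriting.</param>
/// <returns>
/// <see cref="LocalizedString.Empty"/> when the certificate was already current or has been written; otherwise
/// the confirmation prompt (in which case nothing is written).
/// </returns>
internal static LocalizedString UpdateActiveDirectory(X509Certificate2 certificate, IConfigurationSession systemConfiguration, Server server, List<LocalizedString> warningList, bool allowConfirmation)
{
    X509Certificate2 currentCertificate = ExchangeCertificate.GetInternalTransportCertificate(server);
    if (currentCertificate != null)
    {
        if (string.Equals(currentCertificate.Thumbprint, certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
        {
            return LocalizedString.Empty;
        }
        if (allowConfirmation)
        {
            return Strings.ConfirmOverwriteInternalTransportCertificate(currentCertificate.Thumbprint, currentCertificate.NotAfter, certificate.Thumbprint, certificate.NotAfter);
        }
    }
    // SerializedCert exports the certificate, not its private key; AD only ever holds the public part.
    server.InternalTransportCertificate = certificate.Export(X509ContentType.SerializedCert);
    if (server.IsHubTransportServer)
    {
        // Re-key the EdgeSync credentials BEFORE saving. The previous order (save new certificate, re-encrypt,
        // save again) left AD pointing at the new certificate while the credentials were still encrypted to
        // the old one whenever ReEncryptEdgeSyncCredentials threw. ReEncryptEdgeSyncCredentials only touches
        // server.EdgeSyncCredentials, so doing it first changes nothing on the success path except that the
        // object is now saved once.
        ManageExchangeCertificate.ReEncryptEdgeSyncCredentials(server, currentCertificate, certificate);
    }
    else if (server.IsEdgeServer && warningList != null)
    {
        warningList.Add(Strings.InternalTransportCertificateUpdatedOnEdge);
    }
    systemConfiguration.Save(server);
    return LocalizedString.Empty;
}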
/// <summary>
/// Finds the first certificate with <paramref name="thumbprint"/> in <paramref name="store"/>.
/// Returns null when the store cannot be opened (it must already exist) or holds no match.
/// The store is always closed before returning.
/// </summary>
/// <exception cref="ArgumentNullException"><paramref name="thumbprint"/> is null.</exception>
private static ExchangeCertificate GetCertificateFromStore(X509Store store, string thumbprint)
{
    if (thumbprint == null)
    {
        throw new ArgumentNullException("thumbprint");
    }
    try
    {
        store.Open(OpenFlags.OpenExistingOnly);
    }
    catch (CryptographicException)
    {
        // A store that does not exist is reported as "not found", not as an error.
        return null;
    }
    try
    {
        // validOnly == false: callers judge validity themselves, so an expired match must still be returned.
        X509Certificate2Collection matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        return matches.Count > 0 ? new ExchangeCertificate(matches[0]) : null;
    }
    finally
    {
        store.Close();
    }
}
/// <summary>
/// Resolves the certificate named by <c>Thumbprint</c> into <c>nextCertificate</c>, checks that it is usable
/// as a federation certificate, and checks that its Subject Key Identifier differs from both the previous
/// and the current organization certificate.
/// </summary>
private void ValidateNextCertificate()
{
    // Normalise first so the lookup (and any error text) uses the canonical thumbprint form.
    this.Thumbprint = FederationCertificate.UnifyThumbprintFormat(this.Thumbprint);
    this.nextCertificate = FederationCertificate.GetExchangeFederationCertByThumbprint(this.Thumbprint, new WriteVerboseDelegate(base.WriteVerbose));
    ExchangeCertificate candidate = new ExchangeCertificate(this.nextCertificate);
    FederationCertificate.ValidateCertificate(candidate, this.IsDatacenter);
    // The next certificate must be distinguishable by SKI from both certificates already in AD
    // (previous first, then current — same order as before).
    foreach (X509Certificate2 existing in new[] { this.DataObject.OrgPrevCertificate, this.DataObject.OrgCertificate })
    {
        this.ValidateUniqueSki(candidate, existing);
    }
}
/// <summary>
/// Throws when <paramref name="nextExchangeCertificate"/> shares its Subject Key Identifier with
/// <paramref name="otherCertificate"/>. A null <paramref name="otherCertificate"/> is a no-op.
/// </summary>
/// <exception cref="FederationCertificateInvalidException">The two SKIs compare equal (case-insensitively).</exception>
private void ValidateUniqueSki(ExchangeCertificate nextExchangeCertificate, X509Certificate2 otherCertificate)
{
    if (otherCertificate == null)
    {
        return;
    }
    ExchangeCertificate other = new ExchangeCertificate(otherCertificate);
    string nextSki = nextExchangeCertificate.SubjectKeyIdentifier;
    string otherSki = other.SubjectKeyIdentifier;
    // SKIs are hex strings; the comparer is kept exactly as the original used it.
    bool sameSki = StringComparer.InvariantCultureIgnoreCase.Equals(nextSki, otherSki);
    if (sameSki)
    {
        throw new FederationCertificateInvalidException(Strings.ErrorCertificateSKINotUnique(nextExchangeCertificate.Thumbprint, other.Thumbprint, nextSki));
    }
}
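/// <summary>
/// Re-keys the EdgeSync credentials stored on <paramref name="server"/>: each ESRA password is decrypted with
/// the private key of <paramref name="oldCertificate"/> (re-fetched from LocalMachine\My by thumbprint, since
/// the AD copy carries no private key) and re-encrypted to the public key of <paramref name="newCertificate"/>.
/// <c>server.EdgeSyncCredentials</c> is only written once every credential has been re-encrypted successfully.
/// No-op when there are no credentials.
/// </summary>
/// <exception cref="InvalidOperationException">
/// <paramref name="oldCertificate"/> is null or not in the store, a stored password does not decrypt with it,
/// or <paramref name="newCertificate"/> is a CNG certificate / does not expose an RSA (CAPI) public key.
/// </exception>
private static void ReEncryptEdgeSyncCredentials(Server server, X509Certificate2 oldCertificate, X509Certificate2 newCertificate)
{
    if (server.EdgeSyncCredentials == null || server.EdgeSyncCredentials.Count == 0)
    {
        return;
    }
    if (oldCertificate == null)
    {
        throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
    }
    // Everything below goes through RSACryptoServiceProvider, which only wraps CAPI keys.
    if (TlsCertificateInfo.IsCNGProvider(newCertificate))
    {
        throw new InvalidOperationException(Strings.InternalTransportCertificateMustBeCAPICertificate(newCertificate.Thumbprint));
    }
    oldCertificate = ExchangeCertificate.GetCertificateFromStore(StoreName.My, oldCertificate.Thumbprint);
    if (oldCertificate == null)
    {
        throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
    }
    RSACryptoServiceProvider newPublicKey = newCertificate.PublicKey.Key as RSACryptoServiceProvider;
    if (newPublicKey == null)
    {
        // Previously this case was skipped silently, so the credentials stayed encrypted to the certificate
        // that is about to be replaced and became undecryptable. Fail before any plaintext is produced.
        throw new InvalidOperationException(Strings.InternalTransportCertificateMustBeCAPICertificate(newCertificate.Thumbprint));
    }
    int count = server.EdgeSyncCredentials.Count;
    EdgeSyncCredential[] credentials = new EdgeSyncCredential[count];
    using (newPublicKey)
    using (RSACryptoServiceProvider oldPrivateKey = (RSACryptoServiceProvider)oldCertificate.PrivateKey)
    {
        for (int i = 0; i < count; i++)
        {
            credentials[i] = EdgeSyncCredential.DeserializeEdgeSyncCredential(server.EdgeSyncCredentials[i]);
            byte[] plaintext;
            try
            {
                // fOAEP == false selects PKCS#1 v1.5 padding. That is what the stored blobs (and their consumers)
                // use, so it is kept for compatibility; switching to OAEP here alone would break every existing
                // credential.
                plaintext = oldPrivateKey.Decrypt(credentials[i].EncryptedESRAPassword, false);
            }
            catch (CryptographicException)
            {
                throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
            }
            try
            {
                credentials[i].EncryptedESRAPassword = newPublicKey.Encrypt(plaintext, false);
            }
            finally
            {
                // Do not leave the decrypted password lying around in managed memory.
                Array.Clear(plaintext, 0, plaintext.Length);
            }
        }
    }
    // All crypto succeeded: now publish the re-encrypted set back onto the server object in one pass, so a
    // failure above never leaves a half-re-keyed list.
    for (int i = 0; i < count; i++)
    {
        server.EdgeSyncCredentials[i] = EdgeSyncCredential.SerializeEdgeSyncCredential(credentials[i]);
    }
}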
/// <summary>
/// Reports whether the certificate's private-key ACL contains an Allow entry granting NETWORK SERVICE
/// at least <see cref="CryptoKeyRights.GenericRead"/>. Returns false when no access rules are available.
/// </summary>
/// <remarks>
/// NOTE(review): only Allow entries are inspected; an explicit Deny for NETWORK SERVICE in the same ACL would
/// not be noticed here. Confirm how <c>AccessRules</c> is populated before relying on this for more than a
/// "is the grant present" check.
/// </remarks>
internal static bool IsCertEnabledForNetworkService(ExchangeCertificate cert)
{
    if (cert.AccessRules == null)
    {
        return false;
    }
    foreach (AccessRule rule in cert.AccessRules)
    {
        CryptoKeyAccessRule keyRule = (CryptoKeyAccessRule)rule;
        if (keyRule.IdentityReference != ManageExchangeCertificate.NetworkServiceIdentityReference)
        {
            continue;
        }
        bool allowsRead = keyRule.AccessControlType == AccessControlType.Allow
            && (keyRule.CryptoKeyRights & CryptoKeyRights.GenericRead) != (CryptoKeyRights)0;
        if (allowsRead)
        {
            return true;
        }
    }
    return false;
}
/// <summary>
/// Comparison for sorting certificates by <c>NotBefore</c>, newest first. Nulls sort ahead of non-nulls and
/// two nulls compare equal.
/// </summary>
internal static int CompareByNotBefore(ExchangeCertificate x, ExchangeCertificate y)
{
    if (x == null && y == null)
    {
        return 0;
    }
    if (x == null)
    {
        return -1;
    }
    if (y == null)
    {
        return 1;
    }
    // Operands deliberately reversed: a later NotBefore sorts earlier.
    return y.NotBefore.CompareTo(x.NotBefore);
}
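/// <summary>
/// Runs the OAuth-specific checks on <paramref name="certificate"/>, reporting each failure through
/// <paramref name="writeError"/>: Exchange validity, private-key exportability (unless
/// <paramref name="skipAutomatedDeploymentChecks"/>), the current validity window, and — when
/// <paramref name="futurePublishDate"/> is given — that the certificate is still valid on that date.
/// A <see cref="CryptographicException"/> from any check is reported as a single validation failure.
/// A null certificate is ignored.
/// </summary>
/// <exception cref="ArgumentNullException"><paramref name="writeError"/> is null.</exception>
public static void ValidateCertificate(ExchangeCertificate certificate, DateTime? futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError)
{
    if (writeError == null)
    {
        throw new ArgumentNullException("writeError");
    }
    if (certificate == null)
    {
        return;
    }
    try
    {
        ExchangeCertificateValidity validity = ManageExchangeCertificate.ValidateExchangeCertificate(certificate, true);
        if (validity != ExchangeCertificateValidity.Valid)
        {
            writeError(new TaskException(Strings.CertificateNotValidForExchange(certificate.Thumbprint, validity.ToString())), ErrorCategory.InvalidArgument, null);
        }
        if (!skipAutomatedDeploymentChecks && !certificate.PrivateKeyExportable)
        {
            writeError(new TaskException(Strings.ErrorCertificateNotExportable(certificate.Thumbprint)), ErrorCategory.InvalidArgument, null);
        }
        // One clock read for both window checks so they cannot disagree about "now".
        ExDateTime now = ExDateTime.UtcNow;
        if ((ExDateTime)certificate.NotAfter < now)
        {
            writeError(new TaskException(Strings.ErrorCertificateHasExpired(certificate.Thumbprint)), ErrorCategory.InvalidArgument, null);
        }
        if ((ExDateTime)certificate.NotBefore > now)
        {
            writeError(new TaskException(Strings.ErrorCertificateNotYetValid(certificate.Thumbprint)), ErrorCategory.InvalidArgument, null);
        }
        // Was "futurePublishDate != null && futurePublishDate != null" — the same test twice.
        if (futurePublishDate.HasValue && (ExDateTime)certificate.NotAfter <= (ExDateTime)futurePublishDate.Value.ToUniversalTime())
        {
            writeError(new TaskException(Strings.ErrorAuthNewCertificateExpire(certificate.Thumbprint)), ErrorCategory.InvalidArgument, null);
        }
    }
    catch (CryptographicException innerException)
    {
        writeError(new TaskException(Strings.ErrorFailedToValidateCertificate(certificate.Thumbprint), innerException), ErrorCategory.InvalidArgument, null);
    }
}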
/// <summary>
/// Adds a warning for every connector FQDN on <paramref name="server"/> for which some other certificate in
/// LocalMachine\My would be selected ahead of <paramref name="certificate"/>; the wording differs depending
/// on whether the winning certificate is self-signed. Does nothing when <paramref name="warningList"/> is null.
/// </summary>
private static void WarnIfNotBestMatch(ExchangeCertificate certificate, IConfigurationSession session, Server server, List<LocalizedString> warningList)
{
    if (warningList == null)
    {
        return;
    }
    X509Store personalStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        personalStore.Open(OpenFlags.ReadOnly);
        using (ChainEngine chainEngine = new ChainEngine())
        {
            foreach (ManageExchangeCertificate.FqdnConnectors entry in ManageExchangeCertificate.GetConnectorFQDNs(session, server))
            {
                X509Certificate2 preferred;
                if (!ManageExchangeCertificate.CertificateHasLowerPrecedence(personalStore, chainEngine, entry.Fqdn, certificate, out preferred))
                {
                    continue;
                }
                LocalizedString warning = new ExchangeCertificate(preferred).IsSelfSigned
                    ? Strings.WarnCertificateWillNotBeUsed(preferred.Thumbprint, entry.Fqdn, entry.Connectors)
                    : Strings.WarnCertificateWillNotBeUsedBestIsPKI(preferred.Thumbprint, entry.Fqdn, entry.Connectors);
                warningList.Add(warning);
            }
        }
    }
    finally
    {
        // Constructed before the try, so never null here.
        personalStore.Close();
    }
}
/// <summary>
/// Serializes <paramref name="list"/> into a single RPC blob: each element is serialized on its own
/// (certificates via their array form) and the resulting object[] is serialized once more.
/// Returns null for a null list.
/// </summary>
private byte[] SerializeListAsArray<TItem>(List<TItem> list)
{
    if (list == null)
    {
        return null;
    }
    // Loop-invariant: the element type is decided once per call, not once per item.
    bool isCertificateList = typeof(TItem) == typeof(ExchangeCertificate);
    object[] serializedItems = new object[list.Count];
    for (int index = 0; index < list.Count; index++)
    {
        TItem item = list[index];
        if (isCertificateList)
        {
            ExchangeCertificate certificate = item as ExchangeCertificate;
            serializedItems[index] = ExchangeCertificateRpc.SerializeObject(certificate.ExchangeCertificateAsArray());
        }
        else
        {
            serializedItems[index] = ExchangeCertificateRpc.SerializeObject(item);
        }
    }
    return ExchangeCertificateRpc.SerializeObject(serializedItems);
}
/// <summary>
/// Emits the certificate request returned by the server either as a binary object (bytes decoded from the
/// base64 <paramref name="request"/>) or as a PEM-wrapped string, and additionally writes it to
/// <c>RequestFile</c> when <c>GenerateRequest</c> is set and a file name was supplied.
/// <paramref name="certificate"/> is accepted for signature compatibility and not used.
/// </summary>
private void ProcessRequestResults(ExchangeCertificate certificate, string request)
{
    bool persistToFile = this.GenerateRequest && !string.IsNullOrEmpty(this.RequestFile);
    if (this.BinaryEncoded)
    {
        BinaryFileDataObject binaryRequest = new BinaryFileDataObject();
        binaryRequest.FileData = Convert.FromBase64String(request);
        base.WriteObject(binaryRequest);
        if (persistToFile)
        {
            this.WriteRequest(binaryRequest.FileData, string.Empty);
        }
        return;
    }
    string pemRequest = ManageExchangeCertificate.WrapCertificateRequestWithPemTags(request);
    base.WriteObject(pemRequest);
    if (persistToFile)
    {
        this.WriteRequest(null, pemRequest);
    }
}
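/// <summary>
/// Checks that the certificate with <paramref name="thumbprint"/> is installed on the remote
/// <paramref name="server"/> and then runs <c>OAuthTaskHelper.ValidateCertificate</c> on it. An empty
/// thumbprint is accepted silently. When the server cannot be reached or the certificate is not installed,
/// the error is reported through <paramref name="writeError"/> and no further validation is attempted.
/// </summary>
/// <exception cref="ArgumentNullException"><paramref name="writeError"/> is null.</exception>
public static void ValidateRemoteCertificate(string server, string thumbprint, DateTime? futurePublishDate, bool skipAutomatedDeploymentChecks, Task.TaskErrorLoggingDelegate writeError)
{
    if (writeError == null)
    {
        throw new ArgumentNullException("writeError");
    }
    if (string.IsNullOrEmpty(thumbprint))
    {
        return;
    }
    ExchangeCertificate certificate = null;
    FederationTrustCertificateState state = FederationCertificate.TestForCertificate(server, thumbprint, out certificate);
    if (state == FederationTrustCertificateState.ServerUnreachable)
    {
        writeError(new TaskException(Strings.ErrorCannotContactServerForCert(server, thumbprint)), ErrorCategory.InvalidArgument, null);
        return;
    }
    if (state != FederationTrustCertificateState.Installed)
    {
        writeError(new TaskException(Strings.ErrorThumbprintNotFound(thumbprint)), ErrorCategory.InvalidArgument, null);
        return;
    }
    // Same pattern as ValidateLocalCertificate: once an error has been reported, stop instead of relying on
    // writeError terminating the task and on ValidateCertificate tolerating whatever TestForCertificate left
    // in 'certificate' for a non-Installed state.
    OAuthTaskHelper.ValidateCertificate(certificate, futurePublishDate, skipAutomatedDeploymentChecks, writeError);
}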
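/// <summary>
/// Rehydrates the internal transport certificate stored on <paramref name="server"/> in AD.
/// Returns null when none is stored or when the stored bytes are not a parsable certificate.
/// </summary>
/// <exception cref="ArgumentNullException"><paramref name="server"/> is null.</exception>
internal static ExchangeCertificate GetInternalTransportCertificate(Server server)
{
    if (server == null)
    {
        throw new ArgumentNullException("server");
    }
    byte[] stored = server.InternalTransportCertificate;
    if (stored == null)
    {
        return null;
    }
    try
    {
        return new ExchangeCertificate(new X509Certificate2(stored));
    }
    // Only the failures the X509Certificate2(byte[]) constructor raises for bad input (malformed blob,
    // empty array) are treated as "no usable certificate in AD". The former bare catch-all also hid any
    // other fault behind a null, which the callers then read as "nothing published".
    catch (CryptographicException)
    {
        return null;
    }
    catch (ArgumentException)
    {
        return null;
    }
}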
/// <summary>
/// Convenience overload: wraps the LocalMachine store <paramref name="storeName"/> and delegates to
/// <c>GetCertificateFromStore(X509Store, string)</c>, which opens the store, looks up
/// <paramref name="thumbprint"/> and closes the store again. Returns null when not found.
/// </summary>
internal static ExchangeCertificate GetCertificateFromStore(StoreName storeName, string thumbprint)
{
    return ExchangeCertificate.GetCertificateFromStore(new X509Store(storeName, StoreLocation.LocalMachine), thumbprint);
}
/// <summary>
/// Builds the certificate chain once and caches the outcome in <c>status</c>, <c>selfSigned</c>,
/// <c>rootCAType</c> and <c>privateKeyExportable</c>. Returns immediately if <c>status</c> is already known.
/// A pending request (<c>CertificateRequest</c> non-empty) short-circuits to <c>PendingRequest</c>.
/// If the chain engine returns no context, <c>status</c> stays <c>Unknown</c>, so the next call retries.
/// </summary>
/// <remarks>
/// Chain build parameters: server-authentication EKU required, 30 s revocation timeout, revocation checked for
/// every chain element except the root, accumulative timeout. Trust decisions encoded below:
///  - an untrusted root on a certificate that is itself self-signed is reported as <c>Valid</c> with
///    <c>CertificateAuthorityType.None</c>; an untrusted root under a non-self-signed certificate is
///    <c>Untrusted</c>;
///  - CRYPT_E_NO_REVOCATION_CHECK (0x80092012 = 2148081682), CRYPT_E_REVOCATION_OFFLINE (0x80092013 = 2148081683)
///    and CERT_E_REVOCATION_FAILURE (0x800B010E = 2148204814) all become <c>RevocationCheckFailure</c>, i.e. an
///    unreachable CRL/OCSP source is surfaced as its own soft status rather than as <c>Invalid</c>;
///  - CERT_E_EXPIRED (0x800B0101 = 2148204801) becomes <c>DateInvalid</c>; CERT_E_REVOKED (0x800B010C = 2148204812)
///    becomes <c>Revoked</c>; CERT_E_UNTRUSTEDTESTROOT (0x800B010D = 2148204813) and every other failure become
///    <c>Invalid</c>;
///  - for every status other than <c>Invalid</c>, <c>rootCAType</c> is derived from the root's thumbprint via
///    <c>RootSource</c>, and a missing root is treated as a programming error (throws).
/// The <c>goto IL_xxx</c> labels are the decompiled switch fall-through; the untyped <c>(ChainValidityStatus)N</c>
/// casts are the HRESULTs listed above. Left byte-for-byte as is: the control flow is too order-sensitive to
/// restyle safely without tests.
/// </remarks>
private void CheckCertificateChainAndCacheProps() { if (this.status != CertificateStatus.Unknown) { return; } if (!string.IsNullOrEmpty(this.CertificateRequest)) { this.status = CertificateStatus.PendingRequest; this.selfSigned = false; this.rootCAType = CertificateAuthorityType.Unknown; return; } this.privateKeyExportable = TlsCertificateInfo.IsCertificateExportable(this); ChainPolicyParameters options = new BaseChainPolicyParameters(ChainPolicyOptions.None); ChainMatchIssuer pkixKpServerAuth = AndChainMatchIssuer.PkixKpServerAuth; ChainBuildParameter parameter = new ChainBuildParameter(pkixKpServerAuth, TimeSpan.FromSeconds(30.0), false, TimeSpan.Zero); using (ChainEngine chainEngine = new ChainEngine()) { using (ChainContext chainContext = chainEngine.Build(this, ChainBuildOptions.CacheEndCert | ChainBuildOptions.RevocationCheckChainExcludeRoot | ChainBuildOptions.RevocationAccumulativeTimeout, parameter)) { if (chainContext == null) { this.status = CertificateStatus.Unknown; this.selfSigned = false; this.rootCAType = CertificateAuthorityType.Unknown; } else { this.selfSigned = chainContext.IsSelfSigned; if (chainContext.Status == TrustStatus.IsUntrustedRoot) { if (chainContext.IsSelfSigned) { this.status = CertificateStatus.Valid; this.rootCAType = CertificateAuthorityType.None; } else { this.status = CertificateStatus.Untrusted; this.rootCAType = CertificateAuthorityType.Unknown; } } else { ChainSummary chainSummary = chainContext.Validate(options); ChainValidityStatus chainValidityStatus = chainSummary.Status; if (chainValidityStatus <= (ChainValidityStatus)2148081683U) { if (chainValidityStatus == ChainValidityStatus.Valid) { this.status = CertificateStatus.Valid; goto IL_168; } switch (chainValidityStatus) { case (ChainValidityStatus)2148081682U: case (ChainValidityStatus)2148081683U: break; default: goto IL_15A; } } else { if (chainValidityStatus == (ChainValidityStatus)2148204801U) { this.status = CertificateStatus.DateInvalid; goto IL_168; } switch 
(chainValidityStatus) { case (ChainValidityStatus)2148204812U: this.status = CertificateStatus.Revoked; goto IL_168; case (ChainValidityStatus)2148204813U: goto IL_15A; case (ChainValidityStatus)2148204814U: break; default: goto IL_15A; } } this.status = CertificateStatus.RevocationCheckFailure; goto IL_168; IL_15A: this.status = CertificateStatus.Invalid; this.rootCAType = CertificateAuthorityType.Unknown; IL_168: if (this.status != CertificateStatus.Invalid) { X509Certificate2 rootCertificate = chainContext.RootCertificate; if (rootCertificate == null) { throw new InvalidOperationException("Root certificate was null!"); } this.rootCAType = ExchangeCertificate.RootSource(rootCertificate.Thumbprint); } } } } } }
/// <summary>
/// Decodes an RPC output blob into a dictionary keyed by <c>RpcOutput</c>. The blob is an object[] of
/// alternating (key, value) entries, each a serialized byte[]; certificate and list values are further
/// unpacked into <c>ExchangeCertificate</c> objects, a <c>List&lt;ExchangeCertificate&gt;</c>, a
/// <c>List&lt;LocalizedString&gt;</c> or a <c>Dictionary&lt;AllowedServices, LocalizedString&gt;</c>.
/// Other kinds, and null values, are stored as deserialized.
/// </summary>
/// <remarks>
/// NOTE(review): the payload is trusted as well-formed — the casts and the <c>[i + 1]</c> / <c>[j + 1]</c>
/// indexing are unchecked, so a malformed or odd-length blob surfaces as InvalidCastException /
/// IndexOutOfRangeException. <c>DeserializeObject</c> is not visible here; confirm which serializer it uses
/// before accepting blobs from less trusted peers.
/// </remarks>
internal Dictionary<RpcOutput, object> BuildOutputParameters(byte[] blob)
{
    Dictionary<RpcOutput, object> outputs = new Dictionary<RpcOutput, object>();
    object[] pairs = (object[])this.DeserializeObject(blob, false);
    for (int i = 0; i < pairs.Length; i += 2)
    {
        RpcOutput key = (RpcOutput)this.DeserializeObject((byte[])pairs[i], true);
        object value = this.DeserializeObject((byte[])pairs[i + 1], true);
        if (value != null)
        {
            switch (key)
            {
                case RpcOutput.ExchangeCertList:
                {
                    List<ExchangeCertificate> certificates = new List<ExchangeCertificate>();
                    foreach (object packed in (object[])value)
                    {
                        certificates.Add(new ExchangeCertificate((object[])this.DeserializeObject((byte[])packed, true)));
                    }
                    value = certificates;
                    break;
                }
                case RpcOutput.ExchangeCert:
                    value = new ExchangeCertificate((object[])value);
                    break;
                case RpcOutput.TaskWarningList:
                {
                    List<LocalizedString> warnings = new List<LocalizedString>();
                    foreach (object packed in (object[])value)
                    {
                        warnings.Add((LocalizedString)this.DeserializeObject((byte[])packed, true));
                    }
                    value = warnings;
                    break;
                }
                case RpcOutput.TaskConfirmationList:
                {
                    // Nested (AllowedServices, LocalizedString) pairs, laid out like the outer blob.
                    object[] confirmationPairs = (object[])value;
                    Dictionary<AllowedServices, LocalizedString> confirmations = new Dictionary<AllowedServices, LocalizedString>();
                    for (int j = 0; j < confirmationPairs.Length; j += 2)
                    {
                        AllowedServices service = (AllowedServices)this.DeserializeObject((byte[])confirmationPairs[j], true);
                        confirmations[service] = (LocalizedString)this.DeserializeObject((byte[])confirmationPairs[j + 1], true);
                    }
                    value = confirmations;
                    break;
                }
                // Any other output kind keeps its deserialized form.
            }
        }
        outputs[key] = value;
    }
    return outputs;
}