/// <inheritdoc/>
public async Task ValidateSubscription(int subscriptionId)
{
try
{
string endpointUrl = "subscriptions/validate/" + subscriptionId;
string certBase64 = await _keyVaultService.GetCertificateAsync(_keyVaultSettings.KeyVaultURI, _keyVaultSettings.PlatformCertSecretId);
string accessToken = _accessTokenGenerator.GenerateAccessToken(
"platform",
"events",
new X509Certificate2(Convert.FromBase64String(certBase64), (string)null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
HttpResponseMessage response = await _client.PutAsync(endpointUrl, null, accessToken);
if (response.StatusCode != HttpStatusCode.OK)
{
_logger.LogError($"// Validate subscription with id {subscriptionId} failed with statuscode {response.StatusCode}");
throw new Exception($"// Validate subscription with id {subscriptionId} failed with statuscode {response.StatusCode}");
}
}
catch (Exception e)
{
_logger.LogError(e, $"// Validate subscription with id {subscriptionId} failed with errormessage {e.Message}");
throw e;
}
}
public async Task Submit(HashMode hashMode, string name, string description, string descriptionUrl, IList <string> files, string filter)
{
logger.LogInformation("Editing AppInstaller job {0} with {1} files", name, files.Count());
var cert = await keyVaultService.GetCertificateAsync().ConfigureAwait(false);
var publisher = cert.SubjectName.Name;
// We need to open the files, and update the publisher value
foreach (var file in files)
{
XDocument manifest;
using (var fs = File.OpenRead(file))
{
manifest = XDocument.Load(fs, LoadOptions.PreserveWhitespace);
XNamespace ns = "http://schemas.microsoft.com/appx/appinstaller/2017/2";
var idElement = manifest.Root?.Element(ns + "MainBundle");
idElement?.SetAttributeValue("Publisher", publisher);
}
using (var fs = File.Create(file))
{
manifest.Save(fs);
}
}
}
/// <inheritdoc/>
public async Task SendToPushController(CloudEvent item)
{
StringContent httpContent = new StringContent(JsonSerializer.Serialize(item), Encoding.UTF8, "application/json");
try
{
string endpointUrl = "push";
string certBase64 = await _keyVaultService.GetCertificateAsync(_keyVaultSettings.KeyVaultURI, _keyVaultSettings.PlatformCertSecretId);
string accessToken = _accessTokenGenerator.GenerateAccessToken(
"platform",
"events",
new X509Certificate2(Convert.FromBase64String(certBase64), (string)null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
HttpResponseMessage response = await _client.PostAsync(endpointUrl, httpContent, accessToken);
if (response.StatusCode != HttpStatusCode.OK)
{
_logger.LogError($"// Push event with id {item.Id} failed with statuscode {response.StatusCode}");
throw new Exception($"// Push event with id {item.Id} failed with statuscode {response.StatusCode}");
}
}
catch (Exception e)
{
_logger.LogError(e, $"// Push event with id {item.Id} failed with errormessage {e.Message}");
throw e;
}
}
async Task SubmitInternal(HashMode hashMode, string name, string description, string descriptionUrl, IList <string> files)
{
logger.LogInformation("Signing OpenVsixSignTool job {0} with {1} files", name, files.Count());
// Dual isn't supported, use sha256
var alg = hashMode == HashMode.Sha1 ? HashAlgorithmName.SHA1 : HashAlgorithmName.SHA256;
var config = new RsaSignConfigurationSet
{
FileDigestAlgorithm = alg,
PkcsDigestAlgorithm = alg,
SigningCertificate = await keyVaultService.GetCertificateAsync(),
Rsa = await keyVaultService.ToRSA()
};
try
{
var tasks = files.Select(file =>
{
telemetryLogger.OnSignFile(file, signToolName);
return(Sign(file, config, keyVaultService.CertificateInfo.TimestampUrl, alg));
});
await Task.WhenAll(tasks);
}
finally
{
config.Rsa?.Dispose();
}
}
/// <inheritdoc />
public async Task <string> GetAccessToken()
{
await Semaphore.WaitAsync();
try
{
if (_accessToken == null || _cacheTokenUntil < DateTime.UtcNow)
{
string certBase64 = await _keyVaultService.GetCertificateAsync(_keyVaultSettings.KeyVaultUri, _keyVaultSettings.PlatformCertSecretId);
_accessToken = _accessTokenGenerator.GenerateAccessToken(
_platformSettings.AccessTokenIssuer,
"platform.authorization",
new X509Certificate2(Convert.FromBase64String(certBase64), (string)null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
_cacheTokenUntil = DateTime.UtcNow.AddSeconds(_accessTokenSettings.TokenLifetimeInSeconds - 2); // Add some slack to avoid tokens expiring in transit
}
return(_accessToken);
}
finally
{
Semaphore.Release();
}
}
public async Task <string> RunGetFacturaeSignedActivity([ActivityTrigger] string facturae)
{
var certificate = await keyvaultService.GetCertificateAsync(configuration["AppSettings:KeyVault:Certificate:Name"]);
var signedDocument = new MemoryStream();
SignatureParameters parameters = new SignatureParameters
{
// Política de firma de factura-e 3.1
SignaturePolicyInfo = new SignaturePolicyInfo
{
PolicyIdentifier = "http://www.facturae.es/politica_de_firma_formato_facturae/politica_de_firma_formato_facturae_v3_1.pdf",
PolicyHash = "Ohixl6upD6av8N7pEvDABhEL6hM="
},
SignaturePackaging = SignaturePackaging.ENVELOPED,
DataFormat = new DataFormat
{
MimeType = "text/xml"
},
SignerRole = new SignerRole()
};
parameters.SignerRole.ClaimedRoles.Add("emisor");
using (parameters.Signer = new Signer(certificate))
{
var xmlDocument = new XmlDocument();
xmlDocument.LoadXml(facturae);
var signed = xadesService.Sign(xmlDocument, parameters);
signed.Save(signedDocument);
}
return(System.Convert.ToBase64String(signedDocument.ToArray()));
}
public AppxFile Create(string inputFileName)
{
if (publisher == null) // don't care about this race
{
var cert = keyVaultService.GetCertificateAsync().Result;
publisher = cert.SubjectName.Name;
}
return(new AppxFile(inputFileName, publisher, logger, makeappxPath));
}
public async Task <AppxFile> Create(string inputFileName, string filter)
{
if (publisher == null) // don't care about this race
{
var cert = await keyVaultService.GetCertificateAsync();
publisher = cert.SubjectName.Name;
}
return(new AppxFile(inputFileName, publisher, logger, makeappxPath, filter));
}
void SubmitInternal(HashMode hashMode, string name, string description, string descriptionUrl, IList <string> files)
{
logger.LogInformation("Signing SignTool job {0} with {1} files", name, files.Count());
var certificate = keyVaultService.GetCertificateAsync().Result;
using var rsa = keyVaultService.ToRSA().Result;
using var signer = new AuthenticodeKeyVaultSigner(rsa, certificate, HashAlgorithmName.SHA256, new TimeStampConfiguration(keyVaultService.CertificateInfo.TimestampUrl, HashAlgorithmName.SHA256, TimeStampType.RFC3161));
// loop through all of the files here, looking for appx/eappx
// mark each as being signed and strip appx
Parallel.ForEach(files, (file, state) =>
{
telemetryLogger.OnSignFile(file, signToolName);
if (!Sign(signer, file, description, descriptionUrl))
{
throw new Exception($"Could not append sign {file}");
}
});
}
void SubmitInternal(HashMode hashMode, string name, string description, string descriptionUrl, IList <string> files, string filter)
{
logger.LogInformation("Signing Mage job {0} with {1} files", name, files.Count());
var args = "-a sha256RSA";
if (!string.IsNullOrWhiteSpace(name))
{
args += $@" -n ""{name}""";
}
var certificate = keyVaultService.GetCertificateAsync().Result;
var timeStampUrl = keyVaultService.CertificateInfo.TimestampUrl;
using (var rsaPrivateKey = keyVaultService.ToRSA()
.Result)
{
// This outer loop is for a .clickonce file
Parallel.ForEach(files, options, (file, state) =>
{
// We need to be explicit about the order these files are signed in. The data files must be signed first
// Then the .manifest file
// Then the nested clickonce/vsto file
// finally the top-level clickonce/vsto file
using (var zip = new TemporaryZipFile(file, filter, logger))
{
// Look for the data files first - these are .deploy files
// we need to rename them, sign, then restore the name
var deployFilesToSign = zip.FilteredFilesInDirectory.Where(f => ".deploy".Equals(Path.GetExtension(f), StringComparison.OrdinalIgnoreCase))
.ToList();
var contentFiles = new List <string>();
foreach (var dfile in deployFilesToSign)
{
// Rename to file without extension
var dest = dfile.Replace(".deploy", "");
File.Move(dfile, dest);
contentFiles.Add(dest);
}
var filesToSign = contentFiles.ToList(); // copy it since we may add setup.exe
var setupExe = zip.FilteredFilesInDirectory.Where(f => ".exe".Equals(Path.GetExtension(f), StringComparison.OrdinalIgnoreCase));
filesToSign.AddRange(setupExe);
// Safe to call Wait here because we're in a Parallel.ForEach()
// sign the inner files
signToolAggregate.Value.Submit(hashMode, name, description, descriptionUrl, filesToSign, filter).Wait();
// rename the rest of the deploy files since signing the manifest will need them
var deployFiles = zip.FilesExceptFiltered.Where(f => ".deploy".Equals(Path.GetExtension(f), StringComparison.OrdinalIgnoreCase))
.ToList();
foreach (var dfile in deployFiles)
{
// Rename to file without extension
var dest = dfile.Replace(".deploy", "");
File.Move(dfile, dest);
contentFiles.Add(dest);
}
// at this point contentFiles has all deploy files renamed
// Inner files are now signed
// now look for the manifest file and sign that
var manifestFile = zip.FilteredFilesInDirectory.Single(f => ".manifest".Equals(Path.GetExtension(f), StringComparison.OrdinalIgnoreCase));
var fileArgs = $@"-update ""{manifestFile}"" {args}";
telemetryLogger.OnSignFile(manifestFile, signToolName);
if (!Sign(fileArgs, manifestFile, hashMode, rsaPrivateKey, certificate, timeStampUrl))
{
throw new Exception($"Could not sign {manifestFile}");
}
// Read the publisher name from the manifest for use below
var manifestDoc = XDocument.Load(manifestFile);
var ns = manifestDoc.Root.GetDefaultNamespace();
var publisherEle = manifestDoc.Root.Element(ns + "publisherIdentity");
var pubName = publisherEle.Attribute("name").Value;
var publisherParam = "";
var dict = DistinguishedNameParser.Parse(pubName);
if (dict.TryGetValue("CN", out var cns))
{
// get the CN. it may be quoted
publisherParam = $@"-pub ""{string.Join("+", cns.Select(s => s.Replace("\"", "")))}"" ";
}
// Now sign the inner vsto/clickonce file
// Order by desending length to put the inner one first
var clickOnceFilesToSign = zip.FilteredFilesInDirectory
.Where(f => ".vsto".Equals(Path.GetExtension(f), StringComparison.OrdinalIgnoreCase) ||
".application".Equals(Path.GetExtension(f), StringComparison.OrdinalIgnoreCase))
.Select(f => new { file = f, f.Length })
.OrderByDescending(f => f.Length)
.Select(f => f.file)
.ToList();
foreach (var f in clickOnceFilesToSign)
{
fileArgs = $@"-update ""{f}"" {args} -appm ""{manifestFile}"" {publisherParam}";
if (!string.IsNullOrWhiteSpace(descriptionUrl))
{
fileArgs += $@" -SupportURL {descriptionUrl}";
}
telemetryLogger.OnSignFile(f, signToolName);
if (!Sign(fileArgs, f, hashMode, rsaPrivateKey, certificate, timeStampUrl))
{
throw new Exception($"Could not sign {f}");
}
}
// restore the deploy files
foreach (var dfile in contentFiles)
{
File.Move(dfile, $"{dfile}.deploy");
}
zip.Save();
}
});
}
}
