Dispose() 공개 메소드

public Dispose ( ) : void
리턴 void
        /// <summary>
        /// Creates a token provider bound to the single certificate that matches the search criteria in the given store.
        /// </summary>
        /// <param name="storeLocation">Location of the certificate store to search.</param>
        /// <param name="storeName">Name of the certificate store to search.</param>
        /// <param name="findType">Kind of lookup to perform.</param>
        /// <param name="findValue">Value to look up; must not be null.</param>
        public X509SecurityTokenProvider(StoreLocation storeLocation, StoreName storeName, X509FindType findType, object findValue)
        {
            if (findValue == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("findValue");
            }

            X509Certificate2Collection matches = null;
            X509Store certStore = new X509Store(storeName, storeLocation);
            try
            {
                certStore.Open(OpenFlags.ReadOnly);

                // validOnly is false, so expired or untrusted certificates also match here.
                // NOTE(review): confirm that certificate validation happens where the token is consumed.
                matches = certStore.Certificates.Find(findType, findValue, false);

                // Exactly one match is required: an ambiguous lookup is rejected rather than
                // silently picking one of several certificates.
                if (matches.Count != 1)
                {
                    string reason = matches.Count < 1
                        ? SR.Format(SR.CannotFindCert, storeName, storeLocation, findType, findValue)
                        : SR.Format(SR.FoundMultipleCerts, storeName, storeLocation, findType, findValue);
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(reason));
                }

                // A new instance is built from the handle; presumably so that the provider's
                // certificate stays usable after the collection is reset in the finally block.
                _certificate = new X509Certificate2(matches[0].Handle);
            }
            finally
            {
                System.ServiceModel.Security.SecurityUtils.ResetAllCertificates(matches);
                certStore.Dispose();
            }
        }
        /// <summary>
        /// Finds the certificate with the supplied thumbprint in the supplied store name and location.
        /// </summary>
        /// <param name="storeName"></param>
        /// <param name="storeLocation"></param>
        /// <param name="thumbprint"></param>
        /// <param name="validationRequired"></param>
        /// <returns>X509Certificate2</returns>
        public static X509Certificate2 FindCertificateByThumbprint(StoreName storeName, StoreLocation storeLocation, string thumbprint, bool validationRequired)
        {
            Guard.ArgumentNotNullOrWhiteSpace(thumbprint, nameof(thumbprint));

            var certStore = new X509Store(storeName, storeLocation);
            try
            {
                certStore.Open(OpenFlags.ReadOnly);

                // validationRequired is passed straight through as Find's validOnly argument:
                // with false, a certificate that fails validation (for example an expired one)
                // is still returned, and the caller is responsible for validating it.
                var matches = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validationRequired);

                bool found = matches != null && matches.Count != 0;
                if (!found)
                {
                    throw new ArgumentException("certificate was not found in store");
                }

                // Only the first match is handed back to the caller.
                return matches[0];
            }
            finally
            {
#if NET451
                // IDisposable not implemented in NET451
                certStore.Close();
#else
                // Close is private in DNXCORE, but Dispose calls close internally
                certStore.Dispose();
#endif
            }
        }
예제 #3
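        /// <summary>
        /// Builds an <see cref="RsaCipher"/> from the first certificate in the "My" store whose
        /// friendly name equals <paramref name="friendlyName"/>.
        /// </summary>
        /// <param name="friendlyName">Friendly name to match exactly (ordinal string comparison).</param>
        /// <returns>A cipher holding the public and private RSA keys of the matching certificate.</returns>
        /// <exception cref="InternalErrorException">No certificate with that friendly name was found.</exception>
        /// <remarks>
        /// The friendly name is a store-side label, not part of the signed certificate, and it
        /// need not be unique. Whoever can write to the store can therefore influence which
        /// certificate is selected here; prefer a thumbprint lookup where identity matters.
        /// No store location is given, so the X509Store default location applies.
        /// </remarks>
        public static RsaCipher LoadFromX509Store(string friendlyName)
        {
            System.Security.Cryptography.X509Certificates.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(StoreName.My);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                foreach (var x509 in store.Certificates)
                {
                    if (x509.FriendlyName != friendlyName)
                    {
                        continue;
                    }

                    var key = new RsaCipherKey();
                    try
                    {
                        #if NETSTANDARD2_0
                        key.Public  = x509.GetRSAPublicKey();
                        key.Private = x509.GetRSAPrivateKey();
                        #endif

                        #if NETFX
                        // NOTE(review): PrivateKey is null when the certificate carries no private key,
                        // and the cast presumably fails for keys not backed by RSACryptoServiceProvider.
                        key.Public  = (RSACryptoServiceProvider)x509.PublicKey.Key;
                        key.Private = (RSACryptoServiceProvider)x509.PrivateKey;
                        #endif
                    }
                    catch (Exception)
                    {
                        // Do not leak partially initialized key material on failure.
                        key.Dispose();
                        throw;
                    }

                    RsaCipher rsaCipher = new RsaCipher();
                    rsaCipher._key = key;
                    return rsaCipher;
                }
            }
            finally
            {
                #if NETSTANDARD2_0
                store.Dispose();
                #elif NETFX
                // Release the store handle on this target as well; without this the store
                // opened above was never closed when building for NETFX.
                store.Close();
                #endif
            }
            throw new InternalErrorException("Certificate not found: " + friendlyName);
        }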
        /// <summary>
        /// Looks up a certificate by thumbprint in the given store.
        /// </summary>
        /// <param name="name">Name of the store to search.</param>
        /// <param name="location">Location of the store to search.</param>
        /// <param name="thumbprint">Thumbprint to search for.</param>
        /// <returns>The matching certificate, or null when none is found.</returns>
        /// <remarks>
        /// SingleOrDefault throws when more than one certificate matches. The search uses
        /// validOnly: false, so the result may be expired or untrusted; callers must validate it.
        /// </remarks>
        internal static X509Certificate2 GetCertificate(StoreName name, StoreLocation location, string thumbprint) {
            var certStore = new X509Store(name, location);

            try {
                certStore.Open(OpenFlags.ReadOnly);

                var matches = certStore.Certificates
                    .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                    .OfType<X509Certificate2>();

                // Enumerated while the store is still open.
                return matches.SingleOrDefault();
            }

            finally {
#if DNXCORE50
                certStore.Dispose();
#else
                certStore.Close();
#endif
            }
        }
        /// <summary>
        /// Searches the stores for certificate with subject name matching the host and path extracted from the applicationUri.
        /// </summary>
        /// <param name="description">The <see cref="ApplicationDescription"/>.</param>
        /// <param name="createIfNotFound">When true, creates a new self-signed certificate if one is not found.</param>
        /// <returns>The certificate. </returns>
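        public static X509Certificate2 GetCertificate(this ApplicationDescription description, bool createIfNotFound = true)
        {
            // Returns the most recently issued certificate whose subject matches the name derived
            // from description.ApplicationUri, searching LocalMachine\My and then CurrentUser\My.
            // When none exists and createIfNotFound is true, a self-signed certificate is created
            // and stored in CurrentUser\My. Returns null when nothing was found and creation was
            // not requested, or when creation failed.
            if (description == null)
            {
                throw new ArgumentNullException(nameof(description));
            }

            if (string.IsNullOrEmpty(description.ApplicationUri))
            {
                throw new ArgumentOutOfRangeException(nameof(description), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}'.");
            }

            string subjectName = null;

            // NOTE(review): the path and host taken from the URI are placed into the distinguished
            // name without escaping; confirm that ApplicationUri comes from trusted configuration.
            UriBuilder appUri = new UriBuilder(description.ApplicationUri);
            if (appUri.Scheme == "http" && !string.IsNullOrEmpty(appUri.Host))
            {
                var path = appUri.Path.Trim('/');
                if (!string.IsNullOrEmpty(path))
                {
                    subjectName = $"CN={path}, DC={appUri.Host}";
                }
            }

            if (appUri.Scheme == "urn")
            {
                var parts = appUri.Path.Split(new[] { ':' }, 2);
                if (parts.Length == 2)
                {
                    subjectName = $"CN={parts[1]}, DC={parts[0]}";
                }
            }

            if (subjectName == null)
            {
                throw new ArgumentOutOfRangeException(nameof(description), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
            }

            List<X509Certificate2> foundCerts = new List<X509Certificate2>();

            // First check the Local Machine store, then the Current User store.
            // A store that cannot be opened is logged and skipped (best effort).
            foreach (StoreLocation location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
            {
                X509Store store = new X509Store(StoreName.My, location);
                try
                {
                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

                    // validOnly is false: expired or untrusted certificates are collected too.
                    var certs = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectName, false);
                    if (certs.Count > 0)
                    {
                        foundCerts.AddRange(certs.OfType<X509Certificate2>());
                    }
                }
                catch (Exception ex)
                {
                    Log.Warn($"Error opening X509Store '{store}'. {ex.Message}");
                }
                finally
                {
                    store.Dispose();
                }
            }

            // Select the certificate that was created last.
            // NOTE(review): the choice looks only at NotBefore; nothing here checks expiry or that
            // a private key is present, so the caller should verify both before relying on it.
            if (foundCerts.Count > 0)
            {
                X509Certificate2 newest = foundCerts.OrderBy(c => c.NotBefore).Last();
                Log.Info($"Found certificate '{subjectName}'.");
                return newest;
            }

            // Honor the caller's opt-out: without this check a long-lived self-signed certificate
            // was generated and persisted even when createIfNotFound was false.
            if (!createIfNotFound)
            {
                return null;
            }

            X509Certificate2 clientCertificate = null;

            Log.Info($"Creating new certificate '{subjectName}'.");
            try
            {
                // NOTE(review): 25-year validity, KeyCertSign usage and an exportable, persisted
                // private key are generous defaults for an application certificate; confirm they
                // are required by the deployment before keeping them.
                var pfx = CertificateGenerator.CreateSelfSignCertificatePfx(
                    subjectName,
                    DateTime.UtcNow,
                    DateTime.UtcNow.AddYears(25),
                    new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyCertSign, true),
                    new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(EnhancedKeyUsageOids.ServerAuthentication), new Oid(EnhancedKeyUsageOids.ClientAuthentication) }, false),
                    new X509SubjectAlternateNameExtension(new[] { new X509AlternativeName { Type = X509AlternateNameType.Url, Value = description.ApplicationUri } }, true));

                clientCertificate = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.DefaultKeySet);

                // add cert to Current User store.
                X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                try
                {
                    store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
                    store.Add(clientCertificate);
                }
                catch (Exception ex)
                {
                    // The certificate is still returned even though it could not be persisted.
                    Log.Warn($"Error adding certificate to store '{store}'. {ex.Message}");
                }
                finally
                {
                    store.Dispose();
                }
            }
            catch (Exception ex)
            {
                Log.Warn($"Error creating certificate '{subjectName}'. {ex.Message}");
            }

            return clientCertificate;
        }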
예제 #6
 /// <summary>
 /// Reports whether the current user's store with the given name holds a certificate
 /// with the same thumbprint as <paramref name="certificate"/>.
 /// </summary>
 /// <param name="storeName">Name of the CurrentUser store to search.</param>
 /// <param name="certificate">Certificate whose thumbprint is looked up.</param>
 /// <returns>true when at least one certificate with that thumbprint is in the store.</returns>
 static bool StoreContainsCertificate(StoreName storeName, X509Certificate2 certificate)
 {
     X509Certificate2Collection matches = null;
     X509Store userStore = new X509Store(storeName, StoreLocation.CurrentUser);
     try
     {
         userStore.Open(OpenFlags.ReadOnly);

         // validOnly is false: presence is decided on the thumbprint alone, regardless of
         // whether the stored certificate is currently valid.
         matches = userStore.Certificates.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false);

         bool present = matches.Count >= 1;
         return present;
     }
     finally
     {
         SecurityUtils.ResetAllCertificates(matches);
         userStore.Dispose();
     }
 }
예제 #7
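        /// <summary>
        /// Finds a certificate in the "My" store, searching LocalMachine first and then CurrentUser,
        /// by subject name and, if that yields nothing, by thumbprint.
        /// </summary>
        /// <param name="certFindValue">Subject name or thumbprint to search for.</param>
        /// <returns>The first matching certificate from the first store that has a match.</returns>
        /// <exception cref="ArgumentException">No store contains a matching certificate.</exception>
        /// <remarks>
        /// FindBySubjectName is a substring match, and the first hit is returned even when several
        /// certificates match. The search also uses validOnly false. Callers that need a specific
        /// identity should pass a thumbprint and validate the returned certificate.
        /// </remarks>
        static X509Certificate2 GetCertificate(string certFindValue)
        {
            StoreLocation[] locations = new StoreLocation[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser };
            foreach (StoreLocation location in locations)
            {
                X509Store store = new X509Store(StoreName.My, location);
                X509Certificate2Collection collection;

                // try/finally so the store handle is released even when Open or Find throws.
                try
                {
                    store.Open(OpenFlags.OpenExistingOnly);

                    collection = store.Certificates.Find(
                        X509FindType.FindBySubjectName,
                        certFindValue,
                        false);

                    if (collection.Count == 0)
                    {
                        collection = store.Certificates.Find(
                            X509FindType.FindByThumbprint,
                            certFindValue,
                            false);
                    }
                }
                finally
                {
#if DOTNET_CORE
                    store.Dispose();
#else
                    store.Close();
#endif
                }

                if (collection.Count > 0)
                {
                    return collection[0];
                }
            }

            throw new ArgumentException("No certificate can be found using the find value.");
        }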
예제 #8
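        /// <summary>
        /// Finds a certificate by subject name in the given store.
        /// </summary>
        /// <param name="storeLocation">Location of the store to search.</param>
        /// <param name="storeName">Name of the store to search.</param>
        /// <param name="certFindValue">Subject name to search for.</param>
        /// <returns>The first matching certificate.</returns>
        /// <exception cref="ArgumentException">No certificate matches the find value.</exception>
        /// <remarks>
        /// FindBySubjectName is a substring match and the first hit wins, with validOnly false.
        /// The result can therefore be ambiguous or no longer valid; validate it before use.
        /// </remarks>
        static X509Certificate2 GetCertificate(StoreLocation storeLocation, StoreName storeName, string certFindValue)
        {
            X509Store store = new X509Store(storeName, storeLocation);

            // try/finally so the store is also released on the not-found path, which previously
            // threw before the store was closed.
            try
            {
                store.Open(OpenFlags.OpenExistingOnly);
                X509Certificate2Collection collection = store.Certificates.Find(
                    X509FindType.FindBySubjectName,
                    certFindValue,
                    false);
                if (collection.Count == 0)
                {
                    throw new ArgumentException("No certificate can be found using the find value " + certFindValue);
                }

                return collection[0];
            }
            finally
            {
#if DOTNET
                store.Dispose();
#else
                store.Close();
#endif
            }
        }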
예제 #9
        /// <summary>
        /// Get X509 certificate from the certificate store.
        /// </summary>
        /// <param name="certificateName">Certificate name.</param>
        /// <returns>Certificate with the specified name.</returns>
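        private static X509Certificate GetX509Certificate(string certificateName)
        {
            // Searches LocalMachine\My by subject name and returns the first match.
            // FindBySubjectName is a substring match and validOnly is false, so the result may be
            // ambiguous or expired; NOTE(review): confirm the caller validates the certificate.
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            X509Certificate2Collection certs;

            // try/finally so the store handle is released even when Open or Find throws.
            try
            {
                store.Open(OpenFlags.ReadOnly);
                certs = store.Certificates.Find(X509FindType.FindBySubjectName, certificateName, false);
            }
            finally
            {
#if NETSTANDARD
                store.Dispose();
#else
                store.Close();
#endif
            }

            if (certs.Count == 0)
            {
                throw new DicomNetworkException("Unable to find certificate for " + certificateName);
            }

            return certs[0];
        }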
예제 #10
        // Adds the given certificate to the given store unless it is
        // already present.  Returns 'true' if the certificate was added.
        private static bool AddToStoreIfNeeded(StoreName storeName,
                                               StoreLocation storeLocation,
                                               X509Certificate2 certificate)
        {
            // The lock is held for the whole check-then-add sequence, so the lookup and the
            // insertion are not interleaved with another caller holding s_certificateLock.
            lock (s_certificateLock)
            {
                bool alreadyPresent;

                // The store is opened read-write; adding to a certificate store changes what the
                // machine or user trusts or presents, so callers should pass only vetted certificates.
                using (X509Store targetStore = new X509Store(storeName, storeLocation))
                {
                    targetStore.Open(OpenFlags.ReadWrite);

                    X509Certificate2 match = CertificateFromThumbprint(targetStore, certificate.Thumbprint);
                    alreadyPresent = match != null;
                    if (!alreadyPresent)
                    {
                        targetStore.Add(certificate);
                    }
                }

                return !alreadyPresent;
            }
        }