public static bool AddCertificateToStore(uint httpsPort)
{
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
try {
store.Open(OpenFlags.ReadWrite);
} catch {
Out.Error(AuthenticationNeeded);
return false;
}
var cert = new X509Certificate2(
CreateSelfSignCertificatePfx(X509SubjectName, DateTime.Now.AddDays(-1), DateTime.Now.AddYears(1), CertificatePassword),
CertificatePassword,
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
cert.FriendlyName = "Stubby4net Certificate";
var existingCerts = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, cert.Subject, false);
if(existingCerts.Count == 0)
store.Add(cert);
else
cert = existingCerts[0];
store.Close();
var netshArgs = String.Format(NetshArgs, httpsPort, cert.GetCertHashString(), "{" + Stubby.Guid + "}");
var netsh = new ProcessStartInfo("netsh", netshArgs)
{
Verb = "runas",
CreateNoWindow = true,
WindowStyle = ProcessWindowStyle.Hidden,
UseShellExecute = true
};
try {
var process = Process.Start(netsh);
process.WaitForExit();
Console.Out.WriteLine(process.ExitCode);
if(process.ExitCode == 0)
return true;
} catch {
}
var httpcfgArgs = String.Format(HttpcfgArgs, httpsPort, cert.GetCertHashString());
var httpcfg = new ProcessStartInfo("httpcfg", httpcfgArgs)
{
Verb = "runas",
CreateNoWindow = true,
WindowStyle = ProcessWindowStyle.Hidden,
UseShellExecute = true
};
try {
var process = Process.Start(httpcfg);
process.WaitForExit();
return process.ExitCode == 0;
} catch {
return false;
}
}
// Helper methods
private static void IndexFolder(string folderName, StringBuilder sb, bool noProgress, bool verify)
{
// Process all file in folder
foreach (var fileName in Directory.GetFiles(folderName))
{
if (!_certExts.Contains(Path.GetExtension(fileName).ToLowerInvariant()))
{
continue;
}
// Get basic cert properties
var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(fileName);
var serialNumberHex = "0x" + cert.GetSerialNumberString();
var serialNumberDec = uint.Parse(cert.GetSerialNumberString(), System.Globalization.NumberStyles.HexNumber);
var email = cert.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.EmailName, false);
var domain = email.Substring(email.IndexOf('@') + 1);
var name = cert.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.SimpleName, false);
if (!noProgress)
{
Console.Write($"0x{serialNumberHex,-8} {email,-40} {name,-30} ");
}
// Verify certificate
var status = "Unknown";
if (verify)
{
var certValid = ValidateCertificate(cert);
status = certValid ? "OK" : "Revoked";
}
if (!noProgress)
{
Console.WriteLine(status);
}
// Add line to index
sb.AppendLine(string.Join(CSV_SEPARATOR,
serialNumberHex,
serialNumberDec,
cert.GetCertHashString(),
cert.NotBefore.ToString("yyyy-MM-dd"),
cert.NotAfter.ToString("yyyy-MM-dd"),
cert.PublicKey.Key.KeySize,
status,
domain,
name,
email,
cert.Issuer,
cert.Subject));
}
// Crafl subfolders
foreach (var subFolderName in Directory.GetDirectories(folderName))
{
IndexFolder(subFolderName, sb, noProgress, verify);
}
}
public static Dictionary <string, string> ParseCert(byte[] certDER)
{
var ret = new Dictionary <string, string>();
try {
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certDER);
//logger.Debug("X.509v3証明書の発行先であるプリンシパルの名前(古い形式)");
//logger.Debug(x509.GetName());
ret.Add("X.509v3証明書の形式の名前", x509.GetFormat());
ret.Add("バージョン", $"{x509.Version}");
ret.Add("シリアル番号", x509.GetSerialNumberString());
ret.Add("署名アルゴリズム", x509.SignatureAlgorithm.FriendlyName);
ret.Add("証明書を発行した証明機関の名前", x509.Issuer);
ret.Add("サブジェクトの識別名", x509.Subject);
ret.Add("証明書のハッシュ値の16進文字列", x509.GetCertHashString());
ret.Add("証明書の発効日", x509.GetEffectiveDateString());
ret.Add("証明書の失効日", x509.GetExpirationDateString());
ret.Add("キーアルゴリズム情報", x509.GetKeyAlgorithm());
ret.Add("キーアルゴリズムパラメータ", x509.GetKeyAlgorithmParametersString());
ret.Add("公開鍵", x509.GetPublicKeyString());
foreach (var extension in x509.Extensions)
{
/*
* if (extension.Oid.FriendlyName == "キー使用法") {
* var ext = (X509KeyUsageExtension)extension;
* ret.Add("Extension キー使用法", ext.KeyUsages.ToString());
* }
* if (extension.Oid.FriendlyName == "拡張キー使用法") {
* var ext = (X509EnhancedKeyUsageExtension)extension;
* string value = "";
* var oids = ext.EnhancedKeyUsages;
* foreach (var oid in oids) {
* value = value + oid.FriendlyName + "(" + oid.Value + ")";
* }
* ret.Add("Extension 拡張キー使用法", value);
* }
*/
ret.Add($"- Extension {extension.Oid.FriendlyName}", extension.Oid.Value);
}
//logger.Debug("X.509v3証明書を発行した証明機関の名前(古い形式)");
//logger.Debug(x509.GetIssuerName());
//logger.Debug("X.509証明書全体の生データ");
//logger.Debug(x509.GetRawCertDataString());
} catch (Exception ex) {
logger.Debug(ex);
}
return(ret);
}
public byte[] InstallCertificateWithPrivateKey(string certificatePath, string certificateStoreName, RSAParameters privateKey)
{
var certificateBytes = File.ReadAllBytes(certificatePath);
var x509 = new X509Certificate2(certificateBytes, (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
var csp = new CspParameters { KeyContainerName = x509.GetCertHashString(), Flags = CspProviderFlags.UseMachineKeyStore };
var rsa = new RSACryptoServiceProvider(csp);
rsa.ImportParameters(privateKey);
x509.PrivateKey = rsa;
Info($"Installing certificate private key to localmachine\\{certificateStoreName}, container name {csp.KeyContainerName}");
InstallCertificateToStore(x509, certificateStoreName);
return x509.GetCertHash();
}
public TlsServerSession (X509Certificate2 cert, bool mutual)
{
this.mutual = mutual;
stream = new MemoryStream ();
ssl = new SslServerStream (stream, cert, mutual, true, SecurityProtocolType.Tls);
ssl.PrivateKeyCertSelectionDelegate = delegate (X509Certificate c, string host) {
if (c.GetCertHashString () == cert.GetCertHashString ())
return cert.PrivateKey;
return null;
};
ssl.ClientCertValidationDelegate = delegate (X509Certificate certificate, int[] certificateErrors) {
// FIXME: use X509CertificateValidator
return true;
};
}
public void Should_install_a_x509_certificate_and_update_bindings()
{
// Arrange
var x509 = new X509Certificate2(Encoding.ASCII.GetBytes(TestCertificate), (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
var sut = new IISServerConfigurationProvider();
var asn1Parser = new Asn1Parser();
var rsaParser = new PrivateKeyParser(asn1Parser);
var privateKey = rsaParser.ParsePem(TestPrivateKey).Key;
var csp = new CspParameters { KeyContainerName = x509.GetCertHashString(), Flags = CspProviderFlags.UseMachineKeyStore };
var rsa2 = new RSACryptoServiceProvider(csp);
rsa2.ImportParameters(privateKey);
x509.PrivateKey = rsa2;
// Act
sut.ConfigureServer("test.startliste.info", x509.GetCertHash(), "my", null, null);
}
public bool AddCertificateFromPfxToIPPort(String host, String port, String pfxFile, System.Security.SecureString password)
{
if (!File.Exists(pfxFile))
{
throw new Exception($"File {pfxFile} does not exist");
}
System.Security.Cryptography.X509Certificates.X509Certificate2 pfx = null;
try
{
pfx = new System.Security.Cryptography.X509Certificates.X509Certificate2(pfxFile, password);
}
catch (Exception ex)
{
ServerComms.LogError($@"Unable to add the cert {pfxFile} to ipport={host}:{port} Error: {ex.Message}");
return(false);
}
return(AddCertificateToIPPort(host, port, pfx.GetCertHashString()));
}
public override void AssignSession(Session oS)
{
base.AssignSession(oS);
var dataItems = new List<DataItem>();
dataItems.Add(new DataItem("Is Https", oS.isHTTPS));
if (oS.isHTTPS && oS.oFlags.ContainsKey(CertificateStorage.CeritificateRequestPropertyName))
{
try
{
var thumbprint = oS.oFlags[CertificateStorage.CeritificateRequestPropertyName];
FiddlerApplication.Log.LogString(thumbprint);
if (CertificateStorage.Certificates.ContainsKey(thumbprint))
{
var certificate = CertificateStorage.Certificates[thumbprint];
var cert = new X509Certificate2(certificate);
_informationTab.Certificate = cert;
//most commonly desired information up top.
dataItems.InsertRange(0, new[] { new DataItem("FriendlyName", cert.FriendlyName),
new DataItem("Subject", cert.Subject),
new DataItem("Issuer", cert.Issuer),
new DataItem("Effective Date", cert.GetEffectiveDateString()),
new DataItem("Expiration Date", cert.GetExpirationDateString()),
new DataItem("Thumbprint", cert.Thumbprint),
new DataItem("------------------------", "------------------------")});
//alphabatized data properties below
dataItems.Add(new DataItem("Archived", cert.Archived));
dataItems.Add(new DataItem("FriendlyName", cert.FriendlyName));
dataItems.Add(new DataItem("Certficate Hash", cert.GetCertHashString()));
dataItems.Add(new DataItem("Certificate Format", cert.GetFormat()));
dataItems.Add(new DataItem("Effective Date", cert.GetEffectiveDateString()));
dataItems.Add(new DataItem("Expiration Date", cert.GetExpirationDateString()));
dataItems.Add(new DataItem("Full Issuer Name", cert.IssuerName.Format(true)));
dataItems.Add(new DataItem("Full Subject Name", cert.SubjectName.Format(true)));
dataItems.Add(new DataItem("Has Private Key", cert.HasPrivateKey));
dataItems.Add(new DataItem("Issuer", cert.Issuer));
dataItems.Add(new DataItem("Key Algorithm", cert.GetKeyAlgorithm()));
dataItems.Add(new DataItem("Key Algorithm Parameters", cert.GetKeyAlgorithmParametersString()));
dataItems.Add(new DataItem("Public Key", cert.GetPublicKeyString()));
dataItems.Add(new DataItem("Raw Certificate Data", cert.GetRawCertDataString()));
dataItems.Add(new DataItem("SerialNumberString", cert.GetSerialNumberString()));
dataItems.Add(new DataItem("Subject", cert.Subject));
dataItems.Add(new DataItem("Thumbprint", cert.Thumbprint));
dataItems.Add(new DataItem("Version", cert.Version));
dataItems.Add(new DataItem("------------------------", "------------------------"));
dataItems.Add(new DataItem("Extensions", string.Empty));
dataItems.Add(new DataItem("------------------------", "------------------------"));
foreach (var extension in cert.Extensions)
{
dataItems.Add(new DataItem(extension.Oid.FriendlyName, extension.Format(true)));
}
}
}
catch (Exception ex)
{
FiddlerApplication.Log.LogString("Unexpected error loading the assigned certificate." + ex.Message);
}
}
_informationTab.DataGrid.DataSource = dataItems;
}
public static string GetIssuerCertificate(CertificateRequest certificate, CertificateProvider cp)
{
var linksEnum = certificate.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
var uri = new Uri(new Uri(BaseURI), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var tprint = cacert.Thumbprint;
var sigalg = cacert.SignatureAlgorithm?.FriendlyName;
var sigval = cacert.GetCertHashString();
var cacertDerFile = Path.Combine(certificatePath, $"ca-{sernum}-crt.der");
var cacertPemFile = Path.Combine(certificatePath, $"ca-{sernum}-crt.pem");
if (!File.Exists(cacertDerFile))
File.Copy(tmp, cacertDerFile, true);
Console.WriteLine($" Saving Issuer Certificate to {cacertPemFile}");
Log.Information("Saving Issuer Certificate to {cacertPemFile}", cacertPemFile);
if (!File.Exists(cacertPemFile))
using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
target = new FileStream(cacertPemFile, FileMode.Create))
{
var caCrt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(caCrt, EncodingFormat.PEM, target);
}
return cacertPemFile;
}
finally
{
if (File.Exists(tmp))
File.Delete(tmp);
}
}
}
return null;
}
protected override void ProcessRecord()
{
using (var vp = InitializeVault.GetVaultProvider(VaultProfile))
{
vp.OpenStorage();
var v = vp.LoadVault();
if (v.Registrations == null || v.Registrations.Count < 1)
throw new InvalidOperationException("No registrations found");
var ri = v.Registrations[0];
var r = ri.Registration;
if (v.Certificates == null || v.Certificates.Count < 1)
throw new InvalidOperationException("No certificates found");
var ci = v.Certificates.GetByRef(Ref);
if (ci == null)
throw new Exception("Unable to find a Certificate for the given reference");
if (!LocalOnly)
{
if (ci.CertificateRequest == null)
throw new Exception("Certificate has not been submitted yet; cannot update status");
using (var c = ClientHelper.GetClient(v, ri))
{
c.Init();
c.GetDirectory(true);
c.RefreshCertificateRequest(ci.CertificateRequest, UseBaseURI);
}
if ((Repeat || string.IsNullOrEmpty(ci.CrtPemFile))
&& !string.IsNullOrEmpty(ci.CertificateRequest.CertificateContent))
{
var crtDerFile = $"{ci.Id}-crt.der";
var crtPemFile = $"{ci.Id}-crt.pem";
var crtDerAsset = vp.ListAssets(crtDerFile, VaultAssetType.CrtDer).FirstOrDefault();
var crtPemAsset = vp.ListAssets(crtPemFile, VaultAssetType.CrtPem).FirstOrDefault();
if (crtDerAsset == null)
crtDerAsset = vp.CreateAsset(VaultAssetType.CrtDer, crtDerFile);
if (crtPemAsset == null)
crtPemAsset = vp.CreateAsset(VaultAssetType.CrtPem, crtPemFile);
using (var s = vp.SaveAsset(crtDerAsset))
{
ci.CertificateRequest.SaveCertificate(s);
ci.CrtDerFile = crtDerFile;
}
using (Stream source = vp.LoadAsset(crtDerAsset), target = vp.SaveAsset(crtPemAsset))
{
CsrHelper.Crt.ConvertDerToPem(source, target);
ci.CrtPemFile = crtPemFile;
}
var crt = new X509Certificate2(ci.CertificateRequest.GetCertificateContent());
ci.SerialNumber = crt.SerialNumber;
ci.Thumbprint = crt.Thumbprint;
ci.SignatureAlgorithm = crt.SignatureAlgorithm?.FriendlyName;
ci.Signature = crt.GetCertHashString();
}
if (Repeat || string.IsNullOrEmpty(ci.IssuerSerialNumber))
{
var linksEnum = ci.CertificateRequest.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
if (v.Proxy != null)
web.Proxy = v.Proxy.GetWebProxy();
var uri = new Uri(new Uri(v.BaseURI), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var tprint = cacert.Thumbprint;
var sigalg = cacert.SignatureAlgorithm?.FriendlyName;
var sigval = cacert.GetCertHashString();
if (v.IssuerCertificates == null)
v.IssuerCertificates = new OrderedNameMap<IssuerCertificateInfo>();
if (Repeat || !v.IssuerCertificates.ContainsKey(sernum))
{
var cacertDerFile = $"ca-{sernum}-crt.der";
var cacertPemFile = $"ca-{sernum}-crt.pem";
var issuerDerAsset = vp.ListAssets(cacertDerFile,
VaultAssetType.IssuerDer).FirstOrDefault();
var issuerPemAsset = vp.ListAssets(cacertPemFile,
VaultAssetType.IssuerPem).FirstOrDefault();
if (Repeat || issuerDerAsset == null)
{
if (issuerDerAsset == null)
issuerDerAsset = vp.CreateAsset(VaultAssetType.IssuerDer, cacertDerFile);
using (Stream fs = new FileStream(tmp, FileMode.Open),
s = vp.SaveAsset(issuerDerAsset))
{
fs.CopyTo(s);
}
}
if (Repeat || issuerPemAsset == null)
{
if (issuerPemAsset == null)
issuerPemAsset = vp.CreateAsset(VaultAssetType.IssuerPem, cacertPemFile);
using (Stream source = vp.LoadAsset(issuerDerAsset),
target = vp.SaveAsset(issuerPemAsset))
{
CsrHelper.Crt.ConvertDerToPem(source, target);
}
}
v.IssuerCertificates[sernum] = new IssuerCertificateInfo
{
SerialNumber = sernum,
Thumbprint = tprint,
SignatureAlgorithm = sigalg,
Signature = sigval,
CrtDerFile = cacertDerFile,
CrtPemFile = cacertPemFile,
};
}
ci.IssuerSerialNumber = sernum;
}
finally
{
if (File.Exists(tmp))
File.Delete(tmp);
}
}
}
}
}
v.Alias = StringHelper.IfNullOrEmpty(Alias);
v.Label = StringHelper.IfNullOrEmpty(Label);
v.Memo = StringHelper.IfNullOrEmpty(Memo);
vp.SaveVault(v);
WriteObject(ci);
}
}
static string GetIssuerCertificate(CertificateRequest certificate)
{
var linksEnum = certificate.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
//if (v.Proxy != null)
// web.Proxy = v.Proxy.GetWebProxy();
var uri = new Uri(new Uri(BaseURI), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var tprint = cacert.Thumbprint;
var sigalg = cacert.SignatureAlgorithm?.FriendlyName;
var sigval = cacert.GetCertHashString();
var cacertDerFile = Path.Combine(configPath, $"ca-{sernum}-crt.der");
var cacertPemFile = Path.Combine(configPath, $"ca-{sernum}-crt.pem");
if (!File.Exists(cacertDerFile))
File.Copy(tmp, cacertDerFile, true);
Console.WriteLine($" Saving Issuer Certificate to {cacertPemFile}");
if (!File.Exists(cacertPemFile))
CsrHelper.Crt.ConvertDerToPem(cacertDerFile, cacertPemFile);
return cacertPemFile;
}
finally
{
if (File.Exists(tmp))
File.Delete(tmp);
}
}
}
return null;
}
//
// SECURITY: we open a private key container on behalf of the caller
// and we require the caller to have permission associated with that operation.
// After discussing with X509Certificate2 owners decided to demand KeyContainerPermission (Open)
// At the same time we assert StorePermission on the caller frame since for consistency
// we cannot predict when it will be demanded (SSL session reuse feature)
//
X509Certificate2 EnsurePrivateKey(X509Certificate certificate)
{
if (certificate == null)
return null;
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_locating_private_key_for_certificate, certificate.ToString(true)));
try {
X509Certificate2 certEx = certificate as X509Certificate2;
Type t = certificate.GetType();
string certHash = null;
// Protecting from X509Certificate2 derived classes
if (t != typeof(X509Certificate2) && t != typeof(X509Certificate))
{
if (certificate.Handle != IntPtr.Zero)
{
certEx = new X509Certificate2(certificate);
certHash = certEx.GetCertHashString();
}
}
else
{
certHash = certificate.GetCertHashString();
}
if (certEx != null)
{
if (certEx.HasPrivateKey)
{
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_cert_is_of_type_2));
return certEx;
}
if ((object)certificate != (object) certEx)
certEx.Reset();
}
//
// The certificate doesn't have a private key, so we need
// to open the store and search for it there. Demand the
// KeyContainerPermission with Open access before opening
// the store. If store.Open() or store.Cert.Find()
// demand the same permissions, then we should remove our
// demand here.
//
#if FEATURE_MONO_CAS
ExceptionHelper.KeyContainerPermissionOpen.Demand();
#endif
X509Certificate2Collection collectionEx;
// ELSE Try MY user and machine stores for private key check
// For server side mode MY machine store takes priority
X509Store store = EnsureStoreOpened(m_ServerMode);
if (store != null)
{
collectionEx = store.Certificates.Find(X509FindType.FindByThumbprint, certHash, false);
if (collectionEx.Count > 0 && collectionEx[0].HasPrivateKey)
{
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_found_cert_in_store, (m_ServerMode ? "LocalMachine" : "CurrentUser")));
return collectionEx[0];
}
}
store = EnsureStoreOpened(!m_ServerMode);
if (store != null)
{
collectionEx = store.Certificates.Find(X509FindType.FindByThumbprint, certHash, false);
if (collectionEx.Count > 0 && collectionEx[0].HasPrivateKey)
{
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_found_cert_in_store, (m_ServerMode ? "CurrentUser" : "LocalMachine")));
return collectionEx[0];
}
}
}
catch (CryptographicException) {
}
if (Logging.On) Logging.PrintInfo(Logging.Web, this, SR.GetString(SR.net_log_did_not_find_cert_in_store));
return null;
}
public override void Validate(X509Certificate2 certificate)
{
if(!_certs.ContainsKey(certificate.GetCertHashString()))
{
throw new SecurityTokenException("invalid certificate");
}
}
public X509Certificate2Collection Find(X509FindType findType, object findValue, bool validOnly)
{
if (findValue == null)
{
throw new ArgumentNullException("findValue");
}
string text = string.Empty;
string text2 = string.Empty;
X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.None;
DateTime t = DateTime.MinValue;
switch (findType)
{
case X509FindType.FindByThumbprint:
case X509FindType.FindBySubjectName:
case X509FindType.FindBySubjectDistinguishedName:
case X509FindType.FindByIssuerName:
case X509FindType.FindByIssuerDistinguishedName:
case X509FindType.FindBySerialNumber:
case X509FindType.FindByTemplateName:
case X509FindType.FindBySubjectKeyIdentifier:
try
{
text = (string)findValue;
}
catch (Exception inner)
{
string text3 = Locale.GetText("Invalid find value type '{0}', expected '{1}'.", new object[]
{
findValue.GetType(),
"string"
});
throw new CryptographicException(text3, inner);
}
break;
case X509FindType.FindByTimeValid:
case X509FindType.FindByTimeNotYetValid:
case X509FindType.FindByTimeExpired:
try
{
t = (DateTime)findValue;
}
catch (Exception inner2)
{
string text4 = Locale.GetText("Invalid find value type '{0}', expected '{1}'.", new object[]
{
findValue.GetType(),
"X509DateTime"
});
throw new CryptographicException(text4, inner2);
}
break;
case X509FindType.FindByApplicationPolicy:
case X509FindType.FindByCertificatePolicy:
case X509FindType.FindByExtension:
try
{
text2 = (string)findValue;
}
catch (Exception inner3)
{
string text5 = Locale.GetText("Invalid find value type '{0}', expected '{1}'.", new object[]
{
findValue.GetType(),
"X509KeyUsageFlags"
});
throw new CryptographicException(text5, inner3);
}
try
{
CryptoConfig.EncodeOID(text2);
}
catch (CryptographicUnexpectedOperationException)
{
string text6 = Locale.GetText("Invalid OID value '{0}'.", new object[]
{
text2
});
throw new ArgumentException("findValue", text6);
}
break;
case X509FindType.FindByKeyUsage:
try
{
x509KeyUsageFlags = (X509KeyUsageFlags)((int)findValue);
}
catch (Exception inner4)
{
string text7 = Locale.GetText("Invalid find value type '{0}', expected '{1}'.", new object[]
{
findValue.GetType(),
"X509KeyUsageFlags"
});
throw new CryptographicException(text7, inner4);
}
break;
default:
{
string text8 = Locale.GetText("Invalid find type '{0}'.", new object[]
{
findType
});
throw new CryptographicException(text8);
}
}
CultureInfo invariantCulture = CultureInfo.InvariantCulture;
X509Certificate2Collection x509Certificate2Collection = new X509Certificate2Collection();
foreach (object obj in base.InnerList)
{
X509Certificate2 x509Certificate = (X509Certificate2)obj;
bool flag = false;
switch (findType)
{
case X509FindType.FindByThumbprint:
flag = (string.Compare(text, x509Certificate.Thumbprint, true, invariantCulture) == 0 || string.Compare(text, x509Certificate.GetCertHashString(), true, invariantCulture) == 0);
break;
case X509FindType.FindBySubjectName:
{
string nameInfo = x509Certificate.GetNameInfo(X509NameType.SimpleName, false);
flag = (nameInfo.IndexOf(text, StringComparison.InvariantCultureIgnoreCase) >= 0);
break;
}
case X509FindType.FindBySubjectDistinguishedName:
flag = (string.Compare(text, x509Certificate.Subject, true, invariantCulture) == 0);
break;
case X509FindType.FindByIssuerName:
{
string nameInfo2 = x509Certificate.GetNameInfo(X509NameType.SimpleName, true);
flag = (nameInfo2.IndexOf(text, StringComparison.InvariantCultureIgnoreCase) >= 0);
break;
}
case X509FindType.FindByIssuerDistinguishedName:
flag = (string.Compare(text, x509Certificate.Issuer, true, invariantCulture) == 0);
break;
case X509FindType.FindBySerialNumber:
flag = (string.Compare(text, x509Certificate.SerialNumber, true, invariantCulture) == 0);
break;
case X509FindType.FindByTimeValid:
flag = (t >= x509Certificate.NotBefore && t <= x509Certificate.NotAfter);
break;
case X509FindType.FindByTimeNotYetValid:
flag = (t < x509Certificate.NotBefore);
break;
case X509FindType.FindByTimeExpired:
flag = (t > x509Certificate.NotAfter);
break;
case X509FindType.FindByApplicationPolicy:
flag = (x509Certificate.Extensions.Count == 0);
break;
case X509FindType.FindByExtension:
flag = (x509Certificate.Extensions[text2] != null);
break;
case X509FindType.FindByKeyUsage:
{
X509KeyUsageExtension x509KeyUsageExtension = x509Certificate.Extensions["2.5.29.15"] as X509KeyUsageExtension;
flag = (x509KeyUsageExtension == null || (x509KeyUsageExtension.KeyUsages & x509KeyUsageFlags) == x509KeyUsageFlags);
break;
}
case X509FindType.FindBySubjectKeyIdentifier:
{
X509SubjectKeyIdentifierExtension x509SubjectKeyIdentifierExtension = x509Certificate.Extensions["2.5.29.14"] as X509SubjectKeyIdentifierExtension;
if (x509SubjectKeyIdentifierExtension != null)
{
flag = (string.Compare(text, x509SubjectKeyIdentifierExtension.SubjectKeyIdentifier, true, invariantCulture) == 0);
}
break;
}
}
if (flag)
{
if (validOnly)
{
try
{
if (x509Certificate.Verify())
{
x509Certificate2Collection.Add(x509Certificate);
}
}
catch
{
}
}
else
{
x509Certificate2Collection.Add(x509Certificate);
}
}
}
return(x509Certificate2Collection);
}
static void Main(string[] args)
{
if (args.Length > 1 && args[0].EndsWith(".pfx"))
{
var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(args[0], args[1]);
Console.WriteLine(cert.GetCertHashString());
return;
}
//固定当前工作目录
System.IO.Directory.SetCurrentDirectory(AppDomain.CurrentDomain.BaseDirectory);
var builder = new ConfigurationBuilder();
builder.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true);
var configuration = builder.Build();
var port = configuration.GetValue <int>("Port");
CommandArgParser cmdArg = new CommandArgParser(args);
port = cmdArg.TryGetValue <int>("port", port);
var datafolder = configuration.GetValue <string>("DataFolder");
if (!System.IO.Directory.Exists(datafolder))
{
System.IO.Directory.CreateDirectory(datafolder);
}
datafolder = cmdArg.TryGetValue <string>("DataFolder", datafolder);
ServiceCollection services = new ServiceCollection();
services.AddLogging(loggingBuilder =>
{
loggingBuilder.AddConfiguration(configuration.GetSection("Logging"));
loggingBuilder.AddConsole(); // 将日志输出到控制台
});
services.AddSingleton <IConfiguration>(configuration);
services.AddSingleton <GatewayRefereeClient>();
services.AddSingleton <IRequestReception, RequestReception>();
services.AddSingleton <ICommandHandlerManager, CommandHandlerManager>();
services.AddSingleton <Gateway>();
services.AddSingleton <LockKeyManager>();
services.AddTransient <IMicroServiceReception, MicroServiceReception>();
services.AddSingleton <TransactionIdBuilder>();
services.AddSingleton <FileChangeWatcher>();
services.AddTransient <ListenFileChangeReception>();
var assembly = Assembly.Load(configuration.GetValue <string>("ServiceProviderAllocator:Assembly"));
var serviceProviderAllocatorType = assembly.GetType(configuration.GetValue <string>("ServiceProviderAllocator:FullName"));
var serviceProviderAllocator = (IServiceProviderAllocator)Activator.CreateInstance(serviceProviderAllocatorType);
services.AddSingleton <IServiceProviderAllocator>(serviceProviderAllocator);
var serviceProvider = services.BuildServiceProvider();
serviceProvider.GetService <LockKeyManager>();
serviceProvider.GetService <FileChangeWatcher>();
//启动GatewayRefereeClient,申请成为主网关
serviceProvider.GetService <GatewayRefereeClient>();
var gateway = serviceProvider.GetService <Gateway>();
//SSL
var certPath = configuration.GetValue <string>("SSL:Cert");
if (!string.IsNullOrEmpty(certPath))
{
gateway.ServerCert = new System.Security.Cryptography.X509Certificates.X509Certificate2(certPath, configuration.GetValue <string>("SSL:Password"));
gateway.AcceptCertHash = configuration.GetSection("SSL:AcceptCertHash").Get <string[]>();
}
gateway.ServiceProvider = serviceProvider;
gateway.Run(port);
}
protected override void ProcessRecord()
{
using (var vp = InitializeVault.GetVaultProvider(VaultProfile))
{
vp.OpenStorage();
var v = vp.LoadVault();
if (v.Registrations == null || v.Registrations.Count < 1)
throw new InvalidOperationException("No registrations found");
var ri = v.Registrations[0];
var r = ri.Registration;
if (v.Certificates == null || v.Certificates.Count < 1)
throw new InvalidOperationException("No certificates found");
var ci = v.Certificates.GetByRef(Ref);
if (ci == null)
throw new Exception("Unable to find a Certificate for the given reference");
using (var cp = CertificateProvider.GetProvider())
{
if (!string.IsNullOrEmpty(ci.GenerateDetailsFile))
{
// Generate a private key and CSR:
// Key: RSA 2048-bit
// MD: SHA 256
// CSR: Details pulled from CSR Details JSON file
CsrDetails csrDetails;
var csrDetailsAsset = vp.GetAsset(VaultAssetType.CsrDetails, ci.GenerateDetailsFile);
using (var s = vp.LoadAsset(csrDetailsAsset))
{
csrDetails = JsonHelper.Load<CsrDetails>(s);
}
var keyGenFile = $"{ci.Id}-gen-key.json";
var keyPemFile = $"{ci.Id}-key.pem";
var csrGenFile = $"{ci.Id}-gen-csr.json";
var csrPemFile = $"{ci.Id}-csr.pem";
var keyGenAsset = vp.CreateAsset(VaultAssetType.KeyGen, keyGenFile);
var keyPemAsset = vp.CreateAsset(VaultAssetType.KeyPem, keyPemFile);
var csrGenAsset = vp.CreateAsset(VaultAssetType.CsrGen, csrGenFile);
var csrPemAsset = vp.CreateAsset(VaultAssetType.CsrPem, csrPemFile);
var genKeyParams = new RsaPrivateKeyParams();
var genKey = cp.GeneratePrivateKey(genKeyParams);
using (var s = vp.SaveAsset(keyGenAsset))
{
cp.SavePrivateKey(genKey, s);
}
using (var s = vp.SaveAsset(keyPemAsset))
{
cp.ExportPrivateKey(genKey, EncodingFormat.PEM, s);
}
// TODO: need to surface details of the CSR params up higher
var csrParams = new CsrParams
{
Details = csrDetails
};
var genCsr = cp.GenerateCsr(csrParams, genKey, Crt.MessageDigest.SHA256);
using (var s = vp.SaveAsset(csrGenAsset))
{
cp.SaveCsr(genCsr, s);
}
using (var s = vp.SaveAsset(csrPemAsset))
{
cp.ExportCsr(genCsr, EncodingFormat.PEM, s);
}
ci.KeyPemFile = keyPemFile;
ci.CsrPemFile = csrPemFile;
}
byte[] derRaw;
var asset = vp.GetAsset(VaultAssetType.CsrPem, ci.CsrPemFile);
// Convert the stored CSR in PEM format to DER
using (var source = vp.LoadAsset(asset))
{
var csr = cp.ImportCsr(EncodingFormat.PEM, source);
using (var target = new MemoryStream())
{
cp.ExportCsr(csr, EncodingFormat.DER, target);
derRaw = target.ToArray();
}
}
var derB64u = JwsHelper.Base64UrlEncode(derRaw);
using (var c = ClientHelper.GetClient(v, ri))
{
c.Init();
c.GetDirectory(true);
ci.CertificateRequest = c.RequestCertificate(derB64u);
}
if (!string.IsNullOrEmpty(ci.CertificateRequest.CertificateContent))
{
var crtDerFile = $"{ci.Id}-crt.der";
var crtPemFile = $"{ci.Id}-crt.pem";
var crtDerBytes = ci.CertificateRequest.GetCertificateContent();
var crtDerAsset = vp.CreateAsset(VaultAssetType.CrtDer, crtDerFile);
var crtPemAsset = vp.CreateAsset(VaultAssetType.CrtPem, crtPemFile);
using (Stream source = new MemoryStream(crtDerBytes),
derTarget = vp.SaveAsset(crtDerAsset),
pemTarget = vp.SaveAsset(crtPemAsset))
{
var crt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(crt, EncodingFormat.DER, derTarget);
ci.CrtDerFile = crtDerFile;
cp.ExportCertificate(crt, EncodingFormat.PEM, pemTarget);
ci.CrtPemFile = crtPemFile;
}
// Extract a few pieces of info from the issued
// cert that we like to have quick access to
var x509 = new X509Certificate2(ci.CertificateRequest.GetCertificateContent());
ci.SerialNumber = x509.SerialNumber;
ci.Thumbprint = x509.Thumbprint;
ci.SignatureAlgorithm = x509.SignatureAlgorithm?.FriendlyName;
ci.Signature = x509.GetCertHashString();
}
}
vp.SaveVault(v);
WriteObject(ci);
}
}
private static void SetupSecureEnvironment(X509Certificate2 certificate, string port)
{
SecurityHelper.PrepareEnvironment("serverCert.pfx", port, WindowsIdentity.GetCurrent().Name, "security");
ServicePointManager.ServerCertificateValidationCallback +=
(sender, cert, chan, sslPolicyErrors) => cert.GetCertHashString() == certificate.GetCertHashString();
}
protected override void ProcessRecord()
{
using (var vlt = Util.VaultHelper.GetVault(VaultProfile))
{
vlt.OpenStorage();
var v = vlt.LoadVault();
if (v.Registrations == null || v.Registrations.Count < 1)
throw new InvalidOperationException("No registrations found");
var ri = v.Registrations[0];
var r = ri.Registration;
if (v.Certificates == null || v.Certificates.Count < 1)
throw new InvalidOperationException("No certificates found");
var ci = v.Certificates.GetByRef(CertificateRef, throwOnMissing: false);
if (ci == null)
throw new Exception("Unable to find a Certificate for the given reference");
// If we're renaming the Alias, do that
// first in case there are any problems
if (NewAlias != null)
{
v.Certificates.Rename(CertificateRef, NewAlias);
ci.Alias = NewAlias == "" ? null : NewAlias;
}
if (!LocalOnly)
{
if (ci.CertificateRequest == null)
throw new Exception("Certificate has not been submitted yet; cannot update status");
using (var c = ClientHelper.GetClient(v, ri))
{
c.Init();
c.GetDirectory(true);
c.RefreshCertificateRequest(ci.CertificateRequest, UseBaseUri);
}
if ((Repeat || string.IsNullOrEmpty(ci.CrtPemFile))
&& !string.IsNullOrEmpty(ci.CertificateRequest.CertificateContent))
{
var crtDerFile = $"{ci.Id}-crt.der";
var crtPemFile = $"{ci.Id}-crt.pem";
var crtDerAsset = vlt.ListAssets(crtDerFile, VaultAssetType.CrtDer).FirstOrDefault();
var crtPemAsset = vlt.ListAssets(crtPemFile, VaultAssetType.CrtPem).FirstOrDefault();
if (crtDerAsset == null)
crtDerAsset = vlt.CreateAsset(VaultAssetType.CrtDer, crtDerFile);
if (crtPemAsset == null)
crtPemAsset = vlt.CreateAsset(VaultAssetType.CrtPem, crtPemFile);
using (var cp = PkiHelper.GetPkiTool(
StringHelper.IfNullOrEmpty(PkiTool, v.PkiTool)))
{
var bytes = ci.CertificateRequest.GetCertificateContent();
using (Stream source = new MemoryStream(bytes),
derTarget = vlt.SaveAsset(crtDerAsset),
pemTarget = vlt.SaveAsset(crtPemAsset))
{
var crt = cp.ImportCertificate(EncodingFormat.DER, source);
// We're saving the DER format cert "through"
// the CP in order to validate its content
cp.ExportCertificate(crt, EncodingFormat.DER, derTarget);
ci.CrtDerFile = crtDerFile;
cp.ExportCertificate(crt, EncodingFormat.PEM, pemTarget);
ci.CrtPemFile = crtPemFile;
}
}
var x509 = new X509Certificate2(ci.CertificateRequest.GetCertificateContent());
ci.SerialNumber = x509.SerialNumber;
ci.Thumbprint = x509.Thumbprint;
ci.SignatureAlgorithm = x509.SignatureAlgorithm?.FriendlyName;
ci.Signature = x509.GetCertHashString();
}
if (Repeat || string.IsNullOrEmpty(ci.IssuerSerialNumber))
{
var linksEnum = ci.CertificateRequest.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
// We need to save the ICA certificate to a local
// temp file so that we can read it in and store
// it properly as a vault asset through a stream
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
if (v.Proxy != null)
web.Proxy = v.Proxy.GetWebProxy();
var uri = new Uri(new Uri(v.BaseUri), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var tprint = cacert.Thumbprint;
var sigalg = cacert.SignatureAlgorithm?.FriendlyName;
var sigval = cacert.GetCertHashString();
if (v.IssuerCertificates == null)
v.IssuerCertificates = new OrderedNameMap<IssuerCertificateInfo>();
if (Repeat || !v.IssuerCertificates.ContainsKey(sernum))
{
var cacertDerFile = $"ca-{sernum}-crt.der";
var cacertPemFile = $"ca-{sernum}-crt.pem";
var issuerDerAsset = vlt.ListAssets(cacertDerFile,
VaultAssetType.IssuerDer).FirstOrDefault();
var issuerPemAsset = vlt.ListAssets(cacertPemFile,
VaultAssetType.IssuerPem).FirstOrDefault();
if (Repeat || issuerDerAsset == null)
{
if (issuerDerAsset == null)
issuerDerAsset = vlt.CreateAsset(VaultAssetType.IssuerDer, cacertDerFile);
using (Stream fs = new FileStream(tmp, FileMode.Open),
s = vlt.SaveAsset(issuerDerAsset))
{
fs.CopyTo(s);
}
}
if (Repeat || issuerPemAsset == null)
{
if (issuerPemAsset == null)
issuerPemAsset = vlt.CreateAsset(VaultAssetType.IssuerPem, cacertPemFile);
using (var cp = PkiHelper.GetPkiTool(
StringHelper.IfNullOrEmpty(PkiTool, v.PkiTool)))
{
using (Stream source = vlt.LoadAsset(issuerDerAsset),
target = vlt.SaveAsset(issuerPemAsset))
{
var crt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(crt, EncodingFormat.PEM, target);
}
}
}
v.IssuerCertificates[sernum] = new IssuerCertificateInfo
{
SerialNumber = sernum,
Thumbprint = tprint,
SignatureAlgorithm = sigalg,
Signature = sigval,
CrtDerFile = cacertDerFile,
CrtPemFile = cacertPemFile,
};
}
ci.IssuerSerialNumber = sernum;
}
finally
{
if (File.Exists(tmp))
File.Delete(tmp);
}
}
}
}
}
ci.Label = StringHelper.IfNullOrEmpty(Label);
ci.Memo = StringHelper.IfNullOrEmpty(Memo);
vlt.SaveVault(v);
WriteObject(ci);
}
}
/// <summary>
/// Adds a certificate to the Azure certificate store
/// </summary>
private IAsyncAzureOperation AddCertificateToAzureStore(X509Certificate2 certificate, string password)
{
AzureManagementClient client = new AzureManagementClient(this.certificate, this.subscriptionId);
AzureManagementResponse response;
IEnumerable<X509Certificate2> currentCerts = this.EnumerateServiceCertificates(CertificateLocation.AzureManagement);
foreach (X509Certificate2 existingCert in currentCerts)
{
if (existingCert.Thumbprint == certificate.Thumbprint &&
existingCert.Thumbprint != null &&
existingCert.GetCertHashString() == certificate.GetCertHashString())
{
return new AsyncAzureOperation(this, string.Empty, true);
}
// If the certificate does not match, but has a matching name we should delete it
if (string.Equals(existingCert.SubjectName.Name, certificate.SubjectName.Name))
{
// Delete the certificate using Azure APIs
response = client.SubmitRequest(
RequestType.DELETE,
"2009-10-01",
"services/hostedservices/{0}/certificates/SHA1-{1}",
this.serviceName,
existingCert.Thumbprint
);
IAsyncAzureOperation op = new AsyncAzureOperation(this, response.OperationId, false);
op.WaitForCompletion(TimeSpan.FromSeconds(30));
}
}
string request =
"<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
"<CertificateFile xmlns=\"http://schemas.microsoft.com/windowsazure\">" +
"<Data>{0}</Data>" +
"<CertificateFormat>pfx</CertificateFormat>" +
"<Password>{1}</Password>" +
"</CertificateFile>";
byte[] content = certificate.Export(X509ContentType.Pfx, password);
request = string.Format(request, Convert.ToBase64String(content), System.Security.SecurityElement.Escape(password));
response = client.SubmitRequestWithBody(
RequestType.POST,
request,
"2009-10-01",
"services/hostedservices/{0}/certificates",
this.serviceName
);
return new AsyncAzureOperation(this, response.OperationId, false);
}
protected override void ProcessRecord()
{
using (var vp = InitializeVault.GetVaultProvider(VaultProfile))
{
vp.OpenStorage();
var v = vp.LoadVault();
if (v.Registrations == null || v.Registrations.Count < 1)
throw new InvalidOperationException("No registrations found");
var ri = v.Registrations[0];
var r = ri.Registration;
if (v.Certificates == null || v.Certificates.Count < 1)
throw new InvalidOperationException("No certificates found");
var ci = v.Certificates.GetByRef(Ref);
if (ci == null)
throw new Exception("Unable to find a Certificate for the given reference");
if (!string.IsNullOrEmpty(ci.GenerateDetailsFile))
{
// Generate a private key and CSR:
// Key: RSA 2048-bit
// MD: SHA 256
// CSR: Details pulled from CSR Details JSON file
CsrHelper.CsrDetails csrDetails;
var csrDetailsAsset = vp.GetAsset(VaultAssetType.CsrDetails, ci.GenerateDetailsFile);
using (var s = vp.LoadAsset(csrDetailsAsset))
{
csrDetails = JsonHelper.Load<CsrHelper.CsrDetails>(s);
}
var keyGenFile = $"{ci.Id}-gen-key.json";
var keyPemFile = $"{ci.Id}-key.pem";
var csrGenFile = $"{ci.Id}-gen-csr.json";
var csrPemFile = $"{ci.Id}-csr.pem";
var keyGenAsset = vp.CreateAsset(VaultAssetType.KeyGen, keyGenFile);
var keyPemAsset = vp.CreateAsset(VaultAssetType.KeyPem, keyPemFile);
var csrGenAsset = vp.CreateAsset(VaultAssetType.CsrGen, csrGenFile);
var csrPemAsset = vp.CreateAsset(VaultAssetType.CsrPem, csrPemFile);
var genKey = CsrHelper.GenerateRsaPrivateKey();
using (var s = vp.SaveAsset(keyGenAsset))
{
genKey.Save(s);
}
using (var w = new StreamWriter(vp.SaveAsset(keyPemAsset)))
{
w.Write(genKey.Pem);
}
var genCsr = CsrHelper.GenerateCsr(csrDetails, genKey);
using (var s = vp.SaveAsset(csrGenAsset))
{
genCsr.Save(s);
}
using (var w = new StreamWriter(vp.SaveAsset(csrPemAsset)))
{
w.Write(genCsr.Pem);
}
ci.KeyPemFile = keyPemFile;
ci.CsrPemFile = csrPemFile;
}
var asset = vp.GetAsset(VaultAssetType.CsrPem, ci.CsrPemFile);
byte[] derRaw;
using (var s = vp.LoadAsset(asset))
{
using (var ms = new MemoryStream())
{
CsrHelper.Csr.ConvertPemToDer(s, ms);
derRaw = ms.ToArray();
}
}
var derB64u = JwsHelper.Base64UrlEncode(derRaw);
using (var c = ClientHelper.GetClient(v, ri))
{
c.Init();
c.GetDirectory(true);
ci.CertificateRequest = c.RequestCertificate(derB64u);
}
if (!string.IsNullOrEmpty(ci.CertificateRequest.CertificateContent))
{
var crtDerFile = $"{ci.Id}-crt.der";
var crtPemFile = $"{ci.Id}-crt.pem";
var crtDerAsset = vp.CreateAsset(VaultAssetType.CrtDer, crtDerFile);
var crtPemAsset = vp.CreateAsset(VaultAssetType.CrtPem, crtPemFile);
using (var s = vp.SaveAsset(crtDerAsset))
{
ci.CertificateRequest.SaveCertificate(s);
ci.CrtDerFile = crtDerFile;
}
using (Stream source = vp.LoadAsset(crtDerAsset), target = vp.SaveAsset(crtPemAsset))
{
CsrHelper.Crt.ConvertDerToPem(source, target);
ci.CrtPemFile = crtPemFile;
}
var crt = new X509Certificate2(ci.CertificateRequest.GetCertificateContent());
ci.SerialNumber = crt.SerialNumber;
ci.Thumbprint = crt.Thumbprint;
ci.SignatureAlgorithm = crt.SignatureAlgorithm?.FriendlyName;
ci.Signature = crt.GetCertHashString();
}
vp.SaveVault(v);
WriteObject(ci);
}
}
private void InstallCertificateToStore(X509Certificate2 certificate, string certificateStoreName)
{
var hash = certificate.GetCertHashString();
var store = new X509Store(certificateStoreName, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);
if (store.Certificates.OfType<X509Certificate2>()
.Any(
c =>
c.Subject == certificate.Subject &&
c.HasPrivateKey &&
string.Equals(c.GetCertHashString(), hash, StringComparison.OrdinalIgnoreCase)))
{
Info($"the certificate with subject {certificate.Subject} and hash {hash} is already installed in store LocalMachine\\{certificateStoreName}");
store.Close();
return;
}
Info($"Installing certificate with subject {certificate.Subject} and hash {hash} to store LocalMachine\\{certificateStoreName}");
store.Add(certificate);
store.Close();
}
private X509Certificate2 EnsurePrivateKey(X509Certificate certificate)
{
if (certificate != null)
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_locating_private_key_for_certificate", new object[] { certificate.ToString(true) }));
}
try
{
X509Certificate2Collection certificates;
X509Certificate2 certificate2 = certificate as X509Certificate2;
Type type = certificate.GetType();
string findValue = null;
if ((type != typeof(X509Certificate2)) && (type != typeof(X509Certificate)))
{
if (certificate.Handle != IntPtr.Zero)
{
certificate2 = new X509Certificate2(certificate);
findValue = certificate2.GetCertHashString();
}
}
else
{
findValue = certificate.GetCertHashString();
}
if (certificate2 != null)
{
if (certificate2.HasPrivateKey)
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_cert_is_of_type_2"));
}
return certificate2;
}
if (certificate != certificate2)
{
certificate2.Reset();
}
}
ExceptionHelper.KeyContainerPermissionOpen.Demand();
X509Store store = EnsureStoreOpened(this.m_ServerMode);
if (store != null)
{
certificates = store.Certificates.Find(X509FindType.FindByThumbprint, findValue, false);
if ((certificates.Count > 0) && (certificates[0].PrivateKey != null))
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_found_cert_in_store", new object[] { this.m_ServerMode ? "LocalMachine" : "CurrentUser" }));
}
return certificates[0];
}
}
store = EnsureStoreOpened(!this.m_ServerMode);
if (store != null)
{
certificates = store.Certificates.Find(X509FindType.FindByThumbprint, findValue, false);
if ((certificates.Count > 0) && (certificates[0].PrivateKey != null))
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_found_cert_in_store", new object[] { this.m_ServerMode ? "CurrentUser" : "LocalMachine" }));
}
return certificates[0];
}
}
}
catch (CryptographicException)
{
}
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, SR.GetString("net_log_did_not_find_cert_in_store"));
}
}
return null;
}
private void OutputCertificate(X509Certificate2 x509Certificate)
{
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Certificate Data: ******************************************************************");
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Basic Certificate Information");
//System.Diagnostics.Debug.WriteLine("\t Content Type: " + X509Certificate2.GetCertContentType(x509Certificate.RawData));
System.Diagnostics.Debug.WriteLine("\t Format: " + x509Certificate.GetFormat());
System.Diagnostics.Debug.WriteLine("\t Version: " + x509Certificate.Version.ToString());
System.Diagnostics.Debug.WriteLine("\t Hash String: " + x509Certificate.GetCertHashString());
System.Diagnostics.Debug.WriteLine("\t Issuer Name: " + x509Certificate.IssuerName.Name);
System.Diagnostics.Debug.WriteLine("\t Issuer Name OID: " + x509Certificate.IssuerName.Oid.Value);
System.Diagnostics.Debug.WriteLine("\t Subject Name: " + x509Certificate.SubjectName.Name);
System.Diagnostics.Debug.WriteLine("\t Serial Number: " + x509Certificate.GetSerialNumberString());
System.Diagnostics.Debug.WriteLine("\t Thumb Print: " + x509Certificate.Thumbprint);
System.Diagnostics.Debug.WriteLine("\t Friendly Name: " + x509Certificate.FriendlyName);
System.Diagnostics.Debug.WriteLine("\t Signature Algorithm: " + x509Certificate.SignatureAlgorithm.FriendlyName);
if (null != x509Certificate.PrivateKey)
System.Diagnostics.Debug.WriteLine("\t Signature Key Exchange Algorithm: " + x509Certificate.PrivateKey.KeyExchangeAlgorithm);
else
System.Diagnostics.Debug.WriteLine("\t Signature Key Exchange Algorithm: ");
System.Diagnostics.Debug.WriteLine("\t Key Algorithm Parameters: " + x509Certificate.GetKeyAlgorithmParametersString());
System.Diagnostics.Debug.WriteLine("\t Not Valid Before: " + x509Certificate.NotBefore.ToString());
System.Diagnostics.Debug.WriteLine("\t Not Valid After: " + x509Certificate.NotAfter.ToString());
System.Diagnostics.Debug.WriteLine("\t Can Be Verified: " + x509Certificate.Verify());
System.Diagnostics.Debug.WriteLine("\t Is Archived: " + x509Certificate.Archived);
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("X509 Name Elements");
System.Diagnostics.Debug.WriteLine("\t X509 Simple Name: " + x509Certificate.GetNameInfo(X509NameType.SimpleName, false));
System.Diagnostics.Debug.WriteLine("\t X509 DNS From Alternative Name: " + x509Certificate.GetNameInfo(X509NameType.DnsFromAlternativeName, false));
System.Diagnostics.Debug.WriteLine("\t X509 DNS Name: " + x509Certificate.GetNameInfo(X509NameType.DnsName, false));
System.Diagnostics.Debug.WriteLine("\t X509 Email Name: " + x509Certificate.GetNameInfo(X509NameType.EmailName, false));
System.Diagnostics.Debug.WriteLine("\t X509 UPN Name: " + x509Certificate.GetNameInfo(X509NameType.UpnName, false));
System.Diagnostics.Debug.WriteLine("\t X509 URL Name: " + x509Certificate.GetNameInfo(X509NameType.UrlName, false));
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("X509 Name Elements for Issuer");
System.Diagnostics.Debug.WriteLine("\t X509 Simple Name: " + x509Certificate.GetNameInfo(X509NameType.SimpleName, true));
System.Diagnostics.Debug.WriteLine("\t X509 DNS From Alternative Name: " + x509Certificate.GetNameInfo(X509NameType.DnsFromAlternativeName, true));
System.Diagnostics.Debug.WriteLine("\t X509 DNS Name: " + x509Certificate.GetNameInfo(X509NameType.DnsName, true));
System.Diagnostics.Debug.WriteLine("\t X509 Email Name: " + x509Certificate.GetNameInfo(X509NameType.EmailName, true));
System.Diagnostics.Debug.WriteLine("\t X509 UPN Name: " + x509Certificate.GetNameInfo(X509NameType.UpnName, true));
System.Diagnostics.Debug.WriteLine("\t X509 URL Name: " + x509Certificate.GetNameInfo(X509NameType.UrlName, true));
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Keys");
System.Diagnostics.Debug.WriteLine("\t Public Key: " + x509Certificate.PublicKey.Key.ToXmlString(false));
if (null != x509Certificate.PrivateKey)
System.Diagnostics.Debug.WriteLine("\t Private Key: " + x509Certificate.PrivateKey.ToXmlString(false));
else
System.Diagnostics.Debug.WriteLine("\t Private Key: ");
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("Raw Cert");
System.Diagnostics.Debug.WriteLine("\t " + x509Certificate.GetRawCertDataString());
System.Diagnostics.Debug.WriteLine("");
System.Diagnostics.Debug.WriteLine("************************************************************************************");
System.Diagnostics.Debug.WriteLine("");
}