public void Setup()
{
AdcsTemplate result = null;
try
{
result = configDb.Get <AdcsTemplate>(x => x.Cipher == CipherAlgorithm.RSA && x.WindowsApi == WindowsApi.CryptoApi && x.KeyUsage == KeyUsage.ServerAuthentication).First();
//result = configDb.GetAdcsTemplate(HashAlgorithm.SHA256, CipherAlgorithm.RSA, WindowsApi.CryptoApi, KeyUsage.ServerAuthentication);
}
catch
{
if (result == null)
{
configDb.Insert <AdcsTemplate>(new AdcsTemplate()
{
WindowsApi = WindowsApi.CryptoApi,
Cipher = CipherAlgorithm.RSA,
//Hash = HashAlgorithm.SHA256,
KeyUsage = KeyUsage.ServerAuthentication,
Name = "ServerAuthentication-CapiRsa"
});
}
}
ActiveDirectoryMetadata idp = configDb.GetAll <ActiveDirectoryMetadata>().FirstOrDefault();
configDb.DropCollection <PrivateCertificateAuthorityConfig>();
PrivateCertificateAuthorityConfig caConfig = new PrivateCertificateAuthorityConfig()
{
CommonName = caCommonName,
ServerName = caServerName,
HashAlgorithm = HashAlgorithm.SHA256,
IdentityProviderId = idp.Id
};
}
public bool IsAuthorized(AdcsTemplate template, ClaimsPrincipal user)
{
if (template == null || template.RolesAllowedToIssue == null)
{
throw new ArgumentNullException(nameof(template));
}
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
if (template.RolesAllowedToIssue.Count < 1)
{
throw new UnauthorizedAccessException();
}
foreach (Guid roleId in template.RolesAllowedToIssue)
{
if (IncludesRole(user, roleId))
{
return(true);
}
}
return(false);
}
public CreatePrivateCertificateResult CreateCertificateWithPrivateKey(CreatePrivateCertificateModel model, ClaimsPrincipal user)
{
model.RequestDate = DateTime.Now;
KeyUsage keyUsage = dataTransformation.ParseKeyUsage(model.KeyUsage);
AdcsTemplate template = templateLogic.DiscoverTemplate(model.CipherAlgorithm, model.Provider, keyUsage);
if (!templateLogic.ValidateTemplateWithRequest(model, template))
{
throw new AdcsTemplateValidationException("Certificate request does not meet the requirements of the certificate template");
}
if (authorizationLogic.IsAuthorized(template, user))
{
CertificateRequest csr = certificateProvider.CreateCsrKeyPair(dataTransformation.NewCertificateSubjectFromModel(model), model.CipherAlgorithm, model.KeySize, model.Provider, SigningRequestProtocol.Pkcs10);
MicrosoftCertificateAuthority ca = configurationRepository.GetPrivateCertificateAuthority(model.HashAlgorithm);
CertificateAuthorityRequestResponse response = ca.Sign(csr, template.Name, template.KeyUsage);
CreatePrivateCertificateResult result = ProcessCertificateAuthorityResponse(model, response, csr.Subject, user);
this.Audit(result, user);
return(result);
}
else
{
return(ProcessNewPendingCertificateWorkflow(model));
}
}
public AdcsTemplate DiscoverTemplate(CipherAlgorithm cipher, WindowsApi api, KeyUsage keyUsage)
{
Expression <Func <AdcsTemplate, bool> > query = template => template.Cipher == cipher && template.WindowsApi == api && template.KeyUsage.ToString() == keyUsage.ToString();
AdcsTemplate results = configurationRepository.Get <AdcsTemplate>(query).First();
return(results);
}
public CreatePrivateCertificateResult IssuePendingCertificate(Guid id, ClaimsPrincipal user)
{
PendingCertificate pendingCertificate = certificateRepository.Get <PendingCertificate>(id);
KeyUsage keyUsage = dataTransformation.ParseKeyUsage(pendingCertificate.KeyUsage);
AdcsTemplate template = templateLogic.DiscoverTemplate(pendingCertificate.CipherAlgorithm, pendingCertificate.Provider, keyUsage);
if (authorizationLogic.IsAuthorized(template, user))
{
CertificateRequest csr = certificateProvider.CreateCsrKeyPair(dataTransformation.NewCertificateSubjectFromModel(pendingCertificate), pendingCertificate.CipherAlgorithm, pendingCertificate.KeySize, pendingCertificate.Provider, SigningRequestProtocol.Pkcs10);
MicrosoftCertificateAuthority ca = configurationRepository.GetPrivateCertificateAuthority(pendingCertificate.HashAlgorithm);
CertificateAuthorityRequestResponse response = ca.Sign(csr, template.Name, template.KeyUsage);
CreatePrivateCertificateResult result = ProcessCertificateAuthorityResponse(pendingCertificate, response, csr.Subject, user);
certificateRepository.Delete <PendingCertificate>(id);
return(result);
}
else
{
throw new UnauthorizedAccessException("Current user is not authorized to issue pending certificates");
}
}
public void ValidateTemplatePublishedActiveDirectory(AdcsTemplate template)
{
IEnumerable <ActiveDirectoryMetadata> metadataList = configurationRepository.GetAll <ActiveDirectoryMetadata>();
if (metadataList == null)
{
throw new AdcsTemplateValidationException("There are no active directory domains configured.");
}
foreach (ActiveDirectoryMetadata metadata in metadataList)
{
List <AdcsCertificateTemplate> templates = this.GetActiveDirectoryTemplates(metadata);
if (!templates.Where(x => x.Name == template.Name).Any())
{
throw new AdcsTemplateValidationException("Adcs template is not published in Active Directory");
}
if (templates.Where(x => x.Name == template.Name).Count() > 1)
{
throw new AdcsTemplateValidationException("Search for Adcs templates by name in Active Directory returned more than one result, this is not allowed");
}
AdcsCertificateTemplate adTemplate = templates.Where(x => x.Name == template.Name).First();
if (template.WindowsApi != adTemplate.WindowsApi)
{
string msg = string.Format("Certificate Manager Template Windows API does not match the template in active directory. AD shows {0}, CertificateManager requested {1}", adTemplate.WindowsApi, template.WindowsApi);
throw new AdcsTemplateValidationException(msg);
}
if (template.Cipher != adTemplate.Cipher)
{
string msg = string.Format("Certificate Manager Template cipher algorithm does not match the template in active directory. AD shows {0}, CertificateManager requested {1}", adTemplate.Cipher, template.Cipher);
throw new AdcsTemplateValidationException(msg);
}
if (!adTemplate.AllowsClientProvidedSubject())
{
throw new AdcsTemplateValidationException("Adcs template was found in Active Directory, but the template does not allow the client to specify the subject");
}
if (adTemplate.RequiresStrongKeyProtection())
{
throw new AdcsTemplateValidationException("Adcs template in Active Directory requires strong key protection. Certificate Manager inplements strong key protection that is incompatible with Active Directory Certificate Services. ");
}
if (adTemplate.PendAllRequests())
{
throw new AdcsTemplateValidationException("Issuance requires pending the certificate for manager approval. This is not compatible with Certificate Manager");
}
if (adTemplate.RequireUserInteraction())
{
throw new AdcsTemplateValidationException("Issuance requires user interaction. This is not compatible with Certificate Manager");
}
}
}
public bool ValidateTemplateWithRequest(CreatePrivateCertificateModel model, AdcsTemplate template)
{
if (model.KeySize < template.MinimumKeySize)
{
return(false);
}
else
{
return(true);
}
}
public AdcsTemplateGetModel GetTemplate(Guid id)
{
AdcsTemplate template = configurationRepository.Get <AdcsTemplate>(id);
return(new AdcsTemplateGetModel()
{
Name = template.Name,
Cipher = template.Cipher,
KeyUsage = template.KeyUsage,
WindowsApi = template.WindowsApi,
Id = template.Id,
RolesAllowedToIssueSelectView = GetSecrityRoleListView(template.RolesAllowedToIssue)
});
}
public AdcsTemplate AddTemplate(string name, CipherAlgorithm cipher, KeyUsage keyUsage, WindowsApi api, List <Guid> rolesAllowedToIssue)
{
AdcsTemplate template = new AdcsTemplate()
{
Name = name,
Cipher = cipher,
KeyUsage = keyUsage,
WindowsApi = api,
RolesAllowedToIssue = rolesAllowedToIssue
};
configurationRepository.Insert <AdcsTemplate>(template);
return(template);
}
public AdcsTemplateGetModel AddTemplate(AdcsTemplate template)
{
IEnumerable <PrivateCertificateAuthorityConfig> ca = configurationRepository.GetAll <PrivateCertificateAuthorityConfig>();
if (ca == null)
{
throw new PrivateCertificateAuthorityDoesNotExistException("A certificate authority must exist before adding a template");
}
this.ValidateTemplatePublishedActiveDirectory(template);
List <AdcsCertificateTemplate> templatesFromAllRealms = this.GetTemplateInAllActiveDirectoryRealms(template.Name);
template.Id = Guid.NewGuid();
template.MinimumKeySize = templatesFromAllRealms.Select(x => x.MinimumKeySize).Max();
configurationRepository.Insert <AdcsTemplate>(template);
return(this.GetTemplate(template.Id));
}
public SignPrivateCertificateResult SignCertificate(SignPrivateCertificateModel model, ClaimsPrincipal user)
{
CertificateRequest csr = certificateProvider.InitializeFromEncodedCsr(model.EncodedCsr);
AdcsTemplate template = templateLogic.DiscoverTemplate(csr.CipherAlgorithm, WindowsApi.Cng, KeyUsage.ServerAuthentication);
if (authorizationLogic.IsAuthorized(template, user))
{
MicrosoftCertificateAuthority ca = configurationRepository.GetPrivateCertificateAuthority(model.HashAlgorithm);
CertificateAuthorityRequestResponse response = ca.Sign(csr, template.Name, template.KeyUsage);
return(HandleCertificateAuthorityResponse(model, response, csr.Subject));
}
else
{
return(ProcessPendingSigningWorkflow(model));
}
}
public AdcsTemplateGetModel UpdateTemplate(AdcsTemplateUpdateModel updateEntity)
{
if (updateEntity.Name == "error")
{
throw new PrivateCertificateAuthorityDoesNotExistException("A certificate authority must exist before adding a template");
}
AdcsTemplate template = configurationRepository.Get <AdcsTemplate>(updateEntity.Id);
template.Name = updateEntity.Name;
template.RolesAllowedToIssue = dataTransform.ParseGuidList(updateEntity.RolesAllowedToIssue);
template.KeyUsage = updateEntity.KeyUsage;
template.WindowsApi = updateEntity.WindowsApi;
template.Cipher = updateEntity.Cipher;
configurationRepository.Update <AdcsTemplate>(template);
AdcsTemplateGetModel response = new AdcsTemplateGetModel();
response.Name = template.Name;
response.Cipher = template.Cipher;
response.KeyUsage = template.KeyUsage;
response.WindowsApi = template.WindowsApi;
response.Id = template.Id;
response.RolesAllowedToIssueSelectView = new List <SecurityRoleSelectView>();
foreach (Guid roleId in template.RolesAllowedToIssue)
{
var role = configurationRepository.Get <SecurityRole>(roleId);
response.RolesAllowedToIssueSelectView.Add(
new SecurityRoleSelectView()
{
Id = roleId,
Name = role.Name
});
}
return(response);
}
public void Complete(InitialSetupConfigModel config)
{
ActiveDirectoryMetadata idp = idpLogic.Add(config.AdName, config.AdServer, config.AdSearchBase, config.AdServiceAccountUsername, config.AdServiceAccountPassword, config.AdUseAppPoolIdentity);
certificateAuthorityConfigurationLogic.AddPrivateCertificateAuthority(config.AdcsServerName, config.AdcsCommonName, config.AdcsHashAlgorithm, idp.Id);
AdcsTemplate adcsTemplate = templateLogic.AddTemplate(config.AdcsTemplateName, config.AdcsTemplateCipher, config.AdcsTemplateKeyUsage, config.AdcsTemplateWindowsApi, RoleManagementLogic.DefaultTemplateIssuerRoles);
AuthenticablePrincipal emergencyAccess = localIdpLogic.InitializeEmergencyAccess(config.EmergencyAccessKey);
AuthenticablePrincipal admin = localIdpLogic.InitializeLocalAdministrator(config.LocalAdminPassword);
authorizationLogic.InitializeScopes();
roleManagement.InitializeRoles(new List <Guid>()
{
emergencyAccess.Id, admin.Id
});
AppConfig appConfig = new AppConfig()
{
EncryptionKey = config.EncryptionKey,
Id = Guid.NewGuid()
};
configurationRepository.SetAppConfig(appConfig);
}
public bool IsAuthorized(AdcsTemplate template, ClaimsPrincipal user)
{
return(true);
}
public JsonResult AddAdcsTemplate(AdcsTemplate template)
{
return(http.RespondSuccess(adcsTemplateLogic.AddTemplate(template)));
}