public async Task When_a_wrong_merchant_id_is_sent_then_the_transaction_should_fail()
{
var idinUrl = new Uri("https://idintest.rabobank.nl/bvn-idx-bankid-rs/bankidGateway");
var client = new IdinClient(
idinUrl,
() => certificateStore.GetCertificate(
"BC2262A6F2E6DB3A63138A167A0E2AA114E2E3AD",
false),
() => new List <X509Certificate2> {
certificateStore.GetCertificate(
"ad96a0ce00209e56f536f0e017415e68460b2b22",
false),
},
() => new List <X509Certificate2> {
certificateStore.GetCertificate(
"4CC9A1382521DA468F657191EA9B6B996EFFFCF8",
false),
},
"Test");
var idinResult = await client.GetIssuersAsync(
new GetIssuersSettings {
SubId = 0,
});
idinResult.HasError.Should().BeTrue();
idinResult.ErrorDetails.ErrorMessage.Should().Contain("Value too short");
}
private async Task <X509Certificate2> GetOrCreateCertificate(CertificateFactory factory, CancellationToken cancellationToken)
{
var domainName = _options.Value.DomainNames[0];
var cert = _certificateStore.GetCertificate(domainName);
if (cert != null)
{
_logger.LogDebug("Certificate for {hostname} already found.", domainName);
return(cert);
}
if (!_hasRegistered)
{
_hasRegistered = true;
await factory.RegisterUserAsync(cancellationToken);
}
try
{
_logger.LogInformation("Creating certificate for {hostname} using ACME server {acmeServer}", domainName, _options.Value.GetAcmeServer(_hostEnvironment));
cert = await factory.CreateCertificateAsync(cancellationToken);
_logger.LogInformation("Created certificate {subjectName} ({thumbprint})", cert.Subject, cert.Thumbprint);
_certificateStore.Save(domainName, cert);
return(cert);
}
catch (Exception ex)
{
_logger.LogError(0, ex, "Failed to automatically create a certificate for {hostname}", domainName);
throw;
}
}
/// <summary>
/// Creates a IRestClient with a ClientCertificate.
/// </summary>
/// <returns></returns>
private IRestClient CreateRestClient()
{
var certificate = _certificateStore.GetCertificate();
var client = new RestClient(_config.BaseUrl)
{
// We need to add the clientCertificate in order to authenticate.
ClientCertificates = new X509CertificateCollection {
certificate
}
};
return(client);
}
public async Task <object> Get(string id)
{
CertificateId certId = new CertificateId(id);
ICertificate cert = null;
ICertificateStore store = _storeProvider.Stores.FirstOrDefault(s => s.Name.Equals(certId.StoreName, StringComparison.OrdinalIgnoreCase));
if (store != null)
{
cert = await store.GetCertificate(certId.Id);
}
if (cert == null)
{
return(NotFound());
}
return(CertificateHelper.ToJsonModel(cert, Context.Request.GetFields()));
}
public async Task Run(IAcmeDnsRequest acmeDnsRequest, int renewXNumberOfDaysBeforeExpiration)
{
try
{
CertificateInstallModel model = null;
string hostsPlusSeparated = AcmeClient.GetHostsPlusSeparated(acmeDnsRequest.Hosts);
var certname = $"{hostsPlusSeparated}-{acmeDnsRequest.AcmeEnvironment.Name}";
var cert = await certificateStore.GetCertificate(certname, acmeDnsRequest.PFXPassword);
if (cert == null || cert.Certificate.NotAfter < DateTime.UtcNow.AddDays(renewXNumberOfDaysBeforeExpiration)) //Cert doesnt exist or expires in less than renewXNumberOfDaysBeforeExpiration days, lets renew.
{
logger.LogInformation("Certificate store didn't contain certificate or certificate was expired starting renewing");
model = await acmeClient.RequestDnsChallengeCertificate(acmeDnsRequest);
model.CertificateInfo.Name = certname;
await certificateStore.SaveCertificate(model.CertificateInfo);
}
else
{
logger.LogInformation("Certificate expires in more than {renewXNumberOfDaysBeforeExpiration} days, reusing certificate from certificate store", renewXNumberOfDaysBeforeExpiration);
model = new CertificateInstallModel()
{
CertificateInfo = cert,
Hosts = acmeDnsRequest.Hosts
};
}
await certificateConsumer.Install(model);
logger.LogInformation("Removing expired certificates");
var expired = await certificateConsumer.CleanUp();
logger.LogInformation("The following certificates was removed {Thumbprints}", string.Join(", ", expired.ToArray()));
}
catch (Exception e)
{
logger.LogError(e, "Failed");
throw;
}
}
public async Task Run(AcmeDnsRequest acmeDnsRequest, int renewXNumberOfDaysBeforeExpiration)
{
try
{
CertificateInstallModel model = null;
var certname = acmeDnsRequest.Host + "-" + acmeDnsRequest.AcmeEnvironment.Name + ".pfx";
CertificateInfo cert = await certificateStore.GetCertificate(certname, acmeDnsRequest.PFXPassword);
if (cert == null || cert.Certificate.NotAfter < DateTime.UtcNow.AddDays(renewXNumberOfDaysBeforeExpiration)) //Cert doesnt exist or expires in less than 21 days, lets renew.
{
logger.LogInformation("Certificate store didn't contain certificate or certificate was expired starting renewing");
model = await acmeClient.RequestDnsChallengeCertificate(acmeDnsRequest);
model.CertificateInfo.Name = certname;
await certificateStore.SaveCertificate(model.CertificateInfo);
}
else
{
logger.LogInformation("Certificate expires in more than {renewXNumberOfDaysBeforeExpiration} days, reusing certificate from certificate store", renewXNumberOfDaysBeforeExpiration);
model = new CertificateInstallModel()
{
CertificateInfo = cert,
Host = acmeDnsRequest.Host
};
}
await azureWebAppService.Install(model);
logger.LogInformation("Removing expired certificates");
System.Collections.Generic.List <string> expired = azureWebAppService.RemoveExpired();
logger.LogInformation("The following certificates was removed {Thumbprints}", string.Join(", ", expired.ToArray()));
}
catch (Exception e)
{
logger.LogError(e, "Failed");
throw;
}
}
private static object ToJsonModel(Binding binding)
{
dynamic obj = new ExpandoObject();
obj.protocol = binding.Protocol;
obj.binding_information = binding.BindingInformation;
bool isHttp = binding.Protocol.Equals("http") || binding.Protocol.Equals("https");
if (isHttp)
{
string ipAddress = null;
int? port = null;
if (binding.EndPoint != null && binding.EndPoint.Address != null)
{
port = binding.EndPoint.Port;
if (binding.EndPoint.Address != null)
{
ipAddress = binding.EndPoint.Address.Equals(IPAddress.Any) ? "*" : binding.EndPoint.Address.ToString();
}
}
obj.ip_address = ipAddress;
obj.port = port;
obj.hostname = binding.Host;
//
// HTTPS
if (binding.Protocol.Equals("https"))
{
ICertificateStore store = null;
// Windows store
if (binding.CertificateStoreName != null)
{
string thumbprint = binding.CertificateHash == null ? null : BitConverter.ToString(binding.CertificateHash)?.Replace("-", string.Empty);
store = CertificateStoreProviderAccessor.Instance?.Stores
.FirstOrDefault(s => s.Name.Equals(binding.CertificateStoreName, StringComparison.OrdinalIgnoreCase));
// Certificate
if (store != null)
{
obj.certificate = CertificateHelper.ToJsonModelRef(GetCertificate(() => store.GetCertificate(thumbprint).Result));
}
}
// IIS Central Certificate Store
else if (binding.Schema.HasAttribute(sslFlagsAttribute) && binding.SslFlags.HasFlag(SslFlags.CentralCertStore) && !string.IsNullOrEmpty(binding.Host))
{
ICentralCertificateStore centralStore = null;
if (PathUtil.IsValidFileName(binding.Host))
{
centralStore = CertificateStoreProviderAccessor.Instance?.Stores.FirstOrDefault(s => s is ICentralCertificateStore) as ICentralCertificateStore;
}
// Certificate
if (centralStore != null)
{
obj.certificate = CertificateHelper.ToJsonModelRef(GetCertificate(() => centralStore.GetCertificateByHostName(binding.Host.Replace('*', '_')).Result));
}
}
//
// Ssl Flags
if (binding.Schema.HasAttribute(sslFlagsAttribute))
{
obj.require_sni = binding.SslFlags.HasFlag(SslFlags.Sni);
}
}
}
return(obj);
}
private static void SetBinding(Binding binding, dynamic obj)
{
string protocol = DynamicHelper.Value(obj.protocol);
string bindingInformation = DynamicHelper.Value(obj.binding_information);
bool? requireSni = DynamicHelper.To <bool>(obj.require_sni);
if (protocol == null)
{
throw new ApiArgumentException("binding.protocol");
}
binding.Protocol = protocol;
bool isHttp = protocol.Equals("http") || protocol.Equals("https");
if (isHttp)
{
//
// HTTP Binding information provides port, ip address, and hostname
UInt16 port;
string hostname;
IPAddress ipAddress = null;
if (bindingInformation == null)
{
var ip = DynamicHelper.Value(obj.ip_address);
if (ip == "*")
{
ipAddress = IPAddress.Any;
}
else if (!IPAddress.TryParse(ip, out ipAddress))
{
throw new ApiArgumentException("binding.ip_address");
}
UInt16?p = (UInt16?)DynamicHelper.To(obj.port, 1, UInt16.MaxValue);
if (p == null)
{
throw new ApiArgumentException("binding.port");
}
port = p.Value;
hostname = DynamicHelper.Value(obj.hostname) ?? string.Empty;
}
else
{
var parts = bindingInformation.Split(':');
if (parts.Length != 3)
{
throw new ApiArgumentException("binding.binding_information");
}
if (parts[0] == "*")
{
ipAddress = IPAddress.Any;
}
else if (!IPAddress.TryParse(parts[0], out ipAddress))
{
throw new ApiArgumentException("binding.binding_information");
}
if (!UInt16.TryParse(parts[1], out port))
{
throw new ApiArgumentException("binding.binding_information");
}
hostname = parts[2];
}
binding.Protocol = protocol;
// HTTPS
if (protocol.Equals("https"))
{
if (string.IsNullOrEmpty(hostname) && requireSni.HasValue && requireSni.Value)
{
throw new ApiArgumentException("binding.require_sni");
}
if (obj.certificate == null || !(obj.certificate is JObject))
{
throw new ApiArgumentException("binding.certificate");
}
dynamic certificate = obj.certificate;
string uuid = DynamicHelper.Value(certificate.id);
if (string.IsNullOrEmpty(uuid))
{
throw new ApiArgumentException("binding.certificate.id");
}
CertificateId id = new CertificateId(uuid);
ICertificateStore store = CertificateStoreProviderAccessor.Instance?.Stores
.FirstOrDefault(s => s.Name.Equals(id.StoreName, StringComparison.OrdinalIgnoreCase));
ICertificate cert = null;
if (store != null)
{
cert = store.GetCertificate(id.Id).Result;
}
if (cert == null)
{
throw new NotFoundException("binding.certificate");
}
if (!cert.Purposes.Contains("Server Authentication", StringComparer.OrdinalIgnoreCase))
{
throw new ApiArgumentException("binding.certificate", "Certificate does not support server authentication");
}
//
// Windows builtin store
if (store is IWindowsCertificateStore)
{
// The specified certificate must be in the store with a private key or else there will be an exception when we commit
if (cert == null)
{
throw new NotFoundException("binding.certificate");
}
if (!cert.HasPrivateKey)
{
throw new ApiArgumentException("binding.certificate", "Certificate must have a private key");
}
List <byte> bytes = new List <byte>();
// Decode the hex string of the certificate hash into bytes
for (int i = 0; i < id.Id.Length; i += 2)
{
bytes.Add(Convert.ToByte(id.Id.Substring(i, 2), 16));
}
binding.CertificateStoreName = id.StoreName;
binding.CertificateHash = bytes.ToArray();
}
//
// IIS Central Certificate store
else if (store is ICentralCertificateStore)
{
string name = Path.GetFileNameWithoutExtension(cert.Alias);
if (string.IsNullOrEmpty(hostname) || !hostname.Replace('*', '_').Equals(name))
{
throw new ApiArgumentException("binding.hostname", "Hostname must match certificate file name for central certificate store");
}
binding.SslFlags |= SslFlags.CentralCertStore;
}
if (requireSni.HasValue)
{
if (!binding.Schema.HasAttribute(sslFlagsAttribute))
{
// throw on IIS 7.5 which does not have SNI support
throw new ApiArgumentException("binding.require_sni", "SNI not supported on this machine");
}
if (requireSni.Value)
{
binding.SslFlags |= SslFlags.Sni;
}
else
{
binding.SslFlags &= ~SslFlags.Sni;
}
}
}
var ipModel = ipAddress.Equals(IPAddress.Any) ? "*" : ipAddress.ToString();
binding.BindingInformation = $"{ipModel}:{port}:{hostname}";
}
else
{
//
// Custom protocol
if (string.IsNullOrEmpty(bindingInformation))
{
throw new ApiArgumentException("binding.binding_information");
}
binding.BindingInformation = bindingInformation;
}
}
