Пример #1
0
        internal static void ValidateCertificate(ExchangeCertificate certificate, bool skipAutomatedDeploymentChecks)
        {
            ExchangeCertificateValidity exchangeCertificateValidity = ManageExchangeCertificate.ValidateExchangeCertificate(certificate, true);

            if (exchangeCertificateValidity != ExchangeCertificateValidity.Valid)
            {
                throw new FederationCertificateInvalidException(Strings.CertificateNotValidForExchange(certificate.Thumbprint, exchangeCertificateValidity.ToString()));
            }
            if (string.IsNullOrEmpty(certificate.SubjectKeyIdentifier))
            {
                throw new FederationCertificateInvalidException(Strings.ErrorCertificateNoSKI(certificate.Thumbprint));
            }
            if (!skipAutomatedDeploymentChecks && !certificate.PrivateKeyExportable)
            {
                throw new FederationCertificateInvalidException(Strings.ErrorCertificateNotExportable(certificate.Thumbprint));
            }
            if (!string.Equals(certificate.GetKeyAlgorithm(), WellKnownOid.RsaRsa.Value, StringComparison.OrdinalIgnoreCase))
            {
                throw new FederationCertificateInvalidException(Strings.ErrorCertificateNotRSA(certificate.Thumbprint));
            }
            if (TlsCertificateInfo.IsCNGProvider(certificate))
            {
                throw new FederationCertificateInvalidException(Strings.ErrorCertificateNotCAPI(certificate.Thumbprint));
            }
            if ((ExDateTime)certificate.NotAfter < ExDateTime.UtcNow && (ExDateTime)certificate.NotBefore > ExDateTime.UtcNow)
            {
                throw new FederationCertificateInvalidException(Strings.ErrorCertificateHasExpired(certificate.Thumbprint));
            }
        }
Пример #2
0
 private static void ReEncryptEdgeSyncCredentials(Server server, X509Certificate2 oldCertificate, X509Certificate2 newCertificate)
 {
     if (server.EdgeSyncCredentials == null || server.EdgeSyncCredentials.Count == 0)
     {
         return;
     }
     if (oldCertificate == null)
     {
         throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
     }
     if (TlsCertificateInfo.IsCNGProvider(newCertificate))
     {
         throw new InvalidOperationException(Strings.InternalTransportCertificateMustBeCAPICertificate(newCertificate.Thumbprint));
     }
     oldCertificate = ExchangeCertificate.GetCertificateFromStore(StoreName.My, oldCertificate.Thumbprint);
     if (oldCertificate == null)
     {
         throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
     }
     EdgeSyncCredential[] array = new EdgeSyncCredential[server.EdgeSyncCredentials.Count];
     using (RSACryptoServiceProvider rsacryptoServiceProvider = (RSACryptoServiceProvider)oldCertificate.PrivateKey)
     {
         for (int i = 0; i < server.EdgeSyncCredentials.Count; i++)
         {
             array[i] = EdgeSyncCredential.DeserializeEdgeSyncCredential(server.EdgeSyncCredentials[i]);
             try
             {
                 array[i].EncryptedESRAPassword = rsacryptoServiceProvider.Decrypt(array[i].EncryptedESRAPassword, false);
             }
             catch (CryptographicException)
             {
                 throw new InvalidOperationException(Strings.InternalTransportCertificateCorruptedInADOnHub);
             }
         }
     }
     using (RSACryptoServiceProvider rsacryptoServiceProvider2 = newCertificate.PublicKey.Key as RSACryptoServiceProvider)
     {
         if (rsacryptoServiceProvider2 != null)
         {
             for (int j = 0; j < array.Length; j++)
             {
                 if (array[j].EncryptedESRAPassword != null)
                 {
                     array[j].EncryptedESRAPassword = rsacryptoServiceProvider2.Encrypt(array[j].EncryptedESRAPassword, false);
                     server.EdgeSyncCredentials[j]  = EdgeSyncCredential.SerializeEdgeSyncCredential(array[j]);
                 }
             }
         }
     }
 }
Пример #3
0
        internal static ExchangeCertificateValidity ValidateExchangeCertificate(X509Certificate2 cert, bool ignoreAccessible)
        {
            if (cert == null)
            {
                throw new ArgumentNullException("cert");
            }
            if (!cert.HasPrivateKey)
            {
                return(ExchangeCertificateValidity.PrivateKeyMissing);
            }
            string keyAlgorithm = cert.GetKeyAlgorithm();
            bool   flag         = string.Equals(keyAlgorithm, WellKnownOid.X957Sha1Dsa.Value, StringComparison.OrdinalIgnoreCase);

            if (!string.Equals(keyAlgorithm, WellKnownOid.RsaRsa.Value, StringComparison.OrdinalIgnoreCase) && !flag)
            {
                return(ExchangeCertificateValidity.KeyAlgorithmUnsupported);
            }
            foreach (X509Extension x509Extension in cert.Extensions)
            {
                try
                {
                    X509KeyUsageExtension x509KeyUsageExtension = x509Extension as X509KeyUsageExtension;
                    if (x509KeyUsageExtension != null)
                    {
                        X509KeyUsageFlags keyUsages = x509KeyUsageExtension.KeyUsages;
                        bool flag2 = false;
                        if (keyUsages == X509KeyUsageFlags.None)
                        {
                            flag2 = true;
                        }
                        else if ((keyUsages & (X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DigitalSignature)) != X509KeyUsageFlags.None)
                        {
                            flag2 = true;
                        }
                        if (!flag2)
                        {
                            return(ExchangeCertificateValidity.SigningNotSupported);
                        }
                    }
                }
                catch (CryptographicException)
                {
                    return(ExchangeCertificateValidity.KeyUsageCorrupted);
                }
                try
                {
                    X509EnhancedKeyUsageExtension x509EnhancedKeyUsageExtension = x509Extension as X509EnhancedKeyUsageExtension;
                    if (x509EnhancedKeyUsageExtension != null && x509EnhancedKeyUsageExtension.EnhancedKeyUsages.Count > 0 && x509EnhancedKeyUsageExtension.EnhancedKeyUsages[WellKnownOid.PkixKpServerAuth.Value] == null)
                    {
                        return(ExchangeCertificateValidity.PkixKpServerAuthNotFoundInEnhancedKeyUsage);
                    }
                }
                catch (CryptographicException)
                {
                    return(ExchangeCertificateValidity.EnhancedKeyUsageCorrupted);
                }
            }
            if (TlsCertificateInfo.IsCNGProvider(cert))
            {
                return(ManageExchangeCertificate.CheckCNGSettings(cert));
            }
            AsymmetricAlgorithm privateKey;

            try
            {
                privateKey = cert.PrivateKey;
            }
            catch (CryptographicException)
            {
                return(ExchangeCertificateValidity.PrivateKeyNotAccessible);
            }
            ICspAsymmetricAlgorithm cspAsymmetricAlgorithm = privateKey as ICspAsymmetricAlgorithm;

            if (cspAsymmetricAlgorithm == null)
            {
                return(ExchangeCertificateValidity.PrivateKeyUnsupportedAlgorithm);
            }
            CspKeyContainerInfo cspKeyContainerInfo = cspAsymmetricAlgorithm.CspKeyContainerInfo;

            if (cspKeyContainerInfo.Protected)
            {
                return(ExchangeCertificateValidity.CspKeyContainerInfoProtected);
            }
            if (cspKeyContainerInfo.HardwareDevice && cspKeyContainerInfo.Removable)
            {
                return(ExchangeCertificateValidity.CspKeyContainerInfoRemovableDevice);
            }
            if (!ignoreAccessible && !cspKeyContainerInfo.Accessible)
            {
                return(ExchangeCertificateValidity.CspKeyContainerInfoNotAccessible);
            }
            switch (cspKeyContainerInfo.KeyNumber)
            {
            case KeyNumber.Exchange:
            case KeyNumber.Signature:
            {
                AsymmetricAlgorithm key = cert.PublicKey.Key;
                if (key.KeySize < 1024)
                {
                    return(ExchangeCertificateValidity.PublicKeyUnsupportedSize);
                }
                return(ExchangeCertificateValidity.Valid);
            }

            default:
                return(ExchangeCertificateValidity.CspKeyContainerInfoUnknownKeyNumber);
            }
        }