public void TestEncryptPFXFileOaepSha512() { string hashAlgorithm = PaddingHashAlgorithmNames.SHA512; int paddingFlags = PaddingFlags.OAEPPadding; ProviderKeyInitialize(TestProviderName1, TestKeyName1, TestAlgorithmName); Command encryptCommand = GenerateSetUserPFXCertificatesCommand( TestFilePath1, TestUPN1, securePassword, TestProviderName1, TestKeyName1, UserPfxPaddingScheme.OaepSha512, UserPfxIntendedPurpose.SmimeEncryption); powershell.Commands.AddCommand(encryptCommand); var pfxResults = powershell.Invoke <UserPFXCertificate>(); Assert.AreEqual(pfxResults.Count(), 1); UserPFXCertificate userPFXResult = pfxResults.First(); Assert.AreEqual(userPFXResult.PaddingScheme, UserPfxPaddingScheme.OaepSha512); ValidatePasswordDecryptable(userPFXResult, testPassword, hashAlgorithm, paddingFlags); ProviderKeyCleanup(TestProviderName1, TestKeyName1); }
public void TestEncryptPFXFile() { ProviderKeyInitialize(TestProviderName1, TestKeyName1, TestAlgorithmName); Command encryptCommand = GenerateSetUserPFXCertificatesCommand( TestFilePath1, TestUPN1, securePassword, TestProviderName1, TestKeyName1, UserPfxPaddingScheme.None, UserPfxIntendedPurpose.SmimeEncryption); powershell.Commands.AddCommand(encryptCommand); var pfxResults = powershell.Invoke <UserPFXCertificate>(); Assert.AreEqual(pfxResults.Count(), 1); UserPFXCertificate userPFXResult = pfxResults.First(); Assert.AreEqual(userPFXResult.KeyName, TestKeyName1); Assert.AreEqual(userPFXResult.ProviderName, TestProviderName1); Assert.AreNotEqual(userPFXResult.EncryptedPfxPassword, testPassword); Assert.AreEqual(userPFXResult.UserPrincipalName, TestUPN1); Assert.AreEqual(userPFXResult.PaddingScheme, UserPfxPaddingScheme.None); Assert.AreEqual(userPFXResult.IntendedPurpose, UserPfxIntendedPurpose.SmimeEncryption); Assert.IsNotNull(userPFXResult.EncryptedPfxBlob); ValidatePasswordDecryptable(userPFXResult, testPassword, PaddingHashAlgorithmNames.SHA512, PaddingFlags.OAEPPadding); ProviderKeyCleanup(TestProviderName1, TestKeyName1); }
private void ProcessSingleResponse(HttpWebRequest request, string filter) { bool needsRetry = false; TimeSpan waitTime = TimeSpan.Zero; double retryAfter = 60; // TODO: get a good default wait time. try { using (var response = (HttpWebResponse)request.GetResponse()) { if (response.StatusCode == HttpStatusCode.OK) { string responseMessage = string.Empty; using (StreamReader rs = new StreamReader(response.GetResponseStream())) { responseMessage = rs.ReadToEnd(); } UserPFXCertificate cert = SerializationHelpers.DeserializeUserPFXCertificate(responseMessage); this.WriteObject(cert); } else { this.WriteError(new ErrorRecord(new InvalidOperationException(response.StatusDescription), response.StatusCode.ToString(), ErrorCategory.InvalidResult, filter)); } } } catch (WebException we) { HttpWebResponse response = we.Response as HttpWebResponse; if (we.Status == WebExceptionStatus.ProtocolError && response.StatusCode == (HttpStatusCode)429) { needsRetry = true; if (response.Headers["x-ms-retry-after-ms"] != null) { retryAfter = double.Parse(response.Headers["x-ms-retry-after-ms"]); } if (response.Headers["Retry-After"] != null) { retryAfter = double.Parse(response.Headers["Retry-After"]); } } else { this.WriteError(new ErrorRecord(we, we.Message + " request-id:" + we.Response.Headers["request-id"], ErrorCategory.InvalidResult, filter)); } } // Waiting until response is closed to re-use request if (needsRetry) { this.WriteWarning(string.Format(LogMessages.GetUserPfxTooManyRequests, retryAfter)); Thread.Sleep(TimeSpan.FromSeconds(retryAfter)); ProcessSingleResponse(request, filter); } }
private void ValidatePasswordDecryptable(UserPFXCertificate userPFXResult, string expectedPassword, string hashAlgorithm, int paddingFlags) { ManagedRSAEncryption encryptionUtility = new ManagedRSAEncryption(); byte[] passwordBytes = Convert.FromBase64String(userPFXResult.EncryptedPfxPassword); byte[] unencryptedPassword = encryptionUtility.DecryptWithLocalKey(userPFXResult.ProviderName, userPFXResult.KeyName, passwordBytes, hashAlgorithm, paddingFlags); string clearTextPassword = Encoding.ASCII.GetString(unencryptedPassword); Assert.AreEqual(clearTextPassword, expectedPassword); }
public static List <UserPFXCertificate> DeserializeUserPFXCertificateList(string value) { JsonArrayWrapper arrayWrapper = JsonConvert.DeserializeObject <JsonArrayWrapper>(value); IEnumerable <JObject> jsonArray = arrayWrapper.Value; JsonSerializer jsonSerializer = JsonSerializer.Create(jSONSettings); List <UserPFXCertificate> entityList = new List <UserPFXCertificate>(); foreach (JObject jObject in jsonArray) { string entityJson = jObject.ToString(); UserPFXCertificate entity = DeserializeUserPFXCertificate(entityJson); entityList.Add(entity); } return(entityList); }
/// <summary> /// ProcessRecord. /// </summary> protected override void ProcessRecord() { if (!Authenticate.AuthTokenIsValid(AuthenticationResult)) { this.ThrowTerminatingError( new ErrorRecord( new AuthenticationException("Cannot get Authentication Token"), "Authentication Failure", ErrorCategory.AuthenticationError, AuthenticationResult)); } Hashtable modulePrivateData = this.MyInvocation.MyCommand.Module.PrivateData as Hashtable; string graphURI = Authenticate.GetGraphURI(modulePrivateData); string schemaVersion = Authenticate.GetSchemaVersion(modulePrivateData); if ((CertificateList == null || CertificateList.Count == 0) && (UserThumbprintList == null || UserThumbprintList.Count == 0) && (UserList == null || UserList.Count == 0)) { this.ThrowTerminatingError( new ErrorRecord( new ArgumentException("No Certificates specified"), "Date Input Failure", ErrorCategory.InvalidArgument, AuthenticationResult)); } if (UserThumbprintList == null) { UserThumbprintList = new List <UserThumbprint>(); } if (UserList != null) { PowerShell ps = PowerShell.Create(); ps.AddCommand("Import-Module").AddParameter("ModuleInfo", this.MyInvocation.MyCommand.Module); ps.Invoke(); ps.Commands.Clear(); ps.AddCommand("Get-IntuneUserPfxCertificate"); ps.AddParameter("AuthenticationResult", AuthenticationResult); ps.AddParameter("UserList", UserList); foreach (PSObject result in ps.Invoke()) { UserPFXCertificate cert = result.BaseObject as UserPFXCertificate; string userId = GetUserPFXCertificate.GetUserIdFromUpn(cert.UserPrincipalName, graphURI, schemaVersion, AuthenticationResult); UserThumbprintList.Add(new UserThumbprint() { User = userId, Thumbprint = cert.Thumbprint }); } } if (CertificateList != null && CertificateList.Count > 0) { foreach (UserPFXCertificate cert in CertificateList) { string userId = GetUserPFXCertificate.GetUserIdFromUpn(cert.UserPrincipalName, graphURI, schemaVersion, AuthenticationResult); UserThumbprintList.Add(new UserThumbprint() { User = userId, Thumbprint = cert.Thumbprint }); } } successCnt = 0; failureCnt = 0; foreach (UserThumbprint userThumbprint in UserThumbprintList) { string url = string.Format(CultureInfo.InvariantCulture, "{0}/{1}/deviceManagement/userPfxCertificates/{2}-{3}", graphURI, schemaVersion, userThumbprint.User, userThumbprint.Thumbprint); HttpWebRequest request; request = CreateWebRequest(url, AuthenticationResult); ProcessResponse(request, userThumbprint.User + "-" + userThumbprint.Thumbprint); } this.WriteCommandDetail(string.Format(LogMessages.RemoveCertificateSuccess, successCnt)); if (failureCnt > 0) { this.WriteWarning(string.Format(LogMessages.RemoveCertificateFailure, successCnt)); } }
private void ProcessResponse(HttpWebRequest request, UserPFXCertificate cert) { bool needsRetry = false; TimeSpan waitTime = TimeSpan.Zero; double retryAfter = 60; // TODO: get a good default wait time. try { using (var response = (HttpWebResponse)request.GetResponse()) { if ((int)response.StatusCode >= 200 && (int)response.StatusCode <= 299) { successCnt++; } else { string responseMessage; using (var rawStream = response.GetResponseStream()) using (var responseReader = new StreamReader(rawStream, Encoding.UTF8)) { responseMessage = responseReader.ReadToEnd(); } failureCnt++; this.WriteError( new ErrorRecord( new InvalidOperationException(string.Format(LogMessages.ImportCertificateFailureWithThumbprint, cert.Thumbprint, response.StatusCode, Environment.NewLine, responseMessage)), "Import Failure:" + responseMessage, ErrorCategory.WriteError, cert)); } } } catch (WebException we) { HttpWebResponse response = we.Response as HttpWebResponse; if (we.Status == WebExceptionStatus.ProtocolError && response.StatusCode == (HttpStatusCode)429) { needsRetry = true; if (response.Headers["x-ms-retry-after-ms"] != null) { retryAfter = double.Parse(response.Headers["x-ms-retry-after-ms"]); } if (response.Headers["Retry-After"] != null) { retryAfter = double.Parse(response.Headers["Retry-After"]); } } else { failureCnt++; var resp = new StreamReader(we.Response.GetResponseStream()).ReadToEnd(); dynamic obj = JsonConvert.DeserializeObject(resp); string messageFromServer; if (obj.error != null) { messageFromServer = obj.error.message.ToString(); } else { messageFromServer = String.Format("Failed to deserialize response {0}", resp); } this.WriteDebug(string.Format("Error Message: {0}", messageFromServer)); this.WriteError( new ErrorRecord( we, "\n\n Error Message" + messageFromServer + "\n\n request-id:" + we.Response.Headers["request-id"], ErrorCategory.WriteError, cert)); } } // Waiting until response is closed to re-use request if (needsRetry) { this.WriteWarning(string.Format(LogMessages.GetUserPfxTooManyRequests, retryAfter)); Thread.Sleep(TimeSpan.FromSeconds(retryAfter)); ProcessResponse(request, cert); } }
public static string SerializeUserPFXCertificate(UserPFXCertificate cert) { string json = JsonConvert.SerializeObject(cert, Formatting.Indented, jSONSettings); return(json); }
protected override void ProcessRecord() { byte[] pfxData; if (this.ParameterSetName == PFXBase64String) { pfxData = Convert.FromBase64String(Base64EncodedPfx); } else { pfxData = File.ReadAllBytes(PathToPfxFile); } X509Certificate2 pfxCert = new X509Certificate2(); try { pfxCert.Import(pfxData, PfxPassword, X509KeyStorageFlags.DefaultKeySet); } catch (CryptographicException ex) { if (ex.HResult == ErrorCodeCantOpenFile) { ThrowTerminatingError( new ErrorRecord( new ArgumentException( string.Format("Could not Read Thumbprint on file at path: '{0}'. File must be a certificate.", PathToPfxFile), ex), Guid.NewGuid().ToString(), ErrorCategory.InvalidArgument, null)); } else if (ex.HResult == ErrorCodeNetworkPasswordIncorrect) { ThrowTerminatingError( new ErrorRecord( new ArgumentException("Could not Read Thumbprint. Verify Password is Correct.", ex), Guid.NewGuid().ToString(), ErrorCategory.InvalidArgument, null)); } else { ThrowTerminatingError( new ErrorRecord( new ArgumentException("Could not Read Thumbprint. Unknown Cause", ex), Guid.NewGuid().ToString(), ErrorCategory.InvalidArgument, null)); } } ManagedRSAEncryption encryptUtility = new ManagedRSAEncryption(); byte[] password = new byte[PfxPassword.Length]; GCHandle pinnedPasswordHandle = GCHandle.Alloc(password, GCHandleType.Pinned); byte[] encryptedPassword = null; try { ConvertSecureStringToByteArray(PfxPassword, ref password); string hashAlgorithm; int paddingFlags; switch (PaddingScheme) { case UserPfxPaddingScheme.Pkcs1: case UserPfxPaddingScheme.OaepSha1: ThrowTerminatingError( new ErrorRecord( new ArgumentException("Pkcs1 and OaepSha1 are no longer supported."), Guid.NewGuid().ToString(), ErrorCategory.InvalidArgument, null)); return; case UserPfxPaddingScheme.OaepSha256: hashAlgorithm = PaddingHashAlgorithmNames.SHA256; paddingFlags = PaddingFlags.OAEPPadding; break; case UserPfxPaddingScheme.OaepSha384: hashAlgorithm = PaddingHashAlgorithmNames.SHA384; paddingFlags = PaddingFlags.OAEPPadding; break; case UserPfxPaddingScheme.None: PaddingScheme = UserPfxPaddingScheme.OaepSha512; goto default; // Since C# doesn't allow switch-case fall-through! case UserPfxPaddingScheme.OaepSha512: default: hashAlgorithm = PaddingHashAlgorithmNames.SHA512; paddingFlags = PaddingFlags.OAEPPadding; break; } if (KeyFilePath != null) { encryptedPassword = encryptUtility.EncryptWithFileKey(KeyFilePath, password, hashAlgorithm, paddingFlags); } else { encryptedPassword = encryptUtility.EncryptWithLocalKey(ProviderName, KeyName, password, hashAlgorithm, paddingFlags); } } finally { if (password != null) { password.ZeroFill(); } if (pinnedPasswordHandle.IsAllocated) { pinnedPasswordHandle.Free(); } } string encryptedPasswordString = Convert.ToBase64String(encryptedPassword); UserPFXCertificate userPfxCertifiate = new UserPFXCertificate(); userPfxCertifiate.Thumbprint = pfxCert.Thumbprint.ToLowerInvariant(); userPfxCertifiate.IntendedPurpose = (UserPfxIntendedPurpose)IntendedPurpose; userPfxCertifiate.PaddingScheme = (UserPfxPaddingScheme)PaddingScheme; userPfxCertifiate.KeyName = KeyName; userPfxCertifiate.UserPrincipalName = UPN; userPfxCertifiate.ProviderName = ProviderName; userPfxCertifiate.StartDateTime = Convert.ToDateTime(pfxCert.GetEffectiveDateString(), CultureInfo.CurrentCulture); userPfxCertifiate.ExpirationDateTime = Convert.ToDateTime(pfxCert.GetExpirationDateString(), CultureInfo.CurrentCulture); userPfxCertifiate.CreatedDateTime = DateTime.Now; userPfxCertifiate.LastModifiedDateTime = DateTime.Now; userPfxCertifiate.EncryptedPfxPassword = encryptedPasswordString; userPfxCertifiate.EncryptedPfxBlob = pfxData; WriteObject(userPfxCertifiate); }