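        // Requests a certificate to be generated by the Bridge based on a user name and not machine name.
        //
        // Reads the 'subject' request property, a comma-separated list of subjects. subjects[0] is the cache
        // key: a later PUT with the same first subject returns the already-issued certificate instead of
        // generating a new one. The certificate is cached both by that subject and by its thumbprint.
        // Returns a response carrying only the certificate thumbprint (the certificate itself is fetched via GET).
        // Throws ArgumentException when 'subject' is missing or blank, or when any comma-separated entry is
        // empty (e.g. ",foo" or "foo,,bar"), which would otherwise turn into an empty subject name and cache key.
        public override ResourceResponse Put(ResourceRequestContext context)
        {
            X509Certificate2 certificate;

            string subject;
            if (!context.Properties.TryGetValue(subjectKeyName, out subject) || string.IsNullOrWhiteSpace(subject))
            {
                throw new ArgumentException("When PUTting to this resource, specify an non-empty 'subject'", "context.Properties");
            }

            // There can be multiple subjects, separated by ,
            string[] subjects = subject.Split(',');

            // The whitespace check above covers the string as a whole only; ",foo" or "foo,," still pass it and
            // would hand an empty subject to the generator and an empty key to the cache. Reject those here.
            foreach (string entry in subjects)
            {
                if (string.IsNullOrWhiteSpace(entry))
                {
                    throw new ArgumentException("When PUTting to this resource, every comma-separated 'subject' entry must be non-empty", "context.Properties");
                }
            }

            lock (s_certificateResourceLock)
            {
                // Only the first subject is the cache key; the remaining entries are not consulted on a cache hit.
                if (!s_createdCertsBySubject.TryGetValue(subjects[0], out certificate))
                {
                    CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);

                    certificate = generator.CreateUserCertificate(subjects).Certificate;

                    // Cache the certificates
                    s_createdCertsBySubject.Add(subjects[0], certificate);
                    s_createdCertsByThumbprint.Add(certificate.Thumbprint, certificate);
                }
            }

            ResourceResponse response = new ResourceResponse();
            response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);

            return response;
        }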
        // A bit of a misnomer - you can't really "put" a cert here, and Get will always return you the cert anyway.
        // PUT on the authority resource creates nothing: it only reports the thumbprint of the Bridge's existing
        // authority (CA) certificate so callers can follow the usual PUT-then-GET flow of the other resources.
        public override ResourceResponse Put(ResourceRequestContext context)
        {
            CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);
            X509Certificate2 authorityCertificate = generator.AuthorityCertificate.Certificate;

            ResourceResponse response = new ResourceResponse();
            response.Properties.Add(thumbprintKeyName, authorityCertificate.Thumbprint);
            return response;
        }
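        // Requests a certificate to be generated by the Bridge
        // If the certificate requested is for the local machine, for example if 
        // server hostname is: foo.bar.com
        // local address is considered to be: 127.0.0.1, localhost, foo, foo.bar.com
        // Then we also install the certificate to the local machine, because it means we are about to run an HTTPS/SSL test against 
        // this machine. 
        // Otherwise, don't bother installing as the cert is for a remote machine. 
        //
        // Input: the 'subject' request property, a comma-separated list; subjects[0] is the cache key and is the
        // name used to decide locality. Output: the certificate thumbprint and an 'isLocal' flag on the response.
        // Throws ArgumentException when 'subject' is missing or blank, or when any comma-separated entry is empty.
        public override ResourceResponse Put(ResourceRequestContext context)
        {
            X509Certificate2 certificate;

            string subject;
            if (!context.Properties.TryGetValue(subjectKeyName, out subject) || string.IsNullOrWhiteSpace(subject))
            {
                throw new ArgumentException("When PUTting to this resource, specify an non-empty 'subject'", "context.Properties");
            }

            // There can be multiple subjects, separated by ,
            string[] subjects = subject.Split(',');

            // The check above only rejects a blank string as a whole; ",foo" or "foo,," would still get through
            // with an empty entry that becomes an empty subject, an empty cache key, and an empty locality probe.
            foreach (string entry in subjects)
            {
                if (string.IsNullOrWhiteSpace(entry))
                {
                    throw new ArgumentException("When PUTting to this resource, every comma-separated 'subject' entry must be non-empty", "context.Properties");
                }
            }

            bool isLocal = IsLocalMachineResource(subjects[0]);

            lock (s_certificateResourceLock)
            {
                if (!s_createdCertsBySubject.TryGetValue(subjects[0], out certificate))
                {
                    CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);

                    if (isLocal)
                    {
                        // If we're PUTting a cert that refers to a hostname local to the bridge, 
                        // return the Local Machine cert that CertificateManager caches and add it to the collection
                        //
                        // If we are receiving a PUT to the same endpoint address as the bridge server, it means that 
                        // a test is going to be run on this box
                        //
                        // In keeping with the semantic of these classes, we must PUT before we can GET a cert
                        certificate = CertificateManager.CreateAndInstallLocalMachineCertificates(generator);
                    }
                    else
                    {
                        CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings() { Subjects = subjects, };
                        certificate = generator.CreateMachineCertificate(certificateCreationSettings).Certificate;
                    }

                    X509Certificate2 dummy;
                    if (!isLocal || !s_createdCertsByThumbprint.TryGetValue(certificate.Thumbprint, out dummy))
                    {
                        // when isLocal, it's possible for there to be > 1 subject sharing the same thumbprint
                        // in this case, we only cache the first isLocal subject, the rest we don't cache
                        // (a later PUT for such an uncached local subject re-enters this branch rather than hitting the cache)
                        s_createdCertsBySubject.Add(subjects[0], certificate);
                        s_createdCertsByThumbprint.Add(certificate.Thumbprint, certificate);
                    }
                }
            }

            ResourceResponse response = new ResourceResponse();
            response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
            response.Properties.Add(isLocalKeyName, isLocal.ToString());

            return response;
        }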
        // GET returns the Bridge's current CRL, as produced by the certificate generator, in the raw response body.
        // The same lock that guards certificate creation and revocation is taken so the CRL is not read while
        // another request is changing the revocation state.
        public override ResourceResponse Get(ResourceRequestContext context)
        {
            CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);

            lock (s_certificateResourceLock)
            {
                ResourceResponse response = new ResourceResponse
                {
                    RawResponse = generator.CrlEncoded
                };
                return response;
            }
        }
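        // Requests a certificate to be generated by the Bridge based on a user name and not machine name.
        //
        // Reads the 'subject' request property, a comma-separated list. subjects[0] becomes the certificate
        // Subject and the cache key; the whole list is passed as SubjectAlternativeNames. A later PUT with the
        // same first subject returns the already-issued certificate. New certificates are cached by subject and
        // by thumbprint and installed into the local "My" store (see the comment below for why).
        // Returns a response carrying only the thumbprint; the certificate itself is fetched via GET.
        // Throws ArgumentException when 'subject' is missing or blank, or when any comma-separated entry is empty.
        public override ResourceResponse Put(ResourceRequestContext context)
        {
            X509Certificate2 certificate;

            string subject;
            if (!context.Properties.TryGetValue(subjectKeyName, out subject) || string.IsNullOrWhiteSpace(subject))
            {
                throw new ArgumentException("When PUTting to this resource, specify an non-empty 'subject'", "context.Properties");
            }

            // There can be multiple subjects, separated by ,
            string[] subjects = subject.Split(',');

            // The check above only covers the whole string; ",foo" or "foo,," would still pass and produce an
            // empty Subject / SAN entry and an empty cache key. Reject such input explicitly.
            foreach (string entry in subjects)
            {
                if (string.IsNullOrWhiteSpace(entry))
                {
                    throw new ArgumentException("When PUTting to this resource, every comma-separated 'subject' entry must be non-empty", "context.Properties");
                }
            }

            lock (s_certificateResourceLock)
            {
                if (!s_createdCertsBySubject.TryGetValue(subjects[0], out certificate))
                {
                    CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);

                    CertificateCreationSettings certificateCreationSettings = new CertificateCreationSettings()
                    {
                        FriendlyName = "WCF Bridge - UserCertificateResource",
                        Subject = subjects[0],
                        SubjectAlternativeNames = subjects
                    };
                    certificate = generator.CreateUserCertificate(certificateCreationSettings).Certificate;

                    // Cache the certificates
                    s_createdCertsBySubject.Add(subjects[0], certificate);
                    s_createdCertsByThumbprint.Add(certificate.Thumbprint, certificate);

                    // Created certs get put onto the local machine
                    // We ideally don't want this to happen, but until we find a way to have BridgeClient not need elevation for cert installs
                    // we need this to happen so that running locally doesn't require elevation as it messes up our CI and developer builds
                    CertificateManager.InstallCertificateToMyStore(certificate);
                }
            }

            ResourceResponse response = new ResourceResponse();
            response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);

            return response;
        }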
        // GET on the authority resource returns the Bridge's CA certificate. Only the public certificate is
        // exposed (RawData / PEM), never the authority's private key.
        // With the 'exportAsPem' property set to a value that parses as true, the raw response body is the PEM
        // text; otherwise the thumbprint and the base64 DER bytes are returned as response properties.
        public override ResourceResponse Get(ResourceRequestContext context)
        {
            CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);
            X509Certificate2 authorityCertificate = generator.AuthorityCertificate.Certificate;

            // Any missing or unparsable value means "not PEM".
            string exportAsPemValue;
            bool exportAsPem;
            bool pemRequested = context.Properties.TryGetValue(exportAsPemKeyName, out exportAsPemValue)
                && bool.TryParse(exportAsPemValue, out exportAsPem)
                && exportAsPem;

            ResourceResponse response = new ResourceResponse();

            if (pemRequested)
            {
                response.RawResponse = Encoding.ASCII.GetBytes(GetCertificateAsPem(authorityCertificate));
                return response;
            }

            response.Properties.Add(thumbprintKeyName, authorityCertificate.Thumbprint);
            response.Properties.Add(certificateKeyName, Convert.ToBase64String(authorityCertificate.RawData));
            return response;
        }
        // PUT on the revocation resource. When the 'revokeSerialNumber' property is present and non-blank, the
        // certificate with that serial number is revoked through the generator. In every case the response
        // carries the CRL URI and the comma-separated list of serial numbers revoked so far.
        // NOTE(review): the serial number is forwarded as received, with no authorization check on this side;
        // any client that can reach the Bridge can revoke. Acceptable only if the Bridge is reachable solely by
        // the test harness - confirm.
        public override ResourceResponse Put(ResourceRequestContext context)
        {
            CertificateGenerator generator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);

            lock (s_certificateResourceLock)
            {
                string serialNumber;
                bool revokeRequested = context.Properties.TryGetValue(revokeSerialNumberKeyName, out serialNumber)
                    && !string.IsNullOrWhiteSpace(serialNumber);

                if (revokeRequested)
                {
                    generator.RevokeCertificateBySerialNumber(serialNumber);
                }

                ResourceResponse response = new ResourceResponse();
                response.Properties.Add(crlUriKeyName, generator.CrlUri);
                response.Properties.Add(revokedCertificatesKeyName, string.Join<string>(",", generator.RevokedCertificates));
                return response;
            }
        }
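        // GET on the certificate resource.
        // - Neither 'thumbprint' nor 'subject' given: lists every subject PUT so far, with the matching thumbprints,
        //   as two parallel comma-separated properties.
        // - Otherwise looks the certificate up by thumbprint (preferred) or subject. If it was created, the response
        //   carries its thumbprint and a base64 PFX protected with the generator's CertificatePassword. The PFX
        //   export includes the PRIVATE KEY, so anyone who can reach this resource with a known thumbprint or
        //   subject obtains the key material of any certificate the Bridge issued.
        //   NOTE(review): there is no authorization on this path; the Bridge appears to be test infrastructure,
        //   so this is tolerable only while it is reachable solely by the test harness - confirm.
        // - If the certificate was never created, both properties are returned empty rather than failing.
        public override ResourceResponse Get(ResourceRequestContext context)
        {
            string thumbprint;
            bool thumbprintPresent = context.Properties.TryGetValue(thumbprintKeyName, out thumbprint) && !string.IsNullOrWhiteSpace(thumbprint);

            string subject;
            bool subjectPresent = context.Properties.TryGetValue(subjectKeyName, out subject) && !string.IsNullOrWhiteSpace(subject);

            ResourceResponse response = new ResourceResponse();

            // if no subject and no thumbprint parameter provided, provide a list of certs already PUT to this resource 
            if (!thumbprintPresent && !subjectPresent)
            {
                string[] subjects;
                string[] thumbprints;

                // Snapshot under the lock so the two arrays stay aligned even if a PUT runs concurrently.
                lock (s_certificateResourceLock)
                {
                    int certNum = s_createdCertsBySubject.Count;
                    subjects = new string[certNum];
                    thumbprints = new string[certNum];

                    // Filled from the last slot backwards; the resulting order is simply the reverse of the
                    // dictionary's enumeration order and carries no meaning.
                    foreach (var keyVal in s_createdCertsBySubject)
                    {
                        --certNum;
                        subjects[certNum] = keyVal.Key;
                        thumbprints[certNum] = keyVal.Value.Thumbprint;
                    }
                }

                // this isn't ideal, as semantically in JSON they aren't grouped together. Our current Json serializer implementation 
                // doesn't support serializing nested key-val pairs
                response.Properties.Add(subjectsKeyName, string.Join(",", subjects));
                response.Properties.Add(thumbprintsKeyName, string.Join(",", thumbprints));
                return response;
            }
            else
            {
                // Otherwise, check on the creation state given the certificate thumbprint or subject
                // thumbprint is given priority if present

                X509Certificate2 certificate = null;
                bool certHasBeenCreated = false;

                lock (s_certificateResourceLock)
                {
                    if (thumbprintPresent)
                    {
                        certHasBeenCreated = s_createdCertsByThumbprint.TryGetValue(thumbprint, out certificate);
                    }
                    else if (subjectPresent)
                    {
                        certHasBeenCreated = s_createdCertsBySubject.TryGetValue(subject, out certificate);
                    }
                }

                if (certHasBeenCreated)
                {
                    var certGenerator = CertificateResourceHelpers.GetCertificateGeneratorInstance(context.BridgeConfiguration);

                    // PFX (PKCS#12) export: certificate plus private key, encrypted with the shared generator password.
                    response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
                    response.Properties.Add(certificateKeyName, Convert.ToBase64String(certificate.Export(X509ContentType.Pfx, certGenerator.CertificatePassword)));
                }
                else
                {
                    response.Properties.Add(thumbprintKeyName, string.Empty);
                    response.Properties.Add(certificateKeyName, string.Empty);
                }
                return response;
            }
        }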
 // GET hands back the Bridge's test credentials (username, password, digest realm) as response properties,
 // delegating the actual values to AuthenticationResourceHelper.
 // NOTE(review): the password value is returned to any caller; confirm the Bridge is reachable only by the test harness.
 public ResourceResponse Get(ResourceRequestContext context)
 {
     var credentialsResponse = new ResourceResponse();
     AuthenticationResourceHelper.AddCredentialsToResponse(credentialsResponse);
     return credentialsResponse;
 }
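        // GET on the certificate resource.
        // - Neither 'thumbprint' nor 'subject' given: lists every subject PUT so far, with the matching thumbprints,
        //   as two parallel comma-separated properties.
        // - Otherwise looks the certificate up by thumbprint (preferred) or subject and, if it was created, returns
        //   its thumbprint and its base64 DER bytes (RawData - public certificate only, no private key).
        // - If the certificate was never created, both properties are returned empty rather than failing.
        public override ResourceResponse Get(ResourceRequestContext context)
        {
            string thumbprint;
            bool thumbprintPresent = context.Properties.TryGetValue(thumbprintKeyName, out thumbprint) && !string.IsNullOrWhiteSpace(thumbprint);

            string subject;
            bool subjectPresent = context.Properties.TryGetValue(subjectKeyName, out subject) && !string.IsNullOrWhiteSpace(subject);

            ResourceResponse response = new ResourceResponse();

            // if no subject and no thumbprint parameter provided, provide a list of certs already PUT to this resource 
            if (!thumbprintPresent && !subjectPresent)
            {
                string[] subjects;
                string[] thumbprints;

                // Snapshot under the lock so the two arrays stay aligned even if a PUT runs concurrently.
                lock (s_certificateResourceLock)
                {
                    int certNum = s_createdCertsBySubject.Count;
                    subjects = new string[certNum];
                    thumbprints = new string[certNum];

                    // Filled from the last slot backwards; the resulting order is simply the reverse of the
                    // dictionary's enumeration order and carries no meaning.
                    foreach (var keyVal in s_createdCertsBySubject)
                    {
                        --certNum;
                        subjects[certNum] = keyVal.Key;
                        thumbprints[certNum] = keyVal.Value.Thumbprint;
                    }
                }

                // Two parallel comma-separated lists rather than nested pairs; the response serializer is flat.
                response.Properties.Add(subjectsKeyName, string.Join(",", subjects));
                response.Properties.Add(thumbprintsKeyName, string.Join(",", thumbprints));
                return response;
            }
            else
            {
                // Otherwise, check on the creation state given the certificate thumbprint or subject
                // thumbprint is given priority if present

                X509Certificate2 certificate = null;
                bool certHasBeenCreated = false;

                lock (s_certificateResourceLock)
                {
                    if (thumbprintPresent)
                    {
                        certHasBeenCreated = s_createdCertsByThumbprint.TryGetValue(thumbprint, out certificate);
                    }
                    else if (subjectPresent)
                    {
                        certHasBeenCreated = s_createdCertsBySubject.TryGetValue(subject, out certificate);
                    }
                }

                if (certHasBeenCreated)
                {
                    response.Properties.Add(thumbprintKeyName, certificate.Thumbprint);
                    response.Properties.Add(certificateKeyName, Convert.ToBase64String(certificate.RawData));
                }
                else
                {
                    response.Properties.Add(thumbprintKeyName, string.Empty);
                    response.Properties.Add(certificateKeyName, string.Empty);
                }
                return response;
            }
        }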
 // Copies the Bridge's test credentials - username, password and digest realm - into the given response's properties.
 // NOTE(review): s_password is emitted as a plain response property; confirm the Bridge is only reachable by the test harness.
 public static void AddCredentialsToResponse(ResourceResponse response)
 {
     var properties = response.Properties;
     properties.Add(usernameKeyName, s_username);
     properties.Add(passwordKeyName, s_password);
     properties.Add(digestRealmKeyName, s_digestrealm);
 }