/// <summary>
/// Updates management interface flags by writing them to Certification Authority.
/// </summary>
/// <param name="restart">
/// Indiciates whether to restart certificate services to immediately apply changes. Updated settings has no effect
/// until CA service is restarted.
/// </param>
/// <exception cref="UnauthorizedAccessException">
/// The caller do not have sufficient permissions to make changes in the CA configuration.
/// </exception>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>The caller must have <strong>Administrator</strong> permissions on the target CA server.</remarks>
public Boolean SetInfo(Boolean restart)
{
if (IsModified)
{
if (CryptoRegistry.Ping(ComputerName))
{
CryptoRegistry.SetRReg((Int32)InterfaceFlags, "InterfaceFlags", RegistryValueKind.DWord, Name, ComputerName);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
if (CertificateAuthority.Ping(ComputerName))
{
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "InterfaceFlags", (Int32)InterfaceFlags);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
return(false);
}
void m_initialize(CertificateAuthority certificateAuthority)
{
String[] urls;
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
if (CryptoRegistry.Ping(ComputerName))
{
urls = (String[])CryptoRegistry.GetRReg("CACertPublicationURLs", Name, ComputerName);
}
else
{
if (CertificateAuthority.Ping(ComputerName))
{
urls = (String[])CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CACertPublicationURLs");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
m_aia = urls.Select(url => new AIA(url)).ToArray();
}
void getConfig(String computerName, String caName = null)
{
// if we found CA in DS, we are just fine, no need to touch CA server.
if (foundInDs)
{
ComputerName = computerName;
Name = caName;
ConfigString = ConfigString = ComputerName + "\\" + Name;
return;
}
// otherwise:
// 1. if registry is accessible, read actual config string from registry
if (RegistryOnline)
{
ComputerName = (String)CryptoRegistry.GetRReg("CAServerName", Active, computerName);
Name = (String)CryptoRegistry.GetRReg("CommonName", Active, computerName);
}
else
{
// 2. if registry is not accessible, we must have a CA name in order to read it from ICertAdmin::GetConfig
if (!String.IsNullOrEmpty(caName) && IsAccessible)
{
String configString = $@"{computerName}\{caName}";
ComputerName = (String)CryptoRegistry.GetRegFallback(configString, String.Empty, "CAServerName");
Name = (String)CryptoRegistry.GetRegFallback(configString, String.Empty, "CommonName");
}
else
{
var e = new ServerUnavailableException(computerName);
e.Data.Add(nameof(e.Source), OfflineSource.DCOM | OfflineSource.Registry);
throw e;
}
}
ConfigString = ComputerName + "\\" + Name;
}
/// <summary>
/// Gets the access control list (<strong>ACL</strong>) for the current Certification Authority.
/// </summary>
/// <returns>An ACL object.</returns>
/// <remarks>Returned object inherits from <see cref="CommonObjectSecurity"/> and implements common methods.</remarks>
public CASecurityDescriptor GetSecurityDescriptor()
{
var sd = new CASecurityDescriptor(this);
Byte[] sdBinary;
if (CryptoRegistry.Ping(ComputerName))
{
sdBinary = (Byte[])CryptoRegistry.GetRReg("Security", Name, ComputerName);
}
else
{
if (Ping(ComputerName))
{
sdBinary = (Byte[])CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "Security");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
sd.SetSecurityDescriptorBinaryForm(sdBinary);
return(sd);
}
void m_initialize(CertificateAuthority certificateAuthority)
{
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
if (CryptoRegistry.Ping(ComputerName))
{
m_validity = Convert.ToString((Int32)CryptoRegistry.GetRReg("ValidityPeriodUnits", Name, ComputerName)) + " ";
m_validity += (String)CryptoRegistry.GetRReg("ValidityPeriod", Name, ComputerName);
}
else
{
if (certificateAuthority.Ping())
{
m_validity = Convert.ToString((Int32)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "ValidityPeriodUnits"));
m_validity += (String)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "ValidityPeriod");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
}
void m_initialize(CertificateAuthority certificateAuthority)
{
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
Version = certificateAuthority.Version;
if (CryptoRegistry.Ping(ComputerName))
{
CRLFlags = (CRLFlagEnum)CryptoRegistry.GetRReg("CRLFlags", Name, ComputerName);
}
else
{
if (CertificateAuthority.Ping(ComputerName))
{
CRLFlags = (CRLFlagEnum)CryptoRegistry.GetRegFallback(ConfigString, "", "CRLFlags");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
}
/// <summary>
/// Updates Authority Information Access configuration by writing them to Certification Authority.
/// </summary>
/// <param name="restart">Indiciates whether to restart certificate services to immediately apply changes. Updated settings has no effect until
/// CA service is restarted.
/// </param>
/// <remarks>
/// For this method to succeed, the caller must be granted CA <strong>Administrator</strong> permissions.
/// </remarks>
/// <exception cref="UnauthorizedAccessException">
/// The caller do not have sufficient permissions to make changes in the CA configuration.
/// </exception>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>The caller must have <strong>Administrator</strong> permissions on the target CA server.</remarks>
public Boolean SetInfo(Boolean restart)
{
if (IsModified)
{
List <String> strings = URI.Length > 0
? URI.Select(str => str.RegURI).ToList()
: null;
if (CryptoRegistry.Ping(ComputerName))
{
CryptoRegistry.SetRReg(strings, "CACertPublicationURLs", Name, ComputerName);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
if (CertificateAuthority.Ping(ComputerName))
{
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CACertPublicationURLs", strings);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
return(false);
}
/// <summary>
/// Updates policy module flags by writing them to Certification Authority.
/// </summary>
/// <param name="restart">
/// Indicates whether to restart certificate services to immediately apply changes. Updated settings has no effect
/// until CA service is restarted.
/// </param>
/// <exception cref="UnauthorizedAccessException">
/// The caller do not have sufficient permissions to make changes in the CA configuration.
/// </exception>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>The caller must have <strong>Administrator</strong> permissions on the target CA server.</remarks>
public Boolean SetInfo(Boolean restart)
{
if (IsModified)
{
if (CryptoRegistry.Ping(ComputerName))
{
CryptoRegistry.SetRReg((Int32)EditFlags, "EditFlags", RegistryValueKind.DWord, $@"{Name}\PolicyModules\{activePolicyModule}", ComputerName);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
if (CertificateAuthority.Ping(ComputerName))
{
CryptoRegistry.SetRegFallback(configString, $@"PolicyModules\{activePolicyModule}", "EditFlags", (Int32)EditFlags);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
return(false);
}
/// <summary>
/// Updates issued certificate validity setting. Any issued certificate validity cannot exceed this value.
/// </summary>
/// <param name="restart">
/// Indiciates whether to restart certificate services to immediately apply changes. Updated settings has no effect until
/// CA service is restarted.
/// </param>
/// <exception cref="UnauthorizedAccessException">
/// The caller do not have sufficient permissions to make changes in the CA configuration.
/// </exception>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>The caller must have <strong>Administrator</strong> permissions on the target CA server.</remarks>
public Boolean SetInfo(Boolean restart)
{
if (!IsModified)
{
return(false);
}
if (CryptoRegistry.Ping(ComputerName))
{
CryptoRegistry.SetRReg(Period, "ValidityPeriodUnits", RegistryValueKind.DWord, Name, ComputerName);
CryptoRegistry.SetRReg(PeriodUnits, "ValidityPeriod", RegistryValueKind.String, Name, ComputerName);
IsModified = false;
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
return(true);
}
if (CertificateAuthority.Ping(ComputerName))
{
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "ValidityPeriodUnits", Period);
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "ValidityPeriod", PeriodUnits);
IsModified = false;
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
return(true);
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
/// <summary>
/// Writes this object to a securable object's Access Control List.
/// </summary>
/// <param name="restart">
/// Indiciates whether to restart certificate services to immediately apply changes. Updated settings has
/// no effect until CA service is restarted.
/// </param>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
public void SetObjectSecurity(Boolean restart)
{
if (CryptoRegistry.Ping(ComputerName))
{
CryptoRegistry.SetRReg(GetSecurityDescriptorBinaryForm(), "Security", _name, ComputerName);
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
return;
}
if (CertificateAuthority.Ping(ComputerName))
{
CryptoRegistry.SetRegFallback(_config, String.Empty, "Security", GetSecurityDescriptorBinaryForm());
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
return;
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add("Source", (OfflineSource)3);
throw e;
}
/// <param name="computerName">Specifies the fully qualified domain name (FQDN) of the computer where Certificate Services
/// are installed.</param>
/// <exception cref="ArgumentNullException">Te <strong>computerName</strong> parameter is null or empty.</exception>
/// <exception cref="ServerUnavailableException">The computer specified in the <strong>computerName</strong>
/// parameter could not be contacted via remote registry.</exception>
public CertificateAuthority(String computerName)
{
if (String.IsNullOrEmpty(computerName))
{
throw new ArgumentNullException(nameof(computerName));
}
RegistryOnline = CryptoRegistry.Ping(computerName);
IsAccessible = Ping(computerName);
lookInDs(computerName);
if (foundInDs)
{
buildFromCertConfigOnly();
initializeFromConfigString(ComputerName, Name);
}
else
{
if (RegistryOnline)
{
initializeFromServerName(computerName);
}
else
{
ServerUnavailableException e = new ServerUnavailableException(computerName);
e.Data.Add(nameof(e.Source), OfflineSource.Registry);
throw e;
}
}
}
void getType()
{
Int32 type;
if (RegistryOnline)
{
type = (Int32)CryptoRegistry.GetRReg("CAType", Active, ComputerName);
}
else
{
type = (Int32)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CAType");
}
switch (type)
{
case 0: Type = "Enterprise Root CA"; IsEnterprise = true; break;
case 1: Type = "Enterprise Subordinate CA"; IsEnterprise = true; break;
case 3: Type = "Standalone Root CA"; break;
case 4: Type = "Standalone Subordinate CA"; break;
default: Type = "Undefined"; break;
}
}
void m_initialize(CertificateAuthority certificateAuthority)
{
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
configString = certificateAuthority.ConfigString;
version = certificateAuthority.Version;
isEnterprise = certificateAuthority.IsEnterprise;
if (CryptoRegistry.Ping(ComputerName))
{
activePolicyModule = (String)CryptoRegistry.GetRReg("Active", $@"{Name}\PolicyModules", ComputerName);
EditFlags = (PolicyModuleFlagEnum)CryptoRegistry.GetRReg("EditFlags", $@"{Name}\PolicyModules\{activePolicyModule}", ComputerName);
}
else
{
if (CertificateAuthority.Ping(ComputerName))
{
activePolicyModule = (String)CryptoRegistry.GetRegFallback(configString, "PolicyModules", "EditFlags");
EditFlags = (PolicyModuleFlagEnum)CryptoRegistry.GetRegFallback(configString, $@"PolicyModules\{activePolicyModule}", "EditFlags");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
}
void m_initialize(CertificateAuthority certificateAuthority)
{
String[] urls;
keyMap = certificateAuthority.GetKeyMap();
buildVarValueMapping(certificateAuthority);
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
if (CryptoRegistry.Ping(ComputerName))
{
urls = (String[])CryptoRegistry.GetRReg("CRLPublicationURLs", Name, ComputerName);
}
else
{
if (CertificateAuthority.Ping(ComputerName))
{
urls = (String[])CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLPublicationURLs");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
m_cdp = urls.Select(url => new CDP(url)).ToArray();
ResolveUrLs();
}
void pingRegistry(String computerName)
{
RegistryOnline = CryptoRegistry.Ping(computerName);
if (RegistryOnline)
{
Active = (String)CryptoRegistry.GetRReg("Active", "", computerName);
}
}
/// <summary>
/// Updates policy module extension lists by writing them to Certification Authority.
/// </summary>
/// <param name="restart">
/// Indiciates whether to restart certificate services to immediately apply changes. Updated settings has no effect
/// until CA service is restarted.</param>
/// <exception cref="UnauthorizedAccessException">
/// If the caller do not have sufficient permissions to make changes in the CA configuration.
/// </exception>
/// <exception cref="ServerUnavailableException">
/// If the target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>The caller must have <strong>Administrator</strong> permissions on the target CA server.</remarks>
public Boolean SetInfo(Boolean restart)
{
if (IsModified)
{
List <String> oidstrings;
if (CryptoRegistry.Ping(ComputerName))
{
String path = $@"{Name}\PolicyModules\{ActivePolicyModule}";
oidstrings = EnabledExtensionList.Select(oid => oid.Value).ToList();
CryptoRegistry.SetRReg(oidstrings, "EnableRequestExtensionList", path, ComputerName);
oidstrings.Clear();
oidstrings.AddRange(OfflineExtensionList.Select(oid => oid.Value));
CryptoRegistry.SetRReg(oidstrings, "EnableEnrolleeRequestExtensionList", path, ComputerName);
oidstrings.Clear();
oidstrings.AddRange(DisabledExtensionList.Select(oid => oid.Value));
CryptoRegistry.SetRReg(oidstrings, "DisableExtensionList", path, ComputerName);
oidstrings.Clear();
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
if (CertificateAuthority.Ping(ComputerName))
{
String path = $@"PolicyModules\{ActivePolicyModule}";
oidstrings = EnabledExtensionList.Select(oid => oid.Value).ToList();
CryptoRegistry.SetRegFallback(ConfigString, path, "EnableRequestExtensionList", oidstrings.ToArray());
oidstrings.Clear();
oidstrings.AddRange(OfflineExtensionList.Select(oid => oid.Value));
CryptoRegistry.SetRegFallback(ConfigString, path, "EnableEnrolleeRequestExtensionList", oidstrings.ToArray());
oidstrings.Clear();
oidstrings.AddRange(DisabledExtensionList.Select(oid => oid.Value));
CryptoRegistry.SetRegFallback(ConfigString, path, "DisableExtensionList", oidstrings.ToArray());
oidstrings.Clear();
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
return(false);
}
/// <summary>
/// Updates CA server cryptography settings by writing them to Certification Authority.
/// </summary>
/// <param name="restart">
/// Indiciates whether to restart certificate services to immediately apply changes. Updated settings has no effect
/// until CA service is restarted.
/// </param>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>
/// The caller must have <strong>Administrator</strong> permissions on the target CA server.
/// </remarks>
public Boolean SetInfo(Boolean restart)
{
if (!IsModified)
{
return(false);
}
if (CryptoRegistry.Ping(ComputerName))
{
if (ProviderIsCNG)
{
CryptoRegistry.SetRReg(publicKeyAlgorithm.FriendlyName, "CNGPublicKeyAlgorithm", RegistryValueKind.String, Name + "\\CSP", ComputerName);
CryptoRegistry.SetRReg(hashingAlgorithm.FriendlyName, "CNGHashAlgorithm", RegistryValueKind.String, Name + "\\CSP", ComputerName);
if (alternateSignatureAlgorithm)
{
CryptoRegistry.SetRReg(1, "AlternateSignatureAlgorithm", RegistryValueKind.String, $@"{Name}\CSP", ComputerName);
}
else
{
CryptoRegistry.SetRReg(0, "AlternateSignatureAlgorithm", RegistryValueKind.DWord, $@"{Name}\CSP", ComputerName);
}
}
else
{
CryptoRegistry.SetRReg(getValueFromOid(hashingAlgorithm), "HashAlgorithm", RegistryValueKind.DWord, $@"{Name}\CSP", ComputerName);
}
}
else
{
if (CertificateAuthority.Ping(ComputerName))
{
if (ProviderIsCNG)
{
CryptoRegistry.SetRegFallback(ConfigString, "CSP", "CNGPublicKeyAlgorithm", publicKeyAlgorithm.FriendlyName);
CryptoRegistry.SetRegFallback(ConfigString, "CSP", "CNGHashAlgorithm", hashingAlgorithm.FriendlyName);
CryptoRegistry.SetRegFallback(ConfigString, "CSP", "CNGHashAlgorithm", alternateSignatureAlgorithm ? 1 : 0);
}
else
{
CryptoRegistry.SetRegFallback(ConfigString, "CSP", "HashAlgorithm", getValueFromOid(hashingAlgorithm));
}
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
IsModified = false;
return(true);
}
void m_initialize(CertificateAuthority certificateAuthority)
{
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
if (CryptoRegistry.Ping(ComputerName))
{
ProviderIsCNG = (Int32)CryptoRegistry.GetRReg("ProviderType", $@"{Name}\CSP", ComputerName) == 0;
ProviderName = (String)CryptoRegistry.GetRReg("Provider", $@"{Name}\CSP", ComputerName);
publicKeyAlgorithm = ProviderIsCNG
? new Oid((String)CryptoRegistry.GetRReg("CNGPublicKeyAlgorithm", $@"{Name}\CSP", ComputerName))
: new Oid("1.2.840.113549.1.1.1"); // rsa
if (ProviderIsCNG)
{
// CNG
hashingAlgorithm = new Oid((String)CryptoRegistry.GetRReg("CNGHashAlgorithm", $@"{Name}\CSP", ComputerName));
try {
Int32 altName = (Int32)CryptoRegistry.GetRReg("AlternateSignatureAlgorithm", $@"{Name}\CSP", ComputerName);
alternateSignatureAlgorithm = altName != 0;
} catch {
alternateSignatureAlgorithm = false;
}
}
else
{
// legacy
Int32 algId = (Int32)CryptoRegistry.GetRReg("HashAlgorithm", $@"{Name}\CSP", ComputerName);
hashingAlgorithm = getOidFromValue(algId);
}
return;
}
ProviderIsCNG = (Int32)CryptoRegistry.GetRegFallback(ConfigString, "CSP", "ProviderType") == 0;
ProviderName = (String)CryptoRegistry.GetRegFallback(ConfigString, "CSP", "Provider");
publicKeyAlgorithm = ProviderIsCNG
? new Oid((String)CryptoRegistry.GetRegFallback(ConfigString, "CSP", "CNGPublicKeyAlgorithm"))
: new Oid("1.2.840.113549.1.1.1"); // rsa
if (ProviderIsCNG)
{
hashingAlgorithm = new Oid((String)CryptoRegistry.GetRegFallback(ConfigString, "CSP", "CNGHashAlgorithm"));
}
else
{
Int32 algId = (Int32)CryptoRegistry.GetRegFallback(ConfigString, "CSP", "HashAlgorithm");
hashingAlgorithm = getOidFromValue(algId);
}
if (ProviderIsCNG)
{
try {
alternateSignatureAlgorithm = (Int32)CryptoRegistry.GetRegFallback(ConfigString, "CSP", "AlternateSignatureAlgorithm") != 0;
} catch {
alternateSignatureAlgorithm = false;
}
}
}
void m_initialize(CertificateAuthority certificateAuthority)
{
List <Oid> Oids = new List <Oid>();
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
if (CryptoRegistry.Ping(ComputerName))
{
ActivePolicyModule = (String)CryptoRegistry.GetRReg("Active", $@"{Name}\PolicyModules", ComputerName);
String[] oidstrings = (String[])CryptoRegistry.GetRReg("EnableRequestExtensionList", $@"{Name}\PolicyModules\{ActivePolicyModule}", ComputerName);
Oids.AddRange(oidstrings.Select(item => new Oid(item)));
EnabledExtensionList = Oids.ToArray();
Oids.Clear();
oidstrings = (String[])CryptoRegistry.GetRReg("EnableEnrolleeRequestExtensionList", $@"{Name}\PolicyModules\{ActivePolicyModule}", ComputerName);
Oids.AddRange(oidstrings.Select(item => new Oid(item)));
OfflineExtensionList = Oids.ToArray();
Oids.Clear();
oidstrings = (String[])CryptoRegistry.GetRReg("DisableExtensionList", $@"{Name}\PolicyModules\{ActivePolicyModule}", ComputerName);
Oids.AddRange(oidstrings.Select(item => new Oid(item)));
DisabledExtensionList = Oids.ToArray();
Oids.Clear();
}
else
{
if (CertificateAuthority.Ping(ComputerName))
{
ActivePolicyModule = (String)CryptoRegistry.GetRReg("Active", $@"{Name}\PolicyModules", ComputerName);
String[] oidstrings = (String[])CryptoRegistry.GetRegFallback(ConfigString, $@"PolicyModules\{ActivePolicyModule}", "EnableRequestExtensionList");
Oids.AddRange(oidstrings.Select(item => new Oid(item)));
EnabledExtensionList = Oids.ToArray();
Oids.Clear();
oidstrings = (String[])CryptoRegistry.GetRegFallback(ConfigString, $@"PolicyModules\{ActivePolicyModule}", "EnableEnrolleeRequestExtensionList");
Oids.AddRange(oidstrings.Select(item => new Oid(item)));
OfflineExtensionList = Oids.ToArray();
Oids.Clear();
oidstrings = (String[])CryptoRegistry.GetRegFallback(ConfigString, $@"PolicyModules\{ActivePolicyModule}", "DisableExtensionList");
Oids.AddRange(oidstrings.Select(item => new Oid(item)));
DisabledExtensionList = Oids.ToArray();
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
}
/// <summary>
/// Updates CRL (Base and Delta CRL) setting.
/// </summary>
/// <param name="restart">
/// Indiciates whether to restart certificate services to immediately apply changes. Updated settings has no effect until
/// CA service is restarted.
/// </param>
/// <exception cref="UnauthorizedAccessException">
/// The caller do not have sufficient permissions to make changes in the CA configuration.
/// </exception>
/// <exception cref="ServerUnavailableException">
/// The target CA server could not be contacted via remote registry and RPC protocol.
/// </exception>
/// <returns>
/// <strong>True</strong> if configuration was changed. If an object was not modified since it was instantiated, configuration is not updated
/// and the method returns <strong>False</strong>.
/// </returns>
/// <remarks>The caller must have <strong>Administrator</strong> permissions on the target CA server.</remarks>
public Boolean SetInfo(Boolean restart)
{
if (!IsModified)
{
return(false);
}
if (CryptoRegistry.Ping(ComputerName))
{
// Base CRL
CryptoRegistry.SetRReg(BaseUnits, "CRLPeriodUnits", RegistryValueKind.DWord, Name, ComputerName);
CryptoRegistry.SetRReg(BasePeriod, "CRLPeriod", RegistryValueKind.String, Name, ComputerName);
// Base CRL overlap
CryptoRegistry.SetRReg(BaseOverlapUnits, "CRLOverlapUnits", RegistryValueKind.DWord, Name, ComputerName);
CryptoRegistry.SetRReg(BaseOverlap, "CRLOverlapPeriod", RegistryValueKind.String, Name, ComputerName);
// Delta CRL
CryptoRegistry.SetRReg(DeltaUnits, "CRLDeltaPeriodUnits", RegistryValueKind.DWord, Name, ComputerName);
CryptoRegistry.SetRReg(DeltaPeriod, "CRLDeltaPeriod", RegistryValueKind.String, Name, ComputerName);
// Delta CRL overlap
CryptoRegistry.SetRReg(DeltaOverlapUnits, "CRLDeltaOverlapUnits", RegistryValueKind.DWord, Name, ComputerName);
CryptoRegistry.SetRReg(DeltaOverlap, "CRLDeltaOverlapPeriod", RegistryValueKind.String, Name, ComputerName);
IsModified = false;
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
return(true);
}
if (CertificateAuthority.Ping(ComputerName))
{
// Base CRL
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLPeriodUnits", BaseUnits);
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLPeriod", BasePeriod);
// Base CRL overlap
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLOverlapUnits", BaseOverlapUnits);
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLOverlapPeriod", BaseOverlap);
// Delta CRL
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLDeltaPeriodUnits", DeltaUnits);
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLDeltaPeriod", DeltaPeriod);
// Delta CRL overlap
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLDeltaOverlapUnits", DeltaOverlapUnits);
CryptoRegistry.SetRegFallback(ConfigString, String.Empty, "CRLDeltaOverlapPeriod", DeltaOverlap);
IsModified = false;
if (restart)
{
CertificateAuthority.Restart(ComputerName);
}
return(true);
}
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add("Source", (OfflineSource)3);
throw e;
}
void getVersion()
{
if (RegistryOnline)
{
switch ((Int32)CryptoRegistry.GetRReg("Version", String.Empty, ComputerName))
{
case 0x00010001: Version = "2000"; break;
case 0x00020002: Version = "2003"; break;
case 0x00030001: Version = "2008"; break;
case 0x00040001: Version = "2008R2"; break;
case 0x00050001: Version = "2012"; break;
case 0x00060001: Version = "2012R2"; break;
// there are no functional changes between 2016 and 2019, so treat them both as 2016
case 0x00070001:
case 0x00080001: Version = "2016"; break;
}
SetupStatus = (SetupStatusEnum)CryptoRegistry.GetRReg("SetupStatus", String.Empty, ComputerName);
}
else
{
String ver = (String)_certRequest.GetCAProperty(ConfigString, CertAdmConstants.CrPropProductversion, 0, 4, 0);
String[] vers = ver.Split(new [] { ":" }, StringSplitOptions.RemoveEmptyEntries);
switch (vers[0])
{
case "5.0": Version = "2000"; break;
case "5.2": Version = "2003"; break;
case "6.0": Version = "2008"; break;
case "6.1": Version = "2008R2"; break;
case "6.2": Version = "2012"; break;
case "6.3": Version = "2012R2"; break;
default:
Version = vers[0].StartsWith("10.0")
? "2016"
: "Unknown";
break;
}
SetupStatus = SetupStatusEnum.Unknown;
}
}
/// <param name="computerName">
/// Specifies the computer name where Certificate Services are installed.
/// </param>
/// <param name="name">
/// Specifies the common name of the Certification Authority that is installed on the
/// computer specified in the <strong>computerName</strong> parameter.
/// </param>
/// <exception cref="ArgumentNullException">Either <strong>computerName</strong> or <strong>name</strong> parameter is null or empty.</exception>
/// <exception cref="ServerUnavailableException">The server could not be contacted via both methods: remote registry
/// and RPC/DCOM transport.</exception>
/// <remarks>
/// This constructor allows to connect to a CA server if it can be contacted at least via RPC/DCOM.
/// <para>The default behavior is to retrieve registry information via remote registry functions. If the connection is
/// unsuccessfull, the code falls back to RPC/DCOM connections (by using <strong>ICertAdmin2</strong> COM interface) to
/// get registry data.</para>
/// </remarks>
public CertificateAuthority(String computerName, String name)
{
if (String.IsNullOrEmpty(computerName))
{
throw new ArgumentNullException(nameof(computerName));
}
if (String.IsNullOrEmpty(name))
{
throw new ArgumentNullException(nameof(name));
}
RegistryOnline = CryptoRegistry.Ping(computerName);
IsAccessible = Ping(computerName);
lookInDs(computerName);
initializeFromConfigString(computerName, name);
}
internal String GetConfigEntry(String entry)
{
switch (entry)
{
case "CAServerName": return(ComputerName);
case "ServerShortName": return(ComputerName.Split('.')[0]);
case "CommonName": return(Name);
case "CATruncatedName": return(DsUtils.GetSanitizedName(Name));
case "ConfigurationContainer": return((String)CryptoRegistry.GetRReg("DSConfigDN", Name, ComputerName));
default: return(String.Empty);
}
}
void m_initialize(CertificateAuthority certificateAuthority)
{
Name = certificateAuthority.Name;
DisplayName = certificateAuthority.DisplayName;
ComputerName = certificateAuthority.ComputerName;
ConfigString = certificateAuthority.ConfigString;
if (CryptoRegistry.Ping(ComputerName))
{
// Base CRL
BaseUnits = (Int32)CryptoRegistry.GetRReg("CRLPeriodUnits", Name, ComputerName);
BasePeriod = (String)CryptoRegistry.GetRReg("CRLPeriod", Name, ComputerName);
// Base CRL overlap
BaseOverlapUnits = (Int32)CryptoRegistry.GetRReg("CRLOverlapUnits", Name, ComputerName);
BaseOverlap = (String)CryptoRegistry.GetRReg("CRLOverlapPeriod", Name, ComputerName);
// Delta CRL
DeltaUnits = (Int32)CryptoRegistry.GetRReg("CRLDeltaPeriodUnits", Name, ComputerName);
DeltaPeriod = (String)CryptoRegistry.GetRReg("CRLDeltaPeriod", Name, ComputerName);
// Delta CRL overlap
DeltaOverlapUnits = (Int32)CryptoRegistry.GetRReg("CRLDeltaOverlapUnits", Name, ComputerName);
DeltaOverlap = (String)CryptoRegistry.GetRReg("CRLDeltaOverlapPeriod", Name, ComputerName);
}
else
{
if (certificateAuthority.Ping())
{
// Base CRL
BaseUnits = (Int32)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLPeriodUnits");
BasePeriod = (String)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLPeriod");
// Base CRL overlap
BaseOverlapUnits = (Int32)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLOverlapUnits");
BaseOverlap = (String)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLOverlapPeriod");
// Delta CRL
DeltaUnits = (Int32)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLDeltaPeriodUnits");
DeltaPeriod = (String)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLDeltaPeriod");
// Delta CRL overlap
DeltaOverlapUnits = (Int32)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLDeltaOverlapUnits");
DeltaOverlap = (String)CryptoRegistry.GetRegFallback(ConfigString, String.Empty, "CRLDeltaOverlapPeriod");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(DisplayName);
e.Data.Add("Source", (OfflineSource)3);
throw e;
}
}
}
void getVersion()
{
if (RegistryOnline)
{
switch ((Int32)CryptoRegistry.GetRReg("Version", String.Empty, ComputerName))
{
case 0x00010001: Version = "2000"; break;
case 0x00020002: Version = "2003"; break;
case 0x00030001: Version = "2008"; break;
case 0x00040001: Version = "2008R2"; break;
case 0x00050001: Version = "2012"; break;
case 0x00060001: Version = "2012R2"; break;
case 0x00070001: Version = "2016"; break;
}
SetupStatus = (SetupStatusEnum)CryptoRegistry.GetRReg("SetupStatus", String.Empty, ComputerName);
}
else
{
String ver = (String)CertAdmin.GetCAProperty(ConfigString, CertAdmConst.CrPropProductversion, 0, 4, 0);
String[] vers = ver.Split(new [] { ":" }, StringSplitOptions.RemoveEmptyEntries);
switch (vers[0])
{
case "5.0": Version = "2000"; break;
case "5.2": Version = "2003"; break;
case "6.0": Version = "2008"; break;
case "6.1": Version = "2008R2"; break;
case "6.2": Version = "2012"; break;
case "6.3": Version = "2012R2"; break;
}
SetupStatus = SetupStatusEnum.Unknown;
}
}
void getConfig(String computerName, String configString = "")
{
if (RegistryOnline)
{
Active = (String)CryptoRegistry.GetRReg("Active", "", computerName);
ComputerName = (String)CryptoRegistry.GetRReg("CAServerName", Active, computerName);
Name = (String)CryptoRegistry.GetRReg("CommonName", Active, computerName);
}
else
{
if (!String.IsNullOrEmpty(configString) && IsAccessible)
{
ComputerName = (String)CryptoRegistry.GetRegFallback(configString, String.Empty, "CAServerName");
Name = (String)CryptoRegistry.GetRegFallback(configString, String.Empty, "CommonName");
}
else
{
ServerUnavailableException e = new ServerUnavailableException(computerName);
e.Data.Add(nameof(e.Source), (OfflineSource)3);
throw e;
}
}
ConfigString = ComputerName + "\\" + Name;
}
/// <summary>
/// Gets autoenrollment state and settings.
/// </summary>
/// <param name="userContext">Specifies whether to retrieve autoenrollment for user or machine context.</param>
/// <returns>Autoenrollment state and settings. TODO</returns>
public static Int32 GetAutoenrollmentState(Boolean userContext)
{
return((Int32)CryptoRegistry.GetLKey("Autoenrollment", userContext));
}
