private CreatePrivateCertificateResult ProcessCertificateAuthoritySuccessResponse(ICertificateRequestPublicPrivateKeyPair model, CertificateAuthorityRequestResponse response, CertificateSubject subject, ClaimsPrincipal user)
{
string nonce = secrets.NewSecretBase64(16);
string password = secrets.NewSecret(64);
X509Certificate2 cert = certificateProvider.InstallIssuedCertificate(response.IssuedCertificate);
SetPrivateKeyFileSystemAccess(model, cert, user);
byte[] certContent = cert.Export(X509ContentType.Pfx, password);
CreatePrivateCertificateResult result = new CreatePrivateCertificateResult()
{
Password = password,
Pfx = Convert.ToBase64String(certContent),
Status = PrivateCertificateRequestStatus.Success,
Thumbprint = cert.Thumbprint,
Id = Guid.NewGuid(),
};
List <AccessControlEntry> defaultAcl = authorizationLogic.GetDefaultCertificateAcl(user);
Certificate storedCert = new Certificate()
{
Id = result.Id,
Thumbprint = cert.Thumbprint,
PfxPassword = cipher.Encrypt(password, nonce),
WindowsApi = model.Provider,
Content = certContent,
CertificateStorageFormat = CertificateStorageFormat.Pfx,
HashAlgorithm = model.HashAlgorithm,
CipherAlgorithm = model.CipherAlgorithm,
DisplayName = model.SubjectCommonName,
HasPrivateKey = true,
ValidTo = cert.NotAfter,
ValidFrom = cert.NotBefore,
KeySize = model.KeySize,
KeyUsage = dataTransformation.ParseKeyUsage(model.KeyUsage),
Subject = subject,
Acl = defaultAcl,
PasswordNonce = nonce,
ContentDigest = hashProvider.ComputeHash(certContent)
};
certificateRepository.Insert(storedCert);
return(result);
}
public void ResetCertificatePassword(Guid id, ClaimsPrincipal user)
{
Certificate cert = certificateRepository.Get <Certificate>(id);
if (!authorizationLogic.CanViewPrivateKey(cert, user))
{
audit.LogSecurityAuditFailure(user, cert, EventCategory.CertificatePasswordReset);
throw new UnauthorizedAccessException();
}
if (!hashProvider.ValidateData(cert.Content, cert.ContentDigest))
{
throw new InvalidOperationException("Certificate data is corrupt");
}
if (!cert.HasPrivateKey || cert.CertificateStorageFormat != CertificateStorageFormat.Pfx)
{
throw new ObjectNotInCorrectStateException("Certificate does not have a private key");
}
audit.LogSecurityAuditSuccess(user, cert, EventCategory.CertificatePasswordReset);
byte[] certBytes = cert.Content;
X509Certificate2 x509 = new X509Certificate2();
x509.Import(certBytes, cipher.Decrypt(cert.PfxPassword, cert.PasswordNonce), X509KeyStorageFlags.Exportable);
string nonce = keygen.NewSecretBase64(16);
string password = keygen.NewSecret(64);
byte[] newBytes = x509.Export(X509ContentType.Pfx, password);
cert.ContentDigest = hashProvider.ComputeHash(newBytes);
cert.Content = newBytes;
cert.PfxPassword = cipher.Encrypt(password, nonce);
cert.PasswordNonce = nonce;
certificateRepository.Update <Certificate>(cert);
}