private CreatePrivateCertificateResult ProcessCertificateAuthoritySuccessResponse(ICertificateRequestPublicPrivateKeyPair model, CertificateAuthorityRequestResponse response, CertificateSubject subject, ClaimsPrincipal user) { string nonce = secrets.NewSecretBase64(16); string password = secrets.NewSecret(64); X509Certificate2 cert = certificateProvider.InstallIssuedCertificate(response.IssuedCertificate); SetPrivateKeyFileSystemAccess(model, cert, user); byte[] certContent = cert.Export(X509ContentType.Pfx, password); CreatePrivateCertificateResult result = new CreatePrivateCertificateResult() { Password = password, Pfx = Convert.ToBase64String(certContent), Status = PrivateCertificateRequestStatus.Success, Thumbprint = cert.Thumbprint, Id = Guid.NewGuid(), }; List <AccessControlEntry> defaultAcl = authorizationLogic.GetDefaultCertificateAcl(user); Certificate storedCert = new Certificate() { Id = result.Id, Thumbprint = cert.Thumbprint, PfxPassword = cipher.Encrypt(password, nonce), WindowsApi = model.Provider, Content = certContent, CertificateStorageFormat = CertificateStorageFormat.Pfx, HashAlgorithm = model.HashAlgorithm, CipherAlgorithm = model.CipherAlgorithm, DisplayName = model.SubjectCommonName, HasPrivateKey = true, ValidTo = cert.NotAfter, ValidFrom = cert.NotBefore, KeySize = model.KeySize, KeyUsage = dataTransformation.ParseKeyUsage(model.KeyUsage), Subject = subject, Acl = defaultAcl, PasswordNonce = nonce, ContentDigest = hashProvider.ComputeHash(certContent) }; certificateRepository.Insert(storedCert); return(result); }
public void ResetCertificatePassword(Guid id, ClaimsPrincipal user) { Certificate cert = certificateRepository.Get <Certificate>(id); if (!authorizationLogic.CanViewPrivateKey(cert, user)) { audit.LogSecurityAuditFailure(user, cert, EventCategory.CertificatePasswordReset); throw new UnauthorizedAccessException(); } if (!hashProvider.ValidateData(cert.Content, cert.ContentDigest)) { throw new InvalidOperationException("Certificate data is corrupt"); } if (!cert.HasPrivateKey || cert.CertificateStorageFormat != CertificateStorageFormat.Pfx) { throw new ObjectNotInCorrectStateException("Certificate does not have a private key"); } audit.LogSecurityAuditSuccess(user, cert, EventCategory.CertificatePasswordReset); byte[] certBytes = cert.Content; X509Certificate2 x509 = new X509Certificate2(); x509.Import(certBytes, cipher.Decrypt(cert.PfxPassword, cert.PasswordNonce), X509KeyStorageFlags.Exportable); string nonce = keygen.NewSecretBase64(16); string password = keygen.NewSecret(64); byte[] newBytes = x509.Export(X509ContentType.Pfx, password); cert.ContentDigest = hashProvider.ComputeHash(newBytes); cert.Content = newBytes; cert.PfxPassword = cipher.Encrypt(password, nonce); cert.PasswordNonce = nonce; certificateRepository.Update <Certificate>(cert); }