/// <summary>
/// Save specified certificate to backup
/// </summary>
/// <param name="certDto">Certificate</param>
/// <returns></returns>
public bool SaveCertificateToBackupDisc(CertificateDto certDto)
{
if (!IsUserAccessGranted(WindowsIdentity.GetCurrent().Name))
{
Audit.WriteEvent("User '" + WindowsIdentity.GetCurrent().Name + "' had denied access for method SaveCertificateToBackupDisc", EventLogEntryType.FailureAudit);
}
X509Certificate2 certificate = certDto.GetCert();
activeCertificates.Add(certificate);
CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, certificate, certificate.SubjectName.Name);
string logMessage = "Certificate with subject name '" + certificate.SubjectName.Name + "' is saved on backup server.'";
Audit.WriteEvent(logMessage, EventLogEntryType.Information);
return true;
}
/// <summary>
/// This method is used for integrity update.
/// Integrity update implies data copy from hot to backup server.
/// </summary>
/// <param name="param">Data from hot server</param>
/// <returns></returns>
public bool SetModel(CAModelDto param)
{
bool retVal = true;
// Copy and install valid CA certificate to backup server
if (File.Exists(PFX_PATH))
{
System.IO.File.Delete(PFX_PATH);
}
CertificateHandler.ReplaceCACertificateInStore(caCertificate, param.CaCertificate.GetCert());
caCertificate = param.CaCertificate.GetCert();
caPrivateKey = DotNetUtilities.GetKeyPair(caCertificate.PrivateKey).Private;
CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, caCertificate, caCertificate.SubjectName.Name);
// Export and install active client certificates on backup server
activeCertificates.Clear();
foreach(var cerDto in param.ActiveCertificates)
{
X509Certificate2 cert = cerDto.GetCert();
activeCertificates.Add(cert);
CertificateHandler.ExportToFileSystem(X509ContentType.Pfx, cert, cert.SubjectName.Name);
string fileName = cert.SubjectName.Name.Contains("=") ? cert.SubjectName.Name.Split('=')[1] : cert.SubjectName.Name;
if (!File.Exists(CERT_FOLDER_PATH + cert.SubjectName.Name + fileName + ".pfx"))
{
CertificateHandler.AddCertificateToStore(cert, StoreName.TrustedPeople, StoreLocation.LocalMachine);
}
}
// Set active revocation list on backup server
revocationList.Clear();
foreach (var cerDto in param.RevocationList)
{
X509Certificate2 cert = cerDto.GetCert();
revocationList.Add(cert);
}
clientDict.Clear();
foreach (var pair in param.ClientDict)
{
clientDict.Add(pair.Key, pair.Value);
}
return retVal;
}
/// <summary>
/// Prepare certification authority service for use.
/// Load information about CA.
/// </summary>
private void PrepareCAService()
{
bool isPfxCreated = true;
bool isCertFound = false;
X509Certificate2Collection collection = new X509Certificate2Collection();
if(!IsUserAccessGranted(WindowsIdentity.GetCurrent().Name))
{
Audit.WriteEvent("Access to SecurityStore is denied to user '" + WindowsIdentity.GetCurrent().Name + "' based on ACL content.", EventLogEntryType.Warning);
return;
}
try
{
// Try to import pfx file for the CA(Certification authority)
collection.Import(PFX_PATH, PFX_PASSWORD, X509KeyStorageFlags.Exportable);
}
catch
{
isPfxCreated = false;
}
if(isPfxCreated)
{
foreach (X509Certificate2 cert in collection)
{
if (cert.SubjectName.Name.Equals(CA_SUBJECT_NAME))
{
isCertFound = true;
caCertificate = cert;
caPrivateKey = DotNetUtilities.GetKeyPair(cert.PrivateKey).Private;
break;
}
}
}
if (!isCertFound)
{
// if PFX for the CA isn't created generate certificate and PFX for the CA
caCertificate = CertificateHandler.GenerateCACertificate(CA_SUBJECT_NAME, ref caPrivateKey);
}
Audit.WriteEvent("Certificate for the CA is successfully loaded.", EventLogEntryType.Information);
}
/// <summary>
/// Generate new certificate with specified subject name.
/// If certificate with given subject name already exist this action is forbiden.
/// </summary>
/// <param name="subject">Subject name</param>
/// <param name="address">Host address of client</param>
/// <returns></returns>
public CertificateDto GenerateCertificate(string subject, string address)
{
if(!IsUserAccessGranted(WindowsIdentity.GetCurrent().Name))
{
Audit.WriteEvent("User '" + WindowsIdentity.GetCurrent().Name + "' had denied access for method GenerateCertificate", EventLogEntryType.FailureAudit);
}
CertificateDto retVal = null;
X509Certificate2 newCertificate = null;
string logMessage = String.Empty;
newCertificate = IsCertificatePublished(subject);
if (newCertificate == null)
{
newCertificate = CertificateHandler.GenerateAuthorizeSignedCertificate(subject, "CN=" + CA_SUBJECT_NAME, caPrivateKey);
if (newCertificate != null)
{
activeCertificates.Add(newCertificate);
clientDict.Add(subject, address);
logMessage = "Certificate with subject name '" + subject + "' is issued by '" + CA_SUBJECT_NAME + "'";
Audit.WriteEvent(logMessage, EventLogEntryType.Information);
}
else
{
logMessage = "Generation of certificate with subject name '" + subject + "' failed.";
Audit.WriteEvent(logMessage, EventLogEntryType.Warning);
}
}
else
{
logMessage = "Certificate with subject name '" + subject + "' is already published";
Audit.WriteEvent(logMessage, EventLogEntryType.Warning);
}
retVal = new CertificateDto(newCertificate);
return retVal;
}
