ab#76170

Author: leefine02

RemoteFile/InventoryBase.cs

@@ -8,15 +8,18 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Security.Cryptography.X509Certificates;
 
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Logging;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
+using Keyfactor.PKI.Extensions;
 
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
+using Org.BouncyCastle.Pkcs;
+using System.Security.Cryptography.X509Certificates;
+using Keyfactor.PKI.X509;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -41,29 +44,29 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                 certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
                 certificateStore.LoadCertificateStore(certificateStoreSerializer, true);
 
-                List<X509Certificate2Collection> collections = certificateStore.GetCertificateChains();
+                List<X509CertificateEntryCollection> collection = certificateStore.GetCertificateChains();
 
                 logger.LogDebug($"Format returned certificates BEGIN");
-                foreach (X509Certificate2Collection collection in collections)
+                foreach (X509CertificateEntryCollection entry in collection)
                 {
-                    if (collection.Count == 0)
+                    if (entry.CertificateChain?.Count > 1)
                         continue;
 
-                    X509Certificate2Ext issuedCertificate = (X509Certificate2Ext)collection[0];
+                    X509CertificateEntry issuedCertificate = entry.CertificateChain[0];
 
                     List<string> certChain = new List<string>();
-                    foreach (X509Certificate2 certificate in collection)
+                    foreach (X509CertificateEntry certificateEntry in entry.CertificateChain)
                     {
-                        certChain.Add(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
-                        logger.LogDebug(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
+                        CertificateConverter converter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateEntry.Certificate);
+                        certChain.Add(converter.ToPEM(false));
                     }
-
+                    
                     inventoryItems.Add(new CurrentInventoryItem()
                     {
                         ItemStatus = OrchestratorInventoryItemStatus.Unknown,
-                        Alias = string.IsNullOrEmpty(issuedCertificate.FriendlyNameExt) ? issuedCertificate.Thumbprint : issuedCertificate.FriendlyNameExt,
-                        PrivateKeyEntry = issuedCertificate.HasPrivateKey,
-                        UseChainLevel = collection.Count > 1,
+                        Alias = string.IsNullOrEmpty(entry.Alias) ? BouncyCastleX509Extensions.Thumbprint(issuedCertificate.Certificate) : entry.Alias,
+                        PrivateKeyEntry = entry.HasPrivateKey,
+                        UseChainLevel = entry.CertificateChain.Count > 1,
                         Certificates = certChain.ToArray()
                     });
                 }

RemoteFile/ManagementBase.cs

@@ -6,16 +6,19 @@
 // and limitations under the License.
 
 using System;
-using System.Collections.Generic;
-using System.Security.Cryptography.X509Certificates;
 
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
+using Keyfactor.PKI.Extensions;
+
+using Org.BouncyCastle.X509;
 
 using Microsoft.Extensions.Logging;
 
 using Newtonsoft.Json;
+using Org.BouncyCastle.Pkcs;
+using System.IO;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -28,7 +31,7 @@ public abstract class ManagementBase : RemoteFileJobTypeBase, IManagementJobExte
         public JobResult ProcessJob(ManagementJobConfiguration config)
         {
             ILogger logger = LogHandler.GetClassLogger(this.GetType());
-
+            
             ICertificateStoreSerializer certificateStoreSerializer = GetCertificateStoreSerializer(config.CertificateStoreDetails.Properties);
 
             try
@@ -52,7 +55,17 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                 throw new RemoteFileException($"Certificate store {config.CertificateStoreDetails.StorePath} does not exist on server {config.CertificateStoreDetails.ClientMachine}.");
                         }
                         certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
-                        certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, RemoveRootCertificate);
+
+                        using (MemoryStream ms = new MemoryStream(Convert.FromBase64String(config.JobCertificate.Contents)))
+                        {
+                            Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
+                            Pkcs12Store store = storeBuilder.Build();
+
+                            store.Load(ms, config.JobCertificate.PrivateKeyPassword.ToCharArray());
+
+                            store.Aliases[0]
+                        }
+                        certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate(), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, RemoveRootCertificate);
                         certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
 
                         logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");

RemoteFile/Models/SerializedStoreInfo.cs

@@ -5,8 +5,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System.Security.Cryptography.X509Certificates;
-
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.Models
 {
     internal class SerializedStoreInfo

RemoteFile/Models/X509Certificate2Ext.cs renamed to RemoteFile/Models/X509CertificateEntryCollection.cs

@@ -1,20 +1,21 @@
-// Copyright 2021 Keyfactor
+// Copyright 2021 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System.Security.Cryptography.X509Certificates;
+using Org.BouncyCastle.Pkcs;
+using System.Collections.Generic;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.Models
 {
-    class X509Certificate2Ext : X509Certificate2
+    internal class X509CertificateEntryCollection
     {
-        public string FriendlyNameExt { get; set; }
+        public string Alias { get; set; }
 
-        public new bool HasPrivateKey { get; set; }
+        public bool HasPrivateKey { get; set; }
 
-        public X509Certificate2Ext(byte[] bytes): base(bytes) { }
+        public List<X509CertificateEntry> CertificateChain { get; set; }
     }
-}
+}

RemoteFile/ReenrollmentBase.cs

@@ -7,18 +7,13 @@
 
 using System;
 using System.Collections.Generic;
-using System.Security.Cryptography.X509Certificates;
 
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
-using Keyfactor.PKI.PEM;
 
 using Microsoft.Extensions.Logging;
 
-using Newtonsoft.Json;
-using System.Security.Cryptography;
-
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
     public abstract class ReenrollmentBase : RemoteFileJobTypeBase
@@ -46,74 +41,74 @@ public JobResult ProcessJobToDo(ReenrollmentJobConfiguration config, SubmitReenr
         {
             ILogger logger = LogHandler.GetClassLogger(this.GetType());
 
-            ICertificateStoreSerializer certificateStoreSerializer = GetCertificateStoreSerializer(config.CertificateStoreDetails.Properties);
-
-            try
-            {
-                SetJobProperties(config, config.CertificateStoreDetails, logger);
-
-                string alias = "abcd";
-                string sans = "reenroll2.Keyfactor.com&reenroll1.keyfactor.com&reenroll3.Keyfactor.com";
-                bool overwrite = true;
-
-                // validate parameters
-                string KeyTypes = string.Join(",", Enum.GetNames(typeof(SupportedKeyTypeEnum)));
-                if (!Enum.TryParse(KeyType.ToUpper(), out SupportedKeyTypeEnum KeyTypeEnum))
-                {
-                    throw new RemoteFileException($"Unsupported KeyType value {KeyType}.  Supported types are {KeyTypes}.");
-                }
-
-                ApplicationSettings.FileTransferProtocolEnum fileTransferProtocol = ApplicationSettings.FileTransferProtocol;
-
-                certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, fileTransferProtocol, SSHPort, IncludePortInSPN);
-                certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
-
-                PathFile storePathFile = RemoteCertificateStore.SplitStorePathFile(config.CertificateStoreDetails.StorePath);
-
-                if (!certificateStore.DoesStoreExist())
-                {
-                    throw new RemoteFileException($"Certificate store {config.CertificateStoreDetails.StorePath} does not exist on server {config.CertificateStoreDetails.ClientMachine}.");
-                }
-
-                // generate CSR and call back to enroll certificate
-                string csr = string.Empty;
-                string pemPrivateKey = string.Empty;
-                if (CreateCSROnDevice)
-                {
-                    csr = certificateStore.GenerateCSROnDevice(SubjectText, KeyTypeEnum, KeySize, new List<string>(sans.Split('&', StringSplitOptions.RemoveEmptyEntries)), out pemPrivateKey);
-                }
-                else
-                {
-                    csr = certificateStore.GenerateCSR(SubjectText, KeyTypeEnum, KeySize, new List<string>(sans.Split('&', StringSplitOptions.RemoveEmptyEntries)));
-                }
-
-                X509Certificate2 cert = submitReenrollment.Invoke(csr);
-                if (cert == null || String.IsNullOrEmpty(pemPrivateKey))
-                    throw new RemoteFileException("Enrollment of CSR failed.  Please check Keyfactor Command logs for more information on potential enrollment errors.");
-
-                AsymmetricAlgorithm alg = KeyTypeEnum == SupportedKeyTypeEnum.RSA ? RSA.Create() : ECDsa.Create();
-                alg.ImportEncryptedPkcs8PrivateKey(string.Empty, Keyfactor.PKI.PEM.PemUtilities.PEMToDER(pemPrivateKey), out _);
-                cert = KeyTypeEnum == SupportedKeyTypeEnum.RSA ? cert.CopyWithPrivateKey((RSA)alg) : cert.CopyWithPrivateKey((ECDsa)alg);
-
-                // save certificate
-                certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
-                certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null, RemoveRootCertificate);
-                certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
-
-                logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
-            }
-
-            catch (Exception ex)
-            {
-                string errorMessage = $"Exception for {config.Capability}: {RemoteFileException.FlattenExceptionMessages(ex, string.Empty)} for job id {config.JobId}";
-                logger.LogError(errorMessage);
-                return new JobResult() { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {errorMessage}" };
-            }
-            finally
-            {
-                if (certificateStore.RemoteHandler != null)
-                    certificateStore.Terminate();
-            }
+            //ICertificateStoreSerializer certificateStoreSerializer = GetCertificateStoreSerializer(config.CertificateStoreDetails.Properties);
+
+            //try
+            //{
+            //    SetJobProperties(config, config.CertificateStoreDetails, logger);
+
+            //    string alias = "abcd";
+            //    string sans = "reenroll2.Keyfactor.com&reenroll1.keyfactor.com&reenroll3.Keyfactor.com";
+            //    bool overwrite = true;
+
+            //    // validate parameters
+            //    string KeyTypes = string.Join(",", Enum.GetNames(typeof(SupportedKeyTypeEnum)));
+            //    if (!Enum.TryParse(KeyType.ToUpper(), out SupportedKeyTypeEnum KeyTypeEnum))
+            //    {
+            //        throw new RemoteFileException($"Unsupported KeyType value {KeyType}.  Supported types are {KeyTypes}.");
+            //    }
+
+            //    ApplicationSettings.FileTransferProtocolEnum fileTransferProtocol = ApplicationSettings.FileTransferProtocol;
+
+            //    certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, fileTransferProtocol, SSHPort, IncludePortInSPN);
+            //    certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
+
+            //    PathFile storePathFile = RemoteCertificateStore.SplitStorePathFile(config.CertificateStoreDetails.StorePath);
+
+            //    if (!certificateStore.DoesStoreExist())
+            //    {
+            //        throw new RemoteFileException($"Certificate store {config.CertificateStoreDetails.StorePath} does not exist on server {config.CertificateStoreDetails.ClientMachine}.");
+            //    }
+
+            //    // generate CSR and call back to enroll certificate
+            //    string csr = string.Empty;
+            //    string pemPrivateKey = string.Empty;
+            //    if (CreateCSROnDevice)
+            //    {
+            //        csr = certificateStore.GenerateCSROnDevice(SubjectText, KeyTypeEnum, KeySize, new List<string>(sans.Split('&', StringSplitOptions.RemoveEmptyEntries)), out pemPrivateKey);
+            //    }
+            //    else
+            //    {
+            //        csr = certificateStore.GenerateCSR(SubjectText, KeyTypeEnum, KeySize, new List<string>(sans.Split('&', StringSplitOptions.RemoveEmptyEntries)));
+            //    }
+
+            //    X509Certificate2 cert = submitReenrollment.Invoke(csr);
+            //    if (cert == null || String.IsNullOrEmpty(pemPrivateKey))
+            //        throw new RemoteFileException("Enrollment of CSR failed.  Please check Keyfactor Command logs for more information on potential enrollment errors.");
+
+            //    AsymmetricAlgorithm alg = KeyTypeEnum == SupportedKeyTypeEnum.RSA ? RSA.Create() : ECDsa.Create();
+            //    alg.ImportEncryptedPkcs8PrivateKey(string.Empty, Keyfactor.PKI.PEM.PemUtilities.PEMToDER(pemPrivateKey), out _);
+            //    cert = KeyTypeEnum == SupportedKeyTypeEnum.RSA ? cert.CopyWithPrivateKey((RSA)alg) : cert.CopyWithPrivateKey((ECDsa)alg);
+
+            //    // save certificate
+            //    certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
+            //    certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null, RemoveRootCertificate);
+            //    certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+
+            //    logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
+            //}
+
+            //catch (Exception ex)
+            //{
+            //    string errorMessage = $"Exception for {config.Capability}: {RemoteFileException.FlattenExceptionMessages(ex, string.Empty)} for job id {config.JobId}";
+            //    logger.LogError(errorMessage);
+            //    return new JobResult() { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {errorMessage}" };
+            //}
+            //finally
+            //{
+            //    if (certificateStore.RemoteHandler != null)
+            //        certificateStore.Terminate();
+            //}
 
             logger.LogDebug($"...End {config.Capability} job for job id {config.JobId}");
             return new JobResult() { Result = OrchestratorJobStatusJobResult.Success, JobHistoryId = config.JobHistoryId };