ab#76170

Author: leefine02

RemoteFile/ImplementedStoreTypes/DER/DERCertificateStoreSerializer.cs

@@ -5,24 +5,22 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-
-using Newtonsoft.Json;
-
+using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
+using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
 using Keyfactor.Logging;
+using Keyfactor.PKI.CryptographicObjects.Formatters;
 using Keyfactor.PKI.PrivateKeys;
 using Keyfactor.PKI.X509;
-using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
-using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
-
 using Microsoft.Extensions.Logging;
-
+using Newtonsoft.Json;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Pkcs;
+using Org.BouncyCastle.Tls;
 using Org.BouncyCastle.X509;
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.DER
 {
@@ -94,8 +92,7 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                         throw new RemoteFileException($"DER certificate store has a private key at {SeparatePrivateKeyFilePath}, but no private key was passed with the certificate to this job.");
                 }
 
-                CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateStore.GetCertificate(alias).Certificate);
-                certificateBytes = certConverter.ToDER(string.IsNullOrEmpty(storePassword) ? string.Empty : storePassword);
+                certificateBytes = CryptographicObjectFormatter.DER.Format(certificateStore.GetCertificate(alias).Certificate);
 
                 if (!string.IsNullOrEmpty(SeparatePrivateKeyFilePath))
                 {

RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs

@@ -12,6 +12,7 @@
 using Keyfactor.PKI.Extensions;
 using Keyfactor.PKI.PEM;
 using Keyfactor.PKI.PrivateKeys;
+using Keyfactor.PKI.X509;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 using Org.BouncyCastle.Asn1.X9;
@@ -23,10 +24,12 @@
 using Org.BouncyCastle.X509;
 using System;
 using System.Collections.Generic;
+using System.DirectoryServices.Protocols;
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
+using static Keyfactor.PKI.PEM.PemUtilities;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.PEM
 {
@@ -50,7 +53,7 @@ private enum PrivateKeyTypeEnum
 
         private ILogger logger;
 
-        public PEMCertificateStoreSerializer(string storeProperties) 
+        public PEMCertificateStoreSerializer(string storeProperties)
         {
             logger = LogHandler.GetClassLogger(this.GetType());
             LoadCustomProperties(storeProperties);
@@ -59,7 +62,7 @@ public PEMCertificateStoreSerializer(string storeProperties)
         public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, string storePath, string storePassword, IRemoteHandler remoteHandler, bool isInventory)
         {
             logger.MethodEntry(LogLevel.Debug);
-           
+
             Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
             Pkcs12Store store = storeBuilder.Build();
 
@@ -68,7 +71,7 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
 
             if (IsTrustStore || (isInventory && IgnorePrivateKeyOnInventory))
             {
-                foreach(X509CertificateEntry certificate in certificates)
+                foreach (X509CertificateEntry certificate in certificates)
                 {
                     store.SetCertificateEntry(certificate.Certificate.Thumbprint(), certificate);
                 }
@@ -122,7 +125,7 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
 
                 if (!string.IsNullOrEmpty(storePassword) && privateKeyType != PrivateKeyTypeEnum.PKCS8)
                     throw new RemoteFileException("Error retrieving private key.  Certificate store password cannot have a non empty value if the private key is in PKCS#1 format (BEGIN [RSA|EC] PRIVATE KEY)");
-        
+
                 bool keyEntryProcessed = false;
                 foreach (string alias in certificateStore.Aliases)
                 {
@@ -140,10 +143,27 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                     AsymmetricKeyParameter privateKey = certificateStore.GetKey(alias).Key;
                     PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCPrivateKeyAndCert(privateKey, endCertificate);
 
-                    keyString = CryptographicObjectFormatter.PEM.Format(keyConverter, storePassword);
-                    pemString = string.IsNullOrEmpty(SeparatePrivateKeyFilePath)
-                        ? CryptographicObjectFormatter.PEM.Format(endCertificate, keyConverter, storePassword, false)
-                        : CryptographicObjectFormatter.PEM.Format(endCertificate, false);
+                    pemString = CryptographicObjectFormatter.PEM.Format(endCertificate, false);
+
+                    if (privateKeyType == PrivateKeyTypeEnum.PKCS8)
+                    {
+                        if (string.IsNullOrEmpty(storePassword))
+                            keyString = PemUtilities.DERToPEM(keyConverter.ToPkcs8BlobUnencrypted(), PemObjectType.PrivateKey);
+                        else
+                            keyString = CryptographicObjectFormatter.PEM.Format(keyConverter, storePassword);
+                    }
+                    else
+                    {
+                        TextWriter textWriter = new StringWriter();
+                        PemWriter pemWriter = new PemWriter(textWriter);
+                        pemWriter.WriteObject(privateKey);
+                        pemWriter.Writer.Flush();
+
+                        keyString = textWriter.ToString();
+                    }
+
+                    if (string.IsNullOrEmpty(SeparatePrivateKeyFilePath))
+                        pemString += keyString;
 
                     if (!IncludesChain)
                     {
@@ -180,7 +200,7 @@ private void LoadCustomProperties(string storeProperties)
             IncludesChain = properties.IncludesChain == null || string.IsNullOrEmpty(properties.IncludesChain.Value) ? false : bool.Parse(properties.IncludesChain.Value);
             SeparatePrivateKeyFilePath = properties.SeparatePrivateKeyFilePath == null || string.IsNullOrEmpty(properties.SeparatePrivateKeyFilePath.Value) ? String.Empty : properties.SeparatePrivateKeyFilePath.Value;
             IgnorePrivateKeyOnInventory = properties.IgnorePrivateKeyOnInventory == null || string.IsNullOrEmpty(properties.IgnorePrivateKeyOnInventory.Value) ? false : bool.Parse(properties.IgnorePrivateKeyOnInventory.Value);
-            
+
             logger.LogDebug("Custom Properties have been loaded:");
             logger.LogDebug($"IsTrustStore: {IsTrustStore}, IncludesChain: {IncludesChain}, SeparatePrivateKeyFilePath: {SeparatePrivateKeyFilePath}, IgnorePrivateKeyOnInventory: {IgnorePrivateKeyOnInventory}");
 
@@ -195,7 +215,7 @@ private X509CertificateEntry[] GetCertificates(string certificates)
 
             try
             {
-                IEnumerable<string> pemCertificates = PemUtilities.SplitCollection(certificates);
+                IEnumerable<string> pemCertificates = PemUtilities.SplitCollection(RemovePrivateKey(certificates));
                 certificateEntries.AddRange(pemCertificates.Select(cert =>
                     new X509CertificateEntry(new X509Certificate(CryptographicObjectFormatter.DER.Format(cert))))
                 );
@@ -262,7 +282,7 @@ private AsymmetricKeyEntry GetPrivateKey(string storeContents, string storePassw
 
             logger.MethodExit(LogLevel.Debug);
 
-            return keyEntry; 
+            return keyEntry;
         }
 
         private PrivateKeyTypeEnum GetPrivateKeyType(string storeContents, out string privateKeyBegDelim)
@@ -325,5 +345,29 @@ private AsymmetricKeyParameter ToBCPrivateKey(ECDiffieHellman ecdh)
                 throw new RemoteFileException("Error converting to BouncyCastle private key - Invalid parameter.");
             }
         }
+
+        private string RemovePrivateKey(string pemString)
+        {
+            List<string> delimiters = new List<string>();
+
+            foreach (string delim in PrivateKeyDelimetersPkcs8)
+                delimiters.Add(delim);
+            foreach (string delim in PrivateKeyDelimetersRSA)
+                delimiters.Add(delim);
+            foreach (string delim in PrivateKeyDelimetersEC)
+                delimiters.Add(delim);
+
+            foreach (string delim in delimiters)
+            {
+                string delimEnd = delim.Replace("BEGIN", "END");
+                int certStart = pemString.IndexOf(delim);
+                if (certStart == -1)
+                    continue;
+                int certLength = pemString.IndexOf(delimEnd) + delimEnd.Length - certStart;
+                pemString = pemString.Remove(certStart, certLength);
+            }
+
+            return pemString.Trim();
+        }
     }
 }

RemoteFile/InventoryBase.cs

@@ -5,21 +5,20 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-
-using Keyfactor.Orchestrators.Extensions;
-using Keyfactor.Orchestrators.Common.Enums;
-using Keyfactor.Logging;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
+using Keyfactor.Logging;
+using Keyfactor.Orchestrators.Common.Enums;
+using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.PKI.CryptographicObjects.Formatters;
 using Keyfactor.PKI.Extensions;
-
+using Keyfactor.PKI.X509;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 using Org.BouncyCastle.Pkcs;
+using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
-using Keyfactor.PKI.X509;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -57,10 +56,9 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                     List<string> certChain = new List<string>();
                     foreach (X509CertificateEntry certificateEntry in entry.CertificateChain)
                     {
-                        CertificateConverter converter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateEntry.Certificate);
-                        certChain.Add(converter.ToPEM(false));
+                        certChain.Add(CryptographicObjectFormatter.PEM.Format(certificateEntry.Certificate, false));
                     }
-                    
+
                     inventoryItems.Add(new CurrentInventoryItem()
                     {
                         ItemStatus = OrchestratorInventoryItemStatus.Unknown,

RemoteFile/ManagementBase.cs

@@ -34,7 +34,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
             try
             {
                 SetJobProperties(config, config.CertificateStoreDetails, logger);
-
+                
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, FileTransferProtocol, SSHPort, IncludePortInSPN);
                 certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);