Remove X509Certificate2 usage, refactor certConverter usage to cryptoObjectFormatter usage

Author: keyfactor-ddunn

RemoteFile/ImplementedStoreTypes/DER/DERCertificateStoreSerializer.cs

@@ -17,7 +17,7 @@
 using Keyfactor.PKI.X509;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
-
+using Keyfactor.PKI.Extensions;
 using Microsoft.Extensions.Logging;
 
 using Org.BouncyCastle.Crypto;
@@ -49,12 +49,12 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
 
             if (String.IsNullOrEmpty(SeparatePrivateKeyFilePath))
             {
-                store.SetCertificateEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificate.Certificate).ToX509Certificate2().Thumbprint, certificate);
+                store.SetCertificateEntry(certificate.Certificate.Thumbprint(), certificate);
             }
             else
             {
                 AsymmetricKeyEntry keyEntry = GetPrivateKey(storePassword ?? string.Empty, remoteHandler);
-                store.SetKeyEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificate.Certificate).ToX509Certificate2().Thumbprint, keyEntry, new X509CertificateEntry[] { certificate });
+                store.SetKeyEntry(certificate.Certificate.Thumbprint(), keyEntry, new X509CertificateEntry[] { certificate });
             }
 
             // Second Pkcs12Store necessary because of an obscure BC bug where creating a Pkcs12Store without .Load (code above using "Set" methods only) does not set all internal hashtables necessary to avoid an error later
@@ -94,6 +94,7 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                         throw new RemoteFileException($"DER certificate store has a private key at {SeparatePrivateKeyFilePath}, but no private key was passed with the certificate to this job.");
                 }
 
+                // this still needs refactored to CryptographicObjectFormatter
                 CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateStore.GetCertificate(alias).Certificate);
                 certificateBytes = certConverter.ToDER(string.IsNullOrEmpty(storePassword) ? string.Empty : storePassword);
 
@@ -140,9 +141,7 @@ private X509CertificateEntry GetCertificate(byte[] storeContentBytes)
 
             try
             {
-                CertificateConverter converter = CertificateConverterFactory.FromDER(storeContentBytes);
-                X509Certificate bcCert = converter.ToBouncyCastleCertificate();
-                certificateEntry = new X509CertificateEntry(bcCert);
+                certificateEntry = new X509CertificateEntry(new X509Certificate(storeContentBytes));
             }
             catch (Exception ex)
             {

RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs

@@ -9,12 +9,11 @@
 using System.Collections.Generic;
 using System.Text;
 using System.IO;
-
+using System.Linq;
 using Newtonsoft.Json;
 
 using Keyfactor.Logging;
 using Keyfactor.PKI.PrivateKeys;
-using Keyfactor.PKI.X509;
 using Keyfactor.PKI.PEM;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
@@ -26,7 +25,8 @@
 using Org.BouncyCastle.Pkcs;
 using Org.BouncyCastle.X509;
 using System.Security.Cryptography;
-using Org.BouncyCastle.OpenSsl;
+using Keyfactor.PKI.CryptographicObjects.Formatters;
+using Keyfactor.PKI.Extensions;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Asn1.X9;
 
@@ -74,15 +74,15 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
             {
                 foreach(X509CertificateEntry certificate in certificates)
                 {
-                    store.SetCertificateEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificate.Certificate).ToX509Certificate2().Thumbprint, certificate);
+                    store.SetCertificateEntry(certificate.Certificate.Thumbprint(), certificate);
                 }
             }
             else
             {
                 PrivateKeyTypeEnum privateKeyType;
                 AsymmetricKeyEntry keyEntry = GetPrivateKey(storeContents, storePassword ?? string.Empty, remoteHandler, out privateKeyType);
 
-                store.SetKeyEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificates[0].Certificate).ToX509Certificate2().Thumbprint, keyEntry, certificates);
+                store.SetKeyEntry(certificates[0].Certificate.Thumbprint(), keyEntry, certificates);
             }
 
             // Second Pkcs12Store necessary because of an obscure BC bug where creating a Pkcs12Store without .Load (code above using "Set" methods only) does not set all internal hashtables necessary to avoid an error later
@@ -113,22 +113,21 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                     if (certificateStore.IsKeyEntry(alias))
                         throw new RemoteFileException("Cannot add a certificate with a private key to a PEM trust store.");
 
-                    CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateStore.GetCertificate(alias).Certificate);
-                    pemString += certConverter.ToPEM(true);
+                    pemString += CryptographicObjectFormatter.PEM.Format(certificateStore.GetCertificate(alias).Certificate, false);
                 }
             }
             else
             {
                 string storeContents = Encoding.ASCII.GetString(remoteHandler.DownloadCertificateFile(storePath + storeFileName));
 
-                string begDelim;
                 string privateKeyContents = String.IsNullOrEmpty(SeparatePrivateKeyFilePath) ? storeContents : Encoding.ASCII.GetString(remoteHandler.DownloadCertificateFile(SeparatePrivateKeyFilePath));
-                PrivateKeyTypeEnum privateKeyType = GetPrivateKeyType(privateKeyContents, out begDelim);
+                PrivateKeyTypeEnum privateKeyType = GetPrivateKeyType(privateKeyContents, out _);
 
                 if (!string.IsNullOrEmpty(storePassword) && privateKeyType != PrivateKeyTypeEnum.PKCS8)
                     throw new RemoteFileException("Error retrieving private key.  Certificate store password cannot have a non empty value if the private key is in PKCS#1 format (BEGIN [RSA|EC] PRIVATE KEY)");
 
                 bool keyEntryProcessed = false;
+                //todo: why is this a foreach? seems like it either runs once or throws an exception
                 foreach (string alias in certificateStore.Aliases)
                 {
                     if (keyEntryProcessed)
@@ -140,39 +139,24 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                         throw new RemoteFileException("No private key found.  Private key must be present to add entry to a non-Trust PEM certificate store.");
 
                     X509CertificateEntry[] chainEntries = certificateStore.GetCertificateChain(alias);
-                    CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(chainEntries[0].Certificate);
+                    X509Certificate endCertificate = chainEntries[0].Certificate;
 
                     AsymmetricKeyParameter privateKey = certificateStore.GetKey(alias).Key;
-                    AsymmetricKeyParameter publicKey = chainEntries[0].Certificate.GetPublicKey();
+                    PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCPrivateKeyAndCert(privateKey, endCertificate);
 
-                    if (privateKeyType == PrivateKeyTypeEnum.PKCS8)
-                    {
-                        PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCKeyPair(privateKey, publicKey, false);
+                    keyString = CryptographicObjectFormatter.PEM.Format(keyConverter, storePassword);
+                    pemString = string.IsNullOrEmpty(SeparatePrivateKeyFilePath) 
+                        ? CryptographicObjectFormatter.PEM.Format(endCertificate, keyConverter, storePassword, false)
+                        : CryptographicObjectFormatter.PEM.Format(endCertificate, false);
 
-                        byte[] privateKeyBytes = string.IsNullOrEmpty(storePassword) ? keyConverter.ToPkcs8BlobUnencrypted() : keyConverter.ToPkcs8Blob(storePassword);
-                        keyString = PemUtilities.DERToPEM(privateKeyBytes, string.IsNullOrEmpty(storePassword) ? PemUtilities.PemObjectType.PrivateKey : PemUtilities.PemObjectType.EncryptedPrivateKey);
-                    }
-                    else
+                    if (!IncludesChain)
                     {
-                        TextWriter textWriter = new StringWriter();
-                        PemWriter pemWriter = new PemWriter(textWriter);
-                        pemWriter.WriteObject(privateKey);
-                        pemWriter.Writer.Flush();
-
-                        keyString = textWriter.ToString();
+                        continue;
                     }
 
-                    pemString = certConverter.ToPEM(true);
-                    if (string.IsNullOrEmpty(SeparatePrivateKeyFilePath))
-                        pemString += keyString;
-
-                    if (IncludesChain)
+                    for (int i = 1; i < chainEntries.Length; i++)
                     {
-                        for (int i = 1; i < chainEntries.Length; i++)
-                        {
-                            CertificateConverter chainConverter = CertificateConverterFactory.FromBouncyCastleCertificate(chainEntries[i].Certificate);
-                            pemString += chainConverter.ToPEM(true);
-                        }
+                        pemString += CryptographicObjectFormatter.PEM.Format(chainEntries[i].Certificate, false);
                     }
                 }
             }
@@ -215,18 +199,10 @@ private X509CertificateEntry[] GetCertificates(string certificates)
 
             try
             {
-                while (certificates.Contains(CertDelimBeg))
-                {
-                    int certStart = certificates.IndexOf(CertDelimBeg);
-                    int certLength = certificates.IndexOf(CertDelimEnd) + CertDelimEnd.Length - certStart;
-                    string certificate = certificates.Substring(certStart, certLength);
-
-                    CertificateConverter c2 = CertificateConverterFactory.FromPEM(Encoding.ASCII.GetBytes(certificate.Replace(CertDelimBeg, string.Empty).Replace(CertDelimEnd, string.Empty)));
-                    X509Certificate bcCert = c2.ToBouncyCastleCertificate();
-                    certificateEntries.Add(new X509CertificateEntry(bcCert));
-
-                    certificates = certificates.Substring(certStart + certLength - 1);
-                }
+                IEnumerable<string> pemCertificates = PemUtilities.SplitCollection(certificates);
+                certificateEntries.AddRange(pemCertificates.Select(cert => 
+                    new X509CertificateEntry(new X509Certificate(CryptographicObjectFormatter.DER.Format(cert))))
+                );
             }
             catch (Exception ex)
             {

RemoteFile/InventoryBase.cs

@@ -8,15 +8,13 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Security.Cryptography.X509Certificates;
 
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Logging;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
-
+using Keyfactor.PKI.Extensions;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -41,27 +39,27 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                 certificateStore.Initialize(SudoImpersonatedUser);
                 certificateStore.LoadCertificateStore(certificateStoreSerializer, true);
 
-                List<X509Certificate2Collection> collections = certificateStore.GetCertificateChains();
+                List<List<X509CertificateExt>> collections = certificateStore.GetCertificateChains();
 
                 logger.LogDebug($"Format returned certificates BEGIN");
-                foreach (X509Certificate2Collection collection in collections)
+                foreach (List<X509CertificateExt> collection in collections)
                 {
                     if (collection.Count == 0)
                         continue;
 
-                    X509Certificate2Ext issuedCertificate = (X509Certificate2Ext)collection[0];
+                    X509CertificateExt issuedCertificate = collection[0];
 
                     List<string> certChain = new List<string>();
-                    foreach (X509Certificate2 certificate in collection)
+                    foreach (X509CertificateExt certificate in collection)
                     {
-                        certChain.Add(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
-                        logger.LogDebug(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
+                        certChain.Add(Convert.ToBase64String(certificate.GetEncoded()));
+                        logger.LogDebug(Convert.ToBase64String(certificate.GetEncoded()));
                     }
 
                     inventoryItems.Add(new CurrentInventoryItem()
                     {
                         ItemStatus = OrchestratorInventoryItemStatus.Unknown,
-                        Alias = string.IsNullOrEmpty(issuedCertificate.FriendlyNameExt) ? issuedCertificate.Thumbprint : issuedCertificate.FriendlyNameExt,
+                        Alias = string.IsNullOrEmpty(issuedCertificate.FriendlyNameExt) ? issuedCertificate.Thumbprint() : issuedCertificate.FriendlyNameExt,
                         PrivateKeyEntry = issuedCertificate.HasPrivateKey,
                         UseChainLevel = collection.Count > 1,
                         Certificates = certChain.ToArray()

RemoteFile/ManagementBase.cs

@@ -6,16 +6,15 @@
 // and limitations under the License.
 
 using System;
-using System.Collections.Generic;
-using System.Security.Cryptography.X509Certificates;
 
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
-
+using Keyfactor.PKI.Extensions;
 using Microsoft.Extensions.Logging;
 
 using Newtonsoft.Json;
+using Org.BouncyCastle.X509;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -52,7 +51,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                                 throw new RemoteFileException($"Certificate store {config.CertificateStoreDetails.StorePath} does not exist on server {config.CertificateStoreDetails.ClientMachine}.");
                         }
                         certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
-                        certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, RemoveRootCertificate);
+                        certificateStore.AddCertificate(config.JobCertificate.Alias ?? new X509Certificate(Convert.FromBase64String(config.JobCertificate.Contents)).Thumbprint(), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, RemoveRootCertificate);
                         certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
 
                         logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");

RemoteFile/Models/SerializedStoreInfo.cs

@@ -5,8 +5,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System.Security.Cryptography.X509Certificates;
-
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.Models
 {
     internal class SerializedStoreInfo

RemoteFile/Models/X509Certificate2Ext.cs

@@ -12,11 +12,9 @@
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
-using Keyfactor.PKI.PEM;
 
 using Microsoft.Extensions.Logging;
 
-using Newtonsoft.Json;
 using System.Security.Cryptography;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile