From e0cbf975c4f815bbadc9dfc56f90b1836450b1f8 Mon Sep 17 00:00:00 2001
From: leefine02
Date: Fri, 5 Jul 2024 19:25:21 +0000
Subject: [PATCH] ab#59979

---
 RemoteFile/ReenrollmentBase.cs | 33 +++++++++++++++++-----------
 RemoteFile/RemoteCertificateStore.cs | 28 +++++++++++++----------
 2 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/RemoteFile/ReenrollmentBase.cs b/RemoteFile/ReenrollmentBase.cs
index e748a2f..9f8fafa 100644
--- a/RemoteFile/ReenrollmentBase.cs
+++ b/RemoteFile/ReenrollmentBase.cs
@@ -12,17 +12,11 @@ using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
+using Keyfactor.PKI.PEM;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
-using Org.BouncyCastle.Asn1.Pkcs;
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Crypto.Generators;
-using Org.BouncyCastle.Crypto.Prng;
-using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.Pkcs;
 using System.Security.Cryptography;
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
@@ -108,17 +102,29 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm
 }
 X509Certificate2 cert = submitReenrollment.Invoke(csr);
+ if (cert == null)
+ throw new RemoteFileException("Enrollment of CSR failed. Please check Keyfactor Command logs for more information on potential enrollment errors.");
 if (!string.IsNullOrEmpty(pemPrivateKey))
 {
- RSA rsa = RSA.Create();
- rsa.ImportEncryptedPkcs8PrivateKey(string.Empty, Convert.FromBase64String(pemPrivateKey), out _);
- cert = cert.CopyWithPrivateKey(rsa);
+ if (keyTypeEnum == SupportedKeyTypeEnum.RSA)
+ {
+ RSA rsa = RSA.Create();
+ rsa.ImportEncryptedPkcs8PrivateKey(string.Empty, Keyfactor.PKI.PEM.PemUtilities.PEMToDER(pemPrivateKey), out _);
+ cert = cert.CopyWithPrivateKey(rsa);
+ }
+ else
+ {
+ ECCurve ec = ECCurve.CreateFromValue("1.3.132.0.34");
+ ECDsa e = ECDsa.Create(ec);
+ e.ImportECPrivateKey(Keyfactor.PKI.PEM.PemUtilities.PEMToDER(pemPrivateKey), out _);
+ cert = cert.CopyWithPrivateKey(e);
+ }
 }
 // save certificate
 certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false);
- certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Cert)), overwrite, null);
+ certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null);
 certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler));
 logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
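Review bot: The `RSA` and `ECDsa` objects created in the new key-attach branches are never disposed, so the imported private key material stays alive in those handles after `CopyWithPrivateKey` has taken its own copy; `using RSA rsa = RSA.Create();` and `using ECDsa e = ECDsa.Create();` bound that lifetime to the branch. The `ECCurve.CreateFromValue("1.3.132.0.34")` line makes `ECDsa.Create(ec)` generate a throw-away P-384 key pair that `ImportECPrivateKey` then replaces with whatever curve the PEM carries, so the hard-coded OID documents nothing and can go. The `else` branch treats every non-RSA `keyTypeEnum` as EC; if `SupportedKeyTypeEnum` has members beyond RSA and the EC one, an explicit check for the EC member with a `RemoteFileException` in the final `else` would fail with a clear message instead of a low-level crypto exception. Switching the export to `X509ContentType.Pfx` means the base64 string handed to `AddCertificate` now contains the private key, exported without a password, so nothing downstream may log that value and the store's own `storePassword` protection has to cover it (AddCertificate is outside this hunk, so I cannot confirm it does). `ProcessJob` starts before and continues after this hunk.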
@@ -126,8 +132,9 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm
 catch (Exception ex)
 {
- logger.LogError($"Exception for {config.Capability}: {RemoteFileException.FlattenExceptionMessages(ex, string.Empty)} for job id {config.JobId}");
- return new JobResult() { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = config.JobHistoryId, FailureMessage = RemoteFileException.FlattenExceptionMessages(ex, $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}:") };
+ string errorMessage = $"Exception for {config.Capability}: {RemoteFileException.FlattenExceptionMessages(ex, string.Empty)} for job id {config.JobId}";
+ logger.LogError(errorMessage);
+ return new JobResult() { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = config.JobHistoryId, FailureMessage = $"Site {config.CertificateStoreDetails.StorePath} on server {config.CertificateStoreDetails.ClientMachine}: {errorMessage}" };
 }
 finally
 {
diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs
index 301a4bf..3a8dd18 100644
--- a/RemoteFile/RemoteCertificateStore.cs
+++ b/RemoteFile/RemoteCertificateStore.cs
@@ -390,7 +390,7 @@ internal string GenerateCSROnDevice(string subjectText, SupportedKeyTypeEnum key
 string fileName = Guid.NewGuid().ToString();
 X500DistinguishedName dn = new X500DistinguishedName(subjectText);
- string opensslSubject = dn.Format(true);
+ string opensslSubject = dn.Format(true).Replace("S=","ST=");
 opensslSubject = opensslSubject.Replace(System.Environment.NewLine, "/");
 opensslSubject = "/" + opensslSubject.Substring(0, opensslSubject.Length - 1);
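Review bot: `logger.LogError(errorMessage)` still drops the exception object, so the stack trace of `ex` never reaches the log, and because `errorMessage` is a pre-interpolated string the logger parses it as a message template, where any `{` or `}` inside the flattened exception text is read as a placeholder; `logger.LogError(ex, "Exception for {Capability}: {Message} for job id {JobId}", config.Capability, RemoteFileException.FlattenExceptionMessages(ex, string.Empty), config.JobId);` avoids both while `errorMessage` can stay for the returned `FailureMessage`. That same flattened text is now returned verbatim to the platform as `FailureMessage`; the other file in this diff keys off `----` in `ex.Message`, which suggests exceptions from the remote command layer carry raw command output, so anything that output echoes (for instance the failing command line) would now surface in the job result as well as the log, and it is worth confirming that nothing credential-bearing can be on that path. The enclosing `catch` belongs to `ProcessJob`, which starts before this hunk.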
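Review bot: `.Replace("S=","ST=")` is applied to the whole formatted DN rather than to the attribute type at the start of each RDN line, so an `S=` occurring inside any attribute value is rewritten too, and the rename silently depends on `Format(true)` emitting one RDN per line; renaming per line keeps it anchored: `string[] rdns = Array.ConvertAll(dn.Format(true).Split(System.Environment.NewLine, StringSplitOptions.RemoveEmptyEntries), rdn => rdn.StartsWith("S=", StringComparison.Ordinal) ? "ST=" + rdn.Substring(2) : rdn);` followed by `string opensslSubject = "/" + string.Join("/", rdns);`, which replaces the three `opensslSubject` lines here. `subjectText` comes from the job configuration and, judging by the variable name, ends up in an openssl `-subj` argument assembled below this hunk, so a value containing `/` will corrupt the subject and, if that command is built as a plain string, quotes or shell metacharacters in a value could alter the command; validating or escaping the RDN values before they are joined would close that. `GenerateCSROnDevice` starts before this hunk and continues past it.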
@@ -419,19 +419,25 @@ internal string GenerateCSROnDevice(string subjectText, SupportedKeyTypeEnum key
 privateKey = string.Empty;
 try
 {
- RemoteHandler.RunCommand(cmd, null, ApplicationSettings.UseSudo, null);
- privateKey = Encoding.UTF8.GetString(RemoteHandler.DownloadCertificateFile(path + fileName + "key"));
- csr = Encoding.UTF8.GetString(RemoteHandler.DownloadCertificateFile(path + fileName + "csr"));
- }
- catch (Exception ex)
- {
- if (!ex.Message.Contains("----") || !ex.Message.Contains("++++"))
- throw;
+ try
+ {
+ RemoteHandler.RunCommand(cmd, null, ApplicationSettings.UseSudo, null);
+ }
+ catch (Exception ex)
+ {
+ if (!ex.Message.Contains("----"))
+ throw;
+ }
+
+ privateKey = Encoding.UTF8.GetString(RemoteHandler.DownloadCertificateFile(path + fileName + ".key"));
+ csr = Encoding.UTF8.GetString(RemoteHandler.DownloadCertificateFile(path + fileName + ".csr"));
 }
 finally
 {
- RemoteHandler.RemoveCertificateFile(path, fileName + "key");
- RemoteHandler.RemoveCertificateFile(path, fileName + "csr");
+ if (RemoteHandler.DoesFileExist(path + fileName + ".key"))
+ RemoteHandler.RemoveCertificateFile(path, fileName + ".key");
+ if (RemoteHandler.DoesFileExist(path + fileName + ".csr"))
+ RemoteHandler.RemoveCertificateFile(path, fileName + ".csr");
 }
 return csr;
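Review bot: The inner `catch` now swallows any `RunCommand` failure whose message contains `----`, where the old check also required `++++`; since the message appears to carry the remote command's output, a failing invocation whose stderr includes a four-dash run (a PEM header line, a usage banner, a separator) is silently ignored and the real error is lost, surfacing later only as a download failure for a file that was never written. Unless `RunCommand` exposes the exit status (its signature is not visible here), the least that should happen is to keep the swallowed message and fail with it when the expected `.key`/`.csr` files are absent, as sketched below. The download and cleanup names now carry a `.` that the old `fileName + "key"` did not, while the `cmd` that writes those files is built above this hunk and is not touched by this diff, so please confirm it already uses `.key`/`.csr`. In `finally`, an exception from the `.key` existence check or removal both replaces the in-flight exception and skips the `.csr` cleanup, so each removal is better isolated in its own try/catch that only logs. `GenerateCSROnDevice` starts before this hunk.
```csharp
string commandOutput = string.Empty;
// … unchanged: inner try { RemoteHandler.RunCommand(...) } …
catch (Exception ex)
{
    if (!ex.Message.Contains("----"))
        throw;
    commandOutput = ex.Message;   // keep the swallowed output for the check below
}

if (!RemoteHandler.DoesFileExist(path + fileName + ".key") || !RemoteHandler.DoesFileExist(path + fileName + ".csr"))
    throw new RemoteFileException($"CSR generation on the device did not produce the expected .key and .csr files. Command output: {commandOutput}");
// … unchanged: download of .key and .csr …
```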