utilizing the Keyfactor.PKI libraries for cert processing

Author: joevanwanzeeleKF

alteon-orchestrator/Jobs/Management.cs

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;
@@ -21,6 +22,7 @@
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.PKI.X509;
 using Microsoft.Extensions.Logging;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.OpenSsl;
@@ -66,16 +68,16 @@ protected virtual async Task<JobResult> PerformAddition(string alias, string pfx
             /// if there is a cert and key, import as "pair"
             /// if there is no key, and the issuer and subject match, import as "clca" (trusted CA)
             /// if there is no key, and the issuer and subject are different, import as "inca" (intermediate CA)
-            
+
             byte[] bytes;
             X509Certificate2 x509;
-            string pemCert, privateKeyString;
+            string pemCert, pemKey;
 
             try
             {
                 bytes = Convert.FromBase64String(entryContents);
                 x509 = new X509Certificate2(bytes, pfxPassword, X509KeyStorageFlags.Exportable);
-                (pemCert, privateKeyString) = GetPemFromPfx(bytes, pfxPassword.ToCharArray());
+                (pemCert, pemKey) = GetPemFromPfx(bytes, pfxPassword);
             }
             catch (Exception ex)
             {
@@ -117,7 +119,7 @@ protected virtual async Task<JobResult> PerformAddition(string alias, string pfx
                         // add key and cert separately.  
                         // this needs to be done in the following order: key, then cert (per Alteon support)                        
                         logger.LogTrace($"adding key and then certificate for certificate with alias {alias}");
-                        await aClient.AddCertificate(alias, pfxPassword, Pemify(privateKeyString), AlteonCertTypes.KEY_ONLY);
+                        await aClient.AddCertificate(alias, pfxPassword, pemKey, AlteonCertTypes.KEY_ONLY);
                         await aClient.AddCertificate(alias, pfxPassword, pemCert, AlteonCertTypes.CERT_ONLY);
                     }
                     else
@@ -158,7 +160,7 @@ protected virtual async Task<JobResult> PerformRemoval(string alias, long jobHis
             try
             {
                 await aClient.RemoveCertificate(alias);
-                complete.Result = OrchestratorJobStatusJobResult.Success;                
+                complete.Result = OrchestratorJobStatusJobResult.Success;
             }
 
             catch (Exception ex)
@@ -169,61 +171,70 @@ protected virtual async Task<JobResult> PerformRemoval(string alias, long jobHis
             return complete;
         }
 
-        private (string, string) GetPemFromPfx(byte[] pfxBytes, char[] pfxPassword)
+        private (string, string) GetPemFromPfx(byte[] pfxBytes, string pfxPassword)
         {
             try
             {
-                logger.LogDebug("Entering GetPemFromPfx(byte[] pfxBytes, char[] pfxPassword)");
-                var p = new Pkcs12Store(new MemoryStream(pfxBytes), pfxPassword);
-
-                // Extract private key
-                var memoryStream = new MemoryStream();
-                TextWriter streamWriter = new StreamWriter(memoryStream);
-                var pemWriter = new PemWriter(streamWriter);
-
-                var alias = p.Aliases.Cast<string>().SingleOrDefault(a => p.IsKeyEntry(a));
-                logger.LogTrace($"alias: {alias}");
-
-                var publicKey = p.GetCertificate(alias).Certificate.GetPublicKey();
-                if (p.GetKey(alias) == null) throw new Exception($"Unable to get the key for alias: {alias}");
-                var privateKey = p.GetKey(alias).Key;
-                var keyPair = new AsymmetricCipherKeyPair(publicKey, privateKey);
-
-                pemWriter.WriteObject(keyPair.Private);
-                streamWriter.Flush();
-                var privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer()).Trim().Replace("\r", "")
-                    .Replace("\0", "");
-                memoryStream.Close();
-                streamWriter.Close();
-
-                // Extract server certificate
-                var certStart = "-----BEGIN CERTIFICATE-----\n";
-                var certEnd = "\n-----END CERTIFICATE-----";
-
-                string Pemify(string ss)
+                logger.MethodEntry();
+
+                CertificateCollectionConverter converter = CertificateCollectionConverterFactory.FromDER(pfxBytes, pfxPassword);
+                string pfxPem = converter.ToPEM(pfxPassword);
+                List<X509Certificate2> clist = converter.ToX509Certificate2List(pfxPassword);
+                StringBuilder certPemBuilder = new StringBuilder();
+
+                //reordering of certificate chain necessary because of BouncyCastle bug.  Being fixed in a later release
+                if (clist.Count > 1)
+                    clist = ReorderPEMLIst(clist);
+
+                logger.LogTrace("Building certificate PEM");
+                foreach (X509Certificate2 cert in clist)
                 {
-                    return ss.Length <= 64 ? ss : ss.Substring(0, 64) + "\n" + Pemify(ss.Substring(64));
+                    certPemBuilder.AppendLine("-----BEGIN CERTIFICATE-----");
+                    certPemBuilder.AppendLine(
+                        Convert.ToBase64String(cert.RawData, Base64FormattingOptions.InsertLineBreaks));
+                    certPemBuilder.AppendLine("-----END CERTIFICATE-----");
                 }
 
-                var certPem =
-                    certStart + Pemify(Convert.ToBase64String(p.GetCertificate(alias).Certificate.GetEncoded())) +
-                    certEnd;
-                logger.LogTrace($"certPem: {certPem}");
-                logger.LogDebug("Exiting GetPemFromPfx(byte[] pfxBytes, char[] pfxPassword)");
-                return (certPem, privateKeyString);
+                logger.LogTrace("Building the key PEM");
+                byte[] pkBytes = PKI.PrivateKeys.PrivateKeyConverterFactory.FromPKCS12(pfxBytes, pfxPassword.ToString()).ToPkcs8BlobUnencrypted();
+                StringBuilder keyPemBuilder = new StringBuilder();
+                keyPemBuilder.AppendLine("-----BEGIN PRIVATE KEY-----");
+                keyPemBuilder.AppendLine(
+                    Convert.ToBase64String(pkBytes, Base64FormattingOptions.InsertLineBreaks));
+                keyPemBuilder.AppendLine("-----END PRIVATE KEY-----");
+
+                logger.LogTrace($"certPem: {certPemBuilder}");
+                logger.MethodExit();
+                return (certPemBuilder.ToString(), keyPemBuilder.ToString());
             }
             catch (Exception e)
             {
                 logger.LogError(
-                    $"Error Occurred in GetPemFromPfx(byte[] pfxBytes, char[] pfxPassword): {LogHandler.FlattenException(e)}");
+                    $"Error Occurred in GetPemFromPfx(byte[] pfxBytes, string pfxPassword): {LogHandler.FlattenException(e)}");
                 throw;
             }
         }
-
-        private string Pemify(string ss)
+        private List<X509Certificate2> ReorderPEMLIst(List<X509Certificate2> certList)
         {
-            return ss.Length <= 64 ? ss : ss.Substring(0, 64) + "\n" + Pemify(ss.Substring(64));
-        }
+            List<X509Certificate2> rtnList = new List<X509Certificate2>();
+            X509Certificate2 root = certList.FirstOrDefault(p => p.IssuerName.RawData.SequenceEqual(p.SubjectName.RawData));
+            if (root == null || string.IsNullOrEmpty(root.SerialNumber))
+                throw new Exception("Invalid certificate chain.  No root CA certificate found.");
 
+            rtnList.Add(root);
+
+            X509Certificate2 parentCert = root;
+            for (int i = 1; i < certList.Count; i++)
+            {
+                X509Certificate2 childCert = certList.FirstOrDefault(p => p.IssuerName.RawData.SequenceEqual(parentCert.SubjectName.RawData) && !p.IssuerName.RawData.SequenceEqual(p.SubjectName.RawData));
+                if (root == null || string.IsNullOrEmpty(root.SerialNumber))
+                    throw new Exception("Invalid certificate chain.  End entity or issuing CA certificate not found.");
+
+                rtnList.Insert(0, childCert);
+                parentCert = childCert;
+            }
+
+            return rtnList;
+        }
     }
 }

alteon-orchestrator/alteon-orchestrator.csproj

@@ -18,6 +18,7 @@
     <PackageReference Include="Keyfactor.Orchestrators.Common" Version="3.1.2" />
     <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="0.6.0" />
     <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorRegistrationUpdater" Version="1.0.3" />
+    <PackageReference Include="Keyfactor.PKI" Version="5.5.0" />
     <PackageReference Include="NLog" Version="5.0.1" />
     <PackageReference Include="NLog.Extensions.Logging" Version="5.0.0" />
     <PackageReference Include="RestSharp" Version="112.0.0" />