OPENICF-393 Add Secure communication support to .Net and test from Java

Author: Laszlo Hordos

ConnectorServerService/ConnectorServerService.cs

@@ -53,6 +53,7 @@ namespace Org.ForgeRock.OpenICF.Framework.ConnectorServerService
     public partial class ConnectorServerService : ServiceBase
     {
         public const string PropKey = "connectorserver.key";
+        public const string PropCertificateThumbprint = "connectorserver.certificateThumbprint";
         public const string PropFacadeLifetime = "connectorserver.maxFacadeLifeTime";
 
         private Action _closeAction;
@@ -203,7 +204,6 @@ protected override void OnStop()
 
     public class VtortConnectorServiceHost
     {
-        private const string PropCertstore = "connectorserver.certificatestorename";
         private WebSocketListener _listener;
         private readonly ClientAuthenticationValidator _validator;
         private readonly Uri _endPointUri;
@@ -221,7 +221,7 @@ public void Open()
             {
                 ipAddress = IPAddress.Loopback;
             }
-            else if (!"*".Equals(_endPointUri.DnsSafeHost))
+            else if (!"0.0.0.0".Equals(_endPointUri.DnsSafeHost))
             {
                 ipAddress = IOUtil.GetIPAddress(_endPointUri.DnsSafeHost);
             }
@@ -320,26 +320,35 @@ public void Close()
         protected X509Certificate2 GetCertificate()
         {
             NameValueCollection settings = ConfigurationManager.AppSettings;
-            String storeName = settings.Get(PropCertstore);
-            if (storeName == null)
+            String certificateThumbprint = settings.Get(ConnectorServerService.PropCertificateThumbprint);
+            if (String.IsNullOrWhiteSpace(certificateThumbprint))
             {
                 throw new Org.IdentityConnectors.Framework.Common.Exceptions.ConfigurationException(
-                    "Missing required configuration setting: " + PropCertstore);
+                    "Missing required configuration setting: " + ConnectorServerService.PropCertificateThumbprint);
             }
 
-            X509Store store = new X509Store(storeName,
-                StoreLocation.LocalMachine);
-
-            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
-            X509Certificate2Collection certificates = store.Certificates;
-            if (certificates.Count != 1)
+            X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
+            try
             {
-                throw new Org.IdentityConnectors.Framework.Common.Exceptions.ConfigurationException(
-                    "There is supported to be exactly one certificate in the store: " + storeName);
+                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
+
+                X509Certificate2 certificate =
+                    store.Certificates.Cast<X509Certificate2>()
+                        .FirstOrDefault(
+                            certificate1 =>
+                                String.Equals(certificate1.Thumbprint, certificateThumbprint,
+                                    StringComparison.CurrentCultureIgnoreCase));
+                if (certificate == null)
+                {
+                    throw new Org.IdentityConnectors.Framework.Common.Exceptions.ConfigurationException(
+                        "The Certificate can not be found with thumbprint: " + certificateThumbprint);
+                }
+                return certificate;
+            }
+            finally
+            {
+                store.Close();
             }
-            X509Certificate2 certificate = store.Certificates[0];
-            store.Close();
-            return certificate;
         }
 
         private async Task ListenAsync()

ConnectorServerService/Program.cs

@@ -4,6 +4,7 @@
 using System.Diagnostics;
 using System.IO;
 using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
 using System.ServiceProcess;
 using Org.ForgeRock.OpenICF.Framework.ConnectorServerService.Properties;
 using Org.IdentityConnectors.Common.Security;
@@ -21,6 +22,7 @@ private static void Usage()
             Console.WriteLine("       /uninstall [/serviceName <serviceName>] - Uninstalls the service.");
             Console.WriteLine("       /run - Runs the service from the console.");
             Console.WriteLine("       /setKey [<key>] - Sets the connector server key.");
+            Console.WriteLine("       /setCertificate - Sets secure server certificate thumbprint");
             Console.WriteLine("       /setDefaults - Sets default app.config");
         }
 
@@ -46,6 +48,16 @@ private static void Main(string[] args)
                     DoSetKey(args.Length > 1 ? args[1] : null);
                     return;
                 }
+                if (cmd.Equals("/setCertificate", StringComparison.InvariantCultureIgnoreCase))
+                {
+                    if (args.Length > 1)
+                    {
+                        Usage();
+                        return;
+                    }
+                    DoSetCertificate();
+                    return;
+                }
                 if (cmd.Equals("/setDefaults", StringComparison.InvariantCultureIgnoreCase))
                 {
                     if (args.Length > 1)
@@ -165,6 +177,68 @@ private static GuardedString ReadPassword()
             }
         }
 
+        private static void DoSetCertificate()
+        {
+            X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
+            try
+            {
+                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
+                X509Certificate2Collection certificates = store.Certificates;
+                int i = 0;
+                if (certificates.Count > 0)
+                {
+                    Console.WriteLine(@"Select certificate you want to use:");
+                    Console.WriteLine(@"Index  Issued To                Thumbprint");
+                    Console.WriteLine(@"-----  ---------                -------------------------");
+                    Console.WriteLine();
+                    foreach (var cerItem in certificates)
+                    {
+                        Console.WriteLine(@"{0,4})  {1,-25} {2}", i++,
+                            cerItem.GetNameInfo(X509NameType.SimpleName, false),
+                            cerItem.Thumbprint);
+                    }
+                    string line;
+                    Console.WriteLine();
+                    do
+                    {
+                        line = Console.ReadLine();
+                        if (!String.IsNullOrWhiteSpace(line))
+                        {
+                            try
+                            {
+                                int inputIndex = Convert.ToInt32(line);
+                                if (inputIndex >= 0 && inputIndex < certificates.Count)
+                                {
+                                    X509Certificate2 certificate = store.Certificates[inputIndex];
+                                    Configuration config =
+                                        ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
+                                    config.AppSettings.Settings.Remove(ConnectorServerService.PropCertificateThumbprint);
+                                    config.AppSettings.Settings.Add(ConnectorServerService.PropCertificateThumbprint,
+                                        certificate.Thumbprint);
+                                    config.Save(ConfigurationSaveMode.Modified);
+                                    Console.WriteLine(@"Certificate Thumbprint has been successfully updated to {0}.",
+                                        certificate.Thumbprint);
+                                    break;
+                                }
+                            }
+                            catch (FormatException)
+                            {
+                            }
+                            Console.WriteLine(@"Invalid input: {0}", line);
+                        }
+                    } while (!String.IsNullOrWhiteSpace(line));
+                }
+                else
+                {
+                    Console.WriteLine(@"No certificate was found in 'LocalMachine:My' store");
+                }
+            }
+            finally
+            {
+                store.Close();
+            }
+        }
+
         private static void DoSetKey(string key)
         {
             GuardedString str;

ConnectorServerService/Properties/Resources.Designer.cs

@@ -124,7 +124,7 @@
     <!-- Access these values via the property:
             System.Configuration.ConfigurationManager.AppSettings[key]
      -->
-    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
+    <add key="connectorserver.certificateThumbprint" value="Use certutil and copy: Cert Hash(sha1) Example:1b0889cdf9e0cee904646bb8a3d0aa4f72035056" />
     <add key="connectorserver.maxFacadeLifeTime" value="0" />
     <add key="connectorserver.key" value="lmA6bMfENJGlIDbfrVtklXFK32s=" />
     <!-- Enable/Disable the logging proxy for all operations. -->
@@ -157,8 +157,8 @@
           <byteStreamMessageEncoding />
           <httpTransport authenticationScheme="Basic" realm="OpenICF">
             <webSocketSettings transportUsage="Always" createNotificationOnConnection="true"
-                               subProtocol="v1.openicf.forgerock.org" />
-          </httpTransport>
+                               subProtocol="v1.openicf.forgerock.org" />            
+          </httpTransport>          
         </binding>
       </customBinding>
     </bindings>

ConnectorServerService/Properties/Resources.resx

@@ -301,11 +301,14 @@ public void OnNext(Org.IdentityConnectors.Framework.Common.Objects.ConnectorObje
             {
                 if (null != value)
                 {
-                    TryHandleResult(new
+                    if (!TryHandleResult(new
                         ConnectorEventSubscriptionOpResponse
                     {
                         ConnectorObject = MessagesUtil.SerializeMessage<Common.ProtoBuf.ConnectorObject>(value)
-                    });
+                    }))
+                    {
+                        OnError(new Exception("Failed to Handle OnNext event."));
+                    }
                 }
             }
 
@@ -586,11 +589,14 @@ public void OnNext(OBJ.SyncDelta value)
             {
                 if (null != value)
                 {
-                    TryHandleResult(new
+                    if (!TryHandleResult(new
                         SyncEventSubscriptionOpResponse
                     {
                         SyncDelta = MessagesUtil.SerializeMessage<Common.ProtoBuf.SyncDelta>(value)
-                    });
+                    }))
+                    {
+                        OnError(new Exception("Failed to Handle OnNext event."));
+                    }
                 }
             }