From 89c23f5432005b38c9796f79a65c16a80932d5e1 Mon Sep 17 00:00:00 2001 From: Neil Dorin Date: Thu, 7 May 2026 09:01:27 -0600 Subject: [PATCH] feat: enhance certificate handling with BouncyCastle and remove firmware version checks Co-authored-by: Copilot --- .../Logging/DebugWebsocketSink.cs | 70 +++++++++++++++++-- src/PepperDash.Essentials/ControlSystem.cs | 28 ++++---- 2 files changed, 77 insertions(+), 21 deletions(-) diff --git a/src/PepperDash.Core/Logging/DebugWebsocketSink.cs b/src/PepperDash.Core/Logging/DebugWebsocketSink.cs index e083da2d..1f4dda7a 100644 --- a/src/PepperDash.Core/Logging/DebugWebsocketSink.cs +++ b/src/PepperDash.Core/Logging/DebugWebsocketSink.cs @@ -15,10 +15,12 @@ using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto.Generators; using Org.BouncyCastle.Crypto.Operators; +using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Math; using Org.BouncyCastle.Pkcs; using Org.BouncyCastle.Security; using Org.BouncyCastle.X509; +using System.Security.Cryptography; using Serilog.Formatting; using Serilog.Formatting.Json; @@ -172,7 +174,15 @@ namespace PepperDash.Core using (var ms = new MemoryStream()) { - pkcs12Store.Save(ms, _certificatePassword.ToCharArray(), random); + var passwordChars = _certificatePassword.ToCharArray(); + try + { + pkcs12Store.Save(ms, passwordChars, random); + } + finally + { + Array.Clear(passwordChars, 0, passwordChars.Length); + } File.WriteAllBytes(outputPath, ms.ToArray()); } @@ -215,23 +225,69 @@ namespace PepperDash.Core private static X509Certificate2 LoadOrRecreateCert(string certPath, string certPassword) { + if (!File.Exists(certPath)) + CreateCert(); + try { - // EphemeralKeySet is required on Linux/OpenSSL (Crestron 4-series) to avoid - // key-container persistence failures, and avoids the private key export restriction. - return new X509Certificate2(certPath, certPassword, X509KeyStorageFlags.EphemeralKeySet); + return LoadCertFromBouncyCastle(certPath, certPassword); } catch (Exception ex) { - // Cert is stale or was generated by an incompatible library (e.g. old BouncyCastle output). - // Delete it, regenerate with the BCL path, and retry once. + // Cert is corrupt or was written by an incompatible tool — delete and regenerate once. CrestronConsole.PrintLine(string.Format("SSL cert load failed ({0}); regenerating...", ex.Message)); try { File.Delete(certPath); } catch { } CreateCert(); - return new X509Certificate2(certPath, certPassword, X509KeyStorageFlags.EphemeralKeySet); + return LoadCertFromBouncyCastle(certPath, certPassword); } } + /// + /// Loads a PKCS#12 file written by BouncyCastle and returns an with + /// private key attached via . + /// Using BouncyCastle's own reader avoids the .NET/Mono PFX parser, which can reject + /// BouncyCastle-generated archives on the Crestron runtime. + /// + private static X509Certificate2 LoadCertFromBouncyCastle(string certPath, string certPassword) + { + var passwordChars = certPassword.ToCharArray(); + try + { + using (var stream = File.OpenRead(certPath)) + { + var store = new Pkcs12StoreBuilder().Build(); + store.Load(stream, passwordChars); + + foreach (string alias in store.Aliases) + { + if (!store.IsKeyEntry(alias)) continue; + + var keyEntry = store.GetKey(alias); + var certChain = store.GetCertificateChain(alias); + if (certChain == null || certChain.Length == 0) continue; + + // Build X509Certificate2 from raw DER — no PFX parsing by .NET needed. + var cert = new X509Certificate2(certChain[0].Certificate.GetEncoded()); + + // Attach the private key via RSACryptoServiceProvider (available on all target runtimes). + var rsaParams = DotNetUtilities.ToRSAParameters( + (RsaPrivateCrtKeyParameters)keyEntry.Key); + var rsa = new RSACryptoServiceProvider(); + rsa.ImportParameters(rsaParams); + cert.PrivateKey = rsa; + + return cert; + } + } + } + finally + { + Array.Clear(passwordChars, 0, passwordChars.Length); + } + + throw new InvalidOperationException("No key entry found in PKCS#12 store: " + certPath); + } + private void Start(int port, string certPath = "", string certPassword = "") { try diff --git a/src/PepperDash.Essentials/ControlSystem.cs b/src/PepperDash.Essentials/ControlSystem.cs index e6c61c60..d4a7545a 100644 --- a/src/PepperDash.Essentials/ControlSystem.cs +++ b/src/PepperDash.Essentials/ControlSystem.cs @@ -27,7 +27,7 @@ namespace PepperDash.Essentials private CEvent _initializeEvent; private const long StartupTime = 500; - private const string minimumFirmwareVersion = "2.8006.00110"; + // private const string minimumFirmwareVersion = "2.8006.00110"; /// /// Initializes a new instance of the ControlSystem class @@ -50,21 +50,21 @@ namespace PepperDash.Essentials { // Get FW version and stop if it's too low to run this version of Essentials. Must be greater than v2.8006.00110 - var fwVersion = InitialParametersClass.FirmwareVersion; + // var fwVersion = InitialParametersClass.FirmwareVersion; - Debug.LogInformation("Control System Hardware Version: {fwVersion}", fwVersion); + // Debug.LogInformation("Control System Hardware Version: {fwVersion}", fwVersion); - // split the version into parts and compare against minimumFirmwareVersion - var versionParts = fwVersion.Split('.').Select(int.Parse).ToArray(); - var minParts = minimumFirmwareVersion.Split('.').Select(int.Parse).ToArray(); - if (versionParts.Length < minParts.Length - || versionParts[0] < minParts[0] - || (versionParts[0] == minParts[0] && versionParts[1] < minParts[1]) - || (versionParts[0] == minParts[0] && versionParts[1] == minParts[1] && versionParts[2] <= minParts[2])) - { - Debug.LogFatal("Firmware version {fwVersion} is too low to run this version of Essentials. Please upgrade to greater than v{minimumFirmwareVersion}.", fwVersion, minimumFirmwareVersion); - return; - } + // // split the version into parts and compare against minimumFirmwareVersion + // var versionParts = fwVersion.Split('.').Select(int.Parse).ToArray(); + // var minParts = minimumFirmwareVersion.Split('.').Select(int.Parse).ToArray(); + // if (versionParts.Length < minParts.Length + // || versionParts[0] < minParts[0] + // || (versionParts[0] == minParts[0] && versionParts[1] < minParts[1]) + // || (versionParts[0] == minParts[0] && versionParts[1] == minParts[1] && versionParts[2] <= minParts[2])) + // { + // Debug.LogFatal("Firmware version {fwVersion} is too low to run this version of Essentials. Please upgrade to greater than v{minimumFirmwareVersion}.", fwVersion, minimumFirmwareVersion); + // return; + // } // If the control system is a DMPS type, we need to wait to exit this method until all devices have had time to activate // to allow any HD-BaseT DM endpoints to register first.