feat: enhance certificate handling with BouncyCastle and remove firmware version checks

Co-authored-by: Copilot <copilot@github.com>
This commit is contained in:
Neil Dorin 2026-05-07 09:01:27 -06:00
parent 1b32761e8e
commit 89c23f5432
2 changed files with 77 additions and 21 deletions

View file

@ -15,10 +15,12 @@ using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators; using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators; using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math; using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs; using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security; using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509; using Org.BouncyCastle.X509;
using System.Security.Cryptography;
using Serilog.Formatting; using Serilog.Formatting;
using Serilog.Formatting.Json; using Serilog.Formatting.Json;
@ -172,7 +174,15 @@ namespace PepperDash.Core
using (var ms = new MemoryStream()) using (var ms = new MemoryStream())
{ {
pkcs12Store.Save(ms, _certificatePassword.ToCharArray(), random); var passwordChars = _certificatePassword.ToCharArray();
try
{
pkcs12Store.Save(ms, passwordChars, random);
}
finally
{
Array.Clear(passwordChars, 0, passwordChars.Length);
}
File.WriteAllBytes(outputPath, ms.ToArray()); File.WriteAllBytes(outputPath, ms.ToArray());
} }
@ -215,23 +225,69 @@ namespace PepperDash.Core
private static X509Certificate2 LoadOrRecreateCert(string certPath, string certPassword) private static X509Certificate2 LoadOrRecreateCert(string certPath, string certPassword)
{ {
if (!File.Exists(certPath))
CreateCert();
try try
{ {
// EphemeralKeySet is required on Linux/OpenSSL (Crestron 4-series) to avoid return LoadCertFromBouncyCastle(certPath, certPassword);
// key-container persistence failures, and avoids the private key export restriction.
return new X509Certificate2(certPath, certPassword, X509KeyStorageFlags.EphemeralKeySet);
} }
catch (Exception ex) catch (Exception ex)
{ {
// Cert is stale or was generated by an incompatible library (e.g. old BouncyCastle output). // Cert is corrupt or was written by an incompatible tool — delete and regenerate once.
// Delete it, regenerate with the BCL path, and retry once.
CrestronConsole.PrintLine(string.Format("SSL cert load failed ({0}); regenerating...", ex.Message)); CrestronConsole.PrintLine(string.Format("SSL cert load failed ({0}); regenerating...", ex.Message));
try { File.Delete(certPath); } catch { } try { File.Delete(certPath); } catch { }
CreateCert(); CreateCert();
return new X509Certificate2(certPath, certPassword, X509KeyStorageFlags.EphemeralKeySet); return LoadCertFromBouncyCastle(certPath, certPassword);
} }
} }
/// <summary>
/// Loads a PKCS#12 file written by BouncyCastle and returns an <see cref="X509Certificate2"/> with
/// private key attached via <see cref="RSACryptoServiceProvider"/>.
/// Using BouncyCastle's own reader avoids the .NET/Mono PFX parser, which can reject
/// BouncyCastle-generated archives on the Crestron runtime.
/// </summary>
private static X509Certificate2 LoadCertFromBouncyCastle(string certPath, string certPassword)
{
var passwordChars = certPassword.ToCharArray();
try
{
using (var stream = File.OpenRead(certPath))
{
var store = new Pkcs12StoreBuilder().Build();
store.Load(stream, passwordChars);
foreach (string alias in store.Aliases)
{
if (!store.IsKeyEntry(alias)) continue;
var keyEntry = store.GetKey(alias);
var certChain = store.GetCertificateChain(alias);
if (certChain == null || certChain.Length == 0) continue;
// Build X509Certificate2 from raw DER — no PFX parsing by .NET needed.
var cert = new X509Certificate2(certChain[0].Certificate.GetEncoded());
// Attach the private key via RSACryptoServiceProvider (available on all target runtimes).
var rsaParams = DotNetUtilities.ToRSAParameters(
(RsaPrivateCrtKeyParameters)keyEntry.Key);
var rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(rsaParams);
cert.PrivateKey = rsa;
return cert;
}
}
}
finally
{
Array.Clear(passwordChars, 0, passwordChars.Length);
}
throw new InvalidOperationException("No key entry found in PKCS#12 store: " + certPath);
}
private void Start(int port, string certPath = "", string certPassword = "") private void Start(int port, string certPath = "", string certPassword = "")
{ {
try try

View file

@ -27,7 +27,7 @@ namespace PepperDash.Essentials
private CEvent _initializeEvent; private CEvent _initializeEvent;
private const long StartupTime = 500; private const long StartupTime = 500;
private const string minimumFirmwareVersion = "2.8006.00110"; // private const string minimumFirmwareVersion = "2.8006.00110";
/// <summary> /// <summary>
/// Initializes a new instance of the ControlSystem class /// Initializes a new instance of the ControlSystem class
@ -50,21 +50,21 @@ namespace PepperDash.Essentials
{ {
// Get FW version and stop if it's too low to run this version of Essentials. Must be greater than v2.8006.00110 // Get FW version and stop if it's too low to run this version of Essentials. Must be greater than v2.8006.00110
var fwVersion = InitialParametersClass.FirmwareVersion; // var fwVersion = InitialParametersClass.FirmwareVersion;
Debug.LogInformation("Control System Hardware Version: {fwVersion}", fwVersion); // Debug.LogInformation("Control System Hardware Version: {fwVersion}", fwVersion);
// split the version into parts and compare against minimumFirmwareVersion // // split the version into parts and compare against minimumFirmwareVersion
var versionParts = fwVersion.Split('.').Select(int.Parse).ToArray(); // var versionParts = fwVersion.Split('.').Select(int.Parse).ToArray();
var minParts = minimumFirmwareVersion.Split('.').Select(int.Parse).ToArray(); // var minParts = minimumFirmwareVersion.Split('.').Select(int.Parse).ToArray();
if (versionParts.Length < minParts.Length // if (versionParts.Length < minParts.Length
|| versionParts[0] < minParts[0] // || versionParts[0] < minParts[0]
|| (versionParts[0] == minParts[0] && versionParts[1] < minParts[1]) // || (versionParts[0] == minParts[0] && versionParts[1] < minParts[1])
|| (versionParts[0] == minParts[0] && versionParts[1] == minParts[1] && versionParts[2] <= minParts[2])) // || (versionParts[0] == minParts[0] && versionParts[1] == minParts[1] && versionParts[2] <= minParts[2]))
{ // {
Debug.LogFatal("Firmware version {fwVersion} is too low to run this version of Essentials. Please upgrade to greater than v{minimumFirmwareVersion}.", fwVersion, minimumFirmwareVersion); // Debug.LogFatal("Firmware version {fwVersion} is too low to run this version of Essentials. Please upgrade to greater than v{minimumFirmwareVersion}.", fwVersion, minimumFirmwareVersion);
return; // return;
} // }
// If the control system is a DMPS type, we need to wait to exit this method until all devices have had time to activate // If the control system is a DMPS type, we need to wait to exit this method until all devices have had time to activate
// to allow any HD-BaseT DM endpoints to register first. // to allow any HD-BaseT DM endpoints to register first.