public ISecretReader CreateSecretReader() { if (string.IsNullOrEmpty(_vaultName)) { return(new EmptySecretReader()); } var certificate = CertificateUtility.FindCertificateByThumbprint( !string.IsNullOrEmpty(_storeName) ? (StoreName)Enum.Parse(typeof(StoreName), _storeName) : StoreName.My, !string.IsNullOrEmpty(_storeLocation) ? (StoreLocation)Enum.Parse(typeof(StoreLocation), _storeLocation) : StoreLocation.LocalMachine, _certificateThumbprint, _validateCertificate); var keyVaultConfiguration = new KeyVaultConfiguration( _vaultName, _clientId, certificate, _sendX5c); return(new KeyVaultReader(keyVaultConfiguration)); }
private static void AddEncryptingCertificate(Dictionary <string, string> result) { foreach (ServiceElement config in MicrosoftIdentityModelSection.Current.ServiceElements) { if (config.ServiceCertificate != null && config.ServiceCertificate.CertificateReference != null) { var certificateInfo = config.ServiceCertificate.CertificateReference; X509Certificate2 certificate = CertificateUtility.GetCertificate( certificateInfo.StoreName, certificateInfo.StoreLocation, certificateInfo.X509FindType, certificateInfo.FindValue); if (certificate != null) { StringBuilder rowHeader = new StringBuilder(); rowHeader.Append("Encrypting Certificate (from configuration)"); StringBuilder sb = new StringBuilder(); sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Subject] {0}<br/>", certificate.Subject)); sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Issuer] {0}<br/>", certificate.Issuer)); sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Serial Number] {0}<br/>", certificate.SerialNumber)); sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Not Before] {0}<br/>", certificate.NotBefore)); sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Not After] {0}<br/>", certificate.NotAfter)); sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Thumbprint] {0}<br/>", certificate.Thumbprint)); result[rowHeader.ToString()] = sb.ToString(); } } } }
public TokenProviderService(IOptions <TokenProviderServiceSettings> settingsOption) { var settings = settingsOption.Value; _scopes = new[] { settings.Resource + "/.default" }; if (string.IsNullOrEmpty(settings.CertificateThumbprint) && string.IsNullOrEmpty(settings.ClientSecret)) { throw new InvalidOperationException("Configure the token provider settings in the appsettings.json file."); } if (settings.CertificateThumbprint != "" && settings.ClientSecret != "") { throw new InvalidOperationException("Only configure certificate or secret authenticate, not both, in the appsettings file."); } var builder = ConfidentialClientApplicationBuilder .Create(settings.ClientId) .WithAuthority(new Uri(settings.Authority)); if (settings.CertificateThumbprint != "") { var x509Cert = CertificateUtility.GetByThumbprint(settings.CertificateThumbprint); builder = builder.WithCertificate(x509Cert); } else { builder = builder.WithClientSecret(settings.ClientSecret); } _tokenApp = builder.Build(); }
public ISecretReader CreateSecretReader(IDictionary <string, string> settings) { if (JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.VaultName) == null) { return(new EmptySecretReader()); } var storeName = JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.StoreName); var storeLocation = JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.StoreLocation); var certificate = CertificateUtility.FindCertificateByThumbprint( storeName != null ? (StoreName)Enum.Parse(typeof(StoreName), storeName) : StoreName.My, storeLocation != null ? (StoreLocation)Enum.Parse(typeof(StoreLocation), storeLocation) : StoreLocation.LocalMachine, JobConfigurationManager.GetArgument(settings, JobArgumentNames.CertificateThumbprint), JobConfigurationManager.TryGetBoolArgument(settings, JobArgumentNames.ValidateCertificate, defaultValue: true)); var keyVaultConfiguration = new KeyVaultConfiguration( JobConfigurationManager.GetArgument(settings, JobArgumentNames.VaultName), JobConfigurationManager.GetArgument(settings, JobArgumentNames.ClientId), certificate); var refreshIntervalSec = JobConfigurationManager.TryGetIntArgument(settings, JobArgumentNames.RefreshIntervalSec) ?? CachingSecretReader.DefaultRefreshIntervalSec; return(new CachingSecretReader(new KeyVaultReader(keyVaultConfiguration), refreshIntervalSec)); }
public ISecretReader CreateSecretReader() { ISecretReader secretReader; var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey)); if (!string.IsNullOrEmpty(vaultName)) { var useManagedIdentity = GetOptionalKeyVaultBoolSettingValue(UseManagedIdentityConfigurationKey, defaultValue: false); KeyVaultConfiguration keyVaultConfiguration; if (useManagedIdentity) { keyVaultConfiguration = new KeyVaultConfiguration(vaultName); } else { var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey)); var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey)); var storeName = GetOptionalKeyVaultEnumSettingValue(CertificateStoreName, StoreName.My); var storeLocation = GetOptionalKeyVaultEnumSettingValue(CertificateStoreLocation, StoreLocation.LocalMachine); var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validationRequired: true); keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate); } secretReader = new KeyVaultReader(keyVaultConfiguration); } else { secretReader = new EmptySecretReader(); } return(new CachingSecretReader(secretReader, refreshIntervalSec: SecretCachingRefreshInterval)); }
PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, ILogger logger) { // Get the chain var getter = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic) .GetGetMethod(true); var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null); var cmsSigner = CreateCmsSigner(request, certs, logger); var contentInfo = new ContentInfo(signatureContent.GetBytes()); var cms = new SignedCms(contentInfo); try { cms.ComputeSignature(cmsSigner, false); // silent is false to ensure PIN prompts appear if CNG/CAPI requires it } catch (CryptographicException ex) when(ex.HResult == INVALID_PROVIDER_TYPE_HRESULT) { var exceptionBuilder = new StringBuilder(); exceptionBuilder.AppendLine("Invalid provider type"); exceptionBuilder.AppendLine(CertificateUtility.X509Certificate2ToString(request.Certificate, NuGet.Common.HashAlgorithmName.SHA256)); throw new SignatureException(NuGetLogCode.NU3001, exceptionBuilder.ToString()); } return(PrimarySignature.Load(cms)); }
public ISecretReader CreateSecretReader() { ISecretReader secretReader; var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey)); if (!string.IsNullOrEmpty(vaultName)) { var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey)); var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey)); var storeName = GetOptionalKeyVaultEnumSettingValue(CertificateStoreName, StoreName.My); var storeLocation = GetOptionalKeyVaultEnumSettingValue(CertificateStoreLocation, StoreLocation.LocalMachine); var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validationRequired: true); var keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate); secretReader = new KeyVaultReader(keyVaultConfiguration); } else { secretReader = new EmptySecretReader(); } return(new CachingSecretReader(secretReader)); }
private static ISecretInjector GetSecretInjector(IDictionary <string, string> arguments) { ISecretReader secretReader; var vaultName = arguments.GetOrDefault <string>(Arguments.VaultName); if (string.IsNullOrEmpty(vaultName)) { secretReader = new EmptySecretReader(); } else { var clientId = arguments.GetOrThrow <string>(Arguments.ClientId); var certificateThumbprint = arguments.GetOrThrow <string>(Arguments.CertificateThumbprint); var storeName = arguments.GetOrDefault(Arguments.StoreName, StoreName.My); var storeLocation = arguments.GetOrDefault(Arguments.StoreLocation, StoreLocation.LocalMachine); var shouldValidateCert = arguments.GetOrDefault(Arguments.ValidateCertificate, true); var keyVaultCertificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, shouldValidateCert); var keyVaultConfig = new KeyVaultConfiguration(vaultName, clientId, keyVaultCertificate); secretReader = new CachingSecretReader(new KeyVaultReader(keyVaultConfig), arguments.GetOrDefault(Arguments.RefreshIntervalSec, CachingSecretReader.DefaultRefreshIntervalSec)); } return(new SecretInjector(secretReader)); }
private CertificateItem GetCertificateItemForSignature(ISignature signature, bool allowUntrustedRoot = false) { var defaultHashAlgorithm = HashAlgorithmName.SHA256; var fingerprint = CertificateUtility.GetHashString(signature.SignerInfo.Certificate, defaultHashAlgorithm); return(new CertificateItem(fingerprint, defaultHashAlgorithm, allowUntrustedRoot)); }
private void SaveCRTPrivateKey(CSR csr) { using (TextWriter writer = new StreamWriter(@"c:\temp\crt.key")) { CertificateUtility.ExportRSAPrivateKey(csr.RSAParameters, writer); } }
public void IsSelfIssued_WithPartialChain_ReturnsFalse() { using (var certificate = SigningTestUtility.GetCertificate("leaf.crt")) { Assert.False(CertificateUtility.IsSelfIssued(certificate)); } }
public ISecretReader CreateSecretReader(IConfigurationService configurationService) { var vaultName = configurationService.Get(VaultNameKey).Result; ISecretReader secretReader; // Is key vault configured? if (string.IsNullOrEmpty(vaultName)) { secretReader = new EmptySecretReader(); } else { var clientId = configurationService.Get(ClientIdKey).Result; var certificateThumbprint = configurationService.Get(CertificateThumbprintKey).Result; var storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), configurationService.Get(StoreLocationKey).Result); var storeName = (StoreName)Enum.Parse(typeof(StoreName), configurationService.Get(StoreNameKey).Result); var validateCertificate = bool.Parse(configurationService.Get(ValidateCertificateKey).Result); var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validateCertificate); secretReader = new KeyVaultReader( new KeyVaultConfiguration( vaultName, clientId, certificate)); } return(secretReader); }
public void IsSelfIssued_WithNonSelfSignedCertificate_ReturnsFalse() { using (var certificate = _fixture.GetNonSelfSignedCertificate()) { Assert.False(CertificateUtility.IsSelfIssued(certificate)); } }
public void DeleteDeploymentTest() { DeploymentHelper target = new DeploymentHelper(); string subscriptionId = "e57cc5fa-5cf7-41c0-a33c-3adaf2944c4a"; string filePath = @"C:\Development\Certificates\AzureManagementCertificate.cer"; List <Byte> certificateBytes = CertificateUtility.GetCertificateBytes(filePath); string serviceName = "commandlinetest"; string deploymentSlot = "staging"; string expected = string.Empty; string actual; actual = target.DeleteDeployment(subscriptionId, certificateBytes, serviceName, deploymentSlot); string opsStatus = string.Empty; string status = "InProgress"; while (status == "InProgress") { opsStatus = target.GetOperationStatus(subscriptionId, certificateBytes, actual, out status); Trace.WriteLine("Ops Status = " + status); Thread.Sleep(2000); } Assert.AreEqual(expected, actual); }
public void IsSelfIssued_WithRootCertificate_ReturnsTrue() { using (var certificate = _fixture.GetRootCertificate()) { Assert.True(CertificateUtility.IsSelfIssued(certificate)); } }
public async Task GetTrustResultAsync_VerifyWithCertificateInAllowList_Success() { // Arrange var nupkg = new SimpleTestPackageContext(); using (var dir = TestDirectory.Create()) using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert)) { var signedPackagePath = await SignedArchiveTestUtility.CreateSignedPackageAsync(testCertificate, nupkg, dir); var certificateFingerprint = CertificateUtility.GetHash(testCertificate, HashAlgorithmName.SHA256); var certificateFingerprintString = BitConverter.ToString(certificateFingerprint).Replace("-", ""); var allowListHashes = new[] { certificateFingerprintString, "abc" }; var allowList = allowListHashes.Select(hash => new CertificateHashAllowListEntry(VerificationTarget.Primary, hash)).ToList(); var trustProviders = new[] { new AllowListVerificationProvider(allowList) }; var verifier = new PackageSignatureVerifier(trustProviders, SignedPackageVerifierSettings.Default); using (var packageReader = new PackageArchiveReader(signedPackagePath)) { // Act var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None); // Assert result.Valid.Should().BeTrue(); } } }
public void IsSelfIssued_WhenCertificateNull_Throws() { var exception = Assert.Throws <ArgumentNullException>( () => CertificateUtility.IsSelfIssued(certificate: null)); Assert.Equal("certificate", exception.ParamName); }
private static async Task <X509Certificate2> GetCertificateAsync(SignArgs signArgs) { var certFindOptions = new CertificateSourceOptions() { CertificatePath = signArgs.CertificatePath, CertificatePassword = signArgs.CertificatePassword, Fingerprint = signArgs.CertificateFingerprint, StoreLocation = signArgs.CertificateStoreLocation, StoreName = signArgs.CertificateStoreName, SubjectName = signArgs.CertificateSubjectName, NonInteractive = signArgs.NonInteractive, PasswordProvider = signArgs.PasswordProvider, Token = signArgs.Token }; // get matching certificates var matchingCertCollection = await CertificateProvider.GetCertificatesAsync(certFindOptions); if (matchingCertCollection.Count > 1) { #if IS_DESKTOP if (signArgs.NonInteractive || !RuntimeEnvironmentHelper.IsWindows) { // if on non-windows os or in non interactive mode - display the certs and error out signArgs.Logger.LogInformation(CertificateUtility.X509Certificate2CollectionToString(matchingCertCollection, HashAlgorithmName.SHA256)); throw new SignCommandException( LogMessage.CreateError(NuGetLogCode.NU3001, string.Format(Strings.SignCommandMultipleCertException, nameof(SignArgs.CertificateFingerprint)))); } else { // Else launch UI to select matchingCertCollection = X509Certificate2UI.SelectFromCollection( FilterCodeSigningCertificates(matchingCertCollection), Strings.SignCommandDialogTitle, Strings.SignCommandDialogMessage, X509SelectionFlag.SingleSelection); } #else // if on non-windows os or in non interactive mode - display and error out signArgs.Logger.LogError(CertificateUtility.X509Certificate2CollectionToString(matchingCertCollection, HashAlgorithmName.SHA256)); throw new SignCommandException( LogMessage.CreateError(NuGetLogCode.NU3001, string.Format(Strings.SignCommandMultipleCertException, nameof(SignArgs.CertificateFingerprint)))); #endif } if (matchingCertCollection.Count == 0) { throw new SignCommandException( LogMessage.CreateError(NuGetLogCode.NU3001, Strings.SignCommandNoCertException)); } return(matchingCertCollection[0]); }
public void IsValidForPurposeFast_WithNoEku_ReturnsTrueForCodeSigningEku() { using (var certificate = SigningTestUtility.GenerateCertificate("test", generator => { })) { Assert.Equal(0, GetExtendedKeyUsageCount(certificate)); Assert.True(CertificateUtility.IsValidForPurposeFast(certificate, Oids.CodeSigningEku)); } }
public void HasExtendedKeyUsage_WithoutEku_ReturnsFalseForEku() { using (var certificate = SigningTestUtility.GenerateCertificate("test", generator => { })) { Assert.Equal(0, GetExtendedKeyUsageCount(certificate)); Assert.False(CertificateUtility.HasExtendedKeyUsage(certificate, Oids.CodeSigningEku)); } }
public void HasLifetimeSigningEku_WithoutLifetimeSignerEku_ReturnsFalse() { using (var certificate = SigningTestUtility.GenerateCertificate("test", generator => { })) { Assert.Equal(0, GetExtendedKeyUsageCount(certificate)); Assert.False(CertificateUtility.HasLifetimeSigningEku(certificate)); } }
public STSConfiguration(string piIssuerName, string piSigningCertificateThumbprint, string piIssuerCertificateThumbprint) : base(piIssuerName, new X509SigningCredentials( CertificateUtility.GetCertificateByThumbprint( StoreLocation.LocalMachine, StoreName.My, piSigningCertificateThumbprint))) { Init(piSigningCertificateThumbprint); }
public void GetHashString_UnsupportedHashAlgorithm_Throws() { using (var certificate = _fixture.GetDefaultCertificate()) { Assert.Throws(typeof(ArgumentException), () => CertificateUtility.GetHashString(certificate, (Common.HashAlgorithmName) 46)); } }
public void HasLifetimeSigningEku_WithLifetimeSignerEku_ReturnsTrue() { using (var certificate = _fixture.GetLifetimeSigningCertificate()) { Assert.Equal(1, GetExtendedKeyUsageCount(certificate)); Assert.True(CertificateUtility.HasLifetimeSigningEku(certificate)); } }
public void IsCertificateValidityPeriodInTheFuture_WithValidityStartInThePast_ReturnsFalse() { using (var certificate = SigningTestUtility.GenerateCertificate( "test", generator => { })) { Assert.False(CertificateUtility.IsCertificateValidityPeriodInTheFuture(certificate)); } }
public DnsChallenge(AcmeAccount account, AcmeChallenge challenge, string identifier) { Account = account; Challenge = challenge; Identifier = identifier; Token = challenge.Token; AuthorizationKey = CertificateUtility.CreateAuthorizationKey(account, challenge.Token); }
private async Task <string> AcquireTokenWithCertificateAsync() { var x509Cert = CertificateUtility.GetByThumbprint(_settings.CertificateThumbprint); var clientAssertion = new ClientAssertionCertificate(_settings.ClientId, x509Cert); var context = new AuthenticationContext(_settings.Authority); var authenticationResult = await context.AcquireTokenAsync(_settings.Resource, clientAssertion); return(authenticationResult.AccessToken); }
public void IsSignatureAlgorithmSupported_WhenUnsupported_ReturnsFalse() { using (var certificate = _fixture.GetRsaSsaPssCertificate()) { // RSASSA-PSS Assert.Equal("1.2.840.113549.1.1.10", certificate.SignatureAlgorithm.Value); Assert.False(CertificateUtility.IsSignatureAlgorithmSupported(certificate)); } }
public void IsCertificateValidityPeriodInTheFuture_WithValidityStartInTheFuture_ReturnsTrue() { using (var certificate = SigningTestUtility.GenerateCertificate( "test", modifyGenerator: SigningTestUtility.CertificateModificationGeneratorNotYetValidCert)) { Assert.True(CertificateUtility.IsCertificateValidityPeriodInTheFuture(certificate)); } }
public async Task <int> ExecuteCommandAsync(SignArgs signArgs) { // resolve path into multiple packages if needed. IEnumerable <string> packagesToSign = signArgs.PackagePaths.SelectMany(packagePath => { IEnumerable <string> packages = LocalFolderUtility.ResolvePackageFromPath(packagePath); LocalFolderUtility.EnsurePackageFileExists(packagePath, packages); return(packages); }); var success = true; X509Certificate2 cert = null; try { cert = await GetCertificateAsync(signArgs); } catch (Exception e) { success = false; ExceptionUtilities.LogException(e, signArgs.Logger); } if (success) { signArgs.Logger.LogInformation(Environment.NewLine); signArgs.Logger.LogInformation(Strings.SignCommandDisplayCertificate); signArgs.Logger.LogInformation(CertificateUtility.X509Certificate2ToString(cert, HashAlgorithmName.SHA256)); if (!string.IsNullOrEmpty(signArgs.Timestamper)) { signArgs.Logger.LogInformation(Strings.SignCommandDisplayTimestamper); signArgs.Logger.LogInformation(signArgs.Timestamper); } if (!string.IsNullOrEmpty(signArgs.OutputDirectory)) { signArgs.Logger.LogInformation(Strings.SignCommandOutputPath); signArgs.Logger.LogInformation(signArgs.OutputDirectory); } using (var signRequest = new AuthorSignPackageRequest(cert, signArgs.SignatureHashAlgorithm, signArgs.TimestampHashAlgorithm)) { return(await ExecuteCommandAsync( packagesToSign, signRequest, signArgs.Timestamper, signArgs.Logger, signArgs.OutputDirectory, signArgs.Overwrite, signArgs.Token)); } } return(success ? 0 : 1); }