public ISecretReader CreateSecretReader()
{
if (string.IsNullOrEmpty(_vaultName))
{
return(new EmptySecretReader());
}
var certificate = CertificateUtility.FindCertificateByThumbprint(
!string.IsNullOrEmpty(_storeName)
? (StoreName)Enum.Parse(typeof(StoreName), _storeName)
: StoreName.My,
!string.IsNullOrEmpty(_storeLocation)
? (StoreLocation)Enum.Parse(typeof(StoreLocation), _storeLocation)
: StoreLocation.LocalMachine,
_certificateThumbprint,
_validateCertificate);
var keyVaultConfiguration = new KeyVaultConfiguration(
_vaultName,
_clientId,
certificate,
_sendX5c);
return(new KeyVaultReader(keyVaultConfiguration));
}
private static void AddEncryptingCertificate(Dictionary <string, string> result)
{
foreach (ServiceElement config in MicrosoftIdentityModelSection.Current.ServiceElements)
{
if (config.ServiceCertificate != null && config.ServiceCertificate.CertificateReference != null)
{
var certificateInfo = config.ServiceCertificate.CertificateReference;
X509Certificate2 certificate = CertificateUtility.GetCertificate(
certificateInfo.StoreName,
certificateInfo.StoreLocation,
certificateInfo.X509FindType,
certificateInfo.FindValue);
if (certificate != null)
{
StringBuilder rowHeader = new StringBuilder();
rowHeader.Append("Encrypting Certificate (from configuration)");
StringBuilder sb = new StringBuilder();
sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Subject] {0}<br/>", certificate.Subject));
sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Issuer] {0}<br/>", certificate.Issuer));
sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Serial Number] {0}<br/>", certificate.SerialNumber));
sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Not Before] {0}<br/>", certificate.NotBefore));
sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Not After] {0}<br/>", certificate.NotAfter));
sb.Append(string.Format(CultureInfo.CurrentUICulture, "[Thumbprint] {0}<br/>", certificate.Thumbprint));
result[rowHeader.ToString()] = sb.ToString();
}
}
}
}
public TokenProviderService(IOptions <TokenProviderServiceSettings> settingsOption)
{
var settings = settingsOption.Value;
_scopes = new[] { settings.Resource + "/.default" };
if (string.IsNullOrEmpty(settings.CertificateThumbprint) && string.IsNullOrEmpty(settings.ClientSecret))
{
throw new InvalidOperationException("Configure the token provider settings in the appsettings.json file.");
}
if (settings.CertificateThumbprint != "" && settings.ClientSecret != "")
{
throw new InvalidOperationException("Only configure certificate or secret authenticate, not both, in the appsettings file.");
}
var builder = ConfidentialClientApplicationBuilder
.Create(settings.ClientId)
.WithAuthority(new Uri(settings.Authority));
if (settings.CertificateThumbprint != "")
{
var x509Cert = CertificateUtility.GetByThumbprint(settings.CertificateThumbprint);
builder = builder.WithCertificate(x509Cert);
}
else
{
builder = builder.WithClientSecret(settings.ClientSecret);
}
_tokenApp = builder.Build();
}
public ISecretReader CreateSecretReader(IDictionary <string, string> settings)
{
if (JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.VaultName) == null)
{
return(new EmptySecretReader());
}
var storeName = JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.StoreName);
var storeLocation = JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.StoreLocation);
var certificate = CertificateUtility.FindCertificateByThumbprint(
storeName != null ? (StoreName)Enum.Parse(typeof(StoreName), storeName) : StoreName.My,
storeLocation != null ? (StoreLocation)Enum.Parse(typeof(StoreLocation), storeLocation) : StoreLocation.LocalMachine,
JobConfigurationManager.GetArgument(settings, JobArgumentNames.CertificateThumbprint),
JobConfigurationManager.TryGetBoolArgument(settings, JobArgumentNames.ValidateCertificate, defaultValue: true));
var keyVaultConfiguration =
new KeyVaultConfiguration(
JobConfigurationManager.GetArgument(settings, JobArgumentNames.VaultName),
JobConfigurationManager.GetArgument(settings, JobArgumentNames.ClientId),
certificate);
var refreshIntervalSec = JobConfigurationManager.TryGetIntArgument(settings,
JobArgumentNames.RefreshIntervalSec) ?? CachingSecretReader.DefaultRefreshIntervalSec;
return(new CachingSecretReader(new KeyVaultReader(keyVaultConfiguration), refreshIntervalSec));
}
public ISecretReader CreateSecretReader()
{
ISecretReader secretReader;
var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey));
if (!string.IsNullOrEmpty(vaultName))
{
var useManagedIdentity = GetOptionalKeyVaultBoolSettingValue(UseManagedIdentityConfigurationKey, defaultValue: false);
KeyVaultConfiguration keyVaultConfiguration;
if (useManagedIdentity)
{
keyVaultConfiguration = new KeyVaultConfiguration(vaultName);
}
else
{
var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey));
var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey));
var storeName = GetOptionalKeyVaultEnumSettingValue(CertificateStoreName, StoreName.My);
var storeLocation = GetOptionalKeyVaultEnumSettingValue(CertificateStoreLocation, StoreLocation.LocalMachine);
var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validationRequired: true);
keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate);
}
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return(new CachingSecretReader(secretReader, refreshIntervalSec: SecretCachingRefreshInterval));
}
PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, ILogger logger)
{
// Get the chain
var getter = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic)
.GetGetMethod(true);
var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null);
var cmsSigner = CreateCmsSigner(request, certs, logger);
var contentInfo = new ContentInfo(signatureContent.GetBytes());
var cms = new SignedCms(contentInfo);
try
{
cms.ComputeSignature(cmsSigner, false); // silent is false to ensure PIN prompts appear if CNG/CAPI requires it
}
catch (CryptographicException ex) when(ex.HResult == INVALID_PROVIDER_TYPE_HRESULT)
{
var exceptionBuilder = new StringBuilder();
exceptionBuilder.AppendLine("Invalid provider type");
exceptionBuilder.AppendLine(CertificateUtility.X509Certificate2ToString(request.Certificate, NuGet.Common.HashAlgorithmName.SHA256));
throw new SignatureException(NuGetLogCode.NU3001, exceptionBuilder.ToString());
}
return(PrimarySignature.Load(cms));
}
public ISecretReader CreateSecretReader()
{
ISecretReader secretReader;
var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey));
if (!string.IsNullOrEmpty(vaultName))
{
var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey));
var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey));
var storeName = GetOptionalKeyVaultEnumSettingValue(CertificateStoreName, StoreName.My);
var storeLocation = GetOptionalKeyVaultEnumSettingValue(CertificateStoreLocation, StoreLocation.LocalMachine);
var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validationRequired: true);
var keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate);
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return(new CachingSecretReader(secretReader));
}
private static ISecretInjector GetSecretInjector(IDictionary <string, string> arguments)
{
ISecretReader secretReader;
var vaultName = arguments.GetOrDefault <string>(Arguments.VaultName);
if (string.IsNullOrEmpty(vaultName))
{
secretReader = new EmptySecretReader();
}
else
{
var clientId = arguments.GetOrThrow <string>(Arguments.ClientId);
var certificateThumbprint = arguments.GetOrThrow <string>(Arguments.CertificateThumbprint);
var storeName = arguments.GetOrDefault(Arguments.StoreName, StoreName.My);
var storeLocation = arguments.GetOrDefault(Arguments.StoreLocation, StoreLocation.LocalMachine);
var shouldValidateCert = arguments.GetOrDefault(Arguments.ValidateCertificate, true);
var keyVaultCertificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, shouldValidateCert);
var keyVaultConfig = new KeyVaultConfiguration(vaultName, clientId, keyVaultCertificate);
secretReader = new CachingSecretReader(new KeyVaultReader(keyVaultConfig),
arguments.GetOrDefault(Arguments.RefreshIntervalSec, CachingSecretReader.DefaultRefreshIntervalSec));
}
return(new SecretInjector(secretReader));
}
private CertificateItem GetCertificateItemForSignature(ISignature signature, bool allowUntrustedRoot = false)
{
var defaultHashAlgorithm = HashAlgorithmName.SHA256;
var fingerprint = CertificateUtility.GetHashString(signature.SignerInfo.Certificate, defaultHashAlgorithm);
return(new CertificateItem(fingerprint, defaultHashAlgorithm, allowUntrustedRoot));
}
private void SaveCRTPrivateKey(CSR csr)
{
using (TextWriter writer = new StreamWriter(@"c:\temp\crt.key"))
{
CertificateUtility.ExportRSAPrivateKey(csr.RSAParameters, writer);
}
}
public void IsSelfIssued_WithPartialChain_ReturnsFalse()
{
using (var certificate = SigningTestUtility.GetCertificate("leaf.crt"))
{
Assert.False(CertificateUtility.IsSelfIssued(certificate));
}
}
public ISecretReader CreateSecretReader(IConfigurationService configurationService)
{
var vaultName = configurationService.Get(VaultNameKey).Result;
ISecretReader secretReader;
// Is key vault configured?
if (string.IsNullOrEmpty(vaultName))
{
secretReader = new EmptySecretReader();
}
else
{
var clientId = configurationService.Get(ClientIdKey).Result;
var certificateThumbprint = configurationService.Get(CertificateThumbprintKey).Result;
var storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), configurationService.Get(StoreLocationKey).Result);
var storeName = (StoreName)Enum.Parse(typeof(StoreName), configurationService.Get(StoreNameKey).Result);
var validateCertificate = bool.Parse(configurationService.Get(ValidateCertificateKey).Result);
var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validateCertificate);
secretReader = new KeyVaultReader(
new KeyVaultConfiguration(
vaultName,
clientId,
certificate));
}
return(secretReader);
}
public void IsSelfIssued_WithNonSelfSignedCertificate_ReturnsFalse()
{
using (var certificate = _fixture.GetNonSelfSignedCertificate())
{
Assert.False(CertificateUtility.IsSelfIssued(certificate));
}
}
public void DeleteDeploymentTest()
{
DeploymentHelper target = new DeploymentHelper();
string subscriptionId = "e57cc5fa-5cf7-41c0-a33c-3adaf2944c4a";
string filePath = @"C:\Development\Certificates\AzureManagementCertificate.cer";
List <Byte> certificateBytes = CertificateUtility.GetCertificateBytes(filePath);
string serviceName = "commandlinetest";
string deploymentSlot = "staging";
string expected = string.Empty;
string actual;
actual = target.DeleteDeployment(subscriptionId, certificateBytes, serviceName, deploymentSlot);
string opsStatus = string.Empty;
string status = "InProgress";
while (status == "InProgress")
{
opsStatus = target.GetOperationStatus(subscriptionId, certificateBytes, actual, out status);
Trace.WriteLine("Ops Status = " + status);
Thread.Sleep(2000);
}
Assert.AreEqual(expected, actual);
}
public void IsSelfIssued_WithRootCertificate_ReturnsTrue()
{
using (var certificate = _fixture.GetRootCertificate())
{
Assert.True(CertificateUtility.IsSelfIssued(certificate));
}
}
public async Task GetTrustResultAsync_VerifyWithCertificateInAllowList_Success()
{
// Arrange
var nupkg = new SimpleTestPackageContext();
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.CreateSignedPackageAsync(testCertificate, nupkg, dir);
var certificateFingerprint = CertificateUtility.GetHash(testCertificate, HashAlgorithmName.SHA256);
var certificateFingerprintString = BitConverter.ToString(certificateFingerprint).Replace("-", "");
var allowListHashes = new[] { certificateFingerprintString, "abc" };
var allowList = allowListHashes.Select(hash => new CertificateHashAllowListEntry(VerificationTarget.Primary, hash)).ToList();
var trustProviders = new[]
{
new AllowListVerificationProvider(allowList)
};
var verifier = new PackageSignatureVerifier(trustProviders, SignedPackageVerifierSettings.Default);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, CancellationToken.None);
// Assert
result.Valid.Should().BeTrue();
}
}
}
public void IsSelfIssued_WhenCertificateNull_Throws()
{
var exception = Assert.Throws <ArgumentNullException>(
() => CertificateUtility.IsSelfIssued(certificate: null));
Assert.Equal("certificate", exception.ParamName);
}
private static async Task <X509Certificate2> GetCertificateAsync(SignArgs signArgs)
{
var certFindOptions = new CertificateSourceOptions()
{
CertificatePath = signArgs.CertificatePath,
CertificatePassword = signArgs.CertificatePassword,
Fingerprint = signArgs.CertificateFingerprint,
StoreLocation = signArgs.CertificateStoreLocation,
StoreName = signArgs.CertificateStoreName,
SubjectName = signArgs.CertificateSubjectName,
NonInteractive = signArgs.NonInteractive,
PasswordProvider = signArgs.PasswordProvider,
Token = signArgs.Token
};
// get matching certificates
var matchingCertCollection = await CertificateProvider.GetCertificatesAsync(certFindOptions);
if (matchingCertCollection.Count > 1)
{
#if IS_DESKTOP
if (signArgs.NonInteractive || !RuntimeEnvironmentHelper.IsWindows)
{
// if on non-windows os or in non interactive mode - display the certs and error out
signArgs.Logger.LogInformation(CertificateUtility.X509Certificate2CollectionToString(matchingCertCollection, HashAlgorithmName.SHA256));
throw new SignCommandException(
LogMessage.CreateError(NuGetLogCode.NU3001,
string.Format(Strings.SignCommandMultipleCertException,
nameof(SignArgs.CertificateFingerprint))));
}
else
{
// Else launch UI to select
matchingCertCollection = X509Certificate2UI.SelectFromCollection(
FilterCodeSigningCertificates(matchingCertCollection),
Strings.SignCommandDialogTitle,
Strings.SignCommandDialogMessage,
X509SelectionFlag.SingleSelection);
}
#else
// if on non-windows os or in non interactive mode - display and error out
signArgs.Logger.LogError(CertificateUtility.X509Certificate2CollectionToString(matchingCertCollection, HashAlgorithmName.SHA256));
throw new SignCommandException(
LogMessage.CreateError(NuGetLogCode.NU3001,
string.Format(Strings.SignCommandMultipleCertException,
nameof(SignArgs.CertificateFingerprint))));
#endif
}
if (matchingCertCollection.Count == 0)
{
throw new SignCommandException(
LogMessage.CreateError(NuGetLogCode.NU3001,
Strings.SignCommandNoCertException));
}
return(matchingCertCollection[0]);
}
public void IsValidForPurposeFast_WithNoEku_ReturnsTrueForCodeSigningEku()
{
using (var certificate = SigningTestUtility.GenerateCertificate("test", generator => { }))
{
Assert.Equal(0, GetExtendedKeyUsageCount(certificate));
Assert.True(CertificateUtility.IsValidForPurposeFast(certificate, Oids.CodeSigningEku));
}
}
public void HasExtendedKeyUsage_WithoutEku_ReturnsFalseForEku()
{
using (var certificate = SigningTestUtility.GenerateCertificate("test", generator => { }))
{
Assert.Equal(0, GetExtendedKeyUsageCount(certificate));
Assert.False(CertificateUtility.HasExtendedKeyUsage(certificate, Oids.CodeSigningEku));
}
}
public void HasLifetimeSigningEku_WithoutLifetimeSignerEku_ReturnsFalse()
{
using (var certificate = SigningTestUtility.GenerateCertificate("test", generator => { }))
{
Assert.Equal(0, GetExtendedKeyUsageCount(certificate));
Assert.False(CertificateUtility.HasLifetimeSigningEku(certificate));
}
}
public STSConfiguration(string piIssuerName, string piSigningCertificateThumbprint, string piIssuerCertificateThumbprint)
: base(piIssuerName, new X509SigningCredentials(
CertificateUtility.GetCertificateByThumbprint(
StoreLocation.LocalMachine,
StoreName.My, piSigningCertificateThumbprint)))
{
Init(piSigningCertificateThumbprint);
}
public void GetHashString_UnsupportedHashAlgorithm_Throws()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
Assert.Throws(typeof(ArgumentException),
() => CertificateUtility.GetHashString(certificate, (Common.HashAlgorithmName) 46));
}
}
public void HasLifetimeSigningEku_WithLifetimeSignerEku_ReturnsTrue()
{
using (var certificate = _fixture.GetLifetimeSigningCertificate())
{
Assert.Equal(1, GetExtendedKeyUsageCount(certificate));
Assert.True(CertificateUtility.HasLifetimeSigningEku(certificate));
}
}
public void IsCertificateValidityPeriodInTheFuture_WithValidityStartInThePast_ReturnsFalse()
{
using (var certificate = SigningTestUtility.GenerateCertificate(
"test",
generator => { }))
{
Assert.False(CertificateUtility.IsCertificateValidityPeriodInTheFuture(certificate));
}
}
public DnsChallenge(AcmeAccount account, AcmeChallenge challenge, string identifier)
{
Account = account;
Challenge = challenge;
Identifier = identifier;
Token = challenge.Token;
AuthorizationKey = CertificateUtility.CreateAuthorizationKey(account, challenge.Token);
}
private async Task <string> AcquireTokenWithCertificateAsync()
{
var x509Cert = CertificateUtility.GetByThumbprint(_settings.CertificateThumbprint);
var clientAssertion = new ClientAssertionCertificate(_settings.ClientId, x509Cert);
var context = new AuthenticationContext(_settings.Authority);
var authenticationResult = await context.AcquireTokenAsync(_settings.Resource, clientAssertion);
return(authenticationResult.AccessToken);
}
public void IsSignatureAlgorithmSupported_WhenUnsupported_ReturnsFalse()
{
using (var certificate = _fixture.GetRsaSsaPssCertificate())
{
// RSASSA-PSS
Assert.Equal("1.2.840.113549.1.1.10", certificate.SignatureAlgorithm.Value);
Assert.False(CertificateUtility.IsSignatureAlgorithmSupported(certificate));
}
}
public void IsCertificateValidityPeriodInTheFuture_WithValidityStartInTheFuture_ReturnsTrue()
{
using (var certificate = SigningTestUtility.GenerateCertificate(
"test",
modifyGenerator: SigningTestUtility.CertificateModificationGeneratorNotYetValidCert))
{
Assert.True(CertificateUtility.IsCertificateValidityPeriodInTheFuture(certificate));
}
}
public async Task <int> ExecuteCommandAsync(SignArgs signArgs)
{
// resolve path into multiple packages if needed.
IEnumerable <string> packagesToSign = signArgs.PackagePaths.SelectMany(packagePath =>
{
IEnumerable <string> packages = LocalFolderUtility.ResolvePackageFromPath(packagePath);
LocalFolderUtility.EnsurePackageFileExists(packagePath, packages);
return(packages);
});
var success = true;
X509Certificate2 cert = null;
try
{
cert = await GetCertificateAsync(signArgs);
}
catch (Exception e)
{
success = false;
ExceptionUtilities.LogException(e, signArgs.Logger);
}
if (success)
{
signArgs.Logger.LogInformation(Environment.NewLine);
signArgs.Logger.LogInformation(Strings.SignCommandDisplayCertificate);
signArgs.Logger.LogInformation(CertificateUtility.X509Certificate2ToString(cert, HashAlgorithmName.SHA256));
if (!string.IsNullOrEmpty(signArgs.Timestamper))
{
signArgs.Logger.LogInformation(Strings.SignCommandDisplayTimestamper);
signArgs.Logger.LogInformation(signArgs.Timestamper);
}
if (!string.IsNullOrEmpty(signArgs.OutputDirectory))
{
signArgs.Logger.LogInformation(Strings.SignCommandOutputPath);
signArgs.Logger.LogInformation(signArgs.OutputDirectory);
}
using (var signRequest = new AuthorSignPackageRequest(cert, signArgs.SignatureHashAlgorithm, signArgs.TimestampHashAlgorithm))
{
return(await ExecuteCommandAsync(
packagesToSign,
signRequest,
signArgs.Timestamper,
signArgs.Logger,
signArgs.OutputDirectory,
signArgs.Overwrite,
signArgs.Token));
}
}
return(success ? 0 : 1);
}
