public X509Certificate2 GetSigningCertificate(SigningCertificateSettings certificateSettings, bool isPrimary)
{
if (isPrimary && string.IsNullOrEmpty(certificateSettings.PrimaryCertificatePath))
{
throw new FabricConfigurationException("You must specify a PrimaryCertificatePath when UseTemporarySigningCredential is set to false.");
}
if (isPrimary && string.IsNullOrEmpty(certificateSettings.PrimaryCertificatePasswordPath))
{
throw new FabricConfigurationException("You must specify a PrimaryCertificatePasswordPath when UseTemporarySigningCredential is set to false.");
}
if (!isPrimary && string.IsNullOrEmpty(certificateSettings.SecondaryCertificatePath))
{
throw new FabricConfigurationException("You must specify a PrimaryCertificatePath when UseTemporarySigningCredential is set to false.");
}
if (!isPrimary && string.IsNullOrEmpty(certificateSettings.SecondaryCertificatePasswordPath))
{
throw new FabricConfigurationException("You must specify a PrimaryCertificatePasswordPath when UseTemporarySigningCredential is set to false.");
}
return(isPrimary
? GetCertFromFile(certificateSettings.PrimaryCertificatePath,
certificateSettings.PrimaryCertificatePasswordPath)
: GetCertFromFile(certificateSettings.SecondaryCertificatePath,
certificateSettings.SecondaryCertificatePasswordPath));
}
internal void ApplySettings(SigningCertificateSettings signingCertificateStoreSettings)
{
Utility.IfNullThrowNullArgumentException(signingCertificateStoreSettings, "signingCertificateStoreSettings");
this.CertificatesStoreName = signingCertificateStoreSettings.StoreName;
this.CertificatesStoreLocation = signingCertificateStoreSettings.StoreLocation;
this.CertificatesStoreFindType = signingCertificateStoreSettings.StoreFindType;
this.StoreIdentifyingValue = signingCertificateStoreSettings.StoreIdentifyingValue;
}
public X509Certificate2 GetEncryptionCertificate(SigningCertificateSettings certificateSettings)
{
if (string.IsNullOrWhiteSpace(certificateSettings?.EncryptionCertificateThumbprint))
{
throw new FabricConfigurationException("You must specify an EncryptionCertificateThumprint if you are encrypting configuration settings.");
}
return(X509.LocalMachine.My.Thumbprint
.Find(CleanThumbprint(certificateSettings.EncryptionCertificateThumbprint), false)
.FirstOrDefault());
}
public CouchDbIdentityServerConfigurator(
IIdentityServerBuilder identityServerBuilder,
IServiceCollection serviceCollection,
ICertificateService certificateService,
SigningCertificateSettings signingCertificateSettings,
HostingOptions hostingOptions,
ICouchDbSettings couchDbSettings,
ILogger logger) : base(identityServerBuilder, serviceCollection, hostingOptions, logger)
{
_certificateService = certificateService;
_signingCertificateSettings = signingCertificateSettings;
_couchDbSettings = couchDbSettings;
}
public void DecryptString_HandlesNullOrEmptyString(string stringToDecrypt)
{
// Arrange
var privateKey = GetPrivateKey();
var mockCertificateService = GetMockCertificateService(privateKey);
var signingCertificateSettings = new SigningCertificateSettings();
var decryptionService = new DecryptionService(mockCertificateService);
// Act
var decryptedString = decryptionService.DecryptString(stringToDecrypt, signingCertificateSettings);
// Assert
Assert.Equal(stringToDecrypt, decryptedString);
}
public void DecryptString_ThrowsFormatException_InvalidBase64String()
{
// Arrange
var privateKey = GetPrivateKey();
var stringToEncrypt = Guid.NewGuid().ToString();
var encryptedString = $"{DecryptionService.EncryptionPrefix}{EncryptString(privateKey, stringToEncrypt).Substring(1)}";
var mockCertificateService = GetMockCertificateService(privateKey);
var signingCertificateSettings = new SigningCertificateSettings();
var decryptionService = new DecryptionService(mockCertificateService);
// Act & Assert
Assert.Throws <FormatException>(
() => decryptionService.DecryptString(encryptedString, signingCertificateSettings));
}
public X509Certificate2 GetSigningCertificate(SigningCertificateSettings certificateSettings, bool isPrimary = true)
{
if (isPrimary && string.IsNullOrEmpty(certificateSettings.PrimaryCertificateThumbprint))
{
throw new FabricConfigurationException("You must specify a PrimaryCertificateThumbprint when UseTemporarySigningCredential is set to false.");
}
if (!isPrimary && string.IsNullOrEmpty(certificateSettings.SecondaryCertificateThumbprint))
{
throw new FabricConfigurationException("You must specify a SecondardCertificateThumbprint to use AddValdationKeys.");
}
var thumbprint = GetThumbprint(certificateSettings, isPrimary);
return(X509.LocalMachine.My.Thumbprint.Find(thumbprint, validOnly: false).FirstOrDefault());
}
public void DecryptString_ReturnsNonEncryptedString()
{
// Arrange
var privateKey = GetPrivateKey();
var clearTextstringToDecrypt = Guid.NewGuid().ToString();
var mockCertificateService = GetMockCertificateService(privateKey);
var signingCertificateSettings = new SigningCertificateSettings();
var decryptionService = new DecryptionService(mockCertificateService);
// Act
var decryptedString = decryptionService.DecryptString(clearTextstringToDecrypt, signingCertificateSettings);
// Assert
Assert.Equal(clearTextstringToDecrypt, decryptedString);
}
public void DecryptString_DecryptsEncryptedString()
{
// Arrange
var privateKey = GetPrivateKey();
var stringToEncrypt = Guid.NewGuid().ToString();
var encryptedString = $"{DecryptionService.EncryptionPrefix}{EncryptString(privateKey, stringToEncrypt)}";
var mockCertificateService = GetMockCertificateService(privateKey);
var signingCertificateSettings = new SigningCertificateSettings();
var decryptionService = new DecryptionService(mockCertificateService);
// Act
var decryptedString = decryptionService.DecryptString(encryptedString, signingCertificateSettings);
// Assert
Assert.Equal(stringToEncrypt, decryptedString);
}
public string DecryptString(string encryptedString, SigningCertificateSettings signingCertificateSettings)
{
if (!IsEncrypted(encryptedString))
{
return(encryptedString);
}
var privateKey =
_certificateService.GetEncryptionCertificatePrivateKey(signingCertificateSettings);
var encryptedPasswordAsBytes =
Convert.FromBase64String(
encryptedString.Replace(EncryptionPrefix, string.Empty));
var decryptedPasswordAsBytes =
privateKey.Decrypt(encryptedPasswordAsBytes, RSAEncryptionPadding.OaepSHA1);
return(System.Text.Encoding.UTF8.GetString(decryptedPasswordAsBytes));
}
public static IIdentityServerBuilder AddSigningCredentialAndValidationKeys(this IIdentityServerBuilder identityServerBuilder,
SigningCertificateSettings certificateSettings, ICertificateService certificateService, ILogger logger)
{
if (certificateSettings.UseTemporarySigningCredential)
{
logger.Information("Using temporary signing credential - this is not recommended for production");
identityServerBuilder.AddDeveloperSigningCredential();
return(identityServerBuilder);
}
var isLinux = RuntimeInformation.IsOSPlatform(OSPlatform.Linux);
identityServerBuilder.AddSigningCredential(certificateService.GetSigningCertificate(certificateSettings));
if (HasSecondarySigningKeys(certificateSettings, isLinux))
{
identityServerBuilder.AddValidationKeys(
new X509SecurityKey(certificateService.GetSigningCertificate(certificateSettings, isPrimary: false)));
}
return(identityServerBuilder);
}
public void GetCertificate_WithoutCertPath_ThrowsFileNotFoundException(SigningCertificateSettings signingCertificateSettings, bool isPrimary)
{
var certificateService = new LinuxCertificateService();
Assert.Throws <FileNotFoundException>(() => certificateService.GetSigningCertificate(signingCertificateSettings, isPrimary));
}
public X509Certificate2 GetEncryptionCertificate(SigningCertificateSettings certificateSettings)
{
throw new FabricConfigurationException("Do not encrypt settings when running on a Linux container, instead use Docker Secrets to protect sensitive configuration settings.");
}
internal void ApplySettings(SigningCertificateSettings signingCertificateStoreSettings)
{
Utility.IfNullThrowNullArgumentException(signingCertificateStoreSettings, "signingCertificateStoreSettings");
this.CertificatesStoreName = signingCertificateStoreSettings.StoreName;
this.CertificatesStoreLocation = signingCertificateStoreSettings.StoreLocation;
this.CertificatesStoreFindType = signingCertificateStoreSettings.StoreFindType;
this.StoreIdentifyingValue = signingCertificateStoreSettings.StoreIdentifyingValue;
}
private string GetThumbprint(SigningCertificateSettings certificateSettings, bool isPrimary)
{
return(isPrimary
? CleanThumbprint(certificateSettings.PrimaryCertificateThumbprint)
: CleanThumbprint(certificateSettings.SecondaryCertificateThumbprint));
}
private static bool HasSecondarySigningKeys(SigningCertificateSettings certificateSettings, bool isLinux)
{
return(isLinux && !string.IsNullOrEmpty(certificateSettings.SecondaryCertificatePath) &&
!string.IsNullOrEmpty(certificateSettings.SecondaryCertificatePasswordPath) || !isLinux &&
!string.IsNullOrEmpty(certificateSettings.SecondaryCertificateThumbprint));
}
public RSA GetEncryptionCertificatePrivateKey(SigningCertificateSettings certificateSettings)
{
var cert = GetEncryptionCertificate(certificateSettings);
return(cert.GetRSAPrivateKey());
}
public void GetCertificate_WithoutThumbprint_ThrowsException(SigningCertificateSettings signingCertificateSettings, bool isPrimary)
{
var certificateService = new WindowsCertificateService();
Assert.Throws <FabricConfigurationException>(() => certificateService.GetSigningCertificate(signingCertificateSettings, isPrimary));
}
