internal void InternalTryFindCertificateTest(string ipAddress, IEnumerable <string> findValues, X509FindType findType)
{
IEnumerable <X509Certificate2> foundCerts;
IEnumerable <string> unfoundCerts = X509CertificateUtility.TryFindCertificate(ipAddress, StoreName.My, findValues, findType, out foundCerts);
bool isThumbprintTest = findType == X509FindType.FindByThumbprint;
this.VerifyCollectionEquity(foundCerts.Select(c => isThumbprintTest ? c.Thumbprint : c.Subject), Utility.installedCertificates.Select(p => isThumbprintTest ? p.Item1 : "CN=" + p.Item3));
this.VerifyCollectionEquity(unfoundCerts, Utility.uninstalledCertificates);
}
public static void UninstallCertificates(IEnumerable <string> thumbprints)
{
IEnumerable <X509Certificate2> installedCerts;
X509CertificateUtility.TryFindCertificate("localhost", StoreName.My, thumbprints, X509FindType.FindByThumbprint, out installedCerts);
ProcessCertificates(new Action <X509Store, X509Certificate2>(
(store, cert) =>
{
store.Remove(cert);
}),
installedCerts);
}
public void IsCertificateValidTest()
{
IEnumerable <X509Certificate2> foundCerts;
X509CertificateUtility.TryFindCertificate(
"localhost",
StoreName.My,
Utility.installedCertificates.Select(p => p.Item1),
X509FindType.FindByThumbprint,
out foundCerts);
Assert.AreEqual(Utility.installedCertificates.Count(), foundCerts.Count());
Assert.IsTrue(foundCerts.All(cert => Utility.installedValidCertificates.Any(p => p.Item1 == cert.Thumbprint) == X509CertificateUtility.IsCertificateValid(cert)));
}
/// <summary>
/// Initializes the configuration options for the target Authentication Provider
/// </summary>
/// <param name="provider">The target Authentication Provider</param>
/// <param name="option">The configuration options for the target Authentication Provider</param>
private static void InitProviderOptions(IAuthenticationProvider provider, PnPCoreAuthenticationCredentialConfigurationOptions option)
{
switch (provider)
{
case X509CertificateAuthenticationProvider x509Certificate:
x509Certificate.ClientId = option.ClientId;
x509Certificate.TenantId = option.TenantId;
x509Certificate.Certificate = X509CertificateUtility.LoadCertificate(
option.X509Certificate.StoreName,
option.X509Certificate.StoreLocation,
option.X509Certificate.Thumbprint);
break;
case ExternalAuthenticationProvider aspNetCore:
aspNetCore.ClientId = option.ClientId;
aspNetCore.TenantId = option.TenantId;
break;
case CredentialManagerAuthenticationProvider credentialManager:
credentialManager.ClientId = option.ClientId;
credentialManager.TenantId = option.TenantId;
credentialManager.CredentialManagerName = option.CredentialManager.CredentialManagerName;
break;
case OnBehalfOfAuthenticationProvider onBehalfOf:
onBehalfOf.ClientId = option.ClientId;
onBehalfOf.TenantId = option.TenantId;
onBehalfOf.ClientSecret = option.OnBehalfOf.ClientSecret.ToSecureString();
break;
case UsernamePasswordAuthenticationProvider usernamePassword:
usernamePassword.ClientId = option.ClientId;
usernamePassword.TenantId = option.TenantId;
usernamePassword.Username = option.UsernamePassword.Username;
usernamePassword.Password = option.UsernamePassword.Password.ToSecureString();
break;
case InteractiveAuthenticationProvider interactive:
interactive.ClientId = option.ClientId;
interactive.TenantId = option.TenantId;
interactive.RedirectUri = option.Interactive.RedirectUri;
break;
case DeviceCodeAuthenticationProvider deviceCode:
deviceCode.ClientId = option.ClientId;
deviceCode.TenantId = option.TenantId;
deviceCode.RedirectUri = option.Interactive.RedirectUri;
break;
}
}
public void FindIssuerTest()
{
IEnumerable <string> cns = Utility.installedCertificates.Select(p => p.Item3);
IEnumerable <X509Certificate2> foundCerts;
IEnumerable <string> unfoundCerts = X509CertificateUtility.TryFindCertificate(string.Empty, StoreName.My, cns, X509FindType.FindBySubjectName, out foundCerts);
Assert.IsFalse(unfoundCerts.Any());
Assert.AreEqual(cns.Count(), foundCerts.Count());
X509Certificate2[] foundCertsResult = foundCerts.ToArray();
for (int i = 0; i < foundCertsResult.Count(); i++)
{
string issuerThumbprint = foundCertsResult[i].FindIssuer(new string[] { Utility.installedCertificates[i].Item1 });
Assert.AreEqual(Utility.installedCertificates[i].Item1, issuerThumbprint);
}
}
public void X509CertUtilityEncryptNoCertTest()
{
byte[] encoded = Encoding.UTF8.GetBytes("test");
Assert.ThrowsException <ArgumentNullException>(() => X509CertificateUtility.Encrypt(encoded, null));
}
public void X509CertUtilityEncryptNothingTest()
{
var certificate = X509CertificateUtility.LoadCertificate(StoreName.My, StoreLocation.CurrentUser, TestCommon.GetX509CertificateThumbprint());
Assert.ThrowsException <ArgumentNullException>(() => X509CertificateUtility.Encrypt(null, certificate));
}
public void X509CertUtilityDecryptNoCertTest()
{
byte[] encoded = Encoding.UTF8.GetBytes("doesntmatterwhatthisis");
Assert.ThrowsException <ArgumentNullException>(() => X509CertificateUtility.Decrypt(encoded, null));
}
/// <summary>
/// Configure Kestrel to use Certificate-based Authentication
/// </summary>
/// <param name="options"></param>
private static void ConfigureKestrelCertAuth(KestrelServerOptions options)
{
using var scope = options.ApplicationServices.CreateScope();
var logger = scope.ServiceProvider
.GetService <ILoggerFactory>()
?.CreateLogger(nameof(Program));
var settings = scope.ServiceProvider
.GetService <IOptionsMonitor <KestrelAuthenticationConfiguration> >()
?.CurrentValue;
if (settings is null)
{
logger.LogWarning($"{nameof(KestrelAuthenticationConfiguration)} is null, can't configure kestrel");
return;
}
if (!settings.Enabled)
{
logger.LogWarning("skipping configuration of kestrel");
return;
}
if (string.IsNullOrWhiteSpace(settings.Certificate))
{
logger.LogError("no certificate given, provide path to a valid certificate with '" +
$"{nameof(KestrelAuthenticationConfiguration)}:{nameof(KestrelAuthenticationConfiguration.Certificate)}'");
return;
}
X509Certificate2 certificate = null;
if (Path.GetExtension(settings.Certificate) == "pfx")
{
certificate = settings.Password is null
? new X509Certificate2(settings.Certificate)
: new X509Certificate2(settings.Certificate, settings.Password);
}
var certpath = Environment.GetEnvironmentVariable("ASPNETCORE_SSLCERT_PATH");
if (!string.IsNullOrEmpty(certpath) || Path.GetExtension(settings.Certificate) == "crt")
{
var port = Environment.GetEnvironmentVariable("ASPNETCORE_SSL_PORT");
certificate = X509CertificateUtility.LoadFromCrt(certpath) ?? X509CertificateUtility.LoadFromCrt(settings.Certificate);
settings.Port = int.Parse(port ?? settings.Port.ToString());
}
var connectionOptions = new HttpsConnectionAdapterOptions
{
ServerCertificate = certificate
};
var inDocker = bool.Parse(Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER") ?? "false");
if (!inDocker)
{
logger.LogInformation("Not running in docker, adding client certificate validation");
connectionOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
connectionOptions.ClientCertificateValidation = CertificateValidator.DisableChannelValidation;
}
logger.LogInformation($"loaded certificate: {connectionOptions.ServerCertificate}");
if (string.IsNullOrWhiteSpace(settings.IpAddress))
{
logger.LogError("no ip-address given, provide a valid ipv4 or ipv6 binding-address or 'localhost' for '" +
$"{nameof(KestrelAuthenticationConfiguration)}:{nameof(KestrelAuthenticationConfiguration.IpAddress)}'");
return;
}
if (settings.IpAddress == "localhost")
{
logger.LogInformation($"binding to: https://localhost:{settings.Port}");
options.ListenLocalhost(settings.Port, listenOptions => { listenOptions.UseHttps(connectionOptions); });
}
else if (settings.IpAddress == "*")
{
logger.LogInformation($"binding to: https://*:{settings.Port}");
options.ListenAnyIP(settings.Port, listenOptions => { listenOptions.UseHttps(connectionOptions); });
}
else
{
var ip = IPAddress.Parse(settings.IpAddress);
logger.LogInformation($"binding to: https://{ip}:{settings.Port}");
options.Listen(ip, settings.Port, listenOptions => { listenOptions.UseHttps(connectionOptions); });
}
}
/// <summary>
/// Returns a SharePoint ClientContext using Azure Active Directory App Only Authentication. This requires that you have a certificated created, and updated the key credentials key in the application manifest in the azure AD accordingly.
/// </summary>
/// <param name="siteUrl">Site for which the ClientContext object will be instantiated</param>
/// <param name="clientId">The Azure AD Application Client ID</param>
/// <param name="tenant">The Azure AD Tenant, e.g. mycompany.onmicrosoft.com</param>
/// <param name="storeName">The name of the store for the certificate</param>
/// <param name="storeLocation">The location of the store for the certificate</param>
/// <param name="thumbPrint">The thumbprint of the certificate to locate in the store</param>
/// <returns></returns>
public ClientContext GetAzureADAppOnlyAuthenticatedContext(string siteUrl, string clientId, string tenant, StoreName storeName, StoreLocation storeLocation, string thumbPrint)
{
var cert = X509CertificateUtility.LoadCertificate(storeName, storeLocation, thumbPrint);
return(GetAzureADAppOnlyAuthenticatedContext(siteUrl, clientId, tenant, cert));
}
