Release 1.1.0 - Add ability to set alias (friendly) name on certifica…

…tes in PKCS12 store (#8) * add PAM capability for server passwords * adjust prerelease versioning * include all PAM build result files * Add ability to assign an alias (friendly) name to a PKCS12 store certificate (#7) * Update CHANGELOG.md * Update CHANGELOG.md * Add support for PKCS12 alias (friendly) name * Update README.md.tpl * Create keyfactor-extension-generate-readme.yml * Update generated README * Add files via upload * Delete Image2.PNG * Add files via upload * Delete Image2.png * Add files via upload * Add github link flag to manifest * Update integration-manifest.json * Update generated README * commit 1 * More changes * Update CHANGELOG.md Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Rex Wheeler <rex@fuzzytiger.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Rex Wheeler <rex@fuzzytiger.com> * Update CHANGELOG.md Co-authored-by: Matthew Dobrowsky <11599974+doebrowsk@users.noreply.github.com> Co-authored-by: Matthew Dobrowsky <matthew.dobrowsky@keyfactor.com> Co-authored-by: Matthew Dobrowsky <11599974+doebrowsk@users.noreply.github.com> Co-authored-by: Keyfactor <keyfactor@keyfactor.github.io> Co-authored-by: Rex Wheeler <rex@fuzzytiger.com>
Keyfactor · Jul 27, 2021 · 0156ece · 0156ece
1 parent e61446b
commit 0156ece
Show file tree

Hide file tree

Showing 10 changed files with 128 additions and 26 deletions.
diff --git a/.github/workflows/keyfactor-extension-prerelease.yml b/.github/workflows/keyfactor-extension-prerelease.yml
@@ -93,7 +93,8 @@ jobs:
             [Changelog](../CHANGELOG.MD)
           draft: false
           prerelease: true
-          auto_increment_type: patch
+          prerelease_suffix: pre
+          auto_increment_type: prerelease
           tag_schema: semantic
           commitish: ${{ github.sha }}
 

diff --git a/.github/workflows/keyfactor-extension-release.yml b/.github/workflows/keyfactor-extension-release.yml
@@ -99,7 +99,7 @@ jobs:
         if: ${{ success() }}
         run: |
            md ${{ github.workspace }}\zip\Keyfactor
-           Compress-Archive -Path ${{ github.workspace }}\PEMStoreSSH\bin\Release\*.dll,${{ github.workspace }}\PEMStoreSSH\bin\Release\config.json -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force      
+           Compress-Archive -Path ${{ github.workspace }}\PEMStoreSSH\bin\Release\*.dll,${{ github.workspace }}\PEMStoreSSH\bin\Release\*.json,${{ github.workspace }}\PEMStoreSSH\bin\Release\*.config,${{ github.workspace }}\PEMStoreSSH\bin\Release\Keyfactor.Extensions.Pam.Config.exe -DestinationPath ${{ github.workspace }}\zip\Keyfactor\$Env:REPO_NAME.zip -Force      
       
       - name: Upload Release Asset (x64)
         if: ${{ success() }}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+v1.1.0:
+- Add support for alias (friendly) name for PKCS12 certificate stores
+- Add local PAM capability for resolving the server password
+
 v1.0.10:
 - Modify private key encryption handling so that if a store password is used, the private key of a cert will be encrypted with that password during add operations.  If no store password is set, the private key will be saved without encryption.
 

diff --git a/PEMStoreSSH/App.config b/PEMStoreSSH/App.config
@@ -7,24 +7,24 @@
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
         <assemblyIdentity name="BouncyCastle.Crypto" publicKeyToken="0e99375e54769942" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.8.6.0" newVersion="1.8.6.0" />
+        <bindingRedirect oldVersion="0.0.0.0-1.8.5.0" newVersion="1.8.5.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
         <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="CSS.Common" publicKeyToken="0ed89d330114ab09" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.5.0.0" newVersion="1.5.0.0" />
-      </dependentAssembly>
-      <dependentAssembly>
-        <assemblyIdentity name="CSS.Common" publicKeyToken="0ed89d330114ab09" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-1.5.0.0" newVersion="1.5.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-1.6.0.0" newVersion="1.6.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Reflection.TypeExtensions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
         <bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
       </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="System.Security.Principal.Windows" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
+        <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />
+      </dependentAssembly>
     </assemblyBinding>
   </runtime>
 </configuration>
diff --git a/PEMStoreSSH/CertificateFormats/PKCS12Handler.cs b/PEMStoreSSH/CertificateFormats/PKCS12Handler.cs
@@ -8,10 +8,15 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 
+using CSS.PKI.X509;
+
+using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Pkcs;
+using Org.BouncyCastle.X509;
 
 using PEMStoreSSH.RemoteHandlers;
 
@@ -32,7 +37,7 @@ public X509Certificate2Collection RetrieveCertificates(byte[] binaryCertificates
             {
                 X509Certificate2Collection certCollection = new X509Certificate2Collection();
 
-                if (binaryCertificates.Length > 0)
+                if (binaryCertificates.Length > 50)
                 {
                     certCollection.Import(binaryCertificates, storePassword, X509KeyStorageFlags.Exportable);
 
@@ -64,16 +69,44 @@ public X509Certificate2Collection RetrieveCertificates(byte[] binaryCertificates
         public List<SSHFileInfo> CreateCertificatePacket(string certToAdd, string alias, string pfxPassword, string storePassword, bool hasSeparatePrivateKey)
         {
             List<SSHFileInfo> fileInfo = new List<SSHFileInfo>();
-            Pkcs12Store store;
 
+            X509Certificate2 x509Cert = new X509Certificate2(Convert.FromBase64String(certToAdd), pfxPassword);
+            string aliasToUse = string.IsNullOrEmpty(alias) ? x509Cert.Thumbprint : alias;
+
+            Pkcs12Store tempStore = new Pkcs12Store();
             using (MemoryStream inStream = new MemoryStream(Convert.FromBase64String(certToAdd)))
             {
-                store = new Pkcs12Store(inStream, pfxPassword.ToCharArray());
+                if (string.IsNullOrEmpty(pfxPassword))
+                {
+                    CertificateConverter converter = CertificateConverterFactory.FromDER(Encoding.ASCII.GetBytes(certToAdd));
+                    Org.BouncyCastle.X509.X509Certificate bcCert = converter.ToBouncyCastleCertificate();
+                    X509CertificateEntry entry = new X509CertificateEntry(bcCert);
+                    tempStore.SetCertificateEntry(aliasToUse, entry);
+                }
+                else
+                {
+                    tempStore = new Pkcs12Store(inStream, pfxPassword.ToCharArray());
+                }
+            }
+
+            string tempAlias = string.Empty;
+            foreach (string name in tempStore.Aliases)
+            {
+                tempAlias = name;
+                break;
+            }
+
+            Pkcs12Store store = new Pkcs12Store();
+
+            store.SetCertificateEntry(aliasToUse, tempStore.GetCertificate(tempAlias));
+            if (!string.IsNullOrEmpty(pfxPassword))
+            {
+                store.SetKeyEntry(aliasToUse, tempStore.GetKey(tempAlias), tempStore.GetCertificateChain(tempAlias));
             }
 
             using (MemoryStream outStream = new MemoryStream())
             {
-                store.Save(outStream, string.IsNullOrEmpty(storePassword) ? pfxPassword.ToCharArray() : storePassword.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom());
+                store.Save(outStream, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom());
                 fileInfo.Add(new SSHFileInfo()
                 {
                     FileType = SSHFileInfo.FileTypeEnum.Certificate,
@@ -85,6 +118,7 @@ public List<SSHFileInfo> CreateCertificatePacket(string certToAdd, string alias,
             return fileInfo;
         }
 
+
         public void AddCertificateToStore(List<SSHFileInfo> files, string storePath, string privateKeyPath, IRemoteHandler ssh, PEMStore.ServerTypeEnum serverType, bool hasPrivateKey, bool overwrite, bool isSingleCertificateStore)
         {
             foreach (SSHFileInfo file in files)

diff --git a/PEMStoreSSH/Inventory.cs b/PEMStoreSSH/Inventory.cs
@@ -70,7 +70,7 @@ public AnyJobCompleteInfo processJob(AnyJobConfigInfo config, SubmitInventoryUpd
                     inventoryItems.Add(new AgentCertStoreInventoryItem()
                     {
                         ItemStatus = AgentInventoryItemStatus.Unknown,
-                        Alias = certificates[0].Thumbprint,
+                        Alias = string.IsNullOrEmpty(certificates[0].FriendlyName) ? certificates[0].Thumbprint : certificates[0].FriendlyName,
                         PrivateKeyEntry = containsPrivateKey,
                         UseChainLevel = isAChain,
                         Certificates = certList.ToArray()
@@ -83,7 +83,7 @@ public AnyJobCompleteInfo processJob(AnyJobConfigInfo config, SubmitInventoryUpd
                         inventoryItems.Add(new AgentCertStoreInventoryItem()
                         {
                             ItemStatus = AgentInventoryItemStatus.Unknown,
-                            Alias = certificate.Thumbprint,
+                            Alias = string.IsNullOrEmpty(certificates[0].FriendlyName) ? certificates[0].Thumbprint : certificates[0].FriendlyName,
                             PrivateKeyEntry = containsPrivateKey,
                             UseChainLevel = isAChain,
                             Certificates = new string[] { Convert.ToBase64String(certificate.Export(X509ContentType.Cert)) }

diff --git a/PEMStoreSSH/PEMStore.cs b/PEMStoreSSH/PEMStore.cs
@@ -12,6 +12,7 @@
 using System.Security.Cryptography.X509Certificates;
 
 using PEMStoreSSH.RemoteHandlers;
+using Keyfactor.Extensions.Pam.Utilities;
 
 namespace PEMStoreSSH
 {
@@ -49,7 +50,7 @@ internal PEMStore(string server, string serverId, string serverPassword, string
             Server = server;
             StorePath = storeFileAndPath;
             ServerId = serverId;
-            ServerPassword = serverPassword;
+            ServerPassword = PamUtility.ResolvePassword(serverPassword);
             StorePassword = storePassword;
             PrivateKeyPath = privateKeyPath;
             CertificateHandler = GetCertificateHandler(formatType);
@@ -65,7 +66,7 @@ internal PEMStore(string server, string serverId, string serverPassword, ServerT
         {
             Server = server;
             ServerId = serverId;
-            ServerPassword = serverPassword;
+            ServerPassword = PamUtility.ResolvePassword(serverPassword);
             ServerType = serverType;
             CertificateHandler = GetCertificateHandler(formatType);