From 99659c7b21fd18c8bd02acdf3ede9789ba30c09a Mon Sep 17 00:00:00 2001
From: Lee Fine
Date: Tue, 21 Jan 2025 18:52:31 +0000
Subject: [PATCH] ab#55979
---
 .../PEM/PEMCertificateStoreSerializer.cs | 40 +++++++------------
 1 file changed, 15 insertions(+), 25 deletions(-)
diff --git a/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs b/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs
index 2e1bdc1..16a73da 100644
--- a/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs
+++ b/RemoteFile/ImplementedStoreTypes/PEM/PEMCertificateStoreSerializer.cs
@@ -33,7 +33,7 @@ namespace Keyfactor.Extensions.Orchestrator.RemoteFile.PEM
 class PEMCertificateStoreSerializer : ICertificateStoreSerializer
 {
 string[] PrivateKeyDelimetersPkcs8 = new string[] { "-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----" };
- string[] PrivateKeyDelimetersPkcs1 = new string[] { "-----BEGIN RSA PRIVATE KEY-----" };
+ string[] PrivateKeyDelimetersRSA = new string[] { "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN ENCRYPTED RSA PRIVATE KEY-----", "-----BEGIN RSA ENCRYPTED PRIVATE KEY-----" };
 string[] PrivateKeyDelimetersEC = new string[] { "-----BEGIN EC PRIVATE KEY-----", "-----BEGIN EC ENCRYPTED PRIVATE KEY-----", "-----BEGIN ENCRYPTED EC PRIVATE KEY-----" };
 string CertDelimBeg = "-----BEGIN CERTIFICATE-----";
 string CertDelimEnd = "-----END CERTIFICATE-----";
@@ -41,7 +41,7 @@ class PEMCertificateStoreSerializer : ICertificateStoreSerializer
 private enum PrivateKeyTypeEnum
 {
 EC,
- PKCS1,
+ RSA,
 PKCS8
 }
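Review bot: The two labels added to PrivateKeyDelimetersRSA, `-----BEGIN ENCRYPTED RSA PRIVATE KEY-----` and `-----BEGIN RSA ENCRYPTED PRIVATE KEY-----`, are not labels that OpenSSL or RFC 7468 define, so key files produced by standard tooling will never match them. A password-protected traditional (PKCS#1) RSA key keeps the plain `-----BEGIN RSA PRIVATE KEY-----` label and signals encryption with `Proc-Type: 4,ENCRYPTED` and `DEK-Info:` header lines inside the block, which a delimiter list cannot express; whether the parser handles those headers is decided in GetPrivateKey, outside this hunk. If the labels are deliberate (the EC list already follows the same pattern), a comment would stop a later reader from assuming they cover the OpenSSL case: `// The ENCRYPTED RSA labels are not emitted by OpenSSL; an encrypted PKCS#1 key keeps the plain label and carries Proc-Type/DEK-Info headers instead.` The class body continues past the end of the hunk.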
@@ -80,9 +80,6 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
 PrivateKeyTypeEnum privateKeyType;
 AsymmetricKeyEntry keyEntry = GetPrivateKey(storeContents, storePassword ?? string.Empty, remoteHandler, out privateKeyType);
- if (privateKeyType == PrivateKeyTypeEnum.PKCS1 && !string.IsNullOrEmpty(storePassword))
- throw new RemoteFileException($"Certificate store with an RSA Private Key cannot contain a store password. Invalid store format not supported.");
 store.SetKeyEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificates[0].Certificate).ToX509Certificate2().Thumbprint, keyEntry, certificates);
 }
@@ -121,15 +118,9 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer
 else
 {
 string storeContents = Encoding.ASCII.GetString(remoteHandler.DownloadCertificateFile(storePath + storeFileName));
- PrivateKeyTypeEnum privateKeyType = PrivateKeyTypeEnum.PKCS8;
- try
- {
- GetPrivateKey(storeContents, storePassword, remoteHandler, out privateKeyType);
- }
- catch (RemoteFileException) { }
- if (privateKeyType == PrivateKeyTypeEnum.PKCS1 && !string.IsNullOrEmpty(storePassword))
- throw new RemoteFileException($"Certificate store with an RSA Private Key cannot contain a store password. Invalid store format not supported.");
+ PrivateKeyTypeEnum privateKeyType = PrivateKeyTypeEnum.PKCS8;
+ GetPrivateKey(storeContents, storePassword, remoteHandler, out privateKeyType);
 bool keyEntryProcessed = false;
 foreach (string alias in certificateStore.Aliases)
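Review bot: Removing the `try { … } catch (RemoteFileException) { }` around `GetPrivateKey` in the serialize path means a RemoteFileException raised while parsing the existing file now aborts SerializeRemoteCertificateStore instead of falling back to PKCS8, so an existing PEM file that holds certificates but no parseable private key can no longer be overwritten unless GetPrivateKey itself tolerates that case (its body is outside this hunk). The `= PrivateKeyTypeEnum.PKCS8` initializer on the new line is now dead, because the `out` argument always overwrites it; if the fallback was intentional keep the guarded call, otherwise drop the initializer: `PrivateKeyTypeEnum privateKeyType;` followed by `GetPrivateKey(storeContents, storePassword, remoteHandler, out privateKeyType);`. The removed check that refused a store password for an RSA (PKCS#1) key is not replaced by anything here, so a password is now accepted for such a store; that is only safe if the traditional-format branch later in this method really encrypts the key with that password rather than discarding it. The enclosing method starts before this hunk and continues after it.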
@@ -144,12 +135,18 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer
 X509CertificateEntry[] chainEntries = certificateStore.GetCertificateChain(alias);
 CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(chainEntries[0].Certificate);
- ECDiffieHellman
+ AsymmetricKeyParameter privateKey = certificateStore.GetKey(alias).Key;
- X509CertificateEntry[] certEntries = certificateStore.GetCertificateChain(alias);
- AsymmetricKeyParameter publicKey = certEntries[0].Certificate.GetPublicKey();
+ AsymmetricKeyParameter publicKey = chainEntries[0].Certificate.GetPublicKey();
- if (isRSAPrivateKey)
+ if (privateKeyType == PrivateKeyTypeEnum.PKCS8)
+ {
+ PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCKeyPair(privateKey, publicKey, false);
+
+ byte[] privateKeyBytes = string.IsNullOrEmpty(storePassword) ? keyConverter.ToPkcs8BlobUnencrypted() : keyConverter.ToPkcs8Blob(storePassword);
+ keyString = PemUtilities.DERToPEM(privateKeyBytes, string.IsNullOrEmpty(storePassword) ? PemUtilities.PemObjectType.PrivateKey : PemUtilities.PemObjectType.EncryptedPrivateKey);
+ }
+ else
 {
 TextWriter textWriter = new StringWriter();
 PemWriter pemWriter = new PemWriter(textWriter);
@@ -158,13 +155,6 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer
 keyString = textWriter.ToString();
 }
- else
- {
- PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCKeyPair(privateKey, publicKey, false);
-
- byte[] privateKeyBytes = string.IsNullOrEmpty(storePassword) ? keyConverter.ToPkcs8BlobUnencrypted() : keyConverter.ToPkcs8Blob(storePassword);
- keyString = PemUtilities.DERToPEM(privateKeyBytes, string.IsNullOrEmpty(storePassword) ? PemUtilities.PemObjectType.PrivateKey : PemUtilities.PemObjectType.EncryptedPrivateKey);
- }
 pemString = certConverter.ToPEM(true);
 if (string.IsNullOrEmpty(SeparatePrivateKeyFilePath))
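Review bot: The new `else` branch now carries every non-PKCS#8 key (RSA as well as EC), and the visible lines construct `PemWriter` from `textWriter` alone — nothing in the hunk hands `storePassword` to it, whereas the PKCS8 branch explicitly switches to `ToPkcs8Blob(storePassword)` when a password is set. Because this commit also removes the guard that rejected a password for an RSA key, a store configured with a password would, if the `WriteObject` call after the hunk writes `privateKey` directly, be rewritten on the remote host with the key unencrypted while the caller believes it is protected. Either use BouncyCastle's `WriteObject` overload that takes an algorithm name, a `char[]` password and a `SecureRandom` when `storePassword` is non-empty, or keep a check at the top of this branch such as `if (!string.IsNullOrEmpty(storePassword)) throw new RemoteFileException("Store password is not supported for RSA/EC (traditional PEM) private keys.");` so the password is never silently dropped. The enclosing foreach and method both start before this hunk and end after it.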
@@ -239,7 +229,7 @@ private X509CertificateEntry[] GetCertificates(string certificates)
 return certificateEntries.ToArray();
 }
- private AsymmetricKeyEntry GetPrivateKey(string storeContents, string storePassword, IRemoteHandler remoteHandler, out PrivateKeyTypeEnum? privateKeyType)
+ private AsymmetricKeyEntry GetPrivateKey(string storeContents, string storePassword, IRemoteHandler remoteHandler, out PrivateKeyTypeEnum privateKeyType)
 {
 logger.MethodEntry(LogLevel.Debug);