Skip to content

Commit

Permalink
Fix static signing in hosts
Browse files Browse the repository at this point in the history
  • Loading branch information
josephdecock committed Dec 7, 2024
1 parent 9ee9179 commit 25d7a92
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 52 deletions.
31 changes: 0 additions & 31 deletions hosts/Configuration/IdentityServerExtensions.cs
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
.AddInMemoryIdentityResources(Resources.IdentityResources)
.AddInMemoryApiScopes(Resources.ApiScopes)
.AddInMemoryApiResources(Resources.ApiResources)
//.AddStaticSigningCredential()
.AddExtensionGrantValidator<Extensions.ExtensionGrantValidator>()
.AddExtensionGrantValidator<Extensions.NoSubjectExtensionGrantValidator>()
.AddJwtBearerClientAuthentication()
Expand Down Expand Up @@ -67,34 +66,4 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio

return builder;
}

private static IIdentityServerBuilder AddStaticSigningCredential(this IIdentityServerBuilder builder)
{
// create random RS256 key
//builder.AddDeveloperSigningCredential();


#pragma warning disable SYSLIB0057 // Type or member is obsolete
// TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)

// use an RSA-based certificate with RS256
using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");
builder.AddSigningCredential(rsaCert, "RS256");

// ...and PS256
builder.AddSigningCredential(rsaCert, "PS256");

// or manually extract ECDSA key from certificate (directly using the certificate is not support by Microsoft right now)
using var ecCert = new X509Certificate2("./testkeys/identityserver.test.ecdsa.p12", "changeit");
#pragma warning restore SYSLIB0057 // Type or member is obsolete

var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
{
KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
};

return builder.AddSigningCredential(
key,
IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
}
}
51 changes: 30 additions & 21 deletions hosts/main/IdentityServerExtensions.cs
Original file line number Diff line number Diff line change
Expand Up @@ -77,33 +77,42 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
return builder;
}

// To use static signing credentials, create keys and add it to the certificate store.
// This shows how to create both rsa and ec keys, in case you had clients that were configured to use different algorithms
// You can create keys for dev use with the mkcert util:
// mkcert -pkcs12 identityserver.test.rsa
// mkcert -pkcs12 -ecdsa identityserver.test.ecdsa
// Then import the keys into the certificate manager. This code expect keys in the personal store of the current user.
private static IIdentityServerBuilder AddStaticSigningCredential(this IIdentityServerBuilder builder)
{
// create random RS256 key
//builder.AddDeveloperSigningCredential();


#pragma warning disable SYSLIB0057 // Type or member is obsolete
// TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)

// use an RSA-based certificate with RS256
using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");
builder.AddSigningCredential(rsaCert, "RS256");
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
store.Open(OpenFlags.ReadOnly);

// ...and PS256
builder.AddSigningCredential(rsaCert, "PS256");
var subs = store.Certificates.Select(c => c.Subject);
var subNames = store.Certificates.Select(c => c.SubjectName);

// or manually extract ECDSA key from certificate (directly using the certificate is not support by Microsoft right now)
using var ecCert = new X509Certificate2("./testkeys/identityserver.test.ecdsa.p12", "changeit");
#pragma warning restore SYSLIB0057 // Type or member is obsolete
var rsaCert = store.Certificates
.Find(X509FindType.FindBySubjectName, "identityserver.test.rsa", true)
.Single();
builder.AddSigningCredential(rsaCert, "RS256");
builder.AddSigningCredential(rsaCert, "PS256");

var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
var ecCert = store.Certificates
.Find(X509FindType.FindBySubjectName, "identityserver.test.ecdsa", true)
.Single();
var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
{
KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
};
builder.AddSigningCredential(key, IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
}
finally
{
KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
};
store.Close();
}

return builder.AddSigningCredential(
key,
IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
return builder;
}
}
Binary file removed hosts/main/TestKeys/identityserver.test.ecdsa.p12
Binary file not shown.
Binary file removed hosts/main/TestKeys/identityserver.test.rsa.p12
Binary file not shown.

0 comments on commit 25d7a92

Please sign in to comment.