From 25d7a924c6acbfea056ee1c286607db09d56ccc3 Mon Sep 17 00:00:00 2001
From: Joe DeCock
Date: Sat, 7 Dec 2024 14:22:33 -0600
Subject: [PATCH] Fix static signing in hosts

---
 .../Configuration/IdentityServerExtensions.cs | 31 -----------
 hosts/main/IdentityServerExtensions.cs | 51 ++++++++++--------
 .../TestKeys/identityserver.test.ecdsa.p12 | Bin 2800 -> 0 bytes
 .../main/TestKeys/identityserver.test.rsa.p12 | Bin 4079 -> 0 bytes
 4 files changed, 30 insertions(+), 52 deletions(-)
 delete mode 100644 hosts/main/TestKeys/identityserver.test.ecdsa.p12
 delete mode 100644 hosts/main/TestKeys/identityserver.test.rsa.p12

diff --git a/hosts/Configuration/IdentityServerExtensions.cs b/hosts/Configuration/IdentityServerExtensions.cs
index 1911f5720..54e279d40 100644
--- a/hosts/Configuration/IdentityServerExtensions.cs
+++ b/hosts/Configuration/IdentityServerExtensions.cs
@@ -35,7 +35,6 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
 .AddInMemoryIdentityResources(Resources.IdentityResources)
 .AddInMemoryApiScopes(Resources.ApiScopes)
 .AddInMemoryApiResources(Resources.ApiResources)
- //.AddStaticSigningCredential()
 .AddExtensionGrantValidator()
 .AddExtensionGrantValidator()
 .AddJwtBearerClientAuthentication()
@@ -67,34 +66,4 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
 return builder;
 }
 
-
- private static IIdentityServerBuilder AddStaticSigningCredential(this IIdentityServerBuilder builder)
- {
- // create random RS256 key
- //builder.AddDeveloperSigningCredential();
-
-
-#pragma warning disable SYSLIB0057 // Type or member is obsolete
- // TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)
-
- // use an RSA-based certificate with RS256
- using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");
- builder.AddSigningCredential(rsaCert, "RS256");
-
- // ...and PS256
- builder.AddSigningCredential(rsaCert, "PS256");
-
- // or manually extract ECDSA key from certificate (directly using the certificate is not support by Microsoft right now)
- using var ecCert = new X509Certificate2("./testkeys/identityserver.test.ecdsa.p12", "changeit");
-#pragma warning restore SYSLIB0057 // Type or member is obsolete
-
- var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
- {
- KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
- };
-
- return builder.AddSigningCredential(
- key,
- IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
- }
 }
diff --git a/hosts/main/IdentityServerExtensions.cs b/hosts/main/IdentityServerExtensions.cs
index de1097ea1..0228a3dad 100644
--- a/hosts/main/IdentityServerExtensions.cs
+++ b/hosts/main/IdentityServerExtensions.cs
@@ -77,33 +77,42 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
 return builder;
 }
 
+ // To use static signing credentials, create keys and add it to the certificate store.
+ // This shows how to create both rsa and ec keys, in case you had clients that were configured to use different algorithms
+ // You can create keys for dev use with the mkcert util:
+ // mkcert -pkcs12 identityserver.test.rsa
+ // mkcert -pkcs12 -ecdsa identityserver.test.ecdsa
+ // Then import the keys into the certificate manager. This code expect keys in the personal store of the current user.
 private static IIdentityServerBuilder AddStaticSigningCredential(this IIdentityServerBuilder builder)
 {
- // create random RS256 key
- //builder.AddDeveloperSigningCredential();
-
-
-#pragma warning disable SYSLIB0057 // Type or member is obsolete
- // TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)
-
- // use an RSA-based certificate with RS256
- using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");
- builder.AddSigningCredential(rsaCert, "RS256");
+ var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
+ try
+ {
+ store.Open(OpenFlags.ReadOnly);
 
- // ...and PS256
- builder.AddSigningCredential(rsaCert, "PS256");
+ var subs = store.Certificates.Select(c => c.Subject);
+ var subNames = store.Certificates.Select(c => c.SubjectName);
 
- // or manually extract ECDSA key from certificate (directly using the certificate is not support by Microsoft right now)
- using var ecCert = new X509Certificate2("./testkeys/identityserver.test.ecdsa.p12", "changeit");
-#pragma warning restore SYSLIB0057 // Type or member is obsolete
+ var rsaCert = store.Certificates
+ .Find(X509FindType.FindBySubjectName, "identityserver.test.rsa", true)
+ .Single();
+ builder.AddSigningCredential(rsaCert, "RS256");
+ builder.AddSigningCredential(rsaCert, "PS256");
 
- var key = new 
ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
+ var ecCert = store.Certificates
+ .Find(X509FindType.FindBySubjectName, "identityserver.test.ecdsa", true)
+ .Single();
+ var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
+ {
+ KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
+ };
+ builder.AddSigningCredential(key, IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
+ }
+ finally
 {
- KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
- };
+ store.Close();
+ }
 
- return builder.AddSigningCredential(
- key,
- IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
+ return builder;
 }
 }
\ No newline at end of file
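Review bot: `var subs` and `var subNames` at the top of the `try` block are never read and, being deferred `Select` queries, never even enumerate the store, so they are dead code to drop. The actual lookups then rely on `.Single()` after `Find(..., true)`, and because that third argument (`validOnly`) silently filters out expired certificates and ones whose chain (here the mkcert root CA) is not trusted, a missing or duplicated dev cert surfaces at startup only as a bare "Sequence contains no elements" / "more than one element" exception that names neither the subject nor the store searched. `ecCert.GetECDsaPrivateKey()` can likewise return null when the .p12 was imported without its private key, which then fails inside the `ECDsaSecurityKey` constructor rather than with an actionable message. Separately, `KeyId = CryptoRandom.CreateUniqueId(...)` gives the ES256 credential a fresh `kid` on every process start, so tokens issued before a restart (or by another instance of a scaled-out host) carry a `kid` the current JWKS no longer advertises; deriving it from the certificate, e.g. `KeyId = ecCert.Thumbprint`, keeps it stable. Rewritten lookup and key construction follow (a `using var store` declaration also makes the `try`/`finally` with `store.Close()` unnecessary, since disposing the store closes it):

```csharp
    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);

    var rsaCert = FindExactlyOne(store, "identityserver.test.rsa");
    builder.AddSigningCredential(rsaCert, "RS256");
    builder.AddSigningCredential(rsaCert, "PS256");

    var ecCert = FindExactlyOne(store, "identityserver.test.ecdsa");
    var ecdsa = ecCert.GetECDsaPrivateKey()
        ?? throw new InvalidOperationException($"Certificate '{ecCert.Subject}' has no accessible ECDSA private key.");
    var key = new ECDsaSecurityKey(ecdsa)
    {
        // Certificate-derived kid: stable across restarts and instances.
        KeyId = ecCert.Thumbprint
    };
    builder.AddSigningCredential(key, IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
    return builder;
}

// Finds the single valid certificate with the given subject in the opened store; fails loudly otherwise.
private static X509Certificate2 FindExactlyOne(X509Store store, string subjectName)
{
    var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, validOnly: true);
    return matches.Count switch
    {
        1 => matches[0],
        0 => throw new InvalidOperationException(
            $"No valid certificate with subject '{subjectName}' in CurrentUser/My (is the mkcert root CA trusted and the .p12 imported with its private key?)."),
        _ => throw new InvalidOperationException(
            $"{matches.Count} certificates match subject '{subjectName}' in CurrentUser/My; expected exactly one."),
    };
}
```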
diff --git a/hosts/main/TestKeys/identityserver.test.ecdsa.p12 b/hosts/main/TestKeys/identityserver.test.ecdsa.p12 deleted file mode 100644 index 5b21ec1bafb4d2936dda7778a692cbdd055d2e2d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2800 zcmV)#f(q;c0Ru3C3b+OdDuzgg_YDCD0ic2ksRV)wr7(gDp)i68j|K@UhDe6@ z4FLxRpn?g2FoFqu0s#Opf(dm72`Yw2hW8Bt2LUh~1_~;MNQUu zg&t*oiblmJLm-f`b8IidmKxTn8Ot}&XhRyhWSTU+! zx{svSK%;T=aX?fK$Va%JtQtgkv2Sb}jAJ8^7GfC@hVY%)hV9)P$v>Kd7z&OK1>nFi zJ8Ee{gtQN&cN9p@Oe1D9f@Yl6jkUfGPJRDJ)lvJNAEBg^_HX;e3$76s_V$A!n$~D_ zua=!!!Oa44-nM(usEiZU;nCJ&xs&C__ds4&u)y^tXf=>`nYDg1R-s&|_vu!Qu>~S` z_)bMs*$si{#$8kUuabZ{P?>43#x{naU%+l&2wVCs0;_(5C{SbGtSSa&EMQsa0&2ul z4@TnlZcYS)%$P{YyRQ)zx)n|+fVYT%DA7fBe9+D7w6%cC86sSD>f{nXzj^>x8q6LJ zK|=9jRcLAF<9pd4osdNhGL>##Yvhwirx%b)t zLcsy8;p#{@)>xDqUjS4Hrm1ELZA#!K3Zcd*`v$TZt!&xV&f!+CZ17xBcgRZcH?;~u z71aAJE2zd$Q*pThVlnxP{5N^S_I_xbS~;!7b57F^*>bI(W;|x zsbU1d4(NC}n-7G_I^BW=_k(~|@NCK(GpoXy*yW6ATZ0rPUqF2qDTK5MY>j%0EnX)P z;A)s8+`eyKkvgSv6tN@MZ>k)Bb2s7fIGr}SU0*bG1Rp84udQ6ghVPk8?bhhKl!U_h zLp6Nro}rjfIB#@qG>f`j36h#KSjMr^!pdp&V`uXEfWuwf-sms73jaV{wE_OSuMkAi z2|=vVdmY2TfNSMFG1&!7J5F!5SsaA2Iw<>oEmu(L!vZ7Ew6vuRAZ3vOKr5+PY1cb; zBm>>An#p{OfhIxyZ8*}dM!qrmhr8}ama+X)z)7S+gSPT-#rotBU0KSk7TzYfD;FyW z+93ixe&gN_pm6`b>kx&yx+z~5^ymb)m{-l`By1t~ z9_~X4CZ8_=O@(YVOF_imga#HcdA_tV1kR1WPVU@ct{_`tVsMa`XA!1I`+O<;Vi`i6y zt=D!ent;aJU|DWZ(!ONwafV*VFj=JbKW?2K&DnfaL?Rx=8svpdD3~4b{(01HsAAc7 zsx~`w#zJ!2C?6Hn3{M>#uGAcV8^~qAXT}1>^lv+&5nbB!m!rUNDwK?H-3jbawpFQ@ zNEfpc#AJJ1pjG!Z6B7SBw17N|MdYN=(p@$l=ju@gVm|>;_ zH9N?nR}o^%x*`rDt8{7C4)RZ>XutnLT|eFbcAg}Xp8)j zCQ&_Isd=sG^fM31aUaMaewhk8UjiJCnjd5T@9ftXOX8@m3l@`oI-I3Xc_%iatr(BX zq??CLaAat5dm>C;b&bT7oV0`Dh6OvHtP$hhmTZN-W+(ncP*`b=^1RkgCCR@@@?A}n z?Fw-?K|QHMt`M)m+XoxXFX~*v<3!-movih1?G$| z!exl_y6esayKp9(%VO!OWKO+RW+Q04rBW@LoJx0G&}JCH9bDT_uAyZ=sx{~^@BQC4 zc#o%$fP#Vy51?_r-S}<;Q`rohGugts?Hg(~NZ>dm$2C1{H=~qr&Q6e!)4)vW`%CF5 zFW)bVs=9-JG0$x0k6Zz6r~1=^8)q{vL+`WqvBB#UYw-OSAJ%-lRpmz|>_*_zxS${5 
zz8OdW%Yt|i=`Vu*X&c$4v3`Z!!EN~5DY4A z#bCHb+tNN(ac1)`+VRx*< zm2i=dA3AiDMVH`upgN~0zjjjt(WmS&M-~mMTn%UAR!6?9H>AU&)e^m?sni#HFoFRJ z1_>&LNQUdt0s;sC1c8`?*+p4`19XoXR8YA*h$ztYgk{jUz`}67-o_dh z?(;nY8funYHyLez`In06=(6>_6;s=amR|^d3Tv1Teq1^TUS`SdmN@h_39%gNCb=lq zWI{}GSE>`a7rGbBi~!72und-)J&nSFocq;p!?ilC9~#V(%@(o8aOY*rILVzWO87O? z5d$v)Mq_{i&We}-|5&DHb^AauB`_lf2`Yw2hW8Bt2^BFG1Qh-Aj{vBSz>?1cp=}|P z0GS_v3jr`IFdr}n1_dh)0|FWZ6bRdW3Y$Ig^%LTtE~XY{xf$sG!2}3qtnM_TZQ%7& CuqdPe 
diff --git a/hosts/main/TestKeys/identityserver.test.rsa.p12 b/hosts/main/TestKeys/identityserver.test.rsa.p12 deleted file mode 100644 index 07a23dee1dc108cc4dbf2c1dd5fa04849baedb00..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4079 zcmVrW6|_X=A5EAGO(b&8UWy2$5{ivA<$2$3VO z=zLzcbN_li7Dl{?!UJX9vB-F#&V5ueFF}Bso;^8?5|?l)Cl{Y1RIIp{;+`DDJ&J@6 z&okckcUyiqIGr8-P7Bbs;)_~pI}foWHm#r7MMjI8ihPKrBBiC;IX3uXcQep9F51OK zCSshjT{ci?N_;IWOKdqzb?5`M$9zsWL&v z&g%wN^XScl7J{@aAI2wiBDPoF7!+|beqqT6So*W9I+3^rb52XcG`090u(nFhG&6k^ zs2e{qS}Oht8THi{vR>!Lo)j2&m3Abew|Ek#SQ3z9qu>&MI3`rr+S`)kxwV_wA}zlo z=V+VCl?H;)Wrk;+36XBJi+lUUVci)r}XK6wW#G(=|99J$6AoQU}dJ*$uVh?{= zzZ7Sn_8ZJMmM{Awrc|2mrD5HMPtUNTtIbDE|CpqQEP{p=9KZZet(2h!0Oi4bItux7 zZ2f8kDDxpFQjGSA+6~2a<`y)f8vx2^pMBdsta?a^b zICZ(P%_7QCD=)4Q8$54)@WxZ(Y@~_SSnswMYSJaD{_&J6^qmk9MDMEl`4D|a9n8i_ zB?1FgoJl6%!Tr%uO3aPLK4_weJ^M_jfD)7L7@ygy*gr>G`=`KvNhOb~qkC29v*`Uf zZXKD<#e$MpX?ZXzclIlpwX5jUs`+Y^T@acheS>#N1W+IGMwq)?Gya}8@TDcg#8CBe z6-(OHyzkRv{MArZCvXL>zO`H#Mk~RaC_H7Qg{i?_EJmO-|+vG78 zN2B-F17Cg6IBG(^Mkb16@TucAFI=J5cc3g{T%?hWo63j=?{f^zJ^?jgZ2@Bu^2>$H z)1VY9JKO2&u~bG7@#P77Pcl>qwN#at<@w|KbEt%Si1)g)O_Kr{O&i|!DGHsw8(++mwsQw3?^fva_UNc6Fm?51%e z?JYD&Wjk_gWkT^N8-U=_`)$4fg<+~Q&|na#GQI^>*qf@ykct#Ur>1NNlc7}9#F z?p^eLwksGd1`=rYUY>hHe+T8Y>BYnT@)FKlS!wh-VoA4H6X*GgJ07Z~VSaoyuMbdM zCEw%%pCoaQ0yBsg{F-WK{l=}W=f9hSy+bzT~ZK?)eTit%8E)+Uu7)~oDYNQGyWx`A>KdHPjXiJ>43T# z(%D+_Ub^agnGxlE%}()oOQO*&>EVG|9*X|gr<^wN+Ed(NSb_qR*)6)(vO6_ZYoMWE z0`u|)NoKq3*(BZEaRN?mKkhCJvhoMFVDpvK3tWe^Vd9tFwu@<5rhsga*a02zA>9gE zkoI1%8lDj$IIA^@xQ`K)NTz6>@{?sV2+4-&1F3dh0A^ zJ?yaVok?~m$7|K7TK`8oi<*AA(08C4s4Bw?&VU1!*2kaS--stgq7uuEy~a{a%a}~m z!$y8oLIjx1$*@5yT5OW>4sR=O?^hd)OhTpq?ETmz8x6ju=Jn~@xXz{tP^a6At(P~&1)ULB%; zUSLavQ-G4tk2w)cVW|(w_ob^L*PO91o4(xlmrM&{e8@z}s#_+cPax=nfdu1$Tk!n^ zS0=(To04nV*TXP};$$Ox8NMkjm1vwGb7e51&u;2C`|G=x#KPUuJz~egVf<6=dio7bk4d z(+OFUh#kTuh!91d8{$U1UNXm)ImHpugw>LvxMER;V z^>MI%uZ2UM6M4`w@jTT&$)4x1FwjiD0~LjWbp2sc3wTqz!c=ZdQ|V_LThS=OVa5z{ 
z6HKk=EJyK6l6`|b6$F&^N}wCL0Oy&0yQNrPY}|weC`!(h#-E;x!73K&ckVO6yKVsh z&1K>yki7n=)!+vl3~lHZC){qy`44D4<`{(A;^qyLU%;e@pqI~mno&Ye7mD&D0YsV7 zaqrru!Ue3*|4UGV_>6`ct+NRQYk^?vaiOsESMBa?1_o=j3e-g95i}bS4I!F&Uv_~1 zeahC{W<0K&&wX4o4R)hv}#xf=c0Xp#3;oZJk+cnFi|y`!Cnfk*oXi0Mod-QLa*x zFrGKUI}P8}MSIRCog6;w9(@+C?wjdXlSt_e+VAmuUN7|Z|cV$3vm5Wy2#u(@ze zvAi*qB^c5L;EGJyibjhvpcMH+S^uqVi-{O!Wk0OTIY&j^PT!n{FoFd^1_>&LNQU@QNj8^oVGjKCp@a4KFO#KVwX+T5uQR{DcJIUYqvMfA>w@l#P17y3 z?PxMFF|fRR^KGGWLOcOHpS-$07)Pi7#0@YDM=dyDOYu*=#eLoGI*1&cgA0h%(SmL5 zx&%!%!tf@T%bNKsV;T={yG&Owgq(W#=>(iWFfr>W(`%zDIe&t{E~MkQ(a zZ)GQmI9|7e^&l!u&4$!bON)e(qyEFud~*pigeWbzxD`F0wE*ay9*xWakjaX8@O=WC z-w7KB$G3it9jDWPCU(2!RC7_6ljbE6Pv|E8oAL>N=T4|K+ieN0^tYfuZ3aZI|0SN= z_?Dq=B_xpLL{Aqs5lO!{Vh%ZqZ+rApBq{^4eLxHlP#P*7sg&gu{D{!G zyaI7rQgF%{`z(D$Ps?isVAQcvopbVrTg2ELdyb92SiIAgtJH7=SXNc1r-EQ@K_Tn1DzWNJV@)4=Y8C9 zlzvR1Vd^kH$0ZYbz*7L$(c?aoA8f1IFNmkl#4AZufv*+}V-l{tiiZR06CCklr;KJH z%kNDygSPK?ez)S(V;%#BFF~=CEQ~8eE04x?3CEtz%iR>Vtp6k80X>XceNM0quqbyN zm@fPzKh+6u%SmLnxUc10nT>?3DP(qu%jntQlrt%NfDX`xhTtF`2d-^qw^%FdpOAT9 z{>MG%@MIS-Fgw8)5nOfN^YZw6`u6kzH5%;rIQNt+Mb)gvO#F44g4JEtGZ^W9S{s<> zEoW6AD7I2b6OvGP9z6{M`QK)IR`@mH5a{ES_O+S}x%f-3?Lxv@&V6`Xf4 zmFyiebL_g9S(hQzPiPGp*UHv!B3#fPSVbP7@$RD)sEUPe<#fDeqQX0#Z-KvYA$u5X zc6~e`pZF#3+23nA?UTNA1P08I5Ix3k?P4NxCJh?DZB-vY5#la*wmHVT_%1HJJaUJ6 zSS!yvhiTK07=t8D2%+i~@ZJkq-&ags3V33SHC@!C{MCX|VU+?f)i3B@V{*_$+P|lv{0X+9E<8%5@x6$vrV8 zFe3&DDuzgg_YDCF6)_eB6univ-`Ctjrn=2SZf?QhitIe&bucS1A20_71uG5%0vZGq hg#$sDQ%yq|2Jm8%c+lsp3%uNY1PGzLN^>8>AF)iOsZ9U?