Merge pull request #1661 from DuendeSoftware/joe/static-signing

Fix static signing in hosts
DuendeSoftware · Dec 11, 2024 · 62df123 · 62df123
2 parents 94f8ad4 + 3eea4e2
commit 62df123
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 55 deletions.
diff --git a/hosts/Configuration/IdentityServerExtensions.cs b/hosts/Configuration/IdentityServerExtensions.cs
@@ -35,7 +35,6 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
             .AddInMemoryIdentityResources(Resources.IdentityResources)
             .AddInMemoryApiScopes(Resources.ApiScopes)
             .AddInMemoryApiResources(Resources.ApiResources)
-            //.AddStaticSigningCredential()
             .AddExtensionGrantValidator<Extensions.ExtensionGrantValidator>()
             .AddExtensionGrantValidator<Extensions.NoSubjectExtensionGrantValidator>()
             .AddJwtBearerClientAuthentication()
@@ -67,34 +66,4 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
 
         return builder;
     }
-
-    private static IIdentityServerBuilder AddStaticSigningCredential(this IIdentityServerBuilder builder)
-    {
-        // create random RS256 key
-        //builder.AddDeveloperSigningCredential();
-
-
-#pragma warning disable SYSLIB0057 // Type or member is obsolete
-        // TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)
-
-        // use an RSA-based certificate with RS256
-        using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");
-        builder.AddSigningCredential(rsaCert, "RS256");
-
-        // ...and PS256
-        builder.AddSigningCredential(rsaCert, "PS256");
-
-        // or manually extract ECDSA key from certificate (directly using the certificate is not support by Microsoft right now)
-        using var ecCert = new X509Certificate2("./testkeys/identityserver.test.ecdsa.p12", "changeit");
-#pragma warning restore SYSLIB0057 // Type or member is obsolete
-
-        var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
-        {
-            KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
-        };
-
-        return builder.AddSigningCredential(
-            key,
-            IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
-    }
 }
diff --git a/hosts/main/IdentityServerExtensions.cs b/hosts/main/IdentityServerExtensions.cs
@@ -78,33 +78,39 @@ internal static WebApplicationBuilder ConfigureIdentityServer(this WebApplicatio
         return builder;
     }
 
+    // To use static signing credentials, create keys and add it to the certificate store.
+    // This shows how to create both rsa and ec keys, in case you had clients that were configured to use different algorithms
+    // You can create keys for dev use with the mkcert util:
+    //    mkcert -pkcs12 identityserver.test.rsa
+    //    mkcert -pkcs12 -ecdsa identityserver.test.ecdsa
+    // Then import the keys into the certificate manager. This code expect keys in the personal store of the current user.
     private static IIdentityServerBuilder AddStaticSigningCredential(this IIdentityServerBuilder builder)
     {
-        // create random RS256 key
-        //builder.AddDeveloperSigningCredential();
-
-
-#pragma warning disable SYSLIB0057 // Type or member is obsolete
-        // TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)
-
-        // use an RSA-based certificate with RS256
-        using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");
-        builder.AddSigningCredential(rsaCert, "RS256");
-
-        // ...and PS256
-        builder.AddSigningCredential(rsaCert, "PS256");
-
-        // or manually extract ECDSA key from certificate (directly using the certificate is not support by Microsoft right now)
-        using var ecCert = new X509Certificate2("./testkeys/identityserver.test.ecdsa.p12", "changeit");
-#pragma warning restore SYSLIB0057 // Type or member is obsolete
-
-        var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
+        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
+        try
+        {
+            store.Open(OpenFlags.ReadOnly);
+
+            var rsaCert = store.Certificates
+                .Find(X509FindType.FindBySubjectName, "identityserver.test.rsa", true)
+                .Single();
+            builder.AddSigningCredential(rsaCert, "RS256");
+            builder.AddSigningCredential(rsaCert, "PS256");
+
+            var ecCert = store.Certificates
+                .Find(X509FindType.FindBySubjectName, "identityserver.test.ecdsa", true)
+                .Single();  
+            var key = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey())
+            {
+                KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
+            };
+            builder.AddSigningCredential(key, IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
+        }
+        finally
         {
-            KeyId = CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)
-        };
+            store.Close();
+        }
 
-        return builder.AddSigningCredential(
-            key,
-            IdentityServerConstants.ECDsaSigningAlgorithm.ES256);
+        return builder;
     }
 }
diff --git a/hosts/main/TestKeys/identityserver.test.ecdsa.p12 b/hosts/main/TestKeys/identityserver.test.ecdsa.p12
diff --git a/hosts/main/TestKeys/identityserver.test.rsa.p12 b/hosts/main/TestKeys/identityserver.test.rsa.p12