Protect git repository auth token with certificate from hardware token
- installed git
- certificate with private key on hardware token
- .NET Framework 4.7.1 or higher
- Visual Studio 2013 to build the binary from source
- Copy git-credential-cert.exe to the C:\Program Files\Git\mingw64\libexec\git-core folder
- Specify git-credential-cert as the git credential helper:
git config --global credential.helper cert
- Don't forget to delete your credentials from Windows Credential Manager and from any other place where they are stored unprotected
For Visual Studio, the helper must be specified in the %USERPROFILE%\.gitconfig file.
You can add it like this:
[credential]
helper=C:\\\\Program\\ Files\\\\Git\\\\mingw64\\\\libexec\\\\git-core\\\\git-credential-cert.exe
Generate a certificate with a private key; the token uses it to encrypt and sign the credential data in the store:
makecert.exe -pe -r -a sha1 -len 2048 -n "CN=<specify here your own cert name>" -eku "1.3.6.1.5.5.7.3.4" -sky exchange -sv cert.pvk cert.cer
pvk2pfx.exe -pvk cert.pvk -spc cert.cer -pfx cert.pfx
Import the certificate into the hardware token using SafeNet Authentication Client or any other third-party software.
During import, choose the pfx file and enter an empty password. Do not forget to delete the private key from your disk.
git push
The helper checks your database (the %USERPROFILE%\git-credential-cert file); if there are no existing credentials for the current URL, it asks for the username and password and stores them.
git-credential-cert.exe list
git-credential-cert.exe delete <URL>
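The flow above follows git's credential-helper protocol: git runs the helper with a method (`get`, `store` or `erase`) and writes `key=value` lines to its stdin, and the helper answers `get` with `key=value` lines of its own. The following Python model of that protocol is an added example, not the project's own code: it keeps an in-memory dictionary where the real helper keeps the encrypted and signed store file, so the certificate and token handling are left out, and its exact error messages and the decision to refuse a second `store` for an existing URL are assumptions of this example.

```python
"""Model of the git credential-helper protocol (added example, not the project's code).
Git runs `git credential-<name> <method>` and writes key=value lines to stdin, ended by a
blank line.  An in-memory dict stands in for the encrypted, signed store file."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

METHODS = {"get", "store", "erase"}
KNOWN_KEYS = {"protocol", "host", "path", "username", "password", "url"}


def parse_request(text):
    """Parse git's key=value request; reject malformed lines and unknown keys."""
    attrs = {}
    for line in text.splitlines():
        if line == "":                      # blank line terminates the request
            break
        if "=" not in line:
            raise ValueError(f"input has no key=value format: {line!r}")
        key, value = line.split("=", 1)
        if key not in KNOWN_KEYS:
            raise ValueError(f"input has unknown key: {key!r}")
        attrs[key] = value
    if "url" in attrs:                      # git may send a single url= line instead
        parts = urlsplit(attrs.pop("url"))
        host = parts.hostname or ""
        if parts.port:
            host += f":{parts.port}"
        attrs.setdefault("protocol", parts.scheme)
        attrs.setdefault("host", host)
        if parts.username:
            attrs.setdefault("username", parts.username)
        if parts.path.strip("/"):
            attrs.setdefault("path", parts.path.strip("/"))
    return attrs


def credential_url(attrs):
    """Key under which a credential is matched: protocol://host[/path]."""
    if not attrs.get("protocol") or not attrs.get("host"):
        raise ValueError("no url specified")
    url = f"{attrs['protocol']}://{attrs['host']}"
    if attrs.get("path"):
        url += "/" + attrs["path"]
    return url


class CredentialStore:
    """In-memory stand-in for the encrypted store file (constructed for this example)."""

    def __init__(self):
        self._entries = {}

    def handle(self, method, text):
        """Serve one helper invocation and return what would go to stdout."""
        if method not in METHODS:
            raise ValueError(f"incorrect method: {method!r}")
        attrs = parse_request(text)
        url = credential_url(attrs)
        if method == "get":
            entry = self._entries.get(url)
            if entry is None:
                return ""                   # nothing known: git falls back to prompting
            return f"username={entry['username']}\npassword={entry['password']}\n"
        if method == "store":
            if not attrs.get("username") or not attrs.get("password"):
                raise ValueError("store requires username and password")
            if url in self._entries:        # assumption: refuse rather than overwrite
                raise ValueError(f"credentials for {url} already exist")
            self._entries[url] = {
                "username": attrs["username"],
                "password": attrs["password"],
                "created": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            }
            return ""
        # erase: git sends this after the server rejects the credential (e.g. revoked token)
        self._entries.pop(url, None)
        return ""

    def list_entries(self):
        """Rows like the `list` command: URL, username and creation time, never the secret."""
        return [(u, e["username"], e["created"]) for u, e in sorted(self._entries.items())]


def run(store, method, text):
    """Emulate the executable: (exit code, stdout, stderr) for one invocation."""
    try:
        return 0, store.handle(method, text), ""
    except ValueError as exc:
        return 1, "", f"fatal: {exc}\n"


if __name__ == "__main__":
    store = CredentialStore()               # constructed request, as git would send it
    request = "protocol=https\nhost=example.invalid\nusername=alice\npassword=constructed\n"
    print(run(store, "store", request))
    print(run(store, "get", "protocol=https\nhost=example.invalid\n"))
    print(store.list_entries())
```

The `erase` branch is the part worth noticing for the revocation case listed later in the test matrix: when the server rejects a stored token, git calls the helper with `erase` for the same URL, so a failed push removes the dead credential and the next `get` returns nothing, which makes git prompt again.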
- delete the helper:
del "C:\Program Files\Git\mingw64\libexec\git-core\git-credential-cert.exe"
- remove the git-credential-cert.exe helper entry from %USERPROFILE%\.gitconfig
- specify your own or the previous credential helper (e.g.):
git config --global credential.helper manager
- delete git-credential-cert encrypted database (if required):
del "%USERPROFILE%\\.git-credential-cert"
1.1. ✔ Incorrect method
1.2. ✔ Input has no key=value format
1.3. ✔ Input has unknown key
1.4. ✔ Store file corrupted - exception with stacktrace
1.5. ✔ Writing store file exception
2.1. ✔ Create new store, file does not exist
2.2. ✔ No certs with private key
2.3. ✔ Fail to encrypt (ejected token) - exception
2.4. ✔ Trying to add already existing url
3.1. ✔ There are no required parameters
3.2. ✔ Store has no credential for required url
3.3. ✔ Cert for signature and decryption not found
3.4. ✔ Cert for signature check exists, but has no private key for decryption
3.5. ✔ Incorrect signature
4.1. ✔ List credentials (URL + UserName + Cert.Subject + Cert.Thumbprint + Created DateTime)
5.1. ✔ Trying to remove non-existent credentials
6.1. ✔ Trying to remove non-existent credentials
6.2. ✔ No url specified
7.1. ✔ Working from Visual Studio Code
7.2. ✔ Working from Visual Studio
7.3. ✔ git token revocation (error + erase)