Merge 973e015 into 7930e17

Author: leefine02

.github/workflows/keyfactor-merge-store-types.yml

@@ -11,10 +11,17 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/[email protected]
+    uses: keyfactor/actions/.github/workflows/starter.yml@v4
+    with:
+      command_token_url: ${{ vars.COMMAND_TOKEN_URL }} # Only required for doctool generated screenshots
+      command_hostname: ${{ vars.COMMAND_HOSTNAME }} # Only required for doctool generated screenshots
+      command_base_api_path: ${{ vars.COMMAND_API_PATH }} # Only required for doctool generated screenshots
     secrets:
-      token: ${{ secrets.V2BUILDTOKEN}}
-      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
-      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
-      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
-      scan_token: ${{ secrets.SAST_TOKEN }}
+      token: ${{ secrets.V2BUILDTOKEN}} # REQUIRED
+      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} # Only required for golang builds
+      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} # Only required for golang builds
+      scan_token: ${{ secrets.SAST_TOKEN }} # REQUIRED
+      entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} # Only required for doctool generated screenshots
+      entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} # Only required for doctool generated screenshots
+      command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} # Only required for doctool generated screenshots
+      command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} # Only required for doctool generated screenshots

.github/workflows/keyfactor-starter-workflow.yml

@@ -1,3 +1,6 @@
+v2.12.0
+- Added config.json setting and its override store level custom field - AllowShellCommands.  If "N" (default "Y"), SFTP will be used to create stores and move files on Linux-based certificate store servers.  No Linux shell commands will be used in the integration.
+
 v2.11.5
 - Bug Fix: Rare race condition loading config settings when multiple RemoteFile jobs are running simultaneously on the same orchestrator
 - Documentation update to better list out what Linux commands get executed under what situations in Requirements & Prerequisites section

CHANGELOG.md

@@ -1,16 +1,18 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
     <PropertyGroup>
-        <TargetFramework>net6.0</TargetFramework>
+        <TargetFramework>net8.0</TargetFramework>
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>
 
         <IsPackable>false</IsPackable>
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0"/>
-        <PackageReference Include="xunit" Version="2.4.1"/>
+        <PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
+        <PackageReference Include="Keyfactor.PKI" Version="8.1.1" />
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0" />
+        <PackageReference Include="xunit" Version="2.4.1" />
         <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
             <PrivateAssets>all</PrivateAssets>

README.md

@@ -42,6 +42,7 @@ public enum FileTransferProtocolEnum
         public static string DefaultSudoImpersonatedUser { get { return configuration.ContainsKey("DefaultSudoImpersonatedUser") ? configuration["DefaultSudoImpersonatedUser"] : DEFAULT_SUDO_IMPERSONATION_SETTING; } }
         public static bool CreateCSROnDevice { get { return configuration.ContainsKey("CreateCSROnDevice") ? configuration["CreateCSROnDevice"]?.ToUpper() == "Y" : false; } }
         public static string TempFilePathForODKG { get { return configuration.ContainsKey("TempFilePathForODKG") ? configuration["TempFilePathForODKG"] : string.Empty; } }
+        public static bool UseShellCommands { get { return configuration.ContainsKey("UseShellCommands") ? configuration["UseShellCommands"]?.ToUpper() == "Y" : true; } }
         public static int SSHPort
         {
             get

RemoteFile.UnitTests/RemoteFile.UnitTests.csproj

@@ -57,7 +57,7 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd
                 string userPassword = PAMUtilities.ResolvePAMField(_resolver, logger, "Server Password", config.ServerPassword);
 
                 certificateStore = new RemoteCertificateStore(config.ClientMachine, userName, userPassword, directoriesToSearch[0].Substring(0, 1) == "/" ? RemoteCertificateStore.ServerTypeEnum.Linux : RemoteCertificateStore.ServerTypeEnum.Windows, ApplicationSettings.SSHPort);
-                certificateStore.Initialize(ApplicationSettings.DefaultSudoImpersonatedUser);
+                certificateStore.Initialize(ApplicationSettings.DefaultSudoImpersonatedUser, true);
 
                 if (directoriesToSearch.Length == 0)
                     throw new RemoteFileException("Blank or missing search directories for Discovery.");

RemoteFile/ApplicationSettings.cs

@@ -5,30 +5,28 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
 // and limitations under the License.
 
-using System;
-using System.Collections.Generic;
-using System.Text;
-using System.IO;
-
-using Newtonsoft.Json;
-
+using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
+using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
 using Keyfactor.Logging;
-using Keyfactor.PKI.PrivateKeys;
-using Keyfactor.PKI.X509;
+using Keyfactor.PKI.CryptographicObjects.Formatters;
+using Keyfactor.PKI.Extensions;
 using Keyfactor.PKI.PEM;
-using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
-using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
-
+using Keyfactor.PKI.PrivateKeys;
 using Microsoft.Extensions.Logging;
-
-using Org.BouncyCastle.Math;
+using Newtonsoft.Json;
+using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Math;
+using Org.BouncyCastle.OpenSsl;
 using Org.BouncyCastle.Pkcs;
 using Org.BouncyCastle.X509;
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
 using System.Security.Cryptography;
-using Org.BouncyCastle.OpenSsl;
-using Org.BouncyCastle.Crypto.Parameters;
-using Org.BouncyCastle.Asn1.X9;
+using System.Text;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.PEM
 {
@@ -37,8 +35,6 @@ class PEMCertificateStoreSerializer : ICertificateStoreSerializer
         string[] PrivateKeyDelimetersPkcs8 = new string[] { "-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----" };
         string[] PrivateKeyDelimetersRSA = new string[] { "-----BEGIN RSA PRIVATE KEY-----" };
         string[] PrivateKeyDelimetersEC = new string[] { "-----BEGIN EC PRIVATE KEY-----" };
-        string CertDelimBeg = "-----BEGIN CERTIFICATE-----";
-        string CertDelimEnd = "-----END CERTIFICATE-----";
 
         private enum PrivateKeyTypeEnum
         {
@@ -74,15 +70,15 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContentBytes, s
             {
                 foreach(X509CertificateEntry certificate in certificates)
                 {
-                    store.SetCertificateEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificate.Certificate).ToX509Certificate2().Thumbprint, certificate);
+                    store.SetCertificateEntry(certificate.Certificate.Thumbprint(), certificate);
                 }
             }
             else
             {
                 PrivateKeyTypeEnum privateKeyType;
                 AsymmetricKeyEntry keyEntry = GetPrivateKey(storeContents, storePassword ?? string.Empty, remoteHandler, out privateKeyType);
 
-                store.SetKeyEntry(CertificateConverterFactory.FromBouncyCastleCertificate(certificates[0].Certificate).ToX509Certificate2().Thumbprint, keyEntry, certificates);
+                store.SetKeyEntry(certificates[0].Certificate.Thumbprint(), keyEntry, certificates);
             }
 
             // Second Pkcs12Store necessary because of an obscure BC bug where creating a Pkcs12Store without .Load (code above using "Set" methods only) does not set all internal hashtables necessary to avoid an error later
@@ -113,8 +109,7 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                     if (certificateStore.IsKeyEntry(alias))
                         throw new RemoteFileException("Cannot add a certificate with a private key to a PEM trust store.");
 
-                    CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateStore.GetCertificate(alias).Certificate);
-                    pemString += certConverter.ToPEM(true);
+                    pemString += CryptographicObjectFormatter.PEM.Format(certificateStore.GetCertificate(alias).Certificate, false);
                 }
             }
             else
@@ -140,44 +135,29 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
                         throw new RemoteFileException("No private key found.  Private key must be present to add entry to a non-Trust PEM certificate store.");
 
                     X509CertificateEntry[] chainEntries = certificateStore.GetCertificateChain(alias);
-                    CertificateConverter certConverter = CertificateConverterFactory.FromBouncyCastleCertificate(chainEntries[0].Certificate);
+                    X509Certificate endCertificate = chainEntries[0].Certificate;
 
                     AsymmetricKeyParameter privateKey = certificateStore.GetKey(alias).Key;
-                    AsymmetricKeyParameter publicKey = chainEntries[0].Certificate.GetPublicKey();
+                    PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCPrivateKeyAndCert(privateKey, endCertificate);
 
-                    if (privateKeyType == PrivateKeyTypeEnum.PKCS8)
-                    {
-                        PrivateKeyConverter keyConverter = PrivateKeyConverterFactory.FromBCKeyPair(privateKey, publicKey, false);
+                    keyString = CryptographicObjectFormatter.PEM.Format(keyConverter, storePassword);
+                    pemString = string.IsNullOrEmpty(SeparatePrivateKeyFilePath)
+                        ? CryptographicObjectFormatter.PEM.Format(endCertificate, keyConverter, storePassword, false)
+                        : CryptographicObjectFormatter.PEM.Format(endCertificate, false);
 
-                        byte[] privateKeyBytes = string.IsNullOrEmpty(storePassword) ? keyConverter.ToPkcs8BlobUnencrypted() : keyConverter.ToPkcs8Blob(storePassword);
-                        keyString = PemUtilities.DERToPEM(privateKeyBytes, string.IsNullOrEmpty(storePassword) ? PemUtilities.PemObjectType.PrivateKey : PemUtilities.PemObjectType.EncryptedPrivateKey);
-                    }
-                    else
+                    if (!IncludesChain)
                     {
-                        TextWriter textWriter = new StringWriter();
-                        PemWriter pemWriter = new PemWriter(textWriter);
-                        pemWriter.WriteObject(privateKey);
-                        pemWriter.Writer.Flush();
-
-                        keyString = textWriter.ToString();
+                        continue;
                     }
 
-                    pemString = certConverter.ToPEM(true);
-                    if (string.IsNullOrEmpty(SeparatePrivateKeyFilePath))
-                        pemString += keyString;
-
-                    if (IncludesChain)
+                    for (int i = 1; i < chainEntries.Length; i++)
                     {
-                        for (int i = 1; i < chainEntries.Length; i++)
-                        {
-                            CertificateConverter chainConverter = CertificateConverterFactory.FromBouncyCastleCertificate(chainEntries[i].Certificate);
-                            pemString += chainConverter.ToPEM(true);
-                        }
+                        pemString += CryptographicObjectFormatter.PEM.Format(chainEntries[i].Certificate, false);
                     }
                 }
             }
 
-            storeInfo.Add(new SerializedStoreInfo() { FilePath = storePath+storeFileName, Contents = Encoding.ASCII.GetBytes(pemString) });
+            storeInfo.Add(new SerializedStoreInfo() { FilePath = storePath + storeFileName, Contents = Encoding.ASCII.GetBytes(pemString) });
             if (!string.IsNullOrEmpty(SeparatePrivateKeyFilePath))
                 storeInfo.Add(new SerializedStoreInfo() { FilePath = SeparatePrivateKeyFilePath, Contents = Encoding.ASCII.GetBytes(keyString) });
 
@@ -215,18 +195,10 @@ private X509CertificateEntry[] GetCertificates(string certificates)
 
             try
             {
-                while (certificates.Contains(CertDelimBeg))
-                {
-                    int certStart = certificates.IndexOf(CertDelimBeg);
-                    int certLength = certificates.IndexOf(CertDelimEnd) + CertDelimEnd.Length - certStart;
-                    string certificate = certificates.Substring(certStart, certLength);
-
-                    CertificateConverter c2 = CertificateConverterFactory.FromPEM(Encoding.ASCII.GetBytes(certificate.Replace(CertDelimBeg, string.Empty).Replace(CertDelimEnd, string.Empty)));
-                    X509Certificate bcCert = c2.ToBouncyCastleCertificate();
-                    certificateEntries.Add(new X509CertificateEntry(bcCert));
-
-                    certificates = certificates.Substring(certStart + certLength - 1);
-                }
+                IEnumerable<string> pemCertificates = PemUtilities.SplitCollection(certificates);
+                certificateEntries.AddRange(pemCertificates.Select(cert =>
+                    new X509CertificateEntry(new X509Certificate(CryptographicObjectFormatter.DER.Format(cert))))
+                );
             }
             catch (Exception ex)
             {

RemoteFile/Discovery.cs

@@ -8,15 +8,18 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Security.Cryptography.X509Certificates;
 
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Logging;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
+using Keyfactor.PKI.Extensions;
 
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
+using Org.BouncyCastle.Pkcs;
+using System.Security.Cryptography.X509Certificates;
+using Keyfactor.PKI.X509;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -38,32 +41,32 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                 SetJobProperties(config, config.CertificateStoreDetails, logger);
 
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, FileTransferProtocol, SSHPort, IncludePortInSPN);
-                certificateStore.Initialize(SudoImpersonatedUser);
+                certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
                 certificateStore.LoadCertificateStore(certificateStoreSerializer, true);
 
-                List<X509Certificate2Collection> collections = certificateStore.GetCertificateChains();
+                List<X509CertificateEntryCollection> collection = certificateStore.GetCertificateChains();
 
                 logger.LogDebug($"Format returned certificates BEGIN");
-                foreach (X509Certificate2Collection collection in collections)
+                foreach (X509CertificateEntryCollection entry in collection)
                 {
-                    if (collection.Count == 0)
+                    if (entry.CertificateChain?.Count > 1)
                         continue;
 
-                    X509Certificate2Ext issuedCertificate = (X509Certificate2Ext)collection[0];
+                    X509CertificateEntry issuedCertificate = entry.CertificateChain[0];
 
                     List<string> certChain = new List<string>();
-                    foreach (X509Certificate2 certificate in collection)
+                    foreach (X509CertificateEntry certificateEntry in entry.CertificateChain)
                     {
-                        certChain.Add(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
-                        logger.LogDebug(Convert.ToBase64String(certificate.Export(X509ContentType.Cert)));
+                        CertificateConverter converter = CertificateConverterFactory.FromBouncyCastleCertificate(certificateEntry.Certificate);
+                        certChain.Add(converter.ToPEM(false));
                     }
-
+                    
                     inventoryItems.Add(new CurrentInventoryItem()
                     {
                         ItemStatus = OrchestratorInventoryItemStatus.Unknown,
-                        Alias = string.IsNullOrEmpty(issuedCertificate.FriendlyNameExt) ? issuedCertificate.Thumbprint : issuedCertificate.FriendlyNameExt,
-                        PrivateKeyEntry = issuedCertificate.HasPrivateKey,
-                        UseChainLevel = collection.Count > 1,
+                        Alias = string.IsNullOrEmpty(entry.Alias) ? BouncyCastleX509Extensions.Thumbprint(issuedCertificate.Certificate) : entry.Alias,
+                        PrivateKeyEntry = entry.HasPrivateKey,
+                        UseChainLevel = entry.CertificateChain.Count > 1,
                         Certificates = certChain.ToArray()
                     });
                 }