Merge 789b32c into 3bc366f

Keyfactor · Jul 26, 2024 · 51f86ee · 51f86ee
2 parents 3bc366f + 789b32c
commit 51f86ee
Show file tree

Hide file tree

Showing 12 changed files with 98 additions and 50 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+v2.8.0
+- Added new custom field - Remove Root Certificate from Chain - to allow adding certificate entries with the root CA certificate removed from the chain.
+- Added SSH KeyboardInteractive Authentication support if Password Authentication is not enabled.
+
 v2.7.0
 - Modified RFJKS store type support java keystores of both PKCS12 and JKS
 - Added support for OpenSSH private keys for SSH authentication

diff --git a/README.md b/README.md
diff --git a/RemoteFile/InventoryBase.cs b/RemoteFile/InventoryBase.cs
@@ -31,6 +31,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
             logger.LogDebug($"Begin {config.Capability} for job id {config.JobId}...");
             logger.LogDebug($"Server: { config.CertificateStoreDetails.ClientMachine }");
             logger.LogDebug($"Store Path: { config.CertificateStoreDetails.StorePath }");
+            logger.LogDebug($"Store Properties: {config.CertificateStoreDetails.Properties.ToString()}");
             logger.LogDebug($"Job Properties:");
             foreach (KeyValuePair<string, object> keyValue in config.JobProperties ?? new Dictionary<string,object>())
             {
@@ -54,7 +55,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, userName, userPassword, config.CertificateStoreDetails.StorePath, storePassword, config.JobProperties);
                 certificateStore.Initialize(sudoImpersonatedUser);
-                certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, true);
+                certificateStore.LoadCertificateStore(certificateStoreSerializer, true);
 
                 List<X509Certificate2Collection> collections = certificateStore.GetCertificateChains();
 

diff --git a/RemoteFile/ManagementBase.cs b/RemoteFile/ManagementBase.cs
@@ -29,8 +29,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
         {
             ILogger logger = LogHandler.GetClassLogger(this.GetType());
             logger.LogDebug($"Begin {config.Capability} for job id {config.JobId}...");
-            logger.LogDebug($"Server: { config.CertificateStoreDetails.ClientMachine }");
-            logger.LogDebug($"Store Path: { config.CertificateStoreDetails.StorePath }");
+            logger.LogDebug($"Server: {config.CertificateStoreDetails.ClientMachine}");
+            logger.LogDebug($"Store Path: {config.CertificateStoreDetails.StorePath}");
+            logger.LogDebug($"Store Properties: {config.CertificateStoreDetails.Properties.ToString()}");
             logger.LogDebug($"Job Properties:");
             foreach (KeyValuePair<string, object> keyValue in config.JobProperties == null ? new Dictionary<string, object>() : config.JobProperties)
             {
@@ -50,6 +51,9 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                 string sudoImpersonatedUser = properties.SudoImpersonatedUser == null || string.IsNullOrEmpty(properties.SudoImpersonatedUser.Value) ?
                     ApplicationSettings.DefaultSudoImpersonatedUser :
                     properties.SudoImpersonatedUser.Value;
+                bool removeRootCertificate = properties.RemoveRootCertificate == null || string.IsNullOrEmpty(properties.RemoveRootCertificate.Value) ?
+                    false :
+                    Convert.ToBoolean(properties.RemoveRootCertificate.Value);
 
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, userName, userPassword, config.CertificateStoreDetails.StorePath, storePassword, config.JobProperties);
                 certificateStore.Initialize(sudoImpersonatedUser);
@@ -67,8 +71,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                             else
                                 throw new RemoteFileException($"Certificate store {config.CertificateStoreDetails.StorePath} does not exist on server {config.CertificateStoreDetails.ClientMachine}.");
                         }
-                        certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false);
-                        certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword);
+                        certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
+                        certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, removeRootCertificate);
                         certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler));
 
                         logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
@@ -82,7 +86,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                         }
                         else
                         {
-                            certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false);
+                            certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
                             certificateStore.DeleteCertificateByAlias(config.JobCertificate.Alias);
                             certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler));
                         }

diff --git a/RemoteFile/ReenrollmentBase.cs b/RemoteFile/ReenrollmentBase.cs
@@ -68,6 +68,9 @@ public JobResult ProcessJobToDo(ReenrollmentJobConfiguration config, SubmitReenr
                 string sudoImpersonatedUser = properties.SudoImpersonatedUser == null || string.IsNullOrEmpty(properties.SudoImpersonatedUser.Value) ?
                     ApplicationSettings.DefaultSudoImpersonatedUser :
                     properties.SudoImpersonatedUser.Value;
+                bool removeRootCertificate = properties.RemoveRootCertificate == null || string.IsNullOrEmpty(properties.RemoveRootCertificate.Value) ?
+                    false :
+                    Convert.ToBoolean(properties.RemoveRootCertificate.Value);
                 bool createCSROnDevice = properties.CreateCSROnDevice == null || string.IsNullOrEmpty(properties.CreateCSROnDevice.Value) ?
                     ApplicationSettings.CreateCSROnDevice :
                     Convert.ToBoolean(properties.CreateCSROnDevice.Value);
@@ -118,8 +121,8 @@ public JobResult ProcessJobToDo(ReenrollmentJobConfiguration config, SubmitReenr
                 cert = keyTypeEnum == SupportedKeyTypeEnum.RSA ? cert.CopyWithPrivateKey((RSA)alg) : cert.CopyWithPrivateKey((ECDsa)alg);
 
                 // save certificate
-                certificateStore.LoadCertificateStore(certificateStoreSerializer, config.CertificateStoreDetails.Properties, false);
-                certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null);
+                certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
+                certificateStore.AddCertificate((alias ?? cert.Thumbprint), Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), overwrite, null, removeRootCertificate);
                 certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler));
 
                 logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");

diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs
@@ -103,7 +103,7 @@ internal RemoteCertificateStore(string server, string serverId, string serverPas
             logger.MethodExit(LogLevel.Debug);
         }
 
-        internal void LoadCertificateStore(ICertificateStoreSerializer certificateStoreSerializer, string storeProperties, bool isInventory)
+        internal void LoadCertificateStore(ICertificateStoreSerializer certificateStoreSerializer, bool isInventory)
         {
             logger.MethodEntry(LogLevel.Debug);
 
@@ -242,7 +242,7 @@ internal void CreateCertificateStore(ICertificateStoreSerializer certificateStor
             logger.MethodExit(LogLevel.Debug);
         }
 
-        internal void AddCertificate(string alias, string certificateEntry, bool overwrite, string pfxPassword)
+        internal void AddCertificate(string alias, string certificateEntry, bool overwrite, string pfxPassword, bool removeRootCertificate)
         {
             logger.MethodEntry(LogLevel.Debug);
 
@@ -251,7 +251,9 @@ internal void AddCertificate(string alias, string certificateEntry, bool overwri
                 Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
                 Pkcs12Store certs = storeBuilder.Build();
 
-                byte[] newCertBytes = Convert.FromBase64String(certificateEntry);
+                byte[] newCertBytes = removeRootCertificate && !string.IsNullOrEmpty(pfxPassword) ? 
+                    RemoveRootCertificate(Convert.FromBase64String(certificateEntry), pfxPassword) : 
+                    Convert.FromBase64String(certificateEntry);
 
                 Pkcs12Store newEntry = storeBuilder.Build();
 
@@ -454,11 +456,38 @@ internal void Initialize(string sudoImpersonatedUser)
             else
                 RemoteHandler = new WinRMHandler(Server, ServerId, ServerPassword, treatAsLocal);
 
-            RemoteHandler.Initialize();
-
             logger.MethodExit(LogLevel.Debug);
         }
 
+        private byte[] RemoveRootCertificate(byte[] binCert, string password)
+        {
+            Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
+            Pkcs12Store store = storeBuilder.Build();
+            Pkcs12Store store2 = storeBuilder.Build();
+
+            byte[] rtnCert = new byte[1];
+
+            using (MemoryStream ms = new MemoryStream(binCert))
+            {
+                store.Load(ms, password.ToCharArray());
+            }
+
+            foreach (string alias in store.Aliases)
+            {
+                X509CertificateEntry[] chain = store.GetCertificateChain(alias);
+                chain = chain.Where(p => p.Certificate.SubjectDN.ToString() != p.Certificate.IssuerDN.ToString()).ToArray();
+                store2.SetKeyEntry(alias, store.GetKey(alias), chain);
+
+                using (MemoryStream ms = new MemoryStream())
+                {
+                    store2.Save(ms, password.ToCharArray(), new SecureRandom());
+                    rtnCert = ms.ToArray();
+                }
+            }
+
+            return rtnCert;
+        }
+
         private bool AreValuesSafeRegex(string[] values)
         {
             bool valueIsSafe = true;

diff --git a/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs b/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs
@@ -33,8 +33,6 @@ public static void AreLinuxPermissionsValid(string permissions)
                 throw new RemoteFileException($"Invalid format for Linux file permissions.  This value must be exactly 3 digits long with each digit between 0-7 but found {permissions} instead.");
         }
 
-        public abstract void Initialize();
-
         public abstract void Terminate();
 
         public abstract string RunCommand(string commandText, object[] arguments, bool withSudo, string[] passwordsToMaskInLog);

diff --git a/RemoteFile/RemoteHandlers/IRemoteHandler.cs b/RemoteFile/RemoteHandlers/IRemoteHandler.cs
@@ -13,8 +13,6 @@ namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers
     /// </summary>
     interface IRemoteHandler
     {
-        void Initialize();
-
         void Terminate();
 
         string RunCommand(string commandText, object[] arguments, bool withSudo, string[] passwordsToMaskInLog);

diff --git a/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs b/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs
@@ -27,12 +27,6 @@ class LinuxLocalHandler : BaseRemoteHandler
         private Command BaseCommand { get; set; }
 
         internal LinuxLocalHandler()
-        {
-            _logger.MethodEntry(LogLevel.Debug);
-            _logger.MethodExit(LogLevel.Debug);
-        }
-
-        public override void Initialize()
         {
             _logger.MethodEntry(LogLevel.Debug);
 

diff --git a/RemoteFile/RemoteHandlers/SSHHandler.cs b/RemoteFile/RemoteHandlers/SSHHandler.cs
@@ -18,6 +18,9 @@
 using Keyfactor.Logging;
 using Keyfactor.PKI.PrivateKeys;
 using Keyfactor.PKI.PEM;
+using static Microsoft.ApplicationInsights.MetricDimensionNames.TelemetryContext;
+using Renci.SshNet.Common;
+using Org.BouncyCastle.Bcpg;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers
 {
@@ -26,6 +29,8 @@ class SSHHandler : BaseRemoteHandler
         private ConnectionInfo Connection { get; set; }
         private string SudoImpersonatedUser { get; set; }
         private bool IsStoreServerLinux { get; set; }
+        private string UserId { get; set; }
+        private string Password { get; set; }
         private SshClient sshClient;
 
         internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux, string sudoImpersonatedUser)
@@ -35,11 +40,14 @@ internal SSHHandler(string server, string serverLogin, string serverPassword, bo
             Server = server;
             SudoImpersonatedUser = sudoImpersonatedUser;
             IsStoreServerLinux = isStoreServerLinux;
+            UserId = serverLogin;
+            Password = serverPassword;
 
-            List<AuthenticationMethod> authenticationMethods = new List<AuthenticationMethod>();
             if (serverPassword.Length < PASSWORD_LENGTH_MAX)
             {
-                authenticationMethods.Add(new PasswordAuthenticationMethod(serverLogin, serverPassword));
+                KeyboardInteractiveAuthenticationMethod keyboardAuthentication = new KeyboardInteractiveAuthenticationMethod(UserId);
+                keyboardAuthentication.AuthenticationPrompt += KeyboardAuthentication_AuthenticationPrompt;
+                Connection = new ConnectionInfo(server, serverLogin, new PasswordAuthenticationMethod(serverLogin, serverPassword), keyboardAuthentication);
             }
             else
             {
@@ -60,18 +68,9 @@ internal SSHHandler(string server, string serverLogin, string serverPassword, bo
                     }
                 }
 
-                authenticationMethods.Add(new PrivateKeyAuthenticationMethod(serverLogin, privateKeyFile));
+                Connection = new ConnectionInfo(server, serverLogin, new PrivateKeyAuthenticationMethod(serverLogin, privateKeyFile)); 
             }
 
-            Connection = new ConnectionInfo(server, serverLogin, authenticationMethods.ToArray());
-
-            _logger.MethodExit(LogLevel.Debug);
-        }
-
-        public override void Initialize()
-        {
-            _logger.MethodEntry(LogLevel.Debug);
-
             try
             {
                 sshClient = new SshClient(Connection);
@@ -382,6 +381,17 @@ public override void RemoveCertificateFile(string path, string fileName)
             RunCommand($"rm {path}{fileName}", null, ApplicationSettings.UseSudo, null);
         }
 
+        private void KeyboardAuthentication_AuthenticationPrompt(object sender, AuthenticationPromptEventArgs e)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            foreach (AuthenticationPrompt prompt in e.Prompts)
+            {
+                if (prompt.Request.StartsWith("Password"))
+                    prompt.Response = Password;
+            }
+            _logger.MethodExit(LogLevel.Debug);
+        }
+
         private void SplitStorePathFile(string pathFileName, out string path, out string fileName)
         {
             _logger.MethodEntry(LogLevel.Debug);

diff --git a/RemoteFile/RemoteHandlers/WinRMHandler.cs b/RemoteFile/RemoteHandlers/WinRMHandler.cs
@@ -43,13 +43,6 @@ internal WinRMHandler(string server, string serverLogin, string serverPassword,
                 }
             }
 
-            _logger.MethodExit(LogLevel.Debug);
-        }
-
-        public override void Initialize()
-        {
-            _logger.MethodEntry(LogLevel.Debug);
-
             try
             {
                 if (RunLocal)
@@ -69,8 +62,8 @@ public override void Initialize()
 
             catch (Exception ex)
             {
-                _logger.LogError($"Exception during Initialize...{RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}");
-                throw ex;
+                _logger.LogError($"Exception attempting to connect to server...{RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}");
+                throw;
             }
 
             _logger.MethodExit(LogLevel.Debug);