Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding support for optional Azure Key Vault certificate version selection #268

Merged
merged 3 commits into from
Sep 16, 2024
Merged

Adding support for optional Azure Key Vault certificate version selection #268

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a14010f
Adding support for optional Azure Key Vault certificate version selec…
ConcernedCitizen Sep 16, 2024
ce108b5
Merge branch 'main' into cert-version-selection
ConcernedCitizen Sep 16, 2024
40c96e9
Remove unneeded usings.
vcsjones Sep 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/AzureSignTool/AzureKeyVaultSignConfigurationSet.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ public sealed class AzureKeyVaultSignConfigurationSet
public string AzureTenantId { get; init; }
public Uri AzureKeyVaultUrl { get; init; }
public string AzureKeyVaultCertificateName { get; init; }
public string AzureKeyVaultCertificateVersion { get; init; }
public string AzureAccessToken { get; init; }
public string AzureAuthority { get; init; }
}
Expand Down
18 changes: 14 additions & 4 deletions src/AzureSignTool/KeyVaultConfigurationDiscoverer.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

using Microsoft.Extensions.Logging;
using System;
using System.ComponentModel.DataAnnotations;
using System.Globalization;
vcsjones marked this conversation as resolved.
Show resolved Hide resolved
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

Expand Down Expand Up @@ -47,14 +49,22 @@ public async Task<ErrorOr<AzureKeyVaultMaterializedConfiguration>> Materialize(A


X509Certificate2 certificate;
KeyVaultCertificateWithPolicy azureCertificate;
KeyVaultCertificate azureCertificate;
try
{
var certClient = new CertificateClient(configuration.AzureKeyVaultUrl, credential);

_logger.LogTrace($"Retrieving certificate {configuration.AzureKeyVaultCertificateName}.");
azureCertificate = (await certClient.GetCertificateAsync(configuration.AzureKeyVaultCertificateName).ConfigureAwait(false)).Value;
_logger.LogTrace($"Retrieved certificate {configuration.AzureKeyVaultCertificateName}.");
if (!string.IsNullOrWhiteSpace(configuration.AzureKeyVaultCertificateVersion))
{
_logger.LogTrace($"Retrieving version [{configuration.AzureKeyVaultCertificateVersion}] of certificate {configuration.AzureKeyVaultCertificateName}.");
azureCertificate = (await certClient.GetCertificateVersionAsync(configuration.AzureKeyVaultCertificateName, configuration.AzureKeyVaultCertificateVersion).ConfigureAwait(false)).Value;
}
else
{
_logger.LogTrace($"Retrieving current version of certificate {configuration.AzureKeyVaultCertificateName}.");
azureCertificate = (await certClient.GetCertificateAsync(configuration.AzureKeyVaultCertificateName).ConfigureAwait(false)).Value;
}
_logger.LogTrace($"Retrieved certificate with Id {azureCertificate.Id}.");

certificate = new X509Certificate2(azureCertificate.Cer);
}
Expand Down
7 changes: 5 additions & 2 deletions src/AzureSignTool/Program.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ internal sealed class SignCommand : Command
internal string? KeyVaultClientSecret { get; set; }
internal string? KeyVaultTenantId { get; set; }
internal string? KeyVaultCertificate { get; set; }
internal string? KeyVaultCertificateVersion { get; set; }
internal string? KeyVaultAccessToken { get; set; }
internal bool UseManagedIdentity { get; set; }
internal string? SignDescription { get; set; }
Expand Down Expand Up @@ -150,16 +151,17 @@ public SignCommand() : base("sign", "Sign a file.", null)
this.Add("kvs|azure-key-vault-client-secret=", "The Client Secret to authenticate to the Azure Key Vault.", v => KeyVaultClientSecret = v);
this.Add("kvt|azure-key-vault-tenant-id=", "The Tenant Id to authenticate to the Azure Key Vault.", v => KeyVaultTenantId = v);
this.Add("kvc|azure-key-vault-certificate=", "The name of the certificate in Azure Key Vault.", v => KeyVaultCertificate = v);
this.Add("kvcv|azure-key-vault-certificate-version=", "The version of the certificate in Azure Key Vault to use. The current version of the certificate is used by default.", v => KeyVaultCertificateVersion = v);
this.Add("kva|azure-key-vault-accesstoken=", "The Access Token to authenticate to the Azure Key Vault.", v => KeyVaultAccessToken = v);
this.Add("kvm|azure-key-vault-managed-identity", "Use the current Azure mananaged identity.", v => UseManagedIdentity = v is not null);
this.Add("kvm|azure-key-vault-managed-identity", "Use the current Azure managed identity.", v => UseManagedIdentity = v is not null);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

this.Add("d|description=", "Provide a description of the signed content.", v => SignDescription = v);
this.Add("du|description-url=", "Provide a URL with more information about the signed content.", v => SignDescriptionUrl = v);
this.Add("tr|timestamp-rfc3161=", "Specifies the RFC 3161 timestamp server's URL. If this option (or -t) is not specified, the signed file will not be timestamped.", v => Rfc3161TimestampUrl = v);
this.Add("td|timestamp-digest=", "Used with the -tr switch to request a digest algorithm used by the RFC 3161 timestamp server.", v => TimestampDigestAlgorithm = v);
this.Add("fd|file-digest=", "The digest algorithm to hash the file with.", v => FileDigestAlgorithm = v);
this.Add("t|timestamp-authenticode=", "Specify the legacy timestamp server's URL. This option is generally not recommended. Use the --timestamp-rfc3161 option instead.", v => AuthenticodeTimestampUrl = v);
this.Add("ac|additional-certificates=", "Specify one or more certificates to include in the public certificate chain.", AdditionalCertificates);
this.Add("v|verbose", "Specify one or more certificates to include in the public certificate chain.", v => Verbose = v is not null);
this.Add("v|verbose", "Include additional output in the log. This parameter does not accept a value and cannot be combine with the --quiet option.", v => Verbose = v is not null);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohh extra thank you.

this.Add("q|quiet", "Do not print any output to the console.", v => Quiet = v is not null);
this.Add("ph|page-hashing", "Generate page hashes for executable files if supported.", v => PageHashing = v is not null);
this.Add("nph|no-page-hashing", "Suppress page hashes for executable files if supported.", v => NoPageHashing = v is not null);
Expand Down Expand Up @@ -212,6 +214,7 @@ private async ValueTask<int> RunSign()
{
AzureKeyVaultUrl = new Uri(KeyVaultUrl!),
AzureKeyVaultCertificateName = KeyVaultCertificate,
AzureKeyVaultCertificateVersion = KeyVaultCertificateVersion,
AzureClientId = KeyVaultClientId,
AzureTenantId = KeyVaultTenantId,
AzureAccessToken = KeyVaultAccessToken,
Expand Down