Ab#59979

CHANGELOG.md

@@ -1,4 +1,7 @@
-v2.6.1
+v2.7.0
+- Modified RFJKS store type support java keystores of both PKCS12 and JKS
+- Added support for OpenSSH private keys for SSH authentication
+- Bug fix for orchestrators installed on Windows 2016
 - Bug Fix: Supplied Linux user needing password reset could cause orchestrator locking.
 - Bug Fix: Not supplying group for Linux File Owner on Store Creation caused the supplied owner to erroneously be used as the group for the newly create certificate store file.
 - Updgraded Nuget packages for BouncyCastle and Renci.SSH.Net

README.md

@@ -15,7 +15,7 @@ The Universal Orchestrator is the successor to the Windows Orchestrator. This Or
 
 ## Support for Remote File
 
-Remote File 
+Remote File is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -118,7 +118,7 @@ Use cases supported:
 <details>
 <summary>RFJKS</summary>
 
-The RFJKS store type can be used to manage java keystores of type JKS. **PLEASE NOTE:** Java keystores of type PKCS12 **_cannot_** be managed by the RFJKS type. You **_must_** use RFPkcs12.
+The RFJKS store type can be used to manage java keystores of types JKS or PKCS12. If creating a new java keystore and adding a certificate all via Keyfactor Command, the created java keystore will be of type PKCS12, as java keystores of type JKS have been deprecated as of JDK 9.
 
 Use cases supported:
 1. One-to-many trust entries - A trust entry is considered single certificate without a private key in a certificate store. Each trust entry is identified with a custom alias.
@@ -219,7 +219,10 @@ The version number of a the Remote File Orchestrator Extension can be verified b
 
 2. When orchestrating management of local or external certificate stores, the Remote File Orchestrator Extension makes use of SFTP and/or SCP to transfer files to and from the orchestrated server. SFTP/SCP cannot make use of sudo, so all folders containing certificate stores will need to allow SFTP/SCP file transfer for the user assigned to the certificate store/discovery job. If this is not possible, set the values in the config.json apprpriately to use an alternative upload/download folder that does allow SFTP/SCP file transfer. If the certificate store/discovery job is configured for local (agent) access, the account running the Keyfactor Universal Orchestrator service must have access to read/write to the certificate store location, OR the config.json file must be set up to use the alternative upload/download file. 
 
-3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are supported for the SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. SSH Key Authentication is not available when running locally as an agent.
+3. SSH Key Authentication: When creating a Keyfactor certificate store for the remote file orchestrator extension, you may supply either a user id and password for the certificate store credentials (directly or through one of Keyfactor Command's PAM integrations), or supply a user id and SSH private key. If using the normal Keyfactor Command credentials dialog without PAM integration, just copy and paste the full SSH private key into the Password textbox. SSH Key Authentication is not available when running locally as an agent. The following private key formats are supported: 
+- PKCS#1 (BEGIN RSA PRIVATE KEY) 
+- PKCS#8 (BEGIN PRIVATE KEY)
+- ECDSA OPENSSH (BEGIN OPENSSH PRIVATE KEY) 
 
 Please reference [Configuration File Setup](#configuration-file-setup) for more information on setting up the config.json file and [Certificate Stores and Discovery Jobs](#certificate-stores-and-discovery-jobs) for more information on the items above. 
 </details> 

RemoteFile/ApplicationSettings.cs

@@ -38,6 +38,8 @@ public enum FileTransferProtocolEnum
  public static string DefaultLinuxPermissionsOnStoreCreation { get { return configuration.ContainsKey("DefaultLinuxPermissionsOnStoreCreation") ? configuration["DefaultLinuxPermissionsOnStoreCreation"] : DEFAULT_LINUX_PERMISSION_SETTING; } }
  public static string DefaultOwnerOnStoreCreation { get { return configuration.ContainsKey("DefaultOwnerOnStoreCreation") ? configuration["DefaultOwnerOnStoreCreation"] : DEFAULT_OWNER_SETTING; } }
  public static string DefaultSudoImpersonatedUser { get { return configuration.ContainsKey("DefaultSudoImpersonatedUser") ? configuration["DefaultSudoImpersonatedUser"] : DEFAULT_SUDO_IMPERSONATION_SETTING; } }
+ public static bool CreateCSROnDevice { get { return configuration.ContainsKey("CreateCSROnDevice") ? configuration["CreateCSROnDevice"]?.ToUpper() == "Y" : false; } }
+ public static string TempFilePathForODKG { get { return configuration.ContainsKey("TempFilePathForODKG") ? configuration["TempFilePathForODKG"] : string.Empty; } }
  public static FileTransferProtocolEnum FileTransferProtocol 
  { 
  get 

RemoteFile/Discovery.cs

@@ -22,7 +22,7 @@ namespace Keyfactor.Extensions.Orchestrator.RemoteFile
  public class Discovery: IDiscoveryJobExtension
  {
  public IPAMSecretResolver _resolver;
- public string ExtensionName => "";
+ public string ExtensionName => "Keyfactor.Extensions.Orchestrator.RemoteFile.Discovery";
 
  public Discovery(IPAMSecretResolver resolver)
  {

RemoteFile/ImplementedStoreTypes/DER/Reenrollment.cs

@@ -0,0 +1,24 @@
+// Copyright 2021 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+
+namespace Keyfactor.Extensions.Orchestrator.RemoteFile.DER
+{
+ public class Reenrollment : ReenrollmentBase
+ {
+ internal override ICertificateStoreSerializer GetCertificateStoreSerializer(string storeProperties)
+ {
+ return new DERCertificateStoreSerializer(storeProperties);
+ }
+
+ public Reenrollment(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+ }
+}

RemoteFile/ImplementedStoreTypes/JKS/JKSCertificateStoreSerializer.cs

@@ -9,6 +9,7 @@
 using System.Collections.Generic;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
+using Keyfactor.Extensions.Orchestrator.RemoteFile.PKCS12;
 
 using Keyfactor.Logging;
 
@@ -30,6 +31,8 @@ public JKSCertificateStoreSerializer(string storeProperties)
  logger = LogHandler.GetClassLogger(this.GetType());
  }
 
+ private bool IsTypeJKS { get; set; }
+
  public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, string storePath, string storePassword, IRemoteHandler remoteHandler, bool isInventory)
  {
  logger.MethodEntry(LogLevel.Debug);
@@ -38,42 +41,58 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin
  Pkcs12Store pkcs12Store = storeBuilder.Build();
  Pkcs12Store pkcs12StoreNew = storeBuilder.Build();
 
- JksStore jksStore = new JksStore();
-
  using (MemoryStream ms = new MemoryStream(storeContents))
  {
- jksStore.Load(ms, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+ IsTypeJKS = new JksStore().Probe(ms);
  }
 
- foreach (string alias in jksStore.Aliases)
+ if (IsTypeJKS)
  {
- if (jksStore.IsKeyEntry(alias))
+ logger.LogDebug("Store is of type JKS");
+ JksStore jksStore = new JksStore();
+
+ using (MemoryStream ms = new MemoryStream(storeContents))
  {
- AsymmetricKeyParameter keyParam = jksStore.GetKey(alias, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
- AsymmetricKeyEntry keyEntry = new AsymmetricKeyEntry(keyParam);
+ ms.Position = 0;
+ jksStore.Load(ms, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+ }
 
-  X509Certificate[] certificateChain = jksStore.GetCertificateChain(alias);
-  List<X509CertificateEntry> certificateChainEntries = new List<X509CertificateEntry>();
- foreach (X509Certificate certificate in certificateChain)
+ foreach (string alias in jksStore.Aliases)
+ {
+ if (jksStore.IsKeyEntry(alias))
  {
- certificateChainEntries.Add(new X509CertificateEntry(certificate));
- }
+ AsymmetricKeyParameter keyParam = jksStore.GetKey(alias, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+  AsymmetricKeyEntry keyEntry = new AsymmetricKeyEntry(keyParam);
 
- pkcs12Store.SetKeyEntry(alias, keyEntry, certificateChainEntries.ToArray());
- }
- else
- {
- pkcs12Store.SetCertificateEntry(alias, new X509CertificateEntry(jksStore.GetCertificate(alias)));
+ X509Certificate[] certificateChain = jksStore.GetCertificateChain(alias);
+ List<X509CertificateEntry> certificateChainEntries = new List<X509CertificateEntry>();
+ foreach (X509Certificate certificate in certificateChain)
+ {
+ certificateChainEntries.Add(new X509CertificateEntry(certificate));
+ }
+
+ pkcs12Store.SetKeyEntry(alias, keyEntry, certificateChainEntries.ToArray());
+ }
+ else
+ {
+ pkcs12Store.SetCertificateEntry(alias, new X509CertificateEntry(jksStore.GetCertificate(alias)));
+ }
  }
- }
 
- // Second Pkcs12Store necessary because of an obscure BC bug where creating a Pkcs12Store without .Load (code above using "Set" methods only) does not set all internal hashtables necessary to avoid an error later
- // when processing store.
- MemoryStream ms2 = new MemoryStream();
- pkcs12Store.Save(ms2, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom());
- ms2.Position = 0;
+  // Second Pkcs12Store necessary because of an obscure BC bug where creating a Pkcs12Store without .Load (code above using "Set" methods only) does not set all internal hashtables necessary to avoid an error later
+  // when processing store.
+  MemoryStream ms2 = new MemoryStream();
+  pkcs12Store.Save(ms2, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom());
+  ms2.Position = 0;
 
- pkcs12StoreNew.Load(ms2, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+ pkcs12StoreNew.Load(ms2, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+ }
+ else
+ {
+ logger.LogDebug("Store is of type PKCS12");
+ PKCS12CertificateStoreSerializer pkcs12Serializer = new PKCS12CertificateStoreSerializer(string.Empty);
+ pkcs12StoreNew = pkcs12Serializer.DeserializeRemoteCertificateStore(storeContents, storePath, storePassword, remoteHandler, isInventory);
+ }
 
  logger.MethodExit(LogLevel.Debug);
  return pkcs12StoreNew;
@@ -83,39 +102,50 @@ public List<SerializedStoreInfo> SerializeRemoteCertificateStore(Pkcs12Store cer
  {
  logger.MethodEntry(LogLevel.Debug);
 
- JksStore jksStore = new JksStore();
+ List<SerializedStoreInfo> storeInfo = new List<SerializedStoreInfo>();
 
- foreach (string alias in certificateStore.Aliases)
+ if (IsTypeJKS)
  {
- if (certificateStore.IsKeyEntry(alias))
+ JksStore jksStore = new JksStore();
+
+ foreach (string alias in certificateStore.Aliases)
  {
- AsymmetricKeyEntry keyEntry = certificateStore.GetKey(alias);
- X509CertificateEntry[] certificateChain = certificateStore.GetCertificateChain(alias);
+ if (certificateStore.IsKeyEntry(alias))
+ {
+ AsymmetricKeyEntry keyEntry = certificateStore.GetKey(alias);
+ X509CertificateEntry[] certificateChain = certificateStore.GetCertificateChain(alias);
 
- List<X509Certificate> certificates = new List<X509Certificate>();
- foreach (X509CertificateEntry certificateEntry in certificateChain)
+ List<X509Certificate> certificates = new List<X509Certificate>();
+ foreach (X509CertificateEntry certificateEntry in certificateChain)
+ {
+ certificates.Add(certificateEntry.Certificate);
+ }
+
+ jksStore.SetKeyEntry(alias, keyEntry.Key, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray(), certificates.ToArray());
+ }
+ else
  {
- certificates.Add(certificateEntry.Certificate);
+ jksStore.SetCertificateEntry(alias, certificateStore.GetCertificate(alias).Certificate);
  }
-
- jksStore.SetKeyEntry(alias, keyEntry.Key, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray(), certificates.ToArray());
  }
- else
+
+ using (MemoryStream outStream = new MemoryStream())
  {
- jksStore.SetCertificateEntry(alias, certificateStore.GetCertificate(alias).Certificate);
+ jksStore.Save(outStream, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
+
+ storeInfo.Add(new SerializedStoreInfo() { FilePath = storePath + storeFileName, Contents = outStream.ToArray() });
+
+ logger.MethodExit(LogLevel.Debug);
+ return storeInfo;
  }
  }
-
- using (MemoryStream outStream = new MemoryStream())
+ else
  {
- jksStore.Save(outStream, string.IsNullOrEmpty(storePassword) ? new char[0] : storePassword.ToCharArray());
-
- List<SerializedStoreInfo> storeInfo = new List<SerializedStoreInfo>();
- storeInfo.Add(new SerializedStoreInfo() { FilePath = storePath + storeFileName, Contents = outStream.ToArray() });
-
- logger.MethodExit(LogLevel.Debug);
- return storeInfo;
+ PKCS12CertificateStoreSerializer pkcs12Serializer = new PKCS12CertificateStoreSerializer(string.Empty);
+ storeInfo = pkcs12Serializer.SerializeRemoteCertificateStore(certificateStore, storePath, storeFileName, storePassword, remoteHandler);
  }
+
+ return storeInfo;
  }
 
  public string GetPrivateKeyPath()

RemoteFile/ImplementedStoreTypes/JKS/Reenrollment.cs

@@ -0,0 +1,24 @@
+// Copyright 2021 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+
+namespace Keyfactor.Extensions.Orchestrator.RemoteFile.JKS
+{
+ public class Reenrollment : ReenrollmentBase
+ {
+ internal override ICertificateStoreSerializer GetCertificateStoreSerializer(string storeProperties)
+ {
+ return new JKSCertificateStoreSerializer(storeProperties);
+ }
+
+ public Reenrollment(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+ }
+}

RemoteFile/ImplementedStoreTypes/KDB/Reenrollment.cs

@@ -0,0 +1,24 @@
+// Copyright 2021 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+
+namespace Keyfactor.Extensions.Orchestrator.RemoteFile.KDB
+{
+ public class Reenrollment : ReenrollmentBase
+ {
+ internal override ICertificateStoreSerializer GetCertificateStoreSerializer(string storeProperties)
+ {
+ return new KDBCertificateStoreSerializer(storeProperties);
+ }
+
+ public Reenrollment(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+ }
+}

RemoteFile/ImplementedStoreTypes/OraWlt/Reenrollment.cs

@@ -0,0 +1,25 @@
+// Copyright 2021 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using Keyfactor.Extensions.Orchestrator.RemoteFile.KDB;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+
+namespace Keyfactor.Extensions.Orchestrator.RemoteFile.OraWlt
+{
+ public class Reenrollment : ReenrollmentBase
+ {
+ internal override ICertificateStoreSerializer GetCertificateStoreSerializer(string storeProperties)
+ {
+ return new OraWltCertificateStoreSerializer(storeProperties);
+ }
+
+ public Reenrollment(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+ }
+}