Merge pull request #1418 from PepperDash/fix/devtools-fixex

ndorin · web-flow · commit beb77ec468fc · 2026-05-11T10:59:58.000-06:00
Fix/devtools fixex
diff --git a/src/PepperDash.Core/Logging/DebugWebsocketSink.cs b/src/PepperDash.Core/Logging/DebugWebsocketSink.cs
@@ -15,12 +15,10 @@
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Operators;
-using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Math;
 using Org.BouncyCastle.Pkcs;
 using Org.BouncyCastle.Security;
 using Org.BouncyCastle.X509;
-using System.Security.Cryptography;
 using Serilog.Formatting;
 using Serilog.Formatting.Json;
 
@@ -244,9 +242,10 @@ private static X509Certificate2 LoadOrRecreateCert(string certPath, string certP
 
         /// <summary>
         /// Loads a PKCS#12 file written by BouncyCastle and returns an <see cref="X509Certificate2"/> with
-        /// private key attached via <see cref="RSACryptoServiceProvider"/>.
-        /// Using BouncyCastle's own reader avoids the .NET/Mono PFX parser, which can reject
-        /// BouncyCastle-generated archives on the Crestron runtime.
+        /// private key attached.
+        /// The PFX is parsed and re-encoded by BouncyCastle (ensuring format compatibility), then passed as
+        /// raw bytes to <see cref="X509Certificate2"/> so neither <c>RSACryptoServiceProvider</c> nor the
+        /// <c>EphemeralKeySet</c> flag (unsupported on the Crestron/Mono runtime) is needed.
         /// </summary>
         private static X509Certificate2 LoadCertFromBouncyCastle(string certPath, string certPassword)
         {
@@ -258,24 +257,16 @@ private static X509Certificate2 LoadCertFromBouncyCastle(string certPath, string
                     var store = new Pkcs12StoreBuilder().Build();
                     store.Load(stream, passwordChars);
 
-                    foreach (string alias in store.Aliases)
+                    // Re-encode through BouncyCastle to guarantee PKCS#12 format compatibility,
+                    // then hand raw bytes to X509Certificate2 — no RSACryptoServiceProvider needed.
+                    using (var ms = new MemoryStream())
                     {
-                        if (!store.IsKeyEntry(alias)) continue;
+                        store.Save(ms, passwordChars, new SecureRandom());
+                        var cert = new X509Certificate2(ms.ToArray(), certPassword);
 
-                        var keyEntry = store.GetKey(alias);
-                        var certChain = store.GetCertificateChain(alias);
-                        if (certChain == null || certChain.Length == 0) continue;
-
-                        // Build X509Certificate2 from raw DER — no PFX parsing by .NET needed.
-                        var cert = new X509Certificate2(certChain[0].Certificate.GetEncoded());
-
-                        // Attach the private key via RSACryptoServiceProvider (available on all target runtimes).
-                        var rsaParams = DotNetUtilities.ToRSAParameters(
-                            (RsaPrivateCrtKeyParameters)keyEntry.Key);
-                        var rsa = new RSACryptoServiceProvider();
-                        rsa.PersistKeyInCsp = false;
-                        rsa.ImportParameters(rsaParams);
-                        cert.PrivateKey = rsa;
+                        if (!cert.HasPrivateKey)
+                            throw new InvalidOperationException(
+                                string.Format("Certificate loaded from '{0}' does not contain a private key and cannot be used as a server certificate.", certPath));
 
                         return cert;
                     }
@@ -285,8 +276,6 @@ private static X509Certificate2 LoadCertFromBouncyCastle(string certPath, string
             {
                 Array.Clear(passwordChars, 0, passwordChars.Length);
             }
-
-            throw new InvalidOperationException("No key entry found in PKCS#12 store: " + certPath);
         }
 
         private void Start(int port, string certPath = "", string certPassword = "")
diff --git a/src/PepperDash.Essentials.Core/Web/RequestHandlers/LoginRequestHandler.cs b/src/PepperDash.Essentials.Core/Web/RequestHandlers/LoginRequestHandler.cs
@@ -1,5 +1,6 @@
 
 using System;
+using System.Collections.Generic;
 using Crestron.SimplSharp.CrestronAuthentication;
 using Crestron.SimplSharp.WebScripting;
 using Newtonsoft.Json;
@@ -91,7 +92,19 @@ protected override void HandlePost(HttpCwsContext context)
                 context.Response.StatusDescription = "OK";
                 context.Response.ContentType = "application/json";
                 context.Response.ContentEncoding = System.Text.Encoding.UTF8;
-                context.Response.Write(JsonConvert.SerializeObject(new { Token = token }, Formatting.Indented), false);
+                context.Response.Write(JsonConvert.SerializeObject(
+                     new
+                     {
+                         Token = new LoginResponse
+                         {
+                             UserName = token.UserName,
+                             Access = token.Access,
+                             State = token.State,
+                             Groups = token.Groups,
+                             ADConnect = token.ADConnect,
+                             Valid = token.Valid
+                         }
+                     }, Formatting.Indented), false);
                 context.Response.End();
             }
             catch (System.Exception ex)
@@ -121,4 +134,40 @@ public class LoginRequest
         /// </summary>
         public string Password { get; set; }
     }
+
+    /// <summary>
+    /// Represents a LoginResponse
+    /// </summary>
+    internal class LoginResponse
+    {
+        /// <summary>
+        /// Gets or sets the username.
+        /// </summary>
+        public string UserName { get; set; }
+
+        /// <summary>
+        /// Gets or sets the access level.
+        /// </summary>
+        public Authentication.UserAuthenticationLevelEnum Access { get; set; }
+
+        /// <summary>
+        /// Gets or sets the token authenticated state.
+        /// </summary>
+        public Authentication.eTokenAuthenticatedState State { get; set; }
+
+        /// <summary>
+        /// Gets or sets the list of groups.
+        /// </summary>
+        public List<string> Groups { get; set; }
+
+        /// <summary>
+        /// Gets or sets the active directory connection flag.
+        /// </summary>
+        public int ADConnect { get; set; }
+
+        /// <summary>
+        /// Gets or sets the valid flag indicating whether the token is valid.
+        /// </summary>
+        public bool Valid { get; set; }
+    }
 }
