Skip to content

Commit

Permalink
new draft
Browse files Browse the repository at this point in the history
  • Loading branch information
martin-toman committed Oct 15, 2024
1 parent 6db4a56 commit aa0a9ac
Show file tree
Hide file tree
Showing 5 changed files with 32 additions and 18 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -132,12 +132,12 @@ public void DeleteKey()
}
}

public RSA GetKey()
public RSA GetKey(bool useLegacyRsaImpl)
{
return GetKeyFromFile();
return GetKeyFromFile(useLegacyRsaImpl);
}

private RSA GetKeyFromNamedContainer()
private RSA GetKeyFromNamedContainer(bool useLegacyRsaImpl)
{
if (!File.Exists(_keyFile))
{
Expand All @@ -151,7 +151,7 @@ private RSA GetKeyFromNamedContainer()
if (string.IsNullOrEmpty(result.containerName))
{
// we should not get here. GetKeyFromNamedContainer is only called from GetKeyFromFile when result.containerName is not empty
return GetKeyFromFile();
return GetKeyFromFile(useLegacyRsaImpl);
}

if (result.useCng)
Expand All @@ -170,13 +170,24 @@ private RSA GetKeyFromNamedContainer()
Trace.Info("Using RSACryptoServiceProvider");
CspParameters Params = new CspParameters();
Params.KeyContainerName = result.containerName;
Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
var rsa = new RSACryptoServiceProvider(Params);
return rsa;
if (useLegacyRsaImpl)
{
Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
var rsa = new RSACryptoServiceProvider(Params);
return rsa;
}
else
{
Params.Flags |= CspProviderFlags.UseMachineKeyStore;
using (var csp = new RSACryptoServiceProvider(Params))
{
return RSA.Create(csp.ExportParameters(includePrivateParameters: true));
}
}
}
}

private RSA GetKeyFromFile()
private RSA GetKeyFromFile(bool useLegacyRsaImpl)
{
if (!File.Exists(_keyFile))
{
Expand All @@ -190,10 +201,10 @@ private RSA GetKeyFromFile()
if(!string.IsNullOrEmpty(result.containerName))
{
Trace.Info("Keyfile has ContainerName, reading from NamedContainer");
return GetKeyFromNamedContainer();
return GetKeyFromNamedContainer(useLegacyRsaImpl);
}

var rsa = new RSACryptoServiceProvider();
var rsa = useLegacyRsaImpl ? new RSACryptoServiceProvider() : RSA.Create();
rsa.ImportParameters(result.rsaParameters);
return rsa;
}
Expand Down
7 changes: 4 additions & 3 deletions src/Agent.Listener/Configuration/IRSAKeyManager.cs
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,12 @@ public interface IRSAKeyManager : IAgentService
void DeleteKey();

/// <summary>
/// Gets the <c>RSACryptoServiceProvider</c> instance currently stored by the key manager.
/// Gets the <c>RSA</c> instance currently stored by the key manager.
/// </summary>
/// <returns>An <c>RSACryptoServiceProvider</c> instance representing the key for the agent</returns>
/// <param name="useLegacyRsaImpl">Use RSACryptoServiceProvider as the underlying implementation.</param>
/// <returns>An <c>RSA</c> implementation representing the key for the agent</returns>
/// <exception cref="CryptographicException">No key exists in the store</exception>
RSA GetKey();
RSA GetKey(bool useLegacyRsaImpl);
}

public static class IRSAKeyManagerExtensions
Expand Down
2 changes: 1 addition & 1 deletion src/Agent.Listener/Configuration/OAuthCredential.cs
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ public override VssCredentials GetVssCredentials(IHostContext context)
// We expect the key to be in the machine store at this point. Configuration should have set all of
// this up correctly so we can use the key to generate access tokens.
var keyManager = context.GetService<IRSAKeyManager>();
var signingCredentials = VssSigningCredentials.Create(() => keyManager.GetKey());
var signingCredentials = VssSigningCredentials.Create(() => keyManager.GetKey(useLegacyRsaImpl: true)); // RSACryptoServiceProvider is fine for signatures
var clientCredential = new VssOAuthJwtBearerClientCredential(clientId, authorizationUrl, signingCredentials);
var agentCredential = new VssOAuthCredential(new Uri(oathEndpointUrl, UriKind.Absolute), VssOAuthGrant.ClientCredentials, clientCredential);

Expand Down
4 changes: 2 additions & 2 deletions src/Agent.Listener/Configuration/RSAFileKeyManager.cs
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ public void DeleteKey()
}
}

public RSA GetKey()
public RSA GetKey(bool useLegacyRsaImpl)
{
if (!File.Exists(_keyFile))
{
Expand All @@ -80,7 +80,7 @@ public RSA GetKey()
Trace.Info("Loading RSA key parameters from file {0}", _keyFile);

var parameters = IOUtil.LoadObject<RSAParametersSerializable>(_keyFile).RSAParameters;
var rsa = new RSACryptoServiceProvider();
var rsa = useLegacyRsaImpl ? new RSACryptoServiceProvider() : RSA.Create();
rsa.ImportParameters(parameters);
return rsa;
}
Expand Down
6 changes: 4 additions & 2 deletions src/Agent.Listener/MessageListener.cs
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ public async Task<Boolean> CreateSessionAsync(CancellationToken token)
await _agentServer.ConnectAsync(new Uri(serverUrl), creds);
Trace.Info("VssConnection created");

taskAgentSession.AgentCanHandleOaepSHA256 = true;
_session = await _agentServer.CreateAgentSessionAsync(
_settings.PoolId,
taskAgentSession,
Expand Down Expand Up @@ -336,9 +337,10 @@ private ICryptoTransform GetMessageDecryptor(
{
// The agent session encryption key uses the AES symmetric algorithm
var keyManager = HostContext.GetService<IRSAKeyManager>();
using (var rsa = keyManager.GetKey())
RSAEncryptionPadding rsaPadding = _session.EncryptionKey.EncryptionPadding == "OaepSHA256" ? RSAEncryptionPadding.OaepSHA256 : RSAEncryptionPadding.OaepSHA1;
using (var rsa = keyManager.GetKey(useLegacyRsaImpl: rsaPadding == RSAEncryptionPadding.OaepSHA1))
{
return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, RSAEncryptionPadding.OaepSHA1), message.IV);
return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, rsaPadding), message.IV);
}
}
else
Expand Down

0 comments on commit aa0a9ac

Please sign in to comment.