Add PEM support

javiercn · javiercn · commit fbe5489dfdd5 · 2020-07-01T14:17:14.000-07:00
diff --git a/src/Servers/Kestrel/Core/src/CoreStrings.resx b/src/Servers/Kestrel/Core/src/CoreStrings.resx
@@ -614,4 +614,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="ArgumentTimeSpanGreaterOrEqual" xml:space="preserve">
     <value>A TimeSpan value greater than or equal to {value} is required.</value>
   </data>
+  <data name="InvalidPemKey" xml:space="preserve">
+    <value>The provided key file is missing or invalid.</value>
+  </data>
 </root>
diff --git a/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs b/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs
@@ -205,6 +205,8 @@ public CertificateConfig(IConfigurationSection configSection)
 
         public string Path { get; set; }
 
+        public string KeyPath { get; set; }
+
         public string Password { get; set; }
 
         // Cert store
diff --git a/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs b/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
@@ -436,6 +436,23 @@ private X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endp
             else if (certInfo.IsFileCert)
             {
                 var env = Options.ApplicationServices.GetRequiredService<IHostEnvironment>();
+                if (certInfo.KeyPath != null)
+                {
+                    if (TryReadPemRSAKey(certInfo, out var rsaKey))
+                    {
+                        var publicCertificate = new X509Certificate2(Path.Combine(env.ContentRootPath, certInfo.Path));
+                        return publicCertificate.CopyWithPrivateKey(rsaKey);
+                    }
+
+                    if (TryReadPemDSAKey(certInfo, out var dsaKey))
+                    {
+                        var publicCertificate = new X509Certificate2(Path.Combine(env.ContentRootPath, certInfo.Path));
+                        return publicCertificate.CopyWithPrivateKey(dsaKey);
+                    }
+
+                    throw new InvalidOperationException(CoreStrings.InvalidPemKey);
+                }
+
                 return new X509Certificate2(Path.Combine(env.ContentRootPath, certInfo.Path), certInfo.Password);
             }
             else if (certInfo.IsStoreCert)
@@ -445,6 +462,52 @@ private X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endp
             return null;
         }
 
+        private static bool TryReadPemRSAKey(CertificateConfig certInfo, out RSA key)
+        {
+            try
+            {
+                var rsaKey = RSA.Create();
+                if (certInfo.Password == null)
+                {
+                    rsaKey.ImportFromPem(File.ReadAllText(certInfo.KeyPath));
+                }
+                else
+                {
+                    rsaKey.ImportFromEncryptedPem(File.ReadAllText(certInfo.KeyPath), certInfo.Password);
+                }
+                key = rsaKey;
+                return true;
+            }
+            catch
+            {
+                key = null;
+                return false;
+            }
+        }
+
+        private static bool TryReadPemDSAKey(CertificateConfig certInfo, out DSA dsaKey)
+        {
+            try
+            {
+                var dsa = DSA.Create();
+                if (certInfo.Password == null)
+                {
+                    dsa.ImportFromPem(File.ReadAllText(certInfo.KeyPath));
+                }
+                else
+                {
+                    dsa.ImportFromEncryptedPem(File.ReadAllText(certInfo.KeyPath), certInfo.Password);
+                }
+                dsaKey = dsa;
+                return true;
+            }
+            catch
+            {
+                dsaKey = null;
+                return false;
+            }
+        }
+
         private static X509Certificate2 LoadFromStoreCert(CertificateConfig certInfo)
         {
             var subject = certInfo.Subject;
diff --git a/src/Servers/Kestrel/Core/test/Microsoft.AspNetCore.Server.Kestrel.Core.Tests.csproj b/src/Servers/Kestrel/Core/test/Microsoft.AspNetCore.Server.Kestrel.Core.Tests.csproj
@@ -13,6 +13,8 @@
     <Compile Include="$(KestrelSharedSourceRoot)test\*.cs" LinkBase="shared" />
     <Compile Include="$(KestrelSharedSourceRoot)KnownHeaders.cs" LinkBase="shared" />
     <Content Include="$(KestrelSharedSourceRoot)test\TestCertificates\*.pfx" LinkBase="shared\TestCertificates" CopyToOutputDirectory="PreserveNewest" />
+    <Content Include="$(KestrelSharedSourceRoot)test\TestCertificates\*.crt" LinkBase="shared\TestCertificates" CopyToOutputDirectory="PreserveNewest" />
+    <Content Include="$(KestrelSharedSourceRoot)test\TestCertificates\*.key" LinkBase="shared\TestCertificates" CopyToOutputDirectory="PreserveNewest" />
     <Compile Include="$(RepoRoot)src\Shared\Buffers.MemoryPool\*.cs" LinkBase="MemoryPool" />
     <Compile Include="$(KestrelSharedSourceRoot)\CorrelationIdGenerator.cs" Link="Internal\CorrelationIdGenerator.cs" />
     <Compile Include="$(SharedSourceRoot)test\Shared.Tests\runtime\**\*.cs" Link="Shared\runtime\%(Filename)%(Extension)" />
diff --git a/src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs b/src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
@@ -25,7 +25,7 @@ public class KestrelConfigurationLoaderTests
         private KestrelServerOptions CreateServerOptions()
         {
             var serverOptions = new KestrelServerOptions();
-            var env = new MockHostingEnvironment { ApplicationName = "TestApplication" };
+            var env = new MockHostingEnvironment { ApplicationName = "TestApplication", ContentRootPath = Directory.GetCurrentDirectory() };
             serverOptions.ApplicationServices = new ServiceCollection()
                 .AddLogging()
                 .AddSingleton<IHostEnvironment>(env)
@@ -254,6 +254,141 @@ public void ConfigureEndpointDevelopmentCertificateGetsLoadedWhenPresent()
             }
         }
 
+        [Fact]
+        public void ConfigureEndpoint_CanLoadRsaPemCerts()
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("https-rsa.crt"));
+
+            var ran1 = false;
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                    new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
+                    new KeyValuePair<string, string>("Certificates:Default:Path", Path.Combine("shared", "TestCertificates", "https-rsa.crt")),
+                    new KeyValuePair<string, string>("Certificates:Default:KeyPath", Path.Combine("shared", "TestCertificates", "https-rsa.key")),
+                }).Build();
+
+            serverOptions
+                .Configure(config)
+                .Endpoint("End1", opt =>
+                {
+                    ran1 = true;
+                    Assert.True(opt.IsHttps);
+                    Assert.Equal(opt.HttpsOptions.ServerCertificate.SerialNumber, certificate.SerialNumber);
+                }).Load();
+
+            Assert.True(ran1);
+            Assert.NotNull(serverOptions.DefaultCertificate);
+        }
+
+        [Fact]
+        public void ConfigureEndpoint_CanLoadProtectedRsaPemCerts()
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("https-aspnet.crt"));
+
+            var ran1 = false;
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                    new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
+                    new KeyValuePair<string, string>("Certificates:Default:Path", Path.Combine("shared", "TestCertificates", "https-aspnet.crt")),
+                    new KeyValuePair<string, string>("Certificates:Default:KeyPath", Path.Combine("shared", "TestCertificates", "https-aspnet.key")),
+                    new KeyValuePair<string, string>("Certificates:Default:Password", "aspnetcore"),
+                }).Build();
+
+            serverOptions
+                .Configure(config)
+                .Endpoint("End1", opt =>
+                {
+                    ran1 = true;
+                    Assert.True(opt.IsHttps);
+                    Assert.Equal(opt.HttpsOptions.ServerCertificate.SerialNumber, certificate.SerialNumber);
+                }).Load();
+
+            Assert.True(ran1);
+            Assert.NotNull(serverOptions.DefaultCertificate);
+        }
+
+        [Fact]
+        public void ConfigureEndpoint_ThrowsWhen_TheKeyCannotBeRead()
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("https-aspnet.crt"));
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                    new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
+                    new KeyValuePair<string, string>("Certificates:Default:Path", Path.Combine("shared", "TestCertificates", "https-aspnet.crt")),
+                    new KeyValuePair<string, string>("Certificates:Default:KeyPath", Path.Combine("shared", "TestCertificates", "https-aspnet.key"))
+                }).Build();
+
+            var ex = Assert.Throws<InvalidOperationException>(() =>
+            {
+                serverOptions
+                    .Configure(config)
+                    .Endpoint("End1", opt =>
+                    {
+                        Assert.True(opt.IsHttps);
+                    }).Load();
+            });
+            Assert.Equal(CoreStrings.InvalidPemKey, ex.Message);
+        }
+
+        [Fact]
+        public void ConfigureEndpoint_CanLoadDsaPemCerts()
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("https-dsa.crt"));
+
+            var ran1 = false;
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                    new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
+                    new KeyValuePair<string, string>("Certificates:Default:Path", Path.Combine("shared", "TestCertificates", "https-dsa.crt")),
+                    new KeyValuePair<string, string>("Certificates:Default:KeyPath", Path.Combine("shared", "TestCertificates", "https-dsa.key")),
+                    new KeyValuePair<string, string>("Certificates:Default:Password", "asdf"),
+                }).Build();
+
+            serverOptions
+                .Configure(config)
+                .Endpoint("End1", opt =>
+                {
+                    ran1 = true;
+                    Assert.True(opt.IsHttps);
+                    Assert.Equal(opt.HttpsOptions.ServerCertificate.SerialNumber, certificate.SerialNumber);
+                }).Load();
+
+            Assert.True(ran1);
+            Assert.NotNull(serverOptions.DefaultCertificate);
+        }
+
+        [Fact]
+        public void ConfigureEndpoint_CanLoadUnprotectedDsaPemCerts()
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("https-dsa.crt"));
+
+            var ran1 = false;
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                    new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
+                    new KeyValuePair<string, string>("Certificates:Default:Path", Path.Combine("shared", "TestCertificates", "https-dsa.crt")),
+                    new KeyValuePair<string, string>("Certificates:Default:KeyPath", Path.Combine("shared", "TestCertificates", "https-dsa-no-pass.key")),
+                }).Build();
+
+            serverOptions
+                .Configure(config)
+                .Endpoint("End1", opt =>
+                {
+                    ran1 = true;
+                    Assert.True(opt.IsHttps);
+                    Assert.Equal(opt.HttpsOptions.ServerCertificate.SerialNumber, certificate.SerialNumber);
+                }).Load();
+
+            Assert.True(ran1);
+            Assert.NotNull(serverOptions.DefaultCertificate);
+        }
+
         [Fact]
         public void ConfigureEndpointDevelopmentCertificateGetsIgnoredIfPasswordIsNotCorrect()
         {
diff --git a/src/Servers/Kestrel/Kestrel/test/Microsoft.AspNetCore.Server.Kestrel.Tests.csproj b/src/Servers/Kestrel/Kestrel/test/Microsoft.AspNetCore.Server.Kestrel.Tests.csproj
@@ -8,6 +8,8 @@
     <Compile Include="$(SharedSourceRoot)NullScope.cs" />
     <Compile Include="$(KestrelSharedSourceRoot)test\*.cs" LinkBase="shared" />
     <Content Include="$(KestrelSharedSourceRoot)test\TestCertificates\*.pfx" LinkBase="shared\TestCertificates" CopyToOutputDirectory="PreserveNewest" />
+    <Content Include="$(KestrelSharedSourceRoot)test\TestCertificates\*.crt" LinkBase="shared\TestCertificates" CopyToOutputDirectory="PreserveNewest" />
+    <Content Include="$(KestrelSharedSourceRoot)test\TestCertificates\*.key" LinkBase="shared\TestCertificates" CopyToOutputDirectory="PreserveNewest" />
     <Content Include="$(KestrelRoot)Core\src\Internal\Http\HttpHeaders.Generated.cs" LinkBase="shared\GeneratedContent" CopyToOutputDirectory="PreserveNewest" />
     <Content Include="$(KestrelRoot)Core\src\Internal\Http\HttpProtocol.Generated.cs" LinkBase="shared\GeneratedContent" CopyToOutputDirectory="PreserveNewest" />
     <Content Include="$(KestrelRoot)Core\src\Internal\Infrastructure\HttpUtilities.Generated.cs" LinkBase="shared\GeneratedContent" CopyToOutputDirectory="PreserveNewest" />
