4gust/cca 256sha support (#562)

* Updated the Algo to PR256

* Updated the token header keys

* reformat code

* Added that ADFS and dSTS uses sha1 algo

* Add ADFS and DSTS signing support with RS256 algorithm

* refactoring code

* added comment on nosec issue

* Fetching cert from env directly

* Added temp running on pipeline

* Added secret to yaml file

* secret name changed

* Update build_test.yaml

* Update build_test.yaml

* Update build_test.yaml

* Update build_test.yaml

* Removed the branch name from pipeline

* Update apps/tests/integration/integration_test.go

Co-authored-by: Charles Lowell <[email protected]>

* Update apps/tests/integration/integration_test.go

Co-authored-by: Charles Lowell <[email protected]>

Co-authored-by: Charles Lowell <[email protected]>

Author: 4gust

ado/build_test.yaml

@@ -5,7 +5,7 @@ pr:
   autoCancel: false
   branches:
     include:
-    - main
+      - main
 
 pool:
   vmImage: "ubuntu-latest"
@@ -29,22 +29,24 @@ steps:
   - task: Go@0
     inputs:
       command: "test"
-      arguments: "-race -short ./apps/cache/... ./apps/confidential/... ./apps/public/... ./apps/internal/..."
+      arguments: "-race -short ./apps/cache/... ./apps/confidential/... ./apps/public/... ./apps/internal/... ./apps/managedidentity/..."
       workingDirectory: "$(System.DefaultWorkingDirectory)"
     displayName: "Run Unit Tests"
   - task: AzureKeyVault@2
     displayName: "Connect to Key Vault"
     inputs:
       azureSubscription: "AuthSdkResourceManager"
       KeyVaultName: "msidlabs"
-      SecretsFilter: "LabAuth"
+      SecretsFilter: "LabAuth,IDLABS-APP-Confidential-Client-Cert-OnPrem"
   - task: Bash@3
     displayName: Installing certificate
     inputs:
       targetType: "inline"
       script: |
         echo $(LabAuth) | base64 -d > $(Build.SourcesDirectory)/cert.pfx
-        openssl pkcs12 -in $(Build.SourcesDirectory)/cert.pfx -out $(Build.SourcesDirectory)/cert.pem -nodes -passin pass:''
+        OPENSSL_CONF=/dev/null openssl pkcs12 -in $(Build.SourcesDirectory)/cert.pfx -out $(Build.SourcesDirectory)/cert.pem -nodes -passin pass:'' -legacy
+        echo "$(IDLABS-APP-Confidential-Client-Cert-OnPrem)" | base64 -d > $(Build.SourcesDirectory)/ccaCert.pfx
+        OPENSSL_CONF=/dev/null openssl pkcs12 -in $(Build.SourcesDirectory)/ccaCert.pfx -out $(Build.SourcesDirectory)/ccaCert.pem -nodes -passin pass:'' -legacy
 
   - task: Go@0
     inputs:

apps/confidential/confidential_test.go

@@ -605,12 +605,15 @@ func TestInvalidCredential(t *testing.T) {
 
 func TestNewCredFromCert(t *testing.T) {
 	for _, file := range []struct {
-		path     string
-		numCerts int
+		path          string
+		numCerts      int
+		testAuthority string
 	}{
-		{"../testdata/test-cert.pem", 1},
-		{"../testdata/test-cert-chain.pem", 2},
-		{"../testdata/test-cert-chain-reverse.pem", 2},
+		{"../testdata/test-cert.pem", 1, fakeAuthority},
+		{"../testdata/test-cert.pem", 1, "https://fs.msidlab8.com/adfs"},
+		{"../testdata/test-cert.pem", 1, "https://some.url.dsts.core.azure-test.net/dstsv2/7a433bfc-2514-4697-b467-e0933190487f"},
+		{"../testdata/test-cert-chain.pem", 2, fakeAuthority},
+		{"../testdata/test-cert-chain-reverse.pem", 2, fakeAuthority},
 	} {
 		f, err := os.Open(filepath.Clean(file.path))
 		if err != nil {
@@ -651,7 +654,7 @@ func TestNewCredFromCert(t *testing.T) {
 					AccessToken:   token,
 					ExpiresOn:     time.Now().Add(time.Hour),
 					GrantedScopes: accesstokens.Scopes{Slice: tokenScope},
-				}, cred, fakeAuthority, opts...)
+				}, cred, file.testAuthority, opts...)
 				if err != nil {
 					t.Fatal(err)
 				}
@@ -660,8 +663,12 @@ func TestNewCredFromCert(t *testing.T) {
 				client.base.Token.AccessTokens.(*fake.AccessTokens).ValidateAssertion = func(s string) {
 					validated = true
 					tk, err := jwt.Parse(s, func(tk *jwt.Token) (interface{}, error) {
-						if signingMethod, ok := tk.Method.(*jwt.SigningMethodRSA); !ok {
-							t.Fatalf("unexpected signing method %T", signingMethod)
+						algo := jwt.SigningMethodPS256.Alg()
+						if file.testAuthority != fakeAuthority {
+							algo = jwt.SigningMethodRS256.Alg()
+						}
+						if tk.Method.Alg() != algo {
+							t.Fatalf("unexpected signing method %v", tk.Method.Alg())
 						}
 						return verifyingKey, nil
 					})

apps/internal/oauth/ops/accesstokens/accesstokens.go

@@ -17,6 +17,7 @@ import (
 
 	/* #nosec */
 	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -112,19 +113,31 @@ func (c *Credential) JWT(ctx context.Context, authParams authority.AuthParams) (
 		}
 		return c.AssertionCallback(ctx, options)
 	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
+	claims := jwt.MapClaims{
 		"aud": authParams.Endpoints.TokenEndpoint,
 		"exp": json.Number(strconv.FormatInt(time.Now().Add(10*time.Minute).Unix(), 10)),
 		"iss": authParams.ClientID,
 		"jti": uuid.New().String(),
 		"nbf": json.Number(strconv.FormatInt(time.Now().Unix(), 10)),
 		"sub": authParams.ClientID,
-	})
+	}
+
+	isADFSorDSTS := authParams.AuthorityInfo.AuthorityType == authority.ADFS ||
+		authParams.AuthorityInfo.AuthorityType == authority.DSTS
+
+	var signingMethod jwt.SigningMethod = jwt.SigningMethodPS256
+	thumbprintKey := "x5t#S256"
+
+	if isADFSorDSTS {
+		signingMethod = jwt.SigningMethodRS256
+		thumbprintKey = "x5t"
+	}
+
+	token := jwt.NewWithClaims(signingMethod, claims)
 	token.Header = map[string]interface{}{
-		"alg": "RS256",
-		"typ": "JWT",
-		"x5t": base64.StdEncoding.EncodeToString(thumbprint(c.Cert)),
+		"alg":         signingMethod.Alg(),
+		"typ":         "JWT",
+		thumbprintKey: base64.StdEncoding.EncodeToString(thumbprint(c.Cert, signingMethod.Alg())),
 	}
 
 	if authParams.SendX5C {
@@ -133,17 +146,23 @@ func (c *Credential) JWT(ctx context.Context, authParams authority.AuthParams) (
 
 	assertion, err := token.SignedString(c.Key)
 	if err != nil {
-		return "", fmt.Errorf("unable to sign a JWT token using private key: %w", err)
+		return "", fmt.Errorf("unable to sign JWT token: %w", err)
 	}
+
 	return assertion, nil
 }
 
 // thumbprint runs the asn1.Der bytes through sha1 for use in the x5t parameter of JWT.
 // https://tools.ietf.org/html/rfc7517#section-4.8
-func thumbprint(cert *x509.Certificate) []byte {
-	/* #nosec */
-	a := sha1.Sum(cert.Raw)
-	return a[:]
+func thumbprint(cert *x509.Certificate, alg string) []byte {
+	switch alg {
+	case jwt.SigningMethodRS256.Name: // identity providers like ADFS don't support SHA256 assertions, so need to support this
+		hash := sha1.Sum(cert.Raw) /* #nosec */
+		return hash[:]
+	default:
+		hash := sha256.Sum256(cert.Raw)
+		return hash[:]
+	}
 }
 
 // Client represents the REST calls to get tokens from token generator backends.

apps/tests/integration/integration_test.go

@@ -37,6 +37,7 @@ const (
 	// Default values
 	defaultClientId = "f62c5ae3-bf3a-4af5-afa8-a68b800396e9"
 	pemFile         = "../../../cert.pem"
+	ccaPemFile      = "../../../ccaCert.pem"
 )
 
 var httpClient = http.Client{}
@@ -96,7 +97,7 @@ type secret struct {
 }
 
 func newLabClient() (*labClient, error) {
-	cert, privateKey, err := getCertDataFromFile()
+	cert, privateKey, err := getCertDataFromFile(pemFile)
 	if err != nil {
 		return nil, fmt.Errorf("Could not get cert data: %w", err)
 	}
@@ -114,8 +115,8 @@ func newLabClient() (*labClient, error) {
 	return &labClient{app: app}, nil
 }
 
-func getCertDataFromFile() ([]*x509.Certificate, crypto.PrivateKey, error) {
-	data, err := os.ReadFile(pemFile)
+func getCertDataFromFile(filePath string) ([]*x509.Certificate, crypto.PrivateKey, error) {
+	data, err := os.ReadFile(filePath)
 	if err != nil {
 		fmt.Printf("Error finding certificate: %v\n", err)
 	}
@@ -480,3 +481,33 @@ func TestAccountFromCache(t *testing.T) {
 	}
 
 }
+
+func TestAdfsToken(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	cert, privateKey, err := getCertDataFromFile(ccaPemFile)
+	if err != nil {
+		t.Fatal("Could not get cert data: %w", err)
+	}
+
+	cred, err := confidential.NewCredFromCert(cert, privateKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	app, err := confidential.New("https://fs.msidlab8.com/adfs", "ConfidentialClientId", cred)
+	if err != nil {
+		t.Fatal(err)
+	}
+	scopes := []string{"openid"}
+	result, err := app.AcquireTokenByCredential(context.Background(), scopes)
+	if err != nil {
+		t.Fatalf("TestConfidentialClientwithSecret: on AcquireTokenByCredential(): got err == %s, want err == nil", errors.Verbose(err))
+	}
+	if result.AccessToken == "" {
+		t.Fatal("TestConfidentialClientwithSecret: on AcquireTokenByCredential(): got AccessToken == '', want AccessToken != ''")
+	}
+
+}