New JKS File Store never gets returned in AddOrRemoveCert #26

@fredwlau

Description

I'm not sure if I'm understanding this incorrectly, but I'm trying to modify this plugin to:

  • Support reenrollment by generating the private key and CSR in the orchestrator memory and calling SubmitReenrollmentCSR.Invoke
  • Align with the existing keystore types that are currently supported [JKS, PKCS12, PFX]
  • Create a new keystore every time

To achieve this I converted the PEM content into a Pkcs12Blob and wrote an additional AddCertificate function like this (entryContents is the base64 encoded pkcs12blob):

public string AddCertificate(string alias, string pfxPassword, string entryContents)
{
    logger.MethodEntry();

    //logger.LogTrace("converting base64 encoded jks store to binary.");
    //var jksBytes = Convert.FromBase64String(storeFileContent);

    //pass null jksBytes to force creation of new JKS
    byte[] jksBytes = null;
    var newCertBytes = Convert.FromBase64String(entryContents);

    logger.LogTrace("adding the new certificate, and getting the new JKS store bytes.");
    var newJksBytes = AddOrRemoveCert(alias, pfxPassword, newCertBytes, jksBytes, pfxPassword);

    return Convert.ToBase64String(newJksBytes);
}

I haven't modified the AddOrRemoveCert method.

While stepping through this in a unit test, this part of the function gets correctly executed because jksBytes is null:

if (createdNewStore)
{
    // If createdNewStore is true, create a new store
    logger.LogDebug("Created new JKS store, setting key entry for alias '{Alias}'", al);
    newJksStore.SetKeyEntry(alias,
        keyEntry.Key,
        string.IsNullOrEmpty(existingStorePassword) ? Array.Empty<char>() : existingStorePassword.ToCharArray(),
        certificates.ToArray());
}

But newJksStore never gets returned from this. After the foreach loop at https://github.com/Keyfactor/hashicorp-vault-orchestrator/blob/main/hashicorp-vault-orchestrator/FileStores/JksFileStore.cs#L204, this always gets executed, returning the existingJksStore (which is null on purpose in our case):

using (var outStream = new MemoryStream())
{
    logger.LogDebug("Saving existing JKS store to outStream");
    existingJksStore.Save(outStream, string.IsNullOrEmpty(existingStorePassword) ? Array.Empty<char>() : existingStorePassword.ToCharArray());

    logger.LogDebug("Returning updated JKS store as byte[]");
    return outStream.ToArray();
}
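One way to make this class of mistake impossible is to track a single store reference instead of an existing/new pair plus a flag, so the store that received the entry is the only one that can be saved. The following is an added example, not the project's own code; it assumes the BouncyCastle Org.BouncyCastle.Security.JksStore type the snippets above appear to use, and the helper names OpenOrCreateStore and SaveStore are hypothetical.

```csharp
using System;
using System.IO;
using Org.BouncyCastle.Security;

static class JksStoreHelpers
{
    // Hypothetical helper: returns the one store the caller will add entries to.
    // A null or empty jksBytes (as AddCertificate above passes) means "create a new store";
    // otherwise the existing store is loaded. Either way there is exactly one reference.
    public static (JksStore Store, bool CreatedNew) OpenOrCreateStore(byte[] jksBytes, string storePassword)
    {
        var store = new JksStore();
        if (jksBytes == null || jksBytes.Length == 0)
            return (store, true);

        using var inStream = new MemoryStream(jksBytes);
        store.Load(inStream, ToPassword(storePassword));
        return (store, false);
    }

    // Hypothetical helper: persists the store that was actually modified. Because the caller
    // only ever holds the store returned by OpenOrCreateStore, the "save existingJksStore while
    // the new entry went into newJksStore" bug from the issue cannot occur here.
    public static byte[] SaveStore(JksStore store, string storePassword)
    {
        if (store == null)
            throw new ArgumentNullException(nameof(store), "no store to save; OpenOrCreateStore must run first");

        using var outStream = new MemoryStream();
        store.Save(outStream, ToPassword(storePassword));
        return outStream.ToArray();
    }

    // Mirrors the password handling in the original snippets: empty password -> empty char[].
    private static char[] ToPassword(string storePassword) =>
        string.IsNullOrEmpty(storePassword) ? Array.Empty<char>() : storePassword.ToCharArray();
}
```

A caller would do `var (store, createdNew) = JksStoreHelpers.OpenOrCreateStore(jksBytes, pwd);`, add the key entry to `store`, then return `JksStoreHelpers.SaveStore(store, pwd)`; the `createdNew` flag is left only for logging, not for choosing what to save.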
