Add certificate password

DavidBoike · DavidBoike · commit 71725b317fca · 2025-01-31T15:31:32.000-06:00
diff --git a/src/ServiceControl.Audit.Persistence.RavenDB/RavenPersistenceConfiguration.cs b/src/ServiceControl.Audit.Persistence.RavenDB/RavenPersistenceConfiguration.cs
@@ -14,6 +14,7 @@ public class RavenPersistenceConfiguration : IPersistenceConfiguration
         public const string ConnectionStringKey = "RavenDB/ConnectionString";
         public const string ClientCertificatePathKey = "RavenDB/ClientCertificatePath";
         public const string ClientCertificateBase64Key = "RavenDB/ClientCertificateBase64";
+        public const string ClientCertificatePasswordKey = "RavenDB/ClientCertificatePassword";
         public const string DatabaseMaintenancePortKey = "DatabaseMaintenancePort";
         public const string ExpirationProcessTimerInSecondsKey = "ExpirationProcessTimerInSeconds";
         public const string LogPathKey = "LogPath";
@@ -28,6 +29,7 @@ public class RavenPersistenceConfiguration : IPersistenceConfiguration
             ConnectionStringKey,
             ClientCertificatePathKey,
             ClientCertificateBase64Key,
+            ClientCertificatePasswordKey,
             DatabaseMaintenancePortKey,
             ExpirationProcessTimerInSecondsKey,
             LogPathKey,
@@ -72,6 +74,10 @@ internal static DatabaseConfiguration GetDatabaseConfiguration(PersistenceSettin
                 {
                     serverConfiguration.ClientCertificateBase64 = clientCertificateBase64;
                 }
+                if (settings.PersisterSpecificSettings.TryGetValue(ClientCertificatePasswordKey, out var clientCertificatePassword))
+                {
+                    serverConfiguration.ClientCertificatePassword = clientCertificatePassword;
+                }
             }
             else
             {
diff --git a/src/ServiceControl.Audit.Persistence.RavenDB/ServerConfiguration.cs b/src/ServiceControl.Audit.Persistence.RavenDB/ServerConfiguration.cs
@@ -22,6 +22,7 @@ public ServerConfiguration(string dbPath, string serverUrl, string logPath, stri
         public string ConnectionString { get; }
         public string ClientCertificatePath { get; internal set; }
         public string ClientCertificateBase64 { get; internal set; }
+        public string ClientCertificatePassword { get; internal set; }
         public bool UseEmbeddedServer { get; }
         public string DbPath { get; internal set; } //Setter for ATT only
         public string ServerUrl { get; }
diff --git a/src/ServiceControl.Persistence.RavenDB/RavenBootstrapper.cs b/src/ServiceControl.Persistence.RavenDB/RavenBootstrapper.cs
@@ -9,6 +9,7 @@ static class RavenBootstrapper
         public const string ConnectionStringKey = "RavenDB/ConnectionString";
         public const string ClientCertificatePathKey = "RavenDB/ClientCertificatePath";
         public const string ClientCertificateBase64Key = "RavenDB/ClientCertificateBase64";
+        public const string ClientCertificatePasswordKey = "RavenDB/ClientCertificatePassword";
         public const string MinimumStorageLeftRequiredForIngestionKey = "MinimumStorageLeftRequiredForIngestion";
         public const string DatabaseNameKey = "RavenDB/DatabaseName";
         public const string LogsPathKey = "LogPath";
diff --git a/src/ServiceControl.Persistence.RavenDB/RavenPersistenceConfiguration.cs b/src/ServiceControl.Persistence.RavenDB/RavenPersistenceConfiguration.cs
@@ -36,6 +36,7 @@ static T GetRequiredSetting<T>(SettingsRootNamespace settingsRootNamespace, stri
                 ConnectionString = SettingsReader.Read<string>(settingsRootNamespace, RavenBootstrapper.ConnectionStringKey),
                 ClientCertificatePath = SettingsReader.Read<string>(settingsRootNamespace, RavenBootstrapper.ClientCertificatePathKey),
                 ClientCertificateBase64 = SettingsReader.Read<string>(settingsRootNamespace, RavenBootstrapper.ClientCertificateBase64Key),
+                ClientCertificatePassword = SettingsReader.Read<string>(settingsRootNamespace, RavenBootstrapper.ClientCertificatePasswordKey),
                 DatabaseName = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.DatabaseNameKey, RavenPersisterSettings.DatabaseNameDefault),
                 DatabasePath = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.DatabasePathKey, DefaultDatabaseLocation()),
                 DatabaseMaintenancePort = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.DatabaseMaintenancePortKey, RavenPersisterSettings.DatabaseMaintenancePortDefault),
diff --git a/src/ServiceControl.Persistence.RavenDB/RavenPersisterSettings.cs b/src/ServiceControl.Persistence.RavenDB/RavenPersisterSettings.cs
@@ -26,6 +26,7 @@ class RavenPersisterSettings : PersistenceSettings, IRavenClientCertificateInfo
     public string ConnectionString { get; set; }
     public string ClientCertificatePath { get; set; }
     public string ClientCertificateBase64 { get; set; }
+    public string ClientCertificatePassword { get; set; }
     public bool UseEmbeddedServer => string.IsNullOrWhiteSpace(ConnectionString);
     public string LogPath { get; set; }
     public string LogsMode { get; set; } = LogsModeDefault;
diff --git a/src/ServiceControl.RavenDB/RavenClientCertificate.cs b/src/ServiceControl.RavenDB/RavenClientCertificate.cs
@@ -15,7 +15,7 @@ public static class RavenClientCertificate
             try
             {
                 var bytes = Convert.FromBase64String(certInfo.ClientCertificateBase64);
-                return new X509Certificate2(bytes);
+                return new X509Certificate2(bytes, certInfo.ClientCertificatePassword);
             }
             catch (Exception x) when (x is FormatException or CryptographicException)
             {
@@ -25,15 +25,15 @@ public static class RavenClientCertificate
 
         if (certInfo.ClientCertificatePath is not null)
         {
-            return new X509Certificate2(certInfo.ClientCertificatePath);
+            return new X509Certificate2(certInfo.ClientCertificatePath, certInfo.ClientCertificatePassword);
         }
 
         var applicationDirectory = Path.GetDirectoryName(Assembly.GetEntryAssembly()?.Location) ?? string.Empty;
         var certificatePath = Path.Combine(applicationDirectory, "raven-client-certificate.pfx");
 
         if (File.Exists(certificatePath))
         {
-            return new X509Certificate2(certificatePath);
+            return new X509Certificate2(certificatePath, certInfo.ClientCertificatePassword);
         }
         return null;
     }
@@ -43,4 +43,5 @@ public interface IRavenClientCertificateInfo
 {
     string? ClientCertificatePath { get; }
     string? ClientCertificateBase64 { get; }
+    string? ClientCertificatePassword { get; }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ public static class RavenClientCertificate`
`15`	`15`	`try`
`16`	`16`	`{`
`17`	`17`	`var bytes = Convert.FromBase64String(certInfo.ClientCertificateBase64);`
`18`		`- return new X509Certificate2(bytes);`
	`18`	`+ return new X509Certificate2(bytes, certInfo.ClientCertificatePassword);`
`19`	`19`	`}`
`20`	`20`	`catch (Exception x) when (x is FormatException or CryptographicException)`
`21`	`21`	`{`
`@@ -25,15 +25,15 @@ public static class RavenClientCertificate`
`25`	`25`
`26`	`26`	`if (certInfo.ClientCertificatePath is not null)`
`27`	`27`	`{`
`28`		`- return new X509Certificate2(certInfo.ClientCertificatePath);`
	`28`	`+ return new X509Certificate2(certInfo.ClientCertificatePath, certInfo.ClientCertificatePassword);`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`var applicationDirectory = Path.GetDirectoryName(Assembly.GetEntryAssembly()?.Location) ?? string.Empty;`
`32`	`32`	`var certificatePath = Path.Combine(applicationDirectory, "raven-client-certificate.pfx");`
`33`	`33`
`34`	`34`	`if (File.Exists(certificatePath))`
`35`	`35`	`{`
`36`		`- return new X509Certificate2(certificatePath);`
	`36`	`+ return new X509Certificate2(certificatePath, certInfo.ClientCertificatePassword);`
`37`	`37`	`}`
`38`	`38`	`return null;`
`39`	`39`	`}`
`@@ -43,4 +43,5 @@ public interface IRavenClientCertificateInfo`
`43`	`43`	`{`
`44`	`44`	`string? ClientCertificatePath { get; }`
`45`	`45`	`string? ClientCertificateBase64 { get; }`
	`46`	`+ string? ClientCertificatePassword { get; }`
`46`	`47`	`}`