fix: only fetch valid X.509 certificates from the certificate store (#425)

* fix: only fetch valid X.509 certificates from the certificate store

perf: remove linq code use to improve code generation

* fix: check certificate validity period is valid

* chore: add certificate selection tests.

chore: remove redundant certificate date checks

* Update src/Microsoft.Graph.Cli.Core/Authentication/ClientCertificateCredentialFactory.cs

Co-authored-by: Vincent Biret <[email protected]>

---------

Co-authored-by: Vincent Biret <[email protected]>

Author: calebkiage

src/Microsoft.Graph.Cli.Core.Tests/Authentication/ClientCertificateCredentialFactoryTests.cs

@@ -0,0 +1,52 @@
+using System;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Graph.Cli.Core.Authentication;
+using Xunit;
+
+namespace Microsoft.Graph.Cli.Core.Tests.Authentication;
+
+public class ClientCertificateCredentialFactoryTests
+{
+    [Fact]
+    public void ReturnsNullWhenStoreIsEmpty()
+    {
+        var store = new X509Certificate2Collection();
+
+        var result = ClientCertificateCredentialFactory.FindLatestByValidity(store);
+
+        Assert.Null(result);
+    }
+
+    [Fact]
+    public void ReturnsLatestValidCertificate()
+    {
+        var store = new X509Certificate2Collection
+        {
+            GenerateSelfSignedCertificate("1", new DateTimeOffset(2020, 1, 2, 0, 0, 0, TimeSpan.Zero),
+                new DateTimeOffset(2027, 1, 1, 0, 0, 0, TimeSpan.Zero)),
+            GenerateSelfSignedCertificate("2", new DateTimeOffset(2020, 1, 1, 0, 0, 0, TimeSpan.Zero),
+                new DateTimeOffset(2027, 1, 1, 0, 0, 0, TimeSpan.Zero))
+        };
+
+        var result = ClientCertificateCredentialFactory.FindLatestByValidity(store);
+
+        Assert.NotNull(result);
+        Assert.Equal("CN=1", result.SubjectName.Name);
+    }
+
+    private static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, DateTimeOffset notBefore,
+        DateTimeOffset notAfter)
+    {
+        if (notAfter < notBefore)
+        {
+            throw new ArgumentException("notAfter must be after notBefore");
+        }
+
+        const string secp256R1Oid = "1.2.840.10045.3.1.7";
+        var ecdsa = ECDsa.Create(ECCurve.CreateFromValue(secp256R1Oid));
+        var certRequest = new CertificateRequest($"CN={subjectName}", ecdsa, HashAlgorithmName.SHA256);
+        var generatedCert = certRequest.CreateSelfSigned(notBefore, notAfter);
+        return generatedCert;
+    }
+}

src/Microsoft.Graph.Cli.Core/Authentication/ClientCertificateCredentialFactory.cs

@@ -1,10 +1,8 @@
 using System;
-using System.Linq;
 using System.Security;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Azure.Identity;
-using Microsoft.Graph.Cli.Core.Utils;
 
 namespace Microsoft.Graph.Cli.Core.Authentication;
 
@@ -23,7 +21,8 @@ public static class ClientCertificateCredentialFactory
     /// <param name="authorityHost">The entra authentication endpoint (to use with national clouds)</param>
     /// <returns>A ClientCertificateCredential</returns>
     /// <exception cref="ArgumentNullException">When a null url is provided for the authority host.</exception>
-    public static ClientCertificateCredential GetClientCertificateCredential(string? tenantId, string? clientId, string? certificateName, string? certificateThumbPrint, Uri authorityHost)
+    public static ClientCertificateCredential GetClientCertificateCredential(string? tenantId, string? clientId,
+        string? certificateName, string? certificateThumbPrint, Uri authorityHost)
     {
         if (string.IsNullOrWhiteSpace(certificateName) && string.IsNullOrWhiteSpace(certificateThumbPrint))
         {
@@ -46,11 +45,13 @@ public static ClientCertificateCredential GetClientCertificateCredential(string?
 
         X509Certificate2? certificate;
 
-        if (!string.IsNullOrWhiteSpace(certificateName) && TryGetCertificateFromStore(certificateName, isThumbPrint: false, out certificate))
+        if (!string.IsNullOrWhiteSpace(certificateName) &&
+            TryGetCertificateFromStore(certificateName, isThumbPrint: false, out certificate))
         {
             return new ClientCertificateCredential(tenantId, clientId, certificate, credOptions);
         }
-        else if (!string.IsNullOrWhiteSpace(certificateThumbPrint) && TryGetCertificateFromStore(certificateThumbPrint, isThumbPrint: true, out certificate))
+        else if (!string.IsNullOrWhiteSpace(certificateThumbPrint) &&
+                 TryGetCertificateFromStore(certificateThumbPrint, isThumbPrint: true, out certificate))
         {
             return new ClientCertificateCredential(tenantId, clientId, certificate, credOptions);
         }
@@ -65,7 +66,8 @@ public static ClientCertificateCredential GetClientCertificateCredential(string?
     /// <param name="isThumbPrint">If true, try to find the certificate by the thumb print.</param>
     /// <param name="certificate">A matching unexpired certificate from the store.</param>
     /// <returns>Returns true if the certificate was fetched successfully.</returns>
-    internal static bool TryGetCertificateFromStore(string certificateNameOrThumbPrint, bool isThumbPrint, out X509Certificate2? certificate)
+    internal static bool TryGetCertificateFromStore(string certificateNameOrThumbPrint, bool isThumbPrint,
+        out X509Certificate2? certificate)
     {
         bool result = false;
         certificate = null;
@@ -74,19 +76,18 @@ internal static bool TryGetCertificateFromStore(string certificateNameOrThumbPri
         try
         {
             store.Open(OpenFlags.ReadOnly);
-
-            // If using a certificate with a trusted root you do not need to FindByTimeValid, instead:
-            // currentCerts.Find(X509FindType.FindBySubjectDistinguishedName, certName, true);
-            X509Certificate2Collection signingCerts = store.Certificates.Find(X509FindType.FindByTimeValid, DateTime.Now, false)
-                .Find(isThumbPrint ? X509FindType.FindByThumbprint : X509FindType.FindBySubjectDistinguishedName, certificateNameOrThumbPrint, false);
+            X509Certificate2Collection signingCerts = store.Certificates
+                .Find(X509FindType.FindByTimeValid, DateTime.Now, false)
+                .Find(isThumbPrint ? X509FindType.FindByThumbprint : X509FindType.FindBySubjectDistinguishedName,
+                    certificateNameOrThumbPrint, false);
             if (signingCerts.Count == 0)
             {
                 result = false;
             }
             else
             {
-                // Return the first certificate in the collection, has the right name and is current.
-                certificate = signingCerts.OrderByDescending(static c => c.NotBefore).FirstOrDefault();
+                certificate = FindLatestByValidity(signingCerts);
+
                 result = true;
             }
         }
@@ -98,7 +99,7 @@ internal static bool TryGetCertificateFromStore(string certificateNameOrThumbPri
         }
         catch (SecurityException)
         {
-            // Isufficient permissions to read the store
+            // Insufficient permissions to read the store
             result = false;
         }
         catch (ArgumentException)
@@ -113,12 +114,30 @@ internal static bool TryGetCertificateFromStore(string certificateNameOrThumbPri
                 certificate.Dispose();
                 certificate = null;
             }
+
             store.Close();
         }
 
         return result;
     }
 
+    internal static X509Certificate2? FindLatestByValidity(X509Certificate2Collection signingCerts)
+    {
+        X509Certificate2? certificate = null;
+        // Return the first certificate in the collection, has the right name and is current.
+        foreach (var cert in signingCerts)
+        {
+            // Use this certificate if it became valid after the currently selected one.
+            if (certificate is null || cert.NotBefore > certificate.NotBefore)
+            {
+                certificate?.Dispose();
+                certificate = cert;
+            }
+        }
+
+        return certificate;
+    }
+
     /// <summary>
     /// Opens a certificate file.
     /// </summary>

src/Microsoft.Graph.Cli.Core/Http/LoggingHandler.cs

@@ -1,8 +1,8 @@
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -47,29 +47,48 @@ protected override async Task<HttpResponseMessage> SendAsync(
 
     private static string HeadersToString(in HttpHeaders headers, in HttpContentHeaders? contentHeaders)
     {
-        if (!headers.Any() && contentHeaders?.Any() == false) return string.Empty;
-        static string selector(KeyValuePair<string, IEnumerable<string>> h)
+        var headersEnumerator = headers.GetEnumerator();
+        var contentHeadersEnumerator = contentHeaders?.GetEnumerator();
+        if (!headersEnumerator.MoveNext() && contentHeadersEnumerator?.MoveNext() == false) return string.Empty;
+        headersEnumerator.Dispose();
+        contentHeadersEnumerator?.Dispose();
+        static void StringifyHeader(string name, IEnumerable<string> values, in StringBuilder sb)
         {
-            var value = string.Join(",", h.Value);
-            if (h.Key.Contains("Authorization", StringComparison.OrdinalIgnoreCase))
+            sb.Append(name);
+            sb.Append(':');
+            sb.Append(' ');
+            if (name.Contains("Authorization", StringComparison.OrdinalIgnoreCase))
             {
-                value = "[PROTECTED]";
+                sb.Append("[PROTECTED]");
             }
-            return $"{h.Key}: {value}\n";
-        };
+            else
+            {
+                foreach (var value in values)
+                {
+                    sb.Append(value);
+                    sb.Append(',');
+                }
 
-        static string aggregator(string a, string b)
+                sb.Remove(sb.Length - 1, 1);
+            }
+        }
+        static void JoinHeaders(IEnumerable<KeyValuePair<string, IEnumerable<string>>> headers, in StringBuilder sb)
         {
-            return string.Join(string.Empty, a, b);
+            foreach (var header in headers)
+            {
+                StringifyHeader(header.Key, header.Value, sb);
+                sb.Append('\n');
+            }
         }
 
-        var h = headers.Select(selector).Aggregate("", aggregator);
+        var sb = new StringBuilder(200);
+        JoinHeaders(headers, sb);
         if (contentHeaders != null)
         {
-            h += contentHeaders.Select(selector).Aggregate("", aggregator);
+            JoinHeaders(contentHeaders, sb);
         }
 
-        return h;
+        return sb.ToString();
     }
 
     /// <summary>