load certs from azure storage

2025-07-03 00:52:49 -05:00 · 2019-07-10 20:05:07 -04:00
parent f97539d558
commit b5d2a1da75
4 changed files with 67 additions and 9 deletions
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -15,6 +15,8 @@ using System.Globalization;
 using System.Web;
 using Microsoft.AspNetCore.DataProtection;
 using Bit.Core.Enums;
+using System.Threading.Tasks;
+using Microsoft.WindowsAzure.Storage;

 namespace Bit.Core.Utilities
 {
@ -149,6 +151,24 @@ namespace Bit.Core.Utilities
            }
        }

+        public async static Task<X509Certificate2> GetBlobCertificateAsync(CloudStorageAccount cloudStorageAccount,
+            string container, string file, string password)
+        {
+            var blobClient = cloudStorageAccount.CreateCloudBlobClient();
+            var containerRef = blobClient.GetContainerReference(container);
+            if(await containerRef.ExistsAsync())
+            {
+                var blobRef = containerRef.GetBlobReference(file);
+                if(await blobRef.ExistsAsync())
+                {
+                    var blobBytes = new byte[blobRef.Properties.Length];
+                    await blobRef.DownloadToByteArrayAsync(blobBytes, 0);
+                    return new X509Certificate2(blobBytes, password);
+                }
+            }
+            return null;
+        }
+
        public static long ToEpocMilliseconds(DateTime date)
        {
            return (long)Math.Round((date - _epoc).TotalMilliseconds, 0);
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -29,6 +29,7 @@ using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.HttpOverrides;
 using System.Linq;
+using System.Security.Cryptography.X509Certificates;

 namespace Bit.Core.Utilities
 {
@ -131,7 +132,7 @@ namespace Bit.Core.Utilities
                services.AddSingleton<IPushRegistrationService, NoopPushRegistrationService>();
            }

-            if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage.ConnectionString))
+            if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString))
            {
                services.AddSingleton<IBlockIpService, AzureQueueBlockIpService>();
            }
@ -326,7 +327,8 @@ namespace Bit.Core.Utilities
            {
                identityServerBuilder.AddDeveloperSigningCredential(false);
            }
-            else if(!string.IsNullOrWhiteSpace(globalSettings.IdentityServer.CertificatePassword)
+            else if(globalSettings.SelfHosted &&
+                !string.IsNullOrWhiteSpace(globalSettings.IdentityServer.CertificatePassword)
                && File.Exists("identity.pfx"))
            {
                var identityServerCert = CoreHelpers.GetCertificate("identity.pfx",
@ -338,6 +340,15 @@ namespace Bit.Core.Utilities
                var identityServerCert = CoreHelpers.GetCertificate(globalSettings.IdentityServer.CertificateThumbprint);
                identityServerBuilder.AddSigningCredential(identityServerCert);
            }
+            else if(!globalSettings.SelfHosted &&
+                CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString) &&
+                CoreHelpers.SettingHasValue(globalSettings.IdentityServer.CertificatePassword))
+            {
+                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
+                var identityServerCert = CoreHelpers.GetBlobCertificateAsync(storageAccount, "certificates",
+                    "identity.pfx", globalSettings.IdentityServer.CertificatePassword).GetAwaiter().GetResult();
+                identityServerBuilder.AddSigningCredential(identityServerCert);
+            }
            else
            {
                throw new Exception("No identity certificate to use.");
@ -366,12 +377,21 @@ namespace Bit.Core.Utilities
                    .PersistKeysToFileSystem(new DirectoryInfo(globalSettings.DataProtection.Directory));
            }

-            if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage.ConnectionString) &&
-                CoreHelpers.SettingHasValue(globalSettings.DataProtection.CertificateThumbprint))
+            if(!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString))
            {
-                var dataProtectionCert = CoreHelpers.GetCertificate(
-                    globalSettings.DataProtection.CertificateThumbprint);
                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
+                X509Certificate2 dataProtectionCert = null;
+                if(CoreHelpers.SettingHasValue(globalSettings.DataProtection.CertificateThumbprint))
+                {
+                    dataProtectionCert = CoreHelpers.GetCertificate(
+                        globalSettings.DataProtection.CertificateThumbprint);
+                }
+                else if(CoreHelpers.SettingHasValue(globalSettings.DataProtection.CertificatePassword))
+                {
+                    dataProtectionCert = CoreHelpers.GetBlobCertificateAsync(storageAccount, "certificates",
+                        "dataprotection.pfx", globalSettings.DataProtection.CertificatePassword)
+                        .GetAwaiter().GetResult();
+                }
                services.AddDataProtection()
                    .PersistKeysToAzureBlobStorage(storageAccount, "aspnet-dataprotection/keys.xml")
                    .ProtectKeysWithCertificate(dataProtectionCert);