fix: macOS PKCS12 confidential mode = None & Integrity mode = Passwor…

…d(null) (#134) When import a PKCS12 certificate to AKV, it is possible that authenticatedSafe confidential mode = None & Integrity mode = Password(null) Resolves #133 Signed-off-by: Junjie Gao <[email protected]> --------- Signed-off-by: Junjie Gao <[email protected]>
Azure · Sep 1, 2023 · 7e45e69 · 7e45e69
1 parent a31b29e
commit 7e45e69
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/Notation.Plugin.AzureKeyVault.Tests/Certificate/Pkcs12Tests.cs b/Notation.Plugin.AzureKeyVault.Tests/Certificate/Pkcs12Tests.cs
@@ -7,6 +7,7 @@ namespace Notation.Plugin.AzureKeyVault.Certificate.Tests
 {
     public class Pkcs12Tests
     {
+        // MAC integrity mode is password(null) and saftContent confidential mode is password(null)
         [Fact]
         public void ReEncode()
         {
@@ -34,7 +35,8 @@ public void ReEncode_WithInvalidMac()
         }
 
         [Fact]
-        public void ReEncode_withoutMac(){
+        public void ReEncode_withoutMac()
+        {
             // read the pfx file
             byte[] data = File.ReadAllBytes(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "cert_without_mac.pfx"));
             Pkcs12Info originPfx = Pkcs12Info.Decode(data, out _);
@@ -44,7 +46,21 @@ public void ReEncode_withoutMac(){
             byte[] newData = Pkcs12.ReEncode(data);
             Pkcs12Info pfxWithoutMac = Pkcs12Info.Decode(newData, out _);
             Assert.True(pfxWithoutMac.IntegrityMode == Pkcs12IntegrityMode.None);
+        }
+
+        // MAC integrity mode is password(null) and saftContent confidential mode is none
+        [Fact]
+        public void ReEncode_akv_imported()
+        {
+            // read the pfx file
+            byte[] data = File.ReadAllBytes(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "akv_imported_cert.pfx"));
+            Pkcs12Info originPfx = Pkcs12Info.Decode(data, out _);
+            Assert.True(originPfx.IntegrityMode == Pkcs12IntegrityMode.Password);
 
+            // re-encode the pfx file
+            byte[] newData = Pkcs12.ReEncode(data);
+            Pkcs12Info pfxWithoutMac = Pkcs12Info.Decode(newData, out _);
+            Assert.True(pfxWithoutMac.IntegrityMode == Pkcs12IntegrityMode.None);
         }
     }
 }
diff --git a/Notation.Plugin.AzureKeyVault.Tests/TestData/akv_imported_cert.pfx b/Notation.Plugin.AzureKeyVault.Tests/TestData/akv_imported_cert.pfx
diff --git a/Notation.Plugin.AzureKeyVault/Certificate/Pkcs12.cs b/Notation.Plugin.AzureKeyVault/Certificate/Pkcs12.cs
@@ -31,7 +31,10 @@ public static byte[] ReEncode(byte[] data)
             foreach (var safeContent in pfx.AuthenticatedSafe)
             {
                 // decrypt with null password
-                safeContent.Decrypt((byte[]?)null);
+                if (safeContent.ConfidentialityMode == Pkcs12ConfidentialityMode.Password)
+                {
+                    safeContent.Decrypt((byte[]?)null);
+                }
 
                 // create a newSafeContent and only contains the certificate bag
                 var newSafeContent = new Pkcs12SafeContents();