Skip to content

Commit 8e330aa

Browse files
wtgodbePilchie
wtgodbe
and
Pilchie
authored
[release/3.1] Resolve credscan bugs (#32655)
* resolve conflicts * Resolve more conflicts * Resolve final credscan bug (#31196) * Resolve 3.1-specific bug Co-authored-by: Kevin Pilch <[email protected]>
1 parent dbdec83 commit 8e330aa

23 files changed

+317
-173
lines changed

.config/CredScanSuppressions.json

Lines changed: 136 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,10 @@
11
{
22
"tool": "Credential Scanner",
33
"suppressions": [
4+
{
5+
"placeholder": "aspnetcore",
6+
"_justification": "This is a fake password used in test code."
7+
},
48
{
59
"placeholder": "password",
610
"_justification": "This is a fake password used in test code."
@@ -9,6 +13,10 @@
913
"placeholder": "newpassword",
1014
"_justification": "This is a fake password used in test code."
1115
},
16+
{
17+
"placeholder": "testpassword",
18+
"_justification": "This is a fake password used in test code."
19+
},
1220
{
1321
"placeholder": "AAABAgMEBQYHCAkKCwwNDg+ukCEMDf0yyQ29NYubggE=",
1422
"_justification": "This is a fake password hash used in test code."
@@ -20,6 +28,134 @@
2028
{
2129
"placeholder": "1qaz@WSX",
2230
"_justification": "This is a fake password used in test code."
31+
},
32+
{
33+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\testCert.pfx",
34+
"_justification": "Legitimate UT certificate file with private key"
35+
},
36+
{
37+
"file": "\\src\\DataProtection\\DataProtection\\test\\TestFiles\\TestCert1.pfx",
38+
"_justification": "Legitimate UT certificate file with private key"
39+
},
40+
{
41+
"file": "\\src\\DataProtection\\DataProtection\\test\\TestFiles\\TestCert2.pfx",
42+
"_justification": "Legitimate UT certificate file with private key"
43+
},
44+
{
45+
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert.pfx",
46+
"_justification": "Legitimate UT certificate file with private key"
47+
},
48+
{
49+
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert2.pfx",
50+
"_justification": "Legitimate UT certificate file with private key"
51+
},
52+
{
53+
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert3.pfx",
54+
"_justification": "Legitimate UT certificate file with private key"
55+
},
56+
{
57+
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert3WithoutPrivateKey.pfx",
58+
"_justification": "Legitimate UT certificate file without private key"
59+
},
60+
{
61+
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCertWithoutPrivateKey.pfx",
62+
"_justification": "Legitimate UT certificate file without private key"
63+
},
64+
{
65+
"file": "\\src\\DefaultBuilder\\test\\Microsoft.AspNetCore.FunctionalTests\\testCert.pfx",
66+
"_justification": "Legitimate UT certificate file with private key"
67+
},
68+
{
69+
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\current.pfx",
70+
"_justification": "Legitimate UT certificate file with private key"
71+
},
72+
{
73+
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\expired.pfx",
74+
"_justification": "Legitimate UT certificate file with private key"
75+
},
76+
{
77+
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\future.pfx",
78+
"_justification": "Legitimate UT certificate file with private key"
79+
},
80+
{
81+
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\test.pfx",
82+
"_justification": "Legitimate UT certificate file with private key"
83+
},
84+
{
85+
"file": "\\src\\Middleware\\WebSockets\\test\\ConformanceTests\\AutobahnTestApp\\TestResources\\testCert.pfx",
86+
"_justification": "Legitimate UT certificate file with private key"
87+
},
88+
{
89+
"file": "\\src\\Security\\Authentication\\Negotiate\\test\\Negotiate.FunctionalTest\\negotiateAuthCert.pfx",
90+
"_justification": "Legitimate UT certificate file with private key"
91+
},
92+
{
93+
"file": "\\src\\Servers\\IIS\\tools\\TestCert.pfx",
94+
"_justification": "Legitimate UT certificate file with private key"
95+
},
96+
{
97+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\aspnetdevcert.pfx",
98+
"_justification": "Legitimate UT certificate file with private key"
99+
},
100+
{
101+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.client.pfx",
102+
"_justification": "Legitimate UT certificate file with private key"
103+
},
104+
{
105+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.code_signing.pfx",
106+
"_justification": "Legitimate UT certificate file with private key"
107+
},
108+
{
109+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.multiple_usages.pfx",
110+
"_justification": "Legitimate UT certificate file with private key"
111+
},
112+
{
113+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.server.pfx",
114+
"_justification": "Legitimate UT certificate file with private key"
115+
},
116+
{
117+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\no_extensions.pfx",
118+
"_justification": "Legitimate UT certificate file with private key"
119+
},
120+
{
121+
"file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\testCert.pfx",
122+
"_justification": "Legitimate UT certificate file with private key"
123+
},
124+
{
125+
"file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\testCertECC.pfx",
126+
"_justification": "Legitimate UT certificate file with private key"
127+
},
128+
{
129+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-aspnet.key",
130+
"_justification": "Legitimate key file used for testing"
131+
},
132+
{
133+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-dsa-protected.key",
134+
"_justification": "Legitimate key file used for testing"
135+
},
136+
{
137+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-dsa.key",
138+
"_justification": "Legitimate key file used for testing"
139+
},
140+
{
141+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-ecdsa-protected.key",
142+
"_justification": "Legitimate key file used for testing"
143+
},
144+
{
145+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-ecdsa.key",
146+
"_justification": "Legitimate key file used for testing"
147+
},
148+
{
149+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-rsa-protected.key",
150+
"_justification": "Legitimate key file used for testing"
151+
},
152+
{
153+
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-rsa.key",
154+
"_justification": "Legitimate key file used for testing"
155+
},
156+
{
157+
"file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\node_modules\\https-proxy-agent\\node_modules\\agent-base\\test\\ssl-cert-snakeoil.key",
158+
"_justification": "Legitimate key file used for testing"
23159
}
24160
]
25161
}

src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,7 @@ public void AnonymousUser_GetsRedirectedToLogin_AndBackToOriginalProtectedResour
7878
ClickAndNavigate(link, page);
7979

8080
var userName = $"{Guid.NewGuid()}@example.com";
81-
var password = $"!Test.Password1$";
81+
var password = $"[PLACEHOLDER]-1a";
8282

8383
FirstTimeRegister(userName, password);
8484

@@ -96,7 +96,7 @@ public void CanPreserveApplicationState_DuringLogIn()
9696
ClickAndNavigate(link, page);
9797

9898
var userName = $"{Guid.NewGuid()}@example.com";
99-
var password = $"!Test.Password1$";
99+
var password = $"[PLACEHOLDER]-1a";
100100

101101
FirstTimeRegister(userName, password);
102102

@@ -116,7 +116,7 @@ public void CanShareUserRolesBetweenClientAndServer()
116116
ClickAndNavigate(By.PartialLinkText("Log in"), "/Identity/Account/Login");
117117

118118
var userName = $"{Guid.NewGuid()}@example.com";
119-
var password = $"!Test.Password1$";
119+
var password = $"[PLACEHOLDER]-1a";
120120
FirstTimeRegister(userName, password);
121121

122122
ClickAndNavigate(By.PartialLinkText("Make admin"), "/new-admin");
@@ -141,7 +141,7 @@ public void AnonymousUser_CanRegister_AndGetLoggedIn()
141141
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
142142

143143
var userName = $"{Guid.NewGuid()}@example.com";
144-
var password = $"!Test.Password1$";
144+
var password = $"[PLACEHOLDER]-1a";
145145
RegisterCore(userName, password);
146146
CompleteProfileDetails();
147147

@@ -158,7 +158,7 @@ public void AuthenticatedUser_ProfileIncludesDetails_And_AccessToken()
158158
ClickAndNavigate(By.PartialLinkText("User"), "/Identity/Account/Login");
159159

160160
var userName = $"{Guid.NewGuid()}@example.com";
161-
var password = $"!Test.Password1$";
161+
var password = $"[PLACEHOLDER]-1a";
162162
FirstTimeRegister(userName, password);
163163

164164
Browser.Contains("user", () => Browser.Url);
@@ -213,7 +213,7 @@ public void AuthenticatedUser_CanGoToProfile()
213213
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
214214

215215
var userName = $"{Guid.NewGuid()}@example.com";
216-
var password = $"!Test.Password1$";
216+
var password = $"[PLACEHOLDER]-1a";
217217
RegisterCore(userName, password);
218218
CompleteProfileDetails();
219219

@@ -255,7 +255,7 @@ public void NewlyRegisteredUser_CanLogOut()
255255
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
256256

257257
var userName = $"{Guid.NewGuid()}@example.com";
258-
var password = $"!Test.Password1$";
258+
var password = $"[PLACEHOLDER]-1a";
259259
RegisterCore(userName, password);
260260
CompleteProfileDetails();
261261

@@ -268,7 +268,7 @@ public void AlreadyRegisteredUser_CanLogOut()
268268
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
269269

270270
var userName = $"{Guid.NewGuid()}@example.com";
271-
var password = $"!Test.Password1$";
271+
var password = $"[PLACEHOLDER]-1a";
272272
RegisterCore(userName, password);
273273
CompleteProfileDetails();
274274

@@ -294,7 +294,7 @@ public void LoggedInUser_OnTheIdP_CanLogInSilently()
294294
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
295295

296296
var userName = $"{Guid.NewGuid()}@example.com";
297-
var password = $"!Test.Password1$";
297+
var password = $"[PLACEHOLDER]-1a";
298298
RegisterCore(userName, password);
299299
CompleteProfileDetails();
300300
ValidateLoggedIn(userName);

src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
33

44
using System;
5+
using System.Text;
56
using System.Xml.Linq;
67
using Microsoft.AspNetCore.DataProtection.KeyManagement;
78
using Microsoft.Extensions.Logging.Abstractions;
@@ -15,20 +16,21 @@ public class AuthenticatedEncryptorDescriptorDeserializerTests
1516
public void ImportFromXml_Cbc_CreatesAppropriateDescriptor()
1617
{
1718
// Arrange
19+
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
1820
var descriptor = new AuthenticatedEncryptorDescriptor(
1921
new AuthenticatedEncryptorConfiguration()
2022
{
2123
EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC,
2224
ValidationAlgorithm = ValidationAlgorithm.HMACSHA512
2325
},
24-
"k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
26+
masterKey.ToSecret());
2527
var control = CreateEncryptorInstanceFromDescriptor(descriptor);
2628

27-
const string xml = @"
29+
var xml = $@"
2830
<encryptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
2931
<encryption algorithm='AES_192_CBC' />
3032
<validation algorithm='HMACSHA512' />
31-
<masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
33+
<masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
3234
</encryptor>";
3335
var deserializedDescriptor = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
3436
var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as AuthenticatedEncryptorDescriptor);

src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
using System;
55
using System.Globalization;
66
using System.Security.Cryptography;
7+
using System.Text;
78
using System.Text.RegularExpressions;
89
using Microsoft.AspNetCore.Cryptography.Cng;
910
using Microsoft.AspNetCore.Cryptography.SafeHandles;
@@ -118,20 +119,20 @@ public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(
118119
public void ExportToXml_ProducesCorrectPayload_Cbc()
119120
{
120121
// Arrange
121-
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
122-
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey);
122+
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
123+
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret());
123124

124125
// Act
125126
var retVal = descriptor.ExportToXml();
126127

127128
// Assert
128129
Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
129-
const string expectedXml = @"
130+
var expectedXml = $@"
130131
<descriptor>
131132
<encryption algorithm='AES_192_CBC' />
132133
<validation algorithm='HMACSHA512' />
133134
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
134-
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
135+
<value>{masterKey}</value>
135136
</masterKey>
136137
</descriptor>";
137138
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
@@ -141,20 +142,20 @@ public void ExportToXml_ProducesCorrectPayload_Cbc()
141142
public void ExportToXml_ProducesCorrectPayload_Gcm()
142143
{
143144
// Arrange
144-
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
145-
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey);
145+
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
146+
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret());
146147

147148
// Act
148149
var retVal = descriptor.ExportToXml();
149150

150151
// Assert
151152
Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
152-
const string expectedXml = @"
153+
var expectedXml = $@"
153154
<descriptor>
154155
<encryption algorithm='AES_192_GCM' />
155156
<!-- some comment here -->
156157
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
157-
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
158+
<value>{masterKey}</value>
158159
</masterKey>
159160
</descriptor>";
160161
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);

src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
33

44
using System;
5+
using System.Text;
56
using System.Xml.Linq;
67
using Microsoft.AspNetCore.Cryptography;
78
using Microsoft.AspNetCore.DataProtection.KeyManagement;
@@ -18,6 +19,7 @@ public class CngCbcAuthenticatedEncryptorDescriptorDeserializerTests
1819
[ConditionalRunTestOnlyOnWindows]
1920
public void ImportFromXml_CreatesAppropriateDescriptor()
2021
{
22+
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
2123
// Arrange
2224
var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(
2325
new CngCbcAuthenticatedEncryptorConfiguration()
@@ -28,14 +30,14 @@ public void ImportFromXml_CreatesAppropriateDescriptor()
2830
HashAlgorithm = Constants.BCRYPT_SHA512_ALGORITHM,
2931
HashAlgorithmProvider = null
3032
},
31-
"k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
33+
masterKey.ToSecret());
3234
var control = CreateEncryptorInstanceFromDescriptor(descriptor);
3335

34-
const string xml = @"
36+
var xml = $@"
3537
<descriptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
3638
<encryption algorithm='AES' keyLength='192' />
3739
<hash algorithm='SHA512' />
38-
<masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
40+
<masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
3941
</descriptor>";
4042
var deserializedDescriptor = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
4143
var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngCbcAuthenticatedEncryptorDescriptor);

0 commit comments

Comments
 (0)