Use SNI certs (#7188)

Moving to SNI certs instead of pinned certs for LabClient token acquisition
AzureAD · Jul 9, 2024 · 1a15eb9 · 1a15eb9
1 parent 6339ce7
commit 1a15eb9
Show file tree

Hide file tree

Showing 5 changed files with 773 additions and 822 deletions.
diff --git a/dev-scripts/updatePemCert.js b/dev-scripts/updatePemCert.js
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+const path = require("path");
+const fs = require("fs");
+
+const pemPath = process.argv[2];
+const pemCert = fs.readFileSync(pemPath, "utf8");
+
+const END_PRIVATE_KEY = "-----END PRIVATE KEY-----";
+const END_CERTIFICATE = "-----END CERTIFICATE-----";
+
+// Separate the private key from the x5c certificate chain
+const [privateKey, certs] = pemCert.split(END_PRIVATE_KEY);
+const x5cCerts = reorderCerts(certs);
+const processedPem = `${privateKey}${END_PRIVATE_KEY}${x5cCerts}${END_CERTIFICATE}`;
+
+fs.writeFileSync(pemPath, processedPem, "utf8");
+
+/**
+ * Moves the leaf certificate to the front of the chain
+ * @param {*} certs Serialized x5c certificate chain
+ */
+function reorderCerts(certs) {
+ // Split the certs into an array
+ const x5cCerts = certs.split(END_CERTIFICATE);
+ // Remove the last element which is an empty string
+ x5cCerts.pop();
+ // Move the leaf certificate to the front of the chain
+ x5cCerts.unshift(x5cCerts.pop());
+ // Rejoin into a serialized cert chain
+ return x5cCerts.join(END_CERTIFICATE);
+}
diff --git a/gen_env.ps1 b/gen_env.ps1
@@ -26,11 +26,14 @@ $clientIdValue = $(az keyvault secret show --name "LabVaultAppId" --vault-name "
 $pfxPath = "LabCert.pfx";
 $pemPath = "LabCert.pem";
 # get the lab app cert
-az keyvault secret download --vault-name "msidlabs" -n "LabVaultAccessCert" --file $pfxPath --encoding base64
+az keyvault secret download --vault-name "msidlabs" -n "LabAuth" --file $pfxPath --encoding base64
 # convert pfx file to pem
 openssl pkcs12 -in $pfxPath -out $pemPath -nodes --passin pass:
 
 $fullPemPath = (Get-Location).Path + "\" + $pemPath
+$pemUpdateScriptPath = $PSScriptRoot + "/dev-scripts/updatePemCert.js"
+Write-Output "Re-ordering x5c cert chain in pem file..."
+node $pemUpdateScriptPath $fullPemPath
 
 # Used to secure sessions for samples that use express-session
 $sessionSecret = New-Guid