Refactoring certificate loading into different methods, when loading from file and from store. Adding filtering and ordering, when loading from store

Tomas Urbonaitis · Tomas Urbonaitis · commit 52134b418a2c · 2018-12-12T15:04:11.000+02:00
diff --git a/GVFS/GVFS.Common/Git/GitSsl.cs b/GVFS/GVFS.Common/Git/GitSsl.cs
@@ -1,19 +1,20 @@
 ﻿using System;
 using System.Collections.Generic;
-using System.IO;
+using System.IO;
 using System.Linq;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
-using GVFS.Common.Tracing;
-
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text.RegularExpressions;
+using GVFS.Common.Tracing;
+
 namespace GVFS.Common.Git
 {
     public class GitSsl : IDisposable
     {
         public readonly string CertificatePathOrSubjectCommonName;
         public readonly bool IsCertificatePasswordProtected;
-        public readonly bool ShouldVerify;
-
+        public readonly bool ShouldVerify;
+
         private readonly Lazy<X509Store> store = new Lazy<X509Store>(() =>
         {
             X509Store s = new X509Store();
@@ -47,8 +48,8 @@ public GitSsl(IDictionary<string, GitConfigSetting> configSettings) : this()
                     this.ShouldVerify = sslVerify.Values.Select(bool.Parse).Single();
                 }
             }
-        }
-
+        }
+
         public string GetCertificatePassword(ITracer tracer, GitProcess git)
         {
             if (git.TryGetCertificatePassword(tracer, this.CertificatePathOrSubjectCommonName, out string password, out string error))
@@ -63,11 +64,25 @@ public X509Certificate2 GetCertificate(ITracer tracer, string certificatePasswor
         {
             EventMetadata metadata = new EventMetadata
             {
-                { "certId", this.CertificatePathOrSubjectCommonName },
+                { "CertificatePathOrSubjectCommonName", this.CertificatePathOrSubjectCommonName },
                 { "isPasswordSpecified", string.IsNullOrEmpty(certificatePassword) },
                 { "shouldVerify", onlyLoadValidCertificateFromStore }
             };
 
+            var result =
+                this.GetCertificateFromFile(tracer, metadata, certificatePassword, onlyLoadValidCertificateFromStore) ??
+                this.GetCertificateFromStore(tracer, metadata, onlyLoadValidCertificateFromStore);
+
+            if (result == null)
+            {
+                tracer.RelatedError("Certificate {0} not found", this.CertificatePathOrSubjectCommonName);
+            }
+
+            return result;
+        }
+
+        private X509Certificate2 GetCertificateFromFile(ITracer tracer, EventMetadata metadata, string certificatePassword, bool onlyLoadValidCertificateFromStore)
+        {
             if (File.Exists(this.CertificatePathOrSubjectCommonName))
             {
                 try
@@ -89,12 +104,29 @@ public X509Certificate2 GetCertificate(ITracer tracer, string certificatePasswor
                 }
             }
 
+            return null;
+        }
+
+        private X509Certificate2 GetCertificateFromStore(ITracer tracer, EventMetadata metadata, bool onlyLoadValidCertificateFromStore)
+        {
             try
             {
                 X509Certificate2Collection findResults = this.store.Value.Certificates.Find(X509FindType.FindBySubjectName, this.CertificatePathOrSubjectCommonName, onlyLoadValidCertificateFromStore);
                 if (findResults?.Count > 0)
                 {
-                    return findResults[0];
+                    LogCertificateCounts(tracer, metadata, findResults.OfType<X509Certificate2>(), "Found {0} certificates by provided name. Matching DNs: {1}");
+
+                    X509Certificate2[] certsWithMatchingCns = findResults
+                        .OfType<X509Certificate2>()
+                        .Where(x => x.HasPrivateKey && Regex.IsMatch(x.Subject, string.Format("(^|,\\s?)CN={0}(,|$)", this.CertificatePathOrSubjectCommonName))) // We only want certificates, that have private keys, as we need them. We also want a complete CN match
+                        .OrderByDescending(x => x.Verify()) // Ordering by validity in a descending order will bring valid certificates to the beginning
+                        .ThenBy(x => x.NotBefore) // We take the one, that was issued earliest, first
+                        .ThenByDescending(x => x.NotAfter) // We then take the one, that is valid for the longest period
+                        .ToArray();
+
+                    LogCertificateCounts(tracer, metadata, certsWithMatchingCns, "Found {0} certificates with a private key and an exact CN match. DNs (sorted by priority, will take first): {1}");
+
+                    return certsWithMatchingCns.FirstOrDefault();
                 }
             }
             catch (CryptographicException cryptEx)
@@ -104,16 +136,43 @@ public X509Certificate2 GetCertificate(ITracer tracer, string certificatePasswor
                 return null;
             }
 
-            tracer.RelatedError("Certificate {0} not found", this.CertificatePathOrSubjectCommonName);
             return null;
-        }
-
-        public void Dispose()
-        {
+        }
+
+        private static void LogCertificateCounts(ITracer tracer, EventMetadata metadata, IEnumerable<X509Certificate2> certificates, string messageTemplate)
+        {
+            Action<EventMetadata, string> loggingFunction;
+            int numberOfCertificates = certificates.Count();
+
+            switch (numberOfCertificates)
+            {
+                case 0:
+                    loggingFunction = tracer.RelatedError;
+                    break;
+                case 1:
+                    loggingFunction = tracer.RelatedInfo;
+                    break;
+                default:
+                    loggingFunction = tracer.RelatedWarning;
+                    break;
+            }
+
+            loggingFunction(
+                metadata,
+                string.Format(
+                    messageTemplate,
+                    numberOfCertificates,
+                    string.Join(
+                        Environment.NewLine,
+                        certificates.Select(x => x.Subject))));
+        }
+
+        public void Dispose()
+        {
             if (this.store.IsValueCreated)
             {
                 this.store.Value.Dispose();
-            }
-        }
+            }
+        }
     }
 }
diff --git a/GVFS/GVFS.Common/Tracing/ITracer.cs b/GVFS/GVFS.Common/Tracing/ITracer.cs
@@ -13,16 +13,20 @@ public interface ITracer : IDisposable
 
         void RelatedEvent(EventLevel level, string eventName, EventMetadata metadata, Keywords keywords);
 
+        void RelatedInfo(string message);
+
         void RelatedInfo(string format, params object[] args);
-                
+
+        void RelatedInfo(EventMetadata metadata, string message);
+
         void RelatedWarning(EventMetadata metadata, string message);
 
         void RelatedWarning(EventMetadata metadata, string message, Keywords keywords);
 
         void RelatedWarning(string message);
 
-        void RelatedWarning(string format, params object[] args);
-        
+        void RelatedWarning(string format, params object[] args);
+
         void RelatedError(EventMetadata metadata, string message);
 
         void RelatedError(EventMetadata metadata, string message, Keywords keywords);
diff --git a/GVFS/GVFS.Common/Tracing/JsonTracer.cs b/GVFS/GVFS.Common/Tracing/JsonTracer.cs
@@ -120,11 +120,21 @@ public virtual void RelatedEvent(EventLevel level, string eventName, EventMetada
 
         public virtual void RelatedInfo(string format, params object[] args)
         {
-            EventMetadata metadata = new EventMetadata();
-            metadata.Add(TracingConstants.MessageKey.InfoMessage, string.Format(format, args));
-            this.RelatedEvent(EventLevel.Informational, "Information", metadata);
+            this.RelatedInfo(string.Format(format, args));
+        }
+
+        public virtual void RelatedInfo(string message)
+        {
+            this.RelatedInfo(new EventMetadata(), message);
+        }
+
+        public virtual void RelatedInfo(EventMetadata metadata, string message)
+        {
+            metadata = metadata ?? new EventMetadata();
+            metadata.Add(TracingConstants.MessageKey.InfoMessage, message);
+            this.RelatedEvent(EventLevel.Informational, "Information", metadata);
         }
-        
+
         public virtual void RelatedWarning(EventMetadata metadata, string message)
         {
             this.RelatedWarning(metadata, message, Keywords.None);
@@ -139,7 +149,7 @@ public virtual void RelatedWarning(EventMetadata metadata, string message, Keywo
 
         public virtual void RelatedWarning(string message)
         {
-            EventMetadata metadata = new EventMetadata();            
+            EventMetadata metadata = new EventMetadata();
             this.RelatedWarning(metadata, message);
         }
 
diff --git a/GVFS/GVFS.UnitTests/Mock/Common/MockTracer.cs b/GVFS/GVFS.UnitTests/Mock/Common/MockTracer.cs
@@ -45,11 +45,22 @@ public void RelatedEvent(EventLevel error, string eventName, EventMetadata metad
             }
         }
 
-        public void RelatedInfo(string format, params object[] args)
+        public void RelatedInfo(string message)
         {
-            this.RelatedInfoEvents.Add(string.Format(format, args));
+            this.RelatedInfoEvents.Add(message);
+        }
+
+        public void RelatedInfo(EventMetadata metadata, string message)
+        {
+            metadata[TracingConstants.MessageKey.InfoMessage] = message;
+            this.RelatedWarningEvents.Add(JsonConvert.SerializeObject(metadata));
         }
-        
+
+        public void RelatedInfo(string format, params object[] args)
+        {
+            this.RelatedInfo(string.Format(format, args));
+        }
+
         public void RelatedWarning(EventMetadata metadata, string message)
         {
             metadata[TracingConstants.MessageKey.WarningMessage] = message;
@@ -69,8 +80,8 @@ public void RelatedWarning(string message)
         public void RelatedWarning(string format, params object[] args)
         {
             this.RelatedWarningEvents.Add(string.Format(format, args));
-        }
-        
+        }
+
         public void RelatedError(EventMetadata metadata, string message)
         {
             metadata[TracingConstants.MessageKey.ErrorMessage] = message;
@@ -128,6 +139,6 @@ protected void Dispose(bool disposing)
                     this.waitEvent = null;
                 }
             }
-        }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -45,11 +45,22 @@ public void RelatedEvent(EventLevel error, string eventName, EventMetadata metad`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
`48`		`- public void RelatedInfo(string format, params object[] args)`
	`48`	`+ public void RelatedInfo(string message)`
`49`	`49`	`{`
`50`		`- this.RelatedInfoEvents.Add(string.Format(format, args));`
	`50`	`+ this.RelatedInfoEvents.Add(message);`
	`51`	`+ }`
	`52`	`+`
	`53`	`+ public void RelatedInfo(EventMetadata metadata, string message)`
	`54`	`+ {`
	`55`	`+ metadata[TracingConstants.MessageKey.InfoMessage] = message;`
	`56`	`+ this.RelatedWarningEvents.Add(JsonConvert.SerializeObject(metadata));`
`51`	`57`	`}`
`52`		`-`
	`58`	`+`
	`59`	`+ public void RelatedInfo(string format, params object[] args)`
	`60`	`+ {`
	`61`	`+ this.RelatedInfo(string.Format(format, args));`
	`62`	`+ }`
	`63`	`+`
`53`	`64`	`public void RelatedWarning(EventMetadata metadata, string message)`
`54`	`65`	`{`
`55`	`66`	`metadata[TracingConstants.MessageKey.WarningMessage] = message;`
`@@ -69,8 +80,8 @@ public void RelatedWarning(string message)`
`69`	`80`	`public void RelatedWarning(string format, params object[] args)`
`70`	`81`	`{`
`71`	`82`	`this.RelatedWarningEvents.Add(string.Format(format, args));`
`72`		`- }`
`73`		`-`
	`83`	`+ }`
	`84`	`+`
`74`	`85`	`public void RelatedError(EventMetadata metadata, string message)`
`75`	`86`	`{`
`76`	`87`	`metadata[TracingConstants.MessageKey.ErrorMessage] = message;`
`@@ -128,6 +139,6 @@ protected void Dispose(bool disposing)`
`128`	`139`	`this.waitEvent = null;`
`129`	`140`	`}`
`130`	`141`	`}`
`131`		`- }`
	`142`	`+ }`
`132`	`143`	`}`
`133`	`144`	`}`