IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

IdentityServer can retrieve wrong certificate if multiple certificates on server have same subject #823

Closed davisnw closed 9 years ago

davisnw commented 9 years ago

If there are multiple certificates in the machine store that have the same CN, then IdentityServer may pull back the wrong certificate based on the SigningCertificateName of KeyMaterialConfiguration.

When this occurs the issued tokens will be rejected by other applications.

I believe the problem lies in Thinktecture.IdentityServer.Repositories.Sql.Mappings

    public static Models.Configuration.KeyMaterialConfiguration ToDomainModel(this Entities.Configuration.KeyMaterialConfiguration entity)
    {
        ...

        if (!string.IsNullOrWhiteSpace(entity.SigningCertificateName))
        {
            // Find() returns every cert in LocalMachine\My whose subject DN matches;
            // FirstOrDefault() then picks one of them arbitrarily when there are several.
            var cert = X509.LocalMachine.My.SubjectDistinguishedName.Find(entity.SigningCertificateName, false).FirstOrDefault();

            if (cert == null)
            {
                throw new InvalidOperationException(string.Format(Core.Repositories.Resources.Mappings.SigningCertificateNotFoundException, entity.SigningCertificateName));
            }

            model.SigningCertificate = cert;
        }
        ...

I believe there are two things that need to happen to resolve this:

brockallen commented 9 years ago

We've known about this issue and the attitude was that you shouldn't be using the same CN in multiple certs.

davisnw commented 9 years ago

From the following links, it is recommended to use different keys for signing than for encryption, which would seem to contradict the assertion that you shouldn't be using the same CN in multiple certs.

leastprivilege commented 9 years ago

Right - but it is not recommended to have multiple certs with the same name in the same certificate store. No issue with using different names for signing and encryption certs.

davisnw commented 9 years ago

If I understand what you're saying, you're suggesting that if we have two certs for different purposes (signing vs encryption) for the same CN, then they should each be in a different certificate store.

Maybe I'm missing something - but I don't see that IdentityServer allows you to specify which certificate store to retrieve the certificate from.

Also, other applications seem to support selecting a specific cert when two certs with the same CN are present. For example, IIS has no problem picking up the correct cert (I assume it finds by ThumbPrint). SharePoint 2013 also appears to locate certificates via ThumbPrint for its "Trusted Identity Provider" functionality.

leastprivilege commented 9 years ago

No - I am saying that you should give each cert a unique name.

davisnw commented 9 years ago

I'm not sure giving each cert a unique name is viable. I think external applications require the CN of the certificate to match the realm. I'll do a little testing against an IdentityServer/SharePoint installation I have.

Also, when you say "it is not recommended to have multiple certs with the same name in the same certificate store", upon what is that based? Is it just because IdentityServer doesn't support it, or are there larger issues of which you are thinking?

leastprivilege commented 9 years ago

Only SSL certs have a requirement that the CN matches the DNS name. Signing/encryption certs can be called whatever you like.

davisnw commented 9 years ago

Ok, I see. And I verified that it works in my environment by specifying an arbitrary unique CN for the certificate shared between KeyMaterialConfiguration and my SharePoint trusted identity provider.

Thanks for your help - I really appreciate your quick responses.
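The ambiguity discussed in this thread, as an added example that is not IdentityServer's own code: look the signing certificate up by thumbprint (the approach davisnw observes in IIS and SharePoint), or, when the subject name must be used, refuse to guess between duplicates instead of taking `FirstOrDefault()`. The class and method names are assumed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not IdentityServer code): two ways to pick a signing
// certificate from LocalMachine\My without guessing between duplicates.
public static class SigningCertificateLookup
{
    // A thumbprint is a hash of the certificate, so it identifies exactly one.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        var matches = FindInMachineStore(X509FindType.FindByThumbprint, thumbprint);
        if (matches.Count == 0)
            throw new InvalidOperationException("No certificate with thumbprint " + thumbprint);
        return matches[0];
    }

    // Same lookup key the mapping above uses, but ambiguity is an error rather
    // than a silent FirstOrDefault(): a wrong pick means relying parties reject tokens.
    public static X509Certificate2 FindUniqueBySubject(string subjectDn)
    {
        var matches = FindInMachineStore(X509FindType.FindBySubjectDistinguishedName, subjectDn);
        if (matches.Count == 0)
            throw new InvalidOperationException("No certificate with subject " + subjectDn);
        if (matches.Count > 1)
        {
            var thumbprints = string.Join(", ", matches.Cast<X509Certificate2>().Select(c => c.Thumbprint));
            throw new InvalidOperationException(
                "Subject " + subjectDn + " matches " + matches.Count +
                " certificates; configure a thumbprint instead. Candidates: " + thumbprints);
        }
        return matches[0];
    }

    private static X509Certificate2Collection FindInMachineStore(X509FindType findType, string value)
    {
        // X509Store.Close() rather than 'using': the store is not IDisposable on .NET 4.5.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so an expired or untrusted cert is still found and reported
            return store.Certificates.Find(findType, value, validOnly: false);
        }
        finally
        {
            store.Close();
        }
    }
}
```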