new draft

martin-toman · martin-toman · commit aa0a9acd1178 · 2024-10-15T15:30:12.000Z
diff --git a/src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs b/src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs
@@ -132,12 +132,12 @@ public void DeleteKey()
             }
         }
 
-        public RSA GetKey()
+        public RSA GetKey(bool useLegacyRsaImpl)
         {
-            return GetKeyFromFile();
+            return GetKeyFromFile(useLegacyRsaImpl);
         }
 
-        private RSA GetKeyFromNamedContainer()
+        private RSA GetKeyFromNamedContainer(bool useLegacyRsaImpl)
         {
             if (!File.Exists(_keyFile))
             {
@@ -151,7 +151,7 @@ private RSA GetKeyFromNamedContainer()
             if (string.IsNullOrEmpty(result.containerName))
             {
                 // we should not get here.  GetKeyFromNamedContainer is only called from GetKeyFromFile when result.containerName is not empty
-                return GetKeyFromFile();
+                return GetKeyFromFile(useLegacyRsaImpl);
             }
 
             if (result.useCng)
@@ -170,13 +170,24 @@ private RSA GetKeyFromNamedContainer()
                 Trace.Info("Using RSACryptoServiceProvider");
                 CspParameters Params = new CspParameters();
                 Params.KeyContainerName = result.containerName;
-                Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
-                var rsa = new RSACryptoServiceProvider(Params);
-                return rsa;
+                if (useLegacyRsaImpl)
+                {
+                    Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
+                    var rsa = new RSACryptoServiceProvider(Params);
+                    return rsa;
+                }
+                else
+                {
+                    Params.Flags |= CspProviderFlags.UseMachineKeyStore;
+                    using (var csp = new RSACryptoServiceProvider(Params))
+                    {
+                        return RSA.Create(csp.ExportParameters(includePrivateParameters: true));
+                    }
+                }
             }
         }
 
-        private RSA GetKeyFromFile()
+        private RSA GetKeyFromFile(bool useLegacyRsaImpl)
         {
             if (!File.Exists(_keyFile))
             {
@@ -190,10 +201,10 @@ private RSA GetKeyFromFile()
             if(!string.IsNullOrEmpty(result.containerName))
             {
                 Trace.Info("Keyfile has ContainerName, reading from NamedContainer");
-                return GetKeyFromNamedContainer();
+                return GetKeyFromNamedContainer(useLegacyRsaImpl);
             }
 
-            var rsa = new RSACryptoServiceProvider();
+            var rsa = useLegacyRsaImpl ? new RSACryptoServiceProvider() : RSA.Create();
             rsa.ImportParameters(result.rsaParameters);
             return rsa;
         }
diff --git a/src/Agent.Listener/Configuration/IRSAKeyManager.cs b/src/Agent.Listener/Configuration/IRSAKeyManager.cs
@@ -35,11 +35,12 @@ public interface IRSAKeyManager : IAgentService
         void DeleteKey();
 
         /// <summary>
-        /// Gets the <c>RSACryptoServiceProvider</c> instance currently stored by the key manager. 
+        /// Gets the <c>RSA</c> instance currently stored by the key manager. 
         /// </summary>
-        /// <returns>An <c>RSACryptoServiceProvider</c> instance representing the key for the agent</returns>
+        /// <param name="useLegacyRsaImpl">Use RSACryptoServiceProvider as the underlying implementation.</param>
+        /// <returns>An <c>RSA</c> implementation representing the key for the agent</returns>
         /// <exception cref="CryptographicException">No key exists in the store</exception>
-        RSA GetKey();
+        RSA GetKey(bool useLegacyRsaImpl);
     }
 
     public static class IRSAKeyManagerExtensions
diff --git a/src/Agent.Listener/Configuration/OAuthCredential.cs b/src/Agent.Listener/Configuration/OAuthCredential.cs
@@ -42,7 +42,7 @@ public override VssCredentials GetVssCredentials(IHostContext context)
             // We expect the key to be in the machine store at this point. Configuration should have set all of
             // this up correctly so we can use the key to generate access tokens.
             var keyManager = context.GetService<IRSAKeyManager>();
-            var signingCredentials = VssSigningCredentials.Create(() => keyManager.GetKey());
+            var signingCredentials = VssSigningCredentials.Create(() => keyManager.GetKey(useLegacyRsaImpl: true)); // RSACryptoServiceProvider is fine for signatures
             var clientCredential = new VssOAuthJwtBearerClientCredential(clientId, authorizationUrl, signingCredentials);
             var agentCredential = new VssOAuthCredential(new Uri(oathEndpointUrl, UriKind.Absolute), VssOAuthGrant.ClientCredentials, clientCredential);
 
diff --git a/src/Agent.Listener/Configuration/RSAFileKeyManager.cs b/src/Agent.Listener/Configuration/RSAFileKeyManager.cs
@@ -70,7 +70,7 @@ public void DeleteKey()
             }
         }
 
-        public RSA GetKey()
+        public RSA GetKey(bool useLegacyRsaImpl)
         {
             if (!File.Exists(_keyFile))
             {
@@ -80,7 +80,7 @@ public RSA GetKey()
             Trace.Info("Loading RSA key parameters from file {0}", _keyFile);
 
             var parameters = IOUtil.LoadObject<RSAParametersSerializable>(_keyFile).RSAParameters;
-            var rsa = new RSACryptoServiceProvider();
+            var rsa = useLegacyRsaImpl ? new RSACryptoServiceProvider() : RSA.Create();
             rsa.ImportParameters(parameters);
             return rsa;
         }
diff --git a/src/Agent.Listener/MessageListener.cs b/src/Agent.Listener/MessageListener.cs
@@ -95,6 +95,7 @@ public async Task<Boolean> CreateSessionAsync(CancellationToken token)
                     await _agentServer.ConnectAsync(new Uri(serverUrl), creds);
                     Trace.Info("VssConnection created");
 
+                    taskAgentSession.AgentCanHandleOaepSHA256 = true;
                     _session = await _agentServer.CreateAgentSessionAsync(
                                                         _settings.PoolId,
                                                         taskAgentSession,
@@ -336,9 +337,10 @@ private ICryptoTransform GetMessageDecryptor(
             {
                 // The agent session encryption key uses the AES symmetric algorithm
                 var keyManager = HostContext.GetService<IRSAKeyManager>();
-                using (var rsa = keyManager.GetKey())
+                RSAEncryptionPadding rsaPadding = _session.EncryptionKey.EncryptionPadding == "OaepSHA256" ? RSAEncryptionPadding.OaepSHA256 : RSAEncryptionPadding.OaepSHA1;
+                using (var rsa = keyManager.GetKey(useLegacyRsaImpl: rsaPadding == RSAEncryptionPadding.OaepSHA1))
                 {
-                    return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, RSAEncryptionPadding.OaepSHA1), message.IV);
+                    return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, rsaPadding), message.IV);
                 }
             }
             else

Original file line number	Diff line number	Diff line change
`@@ -132,12 +132,12 @@ public void DeleteKey()`
`132`	`132`	`}`
`133`	`133`	`}`
`134`	`134`
`135`		`- public RSA GetKey()`
	`135`	`+ public RSA GetKey(bool useLegacyRsaImpl)`
`136`	`136`	`{`
`137`		`- return GetKeyFromFile();`
	`137`	`+ return GetKeyFromFile(useLegacyRsaImpl);`
`138`	`138`	`}`
`139`	`139`
`140`		`- private RSA GetKeyFromNamedContainer()`
	`140`	`+ private RSA GetKeyFromNamedContainer(bool useLegacyRsaImpl)`
`141`	`141`	`{`
`142`	`142`	`if (!File.Exists(_keyFile))`
`143`	`143`	`{`
`@@ -151,7 +151,7 @@ private RSA GetKeyFromNamedContainer()`
`151`	`151`	`if (string.IsNullOrEmpty(result.containerName))`
`152`	`152`	`{`
`153`	`153`	`// we should not get here. GetKeyFromNamedContainer is only called from GetKeyFromFile when result.containerName is not empty`
`154`		`- return GetKeyFromFile();`
	`154`	`+ return GetKeyFromFile(useLegacyRsaImpl);`
`155`	`155`	`}`
`156`	`156`
`157`	`157`	`if (result.useCng)`
`@@ -170,13 +170,24 @@ private RSA GetKeyFromNamedContainer()`
`170`	`170`	`Trace.Info("Using RSACryptoServiceProvider");`
`171`	`171`	`CspParameters Params = new CspParameters();`
`172`	`172`	`Params.KeyContainerName = result.containerName;`
`173`		`- Params.Flags \|= CspProviderFlags.UseNonExportableKey \| CspProviderFlags.UseMachineKeyStore;`
`174`		`- var rsa = new RSACryptoServiceProvider(Params);`
`175`		`- return rsa;`
	`173`	`+ if (useLegacyRsaImpl)`
	`174`	`+ {`
	`175`	`+ Params.Flags \|= CspProviderFlags.UseNonExportableKey \| CspProviderFlags.UseMachineKeyStore;`
	`176`	`+ var rsa = new RSACryptoServiceProvider(Params);`
	`177`	`+ return rsa;`
	`178`	`+ }`
	`179`	`+ else`
	`180`	`+ {`
	`181`	`+ Params.Flags \|= CspProviderFlags.UseMachineKeyStore;`
	`182`	`+ using (var csp = new RSACryptoServiceProvider(Params))`
	`183`	`+ {`
	`184`	`+ return RSA.Create(csp.ExportParameters(includePrivateParameters: true));`
	`185`	`+ }`
	`186`	`+ }`
`176`	`187`	`}`
`177`	`188`	`}`
`178`	`189`
`179`		`- private RSA GetKeyFromFile()`
	`190`	`+ private RSA GetKeyFromFile(bool useLegacyRsaImpl)`
`180`	`191`	`{`
`181`	`192`	`if (!File.Exists(_keyFile))`
`182`	`193`	`{`
`@@ -190,10 +201,10 @@ private RSA GetKeyFromFile()`
`190`	`201`	`if(!string.IsNullOrEmpty(result.containerName))`
`191`	`202`	`{`
`192`	`203`	`Trace.Info("Keyfile has ContainerName, reading from NamedContainer");`
`193`		`- return GetKeyFromNamedContainer();`
	`204`	`+ return GetKeyFromNamedContainer(useLegacyRsaImpl);`
`194`	`205`	`}`
`195`	`206`
`196`		`- var rsa = new RSACryptoServiceProvider();`
	`207`	`+ var rsa = useLegacyRsaImpl ? new RSACryptoServiceProvider() : RSA.Create();`
`197`	`208`	`rsa.ImportParameters(result.rsaParameters);`
`198`	`209`	`return rsa;`
`199`	`210`	`}`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public void DeleteKey()`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`
`73`		`- public RSA GetKey()`
	`73`	`+ public RSA GetKey(bool useLegacyRsaImpl)`
`74`	`74`	`{`
`75`	`75`	`if (!File.Exists(_keyFile))`
`76`	`76`	`{`
`@@ -80,7 +80,7 @@ public RSA GetKey()`
`80`	`80`	`Trace.Info("Loading RSA key parameters from file {0}", _keyFile);`
`81`	`81`
`82`	`82`	`var parameters = IOUtil.LoadObject<RSAParametersSerializable>(_keyFile).RSAParameters;`
`83`		`- var rsa = new RSACryptoServiceProvider();`
	`83`	`+ var rsa = useLegacyRsaImpl ? new RSACryptoServiceProvider() : RSA.Create();`
`84`	`84`	`rsa.ImportParameters(parameters);`
`85`	`85`	`return rsa;`
`86`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,7 @@ public async Task<Boolean> CreateSessionAsync(CancellationToken token)`
`95`	`95`	`await _agentServer.ConnectAsync(new Uri(serverUrl), creds);`
`96`	`96`	`Trace.Info("VssConnection created");`
`97`	`97`
	`98`	`+ taskAgentSession.AgentCanHandleOaepSHA256 = true;`
`98`	`99`	`_session = await _agentServer.CreateAgentSessionAsync(`
`99`	`100`	`_settings.PoolId,`
`100`	`101`	`taskAgentSession,`
`@@ -336,9 +337,10 @@ private ICryptoTransform GetMessageDecryptor(`
`336`	`337`	`{`
`337`	`338`	`// The agent session encryption key uses the AES symmetric algorithm`
`338`	`339`	`var keyManager = HostContext.GetService<IRSAKeyManager>();`
`339`		`- using (var rsa = keyManager.GetKey())`
	`340`	`+ RSAEncryptionPadding rsaPadding = _session.EncryptionKey.EncryptionPadding == "OaepSHA256" ? RSAEncryptionPadding.OaepSHA256 : RSAEncryptionPadding.OaepSHA1;`
	`341`	`+ using (var rsa = keyManager.GetKey(useLegacyRsaImpl: rsaPadding == RSAEncryptionPadding.OaepSHA1))`
`340`	`342`	`{`
`341`		`- return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, RSAEncryptionPadding.OaepSHA1), message.IV);`
	`343`	`+ return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, rsaPadding), message.IV);`
`342`	`344`	`}`
`343`	`345`	`}`
`344`	`346`	`else`