From 64853acbe3639dfe090b1f194aac43b93ce113df Mon Sep 17 00:00:00 2001
From: Matthew Dobrowsky
Date: Fri, 26 Jul 2024 03:56:15 +0000
Subject: [PATCH 1/3] remove trace logging of sensitive data
---
 aws-orchestrator-core/Jobs/Management.cs | 1 -
 1 file changed, 1 deletion(-)
diff --git a/aws-orchestrator-core/Jobs/Management.cs b/aws-orchestrator-core/Jobs/Management.cs
index 25438b2..ea06d70 100644
--- a/aws-orchestrator-core/Jobs/Management.cs
+++ b/aws-orchestrator-core/Jobs/Management.cs
@@ -152,7 +152,6 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
  pemWriter.WriteObject(keyPair.Private);
  streamWriter.Flush();
  privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer()).Trim().Replace("\r", "").Replace("\0", "");
- Logger.LogTrace($"Got Private Key String {privateKeyString}");
  memoryStream.Close();
  streamWriter.Close();
  }
From 812a237811cbebf84979186b7993657401edd64a Mon Sep 17 00:00:00 2001
From: Matthew Dobrowsky
Date: Fri, 26 Jul 2024 15:25:44 +0000
Subject: [PATCH 2/3] update changelog; mark private key as required in docs
---
 CHANGELOG.md | 4 ++++
 aws-orchestrator-core/Jobs/Management.cs | 3 ++-
 integration-manifest.json | 2 +-
 readme_source.md | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7d9477..17e8974 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+2.0.1
+* Remove logging of sensitive data
+* Update Private Key to required for certificates in this store in docs and store definition
+
 2.0.0
 * Consolidate all AWS auth types under one Store Type: `AWS-ACM`
 * Continues to provide backwards support for previous Store Types `AwsCerManO` and `AwsCerManA`
diff --git a/aws-orchestrator-core/Jobs/Management.cs b/aws-orchestrator-core/Jobs/Management.cs
index ea06d70..d29ba07 100644
--- a/aws-orchestrator-core/Jobs/Management.cs
+++ b/aws-orchestrator-core/Jobs/Management.cs
@@ -100,7 +100,7 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
  if (!string.IsNullOrWhiteSpace(config.JobCertificate.Alias))
  {
  // Alias is specified, this is a replace / renewal
- Logger.LogTrace($"Alias specified, validating existing cert can be renewed / replaced: {config.JobCertificate.Alias}");
+ Logger.LogDebug($"Alias specified, validating existing cert can be renewed / replaced: {config.JobCertificate.Alias}");
  // ARN Provided, Verify It is Not A PCA/Amazon Issued Cert
  DescribeCertificateResponse DescribeCertificateResponse = AsyncHelpers.RunSync(() => AcmClient.DescribeCertificateAsync(config.JobCertificate.Alias));
  Logger.LogTrace($"DescribeCertificateResponse JSON: {JsonConvert.SerializeObject(DescribeCertificateResponse)}");
@@ -152,6 +152,7 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
  pemWriter.WriteObject(keyPair.Private);
  streamWriter.Flush();
  privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer()).Trim().Replace("\r", "").Replace("\0", "");
+ Logger.LogTrace("Loaded private key.");
  memoryStream.Close();
  streamWriter.Close();
  }
diff --git a/integration-manifest.json b/integration-manifest.json
index ab55b89..11db8b7 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -144,7 +144,7 @@
  "StoreRequired": false,
  "Style": "Default"
  },
- "PrivateKeyAllowed": "Optional",
+ "PrivateKeyAllowed": "Required",
  "ServerRequired": true,
  "PowerShell": false,
  "BlueprintAllowed": true,
diff --git a/readme_source.md b/readme_source.md
index 8a13f8c..9b4f067 100644
--- a/readme_source.md
+++ b/readme_source.md
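Review bot: The switch from `Logger.LogTrace` to `Logger.LogDebug` on the alias message is the only code change in the @@ -100 hunk, and neither the patch subject ("update changelog; mark private key as required in docs") nor the changelog entry mentions it; per the `// ARN Provided` comment the alias is a certificate ARN rather than key material, so it does not read as part of the sensitive-data cleanup. If the intent is to make the replace/renewal path visible at debug level, a line in the commit message saying so would help; otherwise it could stay at trace next to the `DescribeCertificateResponse JSON` trace line that follows, so one level governs both. PerformAddition begins and ends outside this hunk.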
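Review bot: The new `Logger.LogTrace("Loaded private key.");` in the @@ -152 hunk is a sound replacement for the removed trace of the key itself, but the line above it still decodes `memoryStream.GetBuffer()`, which returns the stream's entire capacity array rather than only the bytes written — that padding is why the `.Replace("\0", "")` exists. Decoding just the written length, `privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer(), 0, (int)memoryStream.Length).Trim().Replace("\r", "");`, removes the dependence on buffer padding. Because that buffer holds the PEM-encoded private key, it is also worth clearing it before the stream is closed, e.g. `Array.Clear(memoryStream.GetBuffer(), 0, memoryStream.GetBuffer().Length);` ahead of `memoryStream.Close();`; the resulting `privateKeyString` is an immutable string and cannot be scrubbed the same way. Operators who ran earlier builds with trace logging enabled should treat keys present in those log files as exposed, which the changelog could state explicitly. The enclosing block and PerformAddition continue outside the hunk.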
@@ -64,7 +64,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
 Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
 Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
 Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
-Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store.
 PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
 
 **Custom Fields:**
From dafaf2bf13227c94d15c5398456b6db66e077b7a Mon Sep 17 00:00:00 2001
From: Keyfactor
Date: Fri, 26 Jul 2024 15:26:13 +0000
Subject: [PATCH 3/3] Update generated README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ed16110..3495285 100644
--- a/README.md
+++ b/README.md
@@ -163,7 +163,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION
 Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
 Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
 Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
-Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
+Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store.
 PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
 
 **Custom Fields:**