[release/5.0] Resolve credscan bugs (#32656)

* Resolve conflicts

* Resolve remaining credscan bugs (#31157)

* Resolve final credscan bug (#31196)

Co-authored-by: Kevin Pilch <[email protected]>

Author: wtgodbe

.config/CredScanSuppressions.json

@@ -1,6 +1,10 @@
 {
   "tool": "Credential Scanner",
   "suppressions": [
+    {
+      "placeholder": "aspnetcore",
+      "_justification": "This is a fake password used in test code."
+    },
     {
       "placeholder": "password",
       "_justification": "This is a fake password used in test code."
@@ -9,6 +13,10 @@
       "placeholder": "newpassword",
       "_justification": "This is a fake password used in test code."
     },
+    {
+      "placeholder": "testpassword",
+      "_justification": "This is a fake password used in test code."
+    },
     {
       "placeholder": "AAABAgMEBQYHCAkKCwwNDg+ukCEMDf0yyQ29NYubggE=",
       "_justification": "This is a fake password hash used in test code."
@@ -25,6 +33,98 @@
       "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\testCert.pfx",
       "_justification": "Legitimate UT certificate file with private key"
     },
+    {
+      "file": "\\src\\DataProtection\\DataProtection\\test\\TestFiles\\TestCert1.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\DataProtection\\DataProtection\\test\\TestFiles\\TestCert2.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert2.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert3.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert3WithoutPrivateKey.pfx",
+      "_justification": "Legitimate UT certificate file without private key"
+    },
+    {
+      "file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCertWithoutPrivateKey.pfx",
+      "_justification": "Legitimate UT certificate file without private key"
+    },
+    {
+      "file": "\\src\\DefaultBuilder\\test\\Microsoft.AspNetCore.FunctionalTests\\testCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\current.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\expired.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\future.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\test.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Middleware\\WebSockets\\test\\ConformanceTests\\AutobahnTestApp\\TestResources\\testCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Security\\Authentication\\Negotiate\\test\\Negotiate.FunctionalTest\\negotiateAuthCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\IIS\\tools\\TestCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\aspnetdevcert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.client.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.code_signing.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.multiple_usages.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.server.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\no_extensions.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\testCert.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
+    {
+      "file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\testCertECC.pfx",
+      "_justification": "Legitimate UT certificate file with private key"
+    },
     {
       "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-aspnet.key",
       "_justification": "Legitimate key file used for testing"
@@ -52,6 +152,10 @@
     {
       "file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-rsa.key",
       "_justification": "Legitimate key file used for testing"
+    },
+    {
+      "file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\node_modules\\https-proxy-agent\\node_modules\\agent-base\\test\\ssl-cert-snakeoil.key",
+      "_justification": "Legitimate key file used for testing"
     }
   ]
 }

src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs

@@ -78,7 +78,7 @@ public void AnonymousUser_GetsRedirectedToLogin_AndBackToOriginalProtectedResour
             ClickAndNavigate(link, page);
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
 
             FirstTimeRegister(userName, password);
 
@@ -96,7 +96,7 @@ public void CanPreserveApplicationState_DuringLogIn()
             ClickAndNavigate(link, page);
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
 
             FirstTimeRegister(userName, password);
 
@@ -116,7 +116,7 @@ public void CanShareUserRolesBetweenClientAndServer()
             ClickAndNavigate(By.PartialLinkText("Log in"), "/Identity/Account/Login");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             FirstTimeRegister(userName, password);
 
             ClickAndNavigate(By.PartialLinkText("Make admin"), "/new-admin");
@@ -141,7 +141,7 @@ public void AnonymousUser_CanRegister_AndGetLoggedIn()
             ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             RegisterCore(userName, password);
             CompleteProfileDetails();
 
@@ -158,7 +158,7 @@ public void AuthenticatedUser_ProfileIncludesDetails_And_AccessToken()
             ClickAndNavigate(By.PartialLinkText("User"), "/Identity/Account/Login");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             FirstTimeRegister(userName, password);
 
             Browser.Contains("user", () => Browser.Url);
@@ -213,7 +213,7 @@ public void AuthenticatedUser_CanGoToProfile()
             ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             RegisterCore(userName, password);
             CompleteProfileDetails();
 
@@ -255,7 +255,7 @@ public void NewlyRegisteredUser_CanLogOut()
             ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             RegisterCore(userName, password);
             CompleteProfileDetails();
 
@@ -268,7 +268,7 @@ public void AlreadyRegisteredUser_CanLogOut()
             ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             RegisterCore(userName, password);
             CompleteProfileDetails();
 
@@ -294,7 +294,7 @@ public void LoggedInUser_OnTheIdP_CanLogInSilently()
             ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");
 
             var userName = $"{Guid.NewGuid()}@example.com";
-            var password = $"!Test.Password1$";
+            var password = $"[PLACEHOLDER]-1a";
             RegisterCore(userName, password);
             CompleteProfileDetails();
             ValidateLoggedIn(userName);

src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Text;
 using System.Xml.Linq;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -15,20 +16,21 @@ public class AuthenticatedEncryptorDescriptorDeserializerTests
         public void ImportFromXml_Cbc_CreatesAppropriateDescriptor()
         {
             // Arrange
+            var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
             var descriptor = new AuthenticatedEncryptorDescriptor(
                 new AuthenticatedEncryptorConfiguration()
                 {
                     EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC,
                     ValidationAlgorithm = ValidationAlgorithm.HMACSHA512
                 },
-                "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
+                masterKey.ToSecret());
             var control = CreateEncryptorInstanceFromDescriptor(descriptor);
 
-            const string xml = @"
+            var xml = $@"
                 <encryptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
                   <encryption algorithm='AES_192_CBC' />
                   <validation algorithm='HMACSHA512' />
-                  <masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
+                  <masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
                 </encryptor>";
             var deserializedDescriptor = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
             var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as AuthenticatedEncryptorDescriptor);

src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Globalization;
 using System.Security.Cryptography;
+using System.Text;
 using System.Text.RegularExpressions;
 using Microsoft.AspNetCore.Cryptography.Cng;
 using Microsoft.AspNetCore.Cryptography.SafeHandles;
@@ -118,20 +119,20 @@ public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(
         public void ExportToXml_ProducesCorrectPayload_Cbc()
         {
             // Arrange
-            var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
-            var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey);
+            var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
+            var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret());
 
             // Act
             var retVal = descriptor.ExportToXml();
 
             // Assert
             Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
-            const string expectedXml = @"
+            var expectedXml = $@"
                 <descriptor>
                   <encryption algorithm='AES_192_CBC' />
                   <validation algorithm='HMACSHA512' />
                   <masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
-                    <value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
+                    <value>{masterKey}</value>
                   </masterKey>
                 </descriptor>";
             XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
@@ -141,20 +142,20 @@ public void ExportToXml_ProducesCorrectPayload_Cbc()
         public void ExportToXml_ProducesCorrectPayload_Gcm()
         {
             // Arrange
-            var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
-            var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey);
+            var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
+            var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret());
 
             // Act
             var retVal = descriptor.ExportToXml();
 
             // Assert
             Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
-            const string expectedXml = @"
+            var expectedXml = $@"
                 <descriptor>
                   <encryption algorithm='AES_192_GCM' />
                   <!-- some comment here -->
                   <masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
-                    <value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
+                    <value>{masterKey}</value>
                   </masterKey>
                 </descriptor>";
             XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);

src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Text;
 using System.Xml.Linq;
 using Microsoft.AspNetCore.Cryptography;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
@@ -18,6 +19,7 @@ public class CngCbcAuthenticatedEncryptorDescriptorDeserializerTests
         [ConditionalRunTestOnlyOnWindows]
         public void ImportFromXml_CreatesAppropriateDescriptor()
         {
+            var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
             // Arrange
             var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(
                 new CngCbcAuthenticatedEncryptorConfiguration()
@@ -28,14 +30,14 @@ public void ImportFromXml_CreatesAppropriateDescriptor()
                     HashAlgorithm = Constants.BCRYPT_SHA512_ALGORITHM,
                     HashAlgorithmProvider = null
                 },
-                "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
+                masterKey.ToSecret());
             var control = CreateEncryptorInstanceFromDescriptor(descriptor);
 
-            const string xml = @"
+            var xml = $@"
                 <descriptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
                   <encryption algorithm='AES' keyLength='192' />
                   <hash algorithm='SHA512' />
-                  <masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
+                  <masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
                 </descriptor>";
             var deserializedDescriptor = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
             var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngCbcAuthenticatedEncryptorDescriptor);