Cli-microsoft365: Update command: m365 login, allow empty password for a pfx certificate

Created on 29 Nov 2020 · 8Comments · Source: pnp/cli-microsoft365

Usage

m365 login [options]

Description

Allow to login with a .pfx certificate that doesn't require a password.

Options

Unsure how this would be achieved (for now), just believe this should be possible.

Additional Information

I believe we should be able to use a .pfx certificate that doesn't have a password (this is the case when fetching a base64 encoded certificate from Azure Key Vault). Currently, when you don't use the --password option CLI assumes a .pem file is passed in to the --certificateFile option. Naturally, this doesn't achieve the wanted result.
Additionally, you cannot pass in an empty password to the --password option. This always results in errors.

enhancement feature request work in progress

Source

YannickRe

All 8 comments

Thanks for the suggestion. By itself, it's pretty odd though. PFX is secured by password so why would you want to use it without a password?

waldekmastykarz on 29 Nov 2020

There is no rule that a .pfx needs to be protected by a password. When you export a .pfx certificate from Azure KeyVault, it doesn’t have a password. When you make a .pfx from a base64 encoded string, it doesn’t necessarily have a password.
Even if you export a .pfx from the Windows Certificate Store you don’t HAVE to provide a password.

It would make CLI support certificates like this, even if we consider it bad form 🙂

YannickRe on 29 Nov 2020

👍1

Right, so the recommendation is to protect your .pfx with a password because it contains a private key, but it's not necessary. Good catch! We should definitely update CLI to not require password.

waldekmastykarz on 29 Nov 2020

I'll take this one too, if you want. This can be the preparation to cleanly allow #1971 to be implemented.
Approach:

limit (and thus validate) input to .pem and .pfx files (we could extend it afterwards, but this is what your docs currently refer to as being allowed)
set certType to either pem or pfx, and in Auth.ts use that to switch between both logic paths

Sounds good?

YannickRe on 30 Nov 2020

Sounds like a plan! Appreciate your help! 👏

waldekmastykarz on 1 Dec 2020

I didn't like my plan anymore, thinking of how to implement this one so we could easily also implement #1971 .

Current approach:

assume certificate in Buffer is PEM, and decode it.
- if works => great, it is PEM
- if fails with exception ==> assume PFX and continue PFX code path

It's not the cleanest of code but I cannot figure out how to determine if a base64 encoded string is a pem or a pfx without doing the actual conversion and letting it throw the exception if it isn't pem.
Also, I figured it isn't worse than the current solution since that assumes PEM when --password is not provided with no fallback.

I get it might be difficult to follow along without seeing the actual code. It's more for future reference: as an answer to why the implementation differs from what has been discussed.

YannickRe on 1 Dec 2020

👍1

I get it might be difficult to follow along without seeing the actual code.

Feel free to submit a draft PR and lets discuss 😊👍🏻

garrytrinder on 1 Dec 2020

@garrytrinder The PR is waiting for you 😉

YannickRe on 1 Dec 2020

❤1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Bug report: m365 export flow without suggestedCreationType in manifest.json

joshua-probst · 3Comments

Output with `headers: [object Object]` when --debug specified on multiple locations

VelinGeorgiev · 3Comments

New sample script: restore a default configuration for tenant wide extensions on a tenant

waldekmastykarz · 3Comments

Bug report: Help description example wrong for sharingCapability in the command spo site set

arjunumenon · 3Comments

New command: spo group get

VelinGeorgiev · 3Comments