Protect git repository auth token with certificate from hardware token

mcfly722/git-credential-cert

git-credential-cert

Protect git repository auth token with certificate from hardware token

Stability: release. License: GPL3.0


Requirements

  1. installed git
  2. certificate with private key on hardware token
  3. .NET Framework 4.7.1 or higher
  4. Visual Studio 2013 to build binary from sources

Installation

  1. Copy git-credential-cert.exe to the C:\Program Files\Git\mingw64\libexec\git-core folder
  2. Specify git-credential-cert as the git credential helper:
    git config --global credential.helper cert
  3. Don't forget to delete your credentials from Windows Credential Manager and from any other place where they are not stored safely

Configuring for Visual Studio

Visual Studio requires this helper to be specified in the %USERPROFILE%\.gitconfig file.

You can add it like this:

[credential]
	helper=C:\\\\Program\\ Files\\\\Git\\\\mingw64\\\\libexec\\\\git-core\\\\git-credential-cert.exe
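
The four backslashes per path separator are needed because the value is decoded twice: once by git's config parser, then by the shell git uses to launch a helper given as an absolute path. The sketch below is an added example, not code from this project; it models both stages with hypothetical function names, and `git_config_unescape` is a simplified model of git's parser (no comments, line continuations or whitespace trimming).

```python
import shlex

# Escape sequences git accepts in a config value; any other one is a fatal
# "bad config line" error.
GIT_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "b": "\b"}

def git_config_unescape(raw):
    """Stage 1 (simplified model of git's config parser): decode one value."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            i += 1
            # A trailing backslash (line continuation) is not modelled here.
            if i >= len(raw) or raw[i] not in GIT_ESCAPES:
                raise ValueError("bad config line: invalid escape at offset %d" % (i - 1))
            out.append(GIT_ESCAPES[raw[i]])
        elif ch != '"':  # double quotes group text and are not part of the value
            out.append(ch)
        i += 1
    return "".join(out)

def helper_argv(raw):
    """Stage 2: the decoded string goes to sh, which unescapes and splits it."""
    return shlex.split(git_config_unescape(raw), posix=True)

def check_helper(raw, expected_exe):
    """Return 'ok' only if the command sh would run is exactly expected_exe."""
    try:
        argv = helper_argv(raw)
    except ValueError as err:
        return "rejected by git (%s)" % err
    if argv == [expected_exe]:
        return "ok"
    return "would run %r" % argv[0] if argv else "empty"

# Constructed inputs: the README's value and two plausible mistakes.
EXE = r"C:\Program Files\Git\mingw64\libexec\git-core\git-credential-cert.exe"
README_VALUE = (r"C:\\\\Program\\ Files\\\\Git\\\\mingw64\\\\libexec"
                r"\\\\git-core\\\\git-credential-cert.exe")
SINGLE_ESCAPED = EXE.replace("\\", "\\\\")   # C:\\Program Files\\Git\\...

if __name__ == "__main__":
    for name, value in [("README value", README_VALUE),
                        ("single-escaped", SINGLE_ESCAPED),
                        ("plain Windows path", EXE)]:
        print("%-20s %s" % (name, check_helper(value, EXE)))
```

Only the README's form survives both decoding stages; the single-escaped form leaves sh trying to run `C:Program`, so git never reaches this helper.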

Generate certificate

Generate a certificate with a private key, used to encrypt the token and to sign the credential data in the store:

makecert.exe -pe -r -a sha1 -len 2048 -n "CN=<specify here your own cert name>" -eku "1.3.6.1.5.5.7.3.4" -sky exchange -sv cert.pvk cert.cer
pvk2pfx.exe -pvk cert.pvk -spc cert.cer -pfx cert.pfx

Import the certificate to the hardware token using SafeNet Authentication Client or any other third-party software.
During import, choose the pfx file and enter an empty password. Do not forget to delete the private key from your disk.


Adding new credentials

git push

The helper checks its database (the %USERPROFILE%\git-credential-cert file), and if it holds no credentials for the current URL, it asks for the username and password and stores them.


List of existing credentials

git-credential-cert.exe list

Delete existing credentials

git-credential-cert.exe delete <URL>

Uninstall

  1. delete helper:
    del "C:\Program Files\Git\mingw64\libexec\git-core\git-credential-cert.exe"
  2. clear git-credential-cert.exe helper from %USERPROFILE%\.gitconfig
  3. specify your own or previous credential helper, for example:
    git config --global credential.helper manager
  4. delete git-credential-cert encrypted database (if required):
    del "%USERPROFILE%\\.git-credential-cert"

List Of Tests

1. Common

1.1. ✔ Incorrect method
1.2. ✔ Input has no key=value format
1.3. ✔ Input has unknown key
1.4. ✔ Store file corrupted - exception with stacktrace
1.5. ✔ Writing store file exception

2. Add new credentials (STORE):

2.1. ✔ Create new store, file does not exist
2.2. ✔ No certs with private key
2.3. ✔ Fail to encrypt (ejected token) - exception
2.4. ✔ Trying to add already existing url

3. Read existing credentials (GET):

3.1. ✔ There are no required parameters
3.2. ✔ Store has no credential for required url
3.3. ✔ Cert for signature and decryption not found
3.4. ✔ Cert for signature check exists, but has no private key for decryption
3.5. ✔ Incorrect signature

4. List of existing credentials (LIST):

4.1. ✔ List credentials (URL + UserName + Cert.Subject + Cert.Thumbprint + Created DateTime)

5. Remove existing credentials from git (ERASE):

5.1. ✔ Trying to remove non-existent credentials

6. Remove existing credentials from command line (DELETE):

6.1. ✔ Trying to remove non-existent credentials
6.2. ✔ No url specified

7. Other

7.1. ✔ Working from Visual Studio Code
7.2. ✔ Working from Visual Studio
7.3. ✔ git token revocation (error + erase)
