[7.0-rc1] Fix PopulateCertificatesFromStore on macOS to only return store certs #43358
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@MackinnonBuck this fixes the issue we were looking at. |
|
@HaoK PTAL |
HaoK
reviewed
Aug 18, 2022
3 tasks
HaoK
reviewed
Aug 18, 2022
| // Note that the actual certs we populate need to be the ones from the store location, and | ||
| // not the version from disk, since we may do other operations with these certs later (such | ||
| // as exporting) which would fail with crypto errors otherwise. | ||
| var onDiskAndKeychain = certsFromStore.Intersect(certsFromDisk, ThumbprintComparer.Instance); |
There was a problem hiding this comment.
We should probably consider at least starting a list of some of these things for maybe a single CTI scenario for to do some ad hoc verification every once in a while, given that we don't have any test coverage for these kinds of things, (for our future selves)
There was a problem hiding this comment.
This was actually caught by the WebTools CTI team (see linked issue) as part of their RC 1 pass.
There was a problem hiding this comment.
Awesome, so we do have coverage, that makes me feel better that they are exercising things then
HaoK
approved these changes
Aug 18, 2022
|
Filed #43374 for the failing H3 test. |
This was referenced Nov 2, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some certificate export scenarios (exporting to a PEM file for instance) will lead us to try to export an RSA private key. Without this change, the first one of these exports works, and then subsequent ones fail with a vague crypto exception from
SecKeyCopyExternalRepresentation.The fix is simple; we have code in the certificate manager that takes the union of certificates in the new on-disk location and the store (keychain).
The code was previously doing:
which meant that the actual certs returned were the ones loaded from disk (and also happened to be in the keychain), whereas what we want to return is the certs from the keychain that also have on-disk versions. The reason why it works the first time is that the on-disk versions don't exist yet.
This change flips the Intersect call and adds a comment about all of this. While I was here I also noticed a typo on a nearby store location check so I fixed that too.
Fixes #43335