Skip to content

[7.0-rc1] Fix PopulateCertificatesFromStore on macOS to only return store certs #43358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 19, 2022
Merged

[7.0-rc1] Fix PopulateCertificatesFromStore on macOS to only return store certs #43358

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions src/Shared/CertificateGeneration/MacOSCertificateManager.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -375,7 +375,7 @@ protected override IList<X509Certificate2> GetCertificatesToRemove(StoreName sto

protected override void PopulateCertificatesFromStore(X509Store store, List<X509Certificate2> certificates)
{
if (store.Name! == StoreName.My.ToString() && store.Location == store.Location && Directory.Exists(MacOSUserHttpsCertificateLocation))
if (store.Name! == StoreName.My.ToString() && store.Location == StoreLocation.CurrentUser && Directory.Exists(MacOSUserHttpsCertificateLocation))
{
var certsFromDisk = GetCertsFromDisk();

Expand All @@ -388,7 +388,10 @@ protected override void PopulateCertificatesFromStore(X509Store store, List<X509
// Certs created (or "upgraded") by .NET 7+.
// .NET 7+ installs the certificate on disk as well as on the user keychain (for backwards
// compatibility with pre-.NET 7).
var onDiskAndKeychain = certsFromDisk.Intersect(certsFromStore, ThumbprintComparer.Instance);
// Note that the actual certs we populate need to be the ones from the store location, and
// not the version from disk, since we may do other operations with these certs later (such
// as exporting) which would fail with crypto errors otherwise.
var onDiskAndKeychain = certsFromStore.Intersect(certsFromDisk, ThumbprintComparer.Instance);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably consider at least starting a list of some of these things for maybe a single CTI scenario for to do some ad hoc verification every once in a while, given that we don't have any test coverage for these kinds of things, (for our future selves)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was actually caught by the WebTools CTI team (see linked issue) as part of their RC 1 pass.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, so we do have coverage, that makes me feel better that they are exercising things then


// The only times we can find a certificate on the keychain and a certificate on keychain+disk
// are when the certificate on disk and keychain has expired and a pre-.NET 7 SDK has been
Expand Down